Drop Rate Exceeded

Unanswered Question
Jul 30th, 2009

I just upgrade our MARS to 6.03 and and I am getting this message from our ASA. I was simply going to place in a drop rule, but there is no IP address to use for the rule. The IP address are all NA.

Drop Rate Exceeded N/A 0 N/A N/A N/A

Can I create a rule to drp this alert?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
aghaznavi Wed, 08/05/2009 - 05:33

After you upgrade MARS from version 6.0.2 to 6.0.3, it appears that drop rules are ignored.

Update your MARS with the patch release 6.0.3 (3188) (csmars-6.0.3.3190-customerpatch.zip) in order to correct the potential issues with drop rules.

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/rules.html#wp532001

The specified object in the system log message has exceeded the specified burst threshold rate or average threshold rate. The object can be drop activity of a host, TCP/UDP port, IP protocol, or various drops due to potential attacks. It indicates the system is under potential attack.

scootertgm Wed, 08/05/2009 - 05:50

When I upgraded, I went from 4.36 to 6.03 3188. Drop rules are working.

The issue is I get the following messages:

Drop Rate Exceeded N/A N/A N/A N/A N/A Aug 5, 2009 6:38:55 AM PDT

From the ASA. I can't create a drop rule for those events as it needs an IP to drop from. How would I make a rule to not see these events?

tichomir.kotek Sat, 08/08/2009 - 11:39

drop rules do not need an IP. just create drop rule with wizzard and then edit created drop rule and change src to ANY. should be working

Actions

This Discussion