Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
36772
Views
8
Helpful
5
Replies

Error #733100 - drop rate-1 exceeded

Craig Norborg
Level 4
Level 4

‎11-24-2009 07:08 AM - edited ‎03-11-2019 09:42 AM

Ok, I've read all the man pages and other discussions on this, so please don't just quote those back to me.  I know this is an aggregation of the various drop types and that there is no "set" value that you should set your thresholds at.  What I want to know is whether there is a way to tell what is triggering this message, ie: exactly what broke the threshold, something like source-IP or what ACL line is causing it?

If not, if this is simply a message that is going to be generated but you can't pull some specific information as to what generated the message, and thus tell whether its something you should take action on or ignore, is there a way to disable it all-together?  I already have the "Enable scanning threat detection" box un-checked, so that's not it!

Hey Cisco, if you're going to generate these messages, I'm sure there are >tons< of us who would like to know exactly what they mean, how to interpret them and what to do about them in more detail.  Your documentation is severely lacking!!

6 people had this problem
Labels:
0 Helpful
5 Replies 5

grant.maynard
Level 4
Level 4

‎11-24-2009 08:15 AM

Apologies if you've already seen it...

Basic threat-detection is enabled by default and is disabled with:

    no threat-detection basic-threat

For an idea of what's causing the log messages:

    show threat-detection rate

also by default, statistics for access lists are enabled. If it's ACLs which are triggering the messages, i suppose the message IDs 106023 is the best place to look.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wpmkr1076627

Elias Michalitsis
Level 1
Level 1
In response to grant.maynard

‎01-18-2011 06:44 AM

Hi,

I've got the same message on my ASA.

Is it an attack or a general message?

What can i do to solve the problem?

I have attached the relevant syslog message from Kiwi Syslog Server.

Thanks

Elias

Preview file
161 KB
0 Helpful

Kureli Sankar
Cisco Employee
Cisco Employee
In response to Elias Michalitsis

‎01-18-2011 07:33 AM

I filed a documentation only defect a while ago:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtj02347

Symptom:
This is a documentation only defect.  syslog message 733100 needs to include
"host drop" reason.

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4963969

ASA-4-733100> [10.60.88.2] drop rate-2 exceeded. Current burst rate is 0 per 
second, max configured rate is 8; Current average rate is 5 per second, 
max configured rate is 4; Cumulative total count is 38086

Conditions:
None

Workaround:

Issue "show run all threat-detection".
The number of triggers of different thresholds can be checked in "show
threat-detection rate".

Syslog 733100 is related to scanning-rate, adjusting this parameter should be
able to resolve too many messages showing up in the syslogs.

In this case, tuning the command "threat-detection rate scanning-rate 3600
average-rate 15" stopped too many of these messages being logged. In other
cases one may have to increase the scanning-rate and average-rate to a higher
value.

The resolved syslog link: 
http://www.cisco.com/en/US/docs/security/asa/asa83/system/message/logmsgs.html#wp4963969

-KS
0 Helpful

Elias Michalitsis
Level 1
Level 1
In response to Kureli Sankar

‎01-18-2011 12:17 PM

Ok Sankar.

I can understood that this message is not a serious attack but it has to do with the current situation of the firewall. I mean, that my firewall is doing so many scannings and it raises a message about this.

I have increase the average rate and the burst rate and i will see tomorrow what is happens.

Am i right or not?

0 Helpful

Kureli Sankar
Cisco Employee
Cisco Employee
In response to Elias Michalitsis

‎01-18-2011 01:55 PM

You are correct. Depending on your network and traffic that the firewall sees you may see these syslogs very often  and you may have to tune the settings so, you don't see too many of these too often.

-KS

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card