ASA 5510

All-

What is this message I see in the fws log?

[ Scanning] drop rate-1 exceeded.

Thanks,

Vlad


Accepted Solutions

Re: ASA 5510

By the way "scanning drop" includes:

ACL drop, Bad packet drop, Conn limit drop, ICMP drop, Inspect drop, Interface drop and Syn attack.

5 REPLIES

Re: ASA 5510

Is there a way I can check what hosts were previously shunned if now I can't see any?

I have the log which says rate exceeded but I want to see which were the shunned hosts.

I can't see any with sh threat-detection shun.

Thanks,

V

Re: ASA 5510

I'm receiving the same messages in the log:

[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 9 per second, max configured rate is 5; Cumulative total count is 5622

[ Scanning] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 8; Current average rate is 8 per second, max configured rate is 4; Cumulative total count is 31781

[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 9 per second, max configured rate is 5; Cumulative total count is 5915

[ Scanning] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 8; Current average rate is 8 per second, max configured rate is 4; Cumulative total count is 31911

[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 9 per second, max configured rate is 5; Cumulative total count is 5915

...

It happens all the time.

It doesn't show the source or destination.

I'm using ASDM 6.1 - ASA 5510

How can I avoid these messages and protect against these scanning attacks?

Thanks,

Renato
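A small parser for the messages quoted above, added here as an example and not part of the thread: it pulls the burst, average and cumulative fields out of each line, notes which of the two thresholds tripped, and uses the cumulative counter to count how many drops were added between messages. The sample lines are constructed from the values in this post, and the %ASA-4-733100 syslog prefix is an assumption.

```python
import re

# Constructed sample reproducing the thread's format; "%ASA-4-733100:" is the syslog ID assumed here.
SAMPLE_LOG = """\
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 9 per second, max configured rate is 5; Cumulative total count is 5622
%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 8; Current average rate is 8 per second, max configured rate is 4; Cumulative total count is 31781
some unrelated syslog line that the parser skips
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 9 per second, max configured rate is 5; Cumulative total count is 5915
%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 8; Current average rate is 8 per second, max configured rate is 4; Cumulative total count is 31911
"""

PATTERN = re.compile(
    r"\[\s*(?P<category>[^\]]+?)\s*\] drop rate-(?P<interval>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)

def parse_line(line):
    """Fields of one 'drop rate exceeded' message as a dict, or None for any other line."""
    m = PATTERN.search(line)
    if not m:
        return None
    rec = {k: (v if k == "category" else int(v)) for k, v in m.groupdict().items()}
    # The ASA emits the message when either threshold is reached; record which one.
    rec["burst_exceeded"] = rec["burst"] >= rec["burst_max"]
    rec["avg_exceeded"] = rec["avg"] >= rec["avg_max"]
    return rec

def summarize(log_text):
    """Group by (category, rate interval). 'rate-N' is read as the Nth configured
    threat-detection rate interval (assumption; check 'show running-config threat-detection').
    The cumulative counter only grows, so last - first is the drops added during collection."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = summary.setdefault((rec["category"], rec["interval"]), {
            "messages": 0, "first_total": rec["total"], "max_burst": 0,
            "burst_limit": rec["burst_max"], "avg_limit": rec["avg_max"]})
        s["messages"] += 1
        s["max_burst"] = max(s["max_burst"], rec["burst"])
        s["new_drops"] = rec["total"] - s["first_total"]
    return summary

if __name__ == "__main__":
    for (cat, iv), s in summarize(SAMPLE_LOG).items():
        print(f"{cat} rate-{iv}: {s['messages']} msgs, {s['new_drops']} new drops, "
              f"peak burst {s['max_burst']}/s (limit {s['burst_limit']}/s)")
```

The message itself never carries a source or destination, so this only tells you how fast the counter is growing; the hosts involved have to come from the threat-detection statistics or shun output on the box.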

ASA 5510

Found Solution for drop rate-1:

https://supportforums.cisco.com/thread/228276

The syslogs "[ Scanning] drop rate-1 exceeded." mean that you have exceeded the "Scanning attack detected" threshold.

It shows a threshold that you exceeded.

But threat detection will not drop unless you tell it to.

The default behavior is to just alert (generate syslog).

So I would like to know if drop rate-2 is the same.

Thanks.
