New Member

ASA Dropping internal Packets after reaching scanning rate limit...

I have the threat-detection setup like the following:

threat-detection rate scanning-threat rate-interval 600 average-rate 6 burst-rate 20

threat-detection rate scanning-threat rate-interval 1200 average-rate 5 burst-rate 15

threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address 10.1.0.0 255.255.0.0

threat-detection scanning-threat shun except ip-address 10.2.0.0 255.255.0.0

threat-detection scanning-threat shun except ip-address 10.1.0.40 255.255.255.255

threat-detection scanning-threat shun except ip-address 10.4.5.0 255.255.255.0

threat-detection scanning-threat shun except ip-address 10.1.5.0 255.255.255.0

threat-detection scanning-threat shun except ip-address 10.2.5.0 255.255.255.0

threat-detection scanning-threat shun duration 3600

threat-detection statistics host

threat-detection statistics port

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

Though I still receive these events in the syslog.

1/31/2012 7:05:29 AM

%ASA-4-733100: [ Scanning] drop rate-3 exceeded. Current burst rate is 9 per second, max configured rate is 8; Current average rate is 0 per second, max configured rate is 4; Cumulative total count is 3290

1/31/2012 7:05:09 AM

%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 26 per second, max configured rate is 20; Current average rate is 2 per second, max configured rate is 6; Cumulative total count is 1590

1/31/2012 7:05:09 AM

%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 20 per second, max configured rate is 15; Current average rate is 1 per second, max configured rate is 5; Cumulative total count is 1713

1/31/2012 7:04:29 AM

%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 31 per second, max configured rate is 20; Current average rate is 1 per second, max configured rate is 6; Cumulative total count is 792

1/31/2012 7:04:29 AM

%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 15 per second, max configured rate is 15; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 919

1/31/2012 6:22:31 AM

%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 20 per second, max configured rate is 20; Current average rate is 1 per second, max configured rate is 6; Cumulative total count is 805


The Devices that are generating them (I believe) are IP Phones. They are the devices listed in the 10.x.5.0/24 range.

When I do a 'show shun' I get nothing back.

What Gives?

4 REPLIES
New Member

ASA Dropping internal Packets after reaching scanning rate limit

So we had another event where our IP Phones were dropping connections. Even with the exceptions entered above we still seem to have the IPs added to an attacker/attacked list.

1/31/2012 2:59:53 PM

%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 2 per second, max configured rate is 20; Current average rate is 6 per second, max configured rate is 6; Cumulative total count is 3991

1/31/2012 2:59:53 PM

%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 1 per second, max configured rate is 15; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 6374

1/31/2012 2:59:35 PM

%ASA-4-733100: [ 10.4.5.2(unresolved)] drop rate-1 exceeded. Current burst rate is 21 per second, max configured rate is 20; Current average rate is 1 per second, max configured rate is 6; Cumulative total count is 1363

1/31/2012 2:59:35 PM

%ASA-4-733101: Host 10.4.5.2(unresolved) is attacking. Current burst rate is 21 per second, max configured rate is 20; Current average rate is 1 per second, max configured rate is 6; Cumulative total count is 1363

1/31/2012 2:59:33 PM

%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 12 per second, max configured rate is 20; Current average rate is 6 per second, max configured rate is 6; Cumulative total count is 3754

1/31/2012 2:59:25 PM

%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 23 per second, max configured rate is 20; Current average rate is 2 per second, max configured rate is 6; Cumulative total count is 1260

1/31/2012 2:59:25 PM

%ASA-4-733100: [ Scanning] drop rate-3 exceeded. Current burst rate is 9 per second, max configured rate is 8; Current average rate is 0 per second, max configured rate is 4; Cumulative total count is 1820

1/31/2012 2:59:23 PM

%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 34 per second, max configured rate is 20; Current average rate is 6 per second, max configured rate is 6; Cumulative total count is 3612

1/31/2012 2:59:23 PM

%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 17 per second, max configured rate is 15; Current average rate is 4 per second, max configured rate is 5; Cumulative total count is 5897

1/31/2012 2:59:19 PM

%ASA-4-733100: [ 10.4.5.2(unresolved)] drop rate-1 exceeded. Current burst rate is 22 per second, max configured rate is 20; Current average rate is 0 per second, max configured rate is 6; Cumulative total count is 963

1/31/2012 2:59:19 PM

%ASA-4-733101: Host 10.4.5.2(unresolved) is targeted. Current burst rate is 22 per second, max configured rate is 20; Current average rate is 0 per second, max configured rate is 6; Cumulative total count is 963

1/31/2012 2:59:13 PM

%ASA-4-733100: [ Scanning] drop rate-3 exceeded. Current burst rate is 3 per second, max configured rate is 8; Current average rate is 4 per second, max configured rate is 4; Cumulative total count is 15419

1/31/2012 2:59:05 PM

%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 30 per second, max configured rate is 20; Current average rate is 1 per second, max configured rate is 6; Cumulative total count is 794

1/31/2012 2:59:05 PM

%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 15 per second, max configured rate is 15; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 919

1/31/2012 2:59:03 PM

%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 30 per second, max configured rate is 20; Current average rate is 5 per second, max configured rate is 6; Cumulative total count is 3033
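
An added example, not part of the original thread: a Python parser for the %ASA-4-733100 and %ASA-4-733101 messages quoted above. It reports which configured limit (burst or average) each message reached and whether a named host falls inside the `shun except` networks from the posted configuration. The function and field names are illustrative; the three sample lines are copied from the thread.

```python
import ipaddress
import re

# Shun exceptions copied from the configuration posted in the thread.
SHUN_EXCEPT = [ipaddress.ip_network(n) for n in (
    "10.1.0.0/255.255.0.0", "10.2.0.0/255.255.0.0", "10.1.0.40/255.255.255.255",
    "10.4.5.0/255.255.255.0", "10.1.5.0/255.255.255.0", "10.2.5.0/255.255.255.0")]

RATES = (r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<bmax>\d+); "
         r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<amax>\d+); "
         r"Cumulative total count is (?P<total>\d+)")
MSG = re.compile(
    r"%ASA-4-(?P<id>73310[01]): "
    r"(?:\[\s*(?P<obj>[^\]]+)\] drop (?P<rate>rate-\d+) exceeded"
    r"|Host (?P<host>\S+?)\(\S*\) is (?P<role>attacking|targeted))\. " + RATES)


def parse(line):
    """Return a dict describing one 733100/733101 message, or None if no match."""
    m = MSG.search(line)
    if m is None:
        return None
    # In the thread's logs a rate equal to its limit is already reported, hence >=.
    tripped = [name for name, cur, lim in (("burst", m["burst"], m["bmax"]),
                                           ("average", m["avg"], m["amax"]))
               if int(cur) >= int(lim)]
    subject = (m["host"] or m["obj"]).split("(")[0].strip()
    try:
        ip = ipaddress.ip_address(subject)
        exempt = any(ip in net for net in SHUN_EXCEPT)
    except ValueError:          # category name such as "Scanning", not a host
        exempt = None
    return {"id": m["id"], "subject": subject, "rate": m["rate"], "role": m["role"],
            "tripped": tripped, "shun_exempt": exempt, "total": int(m["total"])}


# Three messages copied verbatim from the thread.
SAMPLE = [
    "%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 2 per second, max configured rate is 20; Current average rate is 6 per second, max configured rate is 6; Cumulative total count is 3991",
    "%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 17 per second, max configured rate is 15; Current average rate is 4 per second, max configured rate is 5; Cumulative total count is 5897",
    "%ASA-4-733101: Host 10.4.5.2(unresolved) is attacking. Current burst rate is 21 per second, max configured rate is 20; Current average rate is 1 per second, max configured rate is 6; Cumulative total count is 1363",
]

if __name__ == "__main__":
    for rec in map(parse, SAMPLE):
        print(rec)
```

For the 10.4.5.2 message the result has `shun_exempt` set to `True`: the host lies inside the 10.4.5.0 255.255.255.0 exception from the posted configuration.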

New Member

Experiencing the same type of issue. 

Did you ever find a solution to this problem?

Have been trying to resolve this issue for about two weeks with no luck.

Have been searching everywhere and coming up empty handed.

Same problem here.  Ever find

Same problem here.  Ever find a solution?

New Member

Still empty handed.  Pretty much gave up getting any help on it.
