
ASA Dropping internal Packets after reaching scanning rate limit...

stownsend
Level 2

I have the threat-detection setup like the following:

threat-detection rate scanning-threat rate-interval 600 average-rate 6 burst-rate 20

threat-detection rate scanning-threat rate-interval 1200 average-rate 5 burst-rate 15

threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address 10.1.0.0 255.255.0.0

threat-detection scanning-threat shun except ip-address 10.2.0.0 255.255.0.0

threat-detection scanning-threat shun except ip-address 10.1.0.40 255.255.255.255

threat-detection scanning-threat shun except ip-address 10.4.5.0 255.255.255.0

threat-detection scanning-threat shun except ip-address 10.1.5.0 255.255.255.0

threat-detection scanning-threat shun except ip-address 10.2.5.0 255.255.255.0

threat-detection scanning-threat shun duration 3600

threat-detection statistics host

threat-detection statistics port

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

Though I still receive these events in the syslog.

1/31/2012 7:05:29 AM

%ASA-4-733100: [ Scanning] drop rate-3 exceeded. Current burst rate is 9 per second, max configured rate is 8; Current average rate is 0 per second, max configured rate is 4; Cumulative total count is 3290

1/31/2012 7:05:09 AM

%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 26 per second, max configured rate is 20; Current average rate is 2 per second, max configured rate is 6; Cumulative total count is 1590

1/31/2012 7:05:09 AM

%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 20 per second, max configured rate is 15; Current average rate is 1 per second, max configured rate is 5; Cumulative total count is 1713

1/31/2012 7:04:29 AM

%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 31 per second, max configured rate is 20; Current average rate is 1 per second, max configured rate is 6; Cumulative total count is 792

1/31/2012 7:04:29 AM

%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 15 per second, max configured rate is 15; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 919

1/31/2012 6:22:31 AM

%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 20 per second, max configured rate is 20; Current average rate is 1 per second, max configured rate is 6; Cumulative total count is 805


The Devices that are generating them (I believe) are IP Phones. They are the devices listed in the 10.x.5.0/24 range.

When I do a 'show shun' I get nothing back.

What Gives?


stownsend
Level 2

So we had another event where our IP Phones were dropping connections. Even with the exceptions entered above, we still seem to have the IPs added to an attacker/attacked list.

1/31/2012 2:59:53 PM

%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 2 per second, max configured rate is 20; Current average rate is 6 per second, max configured rate is 6; Cumulative total count is 3991

1/31/2012 2:59:53 PM

%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 1 per second, max configured rate is 15; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 6374

1/31/2012 2:59:35 PM

%ASA-4-733100: [ 10.4.5.2(unresolved)] drop rate-1 exceeded. Current burst rate is 21 per second, max configured rate is 20; Current average rate is 1 per second, max configured rate is 6; Cumulative total count is 1363

1/31/2012 2:59:35 PM

%ASA-4-733101: Host 10.4.5.2(unresolved) is attacking. Current burst rate is 21 per second, max configured rate is 20; Current average rate is 1 per second, max configured rate is 6; Cumulative total count is 1363

1/31/2012 2:59:33 PM

%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 12 per second, max configured rate is 20; Current average rate is 6 per second, max configured rate is 6; Cumulative total count is 3754

1/31/2012 2:59:25 PM

%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 23 per second, max configured rate is 20; Current average rate is 2 per second, max configured rate is 6; Cumulative total count is 1260

1/31/2012 2:59:25 PM

%ASA-4-733100: [ Scanning] drop rate-3 exceeded. Current burst rate is 9 per second, max configured rate is 8; Current average rate is 0 per second, max configured rate is 4; Cumulative total count is 1820

1/31/2012 2:59:23 PM

%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 34 per second, max configured rate is 20; Current average rate is 6 per second, max configured rate is 6; Cumulative total count is 3612

1/31/2012 2:59:23 PM

%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 17 per second, max configured rate is 15; Current average rate is 4 per second, max configured rate is 5; Cumulative total count is 5897

1/31/2012 2:59:19 PM

%ASA-4-733100: [ 10.4.5.2(unresolved)] drop rate-1 exceeded. Current burst rate is 22 per second, max configured rate is 20; Current average rate is 0 per second, max configured rate is 6; Cumulative total count is 963

1/31/2012 2:59:19 PM

%ASA-4-733101: Host 10.4.5.2(unresolved) is targeted. Current burst rate is 22 per second, max configured rate is 20; Current average rate is 0 per second, max configured rate is 6; Cumulative total count is 963

1/31/2012 2:59:13 PM

%ASA-4-733100: [ Scanning] drop rate-3 exceeded. Current burst rate is 3 per second, max configured rate is 8; Current average rate is 4 per second, max configured rate is 4; Cumulative total count is 15419

1/31/2012 2:59:05 PM

%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 30 per second, max configured rate is 20; Current average rate is 1 per second, max configured rate is 6; Cumulative total count is 794

1/31/2012 2:59:05 PM

%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 15 per second, max configured rate is 15; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 919

1/31/2012 2:59:03 PM

%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 30 per second, max configured rate is 20; Current average rate is 5 per second, max configured rate is 6; Cumulative total count is 3033
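
A triage sketch for the messages quoted above, added here as an example (not part of the original posts and not Cisco code): it parses 733100/733101 lines, reports which configured threshold each one reached, and checks whether a named host falls inside the "shun except" networks from the first post. The dict field names and the `parse` helper are this example's own.

```python
import ipaddress
import re

# Shun exceptions copied from the configuration in the first post.
SHUN_EXCEPT = [ipaddress.ip_network(n) for n in (
    "10.1.0.0/255.255.0.0", "10.2.0.0/255.255.0.0", "10.1.0.40/255.255.255.255",
    "10.4.5.0/255.255.255.0", "10.1.5.0/255.255.255.0", "10.2.5.0/255.255.255.0")]

# Four syslog messages copied from the posts above (timestamps dropped).
SAMPLE = [
    "%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 15 per second, max configured rate is 15; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 919",
    "%ASA-4-733100: [ Scanning] drop rate-3 exceeded. Current burst rate is 3 per second, max configured rate is 8; Current average rate is 4 per second, max configured rate is 4; Cumulative total count is 15419",
    "%ASA-4-733100: [ 10.4.5.2(unresolved)] drop rate-1 exceeded. Current burst rate is 21 per second, max configured rate is 20; Current average rate is 1 per second, max configured rate is 6; Cumulative total count is 1363",
    "%ASA-4-733101: Host 10.4.5.2(unresolved) is attacking. Current burst rate is 21 per second, max configured rate is 20; Current average rate is 1 per second, max configured rate is 6; Cumulative total count is 1363",
]

HEAD = re.compile(
    r"%ASA-4-(?:733100: \[\s*(?P<obj>[^\]]+?)\s*\] drop (?P<rate_id>rate-\d+) exceeded"
    r"|733101: Host (?P<host>\S+) is (?P<role>attacking|targeted))\.")
RATES = re.compile(
    r"Current burst rate is (\d+) per second, max configured rate is (\d+); "
    r"Current average rate is (\d+) per second, max configured rate is (\d+); "
    r"Cumulative total count is (\d+)")

def parse(line):
    """Parse one 733100/733101 message; return None for anything else."""
    head, rates = HEAD.search(line), RATES.search(line)
    if not (head and rates):
        return None
    burst, burst_max, avg, avg_max, total = map(int, rates.groups())
    subject = (head["obj"] or head["host"]).split("(")[0]  # drop "(unresolved)"
    try:
        ip = ipaddress.ip_address(subject)
        excepted = any(ip in net for net in SHUN_EXCEPT)
    except ValueError:  # aggregate object such as "Scanning", not a host
        excepted = None
    # The quoted messages fire when current == max, so compare with >=.
    tripped = [name for name, cur, lim in
               (("burst", burst, burst_max), ("average", avg, avg_max)) if cur >= lim]
    return {"id": 733101 if head["host"] else 733100, "subject": subject,
            "rate_id": head["rate_id"], "role": head["role"],
            "tripped": tripped, "shun_excepted": excepted, "total": total}

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse(line))
```
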

Experiencing the same type of issue. 

Did you ever find a solution to this problem?

Have been trying to resolve this issue for about two weeks with no luck.

Have been searching everywhere and coming up empty handed.

 

Same problem here.  Ever find a solution?

Still empty handed.  Pretty much gave up getting any help on it.

 

 
