I have a router using CBAC with error messages such as this:
Feb 16 01:05:11.676 CET: %FW-4-ALERT_ON: getting aggressive, count (15/500) current 1-min rate: 501
Feb 16 01:05:14.017 CET: %FW-4-ALERT_OFF: calming down, count (10/400) current 1-min rate: 369
My understanding from docs online and also Richard Deal's book is that there were more than 500 connections started in the last minute, which resulted in the first message; this then dropped below the low threshold of 400, resulting in the second message.
But I can find no mention anywhere of what the 'count (15/500)' and 'count (10/400)' numbers mean on each line. Is this how many sessions were blocked by CBAC in the last minute?
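An added example, not part of the original post: a small Python parser for the two CBAC messages quoted above that pairs each ALERT_ON with the following ALERT_OFF and reports how long the router stayed in aggressive mode. The field names `count`, `limit` and `rate` and the `year` parameter are labels chosen here; the code extracts the count pair without interpreting what it means.

```python
import re
from datetime import datetime

# Sample lines are the two messages quoted in the post above.
SAMPLE = """\
Feb 16 01:05:11.676 CET: %FW-4-ALERT_ON: getting aggressive, count (15/500) current 1-min rate: 501
Feb 16 01:05:14.017 CET: %FW-4-ALERT_OFF: calming down, count (10/400) current 1-min rate: 369
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+: "
    r"%FW-4-ALERT_(?P<state>ON|OFF): .*?count \((?P<count>\d+)/(?P<limit>\d+)\) "
    r"current 1-min rate: (?P<rate>\d+)"
)

def parse_alerts(text, year=2000):
    """Return one dict per ALERT_ON/ALERT_OFF line; other lines are skipped.
    The log carries no year, so `year` is an assumed value supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        events.append({"time": ts, "state": m["state"], "count": int(m["count"]),
                       "limit": int(m["limit"]), "rate": int(m["rate"])})
    return events

def aggressive_windows(events):
    """Pair each ALERT_ON with the next ALERT_OFF; an unmatched ON stays open (end=None)."""
    windows, start = [], None
    for ev in events:
        if ev["state"] == "ON" and start is None:
            start = ev
        elif ev["state"] == "OFF" and start is not None:
            windows.append({"start": start["time"], "end": ev["time"],
                            "seconds": (ev["time"] - start["time"]).total_seconds(),
                            "rate_on": start["rate"], "rate_off": ev["rate"]})
            start = None
    if start is not None:
        windows.append({"start": start["time"], "end": None, "seconds": None,
                        "rate_on": start["rate"], "rate_off": None})
    return windows
```

Frequent short windows in the output indicate the one-minute rate is hovering around the configured thresholds rather than a single sustained burst.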