Error #733100 - drop rate-1 exceeded

richardwiseman
Level 1

Getting the following 733100 events, and all are Scanning

ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 400; Current average rate is 56 per second, max configured rate is 200; Cumulative total count is 33887
ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 320; Current average rate is 13 per second, max configured rate is 160; Cumulative total count is 47709

Question

Why am I getting events from less than the manually configured rates?

Here are the configuration changes output by show run

no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
no threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate scanning-threat rate-interval 600 average-rate 200 burst-rate 400
threat-detection rate scanning-threat rate-interval 3600 average-rate 160 burst-rate 320
no threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
no threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate syn-attack rate-interval 600 average-rate 25 burst-rate 50
threat-detection rate syn-attack rate-interval 3600 average-rate 20 burst-rate 40

In the configuration guide http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wpmkr1076627

it says "You can configure up to three commands with different rate intervals."

Question

Does this mean there are three different types of command, or can you only manually adjust three out of the various basic threat detection settings?

1 Accepted Solution

From http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1058639 "If you already configured this command as part of the basic threat detection configuration (see the "Configuring Basic Threat Detection" section), then those settings are shared with the scanning threat detection feature; you cannot configure separate rates for each feature."

But you have a point in that the alert has a value that is less than the limit reported. Are you running 8.0.4? Then this is defect "CSCsv42964: scanning-threat does not pick up the correct rate threshold in syslog".

Please mark this as solved if it is, to benefit future readers.

PK
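A triage sketch for the symptom discussed above, added here as an example and not taken from the posts or from Cisco: it parses 733100 messages and marks those whose current burst and average rates are both at or below the limits printed in the same message. The function names and the third sample line are constructed, and treating "exceeded" as strictly greater than the printed limit is an assumption.

```python
import re

# Matches the 733100 text as quoted in the thread (with or without a leading '%').
EVENT_RE = re.compile(
    r"ASA-4-733100: \[\s*(?P<obj>[^\]]+?)\s*\] drop rate-(?P<rate_id>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)

def parse_733100(line):
    """Return the message fields as a dict, or None if the line is not a 733100 event."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    ev = {k: int(v) for k, v in m.groupdict().items() if k != "obj"}
    ev["obj"] = m.group("obj")
    return ev

def below_reported_limits(ev):
    """True when neither current rate is above the limit printed in the same message."""
    return ev["burst"] <= ev["burst_max"] and ev["avg"] <= ev["avg_max"]

def triage(lines):
    """Label each 733100 event 'inconsistent' (rates under printed limits) or 'exceeded'."""
    results = []
    for line in lines:
        ev = parse_733100(line)
        if ev is None:
            continue  # not a 733100 message
        verdict = "inconsistent" if below_reported_limits(ev) else "exceeded"
        results.append((ev["obj"], ev["rate_id"], verdict))
    return results

SAMPLE = [
    # The two messages quoted in the original question.
    "ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 400; Current average rate is 56 per second, max configured rate is 200; Cumulative total count is 33887",
    "ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 320; Current average rate is 13 per second, max configured rate is 160; Cumulative total count is 47709",
    # Constructed line whose burst rate really is above the printed limit.
    "%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 450 per second, max configured rate is 400; Current average rate is 120 per second, max configured rate is 200; Cumulative total count is 51002",
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Events labelled "inconsistent" are the ones to hold back from alerting until the device is upgraded; "exceeded" events still warrant a look.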

6 Replies

Panos Kampanakis
Cisco Employee

The doc is saying that you can have 3 versions of the command

For example

threat-detection rate scanning-threat rate-interval 600 average-rate 200 burst-rate 400
threat-detection rate scanning-threat rate-interval 3600 average-rate 160 burst-rate 320
threat-detection rate scanning-threat rate-interval 800 average-rate 200 burst-rate 400

You will receive a log for which limit you reached in the log for every time you exceed the limit ("[ Scanning] drop rate-1 exceeded", or "[ Scanning] drop rate-2 exceeded").

You have configured 2 limits. If you are also running basic threat detection, the basic limits are also matched and the logs will also reflect those.

I hope it helps.

PK

Hello, You have explained the second question, thanks.

But the first question is still not clear.

threat-detection rate scanning-threat rate-interval 600 average-rate 200 burst-rate 400
threat-detection rate scanning-threat rate-interval 3600 average-rate 160 burst-rate 320
threat-detection rate scanning-threat rate-interval 800 average-rate 200 burst-rate 400

Question

In your example, would they equal rate 1, 2 and 3?

Basic Threat Detection is enabled.

Question

So are you saying with basic threat detection, the default settings for scanning-threat are still valid, even though they are "no"ed out in the running config?

Question

I do not get why I am getting scanning threat alerts below the threshold I have set.

If another basic threat detection setting was triggering the event, why does the alert message not show the trigger? For example acl drop?

If you disable basic threat detection, and just have manual entries for the threat you are interested in, for example dos-drop, would this generate a syslog event 733100?

Thanks

Hi,

Yes I am running 8.04

Was aware of a bug using ASDM, thought workaround was to use CLI.

So I need to upgrade to 8.05 to fully fix, think this will sort a lot of people out. Many Thanks

Is there a workaround I can do before I can arrange an upgrade?

I would happily turn off scanning-threat but want to monitor other things such as syn-attack?

Regards

It is a syslog generation bug so I am afraid there is no workaround.

You can disable the scanning threat. The syn-attack is a different event.

Take care,

PK

PS: It is important to flag the question as answered for future reads, so kindly do so if this is now answered.

Hi can you confirm how this is done

I know I can switch off Basic Threat Detection and Scanning Threat Detection is already off.

How do I just switch on for syn-attack?

I know best solution is to upgrade as fast as possible.

Many Thanks
