
Syslog Message

Hi all,

In my firewall ASA 5540, every day I am getting the syslog message.

 

4    Jul 07 2014 08:57:39    [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 7 per second, max configured rate is 4; Cumulative total count is 28683

 

Please explain the above-mentioned syslog.

2 REPLIES

Hi,

Please have a look at this link http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100830-asa-pix-netattacks.html#sol6

Regards,

Yadhu

PS: Pls rate all helpful posts.

Regards, Tony http://yadhutony.blogspot.com

Hi Kabeer,

 

That is because of the threat detection value set on your ASA. This might be an attack.

 

Because of the scanning rate configured and the

threat-detection rate scanning-rate 3600 average-rate 15

command:

%ASA-4-733100: [144.60.88.2] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 38086

Recommended Action: Perform the following steps according to the specified object type that appears in the message:

1. If the object in the message is one of the following: Firewall, Bad pkts, Rate limit, DoS attck, ACL drop, Conn limit, ICMP attck, Scanning, SYN attck, Inspect, Interface; check whether the drop rate is acceptable for the running environment.

2. Adjust the threshold rate of the particular drop to an appropriate value by using the threat-detection rate xxx command, where xxx is one of the following: acl-drop, bad-packet-drop, conn-limit-drop, dos-drop, fw-drop, icmp-drop, inspect-drop, interface-drop, scanning-threat, syn-attack.

3. If the object in the message is a TCP or UDP port, an IP address, or a host drop, check whether or not the drop rate is acceptable for the running environment.

4. Adjust the threshold rate of the particular drop to an appropriate value by using the threat-detection rate bad-packet-drop command.

Note: If you do not want the drop rate exceed warning to appear, you can disable it by using the no threat-detection basic-threat command.
 
You can refer to the below-mentioned Cisco document for more information.
 
http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs.pdf
 
Regards
Karthik
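As an added example (not code from this thread or from Cisco), here is a small Python parser for the 733100 message format discussed above: it pulls out the object, the rate-interval id, the burst and average rates with their configured maxima, and reports which threshold was actually exceeded, which is the part of the message the replies above interpret by hand. The two sample lines are the messages quoted in this thread; accepting the ASDM severity/timestamp prefix on the first one is an assumption.

```python
import re

# Pattern for the body of ASA message 733100 as quoted in this thread. The
# "%ASA-4-733100:" prefix is optional so the ASDM-formatted copy also parses.
_RE_733100 = re.compile(
    r"(?:%ASA-4-733100:\s*)?\[\s*(?P<object>[^\]]+?)\s*\]\s*"
    r"drop rate-(?P<rate_id>\d+) exceeded\.\s*"
    r"Current burst rate is (?P<burst>\d+) per second,\s*"
    r"max configured rate is (?P<burst_max>\d+);\s*"
    r"Current average rate is (?P<avg>\d+) per second,\s*"
    r"max configured rate is (?P<avg_max>\d+);\s*"
    r"Cumulative total count is (?P<total>\d+)"
)


def parse_733100(line):
    """Parse one 733100 line into a dict (ints, plus the object string); None if no match."""
    m = _RE_733100.search(line)
    if m is None:
        return None
    ev = {k: int(v) for k, v in m.groupdict().items() if k != "object"}
    ev["object"] = m.group("object")  # "Scanning", an IP address, a port, ...
    return ev


def exceeded_thresholds(ev):
    """Name the thresholds whose current rate is above the configured maximum."""
    hits = []
    if ev["burst"] > ev["burst_max"]:
        hits.append("burst")
    if ev["avg"] > ev["avg_max"]:
        hits.append("average")
    return hits


# Constructed sample lines, copied from the two messages quoted in this thread.
SAMPLE_LINES = [
    "4 Jul 07 2014 08:57:39 [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, "
    "max configured rate is 8; Current average rate is 7 per second, max configured rate is 4; "
    "Cumulative total count is 28683",
    "%ASA-4-733100: [144.60.88.2] drop rate-2 exceeded. Current burst rate is 0 per second, "
    "max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; "
    "Cumulative total count is 38086",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_733100(line)
        print("%s rate-%d: %s threshold exceeded" % (ev["object"], ev["rate_id"], ", ".join(exceeded_thresholds(ev))))
```

For both messages on this page the burst rate is 0, so it is the average rate (7 and 5 per second against a configured maximum of 4) that tripped rate-2, which is the value to compare against the threat-detection rate setting when deciding whether the rate is acceptable for your environment.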
 
 