Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Drop Rate Exceeded

I just upgrade our MARS to 6.03 and and I am getting this message from our ASA. I was simply going to place in a drop rule, but there is no IP address to use for the rule. The IP address are all NA.

Drop Rate Exceeded N/A 0 N/A N/A N/A

Can I create a rule to drp this alert?

3 REPLIES
Silver

Re: Drop Rate Exceeded

After you upgrade MARS from version 6.0.2 to 6.0.3, it appears that drop rules are ignored.

Update your MARS with the patch release 6.0.3 (3188) (csmars-6.0.3.3190-customerpatch.zip) in order to correct the potential issues with drop rules.

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/rules.html#wp532001

The specified object in the system log message has exceeded the specified burst threshold rate or average threshold rate. The object can be drop activity of a host, TCP/UDP port, IP protocol, or various drops due to potential attacks. It indicates the system is under potential attack.

New Member

Re: Drop Rate Exceeded

When I upgraded, I went from 4.36 to 6.03 3188. Drop rules are working.

The issue is I get the following messages:

Drop Rate Exceeded N/A N/A N/A N/A N/A Aug 5, 2009 6:38:55 AM PDT

From the ASA. I can't create a drop rule for those events as it needs an IP to drop from. How would I make a rule to not see these events?

New Member

Re: Drop Rate Exceeded

drop rules do not need an IP. just create drop rule with wizzard and then edit created drop rule and change src to ANY. should be working

463
Views
0
Helpful
3
Replies
CreatePlease login to create content