topic ASA sh asp drop and syslog in Network Security

ASA sh asp drop and syslog

Pavel Pokorny — Mon, 11 Mar 2019 23:13:47 GMT

Dear all,

I have a little confusion about logging.

My setup (8.2.4):

sh run logg

logging enable

logging timestamp

logging emblem

logging list all level debugging

logging buffer-size 100000

logging asdm-buffer-size 512

logging monitor debugging

logging trap warnings

logging asdm errors

logging queue 8192

logging host inside monitor

logging permit-hostdown

no logging message 313005

no logging message 713042

logging message 111001 level errors

logging rate-limit 1000 10 level 7

I would like to see in syslog (ie):

#sh asp drop

Frame drop:

Punt rate limit exceeded (punt-rate-limit) NUMBER

Regarding to doc, when something happens, what increases this counter, then syslog message should follow (322002, 322003).

But I can't see anything in syslog.

Is it bug or feature?

This same happens with other accidents regarding to asp drop.

Is there any other chance (even temporarily) to start producing syslog messages for particular Frame drop, or Flow drop?

Or do I have to use packet capture only (which increases load of ASA, and in this case is not flexible as syslog)?

Thank you very much

Regards

Pavel

ASA sh asp drop and syslog

Kureli Sankar — Sun, 03 Jun 2012 15:36:19 GMT

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s2.html#wp1555034

Name: punt-rate-limit

Punt rate limit exceeded:

    This counter will increment when the appliance attempts to forward a layer-2 packet to 
a rate-limited control point service routine and the rate limit (per/second) is now being 
exceeded. Currently, the only layer-2 packets destined for a control point service routine 
which are rate limited are ARP packets. The ARP packet rate limit is 500 ARPs per second 
per interface.

Recommendation:

    Analyze your network traffic to determine the reason behind the high rate of ARP 
packets.

 Syslogs:

    322002, 322003

These are arp inspection syslogs which get printed only in transparent mode.

Most of the times, the reason for theat asp drop message is a loop.

-Kureli

ASA sh asp drop and syslog

Pavel Pokorny — Sun, 03 Jun 2012 19:15:09 GMT

Hi,

Thanks for hint. I know this explanation - but it dind't help, so I've put question here.

Where is it written, that those messages are printed only in transparent mode?

http://www.cisco.com/en/US/docs/security/asa/asa83/system/message/logmsgs.html#wp4771509

I have fw in routed mode.

I give you example of capture:

1: 11:48:13.171301 5c26.0a4c.ed53 0100.5e0c.0045 0x0800 492: 10.18.0.69.61818 > 227.12.0.69.11000: [udp sum ok] udp 450 [ttl 1] (id 22159) Drop-reason: (punt-rate-limit) Punt rate limit exceeded

2: 11:48:13.171377 5c26.0a4c.ed53 0100.5e0c.0045 0x0800 492: 10.18.0.69.61818 > 227.12.0.69.11000: [udp sum ok] udp 450 [ttl 1] (id 22160) Drop-reason: (punt-rate-limit) Punt rate limit exceeded

How can I involve ARP inspection on ASA?

Thank you very much.

Pavel

ASA sh asp drop and syslog

Kureli Sankar — Sun, 03 Jun 2012 22:49:45 GMT

Arp inspection can only be enabled on TFW.

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/a2.html#wp1716385

See the table - command modes.

-Kureli

ASA sh asp drop and syslog

Pavel Pokorny — Mon, 04 Jun 2012 05:53:39 GMT

Aaah,

Blind, sorry.

Al right, but tell me please, right explanation of messages I gave you.

Because, I have 8.2.4 in Routed mode.

Do you have any?

Thank very much.

Pavel