11-26-2012 12:55 PM - edited 03-11-2019 05:28 PM
Hi all,
I see this in ASA logs
ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 22 per second, max configured rate is 5; Cumulative total count is 13472
After this I did sh asp drop and then clear asp drops.
sh asp drop
Frame drop:
Flow is denied by configured rule (acl-drop) 8295
First TCP packet not SYN (tcp-not-syn) 165
TCP failed 3 way handshake (tcp-3whs-failed) 4
TCP RST/FIN out of order (tcp-rstfin-ooo) 140
TCP packet SEQ past window (tcp-seq-past-win) 101
TCP Out-of-Order packet buffer full (tcp-buffer-full) 48
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 7
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 77
TCP packet failed PAWS test (tcp-paws-fail) 21
Last clearing: 20:46:35 UTC Nov 26 2012 by cc4708n
Flow drop:
Flow is denied by access rule (acl-drop) 168
NAT reverse path failed (nat-rpf-failed) 44
Here it shows frames dropped due to ACL.
Is there any way I can see which ACL this is and whether it is inbound or outbound?
Thanks
mahesh
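The counters in show asp drop are cumulative since the last clear asp drop, so a single snapshot only says how many packets have ever been dropped for a reason; two snapshots a known interval apart say which reasons are still active. The following parser is an added example, not code from the thread or from Cisco: it reads the output pasted above, takes a second snapshot (constructed here, not real output) and reports the drop reasons whose rate is still above a threshold.

```python
import re

# Snapshot copied from the "sh asp drop" output pasted in the question.
ASP_DROP_T0 = """\
Frame drop:
Flow is denied by configured rule (acl-drop) 8295
First TCP packet not SYN (tcp-not-syn) 165
TCP failed 3 way handshake (tcp-3whs-failed) 4
TCP RST/FIN out of order (tcp-rstfin-ooo) 140
TCP packet SEQ past window (tcp-seq-past-win) 101
TCP Out-of-Order packet buffer full (tcp-buffer-full) 48
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 7
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 77
TCP packet failed PAWS test (tcp-paws-fail) 21
Last clearing: 20:46:35 UTC Nov 26 2012 by cc4708n
Flow drop:
Flow is denied by access rule (acl-drop) 168
NAT reverse path failed (nat-rpf-failed) 44
"""

# Constructed second snapshot, assumed to be taken 60 s later (illustrative values, not real output).
ASP_DROP_T1 = """\
Frame drop:
Flow is denied by configured rule (acl-drop) 9100
First TCP packet not SYN (tcp-not-syn) 170
Last clearing: 20:46:35 UTC Nov 26 2012 by cc4708n
Flow drop:
Flow is denied by access rule (acl-drop) 180
NAT reverse path failed (nat-rpf-failed) 44
"""

# "<description> (<counter-name>) <count>"; the "Last clearing:" line has no
# parenthesised counter name and is deliberately skipped.
COUNTER_RE = re.compile(r"^(?P<desc>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text):
    """Return {"Frame drop": {name: count}, "Flow drop": {name: count}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("drop:"):
            current = line[:-1]
            sections.setdefault(current, {})
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = int(m.group("count"))
    return sections


def drop_deltas(before, after):
    """Increase of every counter between two snapshots, keyed (section, name).

    Counters are cumulative since the last 'clear asp drop', so only the delta
    shows whether a drop reason is still happening. A counter that went down
    means it was cleared in between, so the whole new value counts.
    """
    deltas = {}
    for section, counters in after.items():
        for name, count in counters.items():
            prev = before.get(section, {}).get(name, 0)
            if count < prev:
                prev = 0
            deltas[(section, name)] = count - prev
    return deltas


def active_drops(deltas, interval_s, min_rate=1.0):
    """[(section, name, drops_per_second)] for reasons at or above min_rate, busiest first."""
    rows = []
    for (section, name), delta in deltas.items():
        rate = round(delta / interval_s, 2)
        if rate >= min_rate:
            rows.append((section, name, rate))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    t0, t1 = parse_asp_drop(ASP_DROP_T0), parse_asp_drop(ASP_DROP_T1)
    for section, name, rate in active_drops(drop_deltas(t0, t1), 60):
        print(f"{section}: {name} still dropping at {rate}/s")
```

Run it against two real captures taken a minute apart and only the reasons that are still incrementing are reported; a large but static acl-drop count is history, not a current problem.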
11-27-2012 12:44 AM
Hi,
sh access-list should give you the hit counts.
Regards.
Alain
Don't forget to rate helpful posts.
11-27-2012 07:58 AM
Hi Alain,
I did sh access-list.
It shows me quite a few hit counts.
Should I look for a hit count with the exact number like 8295,
or do I have to find all hit counts and see that the sum matches the current ASP drop?
Thanks
Mahesh
11-27-2012 10:07 AM
Hi,
I took a closer look at the doc concerning asp drop, and it can be lots of stuff, so I don't think that show access-list will be enough to troubleshoot the issue. I'll leave the firewall experts to help you.
Regards.
Alain
Don't forget to rate helpful posts.
11-27-2012 11:02 AM
Hello Mahesh,
Well, the log you are seeing is related to the threat detection feature with scanning enabled.
Threat detection basically collects information such as access lists, ports, protocols, etc. and creates a “database”. The log just indicates that the burst threshold rate or average threshold rate has been exceeded.
Now, the show asp drop command shows the packets or connections dropped by the ASA, and the “flow is denied by configured rule (acl-drop)” counter is incremented when a packet hits a drop rule and gets dropped (99% by the implicit deny on the outside interface), when an ACL is applied to an interface, or by any other feature, etc. Apart from default rule drops, a packet could be dropped because of:
ACL configured on an interface
ACL configured for AAA and AAA denied the user
Thru-box traffic arriving at management-only ifc
Unencrypted traffic arriving on a ipsec-enabled interface
If you want to look at which ACL is dropping packets, there is no detailed information in the asp drop output; most likely it’s going to generate 106023, 106100 or 106004 if one of the ACLs listed below is fired.
I hope it helps.
Juan Lombana
Please rate helpful posts.
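Juan's two points, that the 733100 message only reports a burst or average threshold being crossed and that the ACL itself shows up in the 106023/106100 syslogs rather than in show asp drop, can be turned into a small log triage script. This is an added example, not code from the thread or from Cisco: the 733100 line is the one Mahesh posted, while the 106023 and 106100 lines, their ACL names and addresses are constructed samples in the standard ASA message formats (it assumes logging for those message IDs is enabled and forwarded). It decodes which threshold tripped the threat-detection message and counts denies per access-group and interface pair.

```python
import re
from collections import Counter

# Sample log lines. The 733100 line is the one from the question; the 106023 /
# 106100 lines are constructed for illustration (documentation addresses,
# made-up ACL names) and are not from the thread.
SAMPLE_LOG = """\
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 22 per second, max configured rate is 5; Cumulative total count is 13472
%ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:192.168.10.20/445 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.5/51235 dst inside:192.168.10.21/445 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src dmz:192.0.2.8/5353 dst inside:192.168.10.5/53 by access-group "dmz_access_in" [0x0, 0x0]
%ASA-6-106100: access-list outside_access_in denied tcp outside/203.0.113.9(40000) -> inside/192.168.10.20(3389) hit-cnt 1 first hit [0x0, 0x0]
"""

# Threat-detection rate message: object in brackets, rate id, burst and average
# rates with their configured maxima, cumulative total.
TD_RE = re.compile(
    r"%?ASA-\d-733100: \[\s*(?P<obj>[^\]]+?)\s*\] drop (?P<rate_id>rate-\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)
# 106023: one line per denied packet, names the access-group and both interfaces.
DENY_106023_RE = re.compile(
    r'%?ASA-\d-106023: Deny (?P<proto>\w+) src (?P<src_if>[^:\s]+):(?P<src>\S+) '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst>\S+) by access-group "(?P<acl>[^"]+)"'
)
# 106100: per-ACE logging, carries a hit count instead of one line per packet.
DENY_106100_RE = re.compile(
    r"%?ASA-\d-106100: access-list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>\S+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>\S+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)


def parse_threat_detection(line):
    """Decode a 733100 message and list which threshold(s) were exceeded."""
    m = TD_RE.search(line)
    if not m:
        return None
    fields = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
    checks = (("burst", fields["burst"], fields["burst_max"]),
              ("average", fields["avg"], fields["avg_max"]))
    fields["exceeded"] = [name for name, current, cap in checks if current > cap]
    return fields


def acl_deny_summary(log_text):
    """Count denies per (access-group, ingress interface, egress interface)."""
    summary = Counter()
    for line in log_text.splitlines():
        m = DENY_106023_RE.search(line)
        if m:
            summary[(m["acl"], m["src_if"], m["dst_if"])] += 1
            continue
        m = DENY_106100_RE.search(line)
        if m:
            summary[(m["acl"], m["src_if"], m["dst_if"])] += int(m["hits"])
    return summary


if __name__ == "__main__":
    td = parse_threat_detection(SAMPLE_LOG.splitlines()[0])
    print(f"threat detection [{td['obj']}] tripped on: {', '.join(td['exceeded'])}")
    for (acl, src_if, dst_if), n in acl_deny_summary(SAMPLE_LOG).most_common():
        print(f"{acl}: {n} denies {src_if} -> {dst_if}")
```

For the message in the question the average rate (22/s against a maximum of 5) is what tripped it, not the burst rate. The ingress interface in the summary is where the packet arrived; whether the named access-group is bound in or out on that interface is then read from show running-config access-group, which answers the inbound/outbound part of the original question.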
11-28-2012 11:46 AM
Hi Juan,
Thanks for reply.
So these are just informational messages?
They have no impact on the performance of the ASA?
Is there a way I can get rid of these logs?
Thanks
Mahesh
11-28-2012 12:29 PM
Mahesh,
Correct, they do not impact the ASA performance. You can stop the log from being generated, so you won’t see it on the syslog server or ASDM. You can run the following command:
no logging message 733100
At the beginning of the syslog you can see the ID:
ASA-4-733100:
I hope it helps
Juan Lombana
Please rate helpful posts.
11-28-2012 02:00 PM
Many thanks Alain & Juan
Regards
Mahesh