
%ASA-3-209006: Fragment queue threshold exceeded, dropped UDP fragment

sandeeprao
Level 1

Hi Team,

I am looking for more information and eventually a recommendation on the following syslog alert.

%ASA-3-209006: Fragment queue threshold exceeded, dropped UDP fragment from <source-ip> to <destination-ip> on Internet interface.

There are quite a few of them in our logs, and apparently it is an indicator of a DoS attack (UDP/IP fragmentation). This resulted in the ASA getting choked and eventually resulted in an outage. However, it is not quite clear what the recommendation is to prevent further incidents and keep the ASA alive and kicking.

Also, I couldn't quite locate this syslog message code in the Cisco documentation here:

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html

Looks like we need a doc bug to get this added.

I would appreciate it if anyone can provide more insights on the above syslog and any recommendation on threshold configurations that we can enforce on the ASA or at the ISP that can prevent future incidents.

Thanks.


1 Reply

czellers
Level 1

209006

Error Message %ASA-4-209006: Fragment queue threshold exceeded, dropped TCP fragment from IP address/port to IP address/port on outside interface.

Explanation The ASA drops a TCP fragment when the fragment database threshold, that is 2/3 of the queue size per interface, has been exceeded.

Recommended Action None required.


https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslog-messages-201002-to-219002.html#Cisco_Concept.dita_0a15872e-a3d7-4cbb-b2a5-97d6e1f9298d
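As an added example (not from the original post or from Cisco), the following parser takes both forms of the 209006 message discussed above, the UDP form with bare addresses and the TCP form with address/port pairs, accepts either severity digit, and counts drops per interface and source so the noisiest fragment sources stand out for a threshold or ISP discussion. The log lines, hostnames and addresses are constructed samples.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Matches the UDP form seen in the question (bare IPs) and the TCP form from the
# Cisco syslog reference (ip/port pairs); the severity digit (3 or 4) is captured.
FRAG_DROP_RE = re.compile(
    r"%ASA-(?P<sev>\d)-209006: Fragment queue threshold exceeded, dropped "
    r"(?P<proto>UDP|TCP) fragment from (?P<src>\S+) to (?P<dst>\S+) "
    r"on (?P<iface>\S+) interface"
)

@dataclass(frozen=True)
class FragDrop:
    severity: int
    proto: str
    src_ip: str
    dst_ip: str
    iface: str

def parse_frag_drop(line: str) -> Optional[FragDrop]:
    """Return a FragDrop for a 209006 line, or None for any other syslog line."""
    m = FRAG_DROP_RE.search(line)
    if not m:
        return None
    # The TCP form writes "ip/port"; drop the port so both forms aggregate per host.
    src = m.group("src").split("/")[0]
    dst = m.group("dst").split("/")[0]
    return FragDrop(int(m.group("sev")), m.group("proto"), src, dst, m.group("iface"))

def top_fragment_sources(lines: Iterable[str], min_drops: int = 3) -> List[Tuple[str, str, int]]:
    """Count 209006 drops per (interface, source IP); return (iface, src, count)
    for sources at or above min_drops, most frequent first."""
    counts: Counter = Counter()
    for line in lines:
        d = parse_frag_drop(line)
        if d:
            counts[(d.iface, d.src_ip)] += 1
    return [(i, s, n) for (i, s), n in counts.most_common() if n >= min_drops]

# Constructed sample lines using RFC 5737 documentation addresses (not real logs).
SAMPLE_LOG = [
    "Jan 10 10:00:01 fw1 %ASA-3-209006: Fragment queue threshold exceeded, dropped UDP fragment from 203.0.113.7 to 198.51.100.10 on Internet interface.",
    "Jan 10 10:00:01 fw1 %ASA-3-209006: Fragment queue threshold exceeded, dropped UDP fragment from 203.0.113.7 to 198.51.100.10 on Internet interface.",
    "Jan 10 10:00:02 fw1 %ASA-3-209006: Fragment queue threshold exceeded, dropped UDP fragment from 203.0.113.7 to 198.51.100.11 on Internet interface.",
    "Jan 10 10:00:02 fw1 %ASA-3-209006: Fragment queue threshold exceeded, dropped UDP fragment from 203.0.113.9 to 198.51.100.10 on Internet interface.",
    "Jan 10 10:00:03 fw1 %ASA-4-209006: Fragment queue threshold exceeded, dropped TCP fragment from 203.0.113.9/4444 to 198.51.100.10/53 on outside interface.",
    "Jan 10 10:00:03 fw1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/4444 (203.0.113.9/4444) to inside:198.51.100.10/53 (198.51.100.10/53)",
]
```

Feeding the real syslog export in place of SAMPLE_LOG gives the per-interface source list; the 2/3-of-queue threshold the reference describes is per interface, which is why the count is keyed on the interface as well as the source.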
