Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1046
Views
5
Helpful
2
Replies

ASA error message/Is my network under attack?

Russell Pearson
Level 1
Level 1

‎12-03-2010 03:00 PM - edited ‎03-11-2019 12:18 PM

Hey there,

My network has been slow and I'm looking in the asa logs.
I see the following message...
Dec 03 2010 14:32:34: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 11 per second, max configured rate is 10; Current average rate is 2 per second, max configured rate is 5; Cumulative total count is 1302

What exactly does this mean?
Is it a vulnerable network/device attack, or intended as a DOS attack?
If so, what can I do to stop it?

Thanks in advance.

Labels:
0 Helpful
2 Replies 2

mirober2
Cisco Employee
Cisco Employee

‎12-04-2010 06:54 AM

Hello,

You're seeing those messages because the threat-detection feature on the ASA is enabled and it is letting you know that the ASA was dropping packets at a burst rate of 11 per second. This message is intended as an alert that the ASA is dropping a significant amount of packets that is beyond the configured threshold (10).

To see what packets are being dropped, you can do a 'show asp drop'. This will give you the number of packets that have been dropped by the ASA and the reasons they were dropped. The best way to troubleshoot this is to do 'clear asp drop' to reset the counters and then configure an ASP drop capture with the 'capture drop type asp-drop all' command. Once this is setup, you can use 'show asp drop' and 'show capture drop' to understand what specific packets are being dropped and why. This will give you an indication if the messages are referring to a network attack, a configuration problem, or if this is just a normal rate of dropped packets for your environment.

Here is a list of the various drop reasons and their explanations:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s2.html#wp1435096

And here is an explanation of the syslog message you're seeing, which includes some recommended actions:

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4963969

Hope that helps.

-Mike

Russell Pearson
Level 1
Level 1
In response to mirober2

‎12-04-2010 08:49 AM

Great reply.

Thank you very much.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card