05-31-2012 12:41 AM - edited 03-11-2019 04:13 PM
Dear all,
I have a little confusion about logging.
My setup (8.2.4):
sh run logg
logging enable
logging timestamp
logging emblem
logging list all level debugging
logging buffer-size 100000
logging asdm-buffer-size 512
logging monitor debugging
logging trap warnings
logging asdm errors
logging queue 8192
logging host inside monitor
logging permit-hostdown
no logging message 313005
no logging message 713042
logging message 111001 level errors
logging rate-limit 1000 10 level 7
I would like to see in syslog (ie):
#sh asp drop
Frame drop:
Punt rate limit exceeded (punt-rate-limit) NUMBER
According to the doc, when something happens that increases this counter, a syslog message should follow (322002, 322003).
But I can't see anything in syslog.
Is it bug or feature?
The same happens with other incidents regarding asp drop.
Is there any other chance (even temporarily) to start producing syslog messages for particular Frame drop, or Flow drop?
Or do I have to use packet capture only (which increases load of ASA, and in this case is not flexible as syslog)?
Thank you very much
Regards
Pavel
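One way to get notified about rising asp drop counters when no syslog is produced for them is to poll `show asp drop` and emit a message whenever a counter increases. This is an added Python example, not code from this thread or from Cisco; the sample `show asp drop` output and the message format are constructed, modelled on the format quoted in the question.

```python
import re
from typing import Dict, List

# Constructed sample of two "show asp drop" polls, following the layout
# quoted in the post: a section header, then "<text> (<short-name>) <count>".
SNAPSHOT_T0 = """\
Frame drop:
  Punt rate limit exceeded (punt-rate-limit)                         1200
  Flow is denied by configured rule (acl-drop)                         40
Flow drop:
  Inspection failure (inspect-fail)                                     3
"""

SNAPSHOT_T1 = """\
Frame drop:
  Punt rate limit exceeded (punt-rate-limit)                         1755
  Flow is denied by configured rule (acl-drop)                         40
Flow drop:
  Inspection failure (inspect-fail)                                     5
"""

# Counter line: leading spaces, description, "(short-name)", whitespace, count.
COUNTER_RE = re.compile(r"^\s+(?P<text>.+?) \((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(output: str) -> Dict[str, dict]:
    """Map each short drop name to its section, description and count."""
    counters, section = {}, "unknown"
    for line in output.splitlines():
        # Section headers ("Frame drop:", "Flow drop:") are not indented.
        if line.endswith(":") and not line.startswith(" "):
            section = line[:-1]
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m["name"]] = {"section": section, "text": m["text"], "count": int(m["count"])}
    return counters


def drop_deltas(before: str, after: str) -> List[str]:
    """Return one syslog-style line per counter that increased between polls."""
    old, new = parse_asp_drop(before), parse_asp_drop(after)
    msgs = []
    for name, cur in new.items():
        delta = cur["count"] - old.get(name, {"count": 0})["count"]
        if delta > 0:
            msgs.append(f"ASP-DROP {cur['section']} {name}: +{delta} ({cur['text']}), total {cur['count']}")
    return msgs


if __name__ == "__main__":
    for msg in drop_deltas(SNAPSHOT_T0, SNAPSHOT_T1):
        print(msg)
```

Run it on a schedule against the real command output (for example over SSH) and forward the returned lines to your syslog collector; only counters that actually moved produce a message.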
06-03-2012 08:36 AM
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s2.html#wp1555034
Name: punt-rate-limit
Punt rate limit exceeded:
This counter will increment when the appliance attempts to forward a layer-2 packet to a rate-limited control point service routine and the rate limit (per/second) is now being exceeded. Currently, the only layer-2 packets destined for a control point service routine which are rate limited are ARP packets. The ARP packet rate limit is 500 ARPs per second per interface.
Recommendation:
Analyze your network traffic to determine the reason behind the high rate of ARP packets.
Syslogs:
322002, 322003
These are arp inspection syslogs which get printed only in transparent mode.
Most of the time, the reason for that asp drop message is a loop.
-Kureli
06-03-2012 12:15 PM
Hi,
Thanks for the hint. I know this explanation, but it didn't help, so I've put the question here.
Where is it written that those messages are printed only in transparent mode?
http://www.cisco.com/en/US/docs/security/asa/asa83/system/message/logmsgs.html#wp4771509
I have fw in routed mode.
I'll give you an example of a capture:
1: 11:48:13.171301 5c26.0a4c.ed53 0100.5e0c.0045 0x0800 492: 10.18.0.69.61818 > 227.12.0.69.11000: [udp sum ok] udp 450 [ttl 1] (id 22159) Drop-reason: (punt-rate-limit) Punt rate limit exceeded
2: 11:48:13.171377 5c26.0a4c.ed53 0100.5e0c.0045 0x0800 492: 10.18.0.69.61818 > 227.12.0.69.11000: [udp sum ok] udp 450 [ttl 1] (id 22160) Drop-reason: (punt-rate-limit) Punt rate limit exceeded
How can I involve ARP inspection on ASA?
Thank you very much.
Pavel
06-03-2012 03:49 PM
ARP inspection can only be enabled on TFW.
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/a2.html#wp1716385
See the table - command modes.
-Kureli
06-03-2012 10:53 PM
Aaah,
Blind, sorry.
All right, but please tell me the right explanation of the messages I gave you.
Because, I have 8.2.4 in Routed mode.
Do you have any?
Thank you very much.
Pavel