ASA sh asp drop and syslog

Pavel Pokorny
Level 1

Dear all,

I have a little confusion about logging.

My setup (8.2.4):

sh run logg

logging enable
logging timestamp
logging emblem
logging list all level debugging
logging buffer-size 100000
logging asdm-buffer-size 512
logging monitor debugging
logging trap warnings
logging asdm errors
logging queue 8192
logging host inside monitor
logging permit-hostdown
no logging message 313005
no logging message 713042
logging message 111001 level errors
logging rate-limit 1000 10 level 7

I would like to see in syslog (i.e.):

#sh asp drop

Frame drop:

  Punt rate limit exceeded (punt-rate-limit)      NUMBER

According to the doc, when something happens that increases this counter, a syslog message should follow (322002, 322003).

But I can't see anything in syslog.

Is it bug or feature?

The same happens with other incidents regarding asp drop.

Is there any other way (even temporarily) to start producing syslog messages for a particular Frame drop or Flow drop?

Or do I have to use packet capture only (which increases the load on the ASA, and in this case is not as flexible as syslog)?

Thank you very much

Regards

Pavel


Kureli Sankar
Cisco Employee

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s2.html#wp1555034

Name: punt-rate-limit

Punt rate limit exceeded:

This counter will increment when the appliance attempts to forward a layer-2 packet to a rate-limited control point service routine and the rate limit (per/second) is now being exceeded. Currently, the only layer-2 packets destined for a control point service routine which are rate limited are ARP packets. The ARP packet rate limit is 500 ARPs per second per interface.

Recommendation:

Analyze your network traffic to determine the reason behind the high rate of ARP packets.

Syslogs:

322002, 322003

These are ARP inspection syslogs which get printed only in transparent mode.

Most of the time, the reason for that asp drop message is a loop.

-Kureli

Hi,

Thanks for the hint. I know this explanation, but it didn't help, so I've put the question here.

Where is it written that those messages are printed only in transparent mode?

http://www.cisco.com/en/US/docs/security/asa/asa83/system/message/logmsgs.html#wp4771509

I have the FW in routed mode.

I give you an example of a capture:

   1: 11:48:13.171301 5c26.0a4c.ed53 0100.5e0c.0045 0x0800 492: 10.18.0.69.61818 > 227.12.0.69.11000:  [udp sum ok] udp 450 [ttl 1] (id 22159) Drop-reason: (punt-rate-limit) Punt rate limit exceeded

   2: 11:48:13.171377 5c26.0a4c.ed53 0100.5e0c.0045 0x0800 492: 10.18.0.69.61818 > 227.12.0.69.11000:  [udp sum ok] udp 450 [ttl 1] (id 22160) Drop-reason: (punt-rate-limit) Punt rate limit exceeded

How can I enable ARP inspection on the ASA?

Thank you very much.

Pavel

ARP inspection can only be enabled on a TFW.

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/a2.html#wp1716385

See the table - command modes.

-Kureli

Aaah,

Blind, sorry.

All right, but please tell me the right explanation of the messages I gave you.

Because, I have 8.2.4 in Routed mode.

Do you have any?

Thank you very much.

Pavel
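Since the 322002/322003 syslogs only appear in transparent mode, one defender-side alternative for a routed-mode ASA is to poll "show asp drop" on a schedule and alert on counter growth. The Python below is an added example, not code from this thread or from Cisco; the two snapshots are constructed in the output format shown above, and the counter names other than punt-rate-limit and the 500-per-poll threshold are assumed values.

```python
import re
from typing import Dict, Tuple

# Matches one counter line of "show asp drop", e.g.
#   "  Punt rate limit exceeded (punt-rate-limit)      1000"
# group 1: description, group 2: short name in parentheses, group 3: count
COUNTER_RE = re.compile(r"^\s*(.+?)\s+\((\S+)\)\s+(\d+)\s*$")

def parse_asp_drop(output: str) -> Dict[str, Dict[str, int]]:
    """Parse 'show asp drop' text into {"Frame drop": {name: count}, "Flow drop": {...}}."""
    sections: Dict[str, Dict[str, int]] = {}
    current = None
    for line in output.splitlines():
        if not line.strip():
            continue
        # Section headers ("Frame drop:", "Flow drop:") are unindented and end with a colon.
        if line.rstrip().endswith(":") and not line.startswith(" "):
            current = line.strip().rstrip(":")
            sections[current] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            sections[current][m.group(2)] = int(m.group(3))
    return sections

def drop_deltas(before, after) -> Dict[Tuple[str, str], int]:
    """Per-counter increase between two snapshots; only counters that grew are returned."""
    deltas = {}
    for section, counters in after.items():
        for name, count in counters.items():
            prev = before.get(section, {}).get(name, 0)
            if count > prev:
                deltas[(section, name)] = count - prev
    return deltas

def alerts(before, after, threshold: int) -> Dict[Tuple[str, str], int]:
    """Counters whose growth since the previous poll reached the alert threshold."""
    return {k: v for k, v in drop_deltas(before, after).items() if v >= threshold}

# Constructed sample snapshots (not real device output) in the format shown in the thread.
SNAPSHOT_1 = """Frame drop:
  Punt rate limit exceeded (punt-rate-limit)      1000
  Flow is denied by configured rule (acl-drop)    250

Flow drop:
  NAT failed (nat-xlate-failed)                   12
"""
SNAPSHOT_2 = SNAPSHOT_1.replace("1000", "1600").replace("250", "255")

if __name__ == "__main__":
    for (section, name), delta in alerts(parse_asp_drop(SNAPSHOT_1), parse_asp_drop(SNAPSHOT_2), 500).items():
        print(f"{section}: {name} increased by {delta} since last poll")
```

In production the two snapshots would come from successive "show asp drop" outputs collected over SSH or SNMP, with the alert forwarded to whatever syslog collector the "logging host" line already points at.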
