I am looking at the ASA syslog for my website IP.  I found lots of logs like this happened at exact same time and second and date (for different port, eg. 33670, 336578), appeared 31x and then 2 mins later, appear 31x again.

%ASA-4-434002: SFR requested to drop TCP packet from DMZ:<site IP>/443 to EXTERNAL:52.55.179.122/36520

At the same date and time (slightly different with seconds), on my web server, system event log shows error for Schannel:

Event ID 36888
The following fatal alert was generated: 40. The internal error state is 1205.

Event ID 36874
An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

Questions:

1) if SFR can detect and drop the packet from that EXTERNAL IP, then why web server still receive those Schannel error messages? I assume SFR drop the packets before they can reach the web server.  So, those schannel errors shouldn't appear on the system event log at all.  Did i misunderstand somewhere?

2) Why the same ASA message ID: %ASA-4-434002: appears 2 mins later on the syslog server? Reported by the same host name (primary/active).

3) I have lots of these 434002 warning messages from syslogs, they are all from amazon.com web service / data center.  Any recommendation for preventing them to hit my site? Each time, different IP was reported, i don't think blocking the IP is an effective way.