FTD issue - connection limit

S891 · ‎05-10-2023

I experienced a network downtime due to possible issue with Firepower 4115 and the suspect was high number of connections/ scanning. It caused downtime/ slowness for about 10 minutes and then problem went away automatically.

These are some of the messages in the log aroud the time the issue happened.

%FTD-3-209006: Fragment queue threshold exceeded, dropped UDP fragment

%FTD-4-209005: Discard IP fragment set with more than 24 elements:

%FTD-4-733101: Host 10.60.0.88 is attacking. Current burst rate is 11212 per second, max configured rate is 10; Current average rate is 8489 per second, max configured rate is 5; Cumulative total count is 10244532%

There are fewer logs on the FTD during the time we experienced issue.

It seems like the FTD was under attack as you can see the cumulaive count crossed 10 Million mark.

Is the cumulative count the actual threshold of 10 Million?

Any idea what could have happened and how to avoid in future?

marce1000 · ‎05-10-2023

>...%FTD-4-733101: Host 10.60.0.88 is attacking.
The particular host address seems local , you could query it's owner and or isolate it on the network ,

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

S891 · ‎05-10-2023

I already isolated it..ofcourse! But my question sis that does the connection count of 10Million cause future connections to be dropped? How long does the cumulative connection count kept?