05-10-2023 09:57 AM - edited 05-10-2023 09:58 AM
I experienced a network downtime due to a possible issue with Firepower 4115, and the suspect was a high number of connections / scanning. It caused downtime / slowness for about 10 minutes, and then the problem went away automatically.
These are some of the messages in the log around the time the issue happened.
%FTD-3-209006: Fragment queue threshold exceeded, dropped UDP fragment
%FTD-4-209005: Discard IP fragment set with more than 24 elements:
%FTD-4-733101: Host 10.60.0.88 is attacking. Current burst rate is 11212 per second, max configured rate is 10; Current average rate is 8489 per second, max configured rate is 5; Cumulative total count is 10244532%
There are fewer logs on the FTD during the time we experienced issue.
It seems like the FTD was under attack, as you can see the cumulative count crossed the 10 million mark.
Is the cumulative count the actual threshold of 10 million?
Any idea what could have happened and how to avoid it in future?
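An added example (not from the original thread and not Cisco's own tooling) that parses the %FTD-4-733101 scanning-threat message and counts the fragment messages quoted above, so burst and average rates can be compared against the configured thresholds by script rather than by eye; the sample log is constructed, and its fourth line is an unrelated access-list message.

```python
import re
from typing import Optional

# Regex for the threat-detection message quoted in the post (%FTD-4-733101):
# burst/average rates, the configured thresholds, and the cumulative count.
SCAN_RE = re.compile(
    r"%FTD-4-733101: Host (?P<host>\S+) is attacking\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)
# Fragment-reassembly messages that appeared alongside the scan in the post.
FRAGMENT_IDS = {"209005", "209006"}

def parse_scan_alert(line: str) -> Optional[dict]:
    """Parse a 733101 message into ints, plus how far over the burst threshold it is."""
    m = SCAN_RE.search(line)
    if not m:
        return None
    alert = {k: int(v) for k, v in m.groupdict().items() if k != "host"}
    alert["host"] = m["host"]
    alert["burst_factor"] = alert["burst"] / alert["burst_max"]  # e.g. 11212/10
    return alert

def summarize(log_text: str) -> dict:
    """Per-host scan alerts (highest cumulative count kept) and fragment-drop count."""
    hosts, fragment_drops = {}, 0
    for line in log_text.splitlines():
        alert = parse_scan_alert(line)
        if alert:
            prev = hosts.get(alert["host"])
            if prev is None or alert["total"] > prev["total"]:
                hosts[alert["host"]] = alert
        elif (m := re.match(r"%FTD-\d-(\d+):", line)) and m.group(1) in FRAGMENT_IDS:
            fragment_drops += 1
    return {"hosts": hosts, "fragment_drops": fragment_drops}

# Constructed sample: the three messages from the post plus an unrelated one.
SAMPLE_LOG = """\
%FTD-3-209006: Fragment queue threshold exceeded, dropped UDP fragment
%FTD-4-209005: Discard IP fragment set with more than 24 elements:
%FTD-4-733101: Host 10.60.0.88 is attacking. Current burst rate is 11212 per second, max configured rate is 10; Current average rate is 8489 per second, max configured rate is 5; Cumulative total count is 10244532
%FTD-6-106100: access-list inside permitted tcp inside/10.60.0.10(51000) -> outside/203.0.113.5(443) hit-cnt 1 first hit
"""
if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for host, a in report["hosts"].items():
        print(f"{host}: burst {a['burst']}/s ({a['burst_factor']:.0f}x limit), "
              f"avg {a['avg']}/s, cumulative {a['total']:,}")
    print(f"fragment-drop messages: {report['fragment_drops']}")
```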
05-10-2023 11:09 PM
>...%FTD-4-733101: Host 10.60.0.88 is attacking.
The particular host address seems local; you could query its owner and/or isolate it on the network.
M.
05-10-2023 11:15 PM
I already isolated it... of course! But my question is: does the connection count of 10 million cause future connections to be dropped? How long is the cumulative connection count kept?