FTD issue - connection limit

S891 (Level 2)

I experienced a network downtime due to a possible issue with a Firepower 4115, and the suspect was a high number of connections/scanning. It caused downtime/slowness for about 10 minutes and then the problem went away automatically.

These are some of the messages in the log around the time the issue happened.

%FTD-3-209006: Fragment queue threshold exceeded, dropped UDP fragment

%FTD-4-209005: Discard IP fragment set with more than 24 elements:

%FTD-4-733101: Host 10.60.0.88 is attacking. Current burst rate is 11212 per second, max configured rate is 10; Current average rate is 8489 per second, max configured rate is 5; Cumulative total count is 10244532%

There are fewer logs on the FTD during the time we experienced the issue.

It seems like the FTD was under attack, as you can see the cumulative count crossed the 10 million mark.

Is the cumulative count the actual threshold of 10 million?

Any idea what could have happened and how to avoid it in future?
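The three log lines quoted above carry the answer to the threshold question inside the message itself: the %FTD-4-733101 line reports two "max configured rate" values (10 per second burst, 5 per second average), and the "Cumulative total count" is a running counter rather than a limit. The following parser is an added example written for this page, not code from the thread or from Cisco; it splits those fields out, flags which configured rate a host is over, and counts the fragment-reassembly drops from the 209005/209006 lines. The message shapes are taken from the lines as posted; the "is targeted" variant of 733101 and the sample log (built from the posted lines) are assumptions.

```python
"""Parse Cisco FTD/ASA threat-detection syslog lines and report which
configured rate was exceeded.

Added example, not code from the thread or from Cisco. Message shapes
follow the three lines quoted in the post; SAMPLE_LOG is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# %FTD-4-733101 as quoted in the post. The "targeted" alternative is an
# assumption (the post only shows the "attacking" form).
RATE_RE = re.compile(
    r"%(?:FTD|ASA)-4-733101: Host (?P<host>\S+) is (?P<role>attacking|targeted)\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)
FRAG_DROP_RE = re.compile(
    r"%(?:FTD|ASA)-3-209006: Fragment queue threshold exceeded, dropped (?P<proto>\w+) fragment"
)
FRAG_SET_RE = re.compile(
    r"%(?:FTD|ASA)-4-209005: Discard IP fragment set with more than (?P<limit>\d+) elements"
)


@dataclass
class RateEvent:
    host: str
    role: str
    burst_rate: int
    burst_max: int
    average_rate: int
    average_max: int
    cumulative_total: int

    def exceeded(self) -> List[str]:
        """Names of the configured limits the reported rates are above.
        Only the 'max configured rate' fields are limits; the cumulative
        total is a counter and is never compared against anything here."""
        out = []
        if self.burst_rate > self.burst_max:
            out.append("burst")
        if self.average_rate > self.average_max:
            out.append("average")
        return out


def parse_rate_event(line: str) -> Optional[RateEvent]:
    """Return a RateEvent for a 733101 line, or None for any other line."""
    m = RATE_RE.search(line)
    if not m:
        return None
    return RateEvent(
        host=m["host"], role=m["role"],
        burst_rate=int(m["burst"]), burst_max=int(m["burst_max"]),
        average_rate=int(m["avg"]), average_max=int(m["avg_max"]),
        cumulative_total=int(m["total"]),
    )


def summarize(lines: List[str]) -> Dict:
    """Roll a batch of syslog lines into per-host rate findings plus
    fragment-reassembly drop counts."""
    report = {"hosts": {}, "fragment_drops": 0, "fragment_set_limit": None}
    for line in lines:
        ev = parse_rate_event(line)
        if ev:
            h = report["hosts"].setdefault(
                ev.host, {"events": 0, "exceeded": set(), "max_cumulative": 0})
            h["events"] += 1
            h["exceeded"].update(ev.exceeded())
            h["max_cumulative"] = max(h["max_cumulative"], ev.cumulative_total)
            continue
        if FRAG_DROP_RE.search(line):
            report["fragment_drops"] += 1
            continue
        m = FRAG_SET_RE.search(line)
        if m:
            report["fragment_set_limit"] = int(m["limit"])
    return report


# Constructed sample: the three lines quoted in the post, in the order posted.
SAMPLE_LOG = [
    "%FTD-3-209006: Fragment queue threshold exceeded, dropped UDP fragment",
    "%FTD-4-209005: Discard IP fragment set with more than 24 elements:",
    "%FTD-4-733101: Host 10.60.0.88 is attacking. Current burst rate is 11212 per second, "
    "max configured rate is 10; Current average rate is 8489 per second, max configured "
    "rate is 5; Cumulative total count is 10244532",
]

if __name__ == "__main__":
    for host, info in summarize(SAMPLE_LOG)["hosts"].items():
        print(host, sorted(info["exceeded"]), info["max_cumulative"])
```

Run against the posted lines it reports 10.60.0.88 over both the burst and the average limit, with the cumulative counter at 10244532; the same parser can be pointed at a syslog export to see how often the host was re-reported and which of the two configured rates it was crossing.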

2 Replies

Mark Elsen (Hall of Fame)

> %FTD-4-733101: Host 10.60.0.88 is attacking.

The particular host address seems local; you could query its owner and/or isolate it on the network.

M.



-- Let everything happen to you
Beauty and terror
Just keep going
No feeling is final
Rainer Maria Rilke (1899)

I already isolated it, of course! But my question is: does the connection count of 10 million cause future connections to be dropped? How long is the cumulative connection count kept?
