
High Discard rate on a FW interface

e.craig
Level 1

Hi,

I am getting alerts on high discard rates on FW interfaces via a monitoring tool. Just want to validate whether the packets dropped by ACLs are also contributing to the high discard rate counter. If this is the case, what would be an acceptable threshold to set for High Discard rate on FW interfaces to ensure I do not miss an actual issue regarding high discard rate? "Interface::I-Interface_Performance_CiscoRouter_Ethernet-IF-XXX-XXXX-SEC/4::HighDiscardRate"


Julio Carvajal
VIP Alumni

Hello,

The packet drops being seen on the ASA interfaces are related to the security checks being done by the firewall (this involves inspections, ACLs, RPF checks, etc.), so there is no threshold; it will all depend on how much traffic you are receiving on your ASA.

Regards,

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi, thanks. The threshold I was speaking of would be on the monitoring system (when to alert on).

Hello,

Well, that would depend again on the environment you have there.

As an example, I would not focus much on ACL drop logs (as they are already being denied, although it will let you know what traffic is trying to reach your network), but the threshold would be way higher based on the fact that it is common to drop a lot of traffic via an ACL.

But I do not have a specific threshold that I could provide, as it will depend on the environment.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
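
The reply above says a usable alert level depends on the interface's own traffic rather than on a fixed number; one way to express that in a monitoring system is a baseline-relative check. This is an added example, not code from the thread or from Cisco: it assumes the monitoring tool polls the IF-MIB counters `ifInDiscards` and `ifInUcastPkts`, and the sample polls and the tuning values (`warmup`, `k`, `floor`) are constructed.

```python
from statistics import median

COUNTER32_MOD = 2**32  # IF-MIB ifInDiscards / ifInUcastPkts are Counter32

# Constructed polls, oldest first: (ifInDiscards, ifInUcastPkts).
# The discard counter wraps past 2**32 between the third and fourth poll.
POLLS = [
    (4294965296, 1000000), (4294966096, 1009200), (4294966946, 1018350),
    (430, 1027570), (1250, 1036750), (2040, 1045960), (2850, 1055150),
    (3680, 1064320), (7680, 1070320), (8480, 1079520),
]

def delta(prev, cur):
    """Counter difference that survives a single 32-bit wrap."""
    return (cur - prev) % COUNTER32_MOD

def discard_pct(samples):
    """Discard percentage for each polling interval."""
    out = []
    for (d0, p0), (d1, p1) in zip(samples, samples[1:]):
        dropped, delivered = delta(d0, d1), delta(p0, p1)
        seen = dropped + delivered
        out.append(100.0 * dropped / seen if seen else 0.0)
    return out

def anomalies(pcts, warmup=6, k=5.0, floor=0.5):
    """Flag intervals whose discard % exceeds this interface's own baseline.

    Baseline is the median of all earlier intervals; spread is the median
    absolute deviation (MAD), with a floor so a very flat history does not
    alert on noise. warmup, k and floor are assumed tuning values.
    """
    flagged = []
    for i in range(warmup, len(pcts)):
        history = pcts[:i]
        base = median(history)
        mad = median(abs(x - base) for x in history)
        limit = base + k * max(mad, floor)
        if pcts[i] > limit:
            flagged.append((i, round(pcts[i], 2), round(limit, 2)))
    return flagged

if __name__ == "__main__":
    pcts = discard_pct(POLLS)
    print([round(p, 1) for p in pcts])
    print(anomalies(pcts))
```

With these polls the interface steadily discards about 8% of what it receives, which never alerts; only the interval that jumps to 40% is flagged.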

Thank you for your feedback, much appreciated

Hello,

Do you have any other questions?

Otherwise you can mark the question as answered.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC