Is %ASA-4-733100 ever useful?

Joseph Da Rosa
Level 1

I've upgraded some old PIXen to ASAs running 9.1(1) in the past few months, and have seen plenty of these:

Apr  8 16:33:32 myasa %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 13 per second, max configured rate is 50; Current average rate is 25 per second, max configured rate is 25; Cumulative total count is 15012

I'm wondering: has this message ever really helped anyone?  It provides no indication which host is causing the drop rate to be exceeded, to which host(s), on which ports, with which protocol, or what specifically was wrong with any of that traffic.  It's like an alarm that says "problem! (maybe) problem! (maybe) problem!"--so generic that it's not helpful.

Even when the same message is produced with an IP address instead of "[ Scanning ]" it's not useful in my experience, for many of the same reasons.  I currently see the message produced with the IP of our VPN server in the brackets, but without some indication of what specifically is making the ASA angry about the traffic to or from the VPN server, that information is of no use to me at all.  I've looked through the available "show threat-detection" information in the wake of these messages but it's still too general to be of any use.

Is there some way I'm missing to convert these messages into specific, useful, actionable information?

(BTW, I am not asking how to reduce the frequency of %ASA-4-733100 messages; I've already tuned the rates, as you can see.  I'd just like to know if anyone out there has managed to get some use out of them, and if so how.)
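An added parsing example (my own, not code from the original post or from Cisco) that pulls the fields out of %ASA-4-733100 messages so the per-IP variant can at least be tallied by host; the log lines are constructed, and treating the average counter as tripped at ">=" is an assumption drawn from the sample line above (average 25 against a configured max of 25).

```python
import re
from dataclasses import dataclass

# Shape of the 733100 body quoted in the question. The bracketed subject is either
# "Scanning" (the aggregate counter) or one IP address; bracket whitespace varies.
PATTERN = re.compile(
    r"%ASA-4-733100: \[\s*(?P<subject>[^\]]+?)\s*\] drop rate-(?P<interval>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)")


@dataclass
class ThreatEvent:
    subject: str   # "Scanning" or an IP address
    interval: int  # rate interval id (rate-1, rate-2, ...)
    burst: int
    burst_max: int
    avg: int
    avg_max: int
    total: int

    def tripped(self) -> list[str]:
        """Counters at or over their configured maximum. Assumption: the thread's
        sample shows average 25 vs max 25, so >= is used for both counters."""
        return [name for name, cur, mx in (("burst", self.burst, self.burst_max),
                                            ("average", self.avg, self.avg_max)) if cur >= mx]


def parse_line(line: str) -> "ThreatEvent | None":
    """ThreatEvent for a 733100 syslog line, None for any other message."""
    m = PATTERN.search(line)
    if not m:
        return None
    return ThreatEvent(m["subject"], *(int(m[k]) for k in
                       ("interval", "burst", "burst_max", "avg", "avg_max", "total")))


def summarize(lines: list[str]) -> dict[str, dict[str, int]]:
    """Per subject: number of 733100 messages and the highest cumulative count seen."""
    out: dict[str, dict[str, int]] = {}
    for ev in filter(None, map(parse_line, lines)):
        s = out.setdefault(ev.subject, {"messages": 0, "max_total": 0})
        s["messages"] += 1
        s["max_total"] = max(s["max_total"], ev.total)
    return out


SAMPLE_LOG = [  # constructed: the line quoted in the question plus two invented lines
    "Apr  8 16:33:32 myasa %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 13 per second, max configured rate is 50; Current average rate is 25 per second, max configured rate is 25; Cumulative total count is 15012",
    "Apr  8 16:35:10 myasa %ASA-4-733100: [ 192.0.2.10] drop rate-2 exceeded. Current burst rate is 60 per second, max configured rate is 50; Current average rate is 10 per second, max configured rate is 25; Cumulative total count is 3010",
    "Apr  8 16:35:11 myasa %ASA-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.10/4444 (192.0.2.10/4444) to inside:10.0.0.5/443 (10.0.0.5/443)",
]
```

Feeding a day of syslog through `summarize` shows which bracketed subjects recur and how fast their cumulative count grows, which is the only per-host signal the message itself carries.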

2 Replies

Joseph Da Rosa
Level 1

I'm going to take the lack of responses as a "no, it's not useful".  I'm at the point where I'm considering just disabling scanning threat detection entirely, which is a bit of a shame since that's one of the more desirable features for a firewall, but if it's not producing specific/useful/actionable information (and/or is false alarming based on the activity of internal servers, as we've seen) then there's not much value in keeping it enabled.

Hello Joseph,

I was going to explain to you why this is useful and how you should be careful, but I would say that it is better if I provide you with the best threat-detection documentation available.

Here you go

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bd3913.shtml

This should answer all of your questions and even more

remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC