cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1373
Views
0
Helpful
1
Replies
Highlighted
Beginner

Scanning problem

Hello,

I have a remote site with 5 peoples with ASA 5505 just behind the ISP router.

I keep observes message like this in my syslog servers.

Nov 26 09:42:21 Nov-******** 26 2012 09:42:21: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 4 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4344

Nov 26 09:42:41 Nov-******** 26 2012 09:42:41: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 3 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4371

Nov 26 09:43:01 Nov-******** 26 2012 09:43:01: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 4 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4359

Nov 26 09:43:21 Nov-******** 26 2012 09:43:21: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 3 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4355

Nov 26 09:43:41 Nov-******** 26 2012 09:43:41: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 3 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4372

Nov 26 09:43:41 Nov-******** 26 2012 09:43:41: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 7 per second, max configured rate is 4; Cumulative total count is 26008

Nov 26 09:44:01 Nov-******** 26 2012 09:44:01: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 4 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4311

Nov 26 09:44:21 Nov-******** 26 2012 09:44:21: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 3 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4312

Nov 26 09:44:41 Nov-******** 26 2012 09:44:41: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 4 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4282

My conf for the threat part is based on default config for "threat detection" :

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

I'm in versions:

-ASA Version 8.4(4)1 

-asdm-649-103.bin

But I've configured some service policy to have compression with internal equipment between this site and the datacenter, and to allow the user to ping and ftp everywhere:

tcp-map MY_tcpmap

  queue-limit 20 timeout 4

  synack-data allow

  invalid-ack allow

  seq-past-window allow

  tcp-options range 26 26 allow

  tcp-options range 28 28 allow

  no ttl-evasion-protection

  urgent-flag allow

!

access-list inside-mpc_1 extended permit ip object-group INTERN_SUBS object-group REMOTE_VPN_SUBS

class-map ipe-compress-class

match access-list inside-mpc_1

access-list inside_mpc extended permit ip object INTERN_SUB1 object INTERN_SUB2

class-map inside-class

match access-list inside_mpc

policy-map inside-policy

class inside-class

  set connection advanced-options tcp-state-bypass

class ipe-compress-class

  set connection random-sequence-number disable

  set connection advanced-options MY_tcpmap

service-policy inside-policy interface inside

class-map icmp-class

match default-inspection-traffic

class-map ftp-class

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map icmp_policy

class icmp-class

  inspect icmp

class ftp-class

  inspect ftp

service-policy icmp_policy interface outside

When I'm looking with ADSM the debugging view, I see a lot of broadcast issued by one of the computer. I think the problematic software is Dell Stage and I'm working with the user to remove it.

But even if this problematic user is not at office, there is that kind of message.
Can someone help me to identify the bad traffic ?

Please tell me if you need more informations.

Best regards

1 REPLY 1
Highlighted
Beginner

Hi everyone,
I still observe these message in my syslog permanently.

Dec  3 04:34:50 Dec-****** 03 2012 04:34:50: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 8 per second, max configured rate is 4; Cumulative total count is 30079

Dec  3 04:35:10 Dec-****** 03 2012 04:35:10: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 4 per second, max configured rate is 10; Current average rate is 8 per second, max configured rate is 5; Cumulative total count is 4945

Dec  3 04:35:30 Dec-****** 03 2012 04:35:30: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 3 per second, max configured rate is 10; Current average rate is 8 per second, max configured rate is 5; Cumulative total count is 4929

Dec  3 04:35:50 Dec-****** 03 2012 04:35:50: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 4 per second, max configured rate is 10; Current average rate is 8 per second, max configured rate is 5; Cumulative total count is 4945

Dec  3 04:36:10 Dec-****** 03 2012 04:36:10: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 4 per second, max configured rate is 10; Current average rate is 8 per second, max configured rate is 5; Cumulative total count is 4954

Dec  3 04:36:31 Dec-****** 03 2012 04:36:31: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 3 per second, max configured rate is 10; Current average rate is 8 per second, max configured rate is 5; Cumulative total count is 4960

...
It's very annonying...


The only thing I can add is:

****# sh asp drop

Frame drop:

  NAT-T keepalive message (natt-keepalive)                                 86325

  IPSEC tunnel is down (ipsec-tun-down)                                     1456

  Punt no memory (punt-no-mem)                                               118

  Invalid encapsulation (invalid-encap)                                      379

  Invalid IP header (invalid-ip-header)                                        6

  Invalid IP length (invalid-ip-length)                                        2

  Reverse-path verify failed (rpf-violated)                                    1

  Flow is denied by configured rule (acl-drop)                           1501067

  Invalid SPI (np-sp-invalid-spi)                                             10

  First TCP packet not SYN (tcp-not-syn)                                   13218

  TCP data send after FIN (tcp-data-past-fin)                                  5

  TCP failed 3 way handshake (tcp-3whs-failed)                             15380

  TCP RST/FIN out of order (tcp-rstfin-ooo)                                67556

  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                             6

  TCP SYNACK on established conn (tcp-synack-ooo)                             11

  TCP packet SEQ past window (tcp-seq-past-win)                             9154

  TCP invalid ACK (tcp-invalid-ack)                                            2

  TCP Out-of-Order packet buffer full (tcp-buffer-full)                    35094

  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)                155

  TCP RST/SYN in window (tcp-rst-syn-in-win)                                  20

  TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)                2258

  TCP packet failed PAWS test (tcp-paws-fail)                                  7

  Slowpath security checks failed (sp-security-failed)                   1769202

  ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)          5

  FP L2 rule drop (l2_acl)                                                    53

  Dropped pending packets in a closed socket (np-socket-closed)            16945

Last clearing: 04:24:15 EST Nov 13 2012 by enable_15

Flow drop:

  Need to start IKE negotiation (need-ike)                                 14146

  NAT reverse path failed (nat-rpf-failed)                                    56

  Inspection failure (inspect-fail)                                          128

  SSL bad record detected (ssl-bad-record-detect)                            194

  SSL handshake failed (ssl-handshake-failed)                                  6

  SSL received close alert (ssl-received-close-alert)                          7

Last clearing: 04:24:15 EST Nov 13 2012 by enable_15

Can anyone help me to debug this ?

Best regards

Content for Community-Ad