threat detection and frequent disconnection

roussillon
Level 1

Hi all

Can threat detection provoke frequent disconnections on allowed traffic?

We are using an ASA 5520 with 8.3.1 IOS.

For instance, in ASDM we see SYN attack messages. The source IP address corresponds to an external host (on the outside interface) which is allowed to connect to internal servers (on the internal interfaces).

Our threat-detection config is as follows:

threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 500 burst-rate 1000
threat-detection rate scanning-threat rate-interval 3600 average-rate 500 burst-rate 1000
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection statistics port number-of-rate 1
threat-detection statistics protocol number-of-rate 1
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

Thanks

11 Replies

varrao
Level 10

Hi Roussillon,

Yes, definitely, it is one of the possibilities. If the firewall sees a lot of connection requests coming from the trusted host as well, it would perceive it to be a threat and give you the logs; there might be cases of internet disconnect as well.

Try taking the logs, and captures when the internet gets disconnected.

-Varun

Thanks,
Varun Rao

Hi

I disabled basic threat detection with the command:

no threat-detection basic-threat

But users get disconnected as well.

How can I disable threat detection?

Thanks

Hi all

Can someone please tell me how to stop or properly configure threat detection? Apparently the basic settings are not good for production.

Thanks

Hi Roussillon,

We first need to identify the exact reason for the drops. If these disconnects are so frequent, then you first need to check the logs that you get at the time of the disconnect. If the logs say something like this:

"%ASA-4-733100: [Interface] drop rate 1 exceeded. Current burst rate is 1 per  second, max configured rate is 8000; Current average rate is 2030 per second, max  configured rate is 2000; Cumulative total count is 3930654."

For a scanning drop caused by potential attacks:

"ASA-4-733100: [Scanning] drop rate-1 exceeded. Current burst rate is 10 per  second_max configured rate is 10; Current average rate is 245 per second_max  configured rate is 5; Cumulative total count is 147409 (35 instances received)

For bad packets caused by potential attacks:

"%ASA-4-733100: [Bad pkts] drop rate 1 exceeded. Current burst rate is 0 per  second, max configured rate is 400; Current average rate is 760 per second, max  configured rate is 100; Cumulative total count is 1938933"

Maybe the legitimate outside host is sending requests which are exceeding the normal value defined in the threat-detection. If so, we can create an exception for that particular host in the threat-detection, so that it is always allowed.

Moreover, could you tell me if you are using any IPS module with the ASA?

Thanks,

Varun

Thanks,
Varun Rao
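The reply above says the first step is to find the %ASA-4-733100 messages and compare the rates they report against the threat-detection rate lines in the configuration. The following script is an added example (not from this thread, Cisco, or the ASA itself) that does exactly that triage offline: it parses the threat-detection rate lines posted earlier in the thread, parses 733100 messages from a constructed syslog excerpt, and reports for each message which threshold (burst or average) was crossed and whether the reported maxima match the running configuration. Assumptions are labelled in the code: the mapping from the bracketed label in the message to the configuration keyword is taken from the message samples in this thread (the "SYN attck" label is assumed from the show output quoted later), and rate id N is assumed to refer to the Nth rate line configured for that keyword.

```python
"""Correlate ASA %ASA-4-733100 'drop rate exceeded' messages with the
threat-detection rate configuration (added example, not Cisco code)."""
import re
from dataclasses import dataclass, field

# Excerpt of the threat-detection rate lines posted in this thread.
THREAT_CONFIG = """\
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
"""

# Constructed syslog excerpt (not real logs); the 733100 lines follow the
# message format quoted in the thread, the 106023 line is noise to be skipped.
CONSTRUCTED_SYSLOG = """\
Jan 10 10:15:02 fw01 %ASA-4-733100: [Interface] drop rate-1 exceeded. Current burst rate is 1 per second, max configured rate is 8000; Current average rate is 2030 per second, max configured rate is 2000; Cumulative total count is 3930654
Jan 10 10:16:40 fw01 %ASA-4-733100: [SYN attck] drop rate-1 exceeded. Current burst rate is 250 per second, max configured rate is 200; Current average rate is 40 per second, max configured rate is 100; Cumulative total count is 12
Jan 10 10:17:00 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51000 dst inside:10.0.0.10/443 by access-group "outside_in"
"""

CONFIG_RE = re.compile(
    r"^threat-detection rate (?P<kw>\S+) rate-interval (?P<interval>\d+) "
    r"average-rate (?P<avg>\d+) burst-rate (?P<burst>\d+)$"
)
# Accepts both "drop rate 1" and "drop rate-1", as seen in the quoted messages.
MSG_RE = re.compile(
    r"%ASA-4-733100: \[(?P<label>[^\]]+)\] drop rate[ -]?(?P<rate_id>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)
# Assumption: bracketed message label -> threat-detection rate keyword.
LABEL_TO_KEYWORD = {
    "Interface": "interface-drop",
    "Scanning": "scanning-threat",
    "Bad pkts": "bad-packet-drop",
    "SYN attck": "syn-attack",
}


@dataclass
class RateThreshold:
    keyword: str
    interval: int
    average: int
    burst: int


@dataclass
class DropEvent:
    keyword: str
    rate_id: int
    burst: int
    burst_max: int
    average: int
    average_max: int
    total: int
    exceeded: list = field(default_factory=list)  # "burst" and/or "average"


def parse_config(text):
    """Return {keyword: [RateThreshold, ...]} in configuration order."""
    thresholds = {}
    for line in text.splitlines():
        m = CONFIG_RE.match(line.strip())
        if m:
            thresholds.setdefault(m["kw"], []).append(
                RateThreshold(m["kw"], int(m["interval"]), int(m["avg"]), int(m["burst"])))
    return thresholds


def parse_events(text):
    """Extract 733100 messages; any other message ID is ignored."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = DropEvent(LABEL_TO_KEYWORD.get(m["label"], "unknown"), int(m["rate_id"]),
                       int(m["burst"]), int(m["burst_max"]), int(m["avg"]),
                       int(m["avg_max"]), int(m["total"]))
        # The ASA raises the message when either rate crosses its own maximum.
        if ev.burst > ev.burst_max:
            ev.exceeded.append("burst")
        if ev.average > ev.average_max:
            ev.exceeded.append("average")
        events.append(ev)
    return events


def correlate(events, thresholds):
    """Pair each event with the config line it came from (assumed: rate id N is
    the Nth line for that keyword) and flag mismatches with the running config."""
    rows = []
    for ev in events:
        cfg_list = thresholds.get(ev.keyword, [])
        cfg = cfg_list[ev.rate_id - 1] if 0 < ev.rate_id <= len(cfg_list) else None
        rows.append({
            "keyword": ev.keyword,
            "interval": cfg.interval if cfg else None,
            "exceeded": ev.exceeded,
            "matches_config": cfg is not None and cfg.average == ev.average_max
                              and cfg.burst == ev.burst_max,
            "total": ev.total,
        })
    return rows


if __name__ == "__main__":
    for row in correlate(parse_events(CONSTRUCTED_SYSLOG), parse_config(THREAT_CONFIG)):
        print(row)
```

Run against a real syslog export, a row whose "exceeded" list holds only "average" points at a sustained rate over the interval rather than a spike, which is the case where a busy but legitimate host can keep tripping the threshold; a "matches_config" of False means the message was produced under a different configuration than the one you are reading, so compare against the config that was running at the time.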

Hi Varun,

Thanks for your help.

We are not using any IPS module.

I am logging all warning messages (severity=4) to a syslog server. When I do a search for messages I cannot find %ASA-4-733100 or %ASA-4-733101. In the logs there are messages like %ASA-4-106023 or %ASA-4-31300, but not those we are looking for.

I am also logging messages 733100 & 733101 to the console but nothing gets logged.

I did as follows:

logging list notify-threat message 733100-733101

logging monitor notify-threat

term monitor

Nevertheless the command show threat-detection rate syn-attack shows:

                    Average(eps)   Current(eps)   Trigger   Total events
10-min SYN attck    0              0              2         12

I understand that an exception can be configured if scanning threat detection is enabled with the command:

threat-detection scanning-threat [shun [except {ip-address ip_address mask | object-group network_object_group_id}]]

But in our ASA scanning-threat is not active. That's why I do not understand why connections get interrupted.

I have noticed that connections coming from hosts with their own public IP address are less impacted, really much less impacted. I configured a computer with a public IP address (no NAT, no IP masquerading), then I started the AnyConnect client and it stayed connected for 28 hours. It was me who stopped the connection.

Thanks

Hi

Can someone help us please? This is really urgent and annoying.

How can we just make threat detection disappear?

Thanks

Hi Roussillon,

If you really want to disable all the threat detection on the firewall, then you can just put a "no" in front of the threat-detection statements to disable them, or use "clear configure threat-detection" to clear all the commands:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/command/reference/c2.html#wp2400005

Thanks,

Varun

Thanks,
Varun Rao

Hi

Sorry if I answer late, but I was out of the office.

I tried both methods but nothing works.

Do you know if ASA can do Save reset?

Thanks

You were not at all able to delete the threat-detection on the ASA, even after doing "clear configure threat-detection"?

Well, do you have any IPS device in the network?

Can you share your configuration from the ASA and also the output of "show module"?

-Varun

Thanks,
Varun Rao

Hi,

Indeed in ASDM we see SYN attack messages. But I think it is not the real problem.

The problem occurs when a user behind a box doing NAT connects to a server with a NATted IP behind the ASA. I would say double NAT.

This is the output of the command show module:

Mod Card Type                                    Model
--- -------------------------------------------- ------------------
  0 ASA 5520 Adaptive Security Appliance         ASA5520

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 c47d.4f3b.6b15 to c47d.4f3b.6b19  2.0          1.0(11)5     8.3(1)

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable

Thanks

Hi,

I am not sure now about the real issue. Are you not able to access a server on the inside from inside hosts themselves? If that is the case then I would need the IP addresses of source and destination, and whether the inside hosts need to access the server on its NATted IP only. It would be great if you can provide the output of:

show run nat

show run global

show run static

show run same

Thanks,

Varun

Thanks,
Varun Rao