Threat-Detection Feature Blocking Traffic

03-18-2018 03:04 PM - edited 02-21-2020 07:31 AM
How can I prevent the threat-detection from blocking access to an IP?
I have disabled the basic threat-detection and have included that IP in the exception list. I rebooted the ASA to make sure that everything is released from memory, but when I issue the "show threat-detection statistics | inc <IP Address>", it still shows up with a total session and active session.
I believe this is preventing us from accessing the IP, which is ok to access.
Thank you in advance,
LN
- Labels: IPS and IDS
03-22-2018 03:30 AM
Total sessions and active sessions in threat-detection statistics do not indicate traffic drops. Dropped sessions should show up in fw-drop, insp-drop, null-ses and bad-acc, depending on the reason the session has been dropped.
In this sort of situation it is helpful to do a packet capture on the incoming and outgoing interfaces, compare the two, and see if the ASA is actually dropping traffic.
You could also do an asp-drop capture for the specific IPs and see if the packets are dropped and why.
HTH
Bogdan
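
The captures suggested in the reply above, written out as ASA CLI commands. This is an added example, not part of the original thread; the interface names `inside` and `outside`, the capture names, and both IP addresses are assumed placeholders.

```cisco
! Assumed values: "inside"/"outside" are the interface names,
! 192.0.2.10 is the internal client, 198.51.100.20 is the destination under test.

! 1. Capture the same flow on the incoming and outgoing interfaces.
capture CAPIN interface inside match ip host 192.0.2.10 host 198.51.100.20
capture CAPOUT interface outside match ip host 192.0.2.10 host 198.51.100.20
! If the client is translated by NAT, use the translated address in CAPOUT,
! because the outside capture sees the post-NAT source.

! 2. Capture packets dropped by the accelerated security path, all drop reasons.
capture ASPDROP type asp-drop all

! 3. Generate test traffic from the client, then compare the results.
show capture CAPIN
show capture CAPOUT
show capture ASPDROP | include 198.51.100.20
! Packets that appear in CAPIN but never in CAPOUT did not leave the ASA;
! a matching entry in ASPDROP carries the drop reason.
! Packets that appear in both captures were forwarded, so the problem is
! beyond the ASA (return path, remote host).

! 4. Remove the captures when finished so they stop consuming buffer memory.
no capture CAPIN
no capture CAPOUT
no capture ASPDROP
```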
