Re: Drop Rate Exceeded

scootertgm · ‎07-30-2009

I just upgrade our MARS to 6.03 and and I am getting this message from our ASA. I was simply going to place in a drop rule, but there is no IP address to use for the rule. The IP address are all NA.

Drop Rate Exceeded N/A 0 N/A N/A N/A

Can I create a rule to drp this alert?

aghaznavi · ‎08-05-2009

After you upgrade MARS from version 6.0.2 to 6.0.3, it appears that drop rules are ignored.

Update your MARS with the patch release 6.0.3 (3188) (csmars-6.0.3.3190-customerpatch.zip) in order to correct the potential issues with drop rules.

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/rules.html#wp532001

The specified object in the system log message has exceeded the specified burst threshold rate or average threshold rate. The object can be drop activity of a host, TCP/UDP port, IP protocol, or various drops due to potential attacks. It indicates the system is under potential attack.

scootertgm · ‎08-05-2009

When I upgraded, I went from 4.36 to 6.03 3188. Drop rules are working.

The issue is I get the following messages:

Drop Rate Exceeded N/A N/A N/A N/A N/A Aug 5, 2009 6:38:55 AM PDT

From the ASA. I can't create a drop rule for those events as it needs an IP to drop from. How would I make a rule to not see these events?

tichomir.kotek · ‎08-08-2009

drop rules do not need an IP. just create drop rule with wizzard and then edit created drop rule and change src to ANY. should be working