ASA Dropping internal Packets after reaching scanning rate limit...

stownsend
Level 2

I have the threat-detection setup like the following:

threat-detection rate scanning-threat rate-interval 600 average-rate 6 burst-rate 20
threat-detection rate scanning-threat rate-interval 1200 average-rate 5 burst-rate 15
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.1.0.0 255.255.0.0
threat-detection scanning-threat shun except ip-address 10.2.0.0 255.255.0.0
threat-detection scanning-threat shun except ip-address 10.1.0.40 255.255.255.255
threat-detection scanning-threat shun except ip-address 10.4.5.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 10.1.5.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 10.2.5.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
threat-detection statistics host
threat-detection statistics port
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

Though I still receive these events in the syslog.

1/31/2012 7:05:29 AM
%ASA-4-733100: [ Scanning] drop rate-3 exceeded. Current burst rate is 9 per second, max configured rate is 8; Current average rate is 0 per second, max configured rate is 4; Cumulative total count is 3290

1/31/2012 7:05:09 AM
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 26 per second, max configured rate is 20; Current average rate is 2 per second, max configured rate is 6; Cumulative total count is 1590

1/31/2012 7:05:09 AM
%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 20 per second, max configured rate is 15; Current average rate is 1 per second, max configured rate is 5; Cumulative total count is 1713

1/31/2012 7:04:29 AM
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 31 per second, max configured rate is 20; Current average rate is 1 per second, max configured rate is 6; Cumulative total count is 792

1/31/2012 7:04:29 AM
%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 15 per second, max configured rate is 15; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 919

1/31/2012 6:22:31 AM
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 20 per second, max configured rate is 20; Current average rate is 1 per second, max configured rate is 6; Cumulative total count is 805


The Devices that are generating them (I believe) are IP Phones. They are the devices listed in the 10.x.5.0/24 range.

When I do a 'show shun' I get nothing back.

What Gives?
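The following is an added example, not part of the post above or of any Cisco tooling. It parses the three scanning-threat rate lines and the six %ASA-4-733100 events quoted in the post, ties each event's rate-N back to the Nth configured rate-interval (the assumption here is that rate IDs follow the order of the "threat-detection rate scanning-threat" lines), and reports which threshold (burst or average) was crossed. One thing the posted events make visible is that the message fires when the burst rate merely equals the configured maximum (20 vs 20, 15 vs 15), so the comparison used is >= rather than >. The mapping from the "[ Scanning]" label to the "scanning-threat" keyword is the only one included and is an assumption for this page.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the three scanning-threat rate lines from the post.
CONFIG = """\
threat-detection rate scanning-threat rate-interval 600 average-rate 6 burst-rate 20
threat-detection rate scanning-threat rate-interval 1200 average-rate 5 burst-rate 15
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
"""

# Constructed sample input: the six %ASA-4-733100 events quoted in the post.
LOGS = """\
%ASA-4-733100: [ Scanning] drop rate-3 exceeded. Current burst rate is 9 per second, max configured rate is 8; Current average rate is 0 per second, max configured rate is 4; Cumulative total count is 3290
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 26 per second, max configured rate is 20; Current average rate is 2 per second, max configured rate is 6; Cumulative total count is 1590
%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 20 per second, max configured rate is 15; Current average rate is 1 per second, max configured rate is 5; Cumulative total count is 1713
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 31 per second, max configured rate is 20; Current average rate is 1 per second, max configured rate is 6; Cumulative total count is 792
%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 15 per second, max configured rate is 15; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 919
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 20 per second, max configured rate is 20; Current average rate is 1 per second, max configured rate is 6; Cumulative total count is 805
"""

# Assumed mapping: label inside the 733100 message -> object keyword on the
# "threat-detection rate" config line. Only the label seen on this page is mapped.
LOG_OBJECT_TO_CONFIG = {"Scanning": "scanning-threat"}

CONFIG_RE = re.compile(
    r"^threat-detection rate (?P<obj>\S+) rate-interval (?P<interval>\d+) "
    r"average-rate (?P<avg>\d+) burst-rate (?P<burst>\d+)\s*$"
)
EVENT_RE = re.compile(
    r"%ASA-4-733100: \[\s*(?P<obj>[^\]]+?)\s*\] drop rate-(?P<rate_id>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<max_burst>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<max_avg>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)


@dataclass(frozen=True)
class RateConfig:
    obj: str
    interval: int  # rate-interval, seconds
    avg: int       # average-rate threshold, drops per second
    burst: int     # burst-rate threshold, drops per second


@dataclass(frozen=True)
class DropEvent:
    obj: str
    rate_id: int
    burst: int
    max_burst: int
    avg: int
    max_avg: int
    total: int


def parse_config(text: str) -> dict[str, list[RateConfig]]:
    """Group 'threat-detection rate' lines by object, keeping config order.
    Assumption: 1-based position in the list is the 'rate-N' ID the event reports."""
    out: dict[str, list[RateConfig]] = {}
    for line in text.splitlines():
        m = CONFIG_RE.match(line.strip())
        if m:
            out.setdefault(m["obj"], []).append(
                RateConfig(m["obj"], int(m["interval"]), int(m["avg"]), int(m["burst"]))
            )
    return out


def parse_event(line: str) -> DropEvent | None:
    """Return a DropEvent for a 733100 line, None for anything else."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return DropEvent(m["obj"], int(m["rate_id"]), int(m["burst"]), int(m["max_burst"]),
                     int(m["avg"]), int(m["max_avg"]), int(m["total"]))


def classify(ev: DropEvent, cfg: dict[str, list[RateConfig]]) -> dict:
    """Tie an event to its configured interval and say which threshold tripped.
    The posted events fire when burst equals the maximum, so the test is >=."""
    key = LOG_OBJECT_TO_CONFIG.get(ev.obj, ev.obj)
    rates = cfg.get(key, [])
    rate = rates[ev.rate_id - 1] if 0 < ev.rate_id <= len(rates) else None
    tripped = []
    if ev.burst >= ev.max_burst:
        tripped.append("burst")
    if ev.avg >= ev.max_avg:
        tripped.append("average")
    return {
        "interval": rate.interval if rate else None,
        "tripped": tripped,
        # False means the maxima in the event no longer match the running config
        "matches_config": rate is not None and (rate.burst, rate.avg) == (ev.max_burst, ev.max_avg),
    }


def summarize(log_text: str, config_text: str):
    cfg = parse_config(config_text)
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    by_rate = Counter(e.rate_id for e in events)
    return events, by_rate, [classify(e, cfg) for e in events]


if __name__ == "__main__":
    events, by_rate, results = summarize(LOGS, CONFIG)
    for e, r in zip(events, results):
        print(f"rate-{e.rate_id} ({r['interval']}s window): burst {e.burst}/{e.max_burst}, "
              f"avg {e.avg}/{e.max_avg}, tripped={r['tripped']}, config-match={r['matches_config']}")
    print("events per rate id:", dict(by_rate))
```

Running it shows that every posted event tripped only the burst threshold, never the average one, and that the event maxima still agree with the running config. A 733100 line reports a rate-limit crossing; it does not by itself name the offending host, so it is useful to parse these alongside the per-host threat-detection output before concluding anything about which devices are responsible.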
