08-29-2020 01:40 PM
Hi Team,
I am looking for more information and eventually a recommendation on the following syslog alert.
%ASA-3-209006: Fragment queue threshold exceeded, dropped UDP fragment from <source-ip> to <destination-ip> on Internet interface.
There are quite a few of them in our logs and apparently it's an indicator of a DoS attack (UDP/IP fragmentation). This resulted in the ASA getting choked and eventually resulted in an outage. However, it is not quite clear what the recommendation is to prevent further incidents and keep the ASA alive and kicking.
Also, I couldn't quite locate this syslog message code in the Cisco documentation here:
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html
Looks like we need a doc bug to get this added.
I would appreciate it if anyone can provide more insights on the above syslog and any recommendation on threshold configurations that we can enforce on the ASA or at the ISP that can prevent future incidents.
Thanks.
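As an added example (not part of the original post and not Cisco's code or documentation), the following Python snippet shows how to aggregate %ASA-3-209006 messages from a syslog export so that the sources and destinations dominating the fragment drops can be seen before any threshold is tuned. The sample log lines, the hostname fw01, the IP addresses and the triage cut-off of three drops are constructed for illustration; the message text itself follows the format quoted in the post.

```python
import re
from collections import Counter

# Constructed sample lines in ASA syslog format (not taken from the original post).
# Five %ASA-3-209006 fragment drops plus one unrelated connection-built message.
SAMPLE_LOGS = [
    "Aug 29 2020 13:40:01 fw01 : %ASA-3-209006: Fragment queue threshold exceeded, "
    "dropped UDP fragment from 198.51.100.7 to 203.0.113.10 on Internet interface.",
    "Aug 29 2020 13:40:01 fw01 : %ASA-3-209006: Fragment queue threshold exceeded, "
    "dropped UDP fragment from 198.51.100.7 to 203.0.113.10 on Internet interface.",
    "Aug 29 2020 13:40:02 fw01 : %ASA-6-302015: Built outbound UDP connection 4711 "
    "for Internet:203.0.113.53/53 (203.0.113.53/53) to inside:10.0.0.5/51234 (10.0.0.5/51234)",
    "Aug 29 2020 13:40:02 fw01 : %ASA-3-209006: Fragment queue threshold exceeded, "
    "dropped UDP fragment from 192.0.2.44 to 203.0.113.10 on Internet interface.",
    "Aug 29 2020 13:40:03 fw01 : %ASA-3-209006: Fragment queue threshold exceeded, "
    "dropped UDP fragment from 198.51.100.7 to 203.0.113.10 on Internet interface.",
    "Aug 29 2020 13:40:03 fw01 : %ASA-3-209006: Fragment queue threshold exceeded, "
    "dropped UDP fragment from 192.0.2.44 to 203.0.113.11 on Internet interface.",
]

# Matches the message body quoted in the post; the protocol word is captured so
# that non-UDP fragment drops of the same message ID would also be picked up.
ASA_209006 = re.compile(
    r"%ASA-3-209006: Fragment queue threshold exceeded, dropped (?P<proto>\w+) fragment "
    r"from (?P<src>[\d.]+) to (?P<dst>[\d.]+) on (?P<iface>\S+) interface"
)


def parse_fragment_drops(lines):
    """Return one dict (proto, src, dst, iface) per %ASA-3-209006 line.

    Lines carrying any other syslog ID are ignored rather than raising,
    because a real export mixes many message types.
    """
    records = []
    for line in lines:
        match = ASA_209006.search(line)
        if match:
            records.append(match.groupdict())
    return records


def count_by_source(records):
    """Drop count per source IP."""
    return Counter(r["src"] for r in records)


def count_by_pair(records):
    """Drop count per (source, destination) pair, to spot a single targeted host."""
    return Counter((r["src"], r["dst"]) for r in records)


def sources_over_threshold(records, threshold):
    """Sources whose drop count reaches the constructed triage cut-off, sorted."""
    return sorted(src for src, n in count_by_source(records).items() if n >= threshold)


def summarize(lines, threshold=3):
    """Whole-export summary: totals plus the sources worth looking at first."""
    records = parse_fragment_drops(lines)
    return {
        "total_drops": len(records),
        "by_source": count_by_source(records),
        "by_pair": count_by_pair(records),
        "noisy_sources": sources_over_threshold(records, threshold),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOGS)
    print(f"fragment drops: {summary['total_drops']}")
    for src, n in summary["by_source"].most_common():
        print(f"  {src:<16} {n}")
    print("sources at/over threshold:", ", ".join(summary["noisy_sources"]))
```

Feed the script the relevant lines of a syslog export (one per list entry or via `sys.stdin`) to see whether the drops come from a handful of sources or are spread across many; that distinction is what decides whether filtering upstream at the ISP or adjusting fragment handling on the ASA is the more useful conversation to have.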