Re: Fishy ASA dynamic NAT behavior after IP address change

From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Mon Mar 30 2009 - 15:35:36 ART


Seems to be related to the (newer) threat detection feature. Most probably a
bug.

On Mon, Mar 30, 2009 at 9:08 PM, Alexei Monastyrnyi <alexeim73@gmail.com> wrote:

> Hi.
>
> The log was flooded by %ASA-4-733100 messages, like hundreds of them.
> Unfortunately I don't log level 4 to syslog, so no exact message, just a
> message ID.
>
> "Object" as per the message description in the ASA 8 System Log Messages Guide was
> [Scanning] and "rate_val" was all 10 out of 10.
>
> %ASA-4-733100: Object drop rate rate_ID exceeded. Current burst rate is
> rate_val per second, max configured rate is rate_val; Current average rate
> is rate_val per second, max configured rate is rate_val; Cumulative total
> count is total_cnt
>
>
> http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4963969
>
> So something of NAT went crossed with security concerns of ASA box. As
> mentioned, after restart all went to normal.
>
> Cheers,
> A.
>
> Farrukh Haroon wrote:
>
>> Any details about this syslog? Can you post one?
>>
>> On Tue, Mar 24, 2009 at 11:10 PM, Alexei Monastyrnyi <alexeim73@gmail.com> wrote:
>>
>> Hi Group.
>>
>> Just wonder if someone has come across this.
>>
>> I was changing IP address on ASA 8.0(4) system which does
>> selective dynamic PAT like below, about 30 such N-pairs.
>> nat (inside) 0 access-list nonat
>> nat (inside) N access-list xyz
>> global (outside) N IP-address/pool
>>
>> After IP change on outside interface, dynamic part NAT engine
>> stopped working. And there were a lot of [Scanning] messages of severity
>> 4 in the log. show xlate showed only static PAT entries; all
>> traffic which was supposed to get NATted or go via the nonat ACL was
>> just black-holed.
>>
>> shut/no shut on the outside interface didn't do it. The only way I could
>> fix it was by an ASA unit reload.
>>
>> I checked open caveats for 8.0(4) that are open/resolved for higher
>> interim releases, no luck.
>>
>> Shall one expect restarting production systems after IP address
>> change? Sounds a bit nuts. :-)
>>
>> Hints are appreciated.
>>
>> Cheers,
>> A
>>
>>
>> Blogs and organic groups at http://www.ccie.net <http://www.ccie.net/>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

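As an added example (not part of the thread, and not Cisco's code), a small Python parser for the %ASA-4-733100 message template quoted above, plus a counter that flags the kind of per-object flood Alexei describes so the condition is noticed before traffic is black-holed. The sample lines are constructed; the syslog prefix, hostname and rate-ID values are assumptions.

```python
import re
from collections import Counter

# Message template quoted in the thread from the ASA 8 System Log Messages Guide:
# %ASA-4-733100: Object drop rate rate_ID exceeded. Current burst rate is
# rate_val per second, max configured rate is rate_val; Current average rate
# is rate_val per second, max configured rate is rate_val; Cumulative total
# count is total_cnt
PATTERN = re.compile(
    r"%ASA-4-733100: (?P<obj>\[[^\]]+\]|\S+) drop (?P<rate_id>\S+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is "
    r"(?P<burst_max>\d+); Current average rate is (?P<avg>\d+) per second, "
    r"max configured rate is (?P<avg_max>\d+); Cumulative total count is (?P<total>\d+)"
)

def parse_733100(line):
    """Return the fields of a 733100 message as a dict, or None for any other line."""
    m = PATTERN.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("burst", "burst_max", "avg", "avg_max", "total"):
        fields[key] = int(fields[key])
    return fields

def find_floods(lines, threshold):
    """Count 733100 messages per (object, rate_ID); return those seen >= threshold times."""
    # The poster saw hundreds of [Scanning] messages at 10 of 10, so a low
    # threshold over a short window is enough to raise an alert early.
    counts = Counter()
    for line in lines:
        ev = parse_733100(line)
        if ev is not None:
            counts[(ev["obj"], ev["rate_id"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample lines (not from the thread) following the template above;
# the "10 per second ... 10" values mirror the "10 out of 10" the poster saw.
def _scan_line(rate_id, total):
    return ("Mar 30 2009 20:55:01 asa1 : %ASA-4-733100: [Scanning] drop " + rate_id
            + " exceeded. Current burst rate is 10 per second, max configured rate is 10; "
            "Current average rate is 10 per second, max configured rate is 10; "
            "Cumulative total count is " + str(total))

SAMPLE_LOG = [
    _scan_line("rate-1", 1200),
    _scan_line("rate-1", 1210),
    "Mar 30 2009 20:55:02 asa1 : %ASA-6-302013: Built outbound TCP connection 4711",
    _scan_line("rate-1", 1220),
    _scan_line("rate-2", 5),
]
```

Run against real syslog output with a higher threshold and a time window; the per-object key also separates scanning drops from the other 733100 objects the guide lists.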



This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:08 ART