From: Alexei Monastyrnyi (alexeim73@gmail.com)
Date: Mon Mar 30 2009 - 15:08:47 ART
Hi.
The log was flooded by %ASA-4-733100 messages, like hundreds of them.
Unfortunately I don't log level 4 to syslog, so no exact message, just a
message ID.
"Object" as per message description on ASA 8 System Log Messages Guide
was [Scanning] and "rate_val" was all 10 out of 10.
%ASA-4-733100: Object drop rate rate_ID exceeded. Current burst rate is
rate_val per second, max configured rate is rate_val; Current average
rate is rate_val per second, max configured rate is rate_val; Cumulative
total count is total_cnt
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4963969
So something of NAT went crossed with security concerns of ASA box. As
mentioned, after restart all went to normal.
Cheers,
A.
Farrukh Haroon wrote:
> Any details about this syslog? Can you post one?
>
> On Tue, Mar 24, 2009 at 11:10 PM, Alexei Monastyrnyi
> <alexeim73@gmail.com> wrote:
>
> Hi Group.
>
> Just wonder if someone has come across this.
>
> I was changing IP address on ASA 8.0(4) system which does
> selective dynamic PAT like below, about 30 such N-pairs.
> nat (inside) 0 access-list nonat
> nat (inside) N access-list xyz
> global (outside) N IP-address/pool
>
> After IP change on outside interface, dynamic part NAT engine
> stopped working. And it was a lot of [Scanning] messages severity
> 4 in the log. Show xlat showed only static PAT entries, all
> traffic which was supposed to get NATted or go via nonat ACL was
> just black-holed.
>
> shut/no shut on outside interface didn't do. The only way I could
> fix it is by ASA unit reload.
>
> I checked open caveats for 8.0(4) are open/resolved for higher
> interim releases, no luck.
>
> Shall one expect restarting production systems after IP address
> change? Sounds a bit nuts. :-)
>
> Hints are appreciated.
>
> Cheers,
> A
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net
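
For triaging a flood like the one described in this thread, the 733100 template quoted above can be parsed and grouped by object and rate ID to see which threshold keeps tripping. This is an added example, not part of the original messages: it assumes level 4 messages reach syslog, that rate_ID is rendered as `rate-N` or `rate N`, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Field layout follows the %ASA-4-733100 template quoted in the thread.
MSG_733100 = re.compile(
    r"%ASA-4-733100: \[\s*(?P<object>[^\]]+?)\s*\] drop rate[- ](?P<rate_id>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)

def parse_733100(line):
    """Return the message fields as a dict, or None for any other line."""
    m = MSG_733100.search(line)
    if not m:
        return None
    rec = {k: int(v) for k, v in m.groupdict().items() if k != "object"}
    rec["object"] = m.group("object")
    return rec

def summarize(lines):
    """Group 733100 messages by (object, rate_id) and record peaks and tripped limits."""
    stats = defaultdict(lambda: {"messages": 0, "peak_burst": 0,
                                 "peak_avg": 0, "total": 0, "tripped": set()})
    for line in lines:
        rec = parse_733100(line)
        if rec is None:
            continue
        s = stats[(rec["object"], rec["rate_id"])]
        s["messages"] += 1
        s["peak_burst"] = max(s["peak_burst"], rec["burst"])
        s["peak_avg"] = max(s["peak_avg"], rec["avg"])
        s["total"] = max(s["total"], rec["total"])  # counter is cumulative
        if rec["burst"] >= rec["burst_max"]:
            s["tripped"].add("burst")
        if rec["avg"] >= rec["avg_max"]:
            s["tripped"].add("average")
    return dict(stats)

# Constructed sample lines (hostname "fw1" and all values are made up).
SAMPLE = [
    "Mar 24 22:41:07 fw1 %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 4 per second, max configured rate is 5; Cumulative total count is 2410",
    "Mar 24 22:41:37 fw1 %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3650",
    "Mar 24 22:41:40 fw1 %ASA-5-111008: User 'enable_15' executed the 'clear xlate' command.",
    "Mar 24 22:42:10 fw1 %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 3 per second, max configured rate is 8; Current average rate is 9 per second, max configured rate is 8; Cumulative total count is 120",
]

if __name__ == "__main__":
    for (obj, rate_id), s in sorted(summarize(SAMPLE).items()):
        print(obj, f"rate-{rate_id}", s)
```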
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:08 ART