Information about managing deny flows, Licensing requirements for managing deny flows, Guidelines and limitations – Cisco ASA 5505 User Manual


20-6

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 20 Configuring Logging for Access Lists

Managing Deny Flows

Information About Managing Deny Flows

When you enable logging for message 106100, if a packet matches an ACE, the ASA creates a flow entry
to track the number of packets received within a specific interval. The ASA has a maximum of 32 K
logging flows for ACEs. A large number of flows can exist concurrently at any point in time. To prevent
unlimited consumption of memory and CPU resources, the ASA places a limit on the number of
concurrent deny flows; the limit is placed on deny flows only (not on permit flows) because they can
indicate an attack. When the limit is reached, the ASA does not create a new deny flow for logging until
the existing flows expire.

For example, if someone initiates a DoS attack, the ASA can create a large number of deny flows in a
short period of time. Restricting the number of deny flows prevents unlimited consumption of memory
and CPU resources.

When you reach the maximum number of deny flows, the ASA issues syslog message 106100:

%ASA|PIX-1-106101: The number of ACL log deny-flows has reached limit (number).

The access-list alert-interval command sets the time interval for generating syslog message 106001.
Syslog message 106001 alerts you that the ASA has reached a deny flow maximum. When the deny flow
maximum is reached, another syslog message 106001 is generated if at least six seconds have passed
since the last 106001 message was generated.
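The deny-flow cap and alert-interval behaviour described above, modelled as an added Python example (not code from the Cisco guide or from the ASA itself). The simplified 106100 line format, the cap of three flows, the ten-second flow timeout and the six-second alert interval are constructed values for the demo, and the DenyFlowTracker, acl_line and run_demo names are hypothetical.

```python
"""Added example: simulate the ASA deny-flow cap and alert interval.
Cap, timeout, interval and log lines are constructed demo values."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed approximation of a 106100 ACL log line (fields simplified).
ACL_LOG_RE = re.compile(
    r"%ASA-6-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src_if>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt \d+"
)


@dataclass
class DenyFlowTracker:
    """Per-flow logging table: deny flows are capped, permit flows are not."""
    deny_flow_max: int          # cap on concurrent deny flows (constructed value)
    flow_timeout: float         # seconds a flow entry lives without a new packet
    alert_interval: float       # minimum seconds between limit-reached alerts
    deny_flows: Dict[tuple, float] = field(default_factory=dict)    # key -> last seen
    permit_flows: Dict[tuple, float] = field(default_factory=dict)
    alerts: List[Tuple[float, str]] = field(default_factory=list)
    dropped: int = 0            # deny flows not created because the cap was hit
    last_alert: Optional[float] = None

    def _expire(self, now: float) -> None:
        # Flows idle longer than flow_timeout free a slot in the table.
        stale = [k for k, seen in self.deny_flows.items() if now - seen > self.flow_timeout]
        for k in stale:
            del self.deny_flows[k]

    def observe(self, line: str, now: float) -> Optional[str]:
        """Feed one syslog line at time `now`; return what the tracker did with it."""
        m = ACL_LOG_RE.search(line)
        if m is None:
            return None
        key = (m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
        if m["action"] == "permitted":
            self.permit_flows[key] = now        # permit flows are never capped
            return "permit"
        self._expire(now)
        if key in self.deny_flows:
            self.deny_flows[key] = now          # existing flow: just refresh it
            return "deny-existing"
        if len(self.deny_flows) >= self.deny_flow_max:
            # Table full: no new deny flow until one expires. The limit-reached
            # alert fires only if alert_interval has elapsed since the last one.
            self.dropped += 1
            if self.last_alert is None or now - self.last_alert >= self.alert_interval:
                self.last_alert = now
                self.alerts.append((now, "The number of ACL log deny-flows has "
                                         f"reached limit ({self.deny_flow_max})."))
            return "deny-limit"
        self.deny_flows[key] = now
        return "deny-new"


def acl_line(action: str, src: str, port_hint: int) -> str:
    """Build a constructed 106100 line; addresses are from documentation ranges."""
    return (f"%ASA-6-106100: access-list outside_in {action} tcp "
            f"outside/{src}({40000 + port_hint}) -> inside/10.0.0.5(22) hit-cnt 1")


def run_demo() -> dict:
    """Replay a constructed burst of denied connections against a cap of three flows."""
    tracker = DenyFlowTracker(deny_flow_max=3, flow_timeout=10.0, alert_interval=6.0)
    timeline = [
        (0.0, acl_line("denied", "198.51.100.1", 1)),    # new flow A
        (1.0, acl_line("denied", "198.51.100.2", 2)),    # new flow B
        (2.0, acl_line("denied", "198.51.100.3", 3)),    # new flow C, table now full
        (3.0, acl_line("denied", "198.51.100.4", 4)),    # cap hit, first alert
        (4.0, acl_line("denied", "198.51.100.5", 5)),    # cap hit, alert suppressed
        (5.0, acl_line("permitted", "203.0.113.9", 6)),  # permit flow, not capped
        (9.0, acl_line("denied", "198.51.100.1", 1)),    # flow A seen again, refreshed
        (9.5, acl_line("denied", "198.51.100.6", 7)),    # cap hit, interval elapsed: alert
        (13.0, acl_line("denied", "198.51.100.7", 8)),   # B and C expired, slot free
    ]
    events = [tracker.observe(line, now) for now, line in timeline]
    return {
        "events": events,
        "alert_count": len(tracker.alerts),
        "dropped": tracker.dropped,
        "active_deny_flows": len(tracker.deny_flows),
    }
```

Running run_demo() shows the two effects the text describes: once three deny flows are active, further distinct denied connections do not get a flow entry (dropped counts them), and the limit-reached alert is emitted at most once per alert interval, which is the role the access-list alert-interval command plays on the ASA. Expired entries free slots, so a new deny flow is created again at the end of the timeline.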

Licensing Requirements for Managing Deny Flows

The following table shows the licensing requirements for this feature:

Model        License Requirement
All models   Base License.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in single and multiple context mode.

Firewall Mode Guidelines

Supported only in routed and transparent firewall modes.

IPv6 Guidelines

Supports IPv6.

Additional Guidelines and Limitations

The ASA places a limit on the number of concurrent deny flows only—not permit flows.
