Event ID - ASA-2-410002

Message Code: ASA-2-410002
Severity: Critical
Description: Dropped num DNS responses with mis-matched id in the past sec second(s): from src_ifc:sip/sport to dest_ifc:dip/dport.
Explanation: This syslog message is generated when the security device drops more DNS responses with a mismatched DNS transaction identifier than the configured threshold allows within the configured interval. DNS inspection tracks the identifier of each outstanding query and drops any response whose identifier does not match; the count and interval that trigger this message are set with the id-mismatch command (id-mismatch count number duration seconds action log) in the parameters submode of a DNS inspection policy map.
  1. num—The number of DNS responses with a mismatched identifier dropped in the reported interval (the count threshold is set by the id-mismatch command).
  2. sec—The duration in seconds of the reporting interval, as configured by the id-mismatch command.
  3. src_ifc—The source interface name at which the DNS message is received with a mismatched DNS identifier.
  4. sip—The source IP address.
  5. sport—The source port.
  6. dest_ifc—The destination interface name.
  7. dip—The destination IP address.
  8. dport—The destination port.
User Action: A high rate of mismatched DNS identifiers might indicate a cache poisoning attempt, in which forged responses are flooded at a resolver in the hope that one matches the transaction ID of an outstanding query. Use the IP address and port in the syslog message to trace the source. Keep in mind that the source address of a forged response is itself often spoofed, frequently to the address of the legitimate upstream resolver, so confirm the origin before acting on it. You can configure ACLs to block traffic from the source permanently.
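As an added example (not part of the Cisco reference page), the following parser extracts the fields listed above from ASA-2-410002 lines and aggregates drops per source, which is the first step of the tracing the user action describes. The sample syslog lines are constructed for the example; the min_dropped threshold, the ACL name OUTSIDE_IN, and the idea of emitting an ACL entry per offending source are illustrative choices, not documented ASA behaviour.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the ASA-2-410002 format documented above.
# These are not real captures; addresses come from documentation ranges.
SAMPLE_LOGS = [
    "%ASA-2-410002: Dropped 31 DNS responses with mis-matched id in the past 3 second(s): "
    "from outside:203.0.113.10/53 to inside:10.1.1.5/51234",
    "%ASA-2-410002: Dropped 28 DNS responses with mis-matched id in the past 3 second(s): "
    "from outside:203.0.113.10/53 to inside:10.1.1.5/51234",
    "%ASA-2-410002: Dropped 40 DNS responses with mis-matched id in the past 3 second(s): "
    "from outside:203.0.113.10/53 to inside:10.1.1.5/49201",
    "%ASA-2-410002: Dropped 2 DNS responses with mis-matched id in the past 3 second(s): "
    "from outside:198.51.100.7/53 to inside:10.1.1.9/50007",
    "%ASA-2-410002: Dropped 12 DNS responses with mis-matched id in the past 3 second(s): "
    "from outside:2001:db8::53/53 to inside:2001:db8:1::5/44001",
    # Unrelated message; the parser must ignore it.
    "%ASA-6-302015: Built outbound UDP connection 91 for outside:203.0.113.10/53 "
    "(203.0.113.10/53) to inside:10.1.1.5/51234 (10.1.1.5/51234)",
]

# Group names follow the message definition: num, sec, src_ifc, sip, sport, dest_ifc, dip, dport.
# Interface names contain no ':' and addresses contain no '/', so the pattern also handles IPv6.
MSG_RE = re.compile(
    r"%ASA-2-410002: Dropped (?P<num>\d+) DNS responses with mis-matched id "
    r"in the past (?P<sec>\d+) second\(s\): "
    r"from (?P<src_ifc>[^:\s]+):(?P<sip>[^/\s]+)/(?P<sport>\d+) "
    r"to (?P<dest_ifc>[^:\s]+):(?P<dip>[^/\s]+)/(?P<dport>\d+)"
)


def parse_line(line):
    """Return the message fields as a dict, or None if the line is not ASA-2-410002."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("num", "sec", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields


def summarize_by_source(lines):
    """Aggregate per (src_ifc, sip, sport): total dropped, event count, peak drops/second, targets hit."""
    totals = defaultdict(lambda: {"dropped": 0, "events": 0, "peak_per_sec": 0.0, "targets": set()})
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        entry = totals[(f["src_ifc"], f["sip"], f["sport"])]
        entry["dropped"] += f["num"]
        entry["events"] += 1
        entry["peak_per_sec"] = max(entry["peak_per_sec"], f["num"] / f["sec"])
        entry["targets"].add((f["dest_ifc"], f["dip"], f["dport"]))
    return dict(totals)


def suspicious_sources(lines, min_dropped=50):
    """Sources whose cumulative drops reach min_dropped, worst first, as (sip, dropped, events).

    min_dropped is an illustrative threshold chosen for this example, not a documented ASA value.
    """
    summary = summarize_by_source(lines)
    hits = [(key, v) for key, v in summary.items() if v["dropped"] >= min_dropped]
    hits.sort(key=lambda kv: kv[1]["dropped"], reverse=True)
    return [(key[1], v["dropped"], v["events"]) for key, v in hits]


def suggest_acl(sip, acl_name="OUTSIDE_IN"):
    """Build an ASA extended ACL entry that denies DNS responses from sip.

    acl_name is a hypothetical ACL name; 'domain' is the ASA keyword for UDP port 53.
    Verify the source is not the legitimate resolver before applying it.
    """
    return f"access-list {acl_name} extended deny udp host {sip} any eq domain"


if __name__ == "__main__":
    for sip, dropped, events in suspicious_sources(SAMPLE_LOGS):
        print(f"{sip}: {dropped} mismatched responses dropped over {events} events")
        print("  candidate ACL:", suggest_acl(sip))
```

The per-source peak rate (num divided by sec) is kept alongside the cumulative total because a single burst that just crosses the id-mismatch threshold looks very different from a sustained flood, and the set of targets shows whether one client or many resolvers are being hit.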