Monitoring Access List Resources

When logging is enabled for an access control entry (ACE), system log message 106100 is created every time the ACE is hit (here, the ACE is used to deny a network). The FWSM has a maximum of 640,000 flows for ACEs. To avoid central processing unit (CPU) spikes from concurrent flows, the FWSM places a limit on deny flows; it does not place a limit on permit flows. Deny flows can be exploited by a Denial of Service (DoS) attack, and restricting their number prevents unlimited consumption of memory and CPU resources. When the maximum number of deny flows is reached, the FWSM issues system log message 106101:

%XXX-1-106101: The number of ACL log deny-flows has reached limit (number).

The deny flow limit can be configured in the FWSM:

FWSM(config)# access-list deny-flow-max number

By default, the maximum number of concurrent deny flows that can be created is 4096 (the number can be 1-4096).

The reporting interval for the syslog message and the actual deny flow can be configured as follows:

FWSM(config)# access-list alert-interval secs

The default reporting interval is 300 sec, and the range is 1-3600 sec.
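One way to watch for a saturated deny-flow table from the collector side, as an added example that is not from the original text: it parses message 106101 out of syslog lines and flags devices that report the limit in several consecutive alert intervals. The hostnames, timestamps, the `%FWSM` facility prefix in the samples, and the `slack` and `min_run` thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (hosts, times and addresses are made up).
SAMPLE_LOG = """\
Mar 10 09:00:02 fwsm-a %FWSM-1-106101: The number of ACL log deny-flows has reached limit (4096).
Mar 10 09:01:10 fwsm-b %FWSM-1-106101: The number of ACL log deny-flows has reached limit (1024).
Mar 10 09:02:11 fwsm-a %FWSM-6-106100: access-list OUTSIDE denied tcp outside/192.0.2.10(4312) -> inside/198.51.100.5(22) hit-cnt 1 (first hit)
Mar 10 09:05:02 fwsm-a %FWSM-1-106101: The number of ACL log deny-flows has reached limit (4096).
Mar 10 09:10:03 fwsm-a %FWSM-1-106101: The number of ACL log deny-flows has reached limit (4096).
Mar 10 09:15:02 fwsm-a %FWSM-1-106101: The number of ACL log deny-flows has reached limit (4096).
Mar 10 11:30:45 fwsm-b %FWSM-1-106101: The number of ACL log deny-flows has reached limit (1024).
"""

# Matches only the deny-flow limit message; 106100 and other lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"%\w+-1-106101: The number of ACL log deny-flows has reached limit "
    r"\((?P<limit>\d+)\)"
)

def parse_events(text, year=2024):
    """Return {host: [(timestamp, configured_limit), ...]} for 106101 lines."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["host"]].append((ts, int(m["limit"])))
    return events

def sustained_saturation(events, alert_interval=300, slack=30, min_run=3):
    """Flag hosts whose 106101 messages repeat in >= min_run consecutive
    alert intervals (gap <= alert_interval + slack seconds)."""
    flagged = {}
    for host, evs in events.items():
        evs.sort()
        run = best = 1
        for (prev, _), (cur, _) in zip(evs, evs[1:]):
            gap = (cur - prev).total_seconds()
            run = run + 1 if gap <= alert_interval + slack else 1
            best = max(best, run)
        if best >= min_run:
            flagged[host] = {"longest_run": best, "limit": evs[-1][1]}
    return flagged

if __name__ == "__main__":
    print(sustained_saturation(parse_events(SAMPLE_LOG)))
```

Set `alert_interval` to the value configured with `access-list alert-interval` on the device, since the spacing of the messages follows that setting.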

