Cisco ASA Interface Discards Affect Overall Device Status, how to best proceed?

I'm curious to know what others are doing in this instance, but I (like many others) am noticing that interfaces on our ASA firewalls are showing high discards hour after hour. This behavior is expected, as discarding packets is what firewalls are supposed to do (duh). My issue is that these high discards are causing the interface to reflect a "critical" status, which is then causing the node itself to show as "critical."

I'd like to find the best way to prevent my firewall from showing "critical" in these instances without affecting global polling thresholds, if possible (as this issue doesn't exist on monitored switches, routers, non-ASA firewalls). I'm curious to know how others in similar situations have resolved this in their deployments. Any advice?

Thanks in advance for any assistance!

Find more posts tagged with

Cisco ASA

Accepted answers

All comments

maciej.sandecki

Interesting, in our environment I can see hundreds of thousands of receive discards on some firewall interfaces, but the interfaces do not go into warning or critical status, even though the global error/discard thresholds are set to 1000/2500 for warning/critical. Now I'm wondering if there is something wrong with my installation .

Have you tried overriding global thresholds for the specific interface using manual, high value thresholds or dynamically calculated thresholds?

stuartd

Are you using enhanced node status calculation, by any chance? As that definitely would contribute towards the discards showing an issue?

maciej.sandecki

Right, I see we have selected Enhanced for nodes, but Classic for Interfaces. Thanks for pointing this out.

mjb231569

Hello! I can manually override the thresholds on specific interfaces and this does work, but I monitor over 100 ASA firewalls so I was hoping to avoid going the manual route. Dynamic thresholds aren't seeming to work in my instance, they're still showing critical even with this selected.

All that said, I will manually adjust the thresholds on all ASAs if I need to.

mjb231569

Hello! Yes, I am using "Enhanced" node status calculation. I'm also using "Enhanced" for interface status calculation.

Do you think I should swap both over to "Classic?"

maciej.sandecki

Enhanced status calculation has some positive results. If you switch the status calculation for interfaces to Classic (like I have it), your interfaces will not go into warning or critical status if they go over thresholds for errors/discards or utilization. But you can then have alerts (or dashboard resources, reports) based on breached thresholds, not status.

mjb231569

This might be what I do then. I'll switch over to classic for interface stats, then set up some custom alerts based on device type. I'll set ASAs to alert at a higher discard level than other devices.

ronan.tonilon

Disclaimer:
The content posted herein are provided as a suggestion or recommendation to you for your internal use. The information set forth herein may come from third party website or customers. SolarWinds is not liable for any downtime or any issue that may occur if you perform the following suggestions on the link provided. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment.
Please try this first in a lab environment, before implementing to your production.

You can open a support ticket to get insights, but please take note of our Working with Support Policy, customizations are not supported especially if this would involved custom scripts or queries, support can assist in a best effort practice since our support team is intended as a break fix support.

In this situation where high discard rates on Cisco ASA firewall interfaces are expected behavior, to prevent these specific metrics from negatively affecting your node status in SolarWinds without globally altering threshold settings. common approach is by overriding thresholds specifically on firewall interfaces, combined with custom alerts as needed. This will keep SolarWinds monitoring clean and accurate without globally affecting other device thresholds and this prevents these expected discards from affecting your overall node status.

You can refer to the below approach:

1. Create Custom Thresholds (Per-Interface Thresholds):

SolarWinds allows you to configure thresholds per-interface to override global thresholds specifically for cases like this.

Steps:

Navigate to Settings > Manage Nodes.
Find your Cisco ASA firewall and expand it to view interfaces.
Select the affected interface(s), click Edit Properties.
Check the box for Override Orion General Thresholds.
Adjust discard thresholds to a much higher value to avoid critical status alerts (or disable discard alerting entirely by entering a large value).

This allows specific ASA interfaces to have tailored thresholds.

2. Use Custom Interface Alerting Conditions:
Create alerts that explicitly exclude Cisco ASA interfaces from discard-based alerts, if you’d prefer to handle discards separately.

Example SWQL/Advanced Alert Condition:
WHERE Interfaces.Node.Vendor != 'Cisco' OR Interfaces.Node.MachineType NOT LIKE '%ASA%'

This prevents Cisco ASA discards from triggering alerts or critical statuses on nodes.

3. Interface Status Calculations:
Consider excluding discard rates from status calculations entirely for ASA firewalls if it's genuinely not actionable:

Settings > All Settings > Thresholds & Polling > Interface Thresholds
Define Custom Thresholds or select Do Not Calculate Interface Status for ASA interfaces.
Interface discards will still be collected for informational purposes but won't impact node status.

Note:

If reporting/tracking discards is important: Keep thresholds high enough to prevent constant critical statuses but continue to log discards for informational purposes.
Make sure to take note and document these changes for future reference and audits.

Hope this helps.