Cisco ASA 5580 Adaptive Security Appliance Leaflet

Cisco ASA Series Command Reference, Commands

Chapter 3    show as-path-access-list through show auto-update commands
show asp drop
 Recommendation:
    If you have configured IPsec NAT-T on your appliance, this indication is normal and does not indicate a problem. If NAT-T is not configured on your appliance, analyze your network traffic to determine the source of the NAT-T traffic.
 Syslogs:
    None
----------------------------------------------------------------
Name: ipsecudp-keepalive
IPSEC/UDP keepalive message:
    This counter will increment when the appliance receives an IPsec over UDP keepalive message. IPsec over UDP keepalive messages are sent from the IPsec peer to the appliance to keep NAT/PAT flow information current in the network devices between the IPsec over UDP peer and the appliance. Note: these are not the industry-standard NAT-T keepalive messages, which are also carried over UDP but are addressed to UDP port 4500.
 Recommendation:
    If you have configured IPsec over UDP on your appliance, this indication is normal and does not indicate a problem. If IPsec over UDP is not configured on your appliance, analyze your network traffic to determine the source of the IPsec over UDP traffic.
 Syslogs:
    None
----------------------------------------------------------------
Name: bad-ipsec-prot
IPsec not AH or ESP:
    This counter will increment when the appliance receives a packet on an IPsec connection whose protocol is neither AH nor ESP. This is not a normal condition.
 Recommendation:
    If you are receiving many "IPsec not AH or ESP" indications on your appliance, analyze your network traffic to determine the source of the traffic.
 Syslogs:
    402115
----------------------------------------------------------------
Name: ipsec-ipv6
IPsec via IPV6:
    This counter will increment when the appliance receives an IPsec ESP packet, an IPsec NAT-T ESP packet or an IPsec over UDP ESP packet encapsulated in an IP version 6 header. The appliance does not currently support any IPsec sessions encapsulated in IP version 6.
 Recommendation:
    None
 Syslogs:
    None
----------------------------------------------------------------
Name: bad-ipsec-natt
Bad IPsec NATT packet:
    This counter will increment when the appliance receives a packet on an IPsec connection that has negotiated NAT-T, but the packet is not addressed to the NAT-T UDP destination port of 4500 or has an invalid payload length.
 Recommendation:
    Analyze your network traffic to determine the source of the NAT-T traffic.
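The recommendations above are phrased per counter; in practice an operator wants to know which of these counters moved between two readings and what that movement means. The following is an added Python example, not code from the Cisco reference, that parses two `show asp drop` snapshots, computes the per-counter increase, and applies the guidance on this page to each IPsec-related counter. The snapshot text is constructed, the "<description> (<name>)  <count>" line layout is assumed to match the appliance output, and the `natt-keepalive` counter name is assumed, since this page shows only that counter's recommendation.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output of `show asp drop` (frame-drop section), taken
# as two snapshots a few minutes apart. Values are made up for the example.
SNAPSHOT_BEFORE = """\
Frame drop:
  NAT-T keepalive message (natt-keepalive)                              120
  IPSEC/UDP keepalive message (ipsecudp-keepalive)                       45
  IPsec not AH or ESP (bad-ipsec-prot)                                    2
  IPsec via IPV6 (ipsec-ipv6)                                             0
  Bad IPsec NATT packet (bad-ipsec-natt)                                  7

Last clearing: Never
"""

SNAPSHOT_AFTER = """\
Frame drop:
  NAT-T keepalive message (natt-keepalive)                              180
  IPSEC/UDP keepalive message (ipsecudp-keepalive)                       45
  IPsec not AH or ESP (bad-ipsec-prot)                                   41
  IPsec via IPV6 (ipsec-ipv6)                                             3
  Bad IPsec NATT packet (bad-ipsec-natt)                                  7

Last clearing: Never
"""

# Assumed line layout: "<description> (<counter-name>)   <count>".
_COUNTER_LINE = re.compile(r'^\s*(?P<desc>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$')

# Counters covered by this page; 'natt-keepalive' is an assumed name.
ORDER = ['natt-keepalive', 'ipsecudp-keepalive', 'bad-ipsec-prot', 'ipsec-ipv6', 'bad-ipsec-natt']


def parse_asp_drop(text: str) -> Dict[str, int]:
    """Return {counter-name: count} for every counter line in the output."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = _COUNTER_LINE.match(line)
        if m:
            counters[m.group('name')] = int(m.group('count'))
    return counters


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-counter increase between snapshots (only counters that grew).
    A counter absent from `before` is treated as having started at zero."""
    return {name: after[name] - before.get(name, 0)
            for name in after if after[name] - before.get(name, 0) > 0}


def assess_ipsec_drops(deltas: Dict[str, int], natt_configured: bool,
                       ipsec_udp_configured: bool) -> List[Tuple[str, str, str]]:
    """Apply the reference's recommendation to each counter that moved.
    Returns (counter, verdict, note); verdict is 'normal', 'investigate'
    or 'unsupported'. The two flags stand for 'is NAT-T / IPsec over UDP
    configured on this appliance', which decides whether keepalives are expected."""
    findings = []
    for name in ORDER:
        n = deltas.get(name, 0)
        if n == 0:
            continue
        if name == 'natt-keepalive':
            verdict = 'normal' if natt_configured else 'investigate'
            note = f'{n} NAT-T keepalives; expected only when IPsec NAT-T is configured'
        elif name == 'ipsecudp-keepalive':
            verdict = 'normal' if ipsec_udp_configured else 'investigate'
            note = f'{n} IPsec-over-UDP keepalives; expected only when IPsec over UDP is configured'
        elif name == 'bad-ipsec-prot':
            verdict = 'investigate'
            note = f'{n} non-AH/ESP packets on IPsec connections; correlate with syslog 402115'
        elif name == 'ipsec-ipv6':
            verdict = 'unsupported'
            note = f'{n} IPsec packets in IPv6 headers; the appliance does not support IPsec over IPv6'
        else:  # bad-ipsec-natt
            verdict = 'investigate'
            note = f'{n} NAT-T packets not on UDP/4500 or with an invalid payload length'
        findings.append((name, verdict, note))
    return findings


def run_example(natt_configured: bool = True,
                ipsec_udp_configured: bool = False) -> List[Tuple[str, str, str]]:
    """Diff the two constructed snapshots and assess the result."""
    deltas = counter_deltas(parse_asp_drop(SNAPSHOT_BEFORE), parse_asp_drop(SNAPSHOT_AFTER))
    return assess_ipsec_drops(deltas, natt_configured, ipsec_udp_configured)


if __name__ == '__main__':
    for name, verdict, note in run_example():
        print(f'{verdict:12s} {name:20s} {note}')
```

With the constructed snapshots, `natt-keepalive` grew by 60 (normal when NAT-T is configured), `bad-ipsec-prot` by 39 (investigate, and match against syslog 402115 for the source addresses) and `ipsec-ipv6` by 3 (unsupported traffic, no action recommended); the counters that did not move are not reported. Feeding the function real captures taken before and after a maintenance window, or on a polling interval, turns the page's "analyze your network traffic" advice into a concrete trigger.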