Cisco ASA 5580 Adaptive Security Appliance Leaflet
Cisco ASA Series Command Reference, S Commands
Chapter 3  show as-path-access-list through show auto-update Commands
show asp drop
Recommendation:
If you have configured IPsec NAT-T on your appliance, this indication is normal and
doesn't indicate a problem. If NAT-T is not configured on your appliance, analyze your
network traffic to determine the source of the NAT-T traffic.
Syslogs:
None
----------------------------------------------------------------
Name: ipsecudp-keepalive
IPSEC/UDP keepalive message:
This counter will increment when the appliance receives an IPsec over UDP keepalive
message. IPsec over UDP keepalive messages are sent from the IPsec peer to the appliance
to keep NAT/PAT flow information current in network devices between the IPsec over UDP
peer and the appliance. Note that these are not the industry-standard NAT-T keepalive
messages (RFC 3948), which are also carried over UDP but are addressed to UDP port 4500;
IPsec over UDP is a Cisco-proprietary encapsulation that uses a separately configured UDP port.
Recommendation:
If you have configured IPsec over UDP on your appliance, this indication is normal and
doesn't indicate a problem. If IPsec over UDP is not configured on your appliance, analyze
your network traffic to determine the source of the IPsec over UDP traffic.
Syslogs:
None
----------------------------------------------------------------
Name: bad-ipsec-prot
IPsec not AH or ESP:
This counter will increment when the appliance receives a packet on an IPsec
connection whose IP protocol is neither AH (protocol 51) nor ESP (protocol 50). This is not a normal condition.
Recommendation:
If you are receiving many IPsec not AH or ESP indications on your appliance, analyze
your network traffic to determine the source of the traffic.
Syslogs:
402115
----------------------------------------------------------------
Name: ipsec-ipv6
IPsec via IPV6:
This counter will increment when the appliance receives an IPsec ESP packet, IPsec
NAT-T ESP packet or an IPsec over UDP ESP packet encapsulated in an IP version 6 header.
The appliance does not currently support any IPsec sessions encapsulated in IP version 6.
Recommendation:
None
Syslogs:
None
----------------------------------------------------------------
Name: bad-ipsec-natt
Bad IPsec NATT packet:
This counter will increment when the appliance receives a packet on an IPsec
connection that has negotiated NAT-T but the packet is not addressed to the NAT-T UDP
destination port 4500 or has an invalid payload length.
Recommendation:
Analyze your network traffic to determine the source of the NAT-T traffic.
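To make the drop decisions described for these counters concrete, the following Python model applies the stated rules for bad-ipsec-prot, ipsec-ipv6, bad-ipsec-natt and the NAT-T keepalive counter to constructed packets, using the wire formats of RFC 4303 (ESP) and RFC 3948 (ESP in UDP on port 4500, one-byte 0xFF keepalive, four-byte zero non-ESP marker for IKE). This is an added example, not Cisco code and not output of the appliance: the packet builders, the natt_negotiated flag standing in for the SA state, the port 10000 default for IPsec over UDP, and the reading of "invalid payload length" as "shorter than the 8-byte ESP SPI plus sequence header" are assumptions, and the proprietary IPsec-over-UDP keepalive format is not modelled.

```python
"""Model of the IPsec-related `show asp drop` counters described above.

Added example, not Cisco code. The exact checks the appliance performs are
not published; where the page is silent the choice made here is an assumption
and is marked as such in the comments.
"""
import struct
from collections import Counter

PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
NATT_PORT = 4500            # RFC 3948 NAT-T port
IPSEC_UDP_PORT = 10000      # Cisco IPsec-over-UDP default port (assumed here)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on 4500 starts with 4 zero bytes

# --- constructed packet builders: no checksums, just enough for classification ---
def ipv4(proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return hdr + payload

def ipv6(next_header, payload):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      bytes(16), bytes(16))
    return hdr + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def esp(spi, seq, body=b"\x00" * 16):
    return struct.pack("!II", spi, seq) + body   # SPI, sequence, encrypted body

def classify(pkt, natt_negotiated=False):
    """Return the counter name a packet would increment, or "accept".

    The packet is assumed to have already been matched to an IPsec peer;
    `natt_negotiated` models whether that peer's SA was set up with NAT-T.
    """
    version = pkt[0] >> 4
    if version == 6:
        nh, payload = pkt[6], pkt[40:]
        if nh in (PROTO_ESP, PROTO_AH):
            return "ipsec-ipv6"
        if nh == PROTO_UDP and len(payload) >= 8:
            dport = struct.unpack("!H", payload[2:4])[0]
            if dport in (NATT_PORT, IPSEC_UDP_PORT):   # NAT-T or IPsec-over-UDP in IPv6
                return "ipsec-ipv6"
        return "accept"     # not IPsec at all; outside the scope of these counters
    if version != 4:
        return "accept"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    payload = pkt[ihl:]
    if proto in (PROTO_ESP, PROTO_AH):
        return "accept"     # native AH/ESP is what an IPsec connection normally carries
    if proto != PROTO_UDP or not natt_negotiated:
        # Anything that is not AH/ESP (and, as an assumption, UDP on an SA that
        # never negotiated NAT-T) counts as "IPsec not AH or ESP".
        return "bad-ipsec-prot"
    if len(payload) < 8:
        return "bad-ipsec-natt"                      # truncated UDP header
    _, dport, ulen, _ = struct.unpack("!HHHH", payload[:8])
    data = payload[8:ulen]
    if dport != NATT_PORT:
        return "bad-ipsec-natt"                      # NAT-T SA but not port 4500
    if data == b"\xff":
        return "natt-keepalive"                      # RFC 3948 keepalive
    if data[:4] == NON_ESP_MARKER and len(data) > 4:
        return "accept"                              # IKE on 4500, handed to IKE
    if len(data) < 8:
        # Assumption: "invalid payload length" means shorter than SPI + sequence.
        return "bad-ipsec-natt"
    return "accept"                                  # UDP-encapsulated ESP

def tally(flows):
    """flows: iterable of (packet, natt_negotiated). Returns {counter: count}."""
    counts = Counter(classify(p, n) for p, n in flows)
    counts.pop("accept", None)
    return dict(counts)

# Constructed sample traffic, one packet per case discussed on the page.
SAMPLE = [
    (ipv4(PROTO_ESP, esp(0x1234, 1)), False),                               # accept
    (ipv4(PROTO_UDP, udp(4500, 4500, b"\xff")), True),                      # natt-keepalive
    (ipv4(PROTO_UDP, udp(4500, 4500, esp(0x1234, 2))), True),               # accept
    (ipv4(PROTO_UDP, udp(4500, 4500, NON_ESP_MARKER + b"\x00" * 28)), True), # accept (IKE)
    (ipv4(PROTO_UDP, udp(4500, 500, esp(0x1234, 3))), True),                # bad-ipsec-natt
    (ipv4(PROTO_UDP, udp(4500, 4500, b"\x00\x00\x12\x34")), True),          # bad-ipsec-natt
    (ipv4(6, b"\x00" * 20), False),                                         # bad-ipsec-prot (TCP)
    (ipv6(PROTO_ESP, esp(0x1234, 4)), False),                               # ipsec-ipv6
    (ipv6(PROTO_UDP, udp(4500, 4500, esp(0x1234, 5))), True),               # ipsec-ipv6
]

if __name__ == "__main__":
    for name, count in sorted(tally(SAMPLE).items()):
        print(f"{name:20s} {count}")
```

The ordering of the checks matters: protocol is tested before port, and the keepalive and non-ESP marker are recognised before the length check, so a legitimate one-byte keepalive is never counted as a bad NAT-T packet.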