Cisco Cisco ASA 5580 Adaptive Security Appliance Leaflet
Cisco ASA Series Command Reference, S Commands
Chapter 3 show as-path-access-list through show auto-update Commands
show asp drop
Name: inspect-srtp-no-remote-phone-proxy-ip
Inspect SRTP Remote Phone Proxy IP not populated:
This counter will increment when remote phone proxy IP is not populated
Recommendation:
No action is required. The remote phone proxy IP address is populated from the
signaling exchange. If the error persists, debug the signaling messages to determine
whether the ASA is seeing all the signaling messages.
Syslogs:
None.
----------------------------------------------------------------
Name: inspect-srtp-client-port-not-present
Inspect SRTP client port wildcarded in media session:
This counter will increment when client port is not populated in media session
Recommendation:
No action is required. The client port is populated dynamically when the media stream
comes in from the client. Capture the media packets to see if the client is sending media
packets.
Syslogs:
None.
----------------------------------------------------------------
Name: ipsec-need-sa
IPsec SA not negotiated yet:
This counter will increment when the appliance receives a packet which requires
encryption but has no established IPsec security association. This is generally a normal
condition for LAN-to-LAN IPsec configurations. This indication will cause the appliance to
begin ISAKMP negotiations with the destination peer.
Recommendation:
If you have configured IPsec LAN-to-LAN on your appliance, this indication is normal
and doesn't indicate a problem. However, if this counter increments rapidly it may
indicate a crypto configuration error or network error preventing the ISAKMP negotiation
from completing. Verify that you can communicate with the destination peer and verify your
crypto configuration via the 'show running-config' command.
Syslogs:
None
----------------------------------------------------------------
Name: ipsec-spoof
IPsec spoof detected:
This counter will increment when the appliance receives a packet which should have
been encrypted but was not. The packet matched the inner header security policy check of a
configured and established IPsec connection on the appliance but was received unencrypted.
This is a security issue.
Recommendation:
Analyze your network traffic to determine the source of the spoofed IPsec traffic.
Syslogs:
402117
----------------------------------------------------------------
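Added example (not part of the Cisco reference): a Python check that compares two saved 'show asp drop' outputs and reports any ipsec-spoof increase and a rapid ipsec-need-sa increase, following the two recommendations above. The sample outputs are constructed, the line layout (description, reason name in parentheses, count) is an assumption about the command's output, and the need_sa_per_min threshold is an assumed value for "increments rapidly".

```python
import re

# Constructed samples, assumed 'show asp drop' layout; not from a real device.
SNAPSHOT_T0 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                    120
  IPsec SA not negotiated yet (ipsec-need-sa)                       4
"""
SNAPSHOT_T1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                    131
  IPsec SA not negotiated yet (ipsec-need-sa)                     904
  IPsec spoof detected (ipsec-spoof)                                7
"""

# Counter lines end with "(reason-name)   <count>"; headers do not match.
LINE_RE = re.compile(r"\(([a-z0-9-]+)\)\s+(\d+)\s*$")

def parse_asp_drop(text):
    """Return {reason-name: count}; counters at zero are simply absent."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def review(before, after, seconds, need_sa_per_min=60):
    """Compare two snapshots taken `seconds` apart; return a list of findings.

    need_sa_per_min is an assumed threshold; tune it per appliance.
    """
    old, new = parse_asp_drop(before), parse_asp_drop(after)

    def delta(name):
        d = new.get(name, 0) - old.get(name, 0)
        # A negative delta means counters were cleared between snapshots.
        return new.get(name, 0) if d < 0 else d

    findings = []
    if delta("ipsec-spoof") > 0:  # any increase is a security issue
        findings.append(("ipsec-spoof", delta("ipsec-spoof"),
                         "unencrypted packet matched an IPsec policy; see syslog 402117"))
    if delta("ipsec-need-sa") * 60.0 / seconds > need_sa_per_min:
        findings.append(("ipsec-need-sa", delta("ipsec-need-sa"),
                         "ISAKMP may not be completing; verify peer and crypto config"))
    return findings

if __name__ == "__main__":
    for name, count, note in review(SNAPSHOT_T0, SNAPSHOT_T1, seconds=300):
        print(f"{name}: +{count} -> {note}")
```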