Cisco ASA 5580 Adaptive Security Appliance Leaflet

Cisco ASA Series Command Reference, Commands

Chapter 3: show as-path-access-list through show auto-update commands
  show asp drop
Recommendation:
    Verify that a route exists for the destination address reported in the generated syslog.
Syslogs:
   110002, 110003.
----------------------------------------------------------------
Name: rpf-violated
Reverse-path verify failed:
    This counter is incremented when ip-verify is configured on an interface and the security appliance receives a packet for which the route lookup of the source IP address did not yield the same interface as the one on which the packet was received.
Recommendation:
    Trace the source of the traffic based on the source IP address printed in the syslog listed below and investigate why it is sending spoofed traffic.
Syslogs:
    106021.
----------------------------------------------------------------
Name: acl-drop
Flow is denied by configured rule:
    This counter is incremented when a packet hits a drop rule and is dropped. This rule could be a default rule created when the box comes up, when various features are turned on or off, when an ACL is applied to an interface, or by any other feature. Apart from default rule drops, a packet could be dropped because of:
     1) An ACL configured on an interface
     2) An ACL configured for AAA, where AAA denied the user
     3) Through-the-box traffic arriving at a management-only interface
     4) Unencrypted traffic arriving on an IPsec-enabled interface
Recommendation:
    Check whether one of the ACL syslogs listed below fired.
Syslogs:
    106023, 106100, 106004.
----------------------------------------------------------------
Name: unable-to-create-flow
Flow denied due to resource limitation:
    This counter is incremented and the packet is dropped when flow creation fails due to a system resource limitation. The resource limit may be either:
       1) system memory
       2) packet block extension memory
       3) system connection limit
    Causes 1 and 2 will occur simultaneously with the flow drop reason "No memory to complete flow".
Recommendation:
    - Check whether free system memory is low.
    - Check whether the flow drop reason "No memory to complete flow" occurs.
    - Check whether the connection count has reached the system connection limit with the command "show resource usage".
Syslogs:
    None
----------------------------------------------------------------
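The three drop reasons above (rpf-violated, acl-drop and unable-to-create-flow) are all triaged the same way: take two snapshots of "show asp drop" (the counters are cumulative), look at which reasons grew, and pull the syslog IDs each entry lists. The script below is an added example, not Cisco's code or part of this reference; it parses the "description (name)  count" line format of "show asp drop", computes the per-reason delta between two snapshots, and pairs each grown reason with matching syslog lines and the recommendation from this page. The two snapshots and the syslog lines are constructed sample data, and the function and variable names are this example's own.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Drop reasons documented on this page, keyed by the name shown in
# parentheses in "show asp drop" output. Syslog IDs are the ones each
# entry lists; hints paraphrase each entry's Recommendation.
DROP_REASONS = {
    "rpf-violated": {
        "syslogs": ("106021",),
        "hint": "trace the source IP in syslog 106021 and find out why it sends spoofed traffic",
    },
    "acl-drop": {
        "syslogs": ("106023", "106100", "106004"),
        "hint": "check which ACL fired in the listed syslogs",
    },
    "unable-to-create-flow": {
        "syslogs": (),
        "hint": "check free memory, 'No memory to complete flow' drops, and 'show resource usage'",
    },
}

# One counter line of "show asp drop": description, (name), count.
ASP_LINE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")
# ASA syslog prefix "%ASA-<severity>-<six-digit id>:"
SYSLOG_ID = re.compile(r"%ASA-\d-(?P<id>\d{6}):")
# "from <src> to <dst>" as used in the reverse-path-check message text
RPF_SRC = re.compile(r"\bfrom (?P<src>[0-9a-fA-F.:]+) to ")

# Constructed sample snapshots (not real device output): same device, taken a few minutes apart.
SNAPSHOT_BEFORE = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                              1200
  Reverse-path verify failed (rpf-violated)                                   40
  Flow denied due to resource limitation (unable-to-create-flow)               0

Last clearing: Never
"""
SNAPSHOT_AFTER = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                              1205
  Reverse-path verify failed (rpf-violated)                                  190
  Flow denied due to resource limitation (unable-to-create-flow)               0

Last clearing: Never
"""

# Constructed sample syslog lines (RFC 5737 documentation addresses, not a real capture).
SYSLOG_SAMPLE = [
    "%ASA-1-106021: Deny tcp reverse path check from 10.1.1.1 to 192.0.2.10 on interface outside",
    "%ASA-1-106021: Deny udp reverse path check from 10.1.1.1 to 192.0.2.53 on interface outside",
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:10.0.0.5/22 by access-group "OUTSIDE_IN"',
    "%ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.9/40000 to inside:10.0.0.8/443",
]


def parse_asp_drop(output: str) -> Dict[str, int]:
    """Map each drop-reason name to its counter; header and summary lines are skipped."""
    counters: Dict[str, int] = {}
    for line in output.splitlines():
        m = ASP_LINE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("count"))
    return counters


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Reasons whose counter grew between the snapshots, with the growth."""
    return {n: after[n] - before.get(n, 0) for n in after if after[n] - before.get(n, 0) > 0}


def correlate(deltas: Dict[str, int], syslog_lines: List[str]) -> Dict[str, dict]:
    """Attach the page's hint and the matching syslog lines to every grown drop reason."""
    by_id: Dict[str, List[str]] = {}
    for line in syslog_lines:
        m = SYSLOG_ID.search(line)
        if m:
            by_id.setdefault(m.group("id"), []).append(line)
    report: Dict[str, dict] = {}
    for name, delta in deltas.items():
        info = DROP_REASONS.get(name)
        if info is None:  # reason not documented on this page
            report[name] = {"delta": delta, "hint": "see the show asp drop reference", "evidence": []}
            continue
        evidence = [l for sid in info["syslogs"] for l in by_id.get(sid, [])]
        report[name] = {"delta": delta, "hint": info["hint"], "evidence": evidence}
    return report


def top_sources(rpf_lines: List[str]) -> List[Tuple[str, int]]:
    """Rank source addresses in reverse-path-check denials, as the rpf-violated recommendation asks."""
    return Counter(m.group("src") for l in rpf_lines if (m := RPF_SRC.search(l))).most_common()


def triage() -> Dict[str, dict]:
    deltas = counter_deltas(parse_asp_drop(SNAPSHOT_BEFORE), parse_asp_drop(SNAPSHOT_AFTER))
    return correlate(deltas, SYSLOG_SAMPLE)


if __name__ == "__main__":
    for name, entry in triage().items():
        print(f"{name}: +{entry['delta']} -> {entry['hint']}")
        for line in entry["evidence"]:
            print("   ", line)
        if name == "rpf-violated":
            print("    top sources:", top_sources(entry["evidence"]))
```

The delta step matters because "show asp drop" counters only reset on "clear asp drop"; a large absolute acl-drop count on a busy firewall is normal, while a sudden jump in rpf-violated from one source, which is what the sample shows, is the case the rpf-violated recommendation tells you to chase.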