Cisco ASA 5580 Adaptive Security Appliance Leaflet
Cisco ASA Series Command Reference, S Commands
Chapter 3 show as-path-access-list through show auto-update Commands
show asp drop
'clear xlate' is issued. Also, if connections have not been recently removed, and the
counter is incrementing rapidly, the appliance may be under attack. Capture a sniffer
trace to help isolate the cause.
Syslogs:
6106015
----------------------------------------------------------------
Name: bad-tcp-cksum
Bad TCP checksum:
This counter is incremented and the packet is dropped when the appliance receives a
TCP packet whose computed TCP checksum does not match the checksum recorded in the TCP header.
Recommendation:
The packet corruption may be caused by a bad cable or noise on the line. It may also be
that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use
the packet capture feature to learn more about the origin of the packet. To allow packets
with an incorrect TCP checksum, disable the checksum-verification feature under tcp-map.
Syslogs:
None
----------------------------------------------------------------
Name: bad-tcp-flags
Bad TCP flags:
This counter is incremented and the packet is dropped when the appliance receives a
TCP packet with invalid TCP flags in the TCP header. For example, a packet with both the
SYN and FIN TCP flags set will be dropped.
Recommendations:
The packet corruption may be caused by a bad cable or noise on the line. It may also be
that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use
the packet capture feature to learn more about the origin of the packet.
Syslogs:
None
----------------------------------------------------------------
Name: tcp-reserved-set
TCP reserved flags set:
This counter is incremented and the packet is dropped when the appliance receives a
TCP packet with reserved flags set in the TCP header.
Recommendations:
The packet corruption may be caused by a bad cable or noise on the line. It may also be
that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use
the packet capture feature to learn more about the origin of the packet. To allow such TCP
packets, or to clear the reserved flags and then pass the packet, use the reserved-bits
configuration under tcp-map.
Syslogs:
None
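
Added example (not Cisco code and not part of the original reference): an offline triage of TCP segments taken from a packet capture, tagging each with the bad-tcp-cksum, bad-tcp-flags and tcp-reserved-set counters described above. Assumptions: IPv4, the only flag check is the SYN+FIN case this page names, "reserved" means the four reserved bits of RFC 9293, and the function names, the "truncated" label and the sample segments are constructed for illustration.

```python
import struct

FIN, SYN = 0x01, 0x02  # flag bits in byte 13 of the TCP header


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header and the segment, checksum field zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return ~ones_complement_sum(pseudo + zeroed) & 0xFFFF


def classify(src: bytes, dst: bytes, segment: bytes) -> list[str]:
    """Return the counter names from this page that a captured segment matches."""
    if len(segment) < 20:
        return ["truncated"]  # hypothetical label, not an ASA counter
    reasons = []
    if tcp_checksum(src, dst, segment) != struct.unpack("!H", segment[16:18])[0]:
        reasons.append("bad-tcp-cksum")
    if segment[13] & SYN and segment[13] & FIN:  # the page's own example
        reasons.append("bad-tcp-flags")
    if segment[12] & 0x0F:  # assumption: the 4 reserved bits of RFC 9293
        reasons.append("tcp-reserved-set")
    return reasons


def build(src, dst, flags, reserved=0, payload=b""):
    """Constructed sample segment with a valid checksum (test data only)."""
    seg = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50 | reserved, flags, 8192, 0, 0) + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]


SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])  # documentation addresses
if __name__ == "__main__":
    data = build(SRC, DST, 0x18, payload=b"hello")
    for name, seg in [("clean", data), ("corrupted", data[:-1] + b"p"),
                      ("syn+fin", build(SRC, DST, SYN | FIN)),
                      ("reserved", build(SRC, DST, SYN, reserved=0x4))]:
        print(f"{name:10} {classify(SRC, DST, seg)}")
```

Grouping the results by source address separates a single faulty link or host, where one path produces checksum failures, from a sender emitting malformed flag combinations.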
----------------------------------------------------------------
Name: tcp-bad-option-list
TCP option list invalid:
This counter is incremented and the packet is dropped when the appliance receives a
TCP packet with a non-standard TCP header option.