Cisco ASA 5580 Adaptive Security Appliance Leaflet
Cisco ASA Series Command Reference, S Commands
Chapter 3 show as-path-access-list through show auto-update Commands
show asp drop
Recommendation:
This counter should never be incrementing on the Active appliance or context. However,
it is normal to see it increment on the Standby appliance or context.
Syslogs:
302014, 302016, 302018
----------------------------------------------------------------
Name: dst-l2_lookup-fail
Dst MAC L2 Lookup Failed:
This counter will increment when the appliance is configured for transparent mode and
the appliance does a Layer 2 destination MAC address lookup which fails. Upon the lookup
failure, the appliance will begin the destination MAC discovery process and attempt to
find the location of the host via ARP and/or ICMP messages.
Recommendation:
This is a normal condition when the appliance is configured for transparent mode. You
can also execute (show mac-address-table) to list the L2 MAC address locations currently
discovered by the appliance.
Syslogs:
None
----------------------------------------------------------------
Name: l2_same-lan-port
L2 Src/Dst same LAN port:
This counter will increment when the appliance/context is configured for transparent
mode and the appliance determines that the destination interface's L2 MAC address is the
same as its ingress interface.
Recommendation:
This is a normal condition when the appliance/context is configured for transparent
mode. Since the appliance interface is operating in promiscuous mode, the
appliance/context receives all packets on the local LAN segment.
Syslogs:
None
----------------------------------------------------------------
Name: flow-expired
Expired flow:
This counter is incremented when the security appliance tries to inject a new or
cached packet belonging to a flow that has already expired. It is also incremented when the
appliance attempts to send an RST on a TCP flow that has already expired or when a packet
returns from the IDS blade but the flow had already expired. The packet is dropped.
Recommendation:
If valid applications are getting pre-empted, investigate if a longer timeout is
needed.
Syslogs:
None.
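
The recommendations above depend on whether a counter is still incrementing, so the following added example (not part of the Cisco reference) compares two captures of show asp drop and labels each counter that moved with the guidance from this section. The line layout "description (counter-name) count", the sample captures and the names GUIDANCE, parse and triage are assumptions made for illustration.

```python
import re

# Guidance paraphrased from the counter descriptions in this section.
GUIDANCE = {
    "dst-l2_lookup-fail": ("normal", "expected in transparent mode; see show mac-address-table"),
    "l2_same-lan-port": ("normal", "expected in transparent mode (promiscuous interface)"),
    "flow-expired": ("investigate", "check whether a longer timeout is needed"),
}

# Assumed layout of a counter line: "  <description> (<counter-name>)   <count>"
LINE = re.compile(r"^\s*.+?\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")

def parse(text):
    """Return {counter-name: count} for every counter line in one capture."""
    counters = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # section headers such as "Frame drop:" do not match
            counters[m["name"]] = int(m["count"])
    return counters

def triage(before, after):
    """List (name, delta, status, note) for counters that grew between captures."""
    old, new = parse(before), parse(after)
    report = []
    for name, count in sorted(new.items()):
        delta = count - old.get(name, 0)
        if delta < 0:  # counters were cleared between captures
            delta = count
        if delta:
            status, note = GUIDANCE.get(name, ("unknown", "not covered by this section"))
            report.append((name, delta, status, note))
    return report

# Constructed sample captures, taken some minutes apart.
BEFORE = """Frame drop:
  Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)      10
  L2 Src/Dst same LAN port (l2_same-lan-port)       400
  Expired flow (flow-expired)                         3
"""
AFTER = """Frame drop:
  Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)      10
  L2 Src/Dst same LAN port (l2_same-lan-port)       950
  Expired flow (flow-expired)                        45
"""

if __name__ == "__main__":
    for name, delta, status, note in triage(BEFORE, AFTER):
        print(f"{name:22} +{delta:<6} {status:12} {note}")
```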
----------------------------------------------------------------
Name: inspect-icmp-out-of-app-id
ICMP Inspect out of App ID:
This counter will increment when the ICMP inspection engine fails to allocate an 'App
ID' data structure. The structure is used to store the sequence number of the ICMP packet.