Cisco Cisco ASA 5580 Adaptive Security Appliance Leaflet
3-32
思科 ASA 系列命令参考,S 命令
第 3 章 show as-path-access-list 至 show auto-update 命令
show asp drop
Recommendation:
No action required.
Syslogs:
None.
----------------------------------------------------------------
Name: inspect-dns-invalid-domain-label
DNS Inspect invalid domain label:
This counter will increment when the appliance detects an invalid DNS domain name or
label.DNS domain name and label is checked per RFC 1035.
Recommendation:
No action required.If the domain name and label check is not desired, disable the
protocol-enforcement parameter in the DNS inspection policy-map (in supported releases).
Syslogs:
None.
----------------------------------------------------------------
Name: inspect-dns-pak-too-long
DNS Inspect packet too long:
This counter is incremented when the length of the DNS message exceeds the configured
maximum allowed value.
Recommendation:
No action required.If DNS message length checking is not desired, enable DNS
inspection without the 'maximum-length' option, or disable the 'message-length maximum'
parameter in the DNS inspection policy-map (in supported releases).
Syslogs:
410001
----------------------------------------------------------------
Name: inspect-dns-out-of-app-id
DNS Inspect out of App ID:
This counter will increment when the DNS inspection engine fails to allocate a data
structure to store the identification of the DNS message.
Recommendation:
Check the system memory usage.This event normally happens when the system runs short
of memory.
Syslogs:
None.
----------------------------------------------------------------
Name: inspect-dns-id-not-matched
DNS Inspect ID not matched:
This counter will increment when the identification of the DNS response message does
not match any DNS queries that passed across the appliance earlier on the same connection.
Recommendation:
No action required if it is an intermittent event.If the cause is an attack, you can
deny the host using the ACLs.
Syslogs:
None.