Cisco Cisco ASA 5580 Adaptive Security Appliance Leaflet
Cisco ASA Series Command Reference, S Commands
Chapter 3 show as-path-access-list through show auto-update Commands
show asp drop
Flow drop reasons
----------------------------------------------------------------
Name: tunnel-torn-down
Tunnel has been torn down:
This counter will increment when the appliance receives a packet associated with an
established flow whose IPsec security association is in the process of being deleted.
Recommendation:
This is a normal condition when the IPsec tunnel is torn down for any reason.
Syslogs:
None
----------------------------------------------------------------
Name: no-ipv6-ipsec
IPsec over IPv6 unsupported:
This counter will increment when the appliance receives an IPsec ESP packet, IPsec
NAT-T ESP packet or an IPsec over UDP ESP packet encapsulated in an IP version 6
header. The appliance does not currently support any IPsec sessions encapsulated in IP
version 6.
Recommendation:
None
Syslogs:
None
----------------------------------------------------------------
Name: tunnel-pending
Tunnel being brought up or torn down:
This counter will increment when the appliance receives a packet matching an entry in
the security policy database (i.e. crypto map) but the security association is in the
process of being negotiated; it’s not complete yet.
This counter will also increment when the appliance receives a packet matching an
entry in the security policy database but the security association has been or is in the
process of being deleted. The difference between this indication and the 'Tunnel has been
torn down' indication is that the 'Tunnel has been torn down' indication is for
established flows.
Recommendation:
This is a normal condition when the IPsec tunnel is in the process of being negotiated
or deleted.
Syslogs:
None
----------------------------------------------------------------
Name: need-ike
Need to start IKE negotiation:
This counter will increment when the appliance receives a packet which requires
encryption but has no established IPsec security association. This is generally a normal
condition for LAN-to-LAN IPsec configurations. This indication will cause the appliance to
begin ISAKMP negotiations with the destination peer.
Recommendation:
If you have configured IPsec LAN-to-LAN on your appliance, this indication is normal
and does not indicate a problem. However, if this counter increments rapidly, it may
indicate a crypto configuration error or network error preventing the ISAKMP negotiation
from completing.
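
The need-ike recommendation above depends on how fast the counter moves, so one way to apply it is to compare two `show asp drop` snapshots taken a known interval apart. The following is an added example, not part of the Cisco reference: the counter line layout, the sample snapshots and the rate threshold are assumptions, since the page does not quantify "rapidly".

```python
import re

# One counter line of `show asp drop` (assumed layout): "<description> (<name>)  <count>"
LINE_RE = re.compile(r"^\s*.+?\s+\(([a-z0-9-]+)\)\s+(\d+)\s*$")

# Assumption: the page does not say what "rapidly" means; tune this per site.
NEED_IKE_MAX_PER_SEC = 1.0

def parse_asp_drop(text):
    """Return {counter-name: count} from `show asp drop` output."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def assess(before, after, interval_s, max_rate=NEED_IKE_MAX_PER_SEC):
    """Compare two snapshots and classify the IPsec flow-drop counters."""
    old, new = parse_asp_drop(before), parse_asp_drop(after)
    findings = {}
    for name in ("tunnel-torn-down", "tunnel-pending", "need-ike", "no-ipv6-ipsec"):
        # A counter missing from a snapshot is treated as zero.
        delta = new.get(name, 0) - old.get(name, 0)
        if delta < 0:
            findings[name] = "counters-reset"       # cleared or reloaded in between
        elif name == "need-ike" and delta / interval_s > max_rate:
            findings[name] = "investigate"          # ISAKMP may not be completing
        elif name == "no-ipv6-ipsec" and delta > 0:
            findings[name] = "unsupported-traffic"  # IPsec inside IPv6 was received
        else:
            findings[name] = "normal"               # expected during setup/teardown
    return findings

# Constructed sample snapshots, taken 300 seconds apart.
T0 = """Flow drop:
  Tunnel being brought up or torn down (tunnel-pending)          4
  Need to start IKE negotiation (need-ike)                      10
"""
T1 = """Flow drop:
  Tunnel being brought up or torn down (tunnel-pending)          6
  Need to start IKE negotiation (need-ike)                     910
  IPsec over IPv6 unsupported (no-ipv6-ipsec)                    3
"""

if __name__ == "__main__":
    for name, verdict in assess(T0, T1, 300).items():
        print(f"{name:18} {verdict}")
```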