Cisco ASA 5510 Adaptive Security Appliance Leaflet
Cisco ASA Series Command Reference, S Commands
Chapter 3 show as-path-access-list through show auto-update Commands
show asp drop
Frame Drop Reasons
----------------------------------------------------------------
Name: natt-keepalive
NAT-T keepalive message:
This counter will increment when the appliance receives an IPsec NAT-T keepalive
message. NAT-T keepalive messages are sent from the IPsec peer to the appliance to keep
NAT/PAT flow information current in network devices between the NAT-T IPsec peer and the
appliance.
Recommendation:
If you have configured IPsec NAT-T on your appliance, this indication is normal and
doesn't indicate a problem. If NAT-T is not configured on your appliance, analyze your
network traffic to determine the source of the NAT-T traffic.
Syslogs:
None
----------------------------------------------------------------
Name: ipsecudp-keepalive
IPSEC/UDP keepalive message:
This counter will increment when the appliance receives an IPsec over UDP keepalive
message. IPsec over UDP keepalive messages are sent from the IPsec peer to the appliance
to keep NAT/PAT flow information current in network devices between the IPsec over UDP
peer and the appliance. Note - These are not industry standard NAT-T keepalive messages
which are also carried over UDP and addressed to UDP port 4500.
Recommendation:
If you have configured IPsec over UDP on your appliance, this indication is normal and
doesn't indicate a problem. If IPsec over UDP is not configured on your appliance, analyze
your network traffic to determine the source of the IPsec over UDP traffic.
Syslogs:
None
----------------------------------------------------------------
Name: bad-ipsec-prot
IPsec not AH or ESP:
This counter will increment when the appliance receives a packet on an IPsec
connection which is not an AH or ESP protocol. This is not a normal condition.
Recommendation:
If you are receiving many IPsec not AH or ESP indications on your appliance, analyze
your network traffic to determine the source of the traffic.
Syslogs:
402115
----------------------------------------------------------------
Name: ipsec-ipv6
IPsec via IPV6:
This counter will increment when the appliance receives an IPsec ESP packet, IPsec
NAT-T ESP packet or an IPsec over UDP ESP packet encapsulated in an IP version 6 header.
The appliance does not currently support any IPsec sessions encapsulated in IP version 6.
Recommendation:
None
Syslogs:
None
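The recommendations above can be applied mechanically to captured counter values. The following is an added example, not Cisco code or part of the original reference. It assumes each counter line has the shape "description (name) count"; the feature labels "nat-t" and "ipsec-over-udp", the verdict strings, the `many` threshold, and the sample values are all constructed for illustration.

```python
import re

# Counters that are normal only when the named feature is configured
# (per the natt-keepalive and ipsecudp-keepalive recommendations above).
# The feature labels are hypothetical names chosen for this example.
EXPECTED_WITH = {"natt-keepalive": "nat-t", "ipsecudp-keepalive": "ipsec-over-udp"}

# Assumed line shape: "<description> (<counter-name>)   <count>"
LINE = re.compile(r"^\s*.+?\s+\((?P<name>[a-z0-9-]+)\)\s+(?P<count>\d+)\s*$")

# Constructed sample input; the counts are invented for illustration.
SAMPLE = """\
Frame drop:
  NAT-T keepalive message (natt-keepalive)                  1841
  IPSEC/UDP keepalive message (ipsecudp-keepalive)            27
  IPsec not AH or ESP (bad-ipsec-prot)                       350
  IPsec via IPV6 (ipsec-ipv6)                                  4
"""

def parse_counters(text):
    """Return {counter name: count} for every line matching the assumed shape."""
    return {m["name"]: int(m["count"])
            for m in map(LINE.match, text.splitlines()) if m}

def triage(counters, configured, many=100):
    """Map each non-zero counter to a verdict based on the descriptions above.

    configured: set of feature labels enabled on the appliance.
    many: assumed threshold for "receiving many" bad-ipsec-prot indications.
    """
    verdicts = {}
    for name, count in counters.items():
        if count == 0:
            continue
        if name in EXPECTED_WITH:
            # Normal if the feature is configured, otherwise find the traffic source.
            ok = EXPECTED_WITH[name] in configured
            verdicts[name] = "expected" if ok else "investigate"
        elif name == "bad-ipsec-prot":
            # Never a normal condition; correlate with syslog 402115.
            verdicts[name] = "investigate" if count >= many else "watch"
        elif name == "ipsec-ipv6":
            # IPsec encapsulated in IPv6 is unsupported; no recommendation is given.
            verdicts[name] = "info"
    return verdicts

if __name__ == "__main__":
    for name, verdict in triage(parse_counters(SAMPLE), {"nat-t"}).items():
        print(f"{name:20} {verdict}")
```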