Cisco ASA 5510 Adaptive Security Appliance

Cisco ASA Series Command Reference, S Commands (page 3-17)

Chapter 3: show as-path-access-list through show auto-update commands

show asp drop
    This counter is incremented when the security appliance tries to send a packet out of 
an interface and does not find a route for it in the routing table.
Recommendation:
    Verify that a route exists for the destination address obtained from the generated 
syslog.
Syslogs:
   110002, 110003.
----------------------------------------------------------------
Name: rpf-violated
Reverse-path verify failed:
    This counter is incremented when ip-verify is configured on an interface and the 
security appliance receives a packet whose source-ip route lookup does not resolve to 
the interface on which the packet was received.
Recommendation:
    Trace the source of the traffic based on the source-ip printed in the syslog listed below 
and investigate why it is sending spoofed traffic.
Syslogs:
    106021.
----------------------------------------------------------------
Name: acl-drop
Flow is denied by configured rule:
    This counter is incremented when a packet hits a drop rule and is dropped. The rule 
could be a default rule created when the box comes up, when various features are turned 
on or off, when an ACL is applied to an interface, or by any other feature. Apart from 
default rule drops, a packet could be dropped because of:
     1) an ACL configured on an interface
     2) an ACL configured for AAA, where AAA denied the user
     3) through-the-box traffic arriving on a management-only interface
     4) unencrypted traffic arriving on an IPsec-enabled interface
Recommendation:
    Note whether one of the ACLs reported in the syslogs listed below is being triggered.
Syslogs:
    106023, 106100, 106004
----------------------------------------------------------------
Name: unable-to-create-flow
Flow denied due to resource limitation:
    This counter is incremented and the packet is dropped when flow creation fails due to 
a system resource limitation. The resource limit may be one of:
       1) system memory
       2) packet block extension memory
       3) system connection limit
    Causes 1 and 2 occur together with the flow drop reason "No memory to complete 
flow".
Recommendation:
    - Check whether free system memory is low.
    - Check whether the flow drop reason "No memory to complete flow" occurs.
    - Check whether the connection count has reached the system connection limit with the 
command "show resource usage".
Syslogs:
    None
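Each drop reason above lists the syslog IDs that accompany it, and its recommendation says which address in the syslog to investigate (the destination for the route-lookup failure, the source for rpf-violated). The following added example, not part of the Cisco reference, maps those syslog IDs back to the drop-reason names on this page and tallies the addresses involved; the sample syslog lines are constructed, the message wording is an assumption, and the first counter's name is a placeholder because its Name: line is cut off on this page.

```python
import re
from collections import Counter, defaultdict

# Syslog IDs -> drop-reason names, exactly as listed on this reference page.
# The route-lookup counter's Name: line is cut off on the page, so it gets a placeholder.
ROUTE_LOOKUP_PLACEHOLDER = "<route-lookup-failure: name cut off on page>"
SYSLOG_TO_DROP_REASON = {
    "110002": ROUTE_LOOKUP_PLACEHOLDER,
    "110003": ROUTE_LOOKUP_PLACEHOLDER,
    "106021": "rpf-violated",
    "106023": "acl-drop",
    "106100": "acl-drop",
    "106004": "acl-drop",
    # unable-to-create-flow has no syslog, so it cannot be found this way.
}

SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<msg>.*)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample lines; the message text is an assumption, only the IDs come from the page.
SAMPLE_LOG = [
    "%ASA-1-106021: Deny tcp reverse path check from 192.0.2.10 to 198.51.100.5 on interface outside",
    "%ASA-1-106021: Deny udp reverse path check from 192.0.2.10 to 198.51.100.9 on interface outside",
    '%ASA-4-106023: Deny tcp src outside:203.0.113.7/4433 dst inside:10.0.0.5/22 by access-group "OUTSIDE_IN"',
    "%ASA-6-110002: Failed to locate egress interface for udp from inside:10.0.0.9/5353 to 10.9.9.9/5353",
    "%ASA-6-302013: Built inbound TCP connection 77 for outside:203.0.113.8/1200 to inside:10.0.0.5/443",
]

def classify(line):
    """Return (drop_reason, src_ip, dst_ip) for a syslog ID on the page, else None.

    The first IPv4 address in the message is treated as the source and the second as
    the destination, which holds for the constructed samples above."""
    m = SYSLOG_RE.search(line)
    if not m or m.group("id") not in SYSLOG_TO_DROP_REASON:
        return None
    ips = IPV4_RE.findall(m.group("msg"))
    src = ips[0] if ips else None
    dst = ips[1] if len(ips) > 1 else None
    return SYSLOG_TO_DROP_REASON[m.group("id")], src, dst

def summarise(lines):
    """Count hits per drop reason and collect source/destination addresses per reason."""
    per_reason, sources, dests = Counter(), defaultdict(Counter), defaultdict(Counter)
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue  # not one of the drop-related syslogs on this page
        reason, src, dst = hit
        per_reason[reason] += 1
        if src:
            sources[reason][src] += 1
        if dst:
            dests[reason][dst] += 1
    return per_reason, sources, dests
```

Following the page's recommendations, look up sources[...] for rpf-violated and dests[...] for the route-lookup entry; acl-drop hits should be checked against the ACL named in the syslog.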