Cisco Cisco ASA 5510 Adaptive Security Appliance Leaflet
Cisco ASA Series Command Reference, S Commands
Chapter 3 show as-path-access-list through show auto-update Commands
show asp drop
This counter will increment when the appliance attempts to perform a crypto operation
on a packet and the crypto operation fails. This is not a normal condition and could
indicate possible software or hardware problems with the appliance.
Recommendation:
If you are receiving many bad crypto indications your appliance may need servicing.
You should enable syslog 402123 to determine whether the crypto errors are hardware or
software errors. You can also check the error counter in the global IPsec statistics with
the 'show ipsec stats' CLI command. If the IPsec SA which is triggering these errors is
known, the SA statistics from the 'show ipsec sa detail' command will also be useful in
diagnosing the problem.
Syslogs:
402123
----------------------------------------------------------------
Name: send-ctm-error
Send to CTM returned error:
This counter is obsolete in the appliance and should never increment.
Recommendation:
None
Syslogs:
None
----------------------------------------------------------------
Name: security-failed
Early security checks failed:
This counter is incremented and the packet is dropped when the security appliance:
- receives an IPv4 multicast packet when the packet's multicast MAC address doesn't
match the packet's multicast destination IP address
- receives an IPv6 or IPv4 teardrop fragment containing either a small offset or
overlapping fragments
- receives an IPv4 packet that matches an IP audit (IPS) signature
Recommendation:
Contact the remote peer administrator or escalate this issue according to your
security policy.
For a detailed description and syslogs for IP audit attack checks, please refer to the ip
audit signature section of the command reference guide.
Syslogs:
106020
400xx in case of ip audit checks
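
Added example, not part of the Cisco reference and not ASA code: the first two security-failed conditions above expressed as Python checks, useful when validating captured traffic against this counter. The multicast check uses the RFC 1112 address mapping; the function names and the 16-byte `min_offset` threshold are assumptions, since the page does not define "small offset".

```python
import ipaddress


def expected_multicast_mac(dst_ip: str) -> str:
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(dst_ip)
    if not addr.is_multicast:
        raise ValueError(f"{dst_ip} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    octets = [0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF]
    return ":".join(f"{o:02x}" for o in octets)


def multicast_mac_mismatch(dst_mac: str, dst_ip: str) -> bool:
    """True when the frame's destination MAC does not match its multicast destination IP."""
    normalized = dst_mac.lower().replace("-", ":")
    return normalized != expected_multicast_mac(dst_ip)


def fragment_anomaly(fragments, min_offset=16):
    """Check the fragments of one datagram, given as (offset_bytes, payload_len) pairs.

    Returns "small-offset", "overlap" or None.
    min_offset is an assumed threshold, not a value taken from the ASA.
    """
    prev_end = 0
    for offset, length in sorted(fragments):
        # A non-first fragment that starts inside the first few bytes can
        # overwrite transport header fields during reassembly.
        if 0 < offset < min_offset:
            return "small-offset"
        # A fragment that starts before the previous data ends overlaps it.
        if offset < prev_end:
            return "overlap"
        prev_end = max(prev_end, offset + length)
    return None
```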
----------------------------------------------------------------
Name: sp-security-failed
Slowpath security checks failed:
This counter is incremented and the packet is dropped when the security appliance is:
1) In routed mode and receives a through-the-box:
- L2 broadcast packet
- IPv4 packet with destination IP address equal to 0.0.0.0
- IPv4 packet with source IP address equal to 0.0.0.0
2) In routed or transparent mode and receives a through-the-box IPv4 packet with:
- first octet of the source IP address equal to zero
- source IP address equal to the loopback IP address
- network part of source IP address equal to all 0's
- network part of source IP address equal to all 1's
- source IP address host part equal to all 0's or all 1's