Cisco Cisco ASA 5510 Adaptive Security Appliance Leaflet
Cisco ASA Series Command Reference, S Commands
Chapter 3 show as-path-access-list through show auto-update Commands
show asp drop
----------------------------------------------------------------
Name: telnet-not-permitted
Telnet not permitted on least secure interface:
This counter is incremented and the packet is dropped when the appliance receives a TCP
SYN packet attempting to establish a TELNET session to the appliance and that packet was
received on the least secure interface.
Recommendation:
To establish a Telnet session to the appliance via the least secure interface, first
establish an IPsec tunnel to that interface and then connect the Telnet session over that
tunnel.
Syslogs:
402117
----------------------------------------------------------------
Name: ipv6-sp-security-failed
IPv6 slowpath security checks failed:
This counter is incremented and the packet is dropped for one of the following
reasons:
1) IPv6 through-the-box packet with identical source and destination address.
2) IPv6 through-the-box packet with link-local source or destination address.
3) IPv6 through-the-box packet with multicast destination address.
Recommendation:
These packets could indicate malicious activity, or could be the result of a
misconfigured IPv6 host. Use the packet capture feature to capture type asp packets, and
use the source MAC address to identify the source.
Syslogs:
For identical source and destination address, syslog 106016, else none.
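
An added example, not part of the Cisco reference: a Python sketch that applies the three listed conditions to address pairs taken from a capture and groups the matches by source MAC, as the recommendation suggests. It approximates the conditions as worded above and is not the appliance's own logic; the function names and the sample rows are assumptions made for illustration.

```python
import ipaddress

# Reasons listed for ipv6-sp-security-failed, in the order the entry gives them.
SAME_ADDR = "identical source and destination address"
LINK_LOCAL = "link-local source or destination address"
MULTICAST_DST = "multicast destination address"


def slowpath_drop_reasons(src, dst):
    """Return the listed reasons that a through-the-box IPv6 packet matches."""
    s = ipaddress.IPv6Address(src)
    d = ipaddress.IPv6Address(dst)
    reasons = []
    if s == d:
        reasons.append(SAME_ADDR)
    if s.is_link_local or d.is_link_local:  # fe80::/10
        reasons.append(LINK_LOCAL)
    if d.is_multicast:  # ff00::/8
        reasons.append(MULTICAST_DST)
    return reasons


def expected_syslog(reasons):
    """Per the entry: 106016 for identical addresses, otherwise no syslog."""
    return "106016" if SAME_ADDR in reasons else None


def triage(packets):
    """Group matching packets by source MAC so the sending host can be found."""
    by_mac = {}
    for mac, src, dst in packets:
        reasons = slowpath_drop_reasons(src, dst)
        if reasons:
            hit = (src, dst, reasons, expected_syslog(reasons))
            by_mac.setdefault(mac, []).append(hit)
    return by_mac


# Constructed sample rows (source MAC, source IPv6, destination IPv6), as if
# exported from a capture; documentation-range values, not real hosts.
SAMPLE = [
    ("00:00:5e:00:53:01", "2001:db8:1::10", "2001:db8:1::10"),
    ("00:00:5e:00:53:02", "fe80::1", "2001:db8:2::20"),
    ("00:00:5e:00:53:02", "2001:db8:1::11", "ff02::1"),
    ("00:00:5e:00:53:03", "2001:db8:1::12", "2001:db8:2::20"),
]

if __name__ == "__main__":
    for mac, hits in triage(SAMPLE).items():
        for src, dst, reasons, syslog in hits:
            print(mac, src, "->", dst, reasons, "syslog:", syslog)
```

A source MAC that recurs across several reasons points to one misconfigured or misbehaving host on the segment rather than to scattered noise.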
----------------------------------------------------------------
Name: ipv6-eh-inspect-failed
IPv6 extension header is detected and denied:
This counter is incremented and the packet is dropped when the appliance receives an IPv6
packet but the extension header could not be inspected because memory allocation failed.
Recommendation:
Check 'show memory' output to make sure the appliance has enough memory to operate.
Syslogs:
None
----------------------------------------------------------------
Name: ipv6-bad-eh
Bad IPv6 extension header is detected and denied:
This counter is incremented and the packet is dropped when the appliance receives an IPv6
packet with a bad extension header.
Recommendation:
Check 'verify-header type' of 'parameters' in 'policy-map type ipv6'. Remove
'verify-header type' if the header conformance can be skipped.
Syslogs:
325005
----------------------------------------------------------------
Name: ipv6-bad-eh-order