Cisco ASA 5510 Adaptive Security Appliance Leaflet

Cisco ASA Series Command Reference, S Commands
  
3      show as-path-access-list through show auto-update Commands
  show asp drop
Flow Drop Reasons
----------------------------------------------------------------
Name: tunnel-torn-down
Tunnel has been torn down:
    This counter will increment when the appliance receives a packet associated with an 
established flow whose IPsec security association is in the process of being deleted.
Recommendation:
    This is a normal condition when the IPsec tunnel is torn down for any reason.
Syslogs:
    None
----------------------------------------------------------------
Name: no-ipv6-ipsec
IPsec over IPv6 unsupported:
    This counter will increment when the appliance receives an IPsec ESP packet, IPsec 
NAT-T ESP packet or an IPsec over UDP ESP packet encapsulated in an IP version 6 header.  
The appliance does not currently support any IPsec sessions encapsulated in IP version 6.
Recommendation:
    None
Syslogs:
    None
----------------------------------------------------------------
Name: tunnel-pending
Tunnel being brought up or torn down:
    This counter will increment when the appliance receives a packet matching an entry in 
the security policy database (i.e. crypto map) but the security association is in the 
process of being negotiated; it’s not complete yet.
    This counter will also increment when the appliance receives a packet matching an 
entry in the security policy database but the security association has been or is in the 
process of being deleted. The difference between this indication and the 'Tunnel has been 
torn down' indication is that the 'Tunnel has been torn down' indication is for 
established flows.
Recommendation:
    This is a normal condition when the IPsec tunnel is in the process of being negotiated 
or deleted.
Syslogs:
    None
----------------------------------------------------------------
Name: need-ike
Need to start IKE negotiation:
    This counter will increment when the appliance receives a packet which requires 
encryption but has no established IPsec security association. This is generally a normal 
condition for LAN-to-LAN IPsec configurations. This indication will cause the appliance to 
begin ISAKMP negotiations with the destination peer.
Recommendation:
    If you have configured IPsec LAN-to-LAN on your appliance, this indication is normal 
and does not indicate a problem.  However, if this counter increments rapidly it may 
indicate a crypto configuration error or network error preventing the ISAKMP negotiation 
from completing.
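
The need-ike recommendation above depends on how fast the counter grows, so a single reading is not enough and two snapshots have to be compared. The following is an added example, not part of the Cisco reference: it parses the "Flow drop:" section of two `show asp drop` captures and classifies each changed reason according to the recommendations above. The snapshot text is constructed, the `description (name) count` line layout is assumed, and the 30-per-minute need-ike threshold is a placeholder to tune per site.

```python
import re

COUNTER = re.compile(r"^\s+.*\((?P<name>[a-z0-9_-]+)\)\s+(?P<count>\d+)\s*$")
NORMAL = {"tunnel-torn-down", "tunnel-pending"}  # always normal per the text above

def parse_flow_drops(text):
    """{name: count} from 'Flow drop:'; assumes '<description> (<name>) <count>' lines."""
    counters, in_flow = {}, False
    for line in text.splitlines():
        header = line.strip().lower()
        if header.endswith("drop:"):
            in_flow = header == "flow drop:"
            continue
        m = COUNTER.match(line)
        if in_flow and m:
            counters[m["name"]] = int(m["count"])
    return counters

def review(before, after, seconds, need_ike_per_min=30.0):
    """(delta, verdict) per changed reason; the threshold is an assumed site value."""
    old, new = parse_flow_drops(before), parse_flow_drops(after)
    findings = {}
    for name, count in new.items():
        delta = count - old.get(name, 0)
        delta = count if delta < 0 else delta  # counters were cleared in between
        if delta == 0:
            continue
        if name == "need-ike" and delta * 60 / seconds > need_ike_per_min:
            verdict = "investigate"  # rapid increments: check crypto config and path
        elif name in NORMAL or name == "need-ike":
            verdict = "normal"
        else:
            verdict = "no-guidance"  # e.g. no-ipv6-ipsec: recommendation is "None"
        findings[name] = (delta, verdict)
    return findings

# Constructed sample snapshots (not real device output), taken 300 seconds apart.
BEFORE = """Flow drop:
  Need to start IKE negotiation (need-ike)                     40
  Tunnel being brought up or torn down (tunnel-pending)         7
"""
AFTER = """Frame drop:
  Flow is denied by configured rule (acl-drop)                150
Flow drop:
  Need to start IKE negotiation (need-ike)                    940
  Tunnel being brought up or torn down (tunnel-pending)         7
  Tunnel has been torn down (tunnel-torn-down)                  3
  IPsec over IPv6 unsupported (no-ipv6-ipsec)                   2
"""
```

Calling `review(BEFORE, AFTER, 300)` flags need-ike for investigation because it grew by 900 in five minutes, while the same growth spread over an hour stays under the assumed threshold.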