Cisco ASA 5510 Adaptive Security Appliance Brochure
Cisco ASA Series Command Reference, S Commands
Chapter 3: show as-path-access-list through show auto-update Commands
show asp drop
No action is required. The media session is created by Inspect SIP or Skinny when the
IP address is parsed as part of the signaling exchange. Debug the signaling messages to
figure out the cause.
Syslogs:
None.
----------------------------------------------------------------
Name: inspect-srtp-no-remote-phone-proxy-ip
Inspect SRTP Remote Phone Proxy IP not populated:
This counter will increment when the remote phone proxy IP is not populated.
Recommendation:
No action is required. The remote phone proxy IP address is populated from the
signaling exchange. If the error persists, debug the signaling messages to figure out
whether the ASA is seeing all the signaling messages.
Syslogs:
None.
----------------------------------------------------------------
Name: inspect-srtp-client-port-not-present
Inspect SRTP client port wildcarded in media session:
This counter will increment when the client port is not populated in the media session.
Recommendation:
No action is required. The client port is populated dynamically when the media stream
comes in from the client. Capture the media packets to see if the client is sending media
packets.
Syslogs:
None.
----------------------------------------------------------------
Name: ipsec-need-sa
IPsec SA not negotiated yet:
This counter will increment when the appliance receives a packet which requires
encryption but has no established IPsec security association. This is generally a normal
condition for LAN-to-LAN IPsec configurations. This indication will cause the appliance to
begin ISAKMP negotiations with the destination peer.
Recommendation:
If you have configured IPsec LAN-to-LAN on your appliance, this indication is normal
and doesn't indicate a problem. However, if this counter increments rapidly it may
indicate a crypto configuration error or network error preventing the ISAKMP negotiation
from completing. Verify that you can communicate with the destination peer and verify your
crypto configuration via the 'show running-config' command.
Syslogs:
None.
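Since no syslog is generated for ipsec-need-sa, the "increments rapidly" condition has to be measured from two 'show asp drop' snapshots. The following is an added example, not Cisco code: the line shape it parses, the snapshot text and the 30-per-minute threshold are assumptions to adjust for your own appliance.

```python
import re

# Assumed line shape in 'show asp drop' output: "  <description> (<counter-name>)  <count>"
COUNTER_RE = re.compile(r"^\s+.*\((?P<name>[a-z0-9-]+)\)\s+(?P<count>\d+)\s*$")

# Constructed snapshots taken 300 seconds apart (not real device output).
SNAPSHOT_T0 = """Frame drop:
  Flow is denied by configured rule (acl-drop)                 41
  IPsec SA not negotiated yet (ipsec-need-sa)                  12

Last clearing: Never
"""
SNAPSHOT_T1 = """Frame drop:
  Flow is denied by configured rule (acl-drop)                 47
  IPsec SA not negotiated yet (ipsec-need-sa)                 312

Last clearing: Never
"""

def parse_asp_drop(text):
    """Return {counter-name: count}; section headers and other lines are skipped."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m["name"]] = counters.get(m["name"], 0) + int(m["count"])
    return counters

def rate_per_minute(before, after, seconds, name="ipsec-need-sa"):
    """Increments per minute between snapshots; None if the counter went backwards."""
    old, new = before.get(name, 0), after.get(name, 0)
    if new < old:  # counters were cleared or the appliance reloaded in between
        return None
    return (new - old) * 60.0 / seconds

def assess(before_text, after_text, seconds, threshold=30.0):
    """Classify the ipsec-need-sa trend; threshold (per minute) is an assumed value."""
    rate = rate_per_minute(parse_asp_drop(before_text),
                           parse_asp_drop(after_text), seconds)
    if rate is None:
        return "counters-cleared", None
    return ("investigate" if rate > threshold else "normal"), rate

if __name__ == "__main__":
    status, rate = assess(SNAPSHOT_T0, SNAPSHOT_T1, seconds=300)
    print(f"ipsec-need-sa: {status} ({rate} increments/min)")
```

An "investigate" result is the cue to follow the recommendation above: check reachability of the peer and review the crypto configuration.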
----------------------------------------------------------------
Name: ipsec-spoof
IPsec spoof detected:
This counter will increment when the appliance receives a packet which should have
been encrypted but was not. The packet matched the inner header security policy check of a
configured and established IPsec connection on the appliance but was received unencrypted.
This is a security issue.
Recommendation: