Cisco Cisco ASA 5580 Adaptive Security Appliance Fascicule
3-26
思科 ASA 系列命令参考,S 命令
第 3 章 show as-path-access-list 至 show auto-update 命令
show asp drop
Recommendations:
In order to allow such packet, use the window-variation configuration under tcp-map.
Syslogs:
None
----------------------------------------------------------------
Name: rate-exceeded
QoS rate exceeded:
This counter is incremented when rate-limiting (policing) is configured on an
egress/ingress interface and the egress/ingress traffic rate exceeds the burst rate
configured.The counter is incremented for each packet dropped.
Recommendation:
Investigate and determine why the rate of traffic leaving/entering the interface is
higher than the configured rate.This may be normal, or could be an indication of virus or
attempted attack.
Syslogs:
None.
----------------------------------------------------------------
Name: queue-removed
Rate-limiter queued packet dropped:
When QoS config is changed or removed, the existing packets in the output queues
awaiting transmission are dropped and this counter is incremented.
Recommendation:
Under normal conditions, this may be seen when the QoS configuration has been changed
by the user.If this occurs when no changes to QoS config were performed, please contact
Cisco Technical Assistance Center (TAC).
Syslogs:
None.
----------------------------------------------------------------
Name: bad-crypto
Bad crypto return in packet:
This counter will increment when the appliance attempts to perform a crypto operation
on a packet and the crypto operation fails.This is not a normal condition and could
indicate possible software or hardware problems with the appliance
Recommendation:
If you are receiving many bad crypto indications your appliance may need servicing.You
should enable syslog 402123 to determine whether the crypto errors are hardware or
software errors.You can also check the error counter in the global IPsec statistics with
the 'show ipsec stats' CLI command.If the IPsec SA which is triggering these errors is
known, the SA statistics from the 'show ipsec sa detail' command will also be useful in
diagnosing the problem.
Syslogs:
402123
----------------------------------------------------------------
Name: ctm-error
CTM returned error:
This counter will increment when the appliance attempts to perform a crypto operation
on a packet and the crypto operation fails.This is not a normal condition and could
indicate possible software or hardware problems with the appliance.