Cisco ASA 5510 Adaptive Security Appliance Leaflet
Cisco ASA Series Command Reference, S Commands
Chapter 3 show as-path-access-list through show auto-update Commands
show asp drop
This counter is incremented and the packet is dropped, as requested by the IPS module, when
the packet matches a signature on the IPS engine.
Recommendations:
Check syslogs and alerts on IPS module.
Syslogs:
420002
----------------------------------------------------------------
Name: ips-fail-close
IPS card is down:
This counter is incremented and the packet is dropped when the IPS card is down and
the fail-close option was used in IPS inspection.
Recommendations:
Check and bring up the IPS card.
Syslogs:
420001
----------------------------------------------------------------
Name: ips-fail
IPS config removed for connection:
This counter is incremented and the packet is dropped when the IPS configuration is not
found for a particular connection.
Recommendations:
Check if any configuration changes have been made for IPS.
Syslogs:
None
----------------------------------------------------------------
Name: ips-no-ipv6
Executing IPS software does not support IPv6:
This counter is incremented when an IPv6 packet, configured to be directed toward the IPS
SSM, is discarded since the software executing on the IPS SSM card does not support IPv6.
Recommendations:
Upgrade the IPS software to version 6.2 or later.
Syslogs:
None
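
Added example (not part of the Cisco reference): a Python helper that compares two snapshots of show asp drop output and, for the ips-fail-close, ips-fail and ips-no-ipv6 counters that grew in between, returns the recommendation and syslog ID listed in the entries above. The "description (name) count" line layout, the function names and both snapshots are assumptions constructed for illustration.

```python
import re

# Counter name -> (recommendation, syslog ID), taken from the entries above.
IPS_COUNTERS = {
    "ips-fail-close": ("Check and bring up the IPS card.", "420001"),
    "ips-fail": ("Check if any configuration changes have been made for IPS.", None),
    "ips-no-ipv6": ("Upgrade the IPS software to version 6.2 or later.", None),
}

# Assumed line layout: "<description> (<counter-name>)    <count>"
LINE_RE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")

# Constructed sample snapshots, taken some time apart.
SNAPSHOT_1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                     120
  IPS card is down (ips-fail-close)                                 40
"""
SNAPSHOT_2 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                     150
  IPS card is down (ips-fail-close)                                 95
  Executing IPS software does not support IPv6 (ips-no-ipv6)         7
"""

def parse_asp_drop(text):
    """Return {counter-name: count} for every counter line in the output."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # section headers such as "Frame drop:" do not match
            counters[m["name"]] = int(m["count"])
    return counters

def triage(before, after):
    """Report the IPS counters that increased between two snapshots."""
    old, new = parse_asp_drop(before), parse_asp_drop(after)
    findings = []
    for name, (advice, syslog) in IPS_COUNTERS.items():
        # Assumption: a counter absent from the output is treated as zero.
        delta = new.get(name, 0) - old.get(name, 0)
        if delta < 0:  # counters were cleared between the snapshots
            delta = new.get(name, 0)
        if delta > 0:
            findings.append({"counter": name, "delta": delta,
                             "recommendation": advice, "syslog": syslog})
    return findings
```

Calling triage(SNAPSHOT_1, SNAPSHOT_2) reports ips-fail-close with a delta of 55 and ips-no-ipv6 with a delta of 7; acl-drop is ignored because it is not one of the IPS counters.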
----------------------------------------------------------------
Name: l2_acl
FP L2 rule drop:
This counter will increment when the appliance denies a packet due to a layer-2 ACL.
By default, in routed mode the appliance will PERMIT:
1) IPv4 packets
2) IPv6 packets
3) ARP packets
4) L2 Destination MAC of FFFF:FFFF:FFFF (broadcast)
5) IPv4 MCAST packet with destination L2 of 0100:5E00:0000-0100:5EFE:FFFF
6) IPv6 MCAST packet with destination L2 of 3333:0000:0000-3333:FFFF:FFFF
By default, in transparent mode the appliance permits everything in the routed mode ACL and also PERMITS:
1) BPDU packets with destination L2 of 0100:0CCC:CCCD