Cisco Cisco ASA 5580 Adaptive Security Appliance Dépliant
3-44
思科 ASA 系列命令参考,S 命令
第 3 章 show as-path-access-list 至 show auto-update 命令
show asp drop
Syslogs:
None.
----------------------------------------------------------------
Name: telnet-not-permitted
Telnet not permitted on least secure interface:
This counter is incremented and packet is dropped when the appliance receives a TCP
SYN packet attempting to establish a TELNET session to the appliance and that packet was
received on the least secure interface.
Recommendation:
To establish a Telnet session to the appliance via the least secure interface, first
establish an IPsec tunnel to that interface and then connect the Telnet session over that
tunnel.
Syslogs:
402117
----------------------------------------------------------------
Name: ipv6-sp-security-failed
IPv6 slowpath security checks failed:
This counter is incremented and the packet is dropped for one of the following
reasons:
1) IPv6 through-the-box packet with identical source and destination address.
2) IPv6 through-the-box packet with linklocal source or destination address.
3) IPv6 through-the-box packet with multicast destination address.
Recommendation:
These packets could indicate malicious activity, or could be the result of a
misconfigured IPv6 host.Use the packet capture feature to capture type asp packets, and
use the source MAC address to identify the source.
Syslogs:
For identical source and destination address, syslog 106016, else none.
----------------------------------------------------------------
Name: ipv6-eh-inspect-failed
IPv6 extension header is detected and denied:
This counter is incremented and packet is dropped when the appliance receives a IPv6
packet but extension header could not be inspected due to memory allocation failed.
Recommendation:
Also check 'show memory' output to make sure appliance has enough memory to operate.
Syslogs:
None
----------------------------------------------------------------
Name: ipv6-bad-eh
Bad IPv6 extension header is detected and denied:
This counter is incremented and packet is dropped when the appliance receives a IPv6
packet with bad extension header.
Recommendation:
Check 'verify-header type' of 'parameters' in 'policy-map type ipv6'. Remove
'verify-header type' if the header conformance can be skipped.
Syslogs:
325005