Cisco ASA 5510 Adaptive Security Appliance Leaflet
Cisco ASA Series Command Reference, S Commands
Chapter 3 show as-path-access-list through show auto-update Commands
show asp drop
When not on the same interface as the host undergoing NAT, use the mapped address
instead of the real address to connect to the host. Also, enable the appropriate inspect
command if the application embeds an IP address.
Syslogs:
305005
----------------------------------------------------------------
Name: inspect-fail
Inspection failure:
This counter will increment when the appliance fails to enable protocol inspection
carried out by the NP for the connection. The cause could be memory allocation failure, or
for an ICMP error message, the appliance not being able to find any established connection
related to the frame embedded in the ICMP error message.
Recommendation:
Check system memory usage. For an ICMP error message, if the cause is an attack, you can
deny the host using the ACLs.
Syslogs:
313004 for ICMP error.
----------------------------------------------------------------
Name: no-inspect
Failed to allocate inspection:
This counter will increment when the security appliance fails to allocate a run-time
inspection data structure upon connection creation. The connection will be dropped.
Recommendation:
This error condition is caused when the security appliance runs out of system memory.
Please check the current available free memory by executing the "show memory" command.
Syslogs:
None
----------------------------------------------------------------
Name: reset-by-ips
Flow reset by IPS:
This reason is given for terminating a TCP flow as requested by the IPS module.
Recommendations:
Check syslogs and alerts on the IPS module.
Syslogs:
420003
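
The three flow-drop entries above (inspect-fail, no-inspect, reset-by-ips) can be triaged by comparing two captures of the drop counters and attaching the syslog ID and recommendation listed for each. This is an added example, not Cisco code; the line layout "description (counter-name) count", the sample captures, and the function names are assumptions made for illustration.

```python
import re

# Syslog ID and recommendation per counter, taken from the entries above.
# 313004 applies to the ICMP error case only; no-inspect has no syslog.
GUIDE = {
    "inspect-fail": ("313004", "check system memory usage; for ICMP errors "
                     "caused by an attack, deny the host using ACLs"),
    "no-inspect": (None, "check free memory with 'show memory'"),
    "reset-by-ips": ("420003", "check syslogs and alerts on the IPS module"),
}

# Assumed layout of a counter line: "  <description> (<name>)   <count>"
LINE = re.compile(r"^\s+.*\((?P<name>[a-z0-9-]+)\)\s+(?P<count>\d+)\s*$")

def parse_counters(text):
    """Return {counter-name: count} for every counter line in a capture."""
    counters = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("count"))
    return counters

def triage(before, after):
    """List (name, increase, syslog, action) for counters that grew."""
    old, new = parse_counters(before), parse_counters(after)
    findings = []
    for name, count in new.items():
        prev = old.get(name, 0)
        # Counters are cumulative. A smaller value means they were cleared
        # or the unit reloaded, so the whole new value counts as growth.
        delta = count - prev if count >= prev else count
        if delta > 0 and name in GUIDE:
            findings.append((name, delta) + GUIDE[name])
    return sorted(findings, key=lambda f: -f[1])

# Constructed sample captures, not output from a real appliance.
SNAP_1 = """Flow drop:
  Inspection failure (inspect-fail)                          40
  Failed to allocate inspection (no-inspect)                  2
  Flow reset by IPS (reset-by-ips)                           15
"""
SNAP_2 = """Flow drop:
  Inspection failure (inspect-fail)                         190
  Failed to allocate inspection (no-inspect)                  2
  Flow reset by IPS (reset-by-ips)                           18
"""

if __name__ == "__main__":
    for name, delta, syslog, action in triage(SNAP_1, SNAP_2):
        print(f"{name}: +{delta}, syslog {syslog or 'none'}: {action}")
```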
----------------------------------------------------------------
Name: flow-reclaimed
Non-tcp/udp flow reclaimed for new request:
This counter is incremented when a reclaimable flow is removed to make room for a new
flow. This occurs only when the number of flows through the appliance equals the maximum
number permitted by the software-imposed limit, and a new flow request is received. When
this occurs, if the number of reclaimable flows exceeds the number of VPN tunnels
permitted by the appliance, then the oldest reclaimable flow is removed to make room for
the new flow. All flows except the following are deemed to be reclaimable:
1. TCP, UDP, GRE and Failover flows
2. ICMP flows if ICMP stateful inspection is enabled
3. ESP flows to the appliance
Recommendation: