Cisco Cisco ASA 5510 Adaptive Security Appliance 产品宣传页
3-18
Cisco ASA Series 명령 참조 , S 명령
3장 show as-path-access-list through show auto-update 명령
show asp drop
----------------------------------------------------------------
Name: unable-to-add-flow
Flow hash full:
This counter is incremented when a newly created flow is inserted into flow hash table
and the insertion failed because the hash table was full. The flow and the packet are
dropped. This is different from counter that gets incremented when maximum connection
limit is reached.
Recommendation:
This message signifies lack of resources on the device to support an operation that
should have been successful. Please check if the connections in the 'show conn' output
have exceeded their configured idle timeout values. If so, contact the Cisco Technical
Assistance Center (TAC).
Syslogs:
None.
----------------------------------------------------------------
Name: np-sp-invalid-spi
Invalid SPI:
This counter will increment when the appliance receives an IPsec ESP packet addressed
to the appliance which specifies a SPI (security parameter index) not currently known by
the appliance.
Recommendation:
Occasional invalid SPI indications are common, especially during rekey processing.
Many invalid SPI indications may suggest a problem or DoS attack. If you are experiencing
a high rate of invalid SPI indications, analyze your network traffic to determine the
source of the ESP traffic.
Syslogs:
402114
----------------------------------------------------------------
Name: unsupport-ipv6-hdr
Unsupported IPv6 header:
This counter is incremented and the packet is dropped if an IPv6 packet is received
with an unsupported IPv6 extension header. The supported IPv6 extension headers are: TCP,
UDP, ICMPv6, ESP, AH, Hop Options, Destination Options, and Fragment. The IPv6 routing
extension header is not supported, and any extension header not listed above is not
supported. IPv6 ESP and AH headers are supported only if the packet is through-the-box.
To-the-box IPv6 ESP and AH packets are not supported and will be dropped.
Recommendation:
This error may be due to a misconfigured host. If this error occurs repeatedly or in
large numbers, it could also indicate spurious or malicious activity such as an attempted
DoS attack.
Syslogs:
None.
----------------------------------------------------------------
Name: tcp-not-syn
First TCP packet not SYN:
Received a non SYN packet as the first packet of a non intercepted and non nailed
connection.
Recommendation: