show asp drop
To debug packets or connections dropped by the accelerated security path, use the show asp drop command in privileged EXEC mode.
show asp drop [ flow [ flow_drop_reason ] | frame [ frame_drop_reason ] ]
Syntax Description

| Argument | Description |
|---|---|
| flow flow_drop_reason | (Optional) Shows dropped flows (connections). You can specify a particular reason by using the flow_drop_reason argument. Use ? to see a list of possible flow drop reasons. |
| frame frame_drop_reason | (Optional) Shows dropped packets. You can specify a particular reason by using the frame_drop_reason argument. Use ? to see a list of possible frame drop reasons. |
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command.

| Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
|---|---|---|---|---|---|
| Privileged EXEC | Yes | Yes | Yes | Yes | Yes |
Command History

| Release | Modification |
|---|---|
| 7.0(1) | This command was added. |
| 7.0(8)/7.2(4)/8.0(4) | The output now includes a timestamp indicating when the counters were last cleared (see the clear asp drop command). The drop reason keyword is also shown next to each description, so that you can easily use the capture asp-drop command with the associated keyword. |
Usage Guidelines
The show asp drop command shows the packets or connections dropped by the accelerated security path, which might help you troubleshoot a problem. See the general operations configuration guide for more information about the accelerated security path. This information is used for debugging purposes only, and the output is subject to change. Contact Cisco TAC if you need help debugging the system with this command.
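The practical workflow with this command is to take the output twice, see which counters moved, then search the syslog IDs the relevant entry below lists and capture the dropped frames with the keyword (capture <name> type asp-drop <keyword>). The following script automates the first two steps. It is an added example for this page, not Cisco code; the snapshot layout it parses (a "Frame drop:" / "Flow drop:" header, one "<description> (<keyword>) <count>" line per reason, and a "Last clearing:" line) is a constructed approximation of the ASA output, which the page says is subject to change, so verify the regular expression against a real device before relying on it. The two snapshots at the bottom are constructed sample data.

```python
"""Diff two 'show asp drop' snapshots and turn the movers into next steps.

Added example for this page, not Cisco code. The snapshot layout parsed
here is a constructed approximation of ASA output, which the page says is
subject to change; check the regex against a real device first.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Keyword -> syslog IDs this page lists for that drop reason (others: none).
SYSLOG_FOR_REASON = {
    "acl-drop": ("106023", "106100", "106004"),
    "bad-crypto": ("402123",),
    "bad-ipsec-prot": ("402115",),
    "conn-disallow": ("3201008",),
    "conn-limit": ("201011",),
    "embryonic-conn-limit": ("201011",),
    "ctm-error": ("402123",),
    "cxsc-fail-close": ("429001",),
    "cxsc-request": ("429002",),
}

_SECTION_RE = re.compile(r"^(?P<section>Frame|Flow) drop:\s*$")
_CLEAR_RE = re.compile(r"^Last clearing:\s*(?P<when>.+?)\s*$")
# Matches e.g. '  Flow is denied by configured rule (acl-drop)        1234'
_COUNTER_RE = re.compile(
    r"^\s+(?P<desc>.+?)\s+\((?P<keyword>[a-z0-9_-]+)\)\s+(?P<count>\d+)\s*$"
)


@dataclass(frozen=True)
class DropCounter:
    section: str      # "frame" or "flow"
    keyword: str      # usable as-is in: capture <name> type asp-drop <keyword>
    description: str
    count: int


def parse_asp_drop(text: str) -> tuple[dict[str, DropCounter], str | None]:
    """Return ({keyword: DropCounter}, 'Last clearing' text or None)."""
    counters: dict[str, DropCounter] = {}
    section: str | None = None
    last_clearing: str | None = None
    for line in text.splitlines():
        if m := _SECTION_RE.match(line):
            section = m.group("section").lower()
        elif m := _CLEAR_RE.match(line):
            last_clearing = m.group("when")
        elif section and (m := _COUNTER_RE.match(line)):
            kw = m.group("keyword")
            counters[kw] = DropCounter(section, kw, m.group("desc"), int(m.group("count")))
    return counters, last_clearing


def increases(before: dict[str, DropCounter], after: dict[str, DropCounter]) -> dict[str, int]:
    """Per-keyword growth between two snapshots. A counter that went down
    (clear asp drop ran in between) is reported as its new absolute value."""
    out: dict[str, int] = {}
    for kw, cur in after.items():
        prev = before.get(kw)
        inc = cur.count - prev.count if prev and prev.count <= cur.count else cur.count
        if inc > 0:
            out[kw] = inc
    return out


def triage(before_text: str, after_text: str) -> list[str]:
    """One line per moving counter, biggest first: section, keyword, growth,
    the syslog IDs to search for, and the capture command to run next."""
    before, _ = parse_asp_drop(before_text)
    after, _ = parse_asp_drop(after_text)
    lines = []
    for kw, inc in sorted(increases(before, after).items(), key=lambda kv: -kv[1]):
        c = after[kw]
        ids = ", ".join(SYSLOG_FOR_REASON.get(kw, ())) or "none"
        lines.append(
            f"{c.section}:{kw} +{inc} ({c.description}); syslogs: {ids}; "
            f"next: capture dropcap type asp-drop {kw}"
        )
    return lines


# Constructed sample snapshots (not real device output).
SNAPSHOT_T0 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                        1200
  Bad TCP flags (bad-tcp-flags)                                          3
  Dispatch queue limit reached (dispatch-queue-limit)                    0

Flow drop:
  Connection limit reached (conn-limit)                                 40

Last clearing: 10:00:00 UTC Jan 1 2024 by enable_15
"""

SNAPSHOT_T1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                        1350
  Bad TCP flags (bad-tcp-flags)                                        503
  Dispatch queue limit reached (dispatch-queue-limit)                    0

Flow drop:
  Connection limit reached (conn-limit)                                 41

Last clearing: 10:00:00 UTC Jan 1 2024 by enable_15
"""

if __name__ == "__main__":
    for line in triage(SNAPSHOT_T0, SNAPSHOT_T1):
        print(line)
```

On the sample data the script ranks bad-tcp-flags first (a jump of 500 in a counter that is normally near zero is a stronger signal than 150 more acl-drop hits on a busy firewall), which is the ordering an analyst wants: a sudden rise in malformed-packet counters points at scanning or an attack, while acl-drop growth is usually policy doing its job.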
The following sections give the name, description, and recommendations for each drop reason.
Frame Drop Reasons
a-module
Packet is unknown or traced:
This counter is incremented when the packet is blocked by an unknown preprocessor.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
acl-drop
Flow is denied by configured rule:
This counter is incremented when a drop rule is hit by the packet and gets dropped. This rule could be a default rule created when the box comes up, when various features are turned on or off, when an acl is applied to interface or any other feature etc. Apart from default rule drops, a packet could be dropped because of:
1) ACL configured on an interface
2) ACL configured for AAA and AAA denied the user
3) Thru-box traffic arriving at management-only ifc
4) Unencrypted traffic arriving on a ipsec-enabled interface
Recommendations:
Check whether one of the ACL cases listed above was triggered.
Syslogs:
106023, 106100, 106004
----------------------------------------------------------------
app-recv-queue-not-ready
Inspect Datapath peer index not ready:
This counter is incremented when the application receiving queue is not ready.
Recommendations:
This event happens only while the system is in a transient state, such as during boot or while Snort is starting or stopping.
Syslogs:
None.
----------------------------------------------------------------
appid
Blocked or blacklisted by the AppID preprocessor:
This counter is incremented and the packet is dropped as requested by the AppID preprocessor.
Recommendations:
Review the snort output in packet tracer or capture with trace enabled.
Syslogs:
None.
----------------------------------------------------------------
async-lock-queue-limit
Async lock queue limit exceeded:
Each async lock work queue has a limit of 1000 entries. When more SIP packets than that are dispatched to the work queue, the packets are dropped.
Recommendations:
Only SIP traffic can be dropped by this counter. SIP packets that share the same parent lock are queued into the same async lock queue, which can deplete blocks because a single core handles all of the media. If a SIP packet is queued when the async lock queue has already reached its limit, the packet is dropped.
Syslogs:
None.
----------------------------------------------------------------
back-orifice
Blocked or blacklisted by the back orifice preprocessor:
This counter is incremented and the packet is dropped as requested by the back orifice preprocessor.
Recommendations:
Review the snort output in packet tracer or capture with trace enabled.
Syslogs:
None.
----------------------------------------------------------------
backplane-channel-null
Backplane channel null:
The card backplane channel was NULL. This can happen when the channel was not initialized correctly and had to be closed. The ASA drops the packet.
Recommendations:
This should never happen. Contact Cisco TAC for assistance.
Syslogs:
None.
----------------------------------------------------------------
bad-crypto
Bad crypto return in packet:
This counter will increment when the appliance attempts to perform a crypto operation on a packet and the crypto operation fails. This is not a normal condition and could indicate possible software or hardware problems with the appliance.
Recommendations:
If you are receiving many bad crypto indications your appliance may need servicing. You should enable syslog 402123 to determine whether the crypto errors are hardware or software errors. You can also check the error counter in the global IPSec statistics with the 'show ipsec stats' CLI command. If the IPSec SA which is triggering these errors is known, the SA statistics from the 'show ipsec sa detail' command will also be useful in diagnosing the problem.
Syslogs:
402123
----------------------------------------------------------------
bad-ipsec-natt
BAD IPSec NATT packet:
This counter will increment when the appliance receives a packet on an IPSec connection which has negotiated NAT-T but the packet is not addressed to the NAT-T UDP destination port of 4500 or had an invalid payload length.
Recommendations:
Analyze your network traffic to determine the source of the NAT-T traffic.
Syslogs:
None
----------------------------------------------------------------
bad-ipsec-prot
IPSec not AH or ESP:
This counter will increment when the appliance receives a packet on an IPSec connection which is not an AH or ESP protocol. This is not a normal condition.
Recommendations:
If you are receiving many IPSec not AH or ESP indications on your appliance, analyze your network traffic to determine the source of the traffic.
Syslogs:
402115
----------------------------------------------------------------
bad-ipsec-udp
BAD IPSec UDP packet:
This counter will increment when the appliance receives a packet on an IPSec connection which has negotiated IPSec over UDP but the packet has an invalid payload length.
Recommendations:
Analyze your network traffic to determine the source of the NAT-T traffic.
Syslogs:
None
----------------------------------------------------------------
bad-tcp-cksum
Bad TCP checksum:
This counter is incremented and the packet is dropped when the appliance receives a TCP packet whose computed TCP checksum does not match the recorded checksum in TCP header.
Recommendations:
The packet corruption may be caused by a bad cable or noise on the line. It is also possible that a TCP endpoint is sending corrupted packets and an attack is in progress. Use the packet capture feature to learn more about the origin of the packet. To allow packets with an incorrect TCP checksum, disable the checksum-verification feature under tcp-map.
Syslogs:
None
----------------------------------------------------------------
bad-tcp-flags
Bad TCP flags:
This counter is incremented and the packet is dropped when the appliance receives a TCP packet with invalid TCP flags in the TCP header. For example, a packet with both the SYN and FIN flags set is dropped.
Recommendations:
The packet corruption may be caused by a bad cable or noise on the line. It is also possible that a TCP endpoint is sending corrupted packets and an attack is in progress. Use the packet capture feature to learn more about the origin of the packet.
Syslogs:
None
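The two checks described under bad-tcp-cksum and bad-tcp-flags are simple enough to reproduce on a raw packet, which is useful when you have a capture of the dropped frames and want to see which check they fail before blaming the cable. The following is an added example for this page, not ASA code. The page names exactly one invalid flag combination (SYN together with FIN); treating a segment with no flags at all, or with SYN together with RST, as invalid is this example's own assumption and says nothing about what the ASA does, and so is the order of the checks (flags first, then checksum). The packets are constructed by the helper at the bottom.

```python
"""Re-create the bad-tcp-cksum and bad-tcp-flags checks on a raw IPv4/TCP
packet. Added example for this page, not ASA code; the extra flag
combinations rejected below and the check order are assumptions.
"""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment, with the
    checksum field (bytes 16-17 of the TCP header) treated as zero."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~_ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def classify(packet: bytes) -> str:
    """Return 'ok' or the show asp drop keyword the packet would count under."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    src, dst = packet[12:16], packet[16:20]
    segment = packet[ihl:total_len]
    flags = segment[13]
    if flags & SYN and flags & FIN:                  # the case the page names
        return "bad-tcp-flags"
    if flags == 0 or (flags & SYN and flags & RST):  # assumption of this example
        return "bad-tcp-flags"
    recorded = struct.unpack("!H", segment[16:18])[0]
    if tcp_checksum(src, dst, segment) != recorded:
        return "bad-tcp-cksum"
    return "ok"


def build_packet(src: str, dst: str, sport: int, dport: int, flags: int,
                 *, corrupt_checksum: bool = False) -> bytes:
    """Constructed IPv4+TCP packet (no options, no payload; the IP header
    checksum is left at zero because classify() does not verify it). With
    corrupt_checksum the low bit of the correct TCP checksum is flipped, as
    line noise or a deliberately malformed packet might do."""
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    csum = tcp_checksum(s, d, tcp)
    if corrupt_checksum:
        csum ^= 0x0001
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, s, d)
    return ip + tcp


if __name__ == "__main__":
    cases = [("SYN", SYN, False), ("SYN+FIN", SYN | FIN, False), ("ACK, corrupted", ACK, True)]
    for name, flags, corrupt in cases:
        pkt = build_packet("10.0.0.1", "10.0.0.2", 40000, 443, flags, corrupt_checksum=corrupt)
        print(f"{name}: {classify(pkt)}")
```

Running the same classifier over the frames from a capture taken with the bad-tcp-cksum keyword separates two populations quickly: checksums off by a bit or two scattered across many hosts suggest a noisy link, while consistently wrong checksums from one source point at a host generating the packets itself.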
----------------------------------------------------------------
blks-export-lim
Frame dropped because more than 80% of blocks are consumed:
This counter is incremented and the packet is dropped when no more blocks can be exported.
Recommendations:
Check the old blocks to find out which user is holding them.
Syslogs:
None.
----------------------------------------------------------------
blks-export-lim-fp
Frame dropped because more than 80% of blocks are consumed:
This counter is incremented and the packet is dropped when no more blocks can be exported.
Recommendations:
Check the old blocks to find out which user is holding them.
Syslogs:
None.
----------------------------------------------------------------
blks-export-lim-inline-flow
Frame dropped because more than 80% of blocks are consumed:
This counter is incremented and the packet is dropped when no more blocks can be exported.
Recommendations:
Check the old blocks to find out which user is holding them.
Syslogs:
None.
----------------------------------------------------------------
blks-export-lim-no-app-info
Frame dropped because more than 80% of blocks are consumed:
This counter is incremented and the packet is dropped when no more blocks can be exported.
Recommendations:
Check the old blocks to find out which user is holding them.
Syslogs:
None.
----------------------------------------------------------------
block-no-prepend
Module does not have enough space to insert header:
This counter will increment when there is not enough space before the packet data to prepend a header in order to put the packet onto the network.
Recommendations:
This indicates a software error that should be reported to Cisco TAC.
Syslogs:
None.
----------------------------------------------------------------
bvi-missing-nameif
Bridge interface missing nameif:
This counter will be incremented when the ingress interface belongs to a bridge group and the packet leaves through an interface that belongs to a different bridge group, or through a Layer 3 interface, while no nameif is configured on the ingress BVI interface.
Recommendations:
For traffic to leave the BVI interface, nameif has to be configured on the ingress BVI interface.
Syslogs:
None
----------------------------------------------------------------
bvi-unsupported-packet
Unsupported packet on Bridge interface:
This counter will be incremented when the unsupported packets are punted on BVI interface.
Recommendations:
Analyze the packets to determine the source of the unsupported packets that are being punted on the BVI interface.
Syslogs:
None
----------------------------------------------------------------
captive-portal
Blocked or blacklisted by the captive portal preprocessor:
This counter is incremented and the packet is dropped as requested by the captive portal preprocessor.
Recommendations:
Review the snort output in packet tracer or capture with trace enabled.
Syslogs:
None.
----------------------------------------------------------------
channel-closed
Data path channel closed:
This counter is incremented when the data path channel is closed before a packet is attempted to be sent through it.
Recommendations:
This is normal in a multi-processor system when one processor closes the channel (for example, through the CLI) while another processor tries to send a packet through it.
Syslogs:
None
----------------------------------------------------------------
cluster-app-no-forward
Application packet not allowed to be forwarded:
Some applications might have problems if their packets are forwarded.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-bad-ifc-goid-in-trailer
Failed to find ifc from goid in the trailer:
The goid extracted from the trailer does not yield a valid real ifc.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-bad-tp-pkt
Failed to fetch the transport layer header of the packet:
Fetching the transport layer header of the packet failed.
This happens when the TTL is 254 and one of the following conditions is true:
1. Clustering is disabled.
2. The packet is not UDP.
3. The destination port is not 4193.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-bad-trailer
Failed to fetch the trailer of the packet:
Fetching the trailer of the packet failed.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-bad-trailer-tlv
Cluster CCL packet trailer has incorrect tlv:
Packet received on the Cluster CCL interface has incorrect trailer tlv option.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-ccl-backup
Cluster CCL backup:
A Cluster data packet was received over CCL on a backup unit, when it should have been received on the owner+director unit.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-ccl-bad-unxlate-redirect
Cluster member dropped an unexpected NAT untranslate redirect packet from peer:
Dynamic PAT pool owner received a NAT untranslate packet from peer. However it matches a director stub flow.
Recommendations:
This counter reflects a temporary condition after a cluster member failure. However, if this counter increments continuously, a timing issue may have caused the error. Contact Cisco Systems in that case.
Syslogs:
None.
----------------------------------------------------------------
cluster-ccl-bad-unxlate-redirect-backup
Cluster member dropped an unexpected NAT untranslate redirect packet from peer:
Dynamic PAT pool owner received a NAT untranslate packet from peer. However it matches a backup stub flow.
Recommendations:
This counter reflects a temporary condition after a cluster member failure. However, if this counter increments continuously, a timing issue may have caused the error. Contact Cisco Systems in that case.
Syslogs:
None.
----------------------------------------------------------------
cluster-ccl-cfull-sent
CLU FULL sent:
A Cluster data packet was received over CCL and full flow is built on a new owner. This packet is no longer needed.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-ccl-unknown
Cluster CCL unknown role:
A Cluster data packet was received over CCL and no matching flow is found, and unit has unknown role.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-ccl-unknown-stub
Cluster CCL unknown stub:
A Cluster data packet was received over CCL and a matching stub flow found, but unit has unknown role.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-data-node-data-ifc-not-ready
The cluster data interfaces of the data node unit are not ready (some data interfaces are in a different state than on the control node):
For a Layer 3 interface that is not management-only, the data node cannot own connections on that interface until its data interfaces are ready, so packets that the data node would need to own are dropped. From-the-box packets are also dropped before the data node's data interfaces are ready. This drop no longer occurs once the data node's data interfaces are ready and the data node has fully joined the cluster.
Recommendations:
This counter is informational and the behavior is expected. The packet is dropped.
Syslogs:
None.
----------------------------------------------------------------
cluster-data-node-ignored
Flow matched a cluster drop-on-data node classify rule:
A multicast routing packet was received on a Layer 3 cluster interface and the unit was a data node. Only the control node is permitted to process these packets.
Recommendations:
This counter is informational and the behavior is expected. The packet is processed by the control node.
Syslogs:
None.
----------------------------------------------------------------
cluster-dir-flow-create-fail
Cluster director failed to create director flow:
Director is trying to create a stub flow but failed due to a resource limitation. The resource limitations are:
1) system memory
2) packet block extension memory
3) system connection limit
Causes 1 and 2 will occur simultaneously with the flow drop reason "No memory to complete flow".
Recommendations:
- Observe if free system memory is low.
- Observe if flow drop reason "No memory to complete flow" occurs.
- Observe if connection count reaches the system connection limit with the command "show resource usage".
Syslogs:
None
----------------------------------------------------------------
cluster-dir-invalid-ifc
Cluster director has packet with invalid ingress/egress interface:
Cluster director has processed a previously queued packet with invalid ingress and/or egress interface. This is a result of interface removal (through CLI) before the packet can be processed.
Recommendations:
This counter is informational and the behavior is expected. The packet is dropped.
Syslogs:
None.
----------------------------------------------------------------
cluster-dir-nat-changed
Cluster director NAT action changed:
Cluster director NAT action has changed due to a NAT policy change, update, or expiration before the queued CCL data packet could be processed.
Recommendations:
This counter is informational and the behavior is expected. The packet is dropped.
Syslogs:
None.
----------------------------------------------------------------
cluster-dispatch-queue-fail
Cluster failed to enqueue into global dispatch work queue:
A forwarded data packet failed to enqueue into global dispatch work queue.
Recommendations:
This could be an internal software error. Contact the reseller from which you purchased the product.
Syslogs:
None.
----------------------------------------------------------------
cluster-early-sec-chk-fail
Cluster early security check has failed:
Director applied early security check has failed due to ACL, WCCP redirect, TCP-intercept or IP option.
Recommendations:
This counter is informational and the behavior is expected. The packet is dropped.
Syslogs:
None.
----------------------------------------------------------------
cluster-forward-error
Cluster member failed to send data packet over CCL:
Cluster member failed to transmit control packet over the CCL link.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-frag-error
The fragment is not formatted correctly:
The fragment is not formatted correctly and cannot be processed, or forwarding it to the fragment owner failed.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-frag-owner-query-error
Cluster fragment failed to query flow director for flow owner:
A failure either when forwarding first fragment to flow director or fragment chain reinsert failure.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-invalid-owner
Cluster invalid owner:
A Cluster data packet was received when the owner is not in the cluster.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-invalid-pkt
Cluster rcvd invalid packet:
An invalid cluster packet was received.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-ip-version-error
IP version mismatch between layer-2 and layer-3 headers:
The IP protocol versions in the layer-2 and layer-3 headers do not match.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-no-msgp
Cluster unit is out of message descriptor:
Cluster may be oversubscribed because cluster is under high pressure to send out cluster logic update (CLU) message.
Recommendations:
This behavior is expected as cluster is oversubscribed and is under high pressure to send out cluster logic update (CLU) message. Please avoid oversubscribing the cluster.
Syslogs:
None.
----------------------------------------------------------------
cluster-non-ip-pkt
Layer 3 protocol of the packet is not IP:
The packet is not IPv4, IPv6 or an ARP packet.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-non-owner-ignored
Flow matched a cluster drop-on-non-owner classify rule:
A multicast data packet was received on a L3 cluster interface when the unit was not an elected owner unit. Only an elected owner unit is permitted to process these packets.
Recommendations:
This counter is informational and the behavior expected. The packet is processed by one elected owner unit.
Syslogs:
None.
----------------------------------------------------------------
cluster-not-owner
Cluster not owner:
A Cluster data packet was received without a flow.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-not-supported
Cluster not supported:
Cluster not supported on this platform.
Recommendations:
Remove the cluster configuration.
Syslogs:
None.
----------------------------------------------------------------
cluster-owner-update
Cluster owner update:
A Cluster data packet was received updating the flow owner.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-peer-mcast-ignored
Flow matched a cluster peer mcast data traffic classify rule:
A multicast data packet was received on a L3 cluster interface when it is from a cluster peer unit corresponding interface. This is a packet flooded back from L3 subnet.
Recommendations:
This counter is informational and the behavior expected. The packet has been forwarded out of the cluster and should be ignored by cluster.
Syslogs:
None.
----------------------------------------------------------------
cluster-queued-ccl-unknown
Cluster CCL unknown stub:
A queued cluster data packet received over ccl was processed but unit has unknown role.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-semi-scale-not-ready
Semi scalable owner flow is not ready yet:
Bulk sync has not elected a valid new owner for this semi-scalable flow yet.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-stub-to-full
Cluster stub to full flow:
A Cluster packet was received on director, stub flow was converted to full flow. Drop this packet and wait for retransmission.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-stub-uninterested
Cluster stub uninterested:
A Cluster data packet was received when there is no owner or director.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-tp-sender-myself
DP message over CCL from a unit with same ID as myself:
The sender information in the transport header indicates that the sender is myself, which could happen if two clusters (with overlapping IDs) exist on the same network segment.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-tp-version-incompatible
The packet contains an incompatible transport protocol:
The transport header of the packet carries a transport protocol that is not compatible with this unit.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-ttl-expired
TTL of the packet has expired:
Maximum TTL value has exceeded for this packet.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-ttl-invalid
TTL of the packet is invalid:
The TTL value of the packet is not a valid value.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-vpn-fwdr-flow-reset
Cluster VPN forwarder flow reset:
An ESP packet was received when the cluster node is no longer the owner. The packet is dropped and a notification is sent to the sender to reset its forwarding flow. This can happen during cluster redistribution.
Recommendations:
This counter is informational and has no functional impact. The packet is dropped.
Syslogs:
None.
----------------------------------------------------------------
cmd-invalid-encap
Invalid CMD (Cisco Metadata) encapsulation:
This counter is incremented when the security appliance receives a CMD packet with an invalid header field. The packet is dropped.
Valid SGT ranges:
- Valid SGT: 1 to 65533
- SGT 0: reserved for the "Unknown" security group
Recommendations:
1. Verify that directly connected CMD-capable devices have a correct CMD configuration and use valid SGT values (1 to 65533).
2. Use a packet capture to examine the CMD header of the dropped packets.
Syslogs:
None.
----------------------------------------------------------------
conn-disallow
Connection disallowed:
This counter is incremented when a connection-disallow event is configured. The packet is dropped.
Recommendations:
- Check the state of the TCP syslog host.
- If the TCP syslog host is not connected, configure logging permit-hostdown to allow new connections.
Syslogs:
3201008
----------------------------------------------------------------
conn-limit
Connection limit reached:
This reason is given for dropping a packet because the connection limit or host connection limit was exceeded. If this is a TCP packet that is dropped during the TCP connection establishment phase due to the connection limit, the drop reason 'TCP connection limit reached' is also reported.
Recommendations:
If this is incrementing rapidly, check the syslogs to determine which host's connection limit is reached. The connection limit may need to be increased if the traffic is legitimate, or the host may be under attack.
Syslogs:
201011
----------------------------------------------------------------
connection-lock
Connection locking failed:
While the packet was waiting for processing, the flow that would have been used was destroyed.
Recommendations:
This message can occur when a user interface command removes a connection on a device that is actively processing packets. Otherwise, investigate the flow drop counters; this message may also occur if flows were forcibly dropped because of an error.
Syslogs:
None.
----------------------------------------------------------------
connection-q-expired
Expired flow:
This counter is incremented when the security appliance tries to inject a new or cached packet belonging to a flow that has already expired. It is also incremented when the appliance attempts to send a RST on a TCP flow that has already expired, or when a packet returns from the IDS blade but the flow has already expired. The packet is dropped.
Recommendations:
If valid applications are getting pre-empted, investigate if a longer timeout is needed.
Syslogs:
None.
----------------------------------------------------------------
cp-event-queue-error
CP event queue error:
This counter is incremented when a CP event queue enqueue attempt has failed because the queue length was exceeded. This queue is used by the data path to punt packets to the control point for additional processing. This condition can occur only in a multi-processor environment. The module that attempted to enqueue the packet may issue its own packet-specific drop in response to this error.
Recommendations:
While this error does indicate a failure to completely process a packet, it may not adversely affect the connection. If the condition persists or connections are adversely affected, contact the Cisco Technical Assistance Center (TAC).
Syslogs:
None
----------------------------------------------------------------
cp-syslog-event-queue-error
CP syslog event queue error:
This counter is incremented when a CP syslog event queue enqueue attempt has failed because the queue length was exceeded. This queue is used by the data path to punt logging events to the control point when logging destinations other than a UDP server are configured. This condition can occur only in a multi-processor environment.
Recommendations:
While this error does indicate a failure to completely process a logging event, logging to UDP servers should not be affected. If the condition persists, consider lowering the logging level and/or removing logging destinations, or contact the Cisco Technical Assistance Center (TAC).
Syslogs:
None
----------------------------------------------------------------
ctm-error
CTM returned error:
This counter will increment when the appliance attempts to perform a crypto operation on a packet and the crypto operation fails. This is not a normal condition and could indicate possible software or hardware problems with the appliance.
Recommendations:
If you are receiving many bad crypto indications your appliance may need servicing. You should enable syslog 402123 to determine whether the crypto errors are hardware or software errors. You can also check the error counter in the global IPSec statistics with the 'show ipsec stats' CLI command. If the IPSec SA which is triggering these errors is known, the SA statistics from the 'show ipsec sa detail' command will also be useful in diagnosing the problem.
Syslogs:
402123
----------------------------------------------------------------
cxsc-bad-handle-received
Received a bad flow handle in a packet from the CXSC module, so the flow is dropped:
This counter is incremented, and the flow and packet are dropped on the ASA, when the handle for the CX flow changed during the lifetime of the flow.
Recommendations:
Check syslogs and alerts on CXSC module.
Syslogs:
None
----------------------------------------------------------------
cxsc-bad-tlv-received
CXSC Module requested drop:
This counter is incremented and the packet is dropped as requested by CXSC module when the packet has bad TLV's.
Recommendations:
Check syslogs and alerts on CXSC module.
Syslogs:
None
----------------------------------------------------------------
cxsc-fail
CXSC config removed for connection:
This counter is incremented and the packet is dropped when CXSC configuration is not found for a particular connection.
Recommendations:
Check whether any configuration changes have been made for CXSC.
Syslogs:
None
----------------------------------------------------------------
cxsc-fail-close
CXSC card is down:
This counter is incremented and the packet is dropped when CXSC card is down and fail-close option was used in CXSC action.
Recommendations:
Check and bring up the CXSC card.
Syslogs:
429001
----------------------------------------------------------------
cxsc-ha-request
CXSC HA replication drop:
This counter is incremented when the security appliance receives a CXSC HA request packet, but could not process it and the packet is dropped.
Recommendations:
This could happen occasionally when CXSC does not have the latest ASA HA state, like right after ASA HA state change. If the counter is constantly increasing however, then it can be because CXSC and ASA are out of sync. If that happens, contact Cisco TAC for assistance.
Syslogs:
None.
----------------------------------------------------------------
cxsc-invalid-encap
CXSC invalid header drop:
This counter is incremented when the security appliance receives a CXSC packet with an invalid message header, and the packet is dropped.
Recommendations:
This should never happen. Contact Cisco TAC for assistance.
Syslogs:
None.
----------------------------------------------------------------
cxsc-malformed-packet
CXSC Module requested drop:
This counter is incremented and the packet is dropped as requested by CXSC module when the packet is malformed.
Recommendations:
Check syslogs and alerts on CXSC module.
Syslogs:
None
----------------------------------------------------------------
cxsc-request
CXSC Module requested drop:
This counter is incremented and the packet is dropped as requested by CXSC module when the packet matches a signature on the CXSC engine.
Recommendations:
Check syslogs and alerts on CXSC module.
Syslogs:
429002
----------------------------------------------------------------
cxsc-rx-monitor-only
CXSC invalid monitor-only receive drop:
This counter is incremented when the security appliance receives a CXSC packet when in monitor-only mode, and the packet is dropped.
Recommendations:
This should never happen. Contact Cisco TAC for assistance.
Syslogs:
None.
----------------------------------------------------------------
daq-retry
Wait for re-transmitted packet from DAQ:
This counter is incremented when a packet re-transmission is needed from DAQ.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
defrag
Blocked or blacklisted by the defragmentation preprocessor:
This counter is incremented and the packet is dropped as requested by the defragmentation preprocessor.
Recommendations:
Review the snort output in packet tracer or capture with trace enabled.
Syslogs:
None.
----------------------------------------------------------------
df-bit-set
Egress fragmentation needed, DF bit is set:
This counter is incremented when a packet requires egress fragmentation but the DF bit is set in the IP header. The packet is dropped and an ICMP error message is sent to the source.
Recommendations:
Check the MTU setting on the egress interface.
Syslogs:
None
----------------------------------------------------------------
dispatch-block-alloc
Dispatch block unavailable:
This counter is incremented and the packet is dropped when the appliance could not allocate a core local block to process the packet that was received by the interface driver.
Recommendations:
This may be due to packets being queued for later processing or to a block leak. Core local blocks can also be unavailable if the free resource rebalancing logic does not replenish them in time. Use "show blocks core" to diagnose the problem further.
Syslogs:
None
----------------------------------------------------------------
dispatch-decode-err
Dispatch decode error:
This counter is incremented when the packet dispatch module encounters an error while decoding a frame. One example of such an error is an unsupported packet frame type.
Recommendations:
Verify the packet format with a capture tool.
Syslogs:
None
----------------------------------------------------------------
dispatch-queue-limit
Dispatch queue limit reached:
There are 32K load balancer queues to which a packet can be hashed. Each queue is limited to 1000 packets. When more packets are queued, tail drop occurs and this counter is incremented.
Recommendations:
If this happens excessively, find out which queues are affected and which connections hash to those queues, and send this information to development.
Syslogs:
None
----------------------------------------------------------------
dns-guard-id-not-matched
DNS Guard ID not matched:
This counter is incremented when the ID of a DNS response message does not match any of the DNS queries that previously passed through the security appliance on the same connection. This counter is incremented by the DNS Guard feature.
Recommendations:
No action is required if it is an intermittent event. If it is caused by an attack, you can deny the host with an ACL.
Syslogs:
None.
----------------------------------------------------------------
dns-guard-out-of-app-id
DNS Guard out of App ID:
This counter is incremented when the DNS Guard feature fails to allocate the data structure used to store the ID of a DNS message.
Recommendations:
Check the system memory usage. This event usually occurs when the system runs out of memory.
Syslogs:
None.
----------------------------------------------------------------
dst-l2_lookup-fail
Dst MAC L2 Lookup Failed:
This counter will increment when the appliance is configured for Layer 2 switching and the appliance does a Layer 2 destination MAC address lookup which fails. Upon the lookup failure, the appliance will begin the destination MAC discovery process and attempt to find the location of the host via ARP and/or ICMP messages.
Recommendations:
This is a normal condition when the appliance is configured for Layer 2 switching. You can also execute "show mac-address-table" to list the L2 MAC address locations currently discovered by the appliance.
Syslogs:
None
----------------------------------------------------------------
embryonic-conn-limit
Connection limit reached:
This reason is given for packets dropped because the connection limit or the host connection limit has been exceeded. If this is a TCP packet dropped during the TCP connection establishment phase because of the connection limit, the drop reason 'TCP connection limit reached' is also reported.
Recommendations:
If this is incrementing rapidly, check the syslogs to determine which host's connection limit is reached. If the traffic is legitimate, or the host is under attack and legitimate clients are being starved, the connection limit may need to be increased; keep in mind that raising it also raises the resources an attacker can consume.
Syslogs:
201011
----------------------------------------------------------------
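Several entries on this page (embryonic-conn-limit above, dispatch-queue-limit, and others) tell you to act only when a counter is "incrementing rapidly" or "happens excessively". Because show asp drop prints cumulative totals since the counters were last cleared, the rate has to be computed from two snapshots. The following Python is an added example, not Cisco code: it parses the description / (keyword) / count lines of two snapshots, reports the per-second increase of each counter, treats a counter that went backwards as having been cleared in between, and builds the matching capture command for a flagged keyword. The two snapshots are constructed for the example and their column layout only approximates real output.

```python
import re

# Constructed sample output (not captured from a real device); only the
# "description (keyword)   count" shape of the lines matters to the parser.
SNAP_T0 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                      10231
  Connection limit reached (embryonic-conn-limit)                      12
  Dispatch queue limit reached (dispatch-queue-limit)                   0
  Invalid IP header (invalid-ip-header)                                 3

Last clearing: 09:12:44 UTC Mar 3 2024 by enable_15

Flow drop:
  Flow is denied by access rule (acl-drop)                            845

Last clearing: 09:12:44 UTC Mar 3 2024 by enable_15
"""

# Second snapshot, constructed as if taken 60 seconds later.
SNAP_T1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                      10290
  Connection limit reached (embryonic-conn-limit)                    9812
  Dispatch queue limit reached (dispatch-queue-limit)                   0
  Invalid IP header (invalid-ip-header)                                 3

Last clearing: 09:12:44 UTC Mar 3 2024 by enable_15

Flow drop:
  Flow is denied by access rule (acl-drop)                            871

Last clearing: 09:12:44 UTC Mar 3 2024 by enable_15
"""

SECTION_RE = re.compile(r"^(Frame|Flow) drop:")
# description, then the keyword in parentheses, then the right-aligned count
LINE_RE = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<key>[\w-]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text):
    """Return {(section, keyword): (description, count)} from show asp drop output."""
    counters = {}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()   # "frame" or "flow"
            continue
        m = LINE_RE.match(line)
        if m and section:
            counters[(section, m.group("key"))] = (m.group("desc"), int(m.group("count")))
    return counters


def rate_report(before, after, interval_s, threshold_per_s=1.0):
    """Counters whose per-second increase reached the threshold, as {key: rate}.

    A counter that is lower in the later snapshot was cleared in between
    (clear asp drop or a reload), so its delta is unknown and reported as None.
    """
    flagged = {}
    for key, (_, now) in after.items():
        prev = before.get(key, (None, 0))[1]
        if now < prev:
            flagged[key] = None
            continue
        rate = (now - prev) / interval_s
        if rate >= threshold_per_s:
            flagged[key] = rate
    return flagged


def capture_command(keyword, name="aspdrop"):
    """ASA capture that records only packets dropped for the given reason keyword."""
    return f"capture {name} type asp-drop {keyword}"


if __name__ == "__main__":
    report = rate_report(parse_asp_drop(SNAP_T0), parse_asp_drop(SNAP_T1), interval_s=60)
    for (section, key), rate in sorted(report.items()):
        shown = "cleared in between" if rate is None else f"{rate:.1f} drops/s"
        print(f"{section:5} {key:30} {shown}   -> {capture_command(key)}")
```

Run it against two real snapshots by replacing the constructed strings with the saved output of show asp drop (for example from a scheduled "show asp drop" on the device or a collector); the threshold is deliberately low so that a quiet box produces no output at all.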
eve-handler
Blocked or blacklisted by the eve-handler:
This counter is incremented and the packet is dropped as requested by the eve-handler.
Recommendations:
Review the snort output in packet tracer or capture with trace enabled.
Syslogs:
None.
----------------------------------------------------------------
failed-to-setup-pdts-flow-param
Failure during setting up pdts flow parameters:
This counter is incremented when there is a failure in setting up pdts flow parameters.
Recommendations:
Enable and review the module specific snort/pdts debug messages.
Syslogs:
None.
----------------------------------------------------------------
file-process
Blocked or blacklisted by the file process preprocessor:
This counter is incremented and the packet is dropped as requested by the file process preprocessor.
Recommendations:
Review the snort output in packet tracer or capture with trace enabled.
Syslogs:
None.
----------------------------------------------------------------
firewall
Blocked or blacklisted by the firewall preprocessor:
This counter is incremented and the packet is dropped as requested by the firewall preprocessor.
Recommendations:
Review the snort output in packet tracer or capture with trace enabled.
Syslogs:
None.
----------------------------------------------------------------
flow-being-freed
Flow is being freed:
This counter is incremented when a flow is freed and all packets queued for inspection on it are dropped.
Recommendations:
No action needs to be taken.
Syslogs:
None
----------------------------------------------------------------
flow-expired
Expired flow:
This counter is incremented when the security appliance tries to inject a new or cached packet belonging to a flow that has already expired. It is also incremented when the appliance attempts to send a RST on a TCP flow that has already expired, or when a packet returns from the IDS blade but the flow has already expired. The packet is dropped.
Recommendations:
If valid applications are getting pre-empted, investigate if a longer timeout is needed.
Syslogs:
None.
----------------------------------------------------------------
flow-expired-drop
Expired flow:
This counter is incremented when the security appliance tries to inject a new or cached packet belonging to a flow that has already expired. It is also incremented when the appliance attempts to send a RST on a TCP flow that has already expired, or when a packet returns from the IDS blade but the flow has already expired. The packet is dropped.
Recommendations:
If valid applications are getting pre-empted, investigate if a longer timeout is needed.
Syslogs:
None.
----------------------------------------------------------------
flow-out-of-memory
Flow out of memory:
This counter is incremented when the system fails to allocate memory for a new flow. The packet is dropped.
Recommendations:
- Check the system memory usage.
- Check the number of flows in the system.
Syslogs:
None
----------------------------------------------------------------
fo-standby
Dropped by standby unit:
If a through-the-box packet arrives at an appliance or context in the Standby state and a flow is created, the packet is dropped and the flow is removed. This counter is incremented each time a packet is dropped in this way.
Recommendations:
This counter should not increment on an active appliance or context. It is normal for it to increment on the standby appliance or context.
Syslogs:
302014, 302016, 302018
----------------------------------------------------------------
fragment-full-reassembly-failed
Fragment full reassembly failed:
This counter is incremented when the appliance fails to allocate memory while reassembling a chain of fragmented packets into a single packet. The whole chain of fragments is dropped.
Recommendations:
Use the show blocks command to monitor the current block memory.
Syslogs:
None
----------------------------------------------------------------
fragment-reassembly-failed
Fragment reassembly failed:
This counter is incremented when the appliance fails to reassemble fragmented IP packets. The whole chain of fragments is dropped.
Recommendations:
Use 'show fragment' command to check all the failure counters.
Syslogs:
None
----------------------------------------------------------------
ftp
Blocked or blacklisted by the FTP preprocessor:
This counter is incremented and the packet is dropped as requested by the FTP preprocessor.
Recommendations:
Review the snort output in packet tracer or capture with trace enabled.
Syslogs:
None.
----------------------------------------------------------------
geneve-dual-arm-no-data-saved
Geneve dual-arm; no geneve data saved:
This counter is incremented when there is no saved Geneve data to copy onto a dual-arm packet arriving from the Internet. This usually happens when the flow had not been created at the time the Geneve data was to be saved.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
geneve-encap-error
Fail to encap with Geneve:
This counter is incremented when the security appliance fails to encapsulate a packet with Geneve.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
geneve-invalid-header
Invalid Geneve header format:
This counter is incremented when the security appliance receives a UDP packet with the correct Geneve destination port number but fails to decode the Geneve header.
Recommendations:
None.
Syslogs:
860004
----------------------------------------------------------------
geneve-invalid-header-thru-traffic
Invalid Geneve header format for through-the-box traffic:
This counter is incremented when the security appliance receives a through-the-box UDP packet with the correct Geneve destination port number but fails to decode the Geneve header.
Recommendations:
None.
Syslogs:
860008
----------------------------------------------------------------
geneve-invalid-nve-peer
Geneve packet from an invalid NVE peer:
This counter is incremented when the security appliance receives a Geneve packet from an NVE peer that is not configured.
Recommendations:
None.
Syslogs:
860007
----------------------------------------------------------------
geneve-invalid-udp-checksum
Invalid Geneve header format:
This counter is incremented when the security appliance receives a Geneve packet whose UDP header checksum is incorrect.
Recommendations:
None.
Syslogs:
860006
----------------------------------------------------------------
geneve-invalid-vni-mcast-ip
Invalid Multicast IP on Geneve VNI interface:
This counter is incremented when the security appliance cannot obtain the multicast group IP from the VNI interface.
Recommendations:
If no peer NVE is configured, verify that a valid multicast group IP is configured on the VNI interface.
Syslogs:
None.
----------------------------------------------------------------
geneve-missing-peer-vtep-ip
Geneve Peer VTEP IP not found:
This counter is incremented when the security appliance cannot find a peer VTEP IP for the inner destination IP during Geneve encapsulation.
Recommendations:
Verify that the VTEP IP for the desired remote inner host is present in the output of show arp vtep-mapping, show mac-address-table vtep-mapping, or show ipv6 neighbor vtep-mapping.
Syslogs:
None.
----------------------------------------------------------------
ha-nlp-invalid-fragments
NLP sending invalid fragments in failover link:
This counter is incremented and the packet is dropped when NLP tries to send a fragmented packet of invalid size through the failover link.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
ha-nlp-lu-link-not-ready
Failover link is not ready for processing NLP packets:
This counter is incremented and the packet is dropped when NLP tries to send or receive a packet but the failover link LU status is down.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
ha-nlp-send-ha-msg-err
Send NLP packet over HA failover link failed:
This counter is incremented and the packet is dropped when NLP fails to send a packet through the failover link.
Recommendations:
Check the output of show counters to get more information about the failure.
Syslogs:
None
----------------------------------------------------------------
hop-limit-exceeded
hop-limit exceeded:
This counter is incremented when the security appliance receives an IPv6 packet whose hop-limit field is outside the allowed range. Specifically, a packet with a hop-limit of less than 1 is dropped.
Syslogs:
None.
----------------------------------------------------------------
host-move-pkt
FP host move packet:
This counter will increment when the appliance/context is configured for transparent mode and a known L2 MAC address is seen as the source on an interface other than the one it was learned on.
Recommendations:
This indicates that a host has moved from one interface (that is, LAN segment) to another. If the host has actually moved, this is a normal condition in transparent mode. However, if the host keeps flapping back and forth between interfaces, a network loop may exist.
Syslogs:
412001, 412002, 322001
----------------------------------------------------------------
ids-pkts-processed
Packets processed in IDS modes:
This counter is incremented after packet processing is complete in inline-tap and passive modes; the packet is dropped after this.
Recommendations:
Expected behavior in these modes, no action required.
Syslogs:
None.
----------------------------------------------------------------
ifc-classify
Virtual firewall classification failed:
A packet arrived on a shared interface, but classification to a specific context interface failed.
Recommendations:
For software versions without customizable mac-address support, use the "global" or "static" command to specify the IPv4 addresses that belong to each context interface. For software versions with customizable mac-address support, enable "mac-address auto" in system context. Alternatively, configure unique MAC addresses for each context interfaces residing over a shared interface with "mac-address" command under each context interface submode.
Syslogs:
None.
----------------------------------------------------------------
ifc-not-cmd-enabled
Interface not CMD configured:
This counter is incremented when the security appliance receives a CMD packet on an interface that is not configured to receive one. The packet is dropped.
Recommendations:
Verify that the interface in question has the proper CMD settings.
Syslogs:
None.
----------------------------------------------------------------
ike-sa-global-rate-limit
IKE need SA indication global rate limit exceeded:
This counter will increment when the appliance attempts to send a message indicating that a new SA is needed to a rate-limited control point service routine and the global rate limit (per second) is being exceeded. The current rate is ten messages per second.
Recommendations:
This counter is informational and the behavior is expected. The packet is dropped.
Syslogs:
None
----------------------------------------------------------------
ike-sa-rate-limit
IKE need SA indication per SA rule rate limit exceeded:
This counter will increment when the appliance attempts to send a message indicating that a new SA is needed to a rate-limited control point service routine and the per-SA-rule rate limit (per second) is being exceeded. The current rate is one message every two seconds.
Recommendations:
This counter is informational and the behavior is expected. The packet is dropped.
Syslogs:
None
----------------------------------------------------------------
ike-spi-cookie-expired
IKE packet with expired SPI cookie:
This counter is incremented and the packet is dropped when the SPI received in the incoming packet is considered expired.
Recommendations:
Check the syslog to get more information about the origin of packet. If this is a valid peer connection, this may be the result of a very long network delay that should be eliminated. If the drops persist, call TAC to investigate further.
Syslogs:
753001
----------------------------------------------------------------
ike-spi-corrupted-value
IKE packet containing corrupted SPI:
This counter is incremented and the packet is dropped when SPI consistency checks fail indicating the packet might have been altered in transit.
Recommendations:
Check the syslog to get more information about the origin of the packet. This condition can be normal and transient. If the drops persist, call TAC to investigate further.
Syslogs:
753001
----------------------------------------------------------------
inspect-dns-id-not-matched
DNS Inspect ID not matched:
This counter is incremented when the ID of a DNS response message does not match any of the DNS queries that passed through the security appliance earlier on the same connection.
Recommendations:
No action required if it is an intermittent event. If the cause is an attack, you can deny the host using ACLs.
Syslogs:
None.
----------------------------------------------------------------
inspect-dns-invalid-domain-label
DNS Inspect invalid domain label:
This counter will increment when the appliance detects an invalid DNS domain name or label. DNS domain names and labels are checked per RFC 1035 (labels of at most 63 octets, names of at most 255 octets).
Recommendations:
No action required. If the domain name and label check is not desired, disable the protocol-enforcement parameter in the DNS inspection policy-map (in supported releases).
Syslogs:
None.
----------------------------------------------------------------
inspect-dns-invalid-pak
DNS Inspect invalid packet:
This counter will increment when the appliance detects an invalid DNS packet. Examples: A DNS packet with no DNS header; the number of DNS resource records not matching the counter in the header; etc.
Recommendations:
No action required.
Syslogs:
None.
----------------------------------------------------------------
inspect-dns-opt-format-error
DNS Inspect Multiple OPT Record:
This counter will increment when multiple OPT records are found in a single DNS packet.
Recommendations:
No action required.
Syslogs:
None.
----------------------------------------------------------------
inspect-dns-out-of-app-id
DNS Inspect out of App ID:
This counter is incremented when the DNS inspection engine fails to allocate the data structure used to store the ID of a DNS message.
Recommendations:
Check the system memory usage. This event usually occurs when the system runs out of memory.
Syslogs:
None.
----------------------------------------------------------------
inspect-dns-pak-too-long
DNS Inspect packet too long:
This counter is incremented when the DNS message length exceeds the configured maximum.
Recommendations:
No action required. If DNS message length checking is not desired, enable DNS inspection without the 'maximum-length' option, or disable the 'message-length maximum' parameter in the DNS inspection policy-map (in supported releases).
Syslogs:
410001
----------------------------------------------------------------
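The inspect-dns-* entries above (ID matching, RFC 1035 label checks, multiple OPT records, message length, truncated packets) and the DNS Guard entries earlier on the page (dns-guard-id-not-matched, dns-guard-out-of-app-id) describe stateful checks that are easier to reason about with a small model. The following Python is an added example, not Cisco code: it parses the DNS header and sections with struct, tracks outstanding transaction IDs per flow, and returns the drop-reason keyword from this page for the first check that fails. The 512-byte maximum, the per-flow App ID capacity, and the attribution of a sub-header-length packet to invalid-app-length are assumptions made for the example; all sample messages are constructed inline.

```python
import struct

MAX_LABEL = 63          # RFC 1035 section 2.3.4
MAX_NAME = 255          # RFC 1035 section 2.3.4, including length octets and the root
OPT_TYPE = 41           # EDNS0 OPT pseudo-RR (RFC 6891)
DEFAULT_MAX_LEN = 512   # assumption: mirrors the ASA default 'message-length maximum 512'


class LabelError(ValueError):
    """A label or name violates the RFC 1035 length limits."""


def take(buf, off, n):
    """Return buf[off:off+n] and the new offset; raise ValueError on a truncated packet."""
    if off + n > len(buf):
        raise ValueError("truncated")
    return buf[off:off + n], off + n


def read_name(buf, off):
    """Parse a wire-format name; return (labels, next offset). A pointer ends the name."""
    labels, total = [], 0
    while True:
        lb, off = take(buf, off, 1)
        length = lb[0]
        if length & 0xC0 == 0xC0:       # compression pointer: one more octet, then done
            _, off = take(buf, off, 1)
            return labels, off
        if length == 0:
            return labels, off
        if length > MAX_LABEL:
            raise LabelError("label longer than 63 octets")
        total += length + 1
        if total + 1 > MAX_NAME:        # +1 for the terminating root label
            raise LabelError("name longer than 255 octets")
        label, off = take(buf, off, length)
        labels.append(label)


def encode_name(name):
    """Wire-encode a dotted name without enforcing limits, so bad names can be built."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_message(txid, is_response, qname, opt_records=0):
    """Constructed DNS message: one A/IN question plus opt_records OPT pseudo-RRs."""
    flags = 0x8180 if is_response else 0x0100
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, opt_records)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    opt = (b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0)) * opt_records
    return hdr + question + opt


class DnsInspector:
    def __init__(self, max_len=DEFAULT_MAX_LEN, app_id_capacity=64):
        self.max_len = max_len
        self.capacity = app_id_capacity          # assumption: per-flow App ID budget
        self.outstanding = {}                    # flow key -> set of query IDs awaiting a reply

    def inspect(self, flow, payload):
        """Return None to permit, or the ASP drop-reason keyword for the first failed check."""
        if len(payload) < 12:
            return "invalid-app-length"
        if len(payload) > self.max_len:
            return "inspect-dns-pak-too-long"
        txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
        opt_count, off = 0, 12
        try:
            for _ in range(qd):
                _, off = read_name(payload, off)
                _, off = take(payload, off, 4)          # QTYPE + QCLASS
            for _ in range(an + ns + ar):
                _, off = read_name(payload, off)
                fixed, off = take(payload, off, 10)     # TYPE, CLASS, TTL, RDLENGTH
                rtype, _, _, rdlen = struct.unpack("!HHIH", fixed)
                _, off = take(payload, off, rdlen)
                opt_count += rtype == OPT_TYPE
        except LabelError:
            return "inspect-dns-invalid-domain-label"
        except ValueError:                              # section counts do not match the data
            return "inspect-dns-invalid-pak"
        if opt_count > 1:
            return "inspect-dns-opt-format-error"
        ids = self.outstanding.setdefault(flow, set())
        if not flags & 0x8000:                          # query: remember its ID
            if len(ids) >= self.capacity:
                return "inspect-dns-out-of-app-id"
            ids.add(txid)
            return None
        if txid not in ids:                             # response with no matching query
            return "inspect-dns-id-not-matched"
        ids.discard(txid)
        return None


def dns_demo():
    """Feed constructed messages through the inspector and return each verdict."""
    insp = DnsInspector()
    flow = ("192.0.2.10", 53001, "198.51.100.53", 53)   # constructed client->server flow key
    ok = "example.com"
    results = [
        insp.inspect(flow, build_message(0x1234, False, ok)),                 # query recorded
        insp.inspect(flow, build_message(0x1234, True, ok)),                  # matching reply
        insp.inspect(flow, build_message(0x9999, True, ok)),                  # reply, no query
        insp.inspect(flow, build_message(0x0001, False, "a" * 64 + ".com")),  # 64-octet label
        insp.inspect(flow, build_message(0x0002, False, ok, opt_records=2)),  # two OPT RRs
        insp.inspect(flow, build_message(0x0003, False, ok)[:-3]),            # cut question
        insp.inspect(flow, b"\x00\x01"),                                      # no full header
        insp.inspect(flow, build_message(0x0004, False, ok) + b"\x00" * 600), # over 512
    ]
    small = DnsInspector(app_id_capacity=2)
    results += [small.inspect(flow, build_message(i, False, ok)) for i in (1, 2, 3)]
    return results
```

The order of the checks matters: length checks run before parsing, parsing before the OPT count, and ID tracking last, so a malformed response never reaches the transaction table and cannot consume an App ID.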
inspect-dns-umbrella-appid-fail
Umbrella DNS Transaction Id entry creation or lookup fail:
The transaction ID of a DNS response did not match that of any request, or the app-id table entry could not be created or updated.
Recommendations:
Check dns flows, system load, memory usage.
Syslogs:
None.
----------------------------------------------------------------
inspect-dns-umbrella-flow-exp
Umbrella DNS packet delay. Flow expired:
This counter will increment when a DNS response from Umbrella cannot find the paired client flow to which the packet should be redirected. The packet is dropped.
Recommendations:
Check reachability to the Umbrella resolvers or look for network delays.
Syslogs:
None.
----------------------------------------------------------------
inspect-dns-umbrella-no-memory
DNS Inspect Umbrella memory allocation failure:
This counter will increment when Umbrella is unable to allocate new memory. The packet being processed is dropped.
Recommendations:
Check the system load and memory usage.
Syslogs:
None.
----------------------------------------------------------------
inspect-dp-out-of-memory
Inspect Datapath out of memory:
This counter is incremented when the inspect datapath fails to allocate memory.
Recommendations:
Check the system memory usage. This event usually occurs when the system runs out of memory.
Syslogs:
None.
----------------------------------------------------------------
inspect-gtp
GTP inspection:
This counter is incremented and the packet is dropped when GTP inspection found validation or internal errors, or performed policy drop.
Recommendations:
Use this ASP drop reason to capture dropped GTP packets for troubleshooting.
Syslogs:
None
----------------------------------------------------------------
inspect-icmp-bad-code
ICMP Inspect bad icmp code:
This counter will increment when the ICMP code in the ICMP echo request or reply message is non-zero.
Recommendations:
No action required if it is an intermittent event. If the cause is an attack, you can deny the host using ACLs.
Syslogs:
313009.
----------------------------------------------------------------
inspect-icmp-error-different-embedded-conn
ICMP Error Inspect different embedded conn:
This counter is incremented when the frame embedded in the ICMP error message does not match the established connection that was identified when the ICMP connection was created.
Recommendations:
No action required if it is an intermittent event. If the cause is an attack, you can deny the host using ACLs.
Syslogs:
313005
----------------------------------------------------------------
inspect-icmp-error-nat64-error
ICMP NAT64 Error Inspect XLATE Error:
This counter will increment when the appliance is unable to translate ICMP error messages between IPv6 and IPv4.
Recommendations:
No action required if it is an intermittent event. If the cause is an attack, you can deny the host using ACLs.
Syslogs:
313005
----------------------------------------------------------------
inspect-icmp-error-no-existing-conn
ICMP Error Inspect no existing conn:
This counter will increment when the appliance is not able to find any established connection related to the frame embedded in the ICMP error message.
Recommendations:
No action required if it is an intermittent event. If the cause is an attack, you can deny the host using ACLs.
Syslogs:
313005
----------------------------------------------------------------
inspect-icmp-invalid-pak
ICMP Inspect invalid packet:
This counter will increment when the appliance detects an invalid ICMPv4 or ICMPv6 packet. Examples: Incomplete ICMP header; malformed ICMP Next Header; invalid hop-limit for ICMPv6 NS (neighbor solicitation); etc.
Recommendations:
No action required if it is an intermittent event. If the cause is an attack, you can deny the host using ACLs.
Syslogs:
None.
----------------------------------------------------------------
inspect-icmp-nat64-frag
ICMP NAT64 Inspect Fragmentation Error:
This counter will increment when the appliance is unable to translate ICMP messages between IPv6 and IPv4 due to fragmentation. Per RFC 6145, ICMP packet fragments are not translated.
Recommendations:
No action required.
Syslogs:
313005
----------------------------------------------------------------
inspect-icmp-out-of-app-id
ICMP Inspect out of App ID:
This counter will increment when the ICMP inspection engine fails to allocate an 'App ID' data structure. This data structure is used to store the sequence number of the ICMP packet.
Recommendations:
Check the system memory usage. This event usually occurs when the system runs out of memory.
Syslogs:
None.
----------------------------------------------------------------
inspect-icmp-seq-num-not-matched
ICMP Inspect seq num not matched:
This counter will increment when the sequence number in the ICMP echo reply message does not match any ICMP echo message that passed across the appliance earlier on the same connection.
Recommendations:
No action required if it is an intermittent event. If the cause is an attack, you can deny the host using ACLs.
Syslogs:
313004
----------------------------------------------------------------
inspect-icmpv6-error-invalid-pak
ICMPv6 Error Inspect invalid packet:
This counter will increment when the appliance detects an invalid frame embedded in the ICMPv6 packet. The checks are the same as for an IPv6 packet. Examples: Incomplete IPv6 header; malformed IPv6 Next Header; etc.
Recommendations:
No action required.
Syslogs:
None.
----------------------------------------------------------------
inspect-icmpv6-error-no-existing-conn
ICMPv6 Error Inspect no existing conn:
This counter will increment when the appliance is not able to find any established connection related to the frame embedded in the ICMPv6 error message.
Recommendations:
No action required if it is an intermittent event. If the cause is an attack, you can deny the host using ACLs.
Syslogs:
313005
----------------------------------------------------------------
inspect-rtcp-invalid-length
Invalid RTCP Packet length:
This counter is incremented when the UDP packet length is shorter than the size of the RTCP header.
Recommendations:
No action required. A capture can be used to figure out which RTP source is sending the incorrect packets and you can deny the host using the ACLs.
Syslogs:
None.
----------------------------------------------------------------
inspect-rtcp-invalid-payload-type
Invalid RTCP Payload type field:
This counter is incremented when the RTCP payload type field does not contain a value in the range 200 to 204.
Recommendations:
The RTP source should be validated to see why it is sending payload types outside of the range recommended by the RFC 1889.
Syslogs:
431002.
----------------------------------------------------------------
inspect-rtcp-invalid-version
Invalid RTCP Version field:
This counter is incremented when the RTCP version field contains a version other than 2.
Recommendations:
The RTP source in your network does not seem to be sending RTCP packets conformant with the RFC 1889. The reason for this has to be identified and you can deny the host using ACLs if required.
Syslogs:
431002.
----------------------------------------------------------------
inspect-rtp-invalid-length
Invalid RTP Packet length:
This counter is incremented when the UDP packet length is shorter than the size of the RTP header.
Recommendations:
No action required. A capture can be used to figure out which RTP source is sending the incorrect packets and you can deny the host using the ACLs.
Syslogs:
None.
----------------------------------------------------------------
inspect-rtp-invalid-payload-type
Invalid RTP Payload type field:
This counter is incremented when the RTP payload type field does not contain an audio payload type although the signaling channel negotiated an audio media type for the RTP secondary connection. The counter is incremented in the same way for video payload types.
Recommendations:
The RTP source in your network is using the audio RTP secondary connection to send video or vice versa. If you wish to prevent this you can deny the host using ACLs.
Syslogs:
431001.
----------------------------------------------------------------
inspect-rtp-invalid-version
Invalid RTP Version field:
This counter is incremented when the RTP version field contains a version other than 2.
Recommendations:
The RTP source in your network does not seem to be sending RTP packets conformant with the RFC 1889. The reason for this has to be identified and you can deny the host using ACLs if required.
Syslogs:
431001.
----------------------------------------------------------------
inspect-rtp-max-outofseq-paks-probation
RTP out of sequence packets in probation period:
This counter is incremented when the number of out-of-sequence packets exceeds 20 while the RTP source is still being validated. Inspection considers the source validated once it has seen 5 packets in sequence.
Recommendations:
Check the RTP source to see why the first few packets do not come in sequence and correct it.
Syslogs:
431001.
----------------------------------------------------------------
inspect-rtp-sequence-num-outofrange
RTP Sequence number out of range:
This counter is incremented when the RTP sequence number in the packet is not within the range expected by inspection.
Recommendations:
No action is required because the inspect tries to recover and start tracking from a new sequence number after a lapse in the sequence numbers from the RTP source.
Syslogs:
431001.
----------------------------------------------------------------
inspect-rtp-ssrc-mismatch
Invalid RTP Synchronization Source field:
This counter is incremented when the RTP SSRC field in the packet does not match the SSRC that inspection validated for the RTP source from the RTP packets seen so far.
Recommendations:
This could be because the RTP source in your network is rebooting and hence changing the SSRC, or because another host on your network is trying to use the secondary RTP connections opened on the firewall to send RTP packets. Further investigation is needed to determine whether there is a problem.
Syslogs:
431001.
----------------------------------------------------------------
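The inspect-rtp-* entries above describe one state machine per secondary RTP connection: version and payload-type checks, an SSRC pinned on the first packet, a probation period that ends after 5 in-sequence packets or fails after more than 20 out-of-sequence ones, and resynchronisation on a sequence-number jump. The following Python is an added example, not Cisco code, that models that state machine and returns the matching drop-reason keyword from this page. The RTP header layout is from RFC 3550; the size of the jump that counts as "out of range" for a validated source is not stated on the page, so the example borrows MAX_DROPOUT from RFC 3550 appendix A.1 as a labelled assumption, and the negotiated payload types and packets are constructed.

```python
import struct

RTP_VERSION = 2
PROBATION_IN_SEQ = 5          # in-sequence packets before the source counts as validated
MAX_OOS_IN_PROBATION = 20     # out-of-sequence packets tolerated while still in probation
MAX_DROPOUT = 3000            # assumption: RFC 3550 A.1 value; the page does not give ASA's window


class RtpFlowState:
    """Inspection state for one secondary RTP connection opened by signaling."""

    def __init__(self, payload_types):
        self.allowed_pt = set(payload_types)   # payload types negotiated for this connection
        self.ssrc = None
        self.expected_seq = None
        self.in_seq = 0
        self.oos_in_probation = 0
        self.validated = False

    def _resync(self, seq):
        self.expected_seq = (seq + 1) & 0xFFFF

    def inspect(self, packet):
        """Return None to permit, or the ASP drop-reason keyword for the failed check."""
        if len(packet) < 12:                                 # fixed RTP header is 12 octets
            return "inspect-rtp-invalid-length"
        b0, b1, seq, _ts, ssrc = struct.unpack("!BBHII", packet[:12])
        if b0 >> 6 != RTP_VERSION:
            return "inspect-rtp-invalid-version"
        if (b1 & 0x7F) not in self.allowed_pt:               # marker bit masked off
            return "inspect-rtp-invalid-payload-type"
        if self.ssrc is None:                                # first packet pins the source
            self.ssrc, self.in_seq = ssrc, 1
            self._resync(seq)
            return None
        if ssrc != self.ssrc:
            return "inspect-rtp-ssrc-mismatch"
        if seq == self.expected_seq:                         # in sequence
            self.in_seq += 1
            self._resync(seq)
            if self.in_seq >= PROBATION_IN_SEQ:
                self.validated = True
            return None
        if not self.validated:                               # out of sequence during probation
            self.oos_in_probation += 1
            self.in_seq = 1                                  # start counting again from here
            self._resync(seq)
            if self.oos_in_probation > MAX_OOS_IN_PROBATION:
                return "inspect-rtp-max-outofseq-paks-probation"
            return None
        jump = (seq - self.expected_seq) & 0xFFFF            # validated source: bounded jump ok
        self._resync(seq)                                    # either way, track from this packet
        if jump < MAX_DROPOUT:
            return None
        return "inspect-rtp-sequence-num-outofrange"


def rtp_packet(seq, ssrc=0xDEADBEEF, pt=0, version=2):
    """Constructed 12-octet RTP header: V=version, no padding/extension/CSRC, marker clear."""
    return struct.pack("!BBHII", version << 6, pt, seq, 1000 + seq * 160, ssrc)


def rtp_demo():
    """Drive the state machine with constructed packets; return each verdict in order."""
    audio = RtpFlowState(payload_types={0, 8})             # PCMU/PCMA negotiated (constructed)
    out = [audio.inspect(rtp_packet(s)) for s in range(100, 105)]   # 5 in sequence
    out.append(audio.validated)
    out.append(audio.inspect(rtp_packet(105, ssrc=0x01020304)))     # someone else's SSRC
    out.append(audio.inspect(rtp_packet(106, pt=96)))               # video PT on audio conn
    out.append(audio.inspect(rtp_packet(9000)))                     # jump beyond the window
    out.append(audio.inspect(rtp_packet(9001)))                     # tracking resumed
    out.append(audio.inspect(b"\x80\x00\x00"))                      # truncated header
    out.append(audio.inspect(rtp_packet(9002, version=1)))          # wrong version
    probation = RtpFlowState(payload_types={0})
    oos = [probation.inspect(rtp_packet(s)) for s in range(0, 44, 2)]  # never in sequence
    out.append(oos[-2])                                             # 20th out of sequence: ok
    out.append(oos[-1])                                             # 21st: dropped
    return out
```

Note that a payload-type or SSRC failure does not advance the expected sequence number: a dropped packet must not move the tracker, or an injected stream from a second host could steer it.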
inspect-scansafe-duplicate-conn
Inspect scansafe duplicate connection:
This counter is incremented when there is a duplicate connection with the same source IP address and port. The packet is dropped and the connection is closed.
Syslogs:
775002.
----------------------------------------------------------------
inspect-scansafe-encoding-failed
Inspect scansafe header encoding failed :
This counter is incremented when the base64 encoding of the user and group name fails. The packet is dropped and the connection is closed.
Syslogs:
775002.
----------------------------------------------------------------
inspect-scansafe-hdr-encryption-failed
Inspect scansafe header encryption failed:
This counter is incremented when the encryption of the scansafe header fails. The packet is dropped and the connection is closed.
Syslogs:
775002.
----------------------------------------------------------------
inspect-scansafe-license-key-not-configured
Scansafe license key not configured:
This counter is incremented when the scansafe license key is not configured. The packet is dropped and the connection is closed.
Recommendations:
Verify that the scansafe license key is configured on the security appliance.
Syslogs:
775002.
----------------------------------------------------------------
inspect-scansafe-max-conn-reached
Inspect scansafe max allowed connections reached:
This counter is incremented when a new connection arrives and the maximum number of concurrent scansafe connections allowed for the platform has already been reached. The packet is dropped and the connection is closed.
Syslogs:
775002.
----------------------------------------------------------------
inspect-scansafe-public_key_not_configured
Scansafe public key not configured:
This counter is incremented when the scansafe public key is not configured. The packet is dropped and the connection is closed.
Recommendations:
Verify that the scansafe public key is configured on the security appliance.
Syslogs:
775002.
----------------------------------------------------------------
inspect-scansafe-server-not-reachable
Scansafe server not reachable:
This counter is incremented when the security appliance finds the scansafe cloud unreachable. The packet is dropped and the connection is closed.
Recommendations:
Verify that the configured scansafe servers are reachable from the security appliance.
Syslogs:
775002.
----------------------------------------------------------------
inspect-stun-invalid-pak
STUN Inspect invalid packet:
This counter will increment when the appliance detects an invalid STUN packet.
Examples: Incomplete STUN header; malformed STUN Header; etc.
Recommendations:
No action required if it is an intermittent event. If the cause is an attack, you can deny the host using ACLs.
Syslogs:
None.
----------------------------------------------------------------
inspect-stun-out-of-memory
STUN Inspect out of Memory:
This counter will increment when the STUN inspection engine fails to allocate memory.
Recommendations:
Check the system memory usage. This event usually occurs when the system runs out of memory.
Syslogs:
None.
----------------------------------------------------------------
inspect-stun-out-of-trans-id
STUN Inspect out of Trans ID:
This counter will increment when the STUN inspection engine fails to allocate a 'Trans ID' data structure. The structure is used to store the transaction ID of the STUN packet.
Recommendations:
Check the system memory usage. This event usually occurs when the system runs out of memory.
Syslogs:
None.
----------------------------------------------------------------
inspect-stun-pinhole-fail
STUN Inspect failed to open pinhole:
This counter will increment when the appliance fails to open a pinhole after a STUN request and successful response message exchange.
Recommendations:
Check the system memory usage. This event usually occurs when the system runs out of memory.
Syslogs:
None.
----------------------------------------------------------------
inspect-stun-trans-id-no-match
STUN Inspect trans id not matched:
This counter will increment when the transaction id in the STUN successful/error response message does not match any STUN request message that passed across the appliance earlier on the same connection.
Recommendations:
No action required if it is an intermittent event. If the cause is an attack, you can deny the host using ACLs.
Syslogs:
313004
----------------------------------------------------------------
intercept-unexpected
Intercept unexpected packet:
This counter is incremented when TCP intercept receives data from the client while still waiting for the SYN-ACK from the server, or receives a packet that cannot be handled in the current TCP intercept state.
Recommendations:
If this drop is causing the connection to fail, take a sniffer trace of the client and server sides of the connection when reporting the issue. The box could be under attack, and the sniffer traces or captures help narrow down the culprit.
Syslogs:
None.
----------------------------------------------------------------
interface-down
Interface is down:
This counter will increment for each packet received on an interface that is shut down via the 'shutdown' interface sub-mode command. For ingress traffic, security context classification is performed and, if the interface associated with that context is shut down, the packet is dropped. For egress traffic, the packet is dropped if the egress interface is shut down.
Recommendations:
No action required.
Syslogs:
None.
----------------------------------------------------------------
invalid-adjacency
No valid adjacency:
This counter is incremented when the security appliance has tried to obtain an adjacency and could not obtain the MAC address of the next hop. The packet is dropped.
Recommendations:
Configure a capture for this drop reason and check if a host with specified destination address exists on connected network or is routable from the device.
Syslogs:
None.
----------------------------------------------------------------
invalid-app-length
Invalid App length:
This counter will increment when the appliance detects an invalid length of the Layer 7 payload in the packet. Currently it counts only drops by the DNS Guard feature. Example: incomplete DNS header.
Recommendations:
No action required.
Syslogs:
None.
----------------------------------------------------------------
invalid-encap
Invalid Encapsulation:
This counter is incremented when the security appliance receives a frame belonging to an unsupported link-level protocol, or if the L3 type specified in the frame is not supported by the appliance. The packet is dropped.
Recommendations:
Verify that directly connected hosts have proper link-level protocol settings.
Syslogs:
None.
----------------------------------------------------------------
invalid-encryption-packet
Invalid encryption packet received:
This counter will increment when the appliance receives a packet associated with an IPSec connection on a flow that does not have encrypt flags on.
Recommendations:
You may see this counter increment as part of normal operation. However, if the counter is increasing rapidly and traffic is being disrupted, the cause may be a misconfiguration or a software defect.
Syslogs:
None
----------------------------------------------------------------
invalid-ethertype
Invalid Ethertype:
This counter is incremented when the fragmentation module on the security appliance receives, or tries to send, a fragmented packet that does not belong to IP version 4 or version 6. The packet is dropped.
Recommendations:
Verify the MTU of the device and of the other devices on the connected network to determine why the device is processing such fragments.
Syslogs:
None.
----------------------------------------------------------------
invalid-geneve-segment-id
Invalid Geneve segment-id:
This counter is incremented when the security appliance decapsulates a Geneve packet that has an invalid segment ID.
Recommendations:
None.
Syslogs:
860001
----------------------------------------------------------------
invalid-geneve-segment-id-fp
Invalid VXLAN in-tag:
This counter is incremented when the security appliance decapsulates a VXLAN packet in FP which has an invalid segment-id.
Recommendations:
None.
Syslogs:
778003.
----------------------------------------------------------------
invalid-geneve-shared-ch
Invalid Geneve segment-id:
This counter is incremented when the security appliance decapsulates a Geneve packet that has an invalid segment ID.
Recommendations:
None.
Syslogs:
860001
----------------------------------------------------------------
invalid-ip-header
Invalid IP header:
This counter is incremented and the packet is dropped when the appliance receives an IP packet whose computed checksum of the IP header does not match the recorded checksum in the header.
Recommendations:
The packet corruption may be caused by a bad cable or noise on the line. It is also possible that a peer is sending corrupted packets and an attack is underway. Use the packet capture feature to learn more about the origin of the packet.
Syslogs:
None
----------------------------------------------------------------
invalid-ip-length
Invalid IP Length:
This counter is incremented when the security appliance receives an IPv4 or IPv6 packet in which the header length or total length fields in IP header are not valid or do not conform to the received packet length.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
invalid-ip-option
IP option drop:
This counter is incremented when any unicast packet with IP options, or a multicast packet with IP options that have not been configured to be accepted, is received by the security appliance. The packet is dropped.
Recommendations:
Investigate why a packet with ip options is being sent by the sender.
Syslogs:
None.
----------------------------------------------------------------
invalid-map-address-port
Invalid MAP address/port combination:
A packet whose address matches the basic mapping rule of a MAP (Mapping of Address and Port) domain has inconsistent encoding, or the port number used is not within the assigned range.
Recommendations:
Check the MAP BR and CE configuration to confirm that it is consistent within the same MAP domain. Note that this can also be caused by a rogue MAP CE maliciously attempting to use ports that are not assigned to it.
Syslogs:
305019, 305020
----------------------------------------------------------------
invalid-onwer-id-received
Packet dropped as invalid owner id received:
This counter is incremented when a cluster node gets an invalid owner id from the VPN director.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
invalid-peer-nve
Invalid peer NVE:
This counter is incremented when the security appliance fails to get IP and MAC address of a peer NVE.
Recommendations:
Verify that peer nve is configured or learned for the nve.
Syslogs:
None.
----------------------------------------------------------------
invalid-sctp-length
Invalid SCTP Length:
This counter is incremented when the security appliance receives an SCTP packet whose common header size is less than the required common header size (12 bytes).
Recommendations:
The invalid packet could be a bogus packet being sent by an attacker.
Syslogs:
None.
----------------------------------------------------------------
invalid-tcp-hdr-length
Invalid TCP Length:
This counter is incremented when the security appliance receives a TCP packet whose size is smaller than minimum-allowed header length or does not conform to the received packet length.
Recommendations:
The invalid packet could be a bogus packet being sent by an attacker.
Investigate the traffic from source in the following syslog.
Syslogs:
500003.
----------------------------------------------------------------
invalid-udp-length
Invalid UDP Length:
This counter is incremented when the security appliance receives a UDP packet whose size as calculated from the fields in header is different from the measured size of packet as received from the network.
Recommendations:
The invalid packet could be a bogus packet being sent by an attacker.
Syslogs:
None.
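The length and checksum checks behind invalid-ip-header, invalid-ip-length, invalid-sctp-length, invalid-tcp-hdr-length and invalid-udp-length above, as an added example that is not Cisco's code: an IPv4-only validator in Python that reports which of these drop reasons a raw frame would hit, with constructed sample frames (192.0.2.0/24 documentation addresses); the order in which the checks run is this example's own assumption.

```python
"""
Added example (not Cisco code): reproduce the header sanity checks behind the
invalid-ip-header, invalid-ip-length, invalid-tcp-hdr-length, invalid-udp-length
and invalid-sctp-length counters on raw IPv4 frames. The order in which the
checks run and the sample frames are this example's own construction.
"""
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_SCTP = 6, 17, 132


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def classify(frame: bytes) -> str:
    """Return the asp drop reason an IPv4 frame would hit, or 'ok'."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return "not-ipv4"                   # this example only models IPv4 frames
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    # invalid-ip-length: header length / total length fields disagree with what was received
    if ihl < 20 or total_len < ihl or total_len > len(frame):
        return "invalid-ip-length"
    header = frame[:ihl]
    stored = struct.unpack("!H", header[10:12])[0]
    # invalid-ip-header: recompute the checksum with the field zeroed and compare
    if ipv4_checksum(header[:10] + b"\x00\x00" + header[12:]) != stored:
        return "invalid-ip-header"
    proto, payload = frame[9], frame[ihl:total_len]
    if proto == IPPROTO_TCP:
        # invalid-tcp-hdr-length: data offset below the 20-byte minimum or past the packet end
        data_off = (payload[12] >> 4) * 4 if len(payload) >= 20 else 0
        if data_off < 20 or data_off > len(payload):
            return "invalid-tcp-hdr-length"
    elif proto == IPPROTO_UDP:
        # invalid-udp-length: the length field must equal the bytes actually carried
        udp_len = struct.unpack("!H", payload[4:6])[0] if len(payload) >= 8 else -1
        if udp_len != len(payload):
            return "invalid-udp-length"
    elif proto == IPPROTO_SCTP:
        # invalid-sctp-length: common header is 12 bytes (ports, verification tag, checksum)
        if len(payload) < 12:
            return "invalid-sctp-length"
    return "ok"


def build_ipv4(proto: int, payload: bytes, corrupt_checksum: bool = False) -> bytes:
    """Constructed IPv4 header without options (192.0.2.0/24 documentation addresses)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    csum = ipv4_checksum(hdr) ^ (0x0001 if corrupt_checksum else 0)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


# Constructed transport headers used by the samples below.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 8192, 0, 0)  # data offset 5
UDP_DNS = struct.pack("!HHHH", 40000, 53, 12, 0) + b"\x00" * 4               # length field 12
SCTP_HDR = struct.pack("!HHII", 40000, 3868, 0, 0)                           # 12-byte common header

SAMPLES = {
    "tcp-ok": build_ipv4(IPPROTO_TCP, TCP_SYN),
    "udp-ok": build_ipv4(IPPROTO_UDP, UDP_DNS),
    "sctp-ok": build_ipv4(IPPROTO_SCTP, SCTP_HDR),
    "bad-ip-checksum": build_ipv4(IPPROTO_TCP, TCP_SYN, corrupt_checksum=True),
    "truncated-frame": build_ipv4(IPPROTO_TCP, TCP_SYN)[:30],       # total length says 40
    "short-ihl": b"\x42" + build_ipv4(IPPROTO_TCP, TCP_SYN)[1:],    # IHL = 2 words (8 bytes)
    "tcp-short-data-offset": build_ipv4(IPPROTO_TCP, TCP_SYN[:12] + b"\x10" + TCP_SYN[13:]),
    "udp-length-mismatch": build_ipv4(IPPROTO_UDP, UDP_DNS[:4] + b"\x00\x16" + UDP_DNS[6:]),
    "sctp-short-header": build_ipv4(IPPROTO_SCTP, SCTP_HDR[:8]),
}


def run_samples() -> dict:
    """Map each constructed frame to the drop reason classify() reports."""
    return {name: classify(frame) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, reason in run_samples().items():
        print(f"{name:24s} -> {reason}")
```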
----------------------------------------------------------------
invalid-vxlan-segment-id
Invalid VXLAN segment-id:
This counter is incremented when the security appliance decapsulates a VXLAN packet which has an invalid segment-id.
Recommendations:
None.
Syslogs:
778001.
----------------------------------------------------------------
invalid-vxlan-segment-id-fp
Invalid VXLAN in-tag:
This counter is incremented when the security appliance decapsulates a VXLAN packet in FP which has an invalid segment-id.
Recommendations:
None.
Syslogs:
778003.
----------------------------------------------------------------
invalid-vxlan-segment-id-tvi
Invalid VXLAN segment-id on TVI:
This counter is incremented when the TVI interface processes a VXLAN packet which has an invalid segment-id.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
ips-fail
IPS config removed for connection:
This counter is incremented and the packet is dropped when IPS configuration is not found for a particular connection.
Recommendations:
Check if any configuration changes have been made for IPS.
Syslogs:
None
----------------------------------------------------------------
ips-fail-close
IPS card is down:
This counter is incremented and the packet is dropped when IPS card is down and fail-close option was used in IPS inspection.
Recommendations:
Check the IPS card and bring it back into operation.
Syslogs:
420001
----------------------------------------------------------------
ips-license-disabled-fail-close
IPS module license disabled:
This counter is incremented and the packet is dropped when the IPS module license is disabled and the fail-close option was used in IPS inspection.
Recommendations:
Please apply an activation key that has the IPS Module License enabled.
Syslogs:
420008
----------------------------------------------------------------
ips-no-ipv6
Executing IPS software does not support IPv6:
This counter is incremented when an IPv6 packet, configured to be directed toward IPS SSM, is discarded since the software executing on IPS SSM card does not support IPv6.
Recommendations:
Upgrade the IPS software to version 6.2 or later.
Syslogs:
None
----------------------------------------------------------------
ips-preproc
Blocked or blacklisted by the IPS preprocessor:
This counter is incremented and the packet is dropped as requested by the IPS preprocessor.
Recommendations:
Review the snort output in packet tracer or capture with trace enabled.
Syslogs:
None.
----------------------------------------------------------------
ips-request
IPS Module requested drop:
This counter is incremented and the packet is dropped as requested by IPS module when the packet matches a signature on the IPS engine.
Recommendations:
Check syslogs and alerts on IPS module.
Syslogs:
420002
----------------------------------------------------------------
ipsec-clearpkt-notun
IPSec Clear Pkt w/no tunnel:
This counter is incremented when the appliance receives a packet that should have been encrypted but was not. The packet matched the inner header security policy check of an IPSec connection that is configured and established on the appliance, but was received unencrypted. This is a security issue.
Recommendations:
Analyze your network traffic to determine the source of the spoofed IPSec traffic.
Syslogs:
402117
----------------------------------------------------------------
ipsec-decrypt
IPSec packet decryption error:
This counter is incremented when the appliance receives a packet on an IPSec connection that could not be decrypted by the crypto offload hardware, or that was marked invalid because of a problem such as an anti-replay check, a length check, an SA error, an SA or SPI mismatch, or a hardware failure.
Recommendations:
Analyze your network traffic to determine the source of these packets and/or the configuration issue.
Syslogs:
None
----------------------------------------------------------------
ipsec-ipv6
IPSec via IPV6:
This counter is incremented when the appliance receives an IPSec ESP packet, an IPSec NAT-T ESP packet, or an IPSec over UDP ESP packet encapsulated in an IP version 6 header. The appliance does not currently support IPSec sessions encapsulated in IP version 6.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
ipsec-lock-error
IPSec locking error:
This counter is incremented when an IPSec operation is attempted but fails because of an internal locking error.
Recommendations:
This condition should never be encountered during normal operation and may indicate a software problem with the appliance. Contact the Cisco Technical Assistance Center (TAC) if this error occurs.
Syslogs:
None.
----------------------------------------------------------------
ipsec-need-sa
IPSec SA not negotiated yet:
This counter will increment when the appliance receives a packet which requires encryption but has no established IPSec security association. This is a normal condition typically seen in IPSec LAN-to-LAN configurations. This indication causes the appliance to begin ISAKMP negotiation with the destination peer.
Recommendations:
If you have configured IPSec LAN-to-LAN on your appliance, this indication is normal and doesn't indicate a problem. However, if this counter increments rapidly it may indicate a crypto configuration error or network error preventing the ISAKMP negotiation from completing. Verify that you can communicate with the destination peer and verify your crypto configuration via the 'show running-config' command.
Syslogs:
None
----------------------------------------------------------------
ipsec-selector-failure
IPSec VPN inner policy selector mismatch detected:
This counter is incremented when an IPSec packet is received containing an inner IP header that does not match the policy configured for the tunnel.
Recommendations:
Verify that the crypto ACL for the tunnel is correct and that all acceptable packets are included in the tunnel identity. If this message recurs, verify that the box is not under attack.
Syslogs:
402116
----------------------------------------------------------------
ipsec-spoof
IPSec spoof detected:
This counter is incremented when the appliance receives a packet that should have been encrypted but was not. The packet matched the inner header security policy check of an IPSec connection that is configured and established on the appliance, but was received unencrypted. This is a security issue.
Recommendations:
Analyze your network traffic to determine the source of the spoofed IPSec traffic.
Syslogs:
402117
----------------------------------------------------------------
ipsec-tun-down
IPSec tunnel is down:
This counter will increment when the appliance receives a packet associated with an IPSec connection which is in the process of being deleted.
Recommendations:
This is a normal condition seen when an IPSec tunnel is torn down for any reason.
Syslogs:
None
----------------------------------------------------------------
ipsec-tun-need-swap
Needed to swap to another IPSEC tunnel:
This counter is incremented when the appliance receives a packet associated with an IPSec connection that is down and needs to be swapped to another IPSec connection.
Recommendations:
This is a normal condition when an IPSec tunnel goes down and the packet can be moved to another IPSec tunnel. If this occurs frequently, investigate the IPSec tunnel failures.
Syslogs:
None
----------------------------------------------------------------
ipsecudp-keepalive
IPSEC/UDP keepalive message:
This counter will increment when the appliance receives an IPSec over UDP keepalive message. IPSec over UDP keepalive messages are sent from the IPSec peer to the appliance to keep NAT/PAT flow information current in network devices between the IPSec over UDP peer and the appliance. Note - These are not industry standard NAT-T keepalive messages which are also carried over UDP and addressed to UDP port 4500.
Recommendations:
If you have configured IPSec over UDP on your appliance, this indication is normal and doesn't indicate a problem. If IPSec over UDP is not configured on your appliance, analyze your network traffic to determine the source of the IPSec over UDP traffic.
Syslogs:
None
----------------------------------------------------------------
ipv6-ah-denied
AH is denied by IPv6 extension header configuration:
This counter is incremented and the packet is dropped when the appliance receives an IPv6 packet with an AH extension header which is denied by the user configuration rule.
Recommendations:
Check action of 'match header ah' in 'policy-map type ipv6'. Remove action 'drop' if AH should be allowed.
Syslogs:
325004
----------------------------------------------------------------
ipv6-bad-eh
Bad IPv6 extension header is detected and denied:
This counter is incremented and the packet is dropped when the appliance receives an IPv6 packet with a bad extension header.
Recommendations:
Check 'verify-header type' of 'parameters' in 'policy-map type ipv6'. Remove 'verify-header type' if the header conformance can be skipped.
Syslogs:
325005
----------------------------------------------------------------
ipv6-bad-eh-order
IPv6 extension headers not in proper order is detected and denied:
This counter is incremented and the packet is dropped when the appliance receives an IPv6 packet with extension headers not in proper order.
Recommendations:
Check 'verify-header order' of 'parameters' in 'policy-map type ipv6'. Remove 'verify-header order' if the header order can be arbitrary.
Syslogs:
325005
----------------------------------------------------------------
ipv6-dest-option-denied
destination-option is denied by IPv6 extension header configuration:
This counter is incremented and the packet is dropped when the appliance receives an IPv6 packet with a destination-option extension header which is denied by the user configuration rule.
Recommendations:
Check action of 'match header destination-option' in 'policy-map type ipv6'. Remove action 'drop' if destination-option should be allowed.
Syslogs:
325004
----------------------------------------------------------------
ipv6-eh-count-denied
IPv6 extension headers exceeding configured maximum extension headers is denied:
extension header count is denied by IPv6 extension header configuration:
This counter is incremented and the packet is dropped when the appliance receives an IPv6 packet with a fragmentation extension header which is denied by the user configuration rule.
Recommendations:
Check action of 'match header fragmentation' in 'policy-map type ipv6'. Remove action 'drop' if fragmentation should be allowed.
Syslogs:
325004
----------------------------------------------------------------
ipv6-eh-inspect-failed
IPv6 extension header is detected and denied:
This counter is incremented and the packet is dropped when the appliance receives an IPv6 packet but the extension header could not be inspected because a memory allocation failed.
Recommendations:
Check the 'show memory' output to make sure the appliance has enough memory to operate.
Syslogs:
None
----------------------------------------------------------------
ipv6-esp-denied
ESP is denied by IPv6 extension header configuration:
This counter is incremented and the packet is dropped when the appliance receives an IPv6 packet with an ESP extension header which is denied by the user configuration rule.
Recommendations:
Check action of 'match header esp' in 'policy-map type ipv6'. Remove action 'drop' if ESP should be allowed.
Syslogs:
325004
----------------------------------------------------------------
ipv6-fragment-denied
IPv6 fragmentation extension header is denied by user configuration:
This counter is incremented and the packet is dropped when the appliance receives an IPv6 packet with a fragmentation extension header which is denied by the user configuration rule.
Recommendations:
Check action of 'match header fragmentation' in 'policy-map type ipv6'. Remove action 'drop' if fragmentation should be allowed.
Syslogs:
325004
----------------------------------------------------------------
ipv6-hop-by-hop-denied
IPv6 hop-by-hop extension header is denied by user configuration:
This counter is incremented and the packet is dropped when the appliance receives an IPv6 packet with a hop-by-hop extension header which is denied by the user configuration rule.
Recommendations:
Check action of 'match header hop-by-hop' in 'policy-map type ipv6'. Remove action 'drop' if hop-by-hop should be allowed.
Syslogs:
325004
----------------------------------------------------------------
ipv6-mobility-denied
IPv6 mobility extension header is denied by user configuration:
This counter is incremented and the packet is dropped when the appliance receives an IPv6 packet with a mobility extension header which is denied by the user configuration rule.
Recommendations:
Check action of 'match header mobility' in 'policy-map type ipv6'. Remove action 'drop' if mobility should be allowed.
Syslogs:
325004
----------------------------------------------------------------
ipv6-mobility-type-denied
IPv6 mobility type extension header is denied by user configuration:
This counter is incremented and the packet is dropped when the appliance receives an IPv6 packet with a mobility type extension header which is denied by the user configuration rule.
Recommendations:
Check action of 'match header mobility type' in 'policy-map type ipv6'. Remove action 'drop' if mobility should be allowed.
Syslogs:
325004
----------------------------------------------------------------
ipv6-routing-type-denied
routing type is denied by IPv6 extension header configuration:
This counter is incremented and the packet is dropped when the appliance receives an IPv6 packet with a routing type extension header which is denied by the user configuration rule.
Recommendations:
Check action of 'match header routing-type' in 'policy-map type ipv6'. Remove action 'drop' if routing-type should be allowed.
Syslogs:
325004
----------------------------------------------------------------
ipv6-sp-security-failed
IPv6 slowpath security checks failed:
This counter is incremented and the packet is dropped for one of the following reasons:
1) IPv6 through-the-box packet with identical source and destination address.
2) IPv6 through-the-box packet with linklocal source or destination address.
3) IPv6 through-the-box packet with multicast destination address.
Recommendations:
These packets could indicate malicious activity, or could be the result of a misconfigured IPv6 host. Use the packet capture feature to capture type asp packets, and use the source MAC address to identify the source.
Syslogs:
For identical source and destination address, syslog 106016, else none.
----------------------------------------------------------------
l2_acl
FP L2 rule drop:
This counter will increment when the appliance denies a packet due to a layer-2 ACL. By default, in routed mode the appliance will PERMIT:
1) IPv4 packets
2) IPv6 packets
3) ARP packets
4) L2 Destination MAC of FFFF:FFFF:FFFF (broadcast)
5) IPv4 MCAST packet with destination L2 of 0100:5E00:0000-0100:5EFE:FFFF
6) IPv6 MCAST packet with destination L2 of 3333:0000:0000-3333:FFFF:FFFF
By default, in transparent mode the appliance permits the routed mode ACL and ALSO PERMITS:
1) BPDU packets with destination L2 of 0100:0CCC:CCCD
2) Appletalk packets with destination L2 of 0900:0700:0000-0900:07FF:FFFF
The user can also configure ethertype ACL(s) and apply them to an interface to permit other types of L2 traffic.
Note - Packets permitted by L2 ACLs may still be dropped by L3-L4 ACLs.
Recommendations:
If you are running the appliance/context in transparent mode and your NON-IP packets are dropped by the appliance, you can configure an ethertype ACL and apply the ACL to an access group. Note - the appliance ethertype CLI only supports protocol types and not L2 destination MAC addresses.
Syslogs:
106026, 106027
----------------------------------------------------------------
l2_acl_vxlan
FP L2 rule VXLAN drop:
This counter will increment when the appliance denies a packet because it fails to locate VXLAN out_tag when applying layer-2 ACL checks.
Recommendations:
This only happens under VXLAN based tag-switching use case. Please make sure VXLAN segment-id configuration and tag switching table are correct.
Syslogs:
None
----------------------------------------------------------------
l2_same-lan-port
L2 Src/Dst same LAN port:
This counter will increment when the appliance/context is configured for transparent mode and the appliance determines that the destination interface's L2 MAC address is the same as its ingress interface.
Recommendations:
This is a normal condition when the appliance/context is configured for transparent mode. Since the appliance interface is operating in promiscuous mode, the appliance/context receives all packets on the local LAN segment.
Syslogs:
None
----------------------------------------------------------------
loopback-buffer-full
Loopback buffer full:
This counter is incremented and the packet is dropped when packets are sent from one context of the appliance to another context through a shared interface and there is no buffer space in loopback queue.
Recommendations:
Check system CPU to make sure it is not overloaded.
Syslogs:
None
----------------------------------------------------------------
loopback-count-exceeded
Loopback count exceeded:
This counter is incremented and the packet is dropped when a packet is sent from one context of the appliance to another context through a shared interface, but this packet has exceeded the number of times it is allowed to queue to the loopback queue.
Recommendations:
Check the context configuration for each context. The packet is entering a loop in the context configurations so that it is stuck between contexts, and is repeatedly put into the loopback queue.
Syslogs:
None
----------------------------------------------------------------
loopback-ifc-not-found
Loopback output interface not found:
This counter is incremented and the packet is dropped when packets are sent from one context of the appliance to another context through a shared interface, and the output interface is not found by the loopback queue.
Recommendations:
This condition should never be encountered during normal operation and may indicate a software problem with the appliance. Contact the Cisco Technical Assistance Center (TAC) if this error occurs.
Syslogs:
None
----------------------------------------------------------------
loopback-lock-failed
Loopback lock failed:
This counter is incremented and the packet is dropped when packets are sent from one context of the appliance to another context through a shared interface and the loopback queue has failed to acquire a lock.
Recommendations:
This condition should never be encountered during normal operation and may indicate a software problem with the appliance. Contact the Cisco Technical Assistance Center (TAC) if this error occurs.
Syslogs:
None
----------------------------------------------------------------
lu-invalid-pkt
Invalid LU packet:
Standby unit received a corrupted Logical Update packet.
Recommendations:
The packet corruption could be caused by a bad cable, interface card, line noise, or software defect. Report this problem to Cisco TAC even if the interface appears to be functioning correctly.
Syslogs:
None
----------------------------------------------------------------
mcast-in-nonactive-device
The device in HA mode received a multicast packet when it is not in active state:
This reason is given for dropping a packet when the device is in HA mode and is currently not in active state and a multicast packet is received. As the HA device can only process the multicast in the active state, the received packet will be dropped.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
memif-non-ip-pkt
MEMIF Non IP Packet:
This counter is incremented when any non IP packet is received on Memif for policy lookup. Non IP packets are dropped in that case.
Recommendations:
Investigate why a NON IP packet is being sent by the sender for policy lookup.
Syslogs:
None.
----------------------------------------------------------------
memif-non-policy-pkt
MEMIF No Policy Packet:
This counter is incremented when any packet is received on Memif not tagged for policy lookup. Such packets are dropped in that case.
Recommendations:
Investigate why a NON IP packet is being sent by the sender for policy lookup.
Syslogs:
None.
----------------------------------------------------------------
meta-expired
Expired flow:
This counter is incremented when the security appliance tries to inject a new or cached packet belonging to a flow that has already expired. It is also incremented when the appliance attempts to send an RST on a TCP flow that has already expired, or when a packet returns from the IDS blade but the flow has already expired. The packet is dropped.
Recommendations:
If valid applications are getting pre-empted, investigate if a longer timeout is needed.
Syslogs:
None.
----------------------------------------------------------------
monitor-only-mode-hdr-mismatch
Monitor-only mode packets:
This counter is incremented and the packet dropped if there is a mismatch in monitor-only mode config and the AFBP header flag.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
mp-pf-queue-full
Port Forwarding Queue Is Full:
This counter is incremented when the internal queue of the port forwarding application is full and another transmit packet is received.
Recommendations:
This indicates that a software error should be reported to Cisco TAC.
Syslogs:
None.
----------------------------------------------------------------
mp-send-cp-fail
SVC Module send CP error failed:
This counter will increment when the security appliance cannot send the error information to CP.
Recommendations:
This indicates that a software error should be reported to Cisco TAC.
Syslogs:
None.
----------------------------------------------------------------
mp-service-inject-failed
SERVICE Module failed to inject a packet:
This error occurs if an attempt to inject a packet via the SERVICE Module fails.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
mp-svc-addr-renew-response
SVC Module received address renew response data frame:
This counter is incremented when the security appliance receives an Address Renew Response message from the SVC. The SVC does not send this message.
Recommendations:
This indicates that an SVC software error should be reported to the Cisco TAC.
Syslogs:
None.
----------------------------------------------------------------
mp-svc-async-qlimit
SVC Module reached ASYNC Q LIMIT:
DTLS outbound packets are hashed and queued to an ASYNC LOCK Q. On the FPR4245, each async lock Q is limited to 5000 packets. When an attempt is made to queue more packets than that, drops occur and this counter is incremented.
Recommendations:
This can occur on the FPR4245 in the case of DTLS sessions. If this degrades performance, contact Cisco TAC.
Syslogs:
None.
----------------------------------------------------------------
mp-svc-bad-compress
SVC Module unable to compress a packet:
This counter is incremented when a packet to be sent to an AnyConnect client is not able to be compressed.
Recommendations:
Disable all compression for the AnyConnect client.
Syslogs:
None.
----------------------------------------------------------------
mp-svc-bad-decompress
SVC Module unable to decompress a packet:
This counter is incremented when a packet received from an AnyConnect client is not able to be decompressed.
Recommendations:
Disable all compression for the AnyConnect client.
Syslogs:
None.
----------------------------------------------------------------
mp-svc-bad-framing
SVC Module received badly framed data:
This counter is incremented when the security appliance receives a packet from the SVC, or from the control software, that cannot be decoded.
Recommendations:
This indicates that a software error should be reported to Cisco TAC. The SVC or the security appliance may be at fault.
Syslogs:
722037 (Only for SVC received data).
----------------------------------------------------------------
mp-svc-bad-length
SVC Module received bad data length:
This counter is incremented when the security appliance receives a packet from the SVC, or from the control software, whose specified length does not match the calculated length.
Recommendations:
This indicates that a software error should be reported to Cisco TAC. The SVC or the security appliance may be at fault.
Syslogs:
722037 (Only for SVC received data).
----------------------------------------------------------------
mp-svc-compress-error
SVC Module compression error:
This counter is incremented when the security appliance detects an error while compressing data for the SVC.
Recommendations:
This indicates that a software error should be reported to Cisco TAC. The SVC or the security appliance may be at fault.
Syslogs:
722037.
----------------------------------------------------------------
mp-svc-decompress-error
SVC Module decompression error:
This counter is incremented when the security appliance detects an error while decompressing data from the SVC.
Recommendations:
This indicates that a software error should be reported to Cisco TAC. The SVC or the security appliance may be at fault.
Syslogs:
722037.
----------------------------------------------------------------
mp-svc-delete-in-progress
SVC Module received data while connection was being deleted:
This counter is incremented when the security appliance receives a packet associated with an SVC connection that is in the process of being deleted.
Recommendations:
This is a normal condition when the SVC connection is torn down for any reason. If this error occurs repeatedly, the client may have a problem with its network connection.
Syslogs:
None.
----------------------------------------------------------------
mp-svc-flow-control
SVC Session is in flow control:
This counter is incremented when the security appliance must drop data because the SVC is temporarily unable to receive more data.
Recommendations:
Use a packet capture of type asp-drop to determine the direction of the packet. Most often this indicates that the client is unable to accept more data. On rare occasions, the counter can indicate that the appliance cannot handle the inbound traffic if the packet direction is towards the appliance.
Syslogs:
None.
----------------------------------------------------------------
mp-svc-invalid-mac
SVC Module found invalid L2 data in the frame:
This counter is incremented when the security appliance detects that the L2 MAC header attached to data received from the SVC is invalid.
Recommendations:
This indicates that a software error should be reported to Cisco TAC.
Syslogs:
None.
----------------------------------------------------------------
mp-svc-invalid-mac-len
SVC Module found invalid L2 data length in the frame:
This counter is incremented when the security appliance detects that the L2 MAC length attached to data received from the SVC is invalid.
Recommendations:
This indicates that a software error should be reported to Cisco TAC.
Syslogs:
None.
----------------------------------------------------------------
mp-svc-invalid-src-addr
SVC Module found invalid inner SRC address:
This counter is incremented when the security appliance detects that the inner SRC address attached to data received from the SVC is invalid.
Recommendations:
This indicates that a software error should be reported to Cisco TAC.
Syslogs:
None.
----------------------------------------------------------------
mp-svc-no-channel
SVC Module does not have a channel for reinjection:
This counter is incremented when the interface on which the encrypted data was received cannot be found when injecting the decrypted data.
Recommendations:
If an interface is shut down during a connection, this could happen; re-enable/check the interface. If the interface was not shut down during the connection, this indicates that a software error should be reported to Cisco TAC.
Syslogs:
None.
----------------------------------------------------------------
mp-svc-no-fragment
SVC Module unable to fragment packet:
This counter is incremented when fragmentation of a packet to be sent to the SVC is not permitted, or when there are not enough data buffers to fragment the packet.
Recommendations:
Increase the MTU of the SVC to reduce fragmentation. Avoid using applications that do not permit fragmentation. Reduce the load on the device to increase the available data buffers.
Syslogs:
None.
----------------------------------------------------------------
mp-svc-no-mac
SVC Module unable to find L2 data for frame:
This counter is incremented when the security appliance cannot find the L2 MAC header for data received from the SVC.
Recommendations:
This indicates that a software error should be reported to Cisco TAC.
Syslogs:
None.
----------------------------------------------------------------
mp-svc-no-prepend
SVC Module does not have enough space to insert header:
This counter is incremented when there is not enough space in front of the packet data to prepend the MAC header needed to place the packet on the network.
Recommendations:
This indicates that a software error should be reported to Cisco TAC.
Syslogs:
None.
----------------------------------------------------------------
mp-svc-no-session
SVC Module does not have a session:
This counter is incremented when the security appliance cannot determine the SVC session over which this data must be transmitted.
Recommendations:
This indicates that a software error should be reported to Cisco TAC.
Syslogs:
None.
----------------------------------------------------------------
mp-svc-session-frag-fail
SVC Module failed to send fragmentation failure:
This counter is incremented when the security appliance is unable to generate an ICMP error message.
Recommendations:
This condition should never be encountered during normal operation and may indicate a software problem with the appliance. Contact the Cisco Technical Assistance Center (TAC) if this error occurs.
Syslogs:
None.
----------------------------------------------------------------
mp-svc-session-lock-failure
SVC Module failed to acquire the session lock:
This counter will increment when the security appliance cannot grab the lock for the SVC session that this data should be transmitted over.
Recommendations:
This condition should never be encountered during normal operation and may indicate a software problem with the appliance. Contact the Cisco Technical Assistance Center (TAC) if this error occurs.
Syslogs:
None.
----------------------------------------------------------------
mp-svc-unknown-type
SVC Module received unknown data frame:
This counter is incremented when the security appliance receives a packet from the SVC whose data type is unknown.
Recommendations:
Validate that the SVC being used by the client is compatible with the version of security appliance software.
Syslogs:
None.
----------------------------------------------------------------
nat-64-or-46-conversion-fail
IPv6 to IPv4 or vice-versa conversion failure:
This condition occurs when there is a failure in conversion of IPv6 traffic to IPv4 or vice-versa.
Recommendations:
Verify if the NAT64 or NAT46 policies are configured properly.
Syslogs:
None.
----------------------------------------------------------------
nat-cluster-input
NAT invalid input:
An input value for clustering communication contains an unexpected or invalid value.
Recommendations:
This could be an internal software error. Contact the reseller from which the product was purchased.
Syslogs:
None.
----------------------------------------------------------------
nat-cluster-invalid-unxlate-redirect
Cluster member dropped an invalid NAT untranslate redirect packet from peer:
Cluster member received a NAT untranslate packet from peer. However this member does not own the NAT address pool the packet belongs to.
Recommendations:
This counter is a temporal condition after a cluster member failure. However, if this counter is incremented continuously, it could be an internal software error. Contact Cisco Systems in such a case.
Syslogs:
None.
----------------------------------------------------------------
nat-cluster-pool-update-fail
Cluster control node failed to send NAT pool update to data node:
The cluster control node failed to send the NAT pool update to the data node. This drop will increase if system resources are low.
Recommendations:
- Observe if free system memory is low.
- Observe if "SEC_NAT_SEND_NO_BUFFER" counter is increasing.
Syslogs:
None.
----------------------------------------------------------------
nat-host-pb-limits-reached
NAT failed due to host limits reached:
Creation of an xlate to translate the IP or transport header failed because the host reached its port block limit.
Recommendations:
Check 'show local host' to verify the host allocation for xlate and port block creation.
Syslogs:
305016
----------------------------------------------------------------
nat-no-xlate-to-pat-pool
NAT no xlate to pat pool:
No pre-existing xlate found for a connection with a destination matching a mapped address in a PAT pool.
Recommendations:
Configure static PAT if access is desired.
Syslogs:
None.
----------------------------------------------------------------
nat-rpf-failed
NAT reverse path failed:
An attempt to connect to a translated host using the translated host's real address was rejected.
Recommendations:
When not on the same interface as the host through NAT, use the mapped address instead of the real address to connect to the host. Also, if the application embeds IP addresses, enable the appropriate inspect command.
Syslogs:
305005
----------------------------------------------------------------
nat-xlate-failed
NAT failed:
Creation of an xlate to translate the IP or transport header failed.
Recommendations:
If NAT is not desired, disable "nat-control". Otherwise, use the "static", "nat" or "global" command to configure NAT policy for the dropped flow. For dynamic NAT, ensure that each "nat" command is paired with at least one "global" command. Use "show nat" and "debug pix process" to verify NAT rules.
Syslogs:
305005, 305006, 305009, 305010, 305011, 305012
----------------------------------------------------------------
nat-xlate-pool-exhausted
NAT failed due to pool exhaustion:
Creation of an xlate to translate the IP or transport header failed because the pool is exhausted.
Recommendations:
Check "show nat pool" to see how the NAT pool is allocated for xlate creation.
Syslogs:
305005, 305006, 305009, 305010, 305011, 305012
----------------------------------------------------------------
natt-keepalive
NAT-T keepalive message:
This counter will increment when the appliance receives an IPSec NAT-T keepalive message. NAT-T keepalive messages are sent from the IPSec peer to the appliance to keep NAT/PAT flow information current in network devices between the NAT-T IPSec peer and the appliance.
Recommendations:
If you have configured IPSec NAT-T on your appliance, this indication is normal and doesn't indicate a problem. If NAT-T is not configured on your appliance, analyze your network traffic to determine the source of the NAT-T traffic.
Syslogs:
None
----------------------------------------------------------------
no-adjacency
No valid adjacency:
This counter is incremented when the security appliance has tried to obtain an adjacency and could not obtain the mac-address for the next hop. The packet is dropped.
Recommendations:
Configure a capture for this drop reason and check if a host with specified destination address exists on connected network or is routable from the device.
Syslogs:
None.
----------------------------------------------------------------
no-mcast-entry
FP no mcast entry:
A packet has arrived that matches a multicast flow, but the multicast service is no longer enabled, or was re-enabled after the flow was built.
- OR -
After the packet was punted to the CP, a change to the multicast entry was detected and the NP cannot forward the packet because the entry no longer exists.
Recommendations:
Reenable multicast if it is disabled.
- OR -
No action required.
Syslogs:
None
----------------------------------------------------------------
no-mcast-intrf
FP no mcast output intrf:
All output interfaces have been removed from the multicast entry.
- OR -
The multicast packet could not be forwarded.
Recommendations:
Verify that there are no longer any receivers for this group.
- OR -
Verify that a flow exists for this packet.
Syslogs:
None
----------------------------------------------------------------
no-paired-ifc
No valid adjacency:
This counter is incremented when the security appliance has tried to obtain an adjacency and could not obtain the mac-address for the next hop. The packet is dropped.
Recommendations:
Configure a capture for this drop reason and check if a host with specified destination address exists on connected network or is routable from the device.
Syslogs:
None.
----------------------------------------------------------------
no-route
No route to host:
This counter is incremented when the security appliance tries to send a packet out of an interface and does not find a route for it in routing table.
Recommendations:
Verify that a route exists for the destination address obtained from the generated syslog.
Syslogs:
110001.
----------------------------------------------------------------
no-route-to-peer-nve
No route to peer NVE:
This counter is incremented when the security appliance fails to locate next hop to peer NVE.
Recommendations:
Verify peer NVE is reachable via source-interface.
Syslogs:
None.
----------------------------------------------------------------
no-same-security-traffic
No same-security-traffic configured:
This counter is incremented when the decrypt and encrypt tunnel is owned by the same interface and same-security-traffic is not configured.
Recommendations:
Configure "same-security-traffic permit intra-interface".
Syslogs:
None.
----------------------------------------------------------------
no-v4-adjacency
No valid adjacency:
This counter is incremented when the security appliance has tried to obtain an adjacency and could not obtain the mac-address for the next hop. The packet is dropped.
Recommendations:
Configure a capture for this drop reason and check if a host with specified destination address exists on connected network or is routable from the device.
Syslogs:
None.
----------------------------------------------------------------
no-v6-adjacency
No valid adjacency:
This counter is incremented when the security appliance has tried to obtain an adjacency and could not obtain the mac-address for the next hop. The packet is dropped.
Recommendations:
Configure a capture for this drop reason and check if a host with specified destination address exists on connected network or is routable from the device.
Syslogs:
None.
----------------------------------------------------------------
no-valid-nve-ifc
No valid NVE interface:
This counter is incremented when the security appliance fails to identify the NVE interface for a VNI interface.
Recommendations:
Verify that the nve is configured for all interfaces.
Syslogs:
None.
----------------------------------------------------------------
no-valid-vni-ifc
No valid VNI interface:
This counter is incremented when the security appliance fails to identify the VNI interface by a given segment-id.
Recommendations:
Verify that the segment-id in the syslog is configured on an interface.
Syslogs:
778002.
----------------------------------------------------------------
non-ip-pkt-in-routed-mode
Non-IP packet received in routed mode:
This counter is incremented when the appliance receives a packet that is not IPv4, IPv6, or ARP and the appliance or context is configured in routed mode. In normal operation such packets should be dropped by the default L2 ACL configuration.
Recommendations:
This indicates a software error that should be reported to Cisco TAC.
Syslogs:
106026, 106027
----------------------------------------------------------------
none
Not a Blocking Packet:
This counter is incremented when the packet is not blocked.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
np-socket-closed
Dropped pending packets in a closed socket:
When a socket is abruptly closed by the user or by software, the pending packets in that socket's pipeline are also dropped. This counter is incremented each time a packet is dropped from the pipeline of such a socket.
Recommendations:
It is common to see this counter increment as part of normal operation. However, if the counter is increasing rapidly and socket-based applications are malfunctioning significantly, a software defect may be the cause. Contact Cisco TAC to investigate the issue further.
Syslogs:
None.
----------------------------------------------------------------
np-socket-lock-failure
Dropped pending packets due to a failed attempt to get an internal socket lock:
This error occurs if an attempt to grab an internal socket lock fails.
Recommendations:
This condition should not occur during normal operation and may indicate a software problem on the appliance. If this error occurs, contact the Cisco Technical Assistance Center (TAC).
Syslogs:
None.
----------------------------------------------------------------
np-sp-invalid-spi
Invalid SPI:
This counter will increment when the appliance receives an IPSec ESP packet addressed to the appliance which specifies a SPI (security parameter index) not currently known by the appliance.
Recommendations:
Occasional invalid SPI indications are common, especially during rekey processing. If you see many invalid SPI indications, it may indicate a problem or a DoS attack. If invalid SPI indications appear frequently, analyze your network traffic to determine the source of the ESP traffic.
Syslogs:
402114
----------------------------------------------------------------
object-group-search-threshold-exceeded
object group search threshold exceeded:
This counter is incremented when a packet is checked against an access-list and the number of access-list object-groups that matched the packet exceeds 10000. If this occurs, the packet is dropped. Access-list checks can negatively impact the performance of the device when a packet matches an excessive number of object-groups when object-group-search access-control feature is enabled.
Recommendations:
Reconfigure the access-list and object-group configuration to ensure that traffic will not match an excess number of object-groups. Usually this problem is triggered by a large number of overlapping or duplicated objects. Examine the traffic being dropped with 'capture asp type asp-drop ogs-match-limit-exceeded', then 'show capture asp'.
Syslogs:
None.
----------------------------------------------------------------
packet-infinite-looping
Infinite looping of packet:
This counter is incremented and the packet is dropped when an attempt is made to queue the packet to the loopback queue and its output interface triggers an infinite loop.
Recommendations:
This should never happen. It may indicate incorrect internal handling of the packet; the packet is caught in an infinite loop on the interface.
Syslogs:
None
----------------------------------------------------------------
passenger-flow-handling-failed
Passenger flow processing error mishandling:
This counter is incremented and the packet is dropped when the security appliance receives a supported tunneled IP packet and an error occurs while processing the passenger IP packet.
Recommendations:
No action required.
Syslogs:
None
----------------------------------------------------------------
passenger-flow-invalid-encap-request
Passenger flow processing error invalid tunnel encap request:
This counter is incremented and the packet is dropped when the security appliance attempts to encapsulate an IP packet and an error occurs because the requested tunnel encapsulation is invalid.
Recommendations:
No action required.
Syslogs:
None
----------------------------------------------------------------
passenger-flow-malformed-packet
Passenger flow processing error malformed tunnel encap:
This counter is incremented and the packet is dropped when the security appliance receives a supported tunneled IP packet and an error occurs because the tunnel encapsulation is malformed.
Recommendations:
No action required.
Syslogs:
None
----------------------------------------------------------------
passenger-flow-no-encap-info
Passenger flow processing error missing tunnel encap info:
This counter is incremented and the packet is dropped when the security appliance attempts to encapsulate an IP packet and an error occurs because the required tunnel encapsulation information is missing.
Recommendations:
No action required.
Syslogs:
None
----------------------------------------------------------------
passenger-flow-unsupported-encap
Passenger flow processing error unsupported tunnel encap:
This counter is incremented and the packet is dropped when the security appliance receives an unsupported tunneled IP packet and an error occurs because the passenger-flow processing bypass failed.
Recommendations:
No action required.
Syslogs:
None
----------------------------------------------------------------
passenger-flow-unsupported-payload
Passenger flow processing error unsupported tunnel encap:
This counter is incremented and the packet is dropped when the security appliance receives a supported tunneled IP packet and an error occurs because the tunnel payload is unsupported and the passenger-flow processing bypass failed.
Recommendations:
No action required.
Syslogs:
None
----------------------------------------------------------------
pat-pool-interface-mismatch
PAT pool interface mismatch:
There is a mismatch between the current pool interface and the runtime port-allocation data. This usually happens when a dynamic PAT rule using the same pool is removed and added back on the "any" interface, or vice-versa.
Recommendations:
Please execute the following recommended steps:
1) Remove the current policy which resulted in this inconsistent state.
2) Clear the active translations established by the removed policy with "clear xlate global <ip1[-ip2]>" [on all nodes in the cluster].
3) Make sure there are no active translations using the previous global IPs, through "cluster exec show xlate global <ip1[-ip2]>" [on all nodes in the cluster].
4) Add back the policy with the needed interface and pat-pool options.
Syslogs:
None.
----------------------------------------------------------------
pat-port-block-state-mismatch
PAT port block state mismatch:
There is a mismatch between port block state and configuration across cluster. This usually happens when a dynamic PAT rule is converted from "block-allocation" to regular or vice-versa with active translations.
Recommendations:
Please execute the following recommended steps:
1) Remove the current policy which resulted in this inconsistent state.
2) Clear the active translations established by the removed policy with "cluster exec clear xlate global <ip1[-ip2]>".
3) Make sure there are no active translations using previous global IPs, through "cluster exec show xlate global <ip1[-ip2]>".
4) Add back the policy with the needed pat-pool options.
Syslogs:
None.
----------------------------------------------------------------
pbr-next-hop-same
Drop the packet if next hop of pbr is self:
This counter is incremented and the packet is dropped as the next hop configured on pbr is of connected IP.
Recommendations:
Do Not add connected ip as next hop in PBR .
Syslogs:
None.
----------------------------------------------------------------
pdts-non-fragmented-pkt-received-err
Non-fragmented packet received from snort:
This counter is incremented when a non-fragmented packet is received from Snort.
Recommendations:
Enable and review the module specific snort/pdts debug messages.
Syslogs:
None.
----------------------------------------------------------------
pdts-punt-limit-exceeded
PDTS Punt limit exceeded:
This counter is incremented and the packet is dropped when the datapath punts packets to inspectors and the number of packets queued exceeds the maximum limit.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
pdts-received-first-pkt-fragment-id-ooo
First packet received from snort fragment number is out of order:
This counter is incremented when the fragment number of the first packet received from Snort is incorrect.
Recommendations:
Enable and review the module specific snort/pdts debug messages.
Syslogs:
None.
----------------------------------------------------------------
pdts-received-pkt-fragment-id-ooo
Packet received from snort fragment ID is out of order:
This counter is incremented when the fragment ID of a packet received from Snort is incorrect.
Recommendations:
Enable and review the module specific snort/pdts debug messages.
Syslogs:
None.
----------------------------------------------------------------
pdts-received-pkt-fragment-num-ooo
Packet received from snort fragment number is out of order:
This counter is incremented when the fragment number of a packet received from Snort is incorrect.
Recommendations:
Enable and review the module specific snort/pdts debug messages.
Syslogs:
None.
----------------------------------------------------------------
pdts-received-pkt-marked-drop-by-dp
Flow marked as drop by snort:
This counter is incremented when a flow is marked as drop by Snort.
Recommendations:
Enable and review the module specific snort/pdts debug messages.
Syslogs:
None.
----------------------------------------------------------------
pdts-snort-info-missing
Flow missing pdts snort info:
This counter is incremented and the packet is dropped when a flow to be inspected by the Snort is missing relevant info to capture Snort data.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
permit-validate
Permit validation failed:
This reason is given when, during establishment of the initial connection, the registered validation for this listener fails and the packet is dropped.
Recommendations:
If this counter is incrementing rapidly, check the syslog to identify which hosts are failing validation on the specified listener.
Syslogs:
201011
----------------------------------------------------------------
pkt-inject-queue-limit
Async lock queue limit reached at packet injection:
There are 32K asynchronous lock queues to which packets may be hashed. The number of packets in each queue is limited to 1000. When more packets are attempted, tail drop occurs and this counter is incremented.
Recommendations:
If this happens excessively, find out which queues are affected and the connections hashing to that queue. Send this information to development.
Syslogs:
None
----------------------------------------------------------------
platform-unlicensed
ASAv platform is unlicensed:
The ASAv is not licensed. All data traffic traversing the appliance will be dropped until the ASAv is licensed.
Recommendations:
Check the platform license state with "show activation-key" and install the appropriate ASAv platform license.
Syslogs:
None.
----------------------------------------------------------------
pmtu-reinject-fail
Dispatch PMTU Reinject Fail:
ICMP PMTU failed to enqueue into the global dispatch work queue:
A forwarded data packet failed to enqueue into global dispatch work queue.
Recommendations:
This could be an internal software error. Contact the vendor from whom you purchased the product.
Syslogs:
None.
----------------------------------------------------------------
policy-params-failed
Unable to create policy params:
This counter is incremented and every packet is dropped when the data-plane does not have a valid policy installed in the security context.
Recommendations:
If this is incrementing check the data plane logs to see why there was a policy install failure.
Syslogs:
None
----------------------------------------------------------------
prefilter
Blocked or blacklisted by the prefilter preprocessor:
This counter is incremented and the packet is dropped as requested by the prefilter preprocessor.
Recommendations:
Review the snort output in packet tracer or capture with trace enabled.
Syslogs:
None.
----------------------------------------------------------------
punt-no-mem
Punt no memory:
This counter is incremented and the packet is dropped when there is no memory to create data structure for punting a packet to Control Point.
Recommendations:
No action needs to be taken if this condition is transient. If this condition persists due to low memory, then system upgrade might be necessary.
Syslogs:
None
----------------------------------------------------------------
punt-queue-limit
Punt queue limit exceeded:
This counter is incremented and the packet is dropped when punt queue limit is exceeded, an indication that a bottle-neck is forming at Control Point.
Recommendations:
No action needs to be taken. This is a design limit.
Syslogs:
None
----------------------------------------------------------------
punt-rate-limit
Punt rate limit exceeded:
This counter will increment when the appliance attempts to forward a layer-2 packet to a rate-limited control point service routine and the rate limit (per second) is being exceeded. Currently, the only layer-2 packets destined for a control point service routine which are rate limited are ARP packets. The rate limit for ARP packets is 500 ARPs per second per interface.
Recommendations:
Analyze your network traffic to determine the reason behind the high rate of ARP packets.
Syslogs:
322002, 322003
----------------------------------------------------------------
punt_action
FP L2 rule drop:
This counter will increment when the appliance denies a packet due to a layer-2 ACL. By default, in routed mode the appliance will PERMIT:
1) IPv4 packets
2) IPv6 packets
3) ARP packets
4) L2 Destination MAC of FFFF:FFFF:FFFF (broadcast)
5) IPv4 MCAST packet with destination L2 of 0100:5E00:0000-0100:5EFE:FFFF
6) IPv6 MCAST packet with destination L2 of 3333:0000:0000-3333:FFFF:FFFF
By default, in Transparent mode permits the routed mode ACL and PERMITS:
1) BPDU packets with destination L2 of 0100:0CCC:CCCD
2) Appletalk packets with destination L2 of 0900:0700:0000-0900:07FF:FFFF
The user can also configure ethertype ACL(s) and apply them to an interface to permit other types of L2 traffic.
Note - Packets permitted by L2 ACLs may still be dropped by L3-L4 ACLs.
Recommendations:
If you are running the appliance/context in transparent mode and your NON-IP packets are dropped by the appliance, you can configure an ethertype ACL and apply the ACL to an access group. Note - the appliance ethertype CLI only supports protocol types and not L2 destination MAC addresses.
Syslogs:
106026, 106027
----------------------------------------------------------------
queue-removed
Rate-limiter queued packet dropped:
When QoS config is changed or removed, the existing packets in the output queues awaiting transmission are dropped and this counter is incremented.
Recommendations:
Under normal conditions, this may be seen when the QoS configuration has been changed by the user. If this occurs when no changes to QoS config were performed, please contact Cisco Technical Assistance Center (TAC).
Syslogs:
None.
----------------------------------------------------------------
quic-initial-malformed-pkt
QUIC Initial Malformed pkt received:
This counter is incremented and the packet is dropped when the QUIC proxy receives a malformed Initial packet.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
quic-malformed-pkt
QUIC Malformed pkt received:
This counter is incremented and the packet is dropped when the QUIC proxy receives a malformed packet.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
quic-proxy-0rtt-pkt-drop
QUIC Proxy 0RTT received:
This counter is incremented and the packet is dropped when the QUIC proxy receives a 0RTT packet.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
quic-proxy-alloc-fail
QUIC Allocation failed:
This counter is incremented and the packet is dropped when the QUIC proxy meta allocation fails.
Syslogs:
None
----------------------------------------------------------------
quic-proxy-destroy-tx-queue-drop
QUIC Proxy destroy queue packet drop:
This counter is incremented and the packet is dropped when the tx queue is destroyed.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
quic-proxy-invalid-cid
QUIC Proxy invalid connection-id packet drop:
This counter is incremented and the packet is dropped when connection-id validation fails.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
quic-proxy-large-reassembly-packet
QUIC Proxy large reassembly packet:
This counter is incremented and the packet is dropped when a packet is received for a nonexistent flow and the packet is not an Initial packet.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
quic-proxy-non-quic-pkt-drop
QUIC Proxy dropping packet as packet type cannot be deduced:
This counter is incremented and the packet is dropped when the QUIC library cannot deduce the packet type.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
quic-proxy-null-flow-drop
QUIC Proxy NULL flow:
This counter is incremented and the packet is dropped when the QUIC proxy receives a packet for a nonexistent flow.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
quic-proxy-null-flow-drop-after-fover
QUIC Proxy NULL flow:
This counter is incremented and the packet is dropped when the QUIC proxy receives a packet for a nonexistent flow after failover.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
quic-proxy-only-ack-drop
QUIC Proxy only Ack received:
This counter is incremented and the packet is dropped when the QUIC proxy receives a packet containing only an ACK.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
quic-proxy-quic-ping-pkt-drop
QUIC Proxy PING received:
This counter is incremented and the packet is dropped when the QUIC proxy receives a PING packet.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
quic-proxy-residue-packet
QUIC Proxy residue packet:
This counter is incremented and the packet is dropped when a packet is received for a nonexistent flow and the packet is not an Initial packet.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
rate-exceeded
QoS rate exceeded:
This counter is incremented when rate-limiting (policing) is configured on an egress/ingress interface and the egress/ingress traffic rate exceeds the configured burst rate. Each time a packet is dropped, this counter is incremented.
Recommendations:
Investigate and determine why the rate of traffic leaving/entering the interface is higher than the configured rate. This may be normal, or it may indicate a virus infection or an attack.
Syslogs:
None.
----------------------------------------------------------------
reason-info
Preprocessor sending packet info to tracer:
This counter is used internally by snort.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
reinject-fail
Expired flow:
This counter is incremented when the security appliance tries to inject a new or cached packet belonging to a flow that has already expired. It is also incremented when the appliance attempts to send an RST on a TCP flow that has already expired, or when a packet returns from the IDS blade but the flow had already expired. The packet is dropped.
Recommendations:
If valid applications are getting pre-empted, investigate if a longer timeout is needed.
Syslogs:
None.
----------------------------------------------------------------
reputation
Blocked or blacklisted by the reputation preprocessor:
This counter is incremented and the packet is dropped as requested by the reputation preprocessor.
Recommendations:
Review the snort output in packet tracer or capture with trace enabled.
Syslogs:
None.
----------------------------------------------------------------
rm-conn-limit
RM connection limit reached:
This counter is incremented when the maximum number of connections for a context or the system has been reached and a new connection is attempted.
Recommendations:
The device administrator can use the commands 'show resource usage' and 'show resource usage system' to view context and system resource limits and 'Denied' counts and adjust resource limits if desired.
Syslogs:
321001
----------------------------------------------------------------
rm-conn-rate-limit
RM connection rate limit reached:
This counter is incremented when the maximum connection rate for a context or the system has been reached and a new connection is attempted.
Recommendations:
The device administrator can use the commands 'show resource usage' and 'show resource usage system' to view context and system resource limits and 'Denied' counts and adjust resource limits if desired.
Syslogs:
321002
----------------------------------------------------------------
rpf-violated
Reverse-path verify failed:
This counter is incremented when ip-verify is configured on an interface and the security appliance receives a packet for which the route lookup of source-ip did not yield the same interface as the one on which the packet was received.
Recommendations:
Trace the source of traffic based on source-ip printed in syslog below and investigate why it is sending spoofed traffic.
Syslogs:
106021.
----------------------------------------------------------------
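Several of the entries above (np-sp-invalid-spi, permit-validate, rate-exceeded, rpf-violated, punt-rate-limit) advise acting when a counter grows quickly rather than on its absolute value. The following is an added example, not code from the Cisco reference, that parses two snapshots of show asp drop taken a known number of seconds apart, computes each reason's growth rate, and flags the reasons this reference ties to possible spoofing, DoS or misbehaving hosts. The snapshot text, the 60-second interval, the 1 drop/s threshold and the "description (keyword) count" line layout are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed "show asp drop" snapshots taken 60 s apart. The layout is assumed
# (description, reason keyword in parentheses, trailing count); the counts are
# invented for this example and use only reasons described in the reference.
SNAPSHOT_T0 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                              1200
  Invalid SPI (np-sp-invalid-spi)                                              3
  Reverse-path verify failed (rpf-violated)                                   10
  Punt rate limit exceeded (punt-rate-limit)                                   0
  QoS rate exceeded (rate-exceeded)                                           40
  NAT-T keepalive message (natt-keepalive)                                   500

Last clearing: 10:00:00 UTC Jan 1 2024 by enable_15
"""

SNAPSHOT_T1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                              1260
  Invalid SPI (np-sp-invalid-spi)                                            903
  Reverse-path verify failed (rpf-violated)                                   11
  Punt rate limit exceeded (punt-rate-limit)                                1500
  QoS rate exceeded (rate-exceeded)                                           41
  NAT-T keepalive message (natt-keepalive)                                   560

Last clearing: 10:00:00 UTC Jan 1 2024 by enable_15
"""

# One counter line: indented description, "(reason-keyword)", trailing integer.
# Section headers and the "Last clearing" line start in column 0 and are skipped.
LINE_RE = re.compile(r"^\s+(?P<desc>.+?) \((?P<reason>[\w-]+)\)\s+(?P<count>\d+)\s*$")

# Reasons whose sustained growth the reference says to investigate, with the
# follow-up it recommends (syslog IDs are the ones listed for each reason).
WATCHLIST: Dict[str, str] = {
    "np-sp-invalid-spi": "repeated invalid SPI may indicate a problem or DoS; find the ESP source (syslog 402114)",
    "rpf-violated": "reverse-path check failed; trace the source-ip from syslog 106021",
    "punt-rate-limit": "ARP punt rate above 500/s per interface; analyze the ARP source (syslogs 322002, 322003)",
    "rate-exceeded": "policed rate exceeded; may be normal or a sign of infection or attack",
    "permit-validate": "listener validation failing; identify the hosts via syslog 201011",
}


def parse_asp_drop(text: str) -> Dict[str, int]:
    """Return {reason_keyword: count} for every counter line in the output."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[m.group("reason")] = int(m.group("count"))
    return counts


def counter_rates(before: Dict[str, int], after: Dict[str, int], seconds: float) -> Dict[str, float]:
    """Per-second growth of each counter between two snapshots.

    A counter that went backwards means "clear asp drop" ran in between, so its
    rate is unknown and the reason is left out of the result.
    """
    rates: Dict[str, float] = {}
    for reason, now in after.items():
        prev = before.get(reason, 0)
        if now >= prev:
            rates[reason] = (now - prev) / seconds
    return rates


def triage(before: Dict[str, int], after: Dict[str, int], seconds: float,
           min_rate: float = 1.0) -> List[Tuple[str, float, str]]:
    """Watchlisted reasons growing at or above min_rate drops/s, fastest first."""
    flagged = []
    for reason, rate in counter_rates(before, after, seconds).items():
        if reason in WATCHLIST and rate >= min_rate:
            flagged.append((reason, rate, WATCHLIST[reason]))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    t0, t1 = parse_asp_drop(SNAPSHOT_T0), parse_asp_drop(SNAPSHOT_T1)
    for reason, rate, note in triage(t0, t1, seconds=60):
        print(f"{reason:<20} {rate:8.1f} drops/s  {note}")
```

With the constructed snapshots only punt-rate-limit (25 drops/s) and np-sp-invalid-spi (15 drops/s) are flagged; acl-drop and natt-keepalive grow at 1 drop/s but are not on the watchlist, and rpf-violated grows too slowly to matter.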
rule-transaction-in-progress
Initial rule transaction compiling in progress:
This reason is given for dropping a packet when the transactional commit mode is used and the initial rule transaction compiling is still in progress. All through-the-box traffic is dropped when the ASA is in this state.
Recommendations:
This is a temporal condition that happens once during the system initialization or the security context initialization. The duration of this condition depends on the number of rules, such as ACLs or NAT rules, in the configuration.
Syslogs:
None.
----------------------------------------------------------------
safe-search
Blocked or blacklisted by the safe search preprocessor:
This counter is incremented and the packet is dropped as requested by the safe search preprocessor.
Recommendations:
Review the snort output in packet tracer or capture with trace enabled.
Syslogs:
None.
----------------------------------------------------------------
same-physical-interface
Same input and output physical interface:
A flow cannot use the same physical interface for input and output on ASA 1000V.
Recommendations:
Check the NAT and routing policies configured on ASA 1000V. Use ASA 1000V "packet-tracer" command to determine which security-profiles are used based on the NAT and routing policies configured. Use "show running-config service-interface" to display the association between the physical interfaces and the configured security-profiles.
Syslogs:
None.
----------------------------------------------------------------
sctp queue-limit
SCTP Out-of-order queue full:
This counter is incremented and the packet is dropped when the SCTP out of order packet queue exceeds the default limit 20.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-abort-chunk-unexpected
Received SCTP ABORT chunk unexpectedly:
This counter is incremented and the packet is dropped when SCTP chunk is received unexpectedly.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-cookie-ack-in-invalid-state
SCTP COOKIE ACK is not received in COOKIE ECHOED state:
This counter is incremented and the packet is dropped when SCTP COOKIE ACK chunk is not received in COOKIE ECHOED state.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-cookie-ack-no-assoc
SCTP COOKIE ACK is received with no association:
This counter is incremented and the packet is dropped when SCTP COOKIE ACK chunk is received without an association.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-cookie-echo-cookie-len
SCTP COOKIE ECHO contains cookie with different length:
This counter is incremented and the packet is dropped when SCTP COOKIE ECHO chunk contains an echoed cookie with a different length.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-cookie-echo-in-close
SCTP COOKIE ECHO is received in CLOSED state:
This counter is incremented and the packet is dropped when SCTP COOKIE ECHO chunk is received in association CLOSED state.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-cookie-echo-in-shut
SCTP COOKIE ECHO is received during shutdown:
This counter is incremented and the packet is dropped when SCTP COOKIE ECHO chunk is received during association shutdown.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-cookie-echo-no-assoc
SCTP COOKIE ECHO is received with no association:
This counter is incremented and the packet is dropped when SCTP COOKIE ECHO chunk is received without an association.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-descriptor-unavailable
SCTP DATA chunk descriptor unavailable:
This counter is incremented and the packet is dropped when SCTP chunk descriptor is unavailable.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-fwd-tsn-gap-out-of-range
SCTP FWD TSN gap is out of range:
This counter is incremented and the packet is dropped when SCTP FORWARD CUMULATIVE TSN gap is out of range (100).
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-fwd-tsn-in-invalid-state
SCTP FWD TSN is not received in valid state:
This counter is incremented and the packet is dropped when SCTP FORWARD CUMULATIVE TSN chunk is not received in valid state.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-fwd-tsn-too-small
SCTP FWD TSN length is too small:
This counter is incremented and the packet is dropped when SCTP FORWARD CUMULATIVE TSN chunk length is too small.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-heartbeat-ack-no-assoc
SCTP HEARTBEAT ACK is received with no association:
This counter is incremented and the packet is dropped when SCTP HEARTBEAT ACK chunk is received without an association.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-heartbeat-no-assoc
SCTP HEARTBEAT is received with no association:
This counter is incremented and the packet is dropped when SCTP HEARTBEAT chunk is received without an association.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-init-0-stream-cnt
SCTP INIT contains 0 value inbound/outbound stream count:
This counter is incremented and the packet is dropped when SCTP INIT chunk contains 0 value inbound/outbound stream count.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-init-0-tag
SCTP INIT contains 0 value initiate tag:
This counter is incremented and the packet is dropped when SCTP INIT chunk contains 0 value initiate tag.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-init-ack-0-stream-cnt
SCTP INIT ACK contains 0 value inbound/outbound stream count:
This counter is incremented and the packet is dropped when SCTP INIT ACK chunk contains 0 value inbound/outbound stream count.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-init-ack-inv-ipv4-param-len
SCTP INIT ACK contains invalid ipv4 parameter length value:
This counter is incremented and the packet is dropped when SCTP INIT ACK chunk contains invalid ipv4 parameter length value.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-init-ack-inv-ipv6-param-len
SCTP INIT ACK contains invalid ipv6 parameter length value:
This counter is incremented and the packet is dropped when SCTP INIT ACK chunk contains invalid ipv6 parameter length value.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-init-asconf-auth-inconsistent
SCTP INIT contains ASCONF support without AUTH support:
This counter is incremented and the packet is dropped when SCTP INIT chunk contains ASCONF support without AUTH support.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-init-in-shutdown
SCTP INIT is seen in shutdown state:
This counter is incremented and the packet is dropped when SCTP INIT chunk is received in SHUTDOWN state.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-init-inv-ipv4-param-len
SCTP INIT contains invalid ipv4 parameter length value:
This counter is incremented and the packet is dropped when SCTP INIT chunk contains invalid ipv4 parameter length value.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-init-inv-ipv6-param-len
SCTP INIT contains invalid ipv6 parameter length value:
This counter is incremented and the packet is dropped when SCTP INIT chunk contains invalid ipv6 parameter length value.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-init-inv-param-len
SCTP INIT ACK contains invalid parameter length value:
This counter is incremented and the packet is dropped when SCTP INIT ACK chunk contains invalid parameter length value.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-init-new-addr
SCTP restart INIT chunk contains new address:
This counter is incremented and the packet is dropped when SCTP restart INIT chunk contains new address.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-init-param-too-small
SCTP INIT chunk parameter length value is smaller than the parameter header size:
This counter is incremented and the packet is dropped when the SCTP parameter length value is less than the size of the parameter header.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-init-redundancy-auth-inconsistent
SCTP INIT contains REDUNDANCY support without AUTH support:
This counter is incremented and the packet is dropped when SCTP INIT chunk contains REDUNDANCY support without AUTH support.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-init-restart-bad-ip
SCTP INIT (restart) contains IP address not in previous INIT:
This counter is incremented and the packet is dropped when SCTP INIT (restart) chunk contains IP address that is not in previous INIT.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-init-rwnd-too-small
SCTP INIT receive-window value is too small:
This counter is incremented and the packet is dropped when SCTP INIT chunk receive-window value is too small (less than 1500).
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-init-too-small
SCTP chunk length value is smaller than the INIT chunk size:
This counter is incremented and the packet is dropped when the SCTP chunk length value is less than the size of the INIT chunk.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-initack-0-tag
SCTP INIT ACK contains 0 value initiate tag:
This counter is incremented and the packet is dropped when SCTP INIT ACK chunk contains 0 value initiate tag.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-initack-no-matching-init
SCTP INITACK chunk has no matching INIT:
This counter is incremented and the packet is dropped when SCTP INIT ACK chunk is received with no matching INIT.
Recommendations:
This drop can happen in scenarios such as when there are redundant paths between client and server, or when network congestion causes the INIT ACK to arrive after the connection created for the INIT has been torn down. If this error occurs in large numbers, use the packet capture feature to help isolate the issue.
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-initack-rwnd-too-small
SCTP INIT ACK receive-window value is too small:
This counter is incremented and the packet is dropped when SCTP INIT ACK chunk receive-window value is too small (less than 1500).
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-initack-too-small
SCTP chunk length value is smaller than the INIT ACK chunk size:
This counter is incremented and the packet is dropped when the SCTP chunk length value is less than the size of the INIT ACK chunk.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-inva-ver-tag
Received SCTP chunk with invalid verification tag:
This counter is incremented and the packet is dropped when packet contains verification tag that does not match association tag.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-invalid-bundle
SCTP chunk bundle included INIT, INIT_ACK, or SHUTDOWN_COMPLETE:
This counter is incremented and the packet is dropped when SCTP chunk bundle included INIT, INIT_ACK, or SHUTDOWN_COMPLETE.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-param-supaddrlen-inv
SCTP chunk parameter SUPPORTED ADDRESS contains invalid length:
This counter is incremented and the packet is dropped when SCTP INIT/INIT ACK chunk parameter SUPPORTED ADDRESS contains invalid length (< 4).
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-sack-in-invalid-state
SCTP SACK is not received in valid state:
This counter is incremented and the packet is dropped when SCTP SACK chunk is not received in valid state.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-sack-no-assoc
SCTP SACK is received with no association:
This counter is incremented and the packet is dropped when SCTP SACK chunk is received without an association.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-sack-too-small
SCTP SACK length is too small:
This counter is incremented and the packet is dropped when SCTP SACK chunk length is too small.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-shutdown-ack-in-invalid-state
SCTP SHUTDOWN ACK is not received in valid state:
This counter is incremented and the packet is dropped when SCTP SHUTDOWN ACK chunk is not received in valid state.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-shutdown-ack-no-assoc
SCTP SHUTDOWN ACK is received with no association:
This counter is incremented and the packet is dropped when SCTP SHUTDOWN ACK chunk is received without an association.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-shutdown-comp-no-assoc
SCTP SHUTDOWN COMPLETE is received with no association:
This counter is incremented and the packet is dropped when SCTP SHUTDOWN COMPLETE chunk is received without an association.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-shutdown-complete-in-invalid-state
SCTP SHUTDOWN COMPLETE is not received in valid state:
This counter is incremented and the packet is dropped when SCTP SHUTDOWN COMPLETE chunk is not received in valid state.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-shutdown-in-invalid-state
SCTP SHUTDOWN is not received in valid state:
This counter is incremented and the packet is dropped when SCTP SHUTDOWN chunk is not received in valid state.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-shutdown-no-assoc
SCTP SHUTDOWN is received with no association:
This counter is incremented and the packet is dropped when SCTP SHUTDOWN chunk is received without an association.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-shutdown-too-small
SCTP SHUTDOWN length is too small:
This counter is incremented and the packet is dropped when SCTP SHUTDOWN chunk length is too small.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-too-small
SCTP chunk length value is smaller than chunk header size:
This counter is incremented and the packet is dropped when the SCTP chunk length value is less than the size of the chunk header.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-unexpected
Received SCTP chunk unexpectedly:
This counter is incremented and the packet is dropped when chunk is received unexpectedly.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-unrec-param
SCTP chunk contains unrecognizable parameter:
This counter is incremented and the packet is dropped when SCTP chunk contains unrecognizable parameter.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-zero-ver-tag
Received SCTP non-INIT/ABORT chunk with zero verification tag:
This counter is incremented and the packet is dropped when a packet containing a non-INIT/ABORT chunk has a zero verification tag.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-data-chunk-in-invalid-state
SCTP DATA chunk in invalid state:
This counter is incremented and the packet is dropped when SCTP DATA chunk is received in invalid state.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-data-chunk-len-exceeds-rwnd
SCTP DATA chunk length greater than receive window:
This counter is incremented and the packet is dropped when SCTP DATA chunk length is greater than receive window.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-data-chunk-len-invalid
SCTP DATA chunk length is invalid:
This counter is incremented and the chunk is dropped when SCTP DATA chunk has invalid chunk length.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-data-chunk-len-too-small
SCTP DATA chunk length is too small:
This counter is incremented and the packet is dropped when SCTP DATA chunk length is too small.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-dgram-header-unavailable
SCTP Datagram header unavailable:
This counter is incremented and the packet is dropped when SCTP datagram header is unavailable.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-drop-fixme
SCTP drop fixme:
This counter is incremented when the security appliance receives an SCTP packet with a fixme drop reason.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
sctp-duplicate-data-stream
Received duplicate SCTP DATA stream:
This counter is incremented and the packet is dropped when a duplicate SCTP DATA stream is received.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-initack-chunk-inv-state
Received SCTP INIT ACK chunk in non-COOKIE-WAIT state:
This counter is incremented and the packet is dropped when SCTP packet containing INIT ACK chunk is received in non-cookie-wait state.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-invalid-bundle
SCTP packet bundle has control chunks after data chunks:
This counter is incremented and the packet is dropped when an SCTP packet has control chunks present after data chunks.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-invalid-fragments
SCTP invalid fragments received:
This counter is incremented and all fragments in the reassembly queue are deleted, including the fragment that has not yet been queued.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-no-association
SCTP no association:
This counter is incremented and the packet is dropped when no matching association exists for this packet.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-pkt-auth-chunk-extra
SCTP packet contains more than one AUTH chunk:
This counter is incremented and the packet is dropped when SCTP packet contains more than one AUTH chunk.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-pkt-auth-chunk-no-data
SCTP packet contains only AUTH chunks:
This counter is incremented and the packet is dropped when SCTP packet contains only AUTH chunks.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-pkt-partial_chunk
SCTP packet has partial chunk:
This counter is incremented and the packet is dropped when SCTP packet contains a partial chunk.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-pkt-too-small
SCTP packet size less than minimum length of 16:
This counter is incremented and the packet is dropped when the SCTP packet size is less than the combined size of the common header and chunk header.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-reassembly-buffer-size-limit
SCTP Reassembly Datagram queue bytesize limit exceeded:
This counter is incremented and the reassembly datagram (all fragments) is deleted from the stream reassembly queue after the total byte size of chunks in the datagram reassembly queue reaches its maximum (8192 bytes).
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-reassembly-queue-limit
SCTP Reassembly queue limit exceeded:
This counter is incremented and the fragmented chunks are deleted from the reassembly queue after the number of fragments in the reassembly queue reaches its maximum (6).
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-reassembly-queue-timeout
SCTP Reassembly queue timeout:
This counter is incremented and the fragmented chunks are deleted from the reassembly queue when they have been held in the reassembly queue for 30 seconds.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-reassembly-system-limit
SCTP Reassembly Datagram queue limit exceeded:
This counter is incremented and no reassembly datagram is created for new incoming fragments after the number of datagrams in reassembly queues on the ASA reaches its maximum (125 per core). If the fragment is bundled, the packet is repacked; otherwise the whole packet is dropped.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-reorder-queue-limit
SCTP Reorder queue limit exceeded:
This counter is incremented and the chunk is dropped when number of out of order chunks exceeds the limit (50/stream) for the stream.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-reorder-queue-timeout
SCTP Reorder queue timeout:
This counter is incremented and the data chunk is dropped when an out of order SCTP data chunk has been held in the buffer for 30 seconds.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-reorder-stream-limit
SCTP Number of streams in reorder exceeded limit:
This counter is incremented and the chunk is dropped when the first out-of-order chunk is received after the number of streams in reorder reaches its maximum (64 * number of CPU cores).
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-shutack-chunk-unexpected
Received SCTP SHUTDOWN ACK chunk unexpectedly:
This counter is incremented and the packet is dropped when SHUTDOWN ACK is received unexpectedly.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-shutcomplete-chunk-unexpected
Received SCTP SHUTDOWN COMPLETE chunk unexpectedly:
This counter is incremented and the packet is dropped when SHUTDOWN COMPLETE is received unexpectedly.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-stream-id-invalid
SCTP DATA chunk contains invalid stream id:
This counter is incremented and the packet is dropped when SCTP DATA chunk contains invalid stream id.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
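The structural checks that the sctp-* counters above describe, collected into one reference classifier as an added example. This is not ASA code and is not taken from this page: chunk layouts follow RFC 4960, the 16-byte packet minimum and the 1500-byte receive-window floor are taken from the counter descriptions, the INIT/ABORT exemption from the zero-tag check follows the sctp-chunk-zero-ver-tag title, and the sample packets are constructed with the checksum left at zero. The order in which ASA applies these checks is not documented here, so the function returns only the first keyword that matches.

```python
"""Reference classifier for the SCTP checks described by the sctp-* counters.
Added illustration, not ASA code; constants per RFC 4960 and the counter text."""
import struct

COMMON_HDR_LEN = 12   # src port, dst port, verification tag, checksum
CHUNK_HDR_LEN = 4     # type, flags, length
MIN_PKT_LEN = COMMON_HDR_LEN + CHUNK_HDR_LEN   # 16, per sctp-pkt-too-small
INIT_CHUNK_LEN = 20   # header + initiate tag, a_rwnd, out/in streams, initial TSN
MIN_RWND = 1500       # per sctp-chunk-init-rwnd-too-small
DATA, INIT, INIT_ACK, SACK, ABORT, SHUTDOWN_COMPLETE = 0, 1, 2, 3, 6, 14
UNBUNDLEABLE = {INIT, INIT_ACK, SHUTDOWN_COMPLETE}   # sctp-chunk-invalid-bundle


def parse_chunks(payload):
    """Split bytes after the common header into (type, flags, body) tuples;
    raise ValueError carrying the drop-reason keyword on structural errors."""
    chunks, off = [], 0
    while off < len(payload):
        if len(payload) - off < CHUNK_HDR_LEN:
            raise ValueError("sctp-pkt-partial_chunk")
        ctype, flags, clen = struct.unpack_from("!BBH", payload, off)
        if clen < CHUNK_HDR_LEN:
            raise ValueError("sctp-chunk-too-small")
        if off + clen > len(payload):
            raise ValueError("sctp-pkt-partial_chunk")
        chunks.append((ctype, flags, payload[off + CHUNK_HDR_LEN:off + clen]))
        off += (clen + 3) & ~3        # chunks are padded to a 4-byte boundary
    return chunks


def check_init(body):
    """Fixed-field and TLV parameter checks for an INIT chunk body (no header)."""
    if len(body) + CHUNK_HDR_LEN < INIT_CHUNK_LEN:
        return "sctp-chunk-init-too-small"
    tag, rwnd, out_streams, in_streams, _tsn = struct.unpack_from("!IIHHI", body)
    if tag == 0:
        return "sctp-chunk-init-0-tag"
    if out_streams == 0 or in_streams == 0:
        return "sctp-chunk-init-0-stream-cnt"
    if rwnd < MIN_RWND:
        return "sctp-chunk-init-rwnd-too-small"
    off = INIT_CHUNK_LEN - CHUNK_HDR_LEN   # optional parameters follow the fixed fields
    while off < len(body):
        if len(body) - off < 4:
            return "sctp-chunk-init-param-too-small"
        plen = struct.unpack_from("!HH", body, off)[1]
        if plen < 4:
            return "sctp-chunk-init-param-too-small"
        if off + plen > len(body):
            return "sctp-chunk-init-inv-param-len"
        off += (plen + 3) & ~3
    return None


def classify(packet):
    """Return the first matching drop-reason keyword, or None if the packet
    passes every check implemented here."""
    if len(packet) < MIN_PKT_LEN:
        return "sctp-pkt-too-small"
    vtag = struct.unpack_from("!I", packet, 4)[0]
    try:
        chunks = parse_chunks(packet[COMMON_HDR_LEN:])
    except ValueError as err:
        return str(err)
    if len(chunks) > 1 and UNBUNDLEABLE & {c[0] for c in chunks}:
        return "sctp-chunk-invalid-bundle"
    seen_data = False
    for ctype, _flags, body in chunks:
        if ctype == DATA:
            seen_data = True
        elif seen_data:
            return "sctp-invalid-bundle"     # control chunk after a DATA chunk
        if vtag == 0 and ctype not in (INIT, ABORT):
            return "sctp-chunk-zero-ver-tag"
        if ctype == INIT:
            reason = check_init(body)
            if reason:
                return reason
    return None


def build(vtag, chunks):
    """Assemble a constructed sample packet from (type, flags, body) tuples."""
    out = struct.pack("!HHII", 5000, 3868, vtag, 0)   # checksum left zero
    for ctype, flags, body in chunks:
        out += struct.pack("!BBH", ctype, flags, CHUNK_HDR_LEN + len(body)) + body
        out += b"\x00" * (-len(body) % 4)
    return out


# Constructed samples, not captures from a real network.
INIT_BODY = struct.pack("!IIHHI", 0x1234, 65535, 10, 10, 1)
DATA_BODY = struct.pack("!IHHI", 1, 0, 0, 0) + b"hi"
GOOD_INIT = build(0, [(INIT, 0, INIT_BODY)])
GOOD_DATA = build(0x5678, [(DATA, 3, DATA_BODY)])
BAD_RWND = build(0, [(INIT, 0, struct.pack("!IIHHI", 0x1234, 1024, 10, 10, 1))])
BAD_ORDER = build(0x5678, [(DATA, 3, DATA_BODY), (SACK, 0, b"\x00" * 12)])
ZERO_TAG_DATA = build(0, [(DATA, 3, DATA_BODY)])
TRUNCATED = GOOD_DATA[:-6]          # chunk length now exceeds the bytes present

if __name__ == "__main__":
    for pkt in (GOOD_INIT, GOOD_DATA, BAD_RWND, BAD_ORDER, ZERO_TAG_DATA, TRUNCATED):
        print(pkt.hex(), "->", classify(pkt))
```

Running the module prints the keyword for each constructed sample. Fed the SCTP payload (from the common header onward) of a packet taken with capture asp-drop, it gives a first guess at which of the counters above the packet would hit before escalating to TAC.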
security-failed
Early security checks failed:
This counter is incremented and the packet is dropped when the security appliance:
- receives an IPv4 multicast packet whose multicast MAC address does not match the packet's multicast destination IP address
- receives an IPv6 or IPv4 teardrop fragment containing either a small offset or overlapping fragments
- receives an IPv4 packet that matches an IP audit (IPS) signature
Recommendations:
Contact the remote peer administrator or escalate this issue according to your security policy.
For a detailed description and syslogs for the IP audit attack checks, refer to the ip audit signature section of the command reference guide.
Syslogs:
106020
400xx in case of ip audit checks
----------------------------------------------------------------
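Two of the early security checks listed under security-failed, written out as an added example rather than ASA code: the IPv4 multicast MAC/IP consistency check and a teardrop-style fragment check. The 01:00:5e mapping is the standard IPv4 multicast-to-Ethernet mapping; the 16-byte minimum offset for non-first fragments is an assumed threshold chosen for illustration, not the appliance's value, and the sample inputs are constructed.

```python
"""Added illustration of two security-failed checks; not ASA code."""
import ipaddress

# Assumed threshold for illustration: a later fragment that starts this early
# cannot leave room for a transport header in the first fragment.
MIN_NONFIRST_OFFSET = 16


def expected_multicast_mac(dst_ip):
    """Ethernet address an IPv4 multicast group must map to:
    01:00:5e prefix plus the low 23 bits of the group address."""
    ip = ipaddress.IPv4Address(dst_ip)
    if not ip.is_multicast:
        raise ValueError(f"{dst_ip} is not an IPv4 multicast address")
    low23 = int(ip) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def multicast_mac_matches(dst_mac, dst_ip):
    """True when the frame's destination MAC is the one the group maps to."""
    return dst_mac.lower() == expected_multicast_mac(dst_ip)


def fragment_check(frags):
    """frags: (offset_bytes, payload_len) pairs for one datagram, any order.
    Returns 'small-offset', 'overlap', or None when the set looks sane."""
    end = 0
    for off, length in sorted(frags):
        if 0 < off < MIN_NONFIRST_OFFSET:
            return "small-offset"
        if off < end:               # starts before the previous fragment ended
            return "overlap"
        end = off + length
    return None


# Constructed samples, not captures.
SSDP_OK = ("01:00:5e:7f:ff:fa", "239.255.255.250")
SSDP_BAD = ("01:00:5e:00:00:01", "239.255.255.250")
FRAGS_OK = [(0, 1480), (1480, 1480), (2960, 200)]
FRAGS_TEARDROP = [(0, 36), (24, 4)]        # second piece lands inside the first
FRAGS_SMALL = [(0, 1480), (8, 1480)]

if __name__ == "__main__":
    print(SSDP_OK, multicast_mac_matches(*SSDP_OK))
    print(SSDP_BAD, multicast_mac_matches(*SSDP_BAD))
    for frags in (FRAGS_OK, FRAGS_TEARDROP, FRAGS_SMALL):
        print(frags, fragment_check(frags))
```

Because only the low 23 bits of the group address reach the MAC, 32 IPv4 groups share each multicast MAC; the check therefore catches a MAC that belongs to no group mapping of the destination, not every spoofed combination.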
security-profile-not-matched
Security-profile not matched:
This traffic contains a security-profile ID that does not match a security-profile on ASA 1000V.
Recommendations:
Check the port-profile configuration on the Nexus 1000V with "show port-profile" and verify that a security-profile is configured for each port-profile redirecting traffic to ASA 1000V, and that security-profile names match between Nexus 1000V and ASA 1000V. Verify that security-profiles are associated with the inside interface using "service-interface security-profile all <inside_interface_name>" on ASA 1000V. Use "show vsn port" on Nexus 1000V and "show vsn security-profile" on ASA 1000V to verify that security-profiles have matching ID values on both devices.
Syslogs:
None.
----------------------------------------------------------------
security-profile-not-used
Security-profile not used:
This traffic does not use a security-profile. Traffic through ASA 1000V is expected to use a security-profile configured on Nexus 1000V.
Recommendations:
Check the port-profile configuration on the Nexus 1000V with "show port-profile" and verify that a security-profile is configured for each port-profile redirecting traffic to ASA 1000V, and that security-profile names match between Nexus 1000V and ASA 1000V. Verify that security-profiles are associated with the inside interface using "service-interface security-profile all <inside_interface_name>" on ASA 1000V. Use "show vsn port" on Nexus 1000V and "show vsn security-profile" on ASA 1000V to verify that security-profiles have matching ID values on both devices.
Syslogs:
None.
----------------------------------------------------------------
send-ctm-error
Send to CTM returned error:
This counter is obsolete in the appliance and should never increment.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
service-interface-down
Service interface is down:
ASA 1000V will drop any vPath tagged traffic if the service-interface has not been configured.
Recommendations:
Ensure that all security profile interfaces are associated with the inside interface using
service-interface security-profile all <inside_interface_name>
(only needed in ASDM mode)
Syslogs:
None.
----------------------------------------------------------------
session-preproc
Blocked or blacklisted by the session preprocessor:
This counter is incremented and the packet is dropped as requested by the session preprocessor.
Recommendations:
Review the snort output in packet tracer or capture with trace enabled.
Syslogs:
None.
----------------------------------------------------------------
session-string
Session debug info:
This counter is used internally by snort.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
sfr-bad-handle-received
Received bad flow handle in a packet from SFR module, thus dropping flow:
This counter is incremented and the flow and packet are dropped on the ASA because the handle for the SFR flow changed during the flow's lifetime.
Recommendations:
Check syslogs and alerts on SFR module.
Syslogs:
None
----------------------------------------------------------------
sfr-bad-tlv-received
SFR Module requested drop:
This counter is incremented and the packet is dropped as requested by the SFR module when the packet has bad TLVs.
Recommendations:
Check syslogs and alerts on SFR module.
Syslogs:
None
----------------------------------------------------------------
sfr-fail-close
SFR card is down:
This counter is incremented and the packet is dropped when SFR card is down and fail-close option was configured in SFR action.
Recommendations:
Check and bring up the SFR card.
Syslogs:
434001
----------------------------------------------------------------
sfr-ha-request
SFR HA replication drop:
This counter is incremented when the security appliance receives an SFR HA request packet but cannot process it, and the packet is dropped.
Recommendations:
This could happen occasionally when SFR does not have the latest ASA HA state, like right after ASA HA state change. If the counter is constantly increasing however, then it can be because SFR and ASA are out of sync. If that happens, contact Cisco TAC for assistance.
Syslogs:
None.
----------------------------------------------------------------
sfr-invalid-encap
SFR invalid header drop:
This counter is incremented when the security appliance receives an SFR packet with an invalid message header, and the packet is dropped.
Recommendations:
This should never happen. Contact Cisco TAC for assistance.
Syslogs:
None.
----------------------------------------------------------------
sfr-malformed-packet
SFR Module requested drop:
This counter is incremented and the packet is dropped as requested by SFR module when the packet is malformed.
Recommendations:
Check syslogs and alerts on SFR module.
Syslogs:
None
----------------------------------------------------------------
sfr-no-flow
SFR config removed for connection:
This counter is incremented and the packet is dropped when SFR configuration is not found for a particular connection.
Recommendations:
Check if any configuration changes have been made for SFR.
Syslogs:
None
----------------------------------------------------------------
sfr-request
SFR Module requested drop:
This counter is incremented and the packet is dropped as requested by SFR module when the packet matches a signature on the SFR engine.
Recommendations:
Check syslogs and alerts on SFR module.
Syslogs:
434002
----------------------------------------------------------------
sfr-request-ssl-decrypt
SFR Module SSL decryption requested drop:
This counter is incremented and the packet is dropped as requested by SFR module SSL decryption when the packet is decrypted.
Recommendations:
Check syslogs and alerts on SFR module.
Syslogs:
None
----------------------------------------------------------------
sfr-rx-monitor-only
SFR invalid monitor-only receive drop:
This counter is incremented when the security appliance receives an SFR packet while in monitor-only mode, and the packet is dropped.
Recommendations:
This should never happen. Contact Cisco TAC for assistance.
Syslogs:
None.
----------------------------------------------------------------
shunned
Packet shunned:
This counter will increment when a packet is received which has a source IP address that matches a host in the shun database.
Recommendations:
No action required.
Syslogs:
401004
----------------------------------------------------------------
si
Blocked or blacklisted by the SI preprocessor:
This counter is incremented and the packet is dropped as requested by the SI preprocessor.
Recommendations:
Review the snort output in packet tracer or capture with trace enabled.
Syslogs:
None.
----------------------------------------------------------------
smb
Blocked or blacklisted by the SMB preprocessor:
This counter is incremented and the packet is dropped as requested by the SMB preprocessor.
Recommendations:
Review the snort output in packet tracer or capture with trace enabled.
Syslogs:
None.
----------------------------------------------------------------
snort-blacklist
Packet is blacklisted by snort:
This counter is incremented and the packet is dropped as flow is blacklisted by snort.
Recommendations:
Review Snort policies for any such rule denying the flow.
Syslogs:
None.
----------------------------------------------------------------
snort-blist-full
Snort flow block list limit reached:
This counter is incremented and the packet is dropped when the datapath buffers packets to avoid out-of-order delivery on fast-forwarded flows and the number of queued packets exceeds the maximum limit.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
snort-blist-full-failopen
Snort flow block list limit reached:
This counter is incremented and the packet is dropped when the datapath buffers packets to avoid out-of-order delivery on fail-open flows and the number of queued packets exceeds the maximum limit.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
snort-block
Packet is blocked as requested by snort:
This counter is incremented and the packet is dropped as requested by snort.
Recommendations:
Review Snort policies for any such rule denying the flow.
Syslogs:
None.
----------------------------------------------------------------
snort-busy
Drop the frame as the SNORT instance is busy and cannot handle it:
This counter is incremented and the packet is dropped as the Snort module is busy and unable to handle the frame.
Recommendations:
Review Snort statistics for the reason behind high load on SNORT instance.
Syslogs:
None.
----------------------------------------------------------------
snort-busy-in-fp
Drop the frame as the SNORT instance is busy and cannot handle it:
This counter is incremented and the packet is dropped when the Snort module is busy and cannot handle the frame in full-proxy mode.
Recommendations:
Review Snort statistics for the reason behind high load on SNORT instance.
Syslogs:
None.
----------------------------------------------------------------
snort-busy-inline-flow
Drop the frame as the SNORT instance is busy and cannot handle it:
This counter is incremented and the packet is dropped when the Snort module is busy and the flow is inline or passive.
Recommendations:
Review Snort statistics for the reason behind high load on SNORT instance.
Syslogs:
None.
----------------------------------------------------------------
snort-busy-no-app-info
Drop the frame as the SNORT instance is busy and cannot handle it:
This counter is incremented and the packet is dropped when the Snort module is busy and the application info or flow cannot be found.
Recommendations:
Review Snort statistics for the reason behind high load on SNORT instance.
Syslogs:
None.
----------------------------------------------------------------
snort-busy-not-fp
Drop the frame as the SNORT instance is busy and cannot handle it:
This counter is incremented and the packet is dropped when the Snort module is busy and cannot handle the frame while not in full-proxy mode.
Recommendations:
Review Snort statistics for the reason behind high load on SNORT instance.
Syslogs:
None.
----------------------------------------------------------------
snort-detain
Packet is detained as requested by snort:
This counter is incremented and the packet is detained as requested by snort.
Recommendations:
This counter is informational and the behavior is expected.
Syslogs:
None.
----------------------------------------------------------------
snort-down
Drop the frame as the SNORT instance is down:
This counter is incremented and the packet is dropped as the Snort module is down.
Recommendations:
Review Snort statistics for the reason behind SNORT instance down.
Syslogs:
None.
----------------------------------------------------------------
snort-down-in-fp
Drop the frame as the SNORT instance is down:
This counter is incremented and the packet is dropped when the Snort module is down and cannot handle the frame in full-proxy mode.
Recommendations:
Review Snort statistics for the reason behind SNORT instance down.
Syslogs:
None.
----------------------------------------------------------------
snort-down-inline-flow
Drop the frame as the SNORT instance is down:
This counter is incremented and the packet is dropped when the Snort module is down and the flow is inline or passive.
Recommendations:
Review Snort statistics for the reason behind SNORT instance down.
Syslogs:
None.
----------------------------------------------------------------
snort-down-no-app-info
Drop the frame as the SNORT instance is down:
This counter is incremented and the packet is dropped when the Snort module is down and the application info or flow cannot be found.
Recommendations:
Review Snort statistics for the reason behind SNORT instance down.
Syslogs:
None.
----------------------------------------------------------------
snort-down-not-fp
Drop the frame as the SNORT instance is down:
This counter is incremented and the packet is dropped when the Snort module is down and cannot handle the frame while not in full-proxy mode.
Recommendations:
Review Snort statistics for the reason behind SNORT instance down.
Syslogs:
None.
----------------------------------------------------------------
snort-drop
Snort requested to drop the frame:
This counter is incremented and the packet is dropped as requested by Snort module.
Recommendations:
Review Snort policies for any such rule denying the flow.
Syslogs:
None.
----------------------------------------------------------------
snort-flow-mismatch
Received a different flow from snort:
This counter is incremented when the flow received from Snort is different and needs to be dropped.
Recommendations:
Enable and review the module specific snort/pdts debug messages.
Syslogs:
None.
----------------------------------------------------------------
snort-inject-data-pkt
Inject a new data packet after being received from snort:
This counter is incremented when a new data packet is injected and needs to be dropped.
Recommendations:
Enable and review the module specific snort/pdts debug messages.
Syslogs:
None.
----------------------------------------------------------------
snort-inject-data-pkt-l2-hdr
Inject a new data L2 header packet after being received from snort:
This counter is incremented when a new data packet with an L2 header is injected and needs to be dropped.
Recommendations:
Enable and review the module specific snort/pdts debug messages.
Syslogs:
None.
----------------------------------------------------------------
snort-invalid-msg
Received an invalid message from snort:
This counter is incremented when the packet framed by snort is incorrect and needs to be dropped.
Recommendations:
Enable and review the module specific snort/pdts debug messages.
Syslogs:
None.
----------------------------------------------------------------
snort-invalid-verdict
Received invalid verdict from snort:
This counter is incremented and the packet is dropped as the verdict is invalid and cannot be acted upon.
Recommendations:
Enable and review the module specific snort/pdts debug messages.
Syslogs:
None.
----------------------------------------------------------------
snort-module
Blocked or blacklisted by snort:
This counter is incremented and the packet is dropped as requested by snort.
Recommendations:
Review the snort output in packet tracer or capture with trace enabled.
Syslogs:
None.
----------------------------------------------------------------
snort-react
Blocked or blacklisted by the snort react preprocessor:
This counter is incremented and the packet is dropped as requested by the snort react preprocessor.
Recommendations:
Review the snort output in packet tracer or capture with trace enabled.
Syslogs:
None.
----------------------------------------------------------------
snort-replace-data-pkt
Replace fixed length of data packet after it is received from snort:
This counter is incremented when a fixed length of data is replaced and the packet needs to be dropped.
Recommendations:
Enable and review the module specific snort/pdts debug messages.
Syslogs:
None.
----------------------------------------------------------------
snort-response
Blocked or blacklisted by the snort response preprocessor:
This counter is incremented and the packet is dropped as requested by the snort response preprocessor.
Recommendations:
Review the snort output in packet tracer or capture with trace enabled.
Syslogs:
None.
----------------------------------------------------------------
snort-silent-drop
Packet is dropped silently as requested by snort:
This counter is incremented and the packet is dropped as requested by snort.
Recommendations:
Enable and review the module specific snort/pdts debug messages.
Syslogs:
None.
----------------------------------------------------------------
snp-ha-udp-lu-link-resource-alloc-failure
Failover dropped packet due to resource limitation:
This counter is incremented and the packet is dropped when block extension allocation fails because of a system resource limitation. The resource limitations are:
1) system memory
2) packet block extension memory
Recommendations:
- Observe if free system memory is low.
Syslogs:
None
----------------------------------------------------------------
snp-ha-udp-lu-link-unexpected-packet
Failover UDP trans received an unexpected packet:
This counter is incremented and the packet is dropped when the NP HA UDP transport receives a packet destined for a different entity.
Recommendations:
Verify whether the appliance is under attack. If there are no suspicious packets, this counter is most likely being incremented by a software error. Identify the traffic that causes the counter to increment and contact Cisco TAC.
Syslogs:
None
----------------------------------------------------------------
sp-security-failed
Slowpath security checks failed:
This counter is incremented and packet is dropped when the security appliance is:
1) In routed mode receives a through-the-box:
- L2 broadcast packet
- IPv4 packet with destination IP address equal to 0.0.0.0
- IPv4 packet with source IP address equal to 0.0.0.0
2) In routed or transparent mode and receives a through-the-box IPv4 packet with:
- first octet of the source IP address equal to zero
- source IP address equal to the loopback IP address
- network part of source IP address equal to all 0's
- network part of the source IP address equal to all 1's
- source IP address host part equal to all 0's or all 1's
- Destination IP address host part equal to all 0's
3) In routed or transparent mode and receives an IPv4 or IPv6 packet with same source and destination IP addresses
Recommendations:
1 and 2) Determine whether an external user is trying to compromise the protected network. Check for misconfigured clients.
3) If this message counter is incrementing rapidly, an attack may be in progress. Use the packet capture feature to capture type asp packets and check the source MAC address in the packets to identify the source.
Syslogs:
1 and 2) 106016
3) 106017
----------------------------------------------------------------
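The checks listed under sp-security-failed, written out as an added example (this is not Cisco code) that classifies a through-the-box packet the way the list above describes and returns the case number and syslog ID. The receiving interface's subnet mask (ifc_mask) and the dst_mac parameter are assumptions needed to evaluate the network-part/host-part and L2 broadcast conditions, and the order in which the cases are tested is this example's choice, not documented behaviour of the appliance.

```python
"""Model of the slowpath address checks behind the sp-security-failed counter.

Added example, not Cisco code. Cases and syslog IDs follow the entry above:
  1) routed mode only: L2 broadcast, dst 0.0.0.0, src 0.0.0.0      -> 106016
  2) routed or transparent: bogus IPv4 source/destination parts    -> 106016
  3) same source and destination address, IPv4 or IPv6             -> 106017
Assumptions: ifc_mask is the classic (non /31, /32) mask of the receiving
interface; dst_mac is only consulted for the L2 broadcast check.
"""
import ipaddress

LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")
L2_BROADCAST = "ff:ff:ff:ff:ff:ff"


def slowpath_security_check(mode, src, dst, ifc_mask="255.255.255.0", dst_mac=None):
    """Return (case, syslog_id) if the slowpath would drop the packet, else None.

    mode: "routed" or "transparent"; src/dst: address strings of the packet.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)

    # Case 1: routed mode only.
    if mode == "routed":
        if dst_mac == L2_BROADCAST:
            return (1, 106016)
        if s.version == 4 and (int(s) == 0 or int(d) == 0):
            return (1, 106016)

    # Case 2: routed or transparent mode, IPv4 source/destination sanity checks.
    if s.version == 4 and d.version == 4:
        mask = int(ipaddress.IPv4Address(ifc_mask))
        host_bits = (~mask) & 0xFFFFFFFF
        src_net, src_host = int(s) & mask, int(s) & host_bits
        dst_host = int(d) & host_bits
        if (
            int(s) >> 24 == 0            # first octet of the source is zero
            or s in LOOPBACK_V4          # source is a loopback address
            or src_net == 0              # network part of source all 0s
            or src_net == mask           # network part of source all 1s
            or src_host == 0             # host part of source all 0s
            or src_host == host_bits     # host part of source all 1s
            or dst_host == 0             # host part of destination all 0s
        ):
            return (2, 106016)

    # Case 3: source equals destination (land-attack style), IPv4 or IPv6.
    if s == d:
        return (3, 106017)
    return None


if __name__ == "__main__":
    # Constructed sample packets, one per case plus a clean one.
    for args in [("routed", "10.1.1.5", "0.0.0.0"),
                 ("transparent", "10.1.1.0", "198.51.100.7"),
                 ("routed", "192.0.2.5", "192.0.2.5"),
                 ("routed", "10.1.1.5", "198.51.100.7")]:
        print(args, "->", slowpath_security_check(*args))
```

When the counter rises, running the offending 5-tuple through a check like this tells you which of the three cases fired and therefore which syslog ID (106016 or 106017) to search for; the appliance itself does not print the sub-case in show asp drop.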
ssl-alert-length-invalid
SSL alert length invalid:
The minimal length of SSL handshake alert should be 2 bytes. If the handshake record is less than 2 bytes, the packet will be dropped.
Recommendations:
This counter is incremented for invalid SSL record type that has SSL alert less than 2 bytes. This invalid type received from the remote peer is treated as a fatal error and the SSL packets that encounter this error must be dropped.
Syslogs:
None
----------------------------------------------------------------
ssl-first-record-invalid
SSL first record invalid:
The minimal length of SSL first handshake record should be 11 bytes. If the first record is less than 11 bytes, the packet will be dropped.
Recommendations:
This counter is incremented for invalid SSL record type that has first SSL record less than 11 bytes. This invalid type received from the remote peer is treated as a fatal error and the SSL packets that encounter this error must be dropped.
Syslogs:
None
----------------------------------------------------------------
ssl-preproc
Blocked or blacklisted by the SSL preprocessor:
This counter is incremented and the packet is dropped as requested by the SSL preprocessor.
Recommendations:
Review the snort output in packet tracer or capture with trace enabled.
Syslogs:
None.
----------------------------------------------------------------
ssl-record-length-invalid
SSL record length invalid:
The minimal length of SSL handshake record should be 4 bytes. If the handshake record is less than 4 bytes, the packet will be dropped.
Recommendations:
This counter is incremented for invalid SSL record type that has SSL record less than 4 bytes. This invalid type received from the remote peer is treated as a fatal error and the SSL packets that encounter this error must be dropped.
Syslogs:
None
----------------------------------------------------------------
ssm-app-fail
Service module is down:
This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when a packet that is to be inspected by the SSM is dropped because the SSM has become unavailable, for example because of a software or hardware defect, a software or signature upgrade, or the module being shut down.
Recommendations:
The card manager process running in the security appliance control plane would have issued system messages and CLI warnings to inform you of the failure. Please consult the documentation that comes with the SSM to troubleshoot the SSM failure. Contact Cisco Technical Assistance Center (TAC) if needed.
Syslog:
None.
----------------------------------------------------------------
ssm-app-request
Service module requested drop:
This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when the application running on the SSM requests that the security appliance drop the packet.
Recommendations:
More information can be obtained by querying the incident report or system messages generated by the SSM itself. Refer to the documentation that comes with the SSM for instructions.
Syslogs:
None.
----------------------------------------------------------------
ssm-asdp-invalid
Invalid ASDP packet received from SSM card:
This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when the security appliance receives an ASA SSM Dataplane Protocol (ASDP) packet from the internal data plane interface and the driver encounters a problem parsing the packet. ASDP is a protocol used by the security appliance to communicate with certain types of SSMs, such as the CSC-SSM. This can happen for various reasons: for example, the ASDP protocol version is not compatible between the security appliance and the SSM, in which case the card manager process in the control plane issues system messages and CLI warnings to inform you of the proper version of images that need to be installed; the ASDP packet belongs to a connection that has already been terminated on the security appliance; the security appliance has switched to the standby state (if failover is enabled), in which case it can no longer pass traffic; or an unexpected value is found when parsing the ASDP header and payload.
Recommendations:
The counter is usually 0 or a very small number. You should not be concerned if the counter slowly increases over time, especially when there has been a failover or you have manually cleared connections on the security appliance via the CLI. If the counter increases drastically during normal operation, please contact Cisco Technical Assistance Center (TAC).
Syslogs:
421003
421004
----------------------------------------------------------------
ssm-dpp-invalid
Invalid packet received from SSM card:
This counter only applies to the ASA 5500 series adaptive security appliance. It is incremented when the security appliance receives an ASA SSM Dataplane Protocol (ASDP) packet from the internal data plane interface but cannot find the appropriate driver to parse it.
Recommendations:
The data plane driver is dynamically registered depending on the type of SSM installed in the system. This can therefore happen when a data plane packet arrives before the security appliance is fully initialized. This counter is normally 0, and a few drops are nothing to worry about. However, if the counter keeps rising while the system is up and running, it may indicate a problem. Please contact Cisco Technical Assistance Center (TAC) if you suspect it affects the normal operation of your security appliance.
Syslogs:
None.
----------------------------------------------------------------
stream
Blocked or blacklisted by the stream preprocessor:
This counter is incremented and the packet is dropped as requested by the stream preprocessor.
Recommendations:
Review the snort output in packet tracer or capture with trace enabled.
Syslogs:
None.
----------------------------------------------------------------
sts-lookup-failure
STS lookup failure:
This counter is incremented when the security appliance fails to look up the out tag for a given in tag when tag switching is enabled on the VNI interface.
Recommendations:
Verify that an out tag exists for the in tag shown in the generated syslog.
Syslogs:
779001.
----------------------------------------------------------------
sts-nat-diff-egress
STS locates different egress from NAT:
This counter is incremented when the security appliance locates different egress interface by STS and NAT.
Recommendations:
Verify that the NAT configuration on interface shown in the syslog is correct.
Syslogs:
779002.
----------------------------------------------------------------
suppress-icmpv6-loopback
Suppress ICMPv6 packet-too-big on loopback with the same src/dst:
This counter is incremented when the appliance suppresses generation of an ICMPv6 "packet too big" error message for a packet whose source and destination IPv6 addresses are identical and whose interface is a loopback interface. This prevents the generation of unnecessary error messages in loopback scenarios where a packet is routed to itself.
Recommendations:
No action required. This is normal behavior that prevents ICMPv6 errors from looping on a loopback interface when the source and destination addresses match.
Syslogs:
None.
----------------------------------------------------------------
tcp-3whs-failed
TCP failed 3 way handshake:
This counter is incremented and the packet is dropped when the appliance receives an invalid TCP packet during the three-way handshake. For example, a SYN-ACK from the client is dropped for this reason.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-ack-syn-diff
TCP ACK in SYNACK invalid:
This counter is incremented and the packet is dropped when appliance receives a SYN-ACK packet during three-way-handshake with incorrect TCP acknowledgement number.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-acked
TCP DUP and has been ACKed:
This counter is incremented and the packet is dropped when appliance receives a retransmitted data packet and the data has been acknowledged by the peer TCP endpoint.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-bad-option-length
TCP option length invalid:
This counter is incremented and the packet is dropped when the appliance receives a TCP packet with TCP option length 0, which is invalid for non-NOP option.
Recommendations:
None.
Syslogs:
None
----------------------------------------------------------------
tcp-bad-option-list
TCP option list invalid:
This counter is incremented and the packet is dropped when the appliance receives a TCP packet with a non-standard TCP header option.
Recommendations:
To allow such TCP packets or clear non-standard TCP header options and then allow the packet, use tcp-options configuration under tcp-map.
Syslogs:
None
----------------------------------------------------------------
tcp-buffer-full
TCP Out-of-Order packet buffer full:
This counter is incremented and the packet is dropped when appliance receives an out-of-order TCP packet on a connection and there is no buffer space to store this packet. Typically TCP packets are put into order on connections that are inspected by the appliance or when packets are sent to SSM for inspection. There is a default queue size and when packets in excess of this default queue size are received they will be dropped.
Recommendations:
On ASA platforms the queue size could be increased using queue-limit configuration under tcp-map.
Syslogs:
None
----------------------------------------------------------------
tcp-buffer-timeout
TCP Out-of-Order packet buffer timeout:
This counter is incremented and the packet is dropped when a queued out-of-order TCP packet has been held in the buffer for too long. Typically, TCP packets are put into order on connections that are inspected by the security appliance or when packets are sent to the SSM for inspection. When the next expected TCP packet does not arrive within a certain period, the queued out-of-order packet is dropped.
Recommendations:
The next expected TCP packet may not arrive due to congestion in the network which is normal in a busy network. The TCP retransmission mechanism in the end host will retransmit the packet and the session will continue.
Syslogs:
None
----------------------------------------------------------------
tcp-conn-limit
TCP connection limit reached:
This reason is given for dropping a TCP packet during the TCP connection establishment phase when the connection limit has been exceeded. The connection limit is configured with the 'set connection conn-max' action command.
Recommendations:
If this is incrementing rapidly, check the syslogs to determine which host's connection limit is reached. If the traffic is legitimate, or if the host is under attack, the connection limit value may need to be increased.
Syslogs:
201011
----------------------------------------------------------------
tcp-data-past-fin
TCP data send after FIN:
This counter is incremented and the packet is dropped when the appliance receives a new TCP data packet from an endpoint that had sent a FIN to close the connection.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-discarded-ooo
TCP ACK in 3 way handshake invalid:
This counter is incremented and the packet is dropped when appliance receives a TCP ACK packet from client during three-way-handshake and the sequence number is not next expected sequence number.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-dual-open
TCP Dual open denied:
This counter is incremented and the packet is dropped when the appliance receives a TCP SYN packet from the server while an embryonic TCP connection is already open.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-dup-in-queue
TCP dup of packet in Out-of-Order queue:
This counter is incremented and the packet is dropped when appliance receives a retransmitted data packet that is already in our out of order packet queue.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-fo-drop
TCP replicated flow pak drop:
This counter is incremented and the packet is dropped when appliance receives a TCP packet with control flag like SYN, FIN or RST on an established connection just after the appliance has taken over as active unit.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-global-buffer-full
TCP global Out-of-Order packet buffer full:
This counter is incremented and the packet is dropped when the security appliance receives an out-of-order TCP packet on a connection and there are no more global buffers available. Typically TCP packets are put into order on connections that are inspected by the security appliance or when packets are sent to the SSM for inspection. When the global Out-of-Order buffer queue is full, the packet will be dropped and this counter will increment.
Recommendations:
This is a temporary condition when all global buffers are used. If this counter is constantly incrementing, then please check your network for large amounts of Out-of-Order traffic, which could be caused by traffic of the same flow taking different routes through the network.
Syslogs:
None
----------------------------------------------------------------
tcp-invalid-ack
TCP invalid ACK:
This counter is incremented and the packet is dropped when appliance receives a TCP packet with acknowledgement number greater than data sent by peer TCP endpoint.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-mss-exceeded
TCP data exceeded MSS:
This counter is incremented and the packet is dropped when the appliance receives a TCP packet with a data length greater than the MSS advertised by the peer TCP endpoint.
Recommendations:
To allow such TCP packets use exceed-mss configuration under tcp-map
Syslogs:
419001
----------------------------------------------------------------
tcp-not-syn
First TCP packet not SYN:
Received a non-SYN packet as the first packet of a non-intercepted and non-nailed connection.
Recommendations:
Under normal conditions, this may be seen when the appliance has already closed a connection and the client or server still believes the connection is open and continues to transmit data. Some examples where this may occur are just after a 'clear local-host' or 'clear xlate' is issued. Also, if connections have not been recently removed and the counter is incrementing rapidly, the appliance may be under attack. Obtain a sniffer trace to determine the cause.
Syslogs:
106015
----------------------------------------------------------------
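Several entries on this page (tcp-conn-limit and tcp-not-syn just above, sp-security-failed and snp-ha-udp-lu-link-unexpected-packet earlier) tell you to react when a counter is "incrementing rapidly", but show asp drop only prints cumulative totals. The following added example, which is not Cisco code, turns that advice into a check: it parses two show asp drop snapshots taken some seconds apart, derives per-second rates, and reports the watched reasons that exceed a threshold. The snapshots are constructed for the example, and the line layout the regex expects ('<description> (<keyword>) <count>' under 'Frame drop:' / 'Flow drop:' headers) and the 10 packets-per-second threshold are assumptions to adjust for your device.

```python
"""Compare two show asp drop snapshots and flag counters that are rising fast.

Added example, not Cisco code. Assumes counter lines look like
'  <description> (<reason-keyword>)   <count>' under 'Frame drop:' and
'Flow drop:' headers; the sample snapshots below are constructed.
"""
import re

COUNTER_RE = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<reason>[\w.-]+)\)\s+(?P<count>\d+)\s*$")

# Reasons whose entries on this page say a rapid increase may indicate an attack,
# with the action each entry recommends.
WATCH = {
    "tcp-not-syn": "possible attack if no connections were cleared recently; take a sniffer trace",
    "sp-security-failed": "possible attack; capture with type asp and check the source MAC",
    "tcp-conn-limit": "check syslog 201011 for which host reached its connection limit",
    "snp-ha-udp-lu-link-unexpected-packet": "verify whether the appliance is under attack",
}


def parse_asp_drop(text: str) -> dict:
    """Map (section, reason) -> count for every counter line in the output."""
    counters, section = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Frame drop:"):
            section = "frame"
        elif stripped.startswith("Flow drop:"):
            section = "flow"
        elif section and (m := COUNTER_RE.match(line)):
            counters[(section, m["reason"])] = int(m["count"])
    return counters


def drop_rates(before: dict, after: dict, interval_s: float) -> dict:
    """Per-second increase of each counter between two snapshots interval_s apart.

    A counter that decreased means 'clear asp drop' ran in between, so no rate
    can be derived and it is reported as None. A counter missing from the first
    snapshot is taken as 0 (assumption: it was not listed because it was zero).
    """
    rates = {}
    for key, new in after.items():
        old = before.get(key, 0)
        rates[key] = None if new < old else (new - old) / interval_s
    return rates


def alerts(rates: dict, threshold_pps: float = 10.0) -> list:
    """Watched reasons whose rate meets the threshold, highest rate first."""
    hits = [(reason, rate, WATCH[reason])
            for (_section, reason), rate in rates.items()
            if reason in WATCH and rate is not None and rate >= threshold_pps]
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Two constructed snapshots, 60 seconds apart.
SNAPSHOT_T0 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                        1200
  First TCP packet not SYN (tcp-not-syn)                                50
  Slowpath security checks failed (sp-security-failed)                   3
  TCP connection limit reached (tcp-conn-limit)                         10
Last clearing: Never

Flow drop:
  Flow is denied by configured rule (acl-drop)                           7
Last clearing: Never
"""

SNAPSHOT_T1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                        1800
  First TCP packet not SYN (tcp-not-syn)                              5050
  Slowpath security checks failed (sp-security-failed)                   4
  TCP connection limit reached (tcp-conn-limit)                         10
  TCP SYN with data (tcp-syn-data)                                       2
Last clearing: Never

Flow drop:
  Flow is denied by configured rule (acl-drop)                           9
Last clearing: Never
"""

if __name__ == "__main__":
    rates = drop_rates(parse_asp_drop(SNAPSHOT_T0), parse_asp_drop(SNAPSHOT_T1), 60)
    for reason, rate, advice in alerts(rates):
        print(f"{reason}: {rate:.1f}/s -> {advice}")
```

Feed it the output of two show asp drop runs separated by a known interval; in the constructed data only tcp-not-syn exceeds the threshold (about 83 drops per second), which is the case the tcp-not-syn entry says to investigate with a sniffer trace when no connections were recently cleared.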
tcp-paws-fail
TCP packet failed PAWS test:
This counter is incremented and the packet is dropped when TCP packet with timestamp header option fails the PAWS (Protect Against Wrapped Sequences) test.
Recommendations:
To allow such connections to proceed, use tcp-options configuration under tcp-map to clear timestamp option.
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-3whs-failed
TCP proxy three way handshake failed:
This counter is incremented and the packet is dropped when the TCP proxy encounters a error during three way handshake.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-copy-failed-drop
TCP proxy packet copy failed:
This counter is incremented and the packet is dropped when the tcp proxy was unable to copy a packet since it was unable to allocate a new one.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-fp-flow-null-drop
TCP proxy full proxy NULL flow:
This counter is incremented and the packet is dropped when the flow is NULL in full proxy mode.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-fp2lw-enqueue-limit-drop
TCP proxy FP2LW enqueue limit:
This counter is incremented and the packet is dropped when tcp proxy receives a packet while trying to bypass Full Proxy and proxy layer has reached its enqueue limit.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-invalid-tcp-checksum-drop
TCP proxy invalid TCP checksum:
This counter is incremented and the packet is dropped when an RST/FIN packet carrying data is received with an invalid checksum.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-invalid-tcp-state-drop
TCP proxy invalid TCP state:
This counter is incremented and the packet is dropped when the TCB is in an invalid state.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-l2-copy-failed-drop
TCP proxy L2 copy failed:
This counter is incremented and the packet is dropped when the tcp proxy was unable to copy L2 header to a packet in Full Proxy mode.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-l2-no-header-room
TCP proxy L2 no header room:
This counter is incremented and the packet is dropped when there was no header room left for L2 header of a packet in Full Proxy mode.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-l2-not-initialized
TCP proxy L2 not initialized:
This counter is incremented and the packet is dropped when the L2 header of a packet was not initialized in Full Proxy mode.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-lw-ooo-drop
TCP proxy lw OOO:
This counter is incremented and the packet is dropped when the TCP proxy receives an out-of-order packet in lightweight mode. The packet is dropped because of a timeout, an invalidated queue, a duplicate, a stale timestamp, or the global buffer being full.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-mixed-mode-drop
TCP proxy mixed mode drop:
This counter is incremented and the lightweight proxy tx queue is cleared when the TCP proxy is transitioning from lightweight TCP proxy to full TCP proxy. A FIN segment is enqueued while inspection is in progress; when full proxy is triggered, this queue must be cleared.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-mixed-mode-failed
TCP proxy mixed mode failed:
This counter is incremented and the packet is dropped when the TCP proxy encounters a error during mixed mode operation, transitioning from light weight TCP proxy to full mode TCP proxy.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-no-inspection
TCP proxy no inspection:
This counter is incremented and the packet is dropped when tcp proxy couldn't pass the packets for inspection.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-null-flow-drop
TCP proxy NULL flow:
This counter is incremented and the packet is dropped when the TCP proxy receives a packet for a non-existent flow.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-ooo-drop
TCP proxy OOO:
This counter is incremented and the packet is dropped when the TCP proxy receives out-of-order packets for processing in lightweight mode.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-probe-blk-alloc-failed
TCP proxy block allocation during collision:
This counter is incremented and the packet is dropped when block allocation by the TCP proxy fails during a collision.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-probe-client-conn-collision
TCP proxy client connection matches probe tuple:
This counter is incremented and the packet is dropped when a packet from the client matches the probe tuple.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-probe-fin-ack-rcv
ACK received in response to FIN-ACK for probe:
This counter is incremented and the packet is dropped when an ACK is received in response to the FIN-ACK sent to the TCP proxy probe.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-probe-inject-pkt
TCP proxy inject probe packet:
This counter is incremented and the packet is dropped when the TCP proxy probe injects a packet.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-probe-invalid-tcp
Invalid TCP while processing FIN on TCP proxy probe:
This counter is incremented and the packet is dropped when an invalid TCP condition occurs while the TCP proxy probe is processing a FIN.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-probe-lock-fin-fail
Unable to lock TCP during FIN processing on TCP proxy probe:
This counter is incremented and the packet is dropped when the TCP proxy probe cannot lock the TCP during FIN processing.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-probe-max-port-collision
TCP proxy maximum port collision:
This counter is incremented and the packet is dropped when a TCP proxy connection reaches the maximum port collision.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-probe-rst-injected
TCP proxy reset injected during probe:
This counter is incremented and the packet is dropped when Snort injects a RESET after the server hello has completed.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-probe-server-fin
Server initiated FIN to TCP proxy probe:
This counter is incremented and the packet is dropped when a server-initiated FIN is received by the TCP proxy probe.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-probe-server-rst
Server initiated reset message to TCP proxy probe:
This counter is incremented and the packet is dropped when a server-initiated reset message is received by the TCP proxy probe.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-probe-tcp-probe-drop
TCP proxy probe reply:
This counter is incremented and the packet is dropped when a reply to the probe message is received.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-proxy-retransmit-drop
TCP proxy retransmit:
This counter is incremented and the packet is dropped when tcp proxy received a retransmit packet that is still being inspected.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-reserved-set
TCP reserved flags set:
This counter is incremented and the packet is dropped when the appliance receives a TCP packet with reserved flags set in TCP header.
Recommendations:
The packet corruption may be caused by a bad cable or noise on the line. It is also possible that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet. To allow such TCP packets, or to clear the reserved flags and then pass the packet, use the reserved-bits configuration under tcp-map.
Syslogs:
None
----------------------------------------------------------------
tcp-rst-syn-in-win
TCP RST/SYN in window:
This counter is incremented and the packet is dropped when appliance receives a TCP SYN or TCP RST packet on an established connection with sequence number within window but not next expected sequence number.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-rstfin-ooo
TCP RST/FIN out of order:
This counter is incremented and the packet is dropped when appliance receives a RST or a FIN packet with incorrect TCP sequence number.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-seq-past-win
TCP packet SEQ past window:
This counter is incremented and the packet is dropped when appliance receives a TCP data packet with sequence number beyond the window allowed by the peer TCP endpoint.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-seq-syn-diff
TCP SEQ in SYN/SYNACK invalid:
This counter is incremented and the packet is dropped when appliance receives a SYN or SYN-ACK packet during three-way-handshake with incorrect TCP sequence number.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp-syn-data
TCP SYN with data:
This counter is incremented and the packet is dropped when the appliance receives a TCP SYN packet with data.
Recommendations:
To allow such TCP packets use syn-data configuration under tcp-map.
Syslogs:
None
----------------------------------------------------------------
tcp-syn-ooo
TCP SYN on established conn:
This counter is incremented and the packet is dropped when appliance receives a TCP SYN packet on an established TCP connection.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
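The sequence-number and ACK checks described for tcp-invalid-ack, tcp-acked, tcp-rst-syn-in-win, tcp-rstfin-ooo, tcp-seq-past-win and tcp-syn-ooo, modelled as an added example (this is not Cisco's normalizer code). It tracks one established connection with 32-bit wraparound arithmetic and returns the drop-reason keyword for each segment, or None when the segment is accepted and the tracked state advances. Out-of-order buffering, FIN/SYN sequence consumption and the window-scale option are deliberately not modelled, and the handshake is assumed complete; the classification order is this example's choice.

```python
"""Model of the ASA TCP normalizer's sequence and ACK checks.

Added example, not Cisco code. Reproduces the rules this page gives for
tcp-invalid-ack, tcp-acked, tcp-seq-past-win, tcp-rst-syn-in-win,
tcp-rstfin-ooo and tcp-syn-ooo on an established connection.
Assumptions: no out-of-order queue, no FIN/SYN sequence consumption,
no window scaling; the three-way handshake has already completed.
"""
from dataclasses import dataclass

SEQ_MOD = 1 << 32
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits


def seq_lt(a: int, b: int) -> bool:
    """True if sequence number a precedes b in 32-bit wraparound arithmetic."""
    return ((a - b) & 0xFFFFFFFF) > 0x7FFFFFFF


def seq_le(a: int, b: int) -> bool:
    return a == b or seq_lt(a, b)


def in_window(seq: int, nxt: int, wnd: int) -> bool:
    """True if seq lies in [nxt, nxt + wnd) modulo 2**32."""
    return seq_le(nxt, seq) and seq_lt(seq, (nxt + wnd) % SEQ_MOD)


@dataclass
class Endpoint:
    nxt: int    # next sequence number the appliance expects from this endpoint
    acked: int  # highest ACK the peer has sent, i.e. how much of this endpoint's data is acknowledged
    wnd: int    # receive window this endpoint last advertised to its peer


class TcpNormalizer:
    """Per-connection state; check() classifies one segment at a time."""

    def __init__(self, client_isn, server_isn, client_wnd, server_wnd):
        # State immediately after a completed three-way handshake: both ISNs consumed.
        c, s = (client_isn + 1) % SEQ_MOD, (server_isn + 1) % SEQ_MOD
        self.ep = {"client": Endpoint(c, c, client_wnd),
                   "server": Endpoint(s, s, server_wnd)}

    def check(self, sender, seq, ack, flags, payload_len=0, window=None):
        """Return None if the segment is accepted, else the asp drop reason keyword."""
        me = self.ep[sender]
        peer = self.ep["server" if sender == "client" else "client"]
        end = (seq + payload_len) % SEQ_MOD
        # peer.wnd is what the peer will accept from `me`, so it bounds me's data.
        if flags & SYN:
            if seq != me.nxt and in_window(seq, me.nxt, peer.wnd):
                return "tcp-rst-syn-in-win"
            return "tcp-syn-ooo"                      # SYN on an established connection
        if flags & RST and seq != me.nxt:
            if in_window(seq, me.nxt, peer.wnd):
                return "tcp-rst-syn-in-win"           # in window but not the next expected seq
            return "tcp-rstfin-ooo"                   # RST with an incorrect sequence number
        if flags & ACK and seq_lt(peer.nxt, ack):
            return "tcp-invalid-ack"                  # acknowledges data the peer never sent
        if payload_len:
            if seq_le(end, me.acked):
                return "tcp-acked"                    # retransmit of data already ACKed by peer
            if seq_lt((me.nxt + peer.wnd) % SEQ_MOD, end):
                return "tcp-seq-past-win"             # data ends beyond the peer's window
        # Accepted: advance the tracked state.
        if seq_lt(me.nxt, end):
            me.nxt = end
        if flags & ACK and seq_lt(peer.acked, ack):
            peer.acked = ack
        if window is not None:
            me.wnd = window
        return None


if __name__ == "__main__":
    # Constructed exchange: 100 bytes client->server, server ACKs, then bad segments.
    n = TcpNormalizer(client_isn=1000, server_isn=5000, client_wnd=8192, server_wnd=8192)
    print(n.check("client", 1001, 5001, ACK, payload_len=100))   # None (accepted)
    print(n.check("server", 5001, 1101, ACK))                    # None (accepted)
    print(n.check("client", 1001, 5001, ACK, payload_len=100))   # tcp-acked
    print(n.check("client", 1500, 5001, RST | ACK))              # tcp-rst-syn-in-win
```

The in-window RST case is the one worth remembering from a defensive standpoint: a blind reset has to guess a sequence number, and the normalizer only honours an RST whose sequence number is exactly the next expected one, so anything else inside the window lands on tcp-rst-syn-in-win instead of tearing the connection down.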
tcp-synack-data
TCP SYNACK with data:
This counter is incremented and the packet is dropped when the appliance receives a TCP SYN-ACK packet with data.
Recommendations:
The packet corruption may be caused by a bad cable or noise on the line. It is also possible that a TCP endpoint is sending corrupted packets and an attack is in progress. Please use the packet capture feature to learn more about the origin of the packet.
Syslogs:
None
----------------------------------------------------------------
tcp-synack-ooo
TCP SYNACK on established conn:
This counter is incremented and the packet is dropped when appliance receives a TCP SYN-ACK packet on an established TCP connection.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcp_xmit_partial
TCP retransmission partial:
This counter is incremented and the packet is dropped when the check-retransmission feature is enabled and a partial TCP retransmission was received.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcpnorm-rexmit-bad
TCP bad retransmission:
This counter is incremented and the packet is dropped when the check-retransmission feature is enabled and a TCP retransmission with data different from the original packet was received.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
tcpnorm-win-variation
TCP unexpected window size variation:
This counter is incremented and the packet is dropped when the window size advertised by a TCP endpoint changes drastically without that much data having been accepted.
Recommendations:
In order to allow such packet, use the window-variation configuration under tcp-map.
Syslogs:
None
----------------------------------------------------------------
telnet-not-permitted
Telnet not permitted on least secure interface:
This counter is incremented and the packet is dropped when the appliance receives a TCP SYN packet attempting to establish a TELNET session to the appliance on the interface with the lowest security level.
Recommendations:
To establish a TELNET session to the appliance via the least secure interface, first establish an IPSec tunnel to that interface and then connect the TELNET session over that tunnel.
Syslogs:
402117
----------------------------------------------------------------
tfw-no-mgmt-ip-config
No management IP address configured for TFW:
This counter is incremented when the security appliance receives an IP packet in transparent mode and has no management IP address defined. The packet is dropped.
Recommendations:
Configure the device with management IP address and mask values.
Syslogs:
322004
----------------------------------------------------------------
ttl-exceeded
ttl exceeded:
This counter is incremented when the security appliance receives an IP packet whose ttl (time to live) value has exceeded the allowed limit. Specifically, the packet is dropped if its ttl is less than 1, or if its ttl is 1 and the set connection decrement-ttl command is configured.
Syslogs:
None.
----------------------------------------------------------------
tunnel-pending
Tunnel being brought up or torn down:
This counter is incremented when the appliance receives a packet that matches an entry in the security policy database (that is, a crypto map) but the security association is still being negotiated and is not yet complete.
This counter is also incremented when the appliance receives a packet that matches an entry in the security policy database but the security association has been or is being deleted. The difference between this indication and the "Tunnel has been torn down" indication is that the latter is for established flows.
Recommendations:
This is a normal condition when an IPSec tunnel is being negotiated or torn down.
Syslogs:
None
----------------------------------------------------------------
unable-to-add-flow
Flow hash full:
This counter is incremented when a newly created flow is inserted into the flow hash table and the insertion fails because the hash table is full. The flow and the packet are dropped. This is different from the counter that is incremented when the maximum connection limit is reached.
Recommendations:
This message signifies lack of resources on the device to support an operation that should have been successful. Please check if the connections in the 'show conn' output have exceeded their configured idle timeout values. If so, contact the Cisco Technical Assistance Center (TAC).
Syslogs:
None.
----------------------------------------------------------------
unable-to-add-to-owner-table
Packet dropped due to failure to add an entry to the owner table:
This counter is incremented when a cluster node fails to add the owner entry for the connection.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
unable-to-create-flow
Flow denied due to resource limitation:
このカウンタは、システム リソースが制限されているため、フローの作成が失敗すると増分し、パケットはドロップされます。リソースの制限は、次のとおりです。
1) system memory
2) packet block extension memory
3) system connection limit
Causes 1 and 2 will occur simultaneously with flow drop reason "No memory to complete flow".
Recommendations:
- Observe if free system memory is low.
- Observe if flow drop reason "No memory to complete flow" occurs.
- Observe if connection count reaches the system connection limit with the command "show resource usage".
Syslogs:
None
----------------------------------------------------------------
unable-to-create-vpn-fwd-cflow
Packet dropped due to resource limitation:
This counter is incremented when we fail to create a cluster stub flow in the peer receiving a forwarded VPN decoded packet.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
unable-to-find-owner
Packet dropped due to failure to find the owner:
This counter is incremented when a cluster node fails to find the owner for the connection from the VPN director.
Recommendations:
Check whether the Director node is ready to process queries.
Syslogs:
None.
----------------------------------------------------------------
unable-to-find-vpn-context
Packet dropped due to failure to find the VPN context:
This counter is incremented when a cluster peer tries to encrypt a packet but fails to get the VPN context.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
unable-to-replicate-packets
Packet dropped and not replicated due to resource limitation:
In the case of a shared interface, multicast and broadcast traffic must be looped back. When the 'packet block extension memory' system resource limit is reached, this counter is incremented, the packet is dropped, and the packet is not replicated to other contexts.
Recommendations:
- Observe if free system memory is low.
Syslogs:
None
----------------------------------------------------------------
unexpected-packet
Unexpected packet:
This counter is incremented when the appliance in transparent mode receives a non-IP packet destined to its MAC address, but there is no corresponding service running on the appliance to process the packet.
Recommendations:
Verify if the appliance is under attack. If there are no suspicious packets, or the device is not in transparent mode, this counter is most likely being incremented due to a software error. Identify the traffic that is causing the counter to increment and contact the Cisco TAC.
Syslogs:
None
----------------------------------------------------------------
unsupport-ipv6-hdr
Unsupported IPv6 header:
This counter is incremented and the packet is dropped when an IPv6 packet with an unsupported IPv6 extension header is received. The supported IPv6 extension headers are TCP, UDP, ICMPv6, ESP, AH, Hop-by-Hop options, Destination options, and Fragment. The IPv6 routing extension header is not supported, nor is any extension header other than those listed above. IPv6 ESP and AH headers are supported only for through-the-box packets. To-the-box IPv6 ESP and AH packets are not supported and are dropped.
Recommendations:
This error may be due to a misconfigured host. If this error recurs or occurs many times, it may indicate spoofed or malicious activity such as a DoS attack.
Syslogs:
None.
----------------------------------------------------------------
unsupported-ip-version
Unsupported IP version:
This counter is incremented when the security appliance receives an IP packet that has an unsupported version in the version field of the IP header. Specifically, the packet does not belong to version 4 or version 6. The packet is dropped.
Recommendations:
Verify that other devices on the connected network are configured to send IP packets belonging to versions 4 or 6 only.
Syslogs:
None.
----------------------------------------------------------------
unsupported_8021q_vlan_tags
Unsupported 802.1Q VLAN tags:
This counter is incremented and the packet dropped when the security appliance receives a packet with too many layers of VLAN tags.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
uztna-policy-data-not-found
Hybrid Zero-Trust Policy data not found:
This counter is incremented and the packet is dropped when the policy data associated with a hybrid zero-trust flow cannot be found.
Recommendations:
None
Syslogs:
None.
----------------------------------------------------------------
uztna-src-translation-failure
universal-zero-trust SRC NAT POOL exhaustion:
This counter is incremented and the packet is dropped when source translation is configured for universal zero-trust traffic but the whole pool is already in use.
Recommendations:
This may indicate that the IP addresses configured for translating the source of traffic destined for universal zero-trust applications are insufficient. Consider adding more IP addresses to the source translation pool.
Syslogs:
None.
----------------------------------------------------------------
vaccess-channel
Vaccess channel drop:
This counter is incremented when the security appliance attempts to forward a packet through a vaccess interface channel. The packet is dropped.
Recommendations:
In the expected scenario, packets forwarded to the vaccess interface are dropped (for example, ICMP, multicast, and so on).
Syslogs:
None.
----------------------------------------------------------------
vPath-license-failure
Packet dropped due to vPath license failure:
Traffic is dropped due to licensing failure for ASA 1000V.
Recommendations:
Check the Nexus 1000V and verify that enough ASA 1000V licenses are installed to support all the ASA 1000V virtual machines in use. Use "show license" to check the available licenses for ASA 1000V and use "show license usage" to check their status.
Syslogs:
4450002.
----------------------------------------------------------------
vpn-cflow-fail-due-to-full-flow
Packet dropped due to a conflicting full flow:
This counter is incremented when we fail to create a cluster stub flow in the peer receiving a forwarded VPN decoded packet, because there is already a full flow.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
vpn-context-expired
Expired VPN context:
This counter is incremented when the security appliance receives a packet that requires encryption or decryption and the ASP VPN context needed to perform the operation is no longer valid.
Recommendations:
This indicates a software error that should be reported to the Cisco TAC.
Syslogs:
None
----------------------------------------------------------------
vpn-handle-error
VPN Handle Error:
This counter is incremented when the appliance is unable to create a VPN handle because the VPN handle already exists.
Recommendations:
It is possible to see this counter increment as part of normal operation. However, if the counter is rapidly incrementing and there is a major malfunction of VPN-based applications, then this may be caused by a software defect. Contact the Cisco TAC to investigate the issue further.
Syslogs:
None.
----------------------------------------------------------------
vpn-handle-mismatch
VPN Handle Mismatch:
This counter is incremented when the appliance wants to forward a block and the flow referred to by the VPN Handle is different than the flow associated with the block.
Recommendations:
This is not a normal occurrence. Run show console-output and send the output to the Cisco TAC for further analysis.
Syslogs:
None.
----------------------------------------------------------------
vpn-lock-error
IPSec locking error:
This counter is incremented when a VPN flow cannot be created because of an internal locking error.
Recommendations:
This condition should not occur during normal operation and may indicate a software problem on the appliance. If this error occurs, contact the Cisco Technical Assistance Center (TAC).
Syslogs:
None.
----------------------------------------------------------------
vpn-overlap-conflict
VPN Network Overlap Conflict:
When a packet is decrypted, the inner packet is checked against the crypto map configuration. If the packet matches a crypto map entry different from the one on which it was received, the packet is dropped and this counter is incremented. A common cause is two crypto map entries that contain similar or overlapping address spaces.
Recommendations:
Check the VPN configuration for overlapping networks. Verify the crypto map ordering and the use of "deny" rules in the ACLs.
Syslogs:
None
----------------------------------------------------------------
vpn-reclassify-failed
VPN Reclassify Failed:
This counter is incremented when a packet for a VPN flow is dropped due to the flow failing to be reclassified after a VPN state change.
Recommendations:
This counter is incremented when a packet for a VPN flow arrives that requires reclassification due to VPN CLI or Tunnel state changes. If the flow no longer matches the existing policies, then the flow is freed and the packet dropped.
Syslogs:
No new syslogs accompany this event.
----------------------------------------------------------------
vtemplate-channel
Vtemplate channel drop:
This counter is incremented when the security appliance attempts to forward a packet through a virtual template interface channel. The packet is dropped.
Recommendations:
In the expected scenario, packets forwarded to the virtual template interface are dropped (for example, ICMP, multicast, and so on).
Syslogs:
None.
----------------------------------------------------------------
vti-channel
VTI channel drop:
This counter is incremented when the security appliance attempts to forward a packet through a VTI interface channel. The packet is dropped.
Recommendations:
In the expected scenario, packets forwarded to the VTI interface are dropped (for example, ICMP, multicast, and so on).
Syslogs:
None.
----------------------------------------------------------------
vxlan-ccl-inner-dip-not-found
Peer CCL inner IP not found:
This counter is incremented when the security appliance fails to find the peer CCL inner destination IP.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
vxlan-encap-error
Fail to encap with VXLAN:
This counter is incremented when the security appliance fails to encapsulate a packet with VXLAN.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
vxlan-invalid-header
Invalid VXLAN header format:
This counter is incremented when the security appliance receives a UDP packet with the correct VXLAN destination port number but fails to decode the VXLAN header.
Recommendations:
None.
Syslogs:
778004.
----------------------------------------------------------------
vxlan-invalid-header-thru-traffic
Invalid VXLAN header format for through-the-box traffic:
This counter is incremented when the security appliance receives a through-the-box UDP packet with the correct VXLAN destination port number but fails to decode the VXLAN header.
Recommendations:
None.
Syslogs:
778008.
----------------------------------------------------------------
vxlan-invalid-nve-peer
VXLAN packet from an invalid NVE peer:
This counter is incremented when the security appliance receives a VXLAN packet from an NVE peer that is not configured.
Recommendations:
None.
Syslogs:
778007.
----------------------------------------------------------------
vxlan-invalid-udp-checksum
Invalid VXLAN header format:
This counter is incremented when the security appliance receives a VXLAN packet with an incorrect checksum value in the UDP header.
Recommendations:
None.
Syslogs:
778006.
----------------------------------------------------------------
vxlan-invalid-vni-mcast-ip
Invalid Multicast IP on VNI interface:
This counter is incremented when the security appliance fails to obtain the multicast group IP from the VNI interface.
Recommendations:
If no peer NVE is configured, verify that a valid multicast group IP is configured on the VNI interface.
Syslogs:
None.
----------------------------------------------------------------
vxlan-missing-peer-vtep-ip
Peer VTEP IP not found:
This counter is incremented when the security appliance fails to find the peer VTEP IP for an inner destination IP during VXLAN encapsulation.
Recommendations:
Verify in show arp vtep-mapping, show mac-address-table vtep-mapping, or show ipv6 neighbor vtep-mapping that a VTEP IP is present for the desired remote inner host.
Syslogs:
None.
----------------------------------------------------------------
wccp-redirect-no-route
No route to Cache Engine:
This counter is incremented when the security appliance attempts to redirect a packet and cannot find a route to the Cache Engine.
Recommendations:
Verify that a route exists for Cache Engine.
Syslogs:
None.
----------------------------------------------------------------
wccp-return-no-route
No route to host for WCCP returned packet:
This counter is incremented when a packet is returned from the Cache Engine and the security appliance cannot find a route to the original source of the packet.
Recommendations:
Verify that a route exists for the source ip address of the packet returned from Cache Engine.
Syslogs:
None.
----------------------------------------------------------------
x-link2state
Blocked or blacklisted by the x-link2state preprocessor:
This counter is incremented and the packet is dropped as requested by the x-link2state preprocessor.
Recommendations:
Review the snort output in packet tracer or capture with trace enabled.
Syslogs:
None.
----------------------------------------------------------------
zta-src-translation-failure
ZeroTrustAccess SRC NAT POOL exhaustion:
This counter is incremented and the packet is dropped when source translation is configured for zero-trust traffic but the whole pool is already in use.
Recommendations:
This may indicate that the IP addresses configured for translating the source of traffic destined for zero-trust applications are insufficient. Consider adding more IP addresses to the source translation pool.
Syslogs:
None.
----------------------------------------------------------------
Flow Drop Reasons
acl-drop
Flow is denied by access rule:
This counter is incremented when a drop rule is hit by the packet and flow creation is denied. This rule could be a default rule created when the box comes up, when various features are turned on or off, when an ACL is applied to an interface, or by any other feature. Apart from default rule drops, a flow could be denied because of:
1) ACL configured on an interface
2) ACL configured for AAA and AAA denied the user
3) Thru-box traffic arriving at management-only ifc
4) Unencrypted traffic arriving on an ipsec-enabled interface
5) Implicit deny 'ip any any' at the end of an ACL
Recommendations:
Observe if one of the syslogs related to packet drops is fired. A flow drop results in the corresponding packet drop, which fires the requisite syslog.
Syslogs:
None.
----------------------------------------------------------------
acl-drop-reclassify
Flow is denied by access rule after reclassification:
This counter is incremented when a drop rule is hit by the packet during reclassification of the ACL rules.
Recommendations:
Observe if one of the syslogs related to packet drops is fired. A flow drop results in the corresponding packet drop, which fires the requisite syslog.
Syslogs:
None.
----------------------------------------------------------------
asa-teardown
ASA requested flow to be torn down:
The ASA requested that the flow be removed.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
audit-failure
Audit failure:
A flow was freed after matching an "ip audit" signature that had reset as the associated action.
Recommendations:
If removing the flow is not the desired outcome of matching this signature, then remove the reset action from the "ip audit" command.
Syslogs:
None
----------------------------------------------------------------
bfd-flag-not-set
BFD flag not set for UDP BFD flow:
This counter is incremented when a UDP flow using the BFD port from the vaccess interface to the identity interface is created without the BFD flag set.
Recommendations:
Check the BFD configuration on the interface.
Syslogs:
None.
----------------------------------------------------------------
channel-closed
Channel closed:
This counter is incremented when the channel is closed.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
children-limit
Max per-flow children limit exceeded:
The number of child flows associated with one parent flow exceeds the internal limit of 200.
Recommendations:
This message indicates that either the application is misbehaving or an attempt is being made to exhaust firewall memory. Use the "set connection per-client-max" command to further fine tune the limit. For FTP, additionally enable the "strict" option in "inspect ftp".
Syslogs:
210005
----------------------------------------------------------------
clean_for_vpn_stub
Clean up for creation of a new VPN stub:
This reason is given for tearing down a conflicting connection in preparation for a new vpn stub connection.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
closed-by-block-reset
Flow is cleared on receiving block with reset:
Snort sent a block with reset.
Recommendations:
This counter is informational and the behavior is expected.
Syslogs:
None.
----------------------------------------------------------------
closed-by-inspection
Flow closed by inspection:
The flow is terminated when an error is detected during application inspection. For example, if an error is detected while inspecting an H323 message, the corresponding H323 flow is terminated.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-ccl-backup
Cluster CCL backup:
A Cluster data packet was received over CCL on a backup unit, when it should have been received on the owner+director unit.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
cluster-ccl-bad-unxlate-redirect
Cluster member dropped an unexpected NAT untranslate redirect packet from peer:
Dynamic PAT pool owner received a NAT untranslate packet from peer. However it matches a director stub flow.
Recommendations:
This counter reflects a temporary condition after a cluster member failure. However, if this counter is incremented continuously, there could be a timing issue that caused the error. Contact Cisco Systems in such a case.
Syslogs:
None.
----------------------------------------------------------------
cluster-cflow-clu-closed
Cluster flow with CLU closed on owner:
Director/backup unit received a cluster flow clu delete message from the owner unit and terminated the flow.
Recommendations:
This counter should increment for every replicated clu that is torn down on the owner unit.
Syslogs:
None.
----------------------------------------------------------------
cluster-cflow-clu-timeout
Cluster flow with CLU removed due to idle timeout:
A cluster flow with CLU is considered idle if the director/backup unit no longer receives the periodic update from the owner, which is supposed to happen at a fixed interval while the flow is alive.
Recommendations:
This counter is informational.
Syslogs:
None.
----------------------------------------------------------------
cluster-cflow-isakmp-owner-closed
Cluster flow closed on ISAKMP owner:
Director/backup unit received an isakmp redirected packet from a forwarding unit and terminated the flow.
Recommendations:
This counter should increment for every cflow torn down by isakmp redirected packet on the isakmp owner unit.
Syslogs:
None.
----------------------------------------------------------------
cluster-cflow-nat-pool-removed
Cluster flow is removed due to non-existent nat pool:
Deleting a director/backup flow as it is referring to a NAT pool IP which is already removed.
Recommendations:
This counter is informational.
Syslogs:
None.
----------------------------------------------------------------
cluster-cflow-stale-clu-closed
Cluster flow with CLU removed due to stale owner:
A cluster flow was removed because it has stale owner info. Stale info can happen due to missing CLU_DELETE as normally this is not a reliable msg.
Recommendations:
This counter is informational.
Syslogs:
None.
----------------------------------------------------------------
cluster-convert-to-dirbak
Forwarding or redirect flow converted to director or backup flow:
Forwarding or redirect flow is removed, so that director or backup flow can be created.
Recommendations:
This counter is informational and the behavior expected.
Syslogs:
None.
----------------------------------------------------------------
cluster-ctp-punt-channel-missing
Flow removed at bulk sync because CTP punt channel is missing:
The flow is removed during bulk sync because the flow restored in the cluster has no CTP punt channel.
Recommendations:
The cluster control node may have just left the cluster, and there might be packet drops on the Cluster Control Link.
Syslogs:
302014
----------------------------------------------------------------
cluster-dir-removed-dup-owner
Duplicated owner flow removed by director:
Another unit owns the flow, so director deleted the flow on this unit.
Recommendations:
This counter is informational and the behavior is expected.
Syslogs:
None.
----------------------------------------------------------------
cluster-director-change
The flow director changed due to a cluster join event:
A new unit joined the cluster and is now the director for the flow. The old director/backup has removed its flow and the flow owner will update the new director.
Recommendations:
This counter is informational and the behavior expected.
Syslogs:
None.
----------------------------------------------------------------
cluster-director-closed
Flow removed due to director flow closed:
Owner unit received a cluster flow clu delete message from the director unit and terminated the flow.
Recommendations:
This counter should increment for every replicated clu that is torn down on the director unit.
Syslogs:
None.
----------------------------------------------------------------
cluster-drop-on-data-node
Flow matched a cluster drop-on-data-node classify rule:
This occurs when packets from an L3 subnet are seen by all units but only the control node should process them.
Recommendations:
This counter is informational and the behavior expected. The packet is handled by the control node.
Syslogs:
None.
----------------------------------------------------------------
cluster-dup-owner-to-dir
Duplicated owner flow detected, and I will become a director later:
Another unit owns the flow, so need to delete my flow in order to create a director flow in its place later.
Recommendations:
This counter is informational and the behavior is expected.
Syslogs:
None.
----------------------------------------------------------------
cluster-mcast-owner-change
The multicast flow owner changed due to a cluster join or leave event:
This flow gets created on a new owner unit.
Recommendations:
This counter is informational and the behavior expected.
Syslogs:
None.
----------------------------------------------------------------
cluster-mobility-backup-removed
Flow mobility has backup removed:
Flow mobility moved this flow to another unit. This backup will be removed because the new owner and director are on different nodes.
Recommendations:
This counter is informational and the behavior expected.
Syslogs:
None.
----------------------------------------------------------------
cluster-mobility-fwder-removed
Flow mobility has old fwder removed:
Flow mobility moved this flow to another unit. This old fwder will be removed because it's turning into a backup.
Recommendations:
This counter is informational and the behavior expected.
Syslogs:
None.
----------------------------------------------------------------
cluster-mobility-owner-2-dir
Flow mobility has old owner/director changed to director only:
Flow mobility moved this flow to another unit. This unit was previously both the owner and the director, but now hosts only the director flow.
Recommendations:
This counter is informational and the behavior expected.
Syslogs:
None.
----------------------------------------------------------------
cluster-mobility-owner-removed
Flow mobility has old owner removed:
Flow mobility moved this flow to another unit. This old owner will be removed.
Recommendations:
This counter is informational and the behavior expected.
Syslogs:
None.
----------------------------------------------------------------
cluster-owner-2-dir
Another owner overrides me, and I will become a director later:
Another unit owns the flow, and asks me to delete my flow in order to create a director flow in its place later.
Recommendations:
This counter is informational and the behavior is expected.
Syslogs:
None.
----------------------------------------------------------------
cluster-owner-2-fwd
Another owner overrides me, and I will become a forwarder later:
Another unit owns the flow, and asks me to delete my flow in order to create a forwarder flow in its place later.
Recommendations:
This counter is informational and the behavior is expected.
Syslogs:
None.
----------------------------------------------------------------
cluster-parent-owner-left
Flow removed at bulk sync because parent flow is gone:
The flow is removed during bulk sync because the parent flow's owner has left the cluster.
Recommendations:
This counter is informational and the behavior expected.
Syslogs:
302014
----------------------------------------------------------------
cluster-pinhole-control-node-change
Control node only pinhole flow removed at bulk sync due to control node change:
A control-node-only pinhole flow was removed during bulk sync because the cluster control node changed.
Recommendations:
This counter is informational and the behavior expected.
Syslogs:
302014
----------------------------------------------------------------
cluster-redirect
Flow matched a cluster redirect classify rule:
A stub forwarding flow will thereafter forward packets to the cluster unit that owns the flow.
Recommendations:
This counter is informational and the behavior expected. The packet was forwarded to the owner over the Cluster Control Link.
Syslogs:
None.
----------------------------------------------------------------
cluster-removed-stale-stub
Stale stub flow removed by owner:
This is a stale stub flow, so owner deleted the flow on this unit.
Recommendations:
This counter is informational and the behavior is expected.
Syslogs:
None.
----------------------------------------------------------------
conn-limit-exceeded
Connection limit exceeded:
This reason is given for closing a flow when the connection limit has been exceeded. The connection limit is configured via the 'set connection conn-max' action command.
Recommendations:
None.
Syslogs:
201011
----------------------------------------------------------------
connection-timeout
Connection timeout:
This counter is incremented when a flow is closed because its inactivity timer expired.
Recommendations:
No action required.
Syslogs:
302014, 302016, 302018, 302021
----------------------------------------------------------------
ctm-crypto-request-error
CTM crypto request error:
This counter is incremented each time CTM cannot accept a crypto request. This usually means the crypto hardware request queue is full.
Recommendations:
Issue the show crypto protocol statistics ssl command and contact the Cisco TAC with this information.
Syslogs:
None.
----------------------------------------------------------------
cxsc-bad-hdl
Flow terminated by ASA due to bad handle from CX
The flow is dropped because the handle received from CX is invalid.
Recommendations:
Check syslogs and alerts on CXSC module.
Syslogs:
421004
----------------------------------------------------------------
cxsc-fail-close
CXSC fail-close:
This reason is given for terminating a flow since CXSC card is down and fail-close option was used with CXSC action.
Recommendations:
Check and bring up CXSC card
Syslogs:
429001
----------------------------------------------------------------
cxsc-request
Flow terminated by CXSC:
This reason is given for terminating a flow as requested by CXSC module.
Recommendations:
Check syslogs and alerts on CXSC module.
Syslogs:
429002
----------------------------------------------------------------
dtls-hello-close
DTLS hello close:
This counter is incremented when the UDP connection is dropped after the DTLS client hello message processing is finished. This does not indicate an error.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
dynamic-filter
Flow matched dynamic-filter blacklist:
The flow matched a dynamic-filter blacklist or greylist entry with a threat level higher than the threat-level threshold configured to drop traffic.
Recommendations:
Use the internal IP address to track down the infected host. Take remediation steps to remove the infection.
Syslogs:
None.
----------------------------------------------------------------
fin-timeout
FIN Timeout:
This reason is given for closing a TCP flow due to expiry of the half-closed timer.
Recommendations:
If these are valid sessions that take longer to close a TCP flow, increase the half-closed timeout.
Syslogs:
302014
----------------------------------------------------------------
flow-missing-snort-info
Snort inspected flow missing pdts snort info:
This reason is given for terminating a flow because the connection lacks snort related structure.
Recommendations:
No action required.
Syslogs:
None.
----------------------------------------------------------------
flow-reclaimed
Non-tcp/udp flow reclaimed for new request:
This counter is incremented when a reclaimable flow is removed to make room for a new flow. This occurs only when the number of flows through the appliance equals the maximum number permitted by the software-imposed limit and a new flow request is received. When this happens, if the number of reclaimable flows exceeds the number of VPN tunnels permitted on the appliance, the oldest reclaimable flow is removed to make room for the new flow. All flows except the following are considered reclaimable:
1. TCP, UDP, GRE and Failover flows
2. ICMP flows if ICMP stateful inspection is enabled
3. ESP flows to the appliance
Recommendations:
No action is required if this counter is increasing slowly. If this counter is increasing rapidly, it may mean that the appliance is under attack and is spending more time reclaiming and rebuilding flows.
Syslogs:
302021
----------------------------------------------------------------
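Several entries on this page (unexpected-packet, vpn-handle-error, cluster-ccl-bad-unxlate-redirect, flow-reclaimed) tell the operator to act only when a counter is incrementing rapidly, which means comparing two show asp drop snapshots rather than reading one. The script below is an added example and is not part of this command reference or of any Cisco tool. It assumes the output layout described in the usage guidelines (a description line with the drop-reason keyword in parentheses beside it, followed by the count, under "Frame drop:" and "Flow drop:" headings with a "Last clearing:" line); the two snapshots are constructed sample text, the watch list is taken from the entries on this page, and the rate threshold is an arbitrary assumption to be tuned per deployment.

```python
import re
from typing import Dict, Tuple

# Constructed sample snapshots taken 60 seconds apart (not real device output).
# The layout (description, keyword in parentheses, count; "Frame drop:" /
# "Flow drop:" headings; "Last clearing:" line) is an assumption based on the
# reference's description of the output.
SNAPSHOT_T0 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                           1262
  Unexpected packet (unexpected-packet)                                     2
  ttl exceeded (ttl-exceeded)                                              40
Last clearing: Never

Flow drop:
  Non-tcp/udp flow reclaimed for new request (flow-reclaimed)              15
  Connection timeout (connection-timeout)                               88123
Last clearing: Never
"""

SNAPSHOT_T1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                           1300
  Unexpected packet (unexpected-packet)                                     2
  ttl exceeded (ttl-exceeded)                                              45
Last clearing: Never

Flow drop:
  Non-tcp/udp flow reclaimed for new request (flow-reclaimed)            2115
  Connection timeout (connection-timeout)                               90000
Last clearing: Never
"""

# One counter line: indented description, "(keyword)", then the count.
LINE_RE = re.compile(
    r"^\s+(?P<desc>.+?)\s+\((?P<key>[A-Za-z0-9_-]+)\)\s+(?P<count>\d+)\s*$"
)

# Keyed by (section, keyword) because the same keyword (e.g. acl-drop) exists
# in both the frame-drop and the flow-drop tables.
Counters = Dict[Tuple[str, str], int]


def parse_asp_drop(text: str) -> Counters:
    """Parse one show asp drop snapshot into {(section, keyword): count}."""
    counters: Counters = {}
    section = None
    for line in text.splitlines():
        # Section headings are unindented and end with "drop:".
        if not line.startswith(" ") and line.rstrip().endswith("drop:"):
            section = line.split()[0].lower()  # "frame" or "flow"
            continue
        m = LINE_RE.match(line)
        if m and section:
            counters[(section, m.group("key"))] = int(m.group("count"))
    return counters


def counter_deltas(before: Counters, after: Counters) -> Counters:
    """Return only the counters that grew, with the amount of growth."""
    deltas: Counters = {}
    for key, value in after.items():
        # A counter missing from the earlier snapshot is treated as 0 (it may
        # have been cleared with clear asp drop in between).
        increase = value - before.get(key, 0)
        if increase > 0:
            deltas[key] = increase
    return deltas


# Counters whose entries on this page say a rapid or continuous increase
# warrants investigation.
WATCH = {
    ("frame", "unexpected-packet"),
    ("frame", "vpn-handle-error"),
    ("flow", "cluster-ccl-bad-unxlate-redirect"),
    ("flow", "flow-reclaimed"),
}


def flag_counters(before: str, after: str, elapsed_s: float,
                  threshold_per_s: float = 10.0):
    """Return sorted (section, keyword) pairs from WATCH whose growth rate
    between the two snapshots is at or above threshold_per_s (an assumed,
    tunable value)."""
    deltas = counter_deltas(parse_asp_drop(before), parse_asp_drop(after))
    return sorted(k for k, inc in deltas.items()
                  if k in WATCH and inc / elapsed_s >= threshold_per_s)


if __name__ == "__main__":
    for section, key in flag_counters(SNAPSHOT_T0, SNAPSHOT_T1, 60):
        print(f"{section} drop counter {key} is increasing rapidly")
```

In the sample, acl-drop and connection-timeout also grew, but they are expected to climb on a busy firewall and are not on the watch list; only flow-reclaimed (2100 in 60 seconds) is reported, which is the situation the flow-reclaimed entry describes as a possible attack on the appliance.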
fo-primary-closed
Failover primary closed:
The standby unit received a flow delete message from the active unit and terminated the flow.
Recommendations:
If the appliance is performing stateful failover, this counter should increment for every replicated connection that is torn down on the standby appliance.
Syslogs:
302014, 302016, 302018
----------------------------------------------------------------
fo-standby
Flow closed by failover standby:
If a through-the-box packet arrives at an appliance or context that is in a Standby state and a flow is created, the packet is dropped and the flow removed. This counter is incremented each time a flow is removed in this manner.
Recommendations:
This counter should not be incremented on an active appliance or context. However, it is normal for it to increment on the standby appliance or context.
Syslogs:
302014, 302016, 302018
----------------------------------------------------------------
fo_rep_err
Standby flow replication error:
The standby unit failed to replicate a flow.
Recommendations:
If the appliance is processing VPN traffic, this counter could be constantly increasing on the standby unit because the flow could be replicated before the IKE SA info. No action is required in this case. If the appliance is not processing VPN traffic, this indicates a software defect: turn on the debug with "debug fover fail" on the standby unit, collect the debug output, and report the problem to the Cisco TAC.
Syslogs:
302014, 302016, 302018
----------------------------------------------------------------
fover-idle-timeout
Flow removed from standby unit due to idle timeout:
A flow is considered idle if the standby unit no longer receives the periodic update from the active unit, which is supposed to happen at a fixed interval while the flow is alive. This counter is incremented when such a flow is removed from the standby unit.
Recommendations:
Syslogs:
None.
----------------------------------------------------------------
geneve-encap-error
Fail to encap with Geneve:
This counter is incremented when the security appliance fails to encapsulate a packet with Geneve for the flow.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
host-removed
Host is removed:
Flow removed in response to "clear local-host" command.
Recommendations:
This is an informational counter.
Syslogs:
302014, 302016, 302018, 302021, 305010, 305012, 609002
----------------------------------------------------------------
ifc-addr-chg
Stale Ike flow with incorrect outbound ifc, cleared as part of Address change/removal on tunnel src interface(vti):
This reason is given when a stale IKE flow with an incorrect outbound ifc is terminated, which happens because of an ip/ipv6 address change or removal on the tunnel source interface.
Recommendations:
No action required.
Syslogs:
None.
----------------------------------------------------------------
ifc-vrf-chg
Interface experienced a VRF change:
This reason is given for terminating a flow because the parent interface has moved from one VRF to another.
Recommendations:
No action required.
Syslogs:
None.
----------------------------------------------------------------
ifc-zn-chg
Interface experienced a zone change:
This reason is given for terminating a flow because the parent interface has joined or left a zone.
Recommendations:
No action required.
Syslogs:
302014, 302016, 302018, 302021, 302304
----------------------------------------------------------------
ike-pkt-with-bad-spi
Flow removed for IKE packet with corrupted or expired SPI:
This counter is incremented and the flow is dropped when the IKE packet in this flow gets dropped due to corrupted or expired SPI.
Recommendations:
Check the syslog to get more information about the origin of the packet. This condition is normal and may be transient. If the drops persist, contact the TAC for further investigation.
Syslogs:
753001
----------------------------------------------------------------
inspect-fail
Inspection failure:
This counter is incremented when the appliance fails to enable protocol inspection, which is performed by the NP, for the connection. This may be due to a memory allocation failure or, for ICMP error messages, because the appliance cannot find the established connection related to the frame embedded in the ICMP error message.
Recommendations:
Check the system memory usage. For ICMP error messages, if the cause is an attack, you can deny the host using an ACL.
Syslogs:
313004 for ICMP error.
----------------------------------------------------------------
inspect-scansafe-server-not-reachable
Scansafe server is not configured or the cloud is down:
Either the scansafe server IP is not specified in the scansafe general options or the scansafe server is not reachable.
Recommendations:
This counter is informational and the behavior expected.
Syslogs:
None.
----------------------------------------------------------------
invalid-geneve-segment-id
Invalid Geneve segment-id:
This counter is incremented when the security appliance sees an invalid Geneve segment-id attached to a flow.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
invalid-map-address-port
Invalid MAP address/port combination:
A packet whose address matches the basic mapping rule of a MAP (Mapping of Address and Port) domain is inconsistently encoded, or the port number used is not within the assigned range.
Recommendations:
Check the MAP BR and CE configurations and verify that they are consistent within the same MAP domain. Note that this can also be caused by a rogue MAP CE maliciously attempting to use ports that are not assigned to it.
Syslogs:
305019, 305020
----------------------------------------------------------------
invalid-peer-nve
Invalid peer NVE:
This counter is incremented when the security appliance fails to get IP and MAC address of a peer NVE for a flow.
Recommendations:
Verify that peer nve is configured or learned for the nve.
Syslogs:
None.
----------------------------------------------------------------
invalid-vxlan-segment-id
Invalid VXLAN segment-id:
This counter is incremented when the security appliance sees an invalid VXLAN segment-id attached to a flow.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
ips-conn-timeout
IPS CONN timeout:
This reason is given when an optimized state-tracking lightweight TCP flow is terminated because the connection timer expired.
Recommendations:
If these are valid sessions which take longer to establish a connection, increase the embryonic timeout.
Syslogs:
302014
----------------------------------------------------------------
ips-fail-close
IPS fail-close:
This reason is given for terminating a flow since IPS card is down and fail-close option was used with IPS inspection.
Recommendations:
Check and bring up IPS card
Syslogs:
420001
----------------------------------------------------------------
ips-license-disabled-fail-close
IPS module license disabled:
This reason is given for terminating a flow when the IPS module license is disabled and the fail-close option was used in IPS inspection.
Recommendations:
Please apply an activation key that has the IPS Module License enabled.
Syslogs:
420008
----------------------------------------------------------------
ips-request
Flow terminated by IPS:
This reason is given for terminating a flow as requested by IPS module.
Recommendations:
Check syslogs and alerts on IPS module.
Syslogs:
420002
----------------------------------------------------------------
ips-syn-timeout
IPS SYN Timeout:
This reason is given when an optimized state-tracking lightweight TCP flow is terminated because the embryonic (initial) timer expired.
Recommendations:
If these are valid sessions which take longer to establish a connection, increase the embryonic timeout.
Syslogs:
302014
----------------------------------------------------------------
ipsec-detunnel-fail
IPsec detunnel processing failed:
This counter is incremented when a clear-text flow fails IPSec tunnel flow processing.
Recommendations:
Use the following command to look at more specific packet drops.
show asp drop
Syslogs:
None
----------------------------------------------------------------
ipsec-selector-failure
IPSec VPN inner policy selector mismatch detected:
This counter is incremented when an IPSec packet is received with an inner IP header that does not match the policy configured for the tunnel.
Recommendations:
Verify that the crypto ACL for the tunnel is correct and that all acceptable packets are included in the tunnel identity. If this message is seen repeatedly, verify that the box is not under attack.
Syslogs:
402116
----------------------------------------------------------------
ipsec-spoof-detect
IPSec spoof packet detected:
This counter is incremented when the appliance receives a packet that should have been encrypted but was not. The packet matched the inner header security policy check of an IPSec connection configured and established on the appliance, but it was received unencrypted. This is a security issue.
Recommendations:
Analyze the network traffic to determine the source of the spoofed IPSec traffic.
Syslogs:
402117
----------------------------------------------------------------
loopback
Flow is a loopback:
This reason is given for closing a flow when both of the following conditions hold: 1) U-turn traffic is present on the flow, and 2) 'same-security-traffic permit intra-interface' is not configured.
Recommendations:
To allow U-turn traffic on an interface, configure the interface with 'same-security-traffic permit intra-interface'.
Syslogs:
None.
----------------------------------------------------------------
max-retries-of-retransmission-exceeded
Maximum retries of retransmission exceeded:
The connection was torn down because the TCP packet exceeded the maximum number of retransmission retries with no reply from the peer.
Recommendations:
None.
Syslogs:
302014
----------------------------------------------------------------
mcast-entry-removed
Multicast entry removed:
A packet has arrived that matches a multicast flow, but the multicast service is no longer enabled, or was re-enabled after the flow was built.
- OR -
The multicast entry has been deleted so the flow is being cleaned up, but the packet will be reinjected into the data path.
Recommendations:
Reenable multicast if it is disabled.
- OR -
No action required.
Syslogs:
None
----------------------------------------------------------------
mcast-intrf-removed
Multicast interface removed:
An output interface has been removed from the multicast entry.
- OR -
All output interfaces have been removed from the multicast entry.
Recommendations:
No action required.
- OR -
Verify that there are no longer any receivers for this group.
Syslogs:
None
----------------------------------------------------------------
nat-failed
NAT failed:
Failed to create an xlate to translate the IP or transport header.
Recommendations:
If NAT is not desired, disable "nat-control". Otherwise, use the "static", "nat" or "global" command to configure NAT policy for the dropped flow. For dynamic NAT, ensure that each "nat" command is paired with at least one "global" command. Use "show nat" and "debug pix process" to verify NAT rules.
Syslogs:
305005, 305006, 305009, 305010, 305011, 305012
----------------------------------------------------------------
nat-rpf-failed
NAT reverse path failed:
An attempt to connect to a translated host using the host's real address was rejected.
Recommendations:
If you are not on the same interface as the host behind NAT, use the mapped address instead of the real address to connect to the host. Also, if the application embeds IP addresses, enable the appropriate inspect command.
Syslogs:
305005
----------------------------------------------------------------
nat64/46-conversion-fail
IPv6 to IPv4 or vice-versa conversion failure:
This condition occurs when there is a failure in conversion of IPv6 traffic to IPv4 or vice-versa.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
need-ike
Need to start IKE negotiation:
This counter will increment when the appliance receives a packet which requires encryption but has no established IPSec security association. This is a normal condition typically seen in LAN-to-LAN IPSec configurations. This indication causes the appliance to begin ISAKMP negotiation with the destination peer.
Recommendations:
If you have configured IPSec LAN-to-LAN on the appliance, this indication is normal and does not indicate a problem. However, if this counter increases rapidly, it may indicate a crypto configuration error or a network error that is preventing the ISAKMP negotiation from completing.
Verify that you can communicate with the destination peer and verify your crypto configuration via the 'show running-config' command.
Syslogs:
None
----------------------------------------------------------------
no-adjacency
No valid adjacency:
This counter will increment when the security appliance receives a packet on an existing flow that no longer has a valid output adjacency. This can occur if the nexthop is no longer reachable or if a routing change has occurred typically in a dynamic routing environment.
Recommendations:
No action required.
Syslogs:
None
----------------------------------------------------------------
no-inspect
Failed to allocate inspection:
This counter is incremented when the security appliance fails to allocate the runtime inspection data structure when a connection is created. The connection is dropped.
Recommendations:
This error condition occurs when the security appliance runs out of system memory. Please check the current available free memory by executing the "show memory" command.
Syslogs:
None
----------------------------------------------------------------
no-ipv6-ipsec
IPSec over IPv6 unsupported:
This counter is incremented when the appliance receives an IPSec ESP packet, an IPSec NAT-T ESP packet, or an IPSec over UDP ESP packet encapsulated in an IP version 6 header. The appliance does not currently support IPSec sessions encapsulated in IP version 6.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
no-route-to-peer-nve
No route to peer NVE:
This counter is incremented when the security appliance fails to locate next hop to peer NVE.
Recommendations:
Verify peer NVE is reachable via source-interface.
Syslogs:
None.
----------------------------------------------------------------
no-valid-nve-ifc
No valid NVE interface:
This counter is incremented when the security appliance fails to identify the NVE interface for the VNI interface of a flow.
Recommendations:
Verify that the nve is configured for all interfaces.
Syslogs:
None.
----------------------------------------------------------------
non_tcp_syn
non-syn TCP:
This reason is given for terminating a TCP flow when the first packet is not a SYN packet.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
np-context-removed
NP virtual context removed:
This counter is incremented when the virtual context with which the flow is going to be associated has been removed. This could happen in multi-core environment when one CPU core is in the process of destroying the virtual context, and another CPU core tries to create a flow in the context.
Recommendations:
No action is required.
Syslog:
None.
----------------------------------------------------------------
np-midpath-cp-event-failure
NP midpath CP event failure:
This is a counter for critical midpath events that could not be sent to the CP.
Recommendations:
This indicates a software error that should be reported to the Cisco TAC.
Syslog:
None.
----------------------------------------------------------------
np-midpath-service-failure
NP midpath service failure:
This is a general counter for critical midpath service errors.
Recommendations:
This indicates a software error that should be reported to the Cisco TAC.
Syslog:
None.
----------------------------------------------------------------
np-socket-block-conv-failure
NP socket block conversion failure:
This counter is incremented for socket block conversion failures.
Recommendations:
This indicates a software error that should be reported to the Cisco TAC.
Syslog:
None.
----------------------------------------------------------------
np-socket-conn-not-accepted
A new socket connection was not accepted:
This counter is incremented for each new socket connection that is not accepted by the security appliance.
Recommendations:
It is possible to see increments of this counter as part of normal operation. However, if the counter increases rapidly and socket-based applications are malfunctioning significantly, it may be caused by a software defect. Contact the Cisco TAC to investigate the issue further.
Syslog:
None.
----------------------------------------------------------------
np-socket-data-move-failure
NP socket data movement failure:
This counter is incremented for socket data movement errors.
Recommendations:
This indicates a software error that should be reported to the Cisco TAC.
Syslog:
None.
----------------------------------------------------------------
np-socket-failure
NP socket failure:
This is a general counter for critical socket processing errors.
Recommendations:
This indicates a software error that should be reported to the Cisco TAC.
Syslog:
None.
----------------------------------------------------------------
np-socket-new-conn-failure
NP socket new connection failure:
This counter is incremented for new socket connection failures.
Recommendations:
This indicates a software error that should be reported to the Cisco TAC.
Syslog:
None.
----------------------------------------------------------------
np-socket-relay-failure
NP socket relay failure:
This is a general counter for socket relay processing errors.
Recommendations:
It is possible to see increments of this counter as part of normal operation. However, if the counter increases rapidly and socket-based applications are malfunctioning significantly, it may be caused by a software defect. Contact the Cisco TAC to investigate the issue further.
Syslog:
None.
----------------------------------------------------------------
np-socket-transport-closed
NP socket transport closed:
This counter is incremented when the transport attached to a socket is abruptly closed.
Recommendations:
It is possible to see increments of this counter as part of normal operation. However, if the counter increases rapidly and socket-based applications are malfunctioning significantly, it may be caused by a software defect. Contact the Cisco TAC to investigate the issue further.
Syslog:
None.
----------------------------------------------------------------
out-of-memory
No memory to complete flow:
This counter is incremented when the appliance fails to create a flow due to insufficient memory.
Recommendations:
Verify that the box is not under attack by checking the current connections. Also verify if the configured timeout values are too large resulting in idle flows residing in memory longer. Check the free memory available by issuing 'show memory'. If free memory is low, issue the command 'show processes memory' to determine which processes are utilizing most of the memory.
Syslogs:
None
----------------------------------------------------------------
parent-closed
Parent flow is closed:
When the parent flow of a subordinate flow is terminated, the subordinate flow is also terminated. For example, an FTP data flow (subordinate flow) is terminated when its control flow (parent flow) terminates. The same applies when a secondary flow (pinhole) is terminated by its controlling application. For example, on receipt of a BYE message, the SIP inspection engine (controlling application) terminates the corresponding SIP RTP flow (secondary flow).
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
passenger-flow-creation-failed
Passenger creation failed:
This counter is incremented when passenger flow creation fails.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
pdts-rule-meta-failed
PDTS rule-meta allocation failed:
This counter is incremented when rule-meta allocation fails, thus terminating the flow.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
pinhole-timeout
Pinhole timeout:
This counter is incremented to report that the appliance opened a secondary flow, but no packets passed through this flow within the timeout interval, so it was removed. An example of a secondary flow is the FTP data channel that is created after a successful negotiation on the FTP control channel.
Recommendations:
No action required.
Syslogs:
302014, 302016
----------------------------------------------------------------
probe-complete
Probe completed:
The connection was torn down because the probe connection succeeded.
Recommendations:
None.
Syslogs:
302014
----------------------------------------------------------------
probe-max-retransmission-time-elapsed
Probe maximum retransmission time elapsed:
The connection was torn down because the maximum probing time for the TCP packet elapsed with no reply from the peer.
Recommendations:
None.
Syslogs:
302014
----------------------------------------------------------------
probe-max-retries-of-retransmission-exceeded
Probe maximum retries of retransmission exceeded:
The connection was torn down because the TCP packet exceeded the maximum number of probe retransmission retries with no reply from the peer.
Recommendations:
None.
Syslogs:
302014
----------------------------------------------------------------
probe-received-tcp-fin
Probe received FIN:
The connection was torn down because the probe connection received a FIN from the server.
Recommendations:
None.
Syslogs:
302014
----------------------------------------------------------------
probe-received-tcp-reset
Probe received RST:
The connection was torn down because the probe connection received a RST from the server.
Recommendations:
None.
Syslogs:
302014
----------------------------------------------------------------
probe-retransmit-invalid-timeout
Probe retransmit has invalid timeout:
The connection was torn down because the flow moved to full proxy with an invalid probe timeout.
Recommendations:
None.
Syslogs:
302014
----------------------------------------------------------------
punt-limit
Number of segments queued to an inspector reached the limit:
For this flow, the number of packets queued to the inspector reached the limit, thus terminating the flow.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
quic-proxy-feature-disable-inflow
QUIC feature disabled in-flow:
This counter is incremented when the QUIC feature is disabled on an existing QUIC flow.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
quic-proxy-pkt-rtx-count-limit-reached
QUIC Proxy rtx limit reached:
This counter is incremented when a connection fails because the packet retransmission count limit has been reached.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
quic-proxy-residue-packet
QUIC Proxy residue packet:
This counter is incremented and the packet is dropped when a packet is received for a non-existent flow and the packet is not an initial packet.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
quic-proxy-stateless-reset-packet
QUIC Proxy stateless reset packet:
This counter is incremented when a QUIC stateless reset packet is received.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
recurse
Close recursive flow:
A flow was recursively freed. This reason applies to pair flows, multicast slave flows, and syslog flows to prevent syslogs being issued for each of these subordinate flows.
Recommendations:
No action required.
Syslogs:
None
----------------------------------------------------------------
reinject-punt
Flow terminated by punt action:
This counter is incremented when a packet is punted to the exception-path for processing by one of the enhanced services such as inspect, aaa etc and the servicing routine, having detected a violation in the traffic flowing on the flow, requests that the flow be dropped. The flow is dropped immediately.
Recommendations:
Please watch for syslogs fired by servicing routine for more information. Flow drop terminates the corresponding connection.
Syslogs:
None.
----------------------------------------------------------------
reset-appliance
TCP Reset-APPLIANCE:
This reason is given for closing a flow when a TCP reset is generated by appliance.
Recommendations:
None.
Syslogs:
302014
----------------------------------------------------------------
reset-by-cx
Flow reset by CXSC:
This reason is given for terminating a TCP flow as requested by the CXSC module.
Recommendations:
Check syslogs and alerts on CXSC module.
Syslogs:
429003
----------------------------------------------------------------
reset-by-ips
Flow reset by IPS:
This reason is given for terminating a TCP flow as requested by IPS module.
Recommendations:
Check syslogs and alerts on IPS module.
Syslogs:
420003
----------------------------------------------------------------
reset-by-sfr
Flow reset by SFR:
This reason is given for terminating a TCP flow as requested by the SFR module.
Recommendations:
Check syslogs and alerts on SFR module.
Syslogs:
434003
----------------------------------------------------------------
reset-in
TCP Reset-I:
This reason is given for closing an outbound flow (from a low-security interface to a same- or high-security interface) when a TCP reset is received on the flow.
Recommendations:
None.
Syslogs:
302014
----------------------------------------------------------------
reset-out
TCP Reset-O:
This reason is given for closing an inbound flow (from a high-security interface to low-security interface) when a TCP reset is received on the flow.
Recommendations:
None.
Syslogs:
302014
----------------------------------------------------------------
rm-host-limit
RM host limit reached:
This counter is incremented when the maximum number of hosts for the context or system has been reached and a new connection is attempted.
Recommendations:
The device administrator can use the commands 'show resource usage' and 'show resource usage system' to view context and system resource limits and 'Denied' counts and adjust resource limits if desired.
Syslogs:
321001
----------------------------------------------------------------
rm-inspect-rate-limit
RM inspect rate limit reached:
This counter is incremented when the maximum inspection rate for the context or system has been reached and a new connection is attempted.
Recommendations:
The device administrator can use the commands 'show resource usage' and 'show resource usage system' to view context and system resource limits and 'Denied' counts and adjust resource limits if desired.
Syslogs:
321002
----------------------------------------------------------------
rm-xlate-limit
RM xlate limit reached:
This counter is incremented when the maximum number of xlates for the context or system has been reached and a new connection is attempted.
Recommendations:
The device administrator can use the commands 'show resource usage' and 'show resource usage system' to view context and system resource limits and 'Denied' counts and adjust resource limits if desired.
Syslogs:
321001
----------------------------------------------------------------
route-change
Flow terminated due to route change:
When the system adds a lower-cost (better metric) route, incoming packets that match the new route cause the existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric.
Recommendations:
To prevent the addition of lower cost routes from affecting active flows, the 'floating-conn' configuration timeout value can be set to 0:0:0.
Syslogs:
None.
----------------------------------------------------------------
sctp-chunk-cookie-timeout
SCTP cookie timed out:
This counter is incremented and the flow is dropped when the SCTP cookie state (after receiving INIT ACK or COOKIE ECHO) timeout count reaches the limit.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-init-0-stream-cnt
SCTP INIT contains 0 value inbound/outbound stream count:
This counter is incremented and the packet is dropped when the SCTP INIT chunk contains a 0 value inbound/outbound stream count.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-init-ack-0-stream-cnt
SCTP INIT ACK contains 0 value inbound/outbound stream count:
This counter is incremented and the packet is dropped when the SCTP INIT ACK chunk contains a 0 value inbound/outbound stream count.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-chunk-init-timeout
SCTP INIT timed out (not receiving INIT ACK):
This counter is incremented and the flow is dropped when the SCTP INIT chunk timeout count reaches the limit.
Recommendations:
This drop can happen in scenarios such as when the receiver of the INIT chunk does not respond with an INIT ACK, or when there is a redundant path between client and server so that the INIT goes out on one path and the INIT ACK comes back on another. If this error occurs in large numbers, please use the packet capture feature to help isolate the issue.
Syslogs:
None
----------------------------------------------------------------
sctp-endpoint-abort
SCTP received ABORT from endpoint:
This counter is incremented and the flow is dropped when an SCTP ABORT chunk is received.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-init-0-tag
SCTP INIT contains 0 value initiate tag:
This counter is incremented and the flow is dropped when the SCTP INIT chunk contains a 0 value initiate tag.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-initack-0-tag
SCTP INIT ACK contains 0 value initiate tag:
This counter is incremented and the flow is dropped when the SCTP INIT ACK chunk contains a 0 value initiate tag.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sctp-shutdown-timeout
SCTP SHUTDOWN timed out (not receiving SHUTDOWN ACK):
This counter is incremented and the flow is dropped when the SCTP SHUTDOWN timeout count reaches the limit.
Recommendations:
None
Syslogs:
None
----------------------------------------------------------------
sfr-bad-hdl
Flow terminated by ASA due to bad handle from SFR:
The handle received from SFR is invalid, so the flow is dropped.
Recommendations:
Check syslogs and alerts on SFR module.
Syslogs:
421004
----------------------------------------------------------------
sfr-fail-close
SFR fail-close:
This reason is given for terminating a flow since SFR card is down and fail-close option was used with SFR action.
Recommendations:
Check and bring up SFR card
Syslogs:
434001
----------------------------------------------------------------
sfr-request
Flow terminated by SFR:
This reason is given for terminating a flow as requested by SFR module.
Recommendations:
Check syslogs and alerts on SFR module.
Syslogs:
434002
----------------------------------------------------------------
shunned
Flow shunned:
This counter will increment when a packet is received which has a source IP address that matches a host in the shun database. When a shun command is applied, it will be incremented for each existing flow that matches the shun command.
Recommendations:
No action required.
Syslogs:
401004
----------------------------------------------------------------
snort-flow-drop
Flow terminated by SNORT:
This reason is given for terminating a flow as requested by SNORT module.
Recommendations:
Review Snort policies for any such rule denying the flow.
Syslogs:
None.
----------------------------------------------------------------
sp-looping-address
looping-address:
This counter is incremented when the source and destination addresses in a flow are the same. SIP flows with address privacy enabled are excluded, because it is normal for those flows to have the same source and destination address.
Recommendations:
This counter can increment under two conditions. The first is when the appliance receives a packet whose source address equals its destination address; this represents a type of DoS attack. The second is when the NAT configuration on the appliance sets the source address equal to the destination address. One should examine syslog message 106017 to determine what IP address is causing the counter to increment, then enable packet captures to capture the offending packet, and perform additional analysis.
Syslogs:
106017
----------------------------------------------------------------
ssl-bad-record-detect
SSL bad record detected:
This counter is incremented for each unknown SSL record type received from the remote peer. An unknown record type received from the peer is treated as a fatal error, and the SSL connection on which the error occurred must be terminated.
Recommendations:
It is not normal to see increments of this counter at any time. If this counter increments, it usually means that the SSL protocol state is out of sync with the client software. The most likely cause of this problem is a software defect in the client software. To troubleshoot this problem, contact the Cisco TAC with the client software or web browser version and provide a network trace of the SSL data exchange.
Syslogs:
None.
----------------------------------------------------------------
ssl-handshake-failed
SSL handshake failed:
This counter is incremented when a TCP connection is dropped because the SSL handshake failed.
Recommendations:
This indicates that the TCP connection was dropped because the SSL handshake failed. If the problem cannot be resolved from the syslog information generated by the handshake failure condition, please include the relevant syslog information when contacting the Cisco TAC.
Syslogs:
725006.
725014.
----------------------------------------------------------------
ssl-malloc-error
SSL malloc error:
This counter is incremented for each malloc failure that occurs in the SSL lib. This is to indicate that SSL encountered a low memory condition where it can't allocate a memory buffer or packet block.
Recommendations:
Check the security appliance memory and packet block condition and contact the Cisco TAC with this memory information.
Syslogs:
None.
----------------------------------------------------------------
ssl-received-close-alert
SSL received close alert:
This counter is incremented each time the security appliance receives a close alert from the remote client. This indicates that the client has notified us that it is going to drop the connection. This is part of the normal disconnect process.
Recommendations:
None.
Syslog:
725007.
----------------------------------------------------------------
ssl-record-decrypt-error
SSL record decryption failed:
This counter is incremented when a decryption error occurs while receiving SSL data. This usually means that there is a bug in the SSL code of the ASA or of the peer, or that an attacker may be modifying the data stream. The SSL connection has been terminated.
Recommendations:
Investigate the SSL data stream to and from the ASA. If there is no attacker, this indicates a software error that should be reported to the Cisco TAC.
Syslogs:
None.
----------------------------------------------------------------
ssm-app-fail
Service module failed:
This counter applies only to the ASA5500 series adaptive security appliance. It is incremented when a connection being inspected by the SSM is terminated because the SSM has failed.
Recommendations:
The card manager process running on the security appliance control plane has issued system messages and CLI warnings to notify you of the failure. To troubleshoot the SSM failure, refer to the documentation that comes with the SSM. Contact Cisco Technical Assistance Center (TAC) if needed.
Syslog:
421001.
----------------------------------------------------------------
ssm-app-incompetent
Service module incompetent:
This counter applies only to the ASA5500 series adaptive security appliance. It is incremented when a connection is supposed to be inspected by the SSM, but the SSM is unable to inspect it. This counter is reserved for future use. It should always be 0 in the current release.
Recommendations:
None.
Syslog:
None.
----------------------------------------------------------------
ssm-app-request
Flow terminated by service module:
This counter applies only to the ASA5500 series adaptive security appliance. It is incremented when the application running on the SSM requests the security appliance to terminate a connection.
Recommendations:
More information can be obtained by querying the incident report or system messages generated by the SSM itself. Please consult the documentation that comes with the SSM for instructions.
Syslogs:
None.
----------------------------------------------------------------
svc-conn-timer-cb-fail
SVC connection timer callback failure:
This condition occurs when there is a failed attempt to place an event on the async lock queue for that connection.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
svc-failover
An SVC socket connection is being disconnected on the standby unit:
This counter is incremented for each new SVC socket connection that is disconnected when the active unit is transitioning into standby state as part of a failover transition.
Recommendations:
None. This is part of the normal cleanup of SVC connections when the current device is transitioning from active to standby. Existing SVC connections on the device are invalid and must be removed.
Syslogs:
None.
----------------------------------------------------------------
svc-replacement-conn
SVC replacement connection established:
This counter is incremented when an SVC connection is replaced by a new connection.
Recommendations:
None. This may indicate that the user is having trouble maintaining a connection to the ASA. The user should evaluate the quality of their home network and Internet connection.
Syslog:
722032
----------------------------------------------------------------
svc-selector-failure
SVC VPN inner policy selector mismatch detected:
This counter is incremented when an SVC packet is received with an inner IP header that does not match the policy for the tunnel.
Recommendations:
None. This packet will be discarded automatically.
Syslogs:
None.
----------------------------------------------------------------
svc-spoof-detect
SVC spoof packet detected:
This counter is incremented when the security appliance receives a packet that should have been encrypted but was not. The packet matched the inner header security policy check of an SVC connection configured and established on the security appliance, but it was received unencrypted. This is a security issue.
Recommendations:
Analyze the network traffic to determine the source of the spoofed SVC traffic.
Syslogs:
None
----------------------------------------------------------------
svc-udp-conn-timer-cb-fail
SVC UDP connection timer callback failure:
This condition occurs when there is a failed attempt to place an event on the async lock queue for that connection.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
syn-timeout
SYN Timeout:
This reason is given for closing a TCP flow due to expiry of embryonic timer.
Recommendations:
If these are valid sessions which take longer to establish a connection, increase the embryonic timeout.
Syslogs:
302014
----------------------------------------------------------------
tcp-fins
TCP FINs:
This reason is given for closing a TCP flow when TCP FIN packets are received.
Recommendations:
This counter will increment for each TCP connection that is terminated normally with FINs.
Syslogs:
302014
----------------------------------------------------------------
tcp-full-proxy-required
Full TCP proxy is required, but not available in monitor-only mode:
This flow requires full TCP proxy, but this feature is not available in monitor-only mode.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
tcp-intecept-no-response
TCP intercept, no response from server:
The SYN retransmission timed out after three attempts at one-second intervals. The server is unreachable and the connection is being torn down.
Recommendations:
Check whether the server is reachable from the ASA.
Syslogs:
None
----------------------------------------------------------------
tcp-intercept-kill
Flow terminated by TCP Intercept:
TCP intercept tears down a connection in two cases: when this is the first SYN, a connection is created for the SYN, and TCP intercept replied with a SYN cookie; or when, after seeing a valid ACK from the client, TCP intercept sends a SYN to the server and the server replies with a RST.
Recommendations:
TCP intercept normally does not create a connection for the first SYN, except when there are nailed rules, the packet comes over a VPN tunnel, or the next hop gateway address to reach the client is not resolved. Therefore, in the first-SYN case, this indicates that a connection was created. When TCP intercept receives a RST from the server, the corresponding port is probably closed on the server.
Syslogs:
None
----------------------------------------------------------------
tcp-intercept-unexpected
TCP intercept unexpected state:
A logic error in the TCP intercept module; this should never happen.
Recommendations:
Indicates memory corruption or some other logic error in the TCP intercept module.
Syslogs:
None
----------------------------------------------------------------
tcpmod-connect-clash
A TCP connect socket clashes with an existing listen connection. This is an internal system error. Contact TAC.
----------------------------------------------------------------
tcpnorm-invalid-syn
TCP invalid SYN:
This reason is given for closing a TCP flow when the SYN packet is invalid.
Recommendations:
The SYN packet could be invalid for a number of reasons, such as an invalid checksum or an invalid TCP header. Please use the packet capture feature to understand why the SYN packet is invalid. If you would like to allow these connections, use tcp-map configuration to bypass the checks.
Syslogs:
302014
----------------------------------------------------------------
tcpnorm-rexmit-bad
TCP bad retransmission:
This reason is given for closing a TCP flow when the check-retransmission feature is enabled and the TCP endpoint sent a retransmission with different data from the original packet.
Recommendations:
The TCP endpoint may be attacking by sending different data in TCP retransmits. Please use the packet capture feature to learn more about the origin of the packet.
Syslogs:
302014
----------------------------------------------------------------
tcpnorm-win-variation
TCP unexpected window size variation:
This reason is given for closing a TCP flow when the window size advertised by the TCP endpoint changes drastically without that much data being accepted.
Recommendations:
In order to allow this connection, use the window-variation configuration under tcp-map.
Syslogs:
302014
----------------------------------------------------------------
tracer-flow
packet-tracer traced flow drop:
This counter is internally used by packet-tracer for flow freed once tracing is complete.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
tunnel-pending
Tunnel being brought up or torn down:
This counter is incremented when the appliance receives a packet that matches an entry in the security policy database (that is, a crypto map) but the security association is still being negotiated and is not yet complete.
This counter is also incremented when the appliance receives a packet that matches an entry in the security policy database but the security association has been deleted or is being deleted. The difference between this indication and "Tunnel has been torn down" is that the latter applies to an established flow.
Recommendations:
This is a normal condition that is seen while an IPSec tunnel is being negotiated or torn down.
Syslogs:
None
----------------------------------------------------------------
tunnel-torn-down
Tunnel has been torn down:
This counter is incremented when the appliance receives a packet associated with an established flow while the IPSec security association is being deleted.
Recommendations:
This is a normal condition that is seen when an IPSec tunnel is torn down for any reason.
Syslogs:
None
----------------------------------------------------------------
unable-to-create-flow
Unable to create flow:
This counter is incremented when the system is unable to create a flow.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
uztna-flow-obj-limit
UZTNA flow object limit reached:
This counter is incremented when a new connection is attempted while the system's maximum number of UZTNA flow objects is already allocated.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
vPath-license-failure
Flow terminated due to vPath license failure:
The flow is dropped because of an ASA 1000V license failure.
Recommendations:
Check the Nexus 1000V and verify that enough ASA 1000V licenses are installed to support all ASA 1000V virtual machines in use. Use "show license" to check the available licenses for ASA 1000V and "show license usage" to check their status.
Syslogs:
4450002.
----------------------------------------------------------------
vpn-bad-decrypt-rule
The flow could not be created because a wrong decryption policy was hit:
This is a transient condition when clustering is enabled and vpn-mode is set to distributed.
Recommendations:
You may see this counter increment as part of normal operation. However, if the counter is rapidly incrementing and traffic is disrupted, this may be caused by a misconfiguration or a software defect. Use the following commands to gather more information about this counter and contact the Cisco TAC to investigate the issue further.
show asp drop
show tech-support
Syslogs:
No new syslogs accompany this event.
----------------------------------------------------------------
vpn-context-association-failure
VPN context association failure:
This counter is increased whenever we fail to associate the VPN context with a cluster flow.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
vpn-context-expired
Expired VPN context:
This counter is incremented when the security appliance receives a packet that requires encryption or decryption and the ASP VPN context needed to perform the operation is no longer valid.
Recommendations:
This indicates a software error that should be reported to the Cisco TAC.
Syslogs:
None
----------------------------------------------------------------
vpn-handle-error
VPN handle error:
This counter is incremented when the appliance cannot create a VPN handle because a VPN handle already exists.
Recommendations:
You may see this counter increment as part of normal operation. However, if the counter is rapidly incrementing and there is a major malfunction of VPN-based applications, this may be caused by a software defect. Use the following commands to gather more information about this counter and contact the Cisco TAC to investigate the issue further.
capture <name> type asp-drop vpn-handle-error
show asp table classify crypto
show asp table vpn-context detail
Syslogs:
None
----------------------------------------------------------------
vpn-handle-not-found
VPN handle not found:
This counter is incremented when a datagram hits an encrypt, or decrypt operation, and no VPN handle is found for the flow the datagram is on.
Recommendations:
You may see this counter increment as part of normal operation. However, if the counter is rapidly incrementing and there is a major malfunction of VPN-based applications, this may be caused by a software defect. Use the following commands to gather more information about this counter and contact the Cisco TAC to investigate the issue further.
capture <name> type asp-drop vpn-handle-not-found
show asp table classify crypto
show asp table vpn-context detail
Syslogs:
None
----------------------------------------------------------------
vpn-invalid-encryption
The flow is dropped because encryption flag was not set:
Recommendations:
You may see this counter increment as part of normal operation. However, if the counter is rapidly incrementing and traffic is disrupted, this may be caused by a misconfiguration or a software defect. Use the following commands to gather more information about this counter and contact the Cisco TAC to investigate the issue further.
show asp drop
show tech-support
Syslogs:
No new syslogs accompany this event.
----------------------------------------------------------------
vpn-lock-error
IPSec locking error:
This counter is incremented when a VPN flow cannot be created because of an internal locking error.
Recommendations:
This condition should not occur during normal operation and may indicate a software problem on the appliance. Contact the Cisco Technical Assistance Center (TAC) if this error is encountered.
Syslogs:
None.
----------------------------------------------------------------
vpn-missing-decrypt
The flow could not be created because its decryption policy was not available:
An attempt was made to create a VPN flow before its decryption policy was fully initialized. This is a transient condition that resolves once installation of the decryption policy completes.
Recommendations:
You may see this counter increment as part of normal operation. However, if the counter is rapidly incrementing and traffic is disrupted, this may be caused by a misconfiguration or a software defect. Use the following commands to gather more information about this counter and contact the Cisco TAC to investigate the issue further.
capture <name> type asp-drop vpn-missing-decrypt
show asp table classify
show asp drop
show tech-support
Syslogs:
No new syslogs accompany this event.
----------------------------------------------------------------
vpn-overlap-conflict
VPN Network Overlap Conflict:
When a packet is decrypted, the inner packet is checked against the crypto map configuration. If the packet matches a crypto map entry other than the one it was received on, the packet is dropped and this counter is incremented. A common cause is two crypto map entries that contain similar or overlapping address space.
Recommendations:
Check the VPN configuration for overlapping networks. Review the ordering of the crypto map entries and the use of "deny" rules in the crypto ACLs.
Syslogs:
None
----------------------------------------------------------------
vpn-reclassify_failed
The flow could not be reclassified according to existing VPN policies:
When VPN policies change, flows that no longer match those policies are freed as packets arrive for those flows.
Recommendations:
This counter is informational and the behavior expected.
Syslogs:
No new syslogs accompany this event.
----------------------------------------------------------------
vxlan-ccl-inner-dip-not-found
Peer CCL inner IP not found:
This counter is incremented when the security appliance fails to find the peer CCL inner destination IP.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
vxlan-encap-error
Fail to encap with VXLAN:
This counter is incremented when the security appliance fails to encapsulate a packet with VXLAN for a flow.
Recommendations:
None.
Syslogs:
None.
----------------------------------------------------------------
vxlan-invalid-vni-mcast-ip
Invalid Multicast IP on VNI interface:
This counter is incremented when the security appliance fails to obtain the multicast group IP from the VNI interface.
Recommendations:
When no peer NVE is configured, verify that a valid multicast group IP is configured on the VNI interface.
Syslogs:
None.
----------------------------------------------------------------
vxlan-missing-peer-vtep-ip
Peer VTEP IP not found:
This counter is incremented when the security appliance fails to find the peer VTEP IP for an inner destination IP during VXLAN encapsulation.
Recommendations:
Verify that the VTEP IP for the desired remote inner host is present in the output of show arp vtep-mapping, show mac-address-table vtep-mapping, or show ipv6 neighbor vtep-mapping.
Syslogs:
None.
----------------------------------------------------------------
xlate-removed
Xlate Clear:
Flow removed in response to "clear xlate" or "clear local-host" command.
Recommendations:
This is an informational counter.
Syslogs:
302014, 302016, 302018, 302021, 305010, 305012, 609002
----------------------------------------------------------------
zta-sni-proxy
Flow terminated by ZTA SNI proxy:
This counter is incremented when a flow is dropped by the Zero Trust SNI proxy.
Recommendations:
Syslogs:
None.
----------------------------------------------------------------
Examples
The following is sample output from the show asp drop command. The timestamp indicates when the counters were last cleared.
ciscoasa# show asp drop
Frame drop:
Flow is denied by configured rule (acl-drop) 3
Dst MAC L2 Lookup Failed (dst-l2_lookup-fail) 4110
L2 Src/Dst same LAN port (l2_same-lan-port) 760
Expired flow (flow-expired) 1
Last clearing: Never
Flow drop:
Flow is denied by access rule (acl-drop) 24
NAT failed (nat-failed) 28739
NAT reverse path failed (nat-rpf-failed) 22266
Inspection failure (inspect-fail) 19433
Last clearing: 17:02:12 UTC Jan 17 2012 by enable_15
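Several entries above tell you to act only when a counter is "rapidly incrementing", which a single show asp drop cannot show; you need two snapshots and the "Last clearing" line to know whether the baseline is still valid. The following Python is an added example, not Cisco code: it parses two snapshots, discards the baseline for a section whose "Last clearing" text changed (someone ran clear asp drop in between), and classifies the counters that rose. The reason sets ESCALATE_ALWAYS and WATCH are my own grouping drawn from the recommendations on this page, not a Cisco-published list, and both snapshots are constructed: the first is the sample output above, the second is the same device 60 seconds later with counts chosen for illustration.

```python
"""Diff two 'show asp drop' snapshots from a Cisco ASA and flag what moved.
Added example, not Cisco code. Both snapshots below are constructed test data."""
import re

# One counter line: "<description> (<reason-keyword>) <count>"
LINE_RE = re.compile(r"^(?P<desc>.+?)\s+\((?P<reason>[A-Za-z0-9_-]+)\)\s+(?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>Frame|Flow) drop:$")
CLEAR_RE = re.compile(r"^Last clearing:\s*(?P<when>.+)$")

# Assumption: grouping taken from the recommendations on this page, not a
# Cisco-published list. These are reported to TAC on any increment...
ESCALATE_ALWAYS = {"tcp-intercept-unexpected", "tcpmod-connect-clash",
                   "vpn-context-expired", "vpn-lock-error"}
# ...and these are investigated only when they climb quickly.
WATCH = {"tcpnorm-invalid-syn", "tcpnorm-rexmit-bad", "tcpnorm-win-variation",
         "vpn-overlap-conflict", "acl-drop", "nat-failed", "nat-rpf-failed"}


def parse_asp_drop(text):
    """Return ({(section, reason): count}, {section: last-clearing text})."""
    counters, clearing, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section").lower()   # 'frame' or 'flow'
            continue
        if section is None:   # prompt / echoed command before the first section
            continue
        m = CLEAR_RE.match(line)
        if m:
            clearing[section] = m.group("when")
            continue
        m = LINE_RE.match(line)
        if m:
            counters[(section, m.group("reason"))] = int(m.group("count"))
    return counters, clearing


def diff_snapshots(before_text, after_text, interval_s, rate_threshold=1.0):
    """Return [(section, reason, delta, per_second, severity)] for counters that rose."""
    before, before_clear = parse_asp_drop(before_text)
    after, after_clear = parse_asp_drop(after_text)
    findings = []
    for (section, reason), count in sorted(after.items()):
        # A changed 'Last clearing' means clear asp drop ran in between: the
        # baseline is stale, so measure from zero instead of going negative.
        reset = before_clear.get(section) != after_clear.get(section)
        delta = count - (0 if reset else before.get((section, reason), 0))
        if delta <= 0:
            continue
        rate = delta / interval_s
        if reason in ESCALATE_ALWAYS:
            severity = "escalate"
        elif reason in WATCH and rate >= rate_threshold:
            severity = "investigate"
        else:
            severity = "info"
        findings.append((section, reason, delta, round(rate, 3), severity))
    return findings


# Constructed snapshots: T0 is the sample output above, T1 the same device 60 s later.
SNAPSHOT_T0 = """\
ciscoasa# show asp drop
Frame drop:
  Flow is denied by configured rule (acl-drop)                       3
  Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)                   4110
  L2 Src/Dst same LAN port (l2_same-lan-port)                      760
  Expired flow (flow-expired)                                        1
Last clearing: Never

Flow drop:
  Flow is denied by access rule (acl-drop)                          24
  NAT failed (nat-failed)                                        28739
  NAT reverse path failed (nat-rpf-failed)                       22266
  Inspection failure (inspect-fail)                              19433
Last clearing: 17:02:12 UTC Jan 17 2012 by enable_15
"""
SNAPSHOT_T1 = """\
ciscoasa# show asp drop
Frame drop:
  Flow is denied by configured rule (acl-drop)                       3
  Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)                   4112
  L2 Src/Dst same LAN port (l2_same-lan-port)                      760
  Expired flow (flow-expired)                                        1
Last clearing: Never

Flow drop:
  Flow is denied by access rule (acl-drop)                          24
  NAT failed (nat-failed)                                        28739
  NAT reverse path failed (nat-rpf-failed)                       22266
  Inspection failure (inspect-fail)                              19433
  TCP bad retransmission (tcpnorm-rexmit-bad)                     1800
  Expired VPN context (vpn-context-expired)                          1
Last clearing: 17:02:12 UTC Jan 17 2012 by enable_15
"""

if __name__ == "__main__":
    for section, reason, delta, rate, severity in diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1, 60):
        print(f"{severity:11} {section:5} {reason:28} +{delta:<6} {rate}/s")
```

On the constructed data the run reports tcpnorm-rexmit-bad as "investigate" (1800 new drops in a minute, the pattern the entry above attributes to an endpoint sending different data in retransmits), vpn-context-expired as "escalate" after a single hit, and the two extra dst-l2_lookup-fail frames as "info". Feed the two texts from scheduled show asp drop collections and pair the findings with the capture type asp-drop commands listed under the relevant reason.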
Related Commands

| Command | Description |
|---|---|
| capture | Captures packets; includes an option to capture packets based on the asp drop code. |
| clear asp drop | Clears the accelerated security path drop statistics. |
| show conn | Displays information about connections. |