

To debug the accelerated security path dropped packets or connections, use the show asp drop command in privileged EXEC mode.

show asp drop [flow [flow_drop_reason] | frame [frame_drop_reason]]

Syntax Description

flow [flow_drop_reason] (Optional) Shows the dropped flows (connections). You can specify a particular reason by using the flow_drop_reason argument. Use ? to see a list of possible flow drop reasons.

frame [frame_drop_reason] (Optional) Shows the dropped packets. You can specify a particular reason by using the frame_drop_reason argument. Use ? to see a list of possible frame drop reasons.

The following table shows the modes in which you can enter the command:

The show asp drop command shows the packets or connections dropped by the accelerated security path, which might help you troubleshoot a problem. See the general operations configuration guide for more information about the accelerated security path. This information is used for debugging purposes only, and the information output is subject to change.

Output includes a timestamp indicating when the counters were last cleared (see the clear asp drop command). It also displays the drop reason keywords next to the description, so you can easily use the capture asp-drop command with the associated keyword.

The following sections include each drop reason name and description, including recommendations:

Description: This counter will increment when the appliance receives an IPSec NAT-T keepalive message. NAT-T keepalive messages are sent from the IPSec peer to the appliance to keep NAT/PAT flow information current in network devices between the NAT-T IPSec peer and the appliance.

Recommendations: If you have configured IPSec NAT-T on your appliance, this indication is normal and doesn't indicate a problem. If NAT-T is not configured on your appliance, analyze your network traffic to determine the source of the NAT-T traffic.

Description: This counter will increment when the appliance receives an IPSec over UDP keepalive message. IPSec over UDP keepalive messages are sent from the IPSec peer to the appliance to keep NAT/PAT flow information current in network devices between the IPSec over UDP peer and the appliance. Note - These are not industry standard NAT-T keepalive messages, which are also carried over UDP and addressed to UDP port 4500.

Recommendations: If you have configured IPSec over UDP on your appliance, this indication is normal and doesn't indicate a problem. If IPSec over UDP is not configured on your appliance, analyze your network traffic to determine the source of the IPSec over UDP traffic.

Description: This counter will increment when the appliance receives a packet on an IPSec connection which is not an AH or ESP protocol.

Recommendations: If you are receiving many IPSec not AH or ESP indications on your appliance, analyze your network traffic to determine the source of the traffic.

Description: This counter will increment when the appliance receives an IPSec ESP packet, IPSec NAT-T ESP packet or an IPSec over UDP ESP packet encapsulated in an IP version 6 header. The appliance does not currently support any IPSec sessions encapsulated in IP version 6.

Description: This counter will increment when the appliance receives a packet on an IPSec connection which has negotiated NAT-T but the packet is not addressed to the NAT-T UDP destination port of 4500 or had an invalid payload length.

Recommendations: Analyze your network traffic to determine the source of the NAT-T traffic.

Description: This counter will increment when the appliance receives a packet on an IPSec connection which has negotiated IPSec over UDP but the packet has an invalid payload length.

Description: This counter will increment when the appliance receives a packet which requires encryption but has no established IPSec security association. This is generally a normal condition for LAN-to-LAN IPSec configurations. This indication will cause the appliance to begin ISAKMP negotiations with the destination peer.

Recommendations: If you have configured IPSec LAN-to-LAN on your appliance, this indication is normal and doesn't indicate a problem. However, if this counter increments rapidly it may indicate a crypto configuration error or a network error preventing the ISAKMP negotiation from completing. Verify that you can communicate with the destination peer and verify your crypto configuration via the 'show running-config' command.

Description: This counter will increment when the appliance receives a packet which should have been encrypted but was not. The packet matched the inner header security policy check of a configured and established IPSec connection on the appliance but was received unencrypted.
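As an added example (not part of the Cisco documentation), the following Python script parses the show asp drop output layout described above: it reads each reason's counter and keyword plus the last-clearing timestamp from two snapshots, refuses to diff them if the counters were cleared in between, and flags reasons whose rate crosses a threshold, since the recommendations tie several of these counters to how rapidly they increment. The sample output is constructed, and the keyword spellings and thresholds are assumptions.

```python
import re

# Constructed sample: two "show asp drop" snapshots taken 30 seconds apart. The
# "description (keyword)  count" layout follows the command; keywords are assumed.
SNAPSHOT_1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                      120
  IPSec SA not negotiated yet (ipsec-need-sa)                         4
  IPSec Clear Pkt w/no tunnel (ipsec-clearpkt-notun)                  0
Last clearing: 11:10:31 UTC Feb 5 2017 by enable_15
"""
SNAPSHOT_2 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                      131
  IPSec SA not negotiated yet (ipsec-need-sa)                       604
  IPSec Clear Pkt w/no tunnel (ipsec-clearpkt-notun)                  3
Last clearing: 11:10:31 UTC Feb 5 2017 by enable_15
"""

COUNTER_RE = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<kw>[\w-]+)\)\s+(?P<n>\d+)\s*$")
CLEAR_RE = re.compile(r"^Last clearing:\s+(?P<when>.+?)\s*$")

def parse_asp_drop(text):
    """Return ({keyword: count}, last_clearing) for one snapshot."""
    counters, cleared = {}, None
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("kw")] = int(m.group("n"))
        else:
            c = CLEAR_RE.match(line)
            if c:
                cleared = c.group("when")
    return counters, cleared

def drop_rates(before, after, seconds):
    """Increments per second per keyword; refuses to diff across a counter clear."""
    c1, t1 = parse_asp_drop(before)
    c2, t2 = parse_asp_drop(after)
    if t1 != t2:
        raise ValueError("counters were cleared between snapshots")
    return {kw: (c2[kw] - c1.get(kw, 0)) / seconds for kw in c2}

# Assumed per-second thresholds: a cleartext packet matching an established
# tunnel's policy deserves a look at any rate; need-sa is normal unless it races.
THRESHOLDS = {"ipsec-clearpkt-notun": 0.0, "ipsec-need-sa": 10.0}

def flag_counters(rates, thresholds=THRESHOLDS):
    """Monitored keywords whose rate exceeds the threshold, sorted."""
    return sorted(kw for kw, limit in thresholds.items() if rates.get(kw, 0) > limit)
```

Unmonitored keywords such as acl-drop are parsed but never flagged; extend THRESHOLDS for the reasons you care about.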
