These log messages refer to the IGMP (IGMP events) category.
2.32.1. querier_election_won (ID: 04200001)
- Default Severity
- NOTICE
- Log Message
- Taking on the role of Querier at interface <iface>.
- Explanation
- This router is now the IGMP Querier at the specified interface.
- Firewall Action
- None
- Recommended Action
- None
- Revision
- 1
- Parameters
- iface
2.32.2. querier_election_lost (ID: 04200002)
- Default Severity
- NOTICE
- Log Message
- Lost Querier election to <dest> at interface <iface>.
- Explanation
- "I" am no longer the IMGP Querier at the specified interface.
- Firewall Action
- None
- Recommended Action
- None
- Revision
- 1
- Parameters
- dest
iface
2.32.3. invalid_dest_ip_address (ID: 04200003)
- Default Severity
- WARNING
- Log Message
- Rejected IGMP message directed to unicast IP <ip_dest> at interface <recv_if>.
- Explanation
- Rejected IGMP message directed to a unicast IP. Possible IGMP DoS attack. Note that sending IGMP messages to a unicast IP
is legal with IGMPv1 and IGMPv2, but not recommended.
- Firewall Action
- drop
- Recommended Action
- Identify the offending application, upgrade if possible.
- Revision
- 1
- Parameters
- recv_if
ip_dest
- Context Parameters
- Packet Buffer
2.32.4. invalid_destination_ethernet_address (ID: 04200004)
- Default Severity
- WARNING
- Log Message
- Rejected IGMP message with inconsistent IP/ethernet addresses (<ipdest>/<edest>) at interface <recv_if>.
- Explanation
- Rejected IGMP message directed to a unicast ethernet. Known IGMP DoS attack.
- Firewall Action
- drop
- Recommended Action
- Identify the offending application or user, isolate or upgrade if possible.
- Revision
- 1
- Parameters
- recv_if
ipdest
edest
- Context Parameters
- Packet Buffer
2.32.5. failed_restarting_igmp_conn (ID: 04200006)
- Default Severity
- EMERG
- Log Message
- Could not restart the IGMP listening conn. Reason: Out of memory
- Explanation
- Could not restart the IGMP listening conn. The IGMP system is no longer functional since it cannot handle IGMP requests.
- Firewall Action
- None
- Recommended Action
- Reboot the system.
- Revision
- 1
2.32.6. invalid_size_query_packet (ID: 04200007)
- Default Severity
- WARNING
- Log Message
- Broken IGMP Query at interface <recv_if> (payload exceeds packet size).
- Explanation
- Harmful condition that potentially could give an attacker full access to the system. May indicate faulty hardware, an attack
or experimental software.
- Firewall Action
- drop
- Recommended Action
- None, but keep an eye open for malfunctional software/hardware somewhere on the network.
- Revision
- 1
- Parameters
- recv_if
- Context Parameters
- Packet Buffer
2.32.7. invalid_query_group_address (ID: 04200008)
- Default Severity
- ERROR
- Log Message
- IGMP group specific query at interface <recv_if> about group <grp> (<grp_sat> after being SAT'ed) includes unicast ip address.
- Explanation
- Unicast IP address found inside group specific query. This is most likely a faulty SAT config.
- Firewall Action
- drop
- Recommended Action
- Check your IGMP ruleset to see if a muticast group somehow might be translated into a unicast address.
- Revision
- 1
- Parameters
- recv_if
grp
grp_sat
- Context Parameters
- Packet Buffer
2.32.8. igmp_query_dropped (ID: 04200009)
- Default Severity
- NOTICE
- Log Message
- Rule <name> dropped IGMP Query about group <grp> and source <src> at interface <if> from router <rip>.
- Explanation
- Dropped IGMP Query.
- Firewall Action
- drop
- Recommended Action
- None
- Revision
- 1
- Parameters
- if
rip
igmpver
grp
src
name
2.32.9. igmp_query_received (ID: 04200010)
- Default Severity
- NOTICE
- Log Message
- Rule <name> <action> IGMP Query about group <grp> and source <src> at interface <if> from router <rip>. Group <grp> is translated
into <sgrp> and source <src> into <ssrc>.
- Explanation
- Got IGMP Query.
- Firewall Action
- allow
- Recommended Action
- None
- Revision
- 1
- Parameters
- if
rip
igmpver
grp
src
sgrp
ssrc
name
action
2.32.10. bad_src (ID: 04200011)
- Default Severity
- WARNING
- Log Message
- Rule <name> drops multicast sender <src> (SAT'ed into <sats>) in group <grp> (SAT'ed into <satg>) specific IGMP Query at interface
<iface>.
- Explanation
- This is most likely a faulty IGMP configuration, but may also indicate faulty software on the network. Under special circumstances
this could be an active attempt to scan the network for information.
- Firewall Action
- drop
- Recommended Action
- Specifically check your IGMP ruleset for incorrect SAT information (IGMP support requires at least one "REPORT" (Member Report)
rule and one matching "QUERY" rule). Make sure both multicast groups and source addresses map one-to-one between Member Reports
and Queries. Finally check the network for for other anomalies that could indicate broken equipment or installed "spyware".
- Revision
- 1
- Parameters
- name
src
grp
sats
satg
iface
2.32.11. igmp_report_received (ID: 04200012)
- Default Severity
- NOTICE
- Log Message
- Rule <name> <action> IGMP Member Report concerning group <grp> and source <src> at interface <if> from host <hip>. Group <grp>
is translated into <sgrp> and source <src> into <ssrc>
- Explanation
- Got IGMP Report.
- Firewall Action
- allow
- Recommended Action
- None
- Revision
- 1
- Parameters
- if
hip
igmpver
grp
src
sgrp
ssrc
name
action
2.32.12. packet_includes_aux_data (ID: 04200013)
- Default Severity
- WARNING
- Log Message
- IGMP Group record <grp> from interface <recv_if> contains auxilliary data.
- Explanation
- This software support IGMPv1, IGMPv2 and IGMPv3 and none of them support the feature known as "Auxilliary Data". This is a
broken packet.
- Firewall Action
- drop
- Recommended Action
- If this is a legal situation and the administrator have no reason to suspect an attack, upgrading this software may solve
the problem.
- Revision
- 1
- Parameters
- recv_if
grp
- Context Parameters
- Packet Buffer
2.32.13. invalid_size_report_packet (ID: 04200014)
- Default Severity
- ERROR
- Log Message
- Broken IGMP Member Report at interface <recv_if>. Group record <grp> makes payload larger than IGMP packet size.
- Explanation
- Harmful condition that potentially could give an attacker full access to the system. May indicate faulty hardware, an attack
or experimental software.
- Firewall Action
- drop
- Recommended Action
- None, but keep an eye open for for broken hardware somewhere in the network.
- Revision
- 1
- Parameters
- recv_if
grp
- Context Parameters
- Packet Buffer
2.32.14. bad_grp (ID: 04200015)
- Default Severity
- WARNING
- Log Message
- Bad IGMP Member Report at interface <iface>: Group record request group <grp> (which is not a multicast group).
- Explanation
- This is most likely a faulty IGMP config.
- Firewall Action
- drop
- Recommended Action
- Specifically check for inconsistent SAT/NAT information in the IGMP config.
- Revision
- 1
- Parameters
- grp
iface
2.32.15. invalid_report_grp_record (ID: 04200016)
- Default Severity
- WARNING
- Log Message
- Bad IGMP Member Report received. Group record <grp> of unknown type <type>.
- Explanation
- This indicates faulty software/hardware somewhere on the network.
- Firewall Action
- drop
- Recommended Action
- None, but keep an eye open for for broken hardware somewhere in the network.
- Revision
- 1
- Parameters
- grp
type
- Context Parameters
- Packet Buffer
2.32.16. igmp_report_dropped (ID: 04200017)
- Default Severity
- NOTICE
- Log Message
- Rule <name> drops IGMP Member Report concerning group <grp> and source <src> at interface <if> from host <hip>.
- Explanation
- Dropped IGMP Report.
- Firewall Action
- drop
- Recommended Action
- None
- Revision
- 1
- Parameters
- if
hip
igmpver
grp
src
sat_grp
sat_src
name
2.32.17. igmp_ruleset_rejects_report (ID: 04200018)
- Default Severity
- WARNING
- Log Message
- Rule <name> drops multicast sender <src> for group record <grp> in Member Report at interface <iface>.
- Explanation
- IGMP Member Report contains an unwanted IP sender.
- Firewall Action
- drop
- Recommended Action
- None
- Revision
- 1
- Parameters
- name
src
grp
iface
2.32.18. bad_inet (ID: 04200019)
- Default Severity
- WARNING
- Log Message
- Rejected IGMP message from incorrect IP <src> at interface <iface>.
- Explanation
- Rejected IGMP message because it claims to have been sent by "me", but I know I did not send any. Possible IGMP DoS attack,
but more likely an IP conflict. .
- Firewall Action
- drop
- Recommended Action
- Assign a different IP to the offending application.
- Revision
- 1
- Parameters
- src
iface
- Context Parameters
- Packet Buffer
2.32.19. max_global_requests_per_second_reached (ID: 04200020)
- Default Severity
- WARNING
- Log Message
- Rejected IGMP message. Global requests per second rate reached
- Explanation
- Too many IGMP requests received per second. Possible IGMP DoS attack.
- Firewall Action
- drop
- Recommended Action
- Increase global IGMPMaxReqs per second limit if more requests are wanted.
- Revision
- 1
- Parameters
- ipsrc
iface
2.32.20. max_if_requests_per_second_reached (ID: 04200021)
- Default Severity
- WARNING
- Log Message
- Rejected IGMP message. Max requests per second and interface rate reached
- Explanation
- Too many IGMP requests received per second. Possible IGMP DoS attack.
- Firewall Action
- drop
- Recommended Action
- Increase IGMPMaxReqsIf per second limit if more requets are wanted.
- Revision
- 1
- Parameters
- ipsrc
iface
2.32.21. disallowed_igmp_version (ID: 04200022)
- Default Severity
- NOTICE
- Log Message
- Disallowed IGMP Version
- Explanation
- A system is using a too old IGMP version.
- Firewall Action
- drop
- Recommended Action
- Upgrade the host/router running the disallowed version, or lower LowestIGMPVer limit.
- Revision
- 1
- Parameters
- recv_ver
required_ver
- Context Parameters
- Packet Buffer
2.32.22. received_unknown_igmp_type (ID: 04200023)
- Default Severity
- NOTICE
- Log Message
- Dropped IGMP message with unknown type.
- Explanation
- Invalid IGMP message type received.
- Firewall Action
- drop
- Recommended Action
- None, but keep an eye open for malfunctional software/hardware on the network.
- Revision
- 1
- Parameters
- MSGType
- Context Parameters
- Packet Buffer
2.32.23. older_querier_present (ID: 04200024)
- Default Severity
- NOTICE
- Log Message
- Entering IGMPv<igmpver> Older Querier Present compatibility mode on interface <iface> because of a received General Query
from <rip>.
- Explanation
- The router will use IGMPv[igmpver] when it is snooping/proxying IGMP messages upstream.
- Firewall Action
- None
- Recommended Action
- None
- Revision
- 1
- Parameters
- iface
rip
igmpver
2.32.24. older_querier_gone (ID: 04200025)
- Default Severity
- NOTICE
- Log Message
- No IGMPv<igmpver> querier present. Older Querier Present (IGMPv<igmpver>) compatibility mode on interface <iface> has ended.
Entering IGMPv<nigmpver> mode.
- Explanation
- The router has not heard any IGMPv[igmpver] general queries and will switch and use IGMPv[nigmpver] version when snooping/proxying
IGMP messages upstream.
- Firewall Action
- None
- Recommended Action
- None
- Revision
- 1
- Parameters
- iface
igmpver
nigmpver
cOS Core 15.00.02 Log Reference Guide
