These log messages refer to the IPV6 category.
2.28.1. [ID: 115] Max IPv6 options per extension header reached
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Max IPv6 options per extension header reached.
- Default Log Severity
- Notice
- Parameters
- max, flow, pkt, user, userid
- Explanation
- The maximum amount of options within an extension header has been reached.
- Gateway Action
- Ignore
- Action Description
- None
- Proposed Action
- The IPSettings:IP6MaxOPH setting can be changed to increase or decrease the number of options allowed within an extension header. The IPSettings:IP6OnMaxOPH setting can be changed to control the gateway's behavior when the maximum number of options has been reached.
2.28.2. [ID: 492] Max IPv6 options per extension header reached
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Max IPv6 options per extension header reached.
- Default Log Severity
- Warning
- Parameters
- max, flow, pkt, user, userid
- Explanation
- The maximum amount of options within an extension header has been reached.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The IPSettings:IP6MaxOPH setting can be changed to increase or decrease the number of options allowed within an extension header. The IPSettings:IP6OnMaxOPH setting can be changed to control the gateway's behavior when the maximum number of options has been reached.
2.28.3. [ID: 477] Order of extension headers is invalid
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Order of extension headers is invalid.
- Default Log Severity
- Warning
- Parameters
- exthdr, hdrver, offset, pkt
- Explanation
- IPv6 require a strict ordering between different extensions headers (the order among extension headers will change their semantics).
A packet that did not comply with this ordering have been received.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed
packets. This log message can be disabled by the IPSettings:LogNonIP4 setting.
2.28.4. [ID: 304] Bad IP version
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Bad IP version.
- Default Log Severity
- Warning
- Parameters
- ipver, pkt
- Explanation
- The received packet has a disallowed IP version. This typically means that there is a mismatch between the IP packet and a
lower layer protocol (such as Ethernet).
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed
packets. This log message can be disabled by the IPSettings:LogNonIP4 setting.
2.28.5. [ID: 401] Received unknown extension header
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Received unknown extension header.
- Default Log Severity
- Error
- Parameters
- exthdr, flow, pkt, user, userid
- Explanation
- An unknown extension header was not allowed to be forwarded by the gateway.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Verify that the packet was not malformed in any way using a network analysis tool. If the packet is valid, report the extension
header with header id exthdr to customer support.
2.28.6. [ID: 263] Non-zero IP Flow Label
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Non-zero IP Flow Label.
- Default Log Severity
- Warning
- Parameters
- flow, pkt, user, userid
- Explanation
- Flow Labels provides an alternative and efficient way for Flow Label capable IPv6 routers to forward IPv6 packets based only
on data in the IP header at fixed positions. For more information see RFC3697.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The IPSettings:IP6FL setting can be changed to control the gateway's behavior for packets with the Flow Label field set.
2.28.7. [ID: 486] Non-zero IP Flow Label
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Non-zero IP Flow Label.
- Default Log Severity
- Notice
- Parameters
- flow, pkt, user, userid
- Explanation
- Flow Labels provides an alternative and efficient way for Flow Label capable IPv6 routers to forward IPv6 packets based only
on data in the IP header at fixed positions. For more information see RFC3697.
- Gateway Action
- Allow
- Action Description
- None
- Proposed Action
- The IPSettings:IP6FL setting can be changed to control the gateway's behavior for packets with the Flow Label field set.
2.28.8. [ID: 621] Non-zero IP Flow Label
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Non-zero IP Flow Label.
- Default Log Severity
- Warning
- Parameters
- flow, pkt, user, userid
- Explanation
- Flow Labels provides an alternative and efficient way for Flow Label capable IPv6 routers to forward IPv6 packets based only
on data in the IP header at fixed positions. For more information see RFC3697.
- Gateway Action
- Strip
- Action Description
- None
- Proposed Action
- The IPSettings:IP6FL setting can be changed to control the gateway's behavior for packets with the Flow Label field set.
2.28.9. [ID: 804] Illegal sender address
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Illegal sender address.
- Default Log Severity
- Notice
- Parameters
- srcip, pkt
- Explanation
- Received a packet where the source address does not identify a single node uniquely.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- If possible, trace down the originator and validate its configuration.
2.28.10. [ID: 470] IPv6 extension header size limit reached
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- IPv6 extension header size limit reached.
- Default Log Severity
- Notice
- Parameters
- maxlen, flow, pkt, user, userid
- Explanation
- The maximum total size of extension header within an IPv6 packet has been reached.
- Gateway Action
- Ignore
- Action Description
- None
- Proposed Action
- The IPSettings:IP6MaxExtHdr setting can be changed to increase or decrease the total size of extension headers allowed. The IPSettings:IP6OnMaxExtHdr setting can be changed to control the gateway's behavior when the maximum extension header size is reached.
2.28.11. [ID: 249] IPv6 extension header size limit reached
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- IPv6 extension header size limit reached.
- Default Log Severity
- Warning
- Parameters
- maxlen, flow, pkt, user, userid
- Explanation
- The maximum total size of extension header within an IPv6 packet has been reached.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The IPSettings:IP6MaxExtHdr setting can be changed to increase or decrease the total size of extension headers allowed. The IPSettings:IP6OnMaxExtHdr setting can be changed to control the gateway's behavior when the maximum extension header size is reached.
2.28.12. [ID: 220] Non-zero IPv6 PADN data
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Non-zero IPv6 PADN data.
- Default Log Severity
- Notice
- Parameters
- flow, pkt, user, userid
- Explanation
- The IPv6 PADN field(s) was found to be non-zero. It is recommended to at least strip this information from the packet to prevent
unfiltered data to be tunneled within the pad fields.
- Gateway Action
- Allow
- Action Description
- None
- Proposed Action
- The IPSettings:IP6OPT_PADN setting can be changed to control the gateway's behavior when processing packets with non-zero pad fields.
2.28.13. [ID: 575] Non-zero IPv6 PADN data
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Non-zero IPv6 PADN data.
- Default Log Severity
- Warning
- Parameters
- flow, pkt, user, userid
- Explanation
- The IPv6 PADN field(s) was found to be non-zero. It is recommended to at least strip this information from the packet to prevent
unfiltered data to be tunneled within the pad fields.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The IPSettings:IP6OPT_PADN setting can be changed to control the gateway's behavior when processing packets with non-zero pad fields.
2.28.14. [ID: 268] Non-zero IPv6 PADN data
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Non-zero IPv6 PADN data.
- Default Log Severity
- Warning
- Parameters
- flow, pkt, user, userid
- Explanation
- The IPv6 PADN field(s) was found to be non-zero. It is recommended to at least strip this information from the packet to prevent
unfiltered data to be tunneled within the pad fields.
- Gateway Action
- Strip
- Action Description
- None
- Proposed Action
- The IPSettings:IP6OPT_PADN setting can be changed to control the gateway's behavior when processing packets with non-zero pad fields.
2.28.15. [ID: 347] Fragment header in non-fragment
- Log Categories
- IPV6,FRAG,STATELESS,VALIDATE
- Log Message
- Fragment header in non-fragment.
- Default Log Severity
- Information
- Parameters
- offset, pktlen, pkt
- Explanation
- An IPv6 packet may include a fragment header that states that "this is the first and only fragment". By definition, this is
not a fragment. This construction is perfectly legal, and is used when an IPv6 node have discovered that the path MTU is lower
than the minimal IPv6 MTU. This situation is likely when IPv6 traffic is tunneled via a non-IPv6 network, such as a modem
or an IPv4 network.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- The FragSettings:IP6NopFrags setting can be changed to control the gateway's behavior for non-fragmented packets with a fragment header.
2.28.16. [ID: 283] Fragment header in non-fragment
- Log Categories
- IPV6,FRAG,STATELESS,VALIDATE
- Log Message
- Fragment header in non-fragment.
- Default Log Severity
- Notice
- Parameters
- offset, pktlen, pkt
- Explanation
- An IPv6 packet may include a fragment header that states that "this is the first and only fragment". By definition, this is
not a fragment. This construction is perfectly legal, and is used when an IPv6 node have discovered that the path MTU is lower
than the minimal IPv6 MTU. This situation is likely when IPv6 traffic is tunneled via a non-IPv6 network, such as a modem
or an IPv4 network.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Under normal circumstances, it is recommended to NOT drop this kind of packets. The FragSettings:IP6NopFrags setting can be changed to control the gateway's behavior for non-fragmented packets with a fragment header.
2.28.17. [ID: 260] Received fragmented jumbogram
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Received fragmented jumbogram.
- Default Log Severity
- Warning
- Parameters
- flow, pkt, user, userid
- Explanation
- A packet carrying both a jumbogram option and a fragmentation header was received. Jumbograms are not allowed to be fragmented.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The IPSettings:IP6OPT_JUMBO setting can be changed to control the gateway's behavior for validating IPv6 packets with Jumbogram options.
2.28.18. [ID: 128] Received fragmented jumbogram
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Received fragmented jumbogram.
- Default Log Severity
- Warning
- Parameters
- flow, pkt, user, userid
- Explanation
- A packet carrying both a jumbogram option and a fragmentation header was received. Jumbograms are not allowed to be fragmented.
- Gateway Action
- Reject
- Action Description
- None
- Proposed Action
- The IPSettings:IP6OPT_JUMBO setting can be changed to control the gateway's behavior for validating IPv6 packets with Jumbogram options.
2.28.19. [ID: 157] Received Home Address option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Received Home Address option.
- Default Log Severity
- Notice
- Parameters
- flow, pkt, user, userid
- Explanation
- The packet contained a Home Address IPv6 option, which according to configuration is allowed.
- Gateway Action
- Allow
- Action Description
- None
- Proposed Action
- The IPSettings:IP6OPT_HA setting can be changed to control the gateway's behavior for IPv6 packets with Home Address options.
2.28.20. [ID: 150] Received Home Address option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Received Home Address option.
- Default Log Severity
- Warning
- Parameters
- flow, pkt, user, userid
- Explanation
- The packet contained a Home Address IPv6 option, which according to configuration is disallowed.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The IPSettings:IP6OPT_HA setting can be changed to control the gateway's behavior for IPv6 packets with Home Address options.
2.28.21. [ID: 535] Multicast Home Address option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Multicast Home Address option.
- Default Log Severity
- Warning
- Parameters
- flow, pkt, user, userid
- Explanation
- The packet contained a Home Address IPv6 option with a non-unicast home address. According to RFC3775, the home address must
be a unicast address.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The IPSettings:IP6OPT_HA setting can be changed to control the gateway's behavior for IPv6 packets with Home Address options.
2.28.22. [ID: 457] Received Home Address option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Received Home Address option.
- Default Log Severity
- Warning
- Parameters
- flow, pkt, user, userid
- Explanation
- The packet contained a Home Address IPv6 option, which according to configuration should be treated as if the gateway did
not support that option.
- Gateway Action
- Drop
- Action Description
- The packet was dropped according to the action bits in the Home Address option
- Proposed Action
- The IPSettings:IP6OPT_HA setting can be changed to control the gateway's behavior for IPv6 packets with Home Address options.
2.28.23. [ID: 412] Received Home Address option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Received Home Address option.
- Default Log Severity
- Warning
- Parameters
- flow, pkt, user, userid
- Explanation
- The packet contained a Home Address IPv6 option, which according to configuration should be treated as if the gateway did
not support that option.
- Gateway Action
- Reject
- Action Description
- The packet was rejected according to the action bits in the Home Address option
- Proposed Action
- The IPSettings:IP6OPT_HA setting can be changed to control the gateway's behavior for IPv6 packets with Home Address options.
2.28.24. [ID: 121] IP6 option with invalid size
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- IP6 option with invalid size.
- Default Log Severity
- Warning
- Parameters
- option, len, expectlen, flow, pkt, user, userid
- Explanation
- An IPv6 option with a known static size, claimed to be of another size than specified by the IPv6 specification.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- If the packet sender is one of your network devices, investigate why the unit is sending malformed IP options.
2.28.25. [ID: 458] Received Jumbogram option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Received Jumbogram option.
- Default Log Severity
- Notice
- Parameters
- flow, pkt, user, userid
- Explanation
- The packet contained a Jumbogram IPv6 option, which according to configuration is allowed.
- Gateway Action
- Allow
- Action Description
- None
- Proposed Action
- The IPSettings:IP6OPT_JUMBO setting can be changed to control the gateway's behavior for IPv6 packets with Jumbogram options.
2.28.26. [ID: 586] Received Jumbogram option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Received Jumbogram option.
- Default Log Severity
- Warning
- Parameters
- flow, pkt, user, userid
- Explanation
- The packet contained a Jumbogram option, which according to configuration is disallowed.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The IPSettings:IP6OPT_JUMBO setting can be changed to control the gateway's behavior for IPv6 packets with Jumbogram options.
2.28.27. [ID: 101] Received Jumbogram option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Received Jumbogram option.
- Default Log Severity
- Warning
- Parameters
- flow, pkt, user, userid
- Explanation
- The packet contained a Jumbogram option, which according to configuration should be treated as if the gateway did not support
that option. RFC2675 states that devices not supporting the Jumbogram option should reject the packet.
- Gateway Action
- Reject
- Action Description
- None
- Proposed Action
- The IPSettings:IP6OPT_JUMBO setting can be changed to control the gateway's behavior for IPv6 packets with Jumbogram options.
2.28.28. [ID: 417] Received malformed Jumbogram
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Received malformed Jumbogram.
- Default Log Severity
- Warning
- Parameters
- iplen, paylen, pktlen, flow, pkt, user, userid
- Explanation
- The packet contained a malformed Jumbogram option. The IP payload field iplen must be zero for jumbograms. The paylen parameter is the length indicated by the Jumbogram option. pktlen is the total packet length.
- Gateway Action
- Drop
- Action Description
- Ignoring RFC2675 reject behavior and dropping packet
- Proposed Action
- The IPSettings:IP6OPT_JUMBO setting can be changed to control the gateway's behavior for IPv6 packets with Jumbogram options. Unless the gateway is supposed
to be completely transparent, it is recommended to change the setting's action to ValidateLogRejectBad.
2.28.29. [ID: 603] Received malformed Jumbogram
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Received malformed Jumbogram.
- Default Log Severity
- Warning
- Parameters
- iplen, paylen, pktlen, flow, pkt, user, userid
- Explanation
- The packet contained a malformed Jumbogram option. The IP payload field iplen must be zero for jumbograms. The paylen parameter is the length indicated by the Jumbogram option. pktlen is the total packet length.
- Gateway Action
- Reject
- Action Description
- Rejecting packet according to RFC2675
- Proposed Action
- The IPSettings:IP6OPT_JUMBO setting can be changed to control the gateway's behavior for IPv6 packets with Jumbogram options. Unless the gateway is supposed
to be completely transparent, it is recommended to change the setting's action to ValidateLogRejectBad.
2.28.30. [ID: 407] Received unknown option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Received unknown option.
- Default Log Severity
- Warning
- Parameters
- option, optlen, flow, pkt, user, userid
- Explanation
- The packet contained an option type that was not recognized. The current configuration allows all unknown IPv6 options.
- Gateway Action
- Allow
- Action Description
- The option's action bits were ignored and the packet was allowed
- Proposed Action
- The IPSettings:IP6OPT_Other setting can be changed to control the gateway's behavior for packets with unknown IPv6 options. It is recommended that the
setting is set to RFC2460LogNoSupport which will make the gateway handle the packets according to the unknown option's action
bits.
2.28.31. [ID: 197] Received unknown option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Received unknown option.
- Default Log Severity
- Warning
- Parameters
- option, optlen, flow, pkt, user, userid
- Explanation
- The packet contained an option type that was not recognized. The current configuration disallows all unknown IPv6 options.
- Gateway Action
- Drop
- Action Description
- The option's action bits were ignored and the packet was dropped
- Proposed Action
- The IPSettings:IP6OPT_Other setting can be changed to control the gateway's behavior for packets with unknown IPv6 options. It is recommended that the
setting is set to RFC2460LogNoSupport which will make the gateway handle the packets according to the unknown option's action
bits.
2.28.32. [ID: 314] Processed unknown option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Processed unknown option.
- Default Log Severity
- Warning
- Parameters
- option, optlen, flow, pkt, user, userid
- Explanation
- The packet contained an option type that was not recognized. RFC2460 states that network nodes that do not recognize an option
should handle the packet according to the action bits within the unknown option.
- Gateway Action
- Drop
- Action Description
- The packet was dropped according to the unknown option's action bits
- Proposed Action
- The IPSettings:IP6OPT_Other setting can be changed to control the gateway's behavior for packets with unknown IPv6 options. It is recommended that the
packet is handled according to the option's action bits by configure the IPSettings:IP6OPT_Other setting to RFC2460LogNoSupport.
2.28.33. [ID: 280] Processed unknown option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Processed unknown option.
- Default Log Severity
- Warning
- Parameters
- option, optlen, flow, pkt, user, userid
- Explanation
- The packet contained an option type that was not recognized. The IPv6 specification states that network nodes that do not
recognize an option should handle the packet according to the action bits within the unknown option. The action bits for the
option option stated that the unknown option should be dropped and not rejected since the destination address is a non-unicast address.
- Gateway Action
- Drop
- Action Description
- The packet is dropped
- Proposed Action
- The IPSettings:IP6OPT_Other setting can be changed to control the gateway's behavior for packets with unknown IPv6 options. It is recommended that the
packet is handled according to the option's action bits by configure the IPSettings:IP6OPT_Other setting to RFC2460LogNoSupport.
2.28.34. [ID: 154] Processed unknown option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Processed unknown option.
- Default Log Severity
- Warning
- Parameters
- option, optlen, flow, pkt, user, userid
- Explanation
- The packet contained an option type that was not recognized. RFC2460 states that network nodes that do not recognize an option
should handle the packet according to the action bits within the unknown option. The action bits for the option option stated that the packet should be rejected regardless of destination address.
- Gateway Action
- Reject
- Action Description
- The packet was rejected according to the unknown option's action bits
- Proposed Action
- The IPSettings:IP6OPT_Other setting can be changed to control the gateway's behavior for packets with unknown IPv6 options. It is recommended that the
packet is handled according to the option's action bits by configure the IPSettings:IP6OPT_Other setting to RFC2460LogNoSupport.
2.28.35. [ID: 344] Processed unknown option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Processed unknown option.
- Default Log Severity
- Warning
- Parameters
- option, optlen, flow, pkt, user, userid
- Explanation
- The packet contained an option type that was not recognized. RFC2460 states that network nodes that do not recognize an option
should handle the packet according to the action bits within the unknown option. The action bits for the option option stated that the packet should be rejected if the destination address is a unicast address and dropped silently otherwise.
- Gateway Action
- Reject
- Action Description
- The packet was rejected according to the unknown option's action bits
- Proposed Action
- The IPSettings:IP6OPT_Other setting can be changed to control the gateway's behavior for packets with unknown IPv6 options. It is recommended that the
packet is handled according to the option's action bits by configure the IPSettings:IP6OPT_Other setting to RFC2460LogNoSupport.
2.28.36. [ID: 356] Processed unknown option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Processed unknown option.
- Default Log Severity
- Warning
- Parameters
- option, optlen, flow, pkt, user, userid
- Explanation
- The packet contained an option type that was not recognized. RFC2460 states that network nodes that do not recognize an option
should handle the packet according to the action bits within the unknown option. The action bits for the option option stated that the unknown option should be ignored and that the packet processing should continue.
- Gateway Action
- Allow
- Action Description
- The option was ignored according to the unknown option's action bits
- Proposed Action
- The IPSettings:IP6OPT_Other setting can be changed to control the gateway's behavior for packets with unknown IPv6 options. It is recommended that the
packet is handled according to the option's action bits by configure the IPSettings:IP6OPT_Other setting to RFC2460LogNoSupport.
2.28.37. [ID: 563] Received Router Alert option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Received Router Alert option.
- Default Log Severity
- Notice
- Parameters
- flow, pkt, user, userid
- Explanation
- The packet contained a Router Alert IPv6 option, which according to configuration is allowed.
- Gateway Action
- Allow
- Action Description
- None
- Proposed Action
- The IPSettings:IP6OPT_RA setting can be changed to control the gateway's behavior for IPv6 packets with Router Alert options. It is recommended that
the setting is set to RFC3775LogNoSupport which will make the gateway ignore the option according to the option's action bits.
2.28.38. [ID: 396] Received Router Alert option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Received Router Alert option.
- Default Log Severity
- Warning
- Parameters
- flow, pkt, user, userid
- Explanation
- The packet contained a Router Alert IPv6 option, which according to configuration is disallowed.
- Gateway Action
- Drop
- Action Description
- The option's action bits were ignored and the packet was dropped
- Proposed Action
- The IPSettings:IP6OPT_RA setting can be changed to control the gateway's behavior for IPv6 packets with Router Alert options. It is recommended that
the setting is set to RFC3775LogNoSupport which will make the gateway ignore the option according to the option's action bits.
2.28.39. [ID: 214] Received Router Alert option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Received Router Alert option.
- Default Log Severity
- Notice
- Parameters
- flow, pkt, user, userid
- Explanation
- The packet contained a Router Alert IPv6 option, which according to configuration should be treated as if the gateway did
not support the option. RFC3775 states that the option should be ignored by devices not supporting it.
- Gateway Action
- Allow
- Action Description
- The option was ignored according to the action bits of the RA option
- Proposed Action
- The IPSettings:IP6OPT_RA setting can be changed to control the gateway's behavior for IPv6 packets with Router Alert options. It is recommended that
the setting is set to RFC3775LogNoSupport which will make the gateway ignore the option according to the option's action bits.
2.28.40. [ID: 178] Received Routing Header option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Received Routing Header option.
- Default Log Severity
- Warning
- Parameters
- type, segmentsleft, flow, pkt, user, userid
- Explanation
- An IPv6 packet carrying a Routing Header of type type and segments left value of segmentsleft was dropped according to configuration.
- Gateway Action
- Drop
- Action Description
- The segments field was ignored and the packet was dropped
- Proposed Action
- The IPSettings:IP6OPT_RH0, IPSettings:IP6OPT_RH2 and IPSettings:IP6OPT_RHOther settings can be changed to control the gateway's behavior for packets with routing headers. The IPv6 specifications states
that unknown routing headers should be rejected or accepted depending on the value of the segments left field in the routing
header.
2.28.41. [ID: 531] Received Routing Header option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Received Routing Header option.
- Default Log Severity
- Notice
- Parameters
- type, segmentsleft, flow, pkt, user, userid
- Explanation
- An IPv6 packet carrying a Routing Header of type type and segments left value of segmentsleft was allowed since all routes provided in the packet had been processed and the packet was heading for its final destination.
- Gateway Action
- Allow
- Action Description
- Packet was allowed since segments field was zero
- Proposed Action
- The IPSettings:IP6OPT_RH0, IPSettings:IP6OPT_RH2 and IPSettings:IP6OPT_RHOther settings can be changed to control the gateway's behavior for packets with routing headers. The IPv6 specifications states
that unknown routing headers should be rejected or accepted depending on the value of the segments left field in the routing
header.
2.28.42. [ID: 363] Received Routing Header option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Received Routing Header option.
- Default Log Severity
- Warning
- Parameters
- type, segmentsleft, flow, pkt, user, userid
- Explanation
- An IPv6 packet carrying a Routing Header of type type and segments left value of segmentsleft was rejected since all routes provided in the packet had not been processed.
- Gateway Action
- Reject
- Action Description
- Packet was rejected since segments field was non-zero
- Proposed Action
- The IPSettings:IP6OPT_RH0, IPSettings:IP6OPT_RH2 and IPSettings:IP6OPT_RHOther settings can be changed to control the gateway's behavior for packets with routing headers. The IPv6 specifications states
that unknown routing headers should be rejected or accepted depending on the value of the segments left field in the routing
header.
2.28.43. [ID: 578] IPv6 option extension header overflow
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- IPv6 option extension header overflow.
- Default Log Severity
- Warning
- Parameters
- exthdr, option, optlen, avail, flow, pkt, user, userid
- Explanation
- An option option within an extension header of type exthdr, claimed to be larger than the size of the extension header. The extension headers and options within an IPv6 packet must
be properly formatted so that routers and receivers can deliver and process the packet.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- If the packet sender is one of your network devices, investigate why the unit is sending malformed IP options.
2.28.44. [ID: 562] IPv6 option extension header overflow
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- IPv6 option extension header overflow.
- Default Log Severity
- Warning
- Parameters
- exthdr, option, avail, flow, pkt, user, userid
- Explanation
- An option option within an extension header of type exthdr, could not be processed since the available length within the extension header was less then the minimum required length
of 2 bytes.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- If the packet sender is one of your network devices, investigate why the unit is sending malformed IP options.
2.28.45. [ID: 439] IP data is larger than the maximum allowed[...]
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- IP data is larger than the maximum allowed size.
- Default Log Severity
- Warning
- Parameters
- ipproto, maxlen, paylen, pkt
- Explanation
- Total IP payload is larger than the maximum allowed size for the given protocol. For fragmented traffic this is the size of
the reassembled payload, otherwise it is the data portion of one single packet. Extension headers do not count as part of
the IP payload.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- If the network supports packets of this size (and this is a desired property of the network), modify the size limit settings
(LengthLimSettings:MaxTCPLen, LengthLimSettings:MaxUDPLen, LengthLimSettings:MaxICMPLen, LengthLimSettings:MaxGRELen, LengthLimSettings:MaxESPLen, LengthLimSettings:MaxAHLen, LengthLimSettings:MaxSKIPLen, LengthLimSettings:MaxOSPFLen, LengthLimSettings:MaxIPIPLen, LengthLimSettings:MaxIPCompLen, LengthLimSettings:MaxL2TPLen and LengthLimSettings:MaxOtherSubIPLen) accordingly. This log message can be turned off by modifying the LengthLimSettings:LogOversizedPackets setting.
2.28.46. [ID: 1012] Packet too big
- Log Categories
- IPV6,STATELESS,PMTU
- Log Message
- Packet too big.
- Default Log Severity
- Information
- Parameters
- mtu, iplen, flow, pkt, user, userid
- Explanation
- Packet was rejected in accordance with RFC 1191, since it was larger (iplen bytes) than the next-hop MTU (mtu bytes).
- Gateway Action
- Reject
- Action Description
- An ICMP error packet too big was returned to the sender
- Proposed Action
- This is a normal part of the path-MTU discovery process. In the unlikely case where the path-MTU discovery process is becoming
a performance bottleneck, consider manually modifying the next-hop MTU.
2.28.47. [ID: 1013] Packet too big
- Log Categories
- IPV6,STATELESS,PMTU
- Log Message
- Packet too big.
- Default Log Severity
- Warning
- Parameters
- mtu, iplen, flow, pkt, user, userid
- Explanation
- Packet was dropped because it was too large (iplen bytes) in order to be properly forwarded to the next hop (with an MTU of mtu bytes). No ICMP error (packet too big) was sent to the source to notify about this condition. Most likely the upper limit
of ICMP errors per second had been reached, but this can also be a sign of severe resource starvation. This breaks proper
path-MTU discovery as described by RFC 1981 and may cause network malfunction.
- Gateway Action
- Drop
- Action Description
- Packet was silently lost; the system failed to send an ICMP error.
- Proposed Action
- Review the upper limit of ICMP errors per second (ICMPSettings:ICMPSendPerSecLimit) to see if there is a bottleneck. While not being the preferred solution, a workaround may be to manually update the next-hop
MTU at certain routes.
2.28.48. [ID: 656] Reserved bits in fragment header are non-zero
- Log Categories
- IPV6,FRAG,STATELESS,VALIDATE
- Log Message
- Reserved bits in fragment header are non-zero.
- Default Log Severity
- Warning
- Parameters
- value, offset, pktlen, pkt
- Explanation
- The IPv6 fragment header contains two reserved bits (third and second LSB of the fragment offset field). The IPv6 RFC 2460
states that these bits should be initialized to zero and ignored by all parts (including firewalls and routers). In this particular
case the bits were non-zero.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- While not RFC 2460 compliant, we recommend adjusting the setting FragSettings:IP6ResvBitFrags to 'strip' or 'striplog' in order to prevent information leakage.
2.28.49. [ID: 660] Reserved bits in fragment header are non-zero
- Log Categories
- IPV6,FRAG,STATELESS,VALIDATE
- Log Message
- Reserved bits in fragment header are non-zero.
- Default Log Severity
- Warning
- Parameters
- value, offset, pktlen, pkt
- Explanation
- The IPv6 fragment header contains two reserved bits (third and second LSB of the fragment offset field). The IPv6 RFC 2460
states that these bits should be initialized to zero and ignored by all parts (including firewalls and routers). In this particular
case the bits were non-zero.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- This log message is controlled by the setting FragSettings:IP6ResvBitFrags.
2.28.50. [ID: 650] Reserved bits in fragment header are non-zero
- Log Categories
- IPV6,FRAG,STATELESS,VALIDATE
- Log Message
- Reserved bits in fragment header are non-zero.
- Default Log Severity
- Warning
- Parameters
- value, offset, pktlen, pkt
- Explanation
- The IPv6 fragment header contains two reserved bits (third and second LSB of the fragment offset field). The IPv6 RFC 2460
states that these bits should be initialized to zero and ignored by all parts (including firewalls and routers). In this particular
case the bits were non-zero.
- Gateway Action
- Strip
- Action Description
- None
- Proposed Action
- This log message is controlled by the setting FragSettings:IP6ResvBitFrags.
2.28.51. [ID: 658] Reserved field in fragment header is non-zero
- Log Categories
- IPV6,FRAG,STATELESS,VALIDATE
- Log Message
- Reserved field in fragment header is non-zero.
- Default Log Severity
- Warning
- Parameters
- value, offset, pktlen, pkt
- Explanation
- The IPv6 fragment header contains a reserved field where all other IPv6 extension headers would contain a size field. The
IPv6 RFC 2460 states that this field should be initialized to zero (which incidentally is what it would be if it had been
a size field), and ignored by all parts (including firewalls and routers). In this particular case this field was non-zero.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- While not RFC 2460 compliant, we recommend adjusting the setting FragSettings:IP6ResvFldFrags to 'strip' or 'striplog' in order to prevent information leakage and/or software malfunction.
2.28.52. [ID: 648] Reserved field in fragment header is non-zero
- Log Categories
- IPV6,FRAG,STATELESS,VALIDATE
- Log Message
- Reserved field in fragment header is non-zero.
- Default Log Severity
- Warning
- Parameters
- value, offset, pktlen, pkt
- Explanation
- The IPv6 fragment header contains a reserved field where all other IPv6 extension headers would contain a size field. The
IPv6 RFC 2460 states that this field should be initialized to zero (which incidentally is what it would be if it had been
a size field), and ignored by all parts (including firewalls and routers). In this particular case this field was non-zero.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- This log message is controlled by the setting FragSettings:IP6ResvFldFrags.
2.28.53. [ID: 645] Reserved field in fragment header is non-zero
- Log Categories
- IPV6,FRAG,STATELESS,VALIDATE
- Log Message
- Reserved field in fragment header is non-zero.
- Default Log Severity
- Warning
- Parameters
- value, offset, pktlen, pkt
- Explanation
- The IPv6 fragment header contains a reserved field where all other IPv6 extension headers would contain a size field. The
IPv6 RFC 2460 states that this field should be initialized to zero (which incidentally is what it would be if it had been
a size field), and ignored by all parts (including firewalls and routers). In this particular case this field was non-zero.
- Gateway Action
- Strip
- Action Description
- None
- Proposed Action
- This log message is controlled by the setting FragSettings:IP6ResvFldFrags.
2.28.54. [ID: 508] Fragment truncated at L3 header
- Log Categories
- IPV6,FRAG,STATELESS,VALIDATE
- Log Message
- Fragment truncated at L3 header.
- Default Log Severity
- Warning
- Parameters
- exthdr, offset, pktlen, pkt, rule
- Explanation
- A first fragment was received, but a L4 header was not included inside. The fragment is truncated in the middle of an IPv6
extension header.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- First fragments that do not include the L4 header are considered a security threat. Examine why this kind of message have
been sent. This log message can be disabled by the IPSettings:LogNonIP4 setting.
2.28.55. [ID: 358] Packet truncated at L3 header
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Packet truncated at L3 header.
- Default Log Severity
- Warning
- Parameters
- exthdr, offset, pktlen, pkt
- Explanation
- The received message is either too small to contain the IPv6 header itself, or it is too small to contain an expected extension
header.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed
packets. This log message can be disabled by the IPSettings:LogNonIP4 setting.
2.28.56. [ID: 158] Non-zero IP Traffic Class field
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Non-zero IP Traffic Class field.
- Default Log Severity
- Notice
- Parameters
- value, flow, pkt, user, userid
- Explanation
- The IPv6 Traffic Class field in the IPv6 header was non-zero. The Traffic Class field may be used by Differentiated Services
to group traffic into different traffic classes.
- Gateway Action
- Allow
- Action Description
- None
- Proposed Action
- The IPSettings:TrafficClass setting can be changed to control the gateway's behavior for packets with non-zero Traffic Class fields .
2.28.57. [ID: 585] Non-zero IP Traffic Class field
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Non-zero IP Traffic Class field.
- Default Log Severity
- Warning
- Parameters
- value, flow, pkt, user, userid
- Explanation
- The IPv6 Traffic Class field in the IPv6 header was non-zero. The Traffic Class field may be used by Differentiated Services
to group traffic into different traffic classes.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The IPSettings:TrafficClass setting can be changed to control the gateway's behavior for packets with non-zero Traffic Class fields .
2.28.58. [ID: 284] Non-zero IP Traffic Class field
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Non-zero IP Traffic Class field.
- Default Log Severity
- Warning
- Parameters
- value, flow, pkt, user, userid
- Explanation
- The IPv6 Traffic Class field in the IPv6 header was non-zero. The Traffic Class field may be used by Differentiated Services
to group traffic into different traffic classes.
- Gateway Action
- Strip
- Action Description
- None
- Proposed Action
- The IPSettings:TrafficClass setting can be changed to control the gateway's behavior for packets with non-zero Traffic Class fields .
2.28.59. [ID: 489] Hop Limit is zero
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Hop Limit is zero.
- Default Log Severity
- Warning
- Parameters
- flow, pkt, user, userid
- Explanation
- An IPv6 packet with a Hop Limit value of zero was received and dropped. Transmission of IPv6 packets with a Hop Limit value
of zero violates the IP specification and should be dropped.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- This log message can be disabled by the IPSettings:LogReceivedTTL0 setting.
2.28.60. [ID: 408] HopLimit reached
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- HopLimit reached.
- Default Log Severity
- Warning
- Parameters
- flow, pkt, user, userid
- Explanation
- An IPv4 packet with a TTL=1 was received. The packet was to be forwarded, at which point TTL reached zero and the packet had
to be dropped.
- Gateway Action
- Drop
- Action Description
- The packet has been dropped.
- Proposed Action
- This log message is only possible when IPSettings:TTLMin is set to 1. Whether to log and/or reject can be controlled by the MiscSettings:TTL0OnFwd setting.
2.28.61. [ID: 295] HopLimit reached
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- HopLimit reached.
- Default Log Severity
- Warning
- Parameters
- flow, pkt, user, userid
- Explanation
- An IPv4 packet with a TTL=1 was received. The packet was to be forwarded, at which point TTL reached zero and the packet had
to be dropped.
- Gateway Action
- Drop
- Action Description
- The packet has been dropped.
- Proposed Action
- This log message is only possible when IPSettings:TTLMin is set to 1. Whether to log and/or reject can be controlled by the MiscSettings:TTL0OnFwd setting.
2.28.62. [ID: 148] Hop Limit too low
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Hop Limit too low.
- Default Log Severity
- Notice
- Parameters
- value, min, flow, pkt, user, userid
- Explanation
- An IPv6 packet with a Hop Limit value equal or less than the configured minimum value was detected.
- Gateway Action
- Allow
- Action Description
- None
- Proposed Action
- The Hop Limit value should be larger than 3 to prevent a user to map routers behind the firewall, i.e. firewalking. In order
to support trace-route applications, the IPSettings:TTLMin value needs to be set to 1.
2.28.63. [ID: 402] Hop Limit too low
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Hop Limit too low.
- Default Log Severity
- Warning
- Parameters
- value, min, flow, pkt, user, userid
- Explanation
- An IPv6 packet with a Hop Limit value equal or less than the configured minimum value was detected.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The Hop Limit value should be larger than 3 to prevent a user to map routers behind the firewall, i.e. firewalking. In order
to support trace-route applications, the IPSettings:TTLMin value needs to be set to 1.
2.28.64. [ID: 453] Hop Limit too low
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Hop Limit too low.
- Default Log Severity
- Warning
- Parameters
- value, min, flow, pkt, user, userid
- Explanation
- An IPv6 packet with a Hop Limit value equal or less than the configured minimum value was detected.
- Gateway Action
- Reject
- Action Description
- None
- Proposed Action
- The Hop Limit value should be larger than 3 to prevent a user to map routers behind the firewall, i.e. firewalking. In order
to support trace-route applications, the IPSettings:TTLMin value needs to be set to 1.
2.28.65. [ID: 118] Fragment truncated at L4 header
- Log Categories
- IPV6,FRAG,STATELESS,VALIDATE
- Log Message
- Fragment truncated at L4 header.
- Default Log Severity
- Warning
- Parameters
- ipproto, offset, pktlen, pkt, rule
- Explanation
- A first fragment was received. The fragment claims to contain an L4 header but the fragment is too short to contain a header
of the specific protocol.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed
packets. This log message can be disabled by the IPSettings:LogNonIP4 setting.
2.28.66. [ID: 125] Header payload in fragment is truncated
- Log Categories
- IPV6,FRAG,STATELESS,VALIDATE
- Log Message
- Header payload in fragment is truncated.
- Default Log Severity
- Warning
- Parameters
- exthdr, offset, hdrlen, pktlen, pkt, rule
- Explanation
- A first fragment was received, but a L4 header was not included inside. The fragment is truncated in the middle of an IPv6
extension headers payload.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed
packets. This log message can be disabled by the IPSettings:LogNonIP4 setting.
2.28.67. [ID: 294] Header payload is truncated
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Header payload is truncated.
- Default Log Severity
- Warning
- Parameters
- exthdr, offset, hdrlen, pktlen, pkt
- Explanation
- The received message is too small to contain the full payload of an IPv6 extension header.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed
packets. This log message can be disabled by the IPSettings:LogNonIP4 setting.
2.28.68. [ID: 415] Packet truncated at L4 header
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Packet truncated at L4 header.
- Default Log Severity
- Warning
- Parameters
- ipproto, offset, pktlen, pkt
- Explanation
- The received packet is too short to contain an L4 header of the protocol in question.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed
packets. This log message can be disabled by the IPSettings:LogNonIP4 setting.
2.28.69. [ID: 523] IPv6 payload is truncated
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- IPv6 payload is truncated.
- Default Log Severity
- Warning
- Parameters
- paylen, size, pkt
- Explanation
- The IPv6 header claim that the packet is paylen bytes large (the value logged includes the size of the IPv6 header), but only size bytes of data have been received.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed
packets. This log message can be disabled by the IPSettings:LogNonIP4 setting.
2.28.70. [ID: 1025] Unrecognized IPv6 next header
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Unrecognized IPv6 next header. Dropping.
- Default Log Severity
- Warning
- Parameters
- exthdr, offset, flow, pkt, user, userid
- Explanation
- A packet with unrecognized IPv6 Next Header was received and dropped.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- None
2.28.71. [ID: 1024] Unrecognized IPv6 next header
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Unrecognized IPv6 next header. Rejecting.
- Default Log Severity
- Warning
- Parameters
- exthdr, offset, flow, pkt, user, userid
- Explanation
- A packet with unrecognized IPv6 Next Header was received and rejected.
- Gateway Action
- Reject
- Action Description
- None
- Proposed Action
- None
2.28.72. [ID: 511] Adjacent PAD option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Adjacent PAD option.
- Default Log Severity
- Warning
- Parameters
- exthdr, option, prevoption, flow, pkt, user, userid
- Explanation
- IPv6 extension headers and options are aligned by PAD fields to minimize the amount of CPU resources needed by network elements
to process IPv6 packets. Multiple adjacent PAD1 or PADN options can be used for denial-of-service attacks by forcing network
elements to process an unnecessary amount of PAD options.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The IPSettings:IP6ValidateSyntax setting can be changed to control the gateway's validation of IPv6 headers.
2.28.73. [ID: 598] Unaligned IPv6 option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Unaligned IPv6 option.
- Default Log Severity
- Warning
- Parameters
- option, offset, flow, pkt, user, userid
- Explanation
- IPv6 extension headers and options should according to IPv6 specifications be aligned at certain offsets within a packet to
minimize the amount of CPU resources needed by network elements to process IPv6 packets. The option option was found not to be properly aligned.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The IPSettings:IP6ValidateSyntax setting can be changed to control the gateway's validation of IPv6 headers.
2.28.74. [ID: 277] Fragment with invalid extension header
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Fragment with invalid extension header.
- Default Log Severity
- Warning
- Parameters
- exthdr, flow, pkt, user, userid
- Explanation
- According to the IPv6 specification, some extension headers are not allowed to be present in fragmented IPv6 packets.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The IPSettings:IP6ValidateSyntax setting can be changed to control the gateway's validation of IPv6 headers.
2.28.75. [ID: 610] Out of scope option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Out of scope option.
- Default Log Severity
- Warning
- Parameters
- exthdr, option, flow, pkt, user, userid
- Explanation
- The IPv6 option found in the extension header is according to the IPv6 specification not allowed to be used within the processed
header.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- If the packet sender is one of your network devices, investigate why the unit is sending malformed IP options.
2.28.76. [ID: 110] Repeated extension header
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Repeated extension header.
- Default Log Severity
- Warning
- Parameters
- exthdr, flow, pkt, user, userid
- Explanation
- Some extension headers are according to the IPv6 specifications only allowed to occur once within each IPv6 packet. The extension
header exthdr occurred more than once within this packet.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The IPSettings:IP6ValidateSyntax setting can be changed to control the gateway's validation of IPv6 headers.
2.28.77. [ID: 311] Repeated option
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- Repeated option.
- Default Log Severity
- Warning
- Parameters
- option, flow, pkt, user, userid
- Explanation
- Some options are according to the IPv6 specifications only allowed to occur once within each IPv6 packet. The option option occurred more than once within this packet.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The IPSettings:IP6ValidateSyntax setting can be changed to control the gateway's validation of IPv6 headers.
2.28.78. [ID: 567] IPv6 Too large PADN
- Log Categories
- IPV6,STATELESS,VALIDATE
- Log Message
- IPv6 Too large PADN.
- Default Log Severity
- Warning
- Parameters
- len, maxlen, flow, pkt, user, userid
- Explanation
- IPv6 extension headers and options are aligned by PAD fields to minimize the amount of CPU resources needed by network elements
to process IPv6 packets. It is however possible to overuse the PADN options with the purpose of consuming CPU resources.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The IPSettings:IP6ValidateSyntax setting can be changed to control the gateway's validation of IPv6 headers.
cOS Stream 4.00.03 Log Reference Guide
