These log messages refer to the NDP category.
2.32.1. [ID: 165] Advertisement delayed
- Log Categories
- NDP,SYSTEM
- Log Message
- Advertisement delayed.
- Default Log Severity
- Warning
- Parameters
- ip, destip, desthw, iface
- Explanation
- Replies to address resolution requests have been put under rate limit and an advertisement to destip has been put on hold. This may in the pathological case prevent new hosts from establishing communication with the firewall.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- Review the NDSettings:NDMaxResolvReply setting and consider increasing it. Whether to log this event is controlled by the NDSettings:NDLogRatelimitDelay setting.
2.32.2. [ID: 184] Advertisement for static entry
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Advertisement for static entry.
- Default Log Severity
- Warning
- Parameters
- knownhw, srchw, srcip, destip, targetip, iface, pkt
- Explanation
- A Neighbor Advertisement message for a statically configured IP has been received, but the message advertised a different L2 address than what has been configured. Note that messages with the "override" flag cleared are not logged.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- First make sure that the statically configured L2 address is correct. If it is, then this is very likely an attack trying to re-route network traffic. The attacker must have access to a machine attached to the network in question, so take note of the srchw parameter. In order for traffic hijacking to work using this attack, this parameter must point at a compromised machine. Denial of service can be achieved by using a non-existing address. Whether to log this event is controlled by the NDSettings:StaticNDChanges setting.
2.32.3. [ID: 1719] Anycast address ignored
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Anycast address ignored.
- Default Log Severity
- Information
- Parameters
- knownhw, srchw, srcip, destip, targetip, iface, pkt
- Explanation
- While trying to resolve targetip, at least one anycast reply has been ignored.
- Gateway Action
- Ignore
- Action Description
- None
- Proposed Action
- None
2.32.4. [ID: 179] Unknown ICMP code
- Log Categories
- NDP,STATELESS,VALIDATE
- Log Message
- Unknown ICMP code.
- Default Log Severity
- Warning
- Parameters
- srchw, srcip, code, iface, pkt
- Explanation
- An ND message with an unknown ICMP code was received. The gateway is currently implementing ND according to RFC 4861, and does not know how to handle this type of message.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- This log message can be turned off with the NDSettings:NDValidation setting.
2.32.5. [ID: 569] Illegal option size
- Log Categories
- NDP,STATELESS,VALIDATE
- Log Message
- Illegal option size.
- Default Log Severity
- Warning
- Parameters
- srchw, srcip, destip, targetip, type, expectlen, len, iface, pkt
- Explanation
- An ND message with a broken option has been received. The option size is incorrect for the given option type.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- This log message can be turned off with the NDSettings:NDValidation setting.
2.32.6. [ID: 276] Forged reply
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Forged reply.
- Default Log Severity
- Warning
- Parameters
- knownhw, srchw, srcip, destip, targetip, iface, pkt
- Explanation
- An ND message has been received with the "solicitation" and "override" flags set, but the gateway never asked for it (so it is not solicited). Additionally, it carries a new target HW address. This can be a lingering reply for something that we have already resolved, but it is more likely a direct attempt to modify the neighbor cache.
- Gateway Action
- Drop
- Action Description
- The ND message has been dropped
- Proposed Action
- Take note of the srchw parameter. Identify that machine/user on the network and make sure that it is not compromised. Note that a seasoned attacker would spoof the HW sender. The machine or user pointed out by the sender address may be "innocent" in the case of an attack. Make sure that an appropriate value is used for the NDSettings:NDChanges setting.
2.32.7. [ID: 1714] Confusing reply
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Confusing reply.
- Default Log Severity
- Warning
- Parameters
- knownhw, srchw, srcip, destip, targetip, iface, pkt
- Explanation
- The system has, during IP targetip address resolution, received multiple different replies with conflicting link-layer options within the span of NDSettings:NDVerifyTimer seconds. In other words, there is an address conflict in the local network. The link-layer information has been updated to that of the second reply.
- Gateway Action
- Replace
- Action Description
- None
- Proposed Action
- Review the network. IPv6 allows multiple devices to share the same IP, but only when specifically configured for this purpose. In this case not all devices appear to have been configured as such, though a possibility is also that a device has been replaced or modified. Whether to log this event or not is controlled by NDSettings:NDValidation, but the actual decision to select either the first or the second conflicting reply is taken at random. This behavior can be disabled by setting NDSettings:NDVerifyTimer to zero, in which case conflicting replies will be handled in accordance with the NDSettings:NDChanges setting.
2.32.8. [ID: 1720] Confusing reply
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Confusing reply.
- Default Log Severity
- Warning
- Parameters
- knownhw, srchw, srcip, destip, targetip, iface, pkt
- Explanation
- The system has, during IP targetip address resolution, received multiple different replies with conflicting link-layer options within the span of NDSettings:NDVerifyTimer seconds. In other words, there is an address conflict in the local network. The link-layer information used is that of the first reply.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Review the network. IPv6 allows multiple devices to share the same IP, but only when specifically configured for this purpose. In this case not all devices appear to have been configured as such, though a possibility is also that a device has been replaced or modified. Whether to log this event or not is controlled by NDSettings:NDValidation, but the actual decision to select either the first or the second conflicting reply is taken at random. This behavior can be disabled by setting NDSettings:NDVerifyTimer to zero, in which case conflicting replies will be handled in accordance with the NDSettings:NDChanges setting.
2.32.9. [ID: 1718] Confusing solicitation HW address
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Confusing solicitation HW address.
- Default Log Severity
- Warning
- Parameters
- knownhw, srchw, srcip, destip, targetip, iface, pkt
- Explanation
- The system has received a solicitation request with a conflicting link-layer option, for the address targetip. The conflict was seen either while performing address resolution (in which case we have already received advertisements for the destination with a different link-layer address), while probing the address (in which case we have an old link-layer destination known from the past), or while actively replying to dead-peer probes from another link-layer address (on behalf of the same IP). The system deemed the old information to be more trustworthy than the one found in the solicitation, and while a reply has been sent to the supplied link-layer addresses, no local information has been updated.
- Gateway Action
- Ignore
- Action Description
- None
- Proposed Action
- Apart from the fact that the conflict has been seen in a very specific time interval (which may happen by coincidence), the event in itself has very limited relevance. Review the network if this is a recurring phenomenon, or if it happens in conjunction with other suspicious activity. The behavior of the system is controlled by a combination of NDSettings:NDVerifyTimer and NDSettings:NDChanges. IPv6 allows multiple devices to share the same IP, but only when specifically configured for this purpose. In this case not all devices appear to have been configured as such, though a possibility is also that a device has been replaced or modified.
2.32.10. [ID: 1717] Confusing solicitation HW address
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Confusing solicitation HW address.
- Default Log Severity
- Warning
- Parameters
- knownhw, srchw, srcip, destip, targetip, iface, pkt
- Explanation
- The system has received a solicitation request with a conflicting link-layer option, for the address targetip. The system has been updated to use the supplied link-layer information. This only happens when NDSettings:NDChanges is set to accept all link-layer updates.
- Gateway Action
- Replace
- Action Description
- None
- Proposed Action
- Apart from the fact that the conflict has been seen in a very specific time interval (which may happen by coincidence), the event in itself has very limited relevance. Review the network if this is a recurring phenomenon, or if it happens in conjunction with other suspicious activity. The behavior of the system is controlled by a combination of NDSettings:NDVerifyTimer and NDSettings:NDChanges. IPv6 allows multiple devices to share the same IP, but only when specifically configured for this purpose. In this case not all devices appear to have been configured as such, though a possibility is also that a device has been replaced or modified.
2.32.11. [ID: 226] DAD reply delayed
- Log Categories
- NDP,SYSTEM
- Log Message
- DAD reply delayed.
- Default Log Severity
- Warning
- Parameters
- ip, desthw, iface
- Explanation
- Replies to Duplicate Address probes have been put under rate limit. The system might not be able to prevent the IP ip from being used by desthw.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- Review the NDSettings:NDMaxDupReply setting and consider increasing it. Whether to log this event is controlled by the NDSettings:NDLogRatelimitDelay setting.
2.32.12. [ID: 153] Received DAD probe
- Log Categories
- NDP
- Log Message
- Received DAD probe.
- Default Log Severity
- Information
- Parameters
- srchw, srcip, destip, targetip, iface, pkt
- Explanation
- Another host or server on the network is sending a Duplicate Address Probe to detect if the IP address targetip is not used by another device. The IP is used by the gateway and the probing host will be notified.
- Gateway Action
- None
- Action Description
- This message will not be used by the system, though an answer will be sent to the srchw address
- Proposed Action
- This log message can be turned off with the NDSettings:StaticNDChanges setting.
2.32.13. [ID: 462] Duplicated option
- Log Categories
- NDP,STATELESS,VALIDATE
- Log Message
- Duplicated option.
- Default Log Severity
- Warning
- Parameters
- srchw, srcip, destip, targetip, iface, pkt
- Explanation
- Two (or more) source link-layer options containing different data were found.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- This log message can be turned off with the NDSettings:NDValidation setting.
2.32.14. [ID: 430] Duplicated option
- Log Categories
- NDP,STATELESS,VALIDATE
- Log Message
- Duplicated option.
- Default Log Severity
- Warning
- Parameters
- srchw, srcip, destip, targetip, iface, pkt
- Explanation
- Two (or more) target link-layer options containing different data were found.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- This log message can be turned off with the NDSettings:NDValidation setting.
2.32.15. [ID: 552] ND hop limit reached
- Log Categories
- NDP,STATELESS,VALIDATE
- Log Message
- ND hop limit reached.
- Default Log Severity
- Warning
- Parameters
- srchw, srcip, destip, targetip, count, iface, pkt
- Explanation
- The hop-limit of an ND message is hardcoded to 255. The idea is to prevent these messages from being routed.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Make sure that no router in the network is accidentally forwarding ND messages.
2.32.16. [ID: 1715] HW source inconsistent with static IP
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- HW source inconsistent with static IP.
- Default Log Severity
- Warning
- Parameters
- knownhw, newhw, srcip, destip, targetip, iface, pkt
- Explanation
- This concerns a static IP entry. The system has received solicitation requests on behalf of srcip, but with conflicting source link-layer information. The solicitation is sent from newhw but the configuration expects this to be knownhw. This log message is not generated for solicitations from an anycast (alternative) IP.
- Gateway Action
- Ignore
- Action Description
- The system replied to the solicitation, but did not register srchw as the HW source of srcip.
- Proposed Action
- Review the network, the configuration may have to be updated.
2.32.17. [ID: 1723] HW source inconsistent with static IP
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- HW source inconsistent with static IP.
- Default Log Severity
- Warning
- Parameters
- knownhw, newhw, srcip, destip, targetip, iface, pkt
- Explanation
- This concerns a static IP entry. The system has received solicitation requests on behalf of srcip, but with conflicting source link-layer information. The solicitation is sent from newhw but the configuration expects this to be knownhw. This log message is not generated for solicitations from an anycast (alternative) IP.
- Gateway Action
- Drop
- Action Description
- The system will not process this solicitation any further, and no response will be sent.
- Proposed Action
- Review the network, the configuration may have to be updated.
2.32.18. [ID: 434] Linklayer option contains multicast address
- Log Categories
- NDP,STATELESS,VALIDATE
- Log Message
- Linklayer option contains multicast address.
- Default Log Severity
- Warning
- Parameters
- srchw, srcip, destip, targetip, type, hwaddr, iface, pkt
- Explanation
- At least one link-layer address option was found to contain a multicast address. This is illegal, and a known denial-of-service attack.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Take note of the HW sender (the srchw parameter). Identify the machine/user on the network and make sure that it is not compromised. Note that a seasoned attacker would spoof the HW sender (the machine or user pointed out by the sender address may be "innocent" in the case of an attack). This log message can be turned off with the NDSettings:NDValidation setting.
2.32.19. [ID: 454] Dead peer probe answered with multicast[...]
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Dead peer probe answered with multicast message.
- Default Log Severity
- Warning
- Parameters
- knownhw, srchw, srcip, destip, targetip, iface, pkt
- Explanation
- The system has sent a dead peer probe to a previously resolved IP, and received a multicast answer. This is an illegal response.
- Gateway Action
- Drop
- Action Description
- The packet has been dropped and will not be considered an answer for the dead peer probe
- Proposed Action
- Whether to log this event or not is controlled by the NDSettings:NDValidation setting. The packet is considered invalid, so it will be dropped regardless of the setting. Examine the network to see why such a response was sent.
2.32.20. [ID: 619] Multicast target
- Log Categories
- NDP,STATELESS,VALIDATE
- Log Message
- Multicast target.
- Default Log Severity
- Warning
- Parameters
- srchw, srcip, destip, targetip, iface, pkt
- Explanation
- An ND message with a multicast target IP. This is illegal.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- This log message can be turned off with the NDSettings:NDValidation setting.
2.32.21. [ID: 574] Neighbor cache updated with new HW address
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Neighbor cache updated with new HW address.
- Default Log Severity
- Warning
- Parameters
- knownhw, newhw, srcip, destip, targetip, iface, pkt
- Explanation
- The L2 (hardware) address of the given target IP has been updated by an ND message. The setting NDSettings:NDChanges is currently in a mode to accept any advertised changes to L2 data, allowing data traffic to adjust very quickly to topological changes of the network (at the expense of certain vulnerabilities).
- Gateway Action
- Allow
- Action Description
- None
- Proposed Action
- Accepting any advertised changes to L2 data will open up for a number of exploits (including crude denial-of-service, eavesdropping and more sophisticated router hijacking attacks). Consider changing the NDSettings:NDChanges setting to FavourOld or FavourOldLog, to allow for a more moderate acceptance of new L2 information.
2.32.22. [ID: 330] New HW address advertised for resolved IP
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- New HW address advertised for resolved IP.
- Default Log Severity
- Warning
- Parameters
- knownhw, newhw, srcip, destip, targetip, iface, pkt
- Explanation
- An ND message tried to update the L2 (hardware) address of the given target IP. The packet has been dropped because the setting NDSettings:NDChanges is currently in a mode to drop any such packet.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The current setting does not allow updates to known L2 information at all. This gives little extra security (and can in fact be exploited for subtle denial-of-service attacks). Consider adding known L2 addresses as 'static' ND entries instead.
2.32.23. [ID: 418] New HW address advertised for resolved IP
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- New HW address advertised for resolved IP.
- Default Log Severity
- Notice
- Parameters
- knownhw, newhw, srcip, destip, targetip, iface, pkt
- Explanation
- An ND message tried to update the L2 (hardware) address of the given target IP. The old L2 address will be probed to see if it is still alive, in which case the new L2 address will be discarded. If no answer is received, the new address will be accepted.
- Gateway Action
- Ignore
- Action Description
- The ND message has been acknowledged, but was not allowed to update the current L2 information
- Proposed Action
- If the current behavior is not desired, modify the NDSettings:NDChanges setting accordingly.
2.32.24. [ID: 211] Advertisement from the Unknown Address
- Log Categories
- NDP,STATELESS,VALIDATE
- Log Message
- Advertisement from the Unknown Address.
- Default Log Severity
- Warning
- Parameters
- srchw, srcip, destip, targetip, iface, pkt
- Explanation
- A neighbor advertisement message has been received from the "unknown address" (the all zeroes address). This is illegal.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Examine why this kind of advertisement has been sent. Whether to log this event or not is controlled by the NDSettings:NDValidation setting.
2.32.25. [ID: 195] No target route for packet
- Log Categories
- NDP,RULE
- Log Message
- No target route for packet.
- Default Log Severity
- Warning
- Parameters
- srchw, srcip, destip, targetip, iface, pkt
- Explanation
- An ND message targeted to the IP targetip was received via interface iface, but there is no route from this interface to this address.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Make sure that the route is not disabled, or that it is not "shadowed" by a default route. Examine all dynamic values (in all routes), including OSPF-managed routes, network prefixes from ND Router Advertisements and gateways from DHCP-leases. This log message can be turned off with the NDSettings:NDValidation setting.
2.32.26. [ID: 599] No source route for packet
- Log Categories
- NDP,RULE
- Log Message
- No source route for packet.
- Default Log Severity
- Warning
- Parameters
- srchw, srcip, destip, targetip, iface, pkt
- Explanation
- An ND message was received from the source IP srcip via interface iface, but there is no route to this address via that interface.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Make sure that the route is not disabled, or that it is not "shadowed" by a default route. Examine all dynamic values (in all routes), including OSPF-managed routes, network prefixes from ND Router Advertisements and gateways from DHCP-leases. This log message can be turned off with the NDSettings:NDValidation setting.
2.32.27. [ID: 107] Reply without target link-layer option
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Reply without target link-layer option.
- Default Log Severity
- Warning
- Parameters
- knownhw, srchw, srcip, destip, targetip, iface, pkt
- Explanation
- The system is trying to resolve targetip. An answer has been received, but the answer did not include an L2 address and was thus useless.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Examine why this kind of advertisement has been sent. Whether to log this event or not is controlled by the NDSettings:NDValidation setting.
2.32.28. [ID: 1716] Noisy reply
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Noisy reply.
- Default Log Severity
- Warning
- Parameters
- knownhw, srchw, srcip, destip, targetip, iface, pkt
- Explanation
- While trying to resolve targetip, multiple non-anycast replies were received for the same L2 address knownhw within a short timespan. While not a problem in itself, it is considered suspicious behavior.
- Gateway Action
- Adjust
- Action Description
- None
- Proposed Action
- Examine where the duplicate advertisements are coming from. Ideally an ND solicitation should never result in duplicate advertisements since the messages are link-local. A device could deliberately be sending multiple replies in order to try and direct address resolution away from the ordinary source, either for malicious or valid purposes. An example of a valid use would be HA failover. The NDSettings:NDNoiseThreshold defines how many replies (not counting anycast replies) are required in order to be considered noisy, during the timespan defined by NDSettings:NDVerifyTimer. Whether to log this event or not is controlled by the NDSettings:NDValidation setting.
2.32.29. [ID: 309] Linklayer option does not match HW sender
- Log Categories
- NDP,STATELESS,VALIDATE
- Log Message
- Linklayer option does not match HW sender.
- Default Log Severity
- Warning
- Parameters
- srchw, srcip, destip, targetip, option, iface, pkt
- Explanation
- An ND message was received with a link-layer address option that did not match the HW sender address found in the L2 header.
- Gateway Action
- Drop
- Action Description
- The packet has been dropped and will not be further processed
- Proposed Action
- The advanced setting NDSettings:NDMatchL2Sender can be adjusted in order to control how the gateway will respond to mismatched link-layer options and the address found in the L2 header.
2.32.30. [ID: 120] Linklayer option does not match HW sender
- Log Categories
- NDP,STATELESS,VALIDATE
- Log Message
- Linklayer option does not match HW sender.
- Default Log Severity
- Notice
- Parameters
- srchw, srcip, destip, targetip, option, iface, pkt
- Explanation
- An ND message was received with a link-layer address option that did not match the HW sender address found in the L2 header.
- Gateway Action
- Allow
- Action Description
- The packet will be processed as if the link-layer address option would match that of the HW sender address found in the L2 header. The address found in the link-layer option will be used
- Proposed Action
- The advanced setting NDSettings:NDMatchL2Sender can be adjusted in order to control how the gateway will respond to mismatched link-layer options and the address found in the L2 header.
2.32.31. [ID: 180] Neighbor entry lost
- Log Categories
- NDP,SYSTEM
- Log Message
- Neighbor entry lost.
- Default Log Severity
- Warning
- Parameters
- ip, knownhw, iface
- Explanation
- The system needs to resolve an IP address, but the current virtual system is out of neighbor entries. The neighbor entry for IP ip at interface iface has been freed in order to continue.
- Gateway Action
- Discard
- Action Description
- The system has been forced to discard one existing neighbor entry in use
- Proposed Action
- This log is commonly seen during some denial-of-service attacks. If you think that the system should be able to handle this amount of active neighbors, review the NDSettings:NDCacheSizeEther setting and consider increasing it. Whether to log this event is controlled by the NDSettings:NDLogOutOfEntries setting.
2.32.32. [ID: 163] Probe from unknown host
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Probe from unknown host.
- Default Log Severity
- Notice
- Parameters
- srchw, srcip, destip, targetip, iface, pkt
- Explanation
- Received a dead peer probe without source link-layer option, and there was no previous information about this IP in the neighbor cache. One valid case where this can happen is when the gateway is required to keep track of more neighbors than the NDSettings:NDCacheSizeEther setting allows for.
- Gateway Action
- None
- Action Description
- The system will query for the IP srcip before the probe can be answered
- Proposed Action
- Whether to log this event is controlled by the NDSettings:NDValidation setting.
2.32.33. [ID: 1733] Probe from host with unexpected HW address
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Probe from host with unexpected HW address.
- Default Log Severity
- Notice
- Parameters
- srchw, knownhw, srcip, destip, targetip, iface, pkt
- Explanation
- Received a dead peer probe for srcip from the HW address srchw, but the last known HW address was knownhw. A reply has been sent to srchw, but the last known HW address was not updated.
- Gateway Action
- None
- Action Description
- The system replied to the solicitation, but did not register srchw as the HW source of srcip.
- Proposed Action
- Whether to log this event is controlled by the NDSettings:NDValidation setting. The behavior (whether to reply and/or update the known HW address) is controlled by the NDSettings:NDChanges setting.
2.32.34. [ID: 1730] Probe from host with unexpected HW address
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Probe from host with unexpected HW address.
- Default Log Severity
- Warning
- Parameters
- srchw, knownhw, srcip, destip, targetip, iface, pkt
- Explanation
- Received a dead peer probe for srcip from the HW address srchw, but the last known HW address was knownhw. The probe has therefore been dropped and no action was taken.
- Gateway Action
- Drop
- Action Description
- The system will not process this solicitation any further, and no response will be sent.
- Proposed Action
- Whether to log this event is controlled by the NDSettings:NDValidation setting. The behavior (whether to reply and/or update the known HW address) is controlled by the NDSettings:NDChanges setting.
2.32.35. [ID: 303] Dead Peer probe delayed
- Log Categories
- NDP,SYSTEM
- Log Message
- Dead Peer probe delayed.
- Default Log Severity
- Warning
- Parameters
- ip, knownhw, iface
- Explanation
- Dead Peer probes have been put under rate limit and a probe for the IP address ip has been put on hold. For the time being, the system will consider this address to be valid.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- Review the NDSettings:NDMaxUnreachProbe setting. Whether to log this event is controlled by the NDSettings:NDLogRatelimitDelay setting.
2.32.36. [ID: 1729] Probe from host while resolving address
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Probe from host while resolving address.
- Default Log Severity
- Information
- Parameters
- srchw, srcip, destip, targetip, iface, pkt
- Explanation
- Received a dead peer probe from srcip while waiting for address resolution to finish, so the HW address is technically unknown to us. The HW address srchw was supplied with the probe (and a reply was sent there), but this information has not been used to resolve the IP address.
- Gateway Action
- Ignore
- Action Description
- The system replied to the solicitation, but did not register srchw as the HW source of srcip.
- Proposed Action
- Whether to log this event is controlled by the NDSettings:NDValidation setting. The behavior (whether to reply and/or update the known HW address) is controlled by the NDSettings:NDChanges setting.
2.32.37. [ID: 1727] Probe from host while resolving address
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Probe from host while resolving address.
- Default Log Severity
- Warning
- Parameters
- srchw, srcip, destip, targetip, iface, pkt
- Explanation
- Received a dead peer probe from srcip while waiting for address resolution to finish, so the HW address is technically unknown to us. The probe has therefore been dropped and no action was taken.
- Gateway Action
- Drop
- Action Description
- The system replied to the solicitation, but did not register srchw as the HW source of srcip.
- Proposed Action
- Whether to log this event is controlled by the NDSettings:NDValidation setting. The behavior (whether to reply and/or update the known HW address) is controlled by the NDSettings:NDChanges setting.
2.32.38. [ID: 266] Reply to Dead Peer probe delayed
- Log Categories
- NDP,SYSTEM
- Log Message
- Reply to Dead Peer probe delayed.
- Default Log Severity
- Warning
- Parameters
- ip, destip, knownhw, iface
- Explanation
- Replies to Dead Peer probes have been put under rate limit and the reply to destip has been delayed. This may in the pathological case break ongoing communications between destip and the system.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- Review the NDSettings:NDMaxUnreachReply setting and consider increasing it. Whether to log this event is controlled by the NDSettings:NDLogRatelimitDelay setting.
2.32.39. [ID: 338] NDP resolve timeout
- Log Categories
- NDP,STATEFUL
- Log Message
- NDP resolve timeout.
- Default Log Severity
- Notice
- Parameters
- localip, ip, iface, flow, pkt, user, userid
- Explanation
- The system failed to resolve IP ip at interface iface. The IP is not reachable via the local network; traffic to and from this address will be dropped.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The "ndpsnoop" feature will allow realtime examination of the ND traffic at interface iface; use this to pinpoint the problem. Review the route configuration and the access rules, especially when seemingly valid Advertisements are discarded. Verify whether it is possible to route bidirectional traffic to and from IP ip at interface iface. Whether to log this event is controlled by the NDSettings:NDLogResolveFailure setting.
2.32.40. [ID: 445] Packet truncated at L4 header
- Log Categories
- NDP,STATELESS,VALIDATE
- Log Message
- Packet truncated at L4 header.
- Default Log Severity
- Warning
- Parameters
- srchw, srcip, pktlen, iface, pkt
- Explanation
- The message contains enough data for an ICMP header, and this header identifies the message as an ND message. There is however not enough data for an ND message.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- This log message can be turned off with the NDSettings:NDValidation setting.
2.32.41. [ID: 519] Option is truncated
- Log Categories
- NDP,STATELESS,VALIDATE
- Log Message
- Option is truncated.
- Default Log Severity
- Warning
- Parameters
- srchw, srcip, destip, targetip, type, offset, maxlen, len, iface, pkt
- Explanation
- The message is truncated in the middle of option type type at offset offset. The option is supposed to be len bytes long, but there is only enough data for maxlen bytes in the packet.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- This log message can be turned off with the NDSettings:NDValidation setting.
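The two truncation checks above ("Packet truncated at L4 header" and "Option is truncated") can be reproduced with a short option walker. This is an added example, not the firewall's own code; the function name, the sample packet and the choice to count offset from the start of the ICMPv6 header are assumptions.

```python
# Added example, not vendor code. Offsets are counted from the start of the
# ICMPv6 header (an assumption; the page does not define the origin of "offset").

# Size of each ND message before its options, ICMPv6 header included (RFC 4861):
# 133 RS, 134 RA, 135 NS, 136 NA, 137 Redirect.
ND_FIXED_LEN = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}


def check_nd_message(icmp6: bytes):
    """Return (verdict, details) for an ICMPv6 payload."""
    if len(icmp6) < 4:
        return "no ICMPv6 header", {"pktlen": len(icmp6)}
    fixed = ND_FIXED_LEN.get(icmp6[0])
    if fixed is None:
        return "not an ND message", {"icmp_type": icmp6[0]}
    if len(icmp6) < fixed:
        # The ICMP header is readable and identifies ND, but the ND body is short.
        return "Packet truncated at L4 header", {"pktlen": len(icmp6)}

    options = []
    offset = fixed
    while offset < len(icmp6):
        maxlen = len(icmp6) - offset          # bytes actually left in the packet
        opt_type = icmp6[offset]
        # The length field is in units of 8 octets. If even that byte is
        # missing, report the smallest legal option size (8 bytes).
        opt_len = icmp6[offset + 1] * 8 if maxlen >= 2 else 8
        if opt_len == 0:
            # RFC 4861 requires discarding ND packets with a zero-length
            # option; accepting it would also make this loop spin forever.
            return "zero-length option", {"type": opt_type, "offset": offset}
        if opt_len > maxlen:
            return "Option is truncated", {
                "type": opt_type, "offset": offset,
                "len": opt_len, "maxlen": maxlen,
            }
        options.append((opt_type, offset, icmp6[offset + 2:offset + opt_len]))
        offset += opt_len
    return "ok", {"options": options}


# Constructed sample: Neighbor Solicitation for 2001:db8::1 carrying a
# source link-layer address option (type 1, length 1 = 8 bytes).
SAMPLE_NS = (
    bytes([135, 0, 0, 0])                                # type, code, checksum (not verified)
    + bytes(4)                                           # reserved
    + bytes.fromhex("20010db8000000000000000000000001")  # target address
    + bytes.fromhex("0101020000000001")                  # option: type, len, MAC
)

if __name__ == "__main__":
    for cut in (len(SAMPLE_NS), 29, 20):
        print(cut, check_nd_message(SAMPLE_NS[:cut]))
```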
2.32.42. [ID: 348] ND message allowed by access rule
- Log Categories
- NDP
- Log Message
- ND message allowed by access rule.
- Default Log Severity
- Notice
- Parameters
- srchw, srcip, destip, targetip, iface, pkt, rule
- Explanation
- The ND sender IP address srcip was verified and accepted by access rule rule in the access section.
- Gateway Action
- Allow
- Action Description
- None
- Proposed Action
- Modify the access rule accordingly, if the sender should not be allowed.
2.32.43. [ID: 127] ND message disallowed by access rule
- Log Categories
- NDP
- Log Message
- ND message disallowed by access rule.
- Default Log Severity
- Notice
- Parameters
- srchw, srcip, destip, targetip, recviface, pkt, rule
- Explanation
- Further processing of the received ND packet is not allowed because access rule rule did not allow the sender IP srcip.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- If the decision to drop the packet was correct but you don't want any logs, then either change the LogEnabled property on the access rule (if the rule is an explicitly configured access rule), add an access rule to drop the packet silently, or configure a log message exception in the log receiver to ignore this message. If the decision to drop the packet was incorrect, then there are two cases: If the rule is an explicitly configured access rule, then modify it, and possibly other access rules, accordingly. Otherwise start by verifying that the routing is correctly configured for the sender's address, since routes provide automatic access rules. If that does not help, that is, in setups where packets arriving from the sender arrive on another interface than where packets going to the sender are routed, then add an access rule accepting the sender's address on the receive interface.
2.32.44. [ID: 1657] ND message disallowed by route to source IP
- Log Categories
- NDP,ROUTE,IPSPOOFING
- Log Message
- ND message disallowed by route to source IP.
- Default Log Severity
- Notice
- Parameters
- srchw, srcip, destip, targetip, recviface, srcroute, pkt
- Explanation
- Further processing of the received ND packet is not allowed because the source IP srcip is not routed over the receive interface recviface.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- This is an effect of the automatic reverse path ingress filtering of the system, based on the routes known to the system. The default policy is basically "strict reverse path forwarding", that is, a packet must be received on the interface where packets to the source IP of the packet would be routed out, to be acceptable. In some scenarios, for instance where asymmetric routing is used, this is too strict. Exceptions can then be made by marking interfaces as security equivalent or by adding explicit access rules to allow packets from the source IP on this interface even though packets to the source IP will be sent over some other interface.
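The strict reverse path check and its two exceptions can be sketched as follows. This is an added example, not the firewall's implementation; the routing table, interface names, function names and the order in which explicit access rules and routes are consulted are assumptions.

```python
import ipaddress

# Constructed routing table: (prefix, egress interface). Names are hypothetical.
ROUTES = [
    ("2001:db8:1::/64", "lan"),
    ("2001:db8:2::/64", "dmz"),
    ("::/0", "wan"),
]


def lookup_route(routes, ip):
    """Longest-prefix match. Returns (network, iface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best


def rpf_check(srcip, recviface, routes, equivalent=(), access_rules=()):
    """Return (action, reason) for a packet from srcip received on recviface.

    equivalent:   groups (sets) of interfaces marked as security equivalent
    access_rules: (prefix, iface) pairs explicitly accepting a source on an
                  interface; checked before routes here (assumed order)
    """
    addr = ipaddress.ip_address(srcip)
    for prefix, iface in access_rules:
        if iface == recviface and addr in ipaddress.ip_network(prefix):
            return "allow", "access rule"

    route = lookup_route(routes, srcip)
    if route is None:
        return "drop", "no route to source"
    _, out_iface = route
    if out_iface == recviface:
        # Strict RPF: replies to srcip would leave through the receive interface.
        return "allow", "route"
    if any(recviface in group and out_iface in group for group in equivalent):
        return "allow", "security equivalent interface"
    return "drop", f"source routed over {out_iface}"


if __name__ == "__main__":
    src = "2001:db8:1::10"
    print(rpf_check(src, "lan", ROUTES))
    print(rpf_check(src, "wan", ROUTES))
    print(rpf_check(src, "wan", ROUTES, equivalent=[{"lan", "wan"}]))
    print(rpf_check(src, "wan", ROUTES, access_rules=[("2001:db8:1::/64", "wan")]))
```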
2.32.45. [ID: 212] Solicitation delayed
- Log Categories
- NDP,SYSTEM
- Log Message
- Solicitation delayed.
- Default Log Severity
- Warning
- Parameters
- ip, knownhw, iface
- Explanation
- Neighbor Solicitations have been put under rate limit and a solicitation for the IP address ip, which the system is supposed to resolve, has been put on hold. Communication with this address will be impossible until the rate limit has been lifted. This log is commonly seen during some denial-of-service attacks.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- Review the NDSettings:NDMaxSolicitation setting. Whether to log this event is controlled by the NDSettings:NDLogRatelimitDelay setting.
2.32.46. [ID: 625] Solicitation from unknown host
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Solicitation from unknown host.
- Default Log Severity
- Warning
- Parameters
- srchw, srcip, destip, targetip, iface, pkt
- Explanation
- Received a multicast neighbor solicitation without source link-layer option. This is illegal, and a possible denial-of-service attack mentioned in RFC 4861.
- Gateway Action
- Drop
- Action Description
- The system will not process this solicitation any further, and no response will be sent.
- Proposed Action
- Whether to log this event is controlled by the NDSettings:NDValidation setting.
2.32.47. [ID: 1725] Solicitation from host with unexpected HW[...]
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Solicitation from host with unexpected HW address.
- Default Log Severity
- Notice
- Parameters
- srchw, knownhw, srcip, destip, targetip, iface, pkt
- Explanation
- Received a multicast neighbor solicitation from srcip using the HW address srchw, but the last known HW address was knownhw. The HW address srchw was supplied with the probe (and a reply has been sent there), but the last known HW address has not been updated.
- Gateway Action
- Ignore
- Action Description
- The system replied to the solicitation, but did not register srchw as the HW source of srcip.
- Proposed Action
- Whether to log this event is controlled by the NDSettings:NDValidation setting. The behavior (whether to reply and/or update the known HW address) is controlled by the NDSettings:NDChanges setting.
2.32.48. [ID: 1735] Solicitation from host with unexpected HW[...]
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Solicitation from host with unexpected HW address.
- Default Log Severity
- Warning
- Parameters
- srchw, knownhw, srcip, destip, targetip, iface, pkt
- Explanation
- Received a multicast neighbor solicitation from srcip using the HW address srchw, but the last known HW address was knownhw. The packet has been dropped and will not be further processed.
- Gateway Action
- Drop
- Action Description
- The system will not process this solicitation any further, and no response will be sent.
- Proposed Action
- Whether to log this event is controlled by the NDSettings:NDValidation setting. The behavior (whether to reply and/or update the known HW address) is controlled by the NDSettings:NDChanges setting.
2.32.49. [ID: 1734] Solicitation from host while resolving address
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Solicitation from host while resolving address.
- Default Log Severity
- Information
- Parameters
- srchw, srcip, destip, targetip, iface, pkt
- Explanation
- Received a multicast neighbor solicitation from srcip while waiting for address resolution to finish, so the HW address is technically unknown to us. A reply has been sent to srchw, but the last known HW address was not updated.
- Gateway Action
- Ignore
- Action Description
- The system replied to the solicitation, but did not register srchw as the HW source of srcip.
- Proposed Action
- Whether to log this event is controlled by the NDSettings:NDValidation setting. The behavior (whether to reply and/or update the known HW address) is controlled by the NDSettings:NDChanges setting.
2.32.50. [ID: 1722] Solicitation from host while resolving address
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Solicitation from host while resolving address.
- Default Log Severity
- Notice
- Parameters
- srchw, srcip, destip, targetip, iface, pkt
- Explanation
- Received a multicast neighbor solicitation from srcip while waiting for address resolution to finish, so the HW address is technically unknown to us. The packet has been dropped and will not be further processed.
- Gateway Action
- Drop
- Action Description
- The system will not process this solicitation any further, and no response will be sent.
- Proposed Action
- Whether to log this event is controlled by the NDSettings:NDValidation setting. The behavior (whether to reply and/or update the known HW address) is controlled by the NDSettings:NDChanges setting.
2.32.51. [ID: 316] Spoofed HW sender
- Log Categories
- NDP,STATELESS,VALIDATE
- Log Message
- Spoofed HW sender.
- Default Log Severity
- Warning
- Parameters
- srchw, srcip, destip, targetip, iface, pkt
- Explanation
- An ND message has been received. The message has an L2 header attached to it, and the L2 sender address inside that header belongs to the system. Either this is a forged message, or packets are leaking from one network into another.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Examine why these packets are being received. There are two possible sources: an active attack, or the system hearing its own ND messages (the most common case is that one physical multicast-capable network has been partitioned into two or more "logical" subnets). Check the receive mode for the receiving interface. An attacker can attempt to "impersonate" the firewall by using a known address associated with the firewall, in order to "update" an insecure host with false information. This kind of attack is usually not directed at the firewall, so the likelihood that the firewall will detect it is very low for "normal" or "selective multicast" mode, and high for "promiscuous" or "all-multicast" mode. Whether to log this event is controlled by the NDSettings:NDValidation setting.
2.32.52. [ID: 239] Dead peer probe answered from unknown HW[...]
- Log Categories
- NDP,STATEFUL,VALIDATE
- Log Message
- Dead peer probe answered from unknown HW sender.
- Default Log Severity
- Warning
- Parameters
- knownhw, srchw, srcip, destip, targetip, iface, pkt
- Explanation
- The system has sent a dead peer probe to a previously resolved IP, and received an answer with a different L2 address. This is not expected to happen as the probe (from the system) was sent to the known address knownhw, and is an illegal response.
- Gateway Action
- Drop
- Action Description
- The packet has been dropped and will not be considered an answer for the dead peer probe.
- Proposed Action
- Whether to log this event or not is controlled by the NDSettings:NDValidation setting. The packet is considered invalid, so it will be dropped regardless of the setting. Examine the network to see why such a response was sent. It may be an attempt to hijack traffic, in which case srchw must be the address of a compromised machine.
2.32.53. [ID: 315] Spoofed IP sender
- Log Categories
- NDP,STATELESS,VALIDATE
- Log Message
- Spoofed IP sender.
- Default Log Severity
- Warning
- Parameters
- srchw, srcip, destip, targetip, iface, pkt
- Explanation
- An ND message has been received from one IP owned (or proxied) by the system. Either this is a forged message, or packets are leaking from one network into another.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Examine why these packets are being received. There are two possible sources: an active attack, or the system hearing its own ND messages (the most common case is that one physical multicast-capable network has been partitioned into two or more "logical" subnets). Check the receive mode for the receiving interface. An attacker can attempt to "impersonate" the firewall by using a known address associated with the firewall, in order to "update" an insecure host with false information. This kind of attack is usually not directed at the firewall, so the likelihood that the firewall will detect it is very low for "normal" or "selective multicast" mode, and high for "promiscuous" or "all-multicast" mode. Whether to log this event is controlled by the NDSettings:NDValidation setting.
2.32.54. [ID: 271] Spoofed source linklayer option
- Log Categories
- NDP,STATELESS,VALIDATE
- Log Message
- Spoofed source linklayer option.
- Default Log Severity
- Warning
- Parameters
- srchw, srcip, destip, targetip, option, iface, pkt
- Explanation
- An ND message contained a source link-layer option with an L2 address that belongs to the system. Either this is a forged message, or packets are leaking from one network into another.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Examine why these packets are being received. There are two possible sources: an active attack, or the system hearing its own ND messages (the most common case is that one physical multicast-capable network has been partitioned into two or more "logical" subnets). Check the receive mode for the receiving interface. An attacker can attempt to "impersonate" the firewall by using a known address associated with the firewall, in order to "update" an insecure host with false information. This kind of attack is usually not directed at the firewall, so the likelihood that the firewall will detect it is very low for "normal" or "selective multicast" mode, and high for "promiscuous" or "all-multicast" mode. Whether to log this event is controlled by the NDSettings:NDValidation setting.
2.32.55. [ID: 446] Spoofed IP target
- Log Categories
- NDP,STATELESS,VALIDATE
- Log Message
- Spoofed IP target.
- Default Log Severity
- Warning
- Parameters
- srchw, srcip, destip, targetip, iface, pkt
- Explanation
- An ND message has been received for one target IP that is owned (or proxied) by the system. Either this is a forged message, or packets are leaking from one network into another.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Examine why these packets are being received. There are two possible sources: an active attack, or the system hearing its own ND messages (the most common case is that one physical multicast-capable network has been partitioned into two or more "logical" subnets). Check the receive mode for the receiving interface. An attacker can attempt to "impersonate" the firewall by using a known address associated with the firewall, in order to "update" an insecure host with false information. This kind of attack is usually not directed at the firewall, so the likelihood that the firewall will detect it is very low for "normal" or "selective multicast" mode, and high for "promiscuous" or "all-multicast" mode. Whether to log this event is controlled by the NDSettings:NDValidation setting.
2.32.56. [ID: 1160] IPv6 DNS was discovered
- Log Categories
- NDP
- Log Message
- IPv6 DNS was discovered.
- Default Log Severity
- Notice
- Parameters
- ip, iface
- Explanation
- IPv6 DNS has been discovered on the interface.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- None
2.32.57. [ID: 1136] IPv6 DNS has expired
- Log Categories
- NDP
- Log Message
- IPv6 DNS has expired.
- Default Log Severity
- Notice
- Parameters
- ip, iface
- Explanation
- IPv6 DNS has expired.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- None
2.32.58. [ID: 1139] Generated IPv6 address appear to be occupied
- Log Categories
- NDP
- Log Message
- Generated IPv6 address appear to be occupied.
- Default Log Severity
- Warning
- Parameters
- ip, iface
- Explanation
- The generated IPv6 address appears to be occupied.
- Gateway Action
- Reject
- Action Description
- None
- Proposed Action
- This could mean that there is identical hardware on the network, since the IP is generated based on the MAC address.
2.32.59. [ID: 1134] No routers were discovered
- Log Categories
- NDP
- Log Message
- No routers were discovered.
- Default Log Severity
- Warning
- Parameters
- iface
- Explanation
- No router advertisements were received.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- None
2.32.60. [ID: 1159] IPv6 prefix was discovered
- Log Categories
- NDP
- Log Message
- IPv6 prefix was discovered.
- Default Log Severity
- Notice
- Parameters
- network, iface
- Explanation
- IPv6 prefix has been discovered on the interface.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- None
2.32.61. [ID: 1151] IPv6 prefix has expired
- Log Categories
- NDP
- Log Message
- IPv6 prefix has expired.
- Default Log Severity
- Notice
- Parameters
- network, iface
- Explanation
- IPv6 prefix has expired.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- None
2.32.62. [ID: 1284] IPv6 prefix preferred lifetime exceeds valid[...]
- Log Categories
- NDP
- Log Message
- IPv6 prefix preferred lifetime exceeds valid lifetime.
- Default Log Severity
- Notice
- Parameters
- network, iface
- Explanation
- IPv6 prefix preferred lifetime exceeds valid lifetime.
- Gateway Action
- Reject
- Action Description
- None
- Proposed Action
- None
2.32.63. [ID: 1138] Router was discovered
- Log Categories
- NDP
- Log Message
- Router was discovered.
- Default Log Severity
- Notice
- Parameters
- ip, iface
- Explanation
- IPv6 router has been discovered on the interface.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- None
2.32.64. [ID: 1142] IPv6 router has expired
- Log Categories
- NDP
- Log Message
- IPv6 router has expired.
- Default Log Severity
- Notice
- Parameters
- ip, iface
- Explanation
- IPv6 router has expired.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- None