2.40. SCTP

Home Prev	cOS Stream 4.00.03 Log Reference Guide	Next

2.40.1. [ID: 1335] IP address outside IP rule filter

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: IP address outside IP rule filter.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, ip, pkt, assoc, rule
Explanation: The packet contains an alternative transport address that does not comply with the IP rule. Traffic to and from addresses that don't match the IP rule, will not be allowed once the association has been established for stateful SCTP inspection since that would cause problems to an association's state tracking in case the traffic is using paths that do not pass through the firewall. By disallowing this kind of addresses, the association is narrowed down to match that of the IP rule.
Gateway Action: Strip
Action Description: None
Proposed Action: None

2.40.2. [ID: 1350] IP address outside IP rule filter

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: IP address outside IP rule filter.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, ip, pkt, assoc, rule
Explanation: The packet contains an alternative transport address that does not comply with the IP rule. Traffic to and from addresses that don't match the IP rule, will not be allowed once the association has been established for stateful SCTP inspection since that would cause problems to an association's state tracking in case the traffic is using paths that do not pass through the firewall. By disallowing this kind of addresses, the association is narrowed down to match that of the IP rule.
Gateway Action: Strip
Action Description: None
Proposed Action: None

2.40.3. [ID: 1371] ABORT bundled with DATA chunk

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: ABORT bundled with DATA chunk.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt
Explanation: An abort message was bundled with DATA chunks.
Gateway Action: Drop
Action Description: None
Proposed Action: This log message is controlled by SCTPSettings:SCTPLogFormatError.

2.40.4. [ID: 1216] Advertised receiver window credit too low

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Advertised receiver window credit too low.
Default Log Severity: Warning
Parameters: value, pkt
Explanation: This log message indicates that the advertised window credit during association setup is too low. Normally this is the maximum window credit for the entire lifetime of the association. Not only does this affect the data transfer rate, but also the maximum user message size in bytes. This log message is indirectly controlled by SCTPSettings:SCTPMinInitWindowCredit.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.5. [ID: 1324] Association abort

Log Categories: SCTP,STATEFUL
Log Message: Association abort.
Default Log Severity: Warning
Parameters: pkt, assoc, rule
Explanation: The association was aborted by a peer.
Gateway Action: Abort
Action Description: None
Proposed Action: None

2.40.6. [ID: 1361] Established association exists

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Established association exists.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation: The association the current control chunk is trying to establish already exists.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.7. [ID: 1367] Association established

Log Categories: SCTP,STATEFUL
Log Message: Association established.
Default Log Severity: Information
Parameters: pkt, assoc, rule
Explanation: An SCTP association handshake has been completed, and a new association has been established.
Gateway Action: Enable
Action Description: None
Proposed Action: None

2.40.8. [ID: 1658] Association establishment clash

Log Categories: SCTP,STATEFUL
Log Message: Association establishment clash.
Default Log Severity: Warning
Parameters: pkt, assoc, rule
Explanation: The association failed to establish because it tried to claim a combination of ports and IP addresses that is already in use by another association.
Gateway Action: Abort
Action Description: None
Proposed Action: The system may contain lingering associations that have been silently abandoned for one reason or another (there is also a known attack with these symptoms). Verify that the existing associations are valid; by default SCTP has a very long idle timeout and abandoned associations may need to be manually removed.

2.40.9. [ID: 1689] Association no longer allowed

Log Categories: SCTP,STATEFUL
Log Message: Association no longer allowed.
Default Log Severity: Warning
Parameters: assoc, rule
Explanation: The system policy has been updated, and as a consequence the association assoc was no longer allowed. The association has been forcefully closed.
Gateway Action: Close
Action Description: None
Proposed Action: Verify that the endpoints are aware that the association has been closed.

2.40.10. [ID: 1362] Association closed due to idle timeout

Log Categories: SCTP,STATEFUL
Log Message: Association closed due to idle timeout.
Default Log Severity: Information
Parameters: assoc, rule
Explanation: An SCTP association was closed due to idle timeout. An SCTP association is considered "idle" if it has no flows.
Gateway Action: Close
Action Description: None
Proposed Action: Strictly following RFC 4960, an established SCTP association should never time out. Examine the hosts involved if this is a reoccurring problem. The idle lifetime can also be adjusted using the setting SCTPSettings:SCTPIdleLifetime.

2.40.11. [ID: 1359] Handshake random replace

Log Categories: SCTP,STATEFUL
Log Message: Handshake random replace.
Default Log Severity: Warning
Parameters: assoc, rule
Explanation: There are too many concurrent SCTP handshakes and a randomly chosen handshake attempt has been discarded.
Gateway Action: Close
Action Description: None
Proposed Action: The maximum number of concurrent SCTP handshakes can be adjusted with SCTPSettings:SCTPMaxHandshake. Configure the system to support more simultaneous handshakes, or try to track down the host(s) that overloads the network.

2.40.12. [ID: 1326] Association handshake timeout

Log Categories: SCTP,STATEFUL
Log Message: Association handshake timeout.
Default Log Severity: Warning
Parameters: assoc, rule
Explanation: An SCTP association handshake timed out. No association was ever established. Larger amounts of "handshake timeouts" may be caused by port scanning.
Gateway Action: Close
Action Description: No association has been setup
Proposed Action: The maximum lifetime of an handshake can be adjusted using the setting SCTPSettings:SCTPHandshakeLifetime.

2.40.13. [ID: 1332] Association handshake initiated

Log Categories: SCTP,STATEFUL
Log Message: Association handshake initiated.
Default Log Severity: Notice
Parameters: pkt, assoc, rule
Explanation: An SCTP init message was received. This is the first part of an SCTP association handshake.
Gateway Action: Open
Action Description: Allowed by the configuration
Proposed Action: None; normally a log message that the association has been established should follow.

2.40.14. [ID: 1639] Association handshake restart

Log Categories: SCTP,STATEFUL
Log Message: Association handshake restart.
Default Log Severity: Notice
Parameters: pkt, assoc, rule
Explanation: An SCTP init message was received by an established association. This is an anomalous event that can happen, say if either of the end-points has lost their state (crashed or rebooted).
Gateway Action: Reopen
Action Description: None
Proposed Action: None; normally a log message that the association has been established should follow.

2.40.15. [ID: 1659] Association restart clash

Log Categories: SCTP,STATEFUL
Log Message: Association restart clash.
Default Log Severity: Warning
Parameters: pkt, assoc, rule
Explanation: A failed attempt was made to restart an SCTP association, leaving the old association unaffected. The attempt failed to establish the new association because the new association tried to claim a combination of ports and IP addresses that is already in use by other existing associations.
Gateway Action: Abort
Action Description: None
Proposed Action: The system may contain lingering associations that have been silently abandoned for one reason or another (there is also a known attack with these symptoms). Verify that the existing associations are valid; by default SCTP has a very long idle timeout and abandoned associations may need to be manually removed.

2.40.16. [ID: 1329] Association restart initiated

Log Categories: SCTP,STATEFUL
Log Message: Association restart initiated.
Default Log Severity: Notice
Parameters: newinitvtag, newrespvtag, assoc, rule
Explanation: An SCTP init message, matching an existing association, was received. This might be an association restart, in which case it should be followed by an "association restarted" log message.
Gateway Action: Open
Action Description: None
Proposed Action: None

2.40.17. [ID: 1384] Association restart initiated

Log Categories: SCTP,STATEFUL
Log Message: Association restart initiated.
Default Log Severity: Notice
Parameters: newinitip, newrespip, newinitvtag, newrespvtag, assoc, rule
Explanation: An SCTP init message, matching an existing association, was received. This might be an association restart, in which case it should be followed by an "association restarted" log message.
Gateway Action: Open
Action Description: None
Proposed Action: None

2.40.18. [ID: 1339] Association restarted

Log Categories: SCTP,STATEFUL
Log Message: Association restarted.
Default Log Severity: Information
Parameters: pkt, assoc, rule
Explanation: An SCTP association was successfully restarted.
Gateway Action: Reopen
Action Description: The effect is the same as if the old association had been closed, and a new one has been negotiated
Proposed Action: None

2.40.19. [ID: 1347] Association random replace

Log Categories: SCTP,STATEFUL
Log Message: Association random replace.
Default Log Severity: Warning
Parameters: assoc, rule
Explanation: There are too many concurrent established SCTP associations and a randomly chosen association has been discarded. More correctly; the currently established SCTP associations are using too many resources and one association has been selected. The selection is made randomly, but associations using more resources are more likely to be chosen.
Gateway Action: Close
Action Description: None
Proposed Action: The maximum number of concurrent SCTP associations can be (indirectly) adjusted with SCTPSettings:SCTPMaxAssocLinks. Configure the system to support more simultaneous associations, or try to track down the host(s) that overloads the network. Note that the setting counts the number of IP combinations that can be made within the associations; with the maximum supported IP addresses (32 per endpoint) the setting should be given a value that is 1024 (32 x 32) times larger than the maximum concurrent associations.

2.40.20. [ID: 1327] Association timeout on shutdown

Log Categories: SCTP,STATEFUL
Log Message: Association timeout on shutdown.
Default Log Severity: Warning
Parameters: assoc, rule
Explanation: An SCTP association was forcibly closed since the shutdown sequence timed out.
Gateway Action: Close
Action Description: None
Proposed Action: Strictly following RFC 4960, an SCTP association should never time out during the shutdown sequence. Examine the hosts involved if this is a reoccurring problem. The maximum lifetime of the shutdown sequence can be adjusted using the setting SCTPSettings:SCTPHandshakeLifetime.

2.40.21. [ID: 1358] Association closed

Log Categories: SCTP,STATEFUL
Log Message: Association closed.
Default Log Severity: Notice
Parameters: pkt, assoc, rule
Explanation: The association has been gracefully closed.
Gateway Action: Close
Action Description: None
Proposed Action: None

2.40.22. [ID: 1343] Association shutdown received

Log Categories: SCTP,STATEFUL
Log Message: Association shutdown received.
Default Log Severity: Information
Parameters: pkt, assoc, rule
Explanation: An SCTP association has begun a shutdown sequence.
Gateway Action: Allow
Action Description: The association is now effectively closed, but will linger until the peer has acknowledged the shutdown
Proposed Action: None

2.40.23. [ID: 1640] Association linger timeout

Log Categories: SCTP,STATEFUL
Log Message: Association linger timeout.
Default Log Severity: Critical
Parameters: assoc, rule
Explanation: The system failed to synchronize the shutdown of an SCTP association over the HA cluster, and could not recover the necessary information to retry. This may have left the association open in the established state, even though it should have been closed. Such associations will eventually timeout, but may be possible to exploit in the meantime.
Gateway Action: Discard
Action Description: Timeout while waiting for HA peer to acknowledge deletion of closed association
Proposed Action: Check if the association (identified as assoc) has been left open (verify that there are no log messages saying that it has been "restarted" or that a new one has been opened with the same network parameters); manually close it if so.

2.40.24. [ID: 1357] PPID blacklisted

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: PPID blacklisted.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, ppid, pkt, assoc, rule
Explanation: The Payload Protocol Identifier of a DATA chunk was blacklisted by the SCTP service that is used by the IP rule that allows the traffic.
Gateway Action: Drop
Action Description: None
Proposed Action: Exclude the Payload Protocol Identifier from the blacklist of the SCTP service used if you want to allow it.

2.40.25. [ID: 1239] Bundled singular chunk type

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Bundled singular chunk type.
Default Log Severity: Warning
Parameters: chunktype, count, pkt
Explanation: Certain chunks are not allowed to be mixed with other chunks in the same packet; in fact only one such chunk is allowed per packet. In this case a packet was found to not honor this restriction.
Gateway Action: Drop
Action Description: None
Proposed Action: This packet is broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets.

2.40.26. [ID: 1377] Unexpected cookie ack from initiator of[...]

Log Categories: SCTP,STATEFUL
Log Message: Unexpected cookie ack from initiator of restart.
Default Log Severity: Warning
Parameters: pkt, assoc, rule
Explanation: A COOKIE ACK was received from the initiator of a restart instead of the responder.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.27. [ID: 1375] Unexpected cookie echo from responder of[...]

Log Categories: SCTP,STATEFUL
Log Message: Unexpected cookie echo from responder of restart.
Default Log Severity: Warning
Parameters: pkt, assoc, rule
Explanation: A COOKIE ECHO was received from the responder of a restart instead of the initiator.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.28. [ID: 1298] Chunk length includes padding at end

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Chunk length includes padding at end.
Default Log Severity: Notice
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, padlen, pkt
Explanation: The length parameter of a chunk includes the padding at the end.
Gateway Action: Allow
Action Description: None
Proposed Action: This log message is controlled by SCTPSettings:SCTPLogFormatError.

2.40.29. [ID: 1660] Cookie echoed

Log Categories: SCTP,STATEFUL
Log Message: Cookie echoed.
Default Log Severity: Debug
Parameters: pkt, assoc, rule
Explanation: An SCTP cookie-echo message was received. This is the third part of an SCTP association handshake, consisting of the initiator returning the responder "cookie".
Gateway Action: Accept
Action Description: Part of association handshake.
Proposed Action: None; normally a log message that the association has been established should follow.

2.40.30. [ID: 1439] Stripped DATA chunk from packet containing[...]

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Stripped DATA chunk from packet containing SHUTDOWN.
Default Log Severity: Information
Parameters: chunktype, chunkindex, chunkoffset, chunklen, pkt
Explanation: DATA chunk found after SHUTDOWN chunk.
Gateway Action: Strip
Action Description: None
Proposed Action: None

2.40.31. [ID: 1363] Destination port mismatch

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Destination port mismatch.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, destport, pkt, assoc, rule
Explanation: The destination port of an SCTP packet sent by the initiator of an association does not match the destination port of the association the packet belongs to.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.32. [ID: 1369] Unexpected DATA from shutdown initiator

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Unexpected DATA from shutdown initiator.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation: A DATA chunk has been received for an SCTP association by the initiator of the shutdown.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.33. [ID: 1352] Initial vtag changed

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Initial vtag changed.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, newvtag, pkt, assoc, rule
Explanation: During an SCTP association establishment this is not the first INIT_ACK chunk that has been seen and it contains a different initiate tag than the first INIT_ACK chunk sent.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.34. [ID: 1345] No init seen

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: No init seen.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation: No former INIT chunk was encountered that justifies the receipt of the current chunk.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.35. [ID: 1386] Restart changed initiator IP address number

Log Categories: SCTP,STATEFUL
Log Message: Restart changed initiator IP address number.
Default Log Severity: Warning
Parameters: old, new, pkt, assoc, rule
Explanation: An INIT chunk was received for a restart of an association. The number of IP addresses between the original association and the restart is bigger.
Gateway Action: Drop
Action Description: None
Proposed Action: Make sure a restart does not contain more IP addresses that the original association.

2.40.36. [ID: 1376] Restart added initiator IP address

Log Categories: SCTP,STATEFUL
Log Message: Restart added initiator IP address.
Default Log Severity: Warning
Parameters: ip, pkt, assoc, rule
Explanation: A restart was issued which added a new ip address for the initiator of an SCTP association.
Gateway Action: Drop
Action Description: None
Proposed Action: Make sure a restart does not add IP addresses that do not exist to the initiator of the original association.

2.40.37. [ID: 1383] Restart added responder IP address

Log Categories: SCTP,STATEFUL
Log Message: Restart added responder IP address.
Default Log Severity: Warning
Parameters: ip, pkt, assoc, rule
Explanation: A restart was issued which added a new ip address for the responder of an SCTP association.
Gateway Action: Drop
Action Description: None
Proposed Action: Make sure a restart does not add IP addresses that do not exist to the responder of the original association.

2.40.38. [ID: 1387] Restart changed responder IP address number

Log Categories: SCTP,STATEFUL
Log Message: Restart changed responder IP address number.
Default Log Severity: Warning
Parameters: old, new, pkt, assoc, rule
Explanation: An INIT-ACK chunk was received for a restart of an association. The number of IP addresses between the original association and the restart is bigger.
Gateway Action: Drop
Action Description: None
Proposed Action: Make sure a restart does not contain more IP addresses that the original association.

2.40.39. [ID: 1338] Wrong association restart state

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Wrong association restart state.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation: A COOKIE_ACK has been received for a restart of an association which is not in the COOKIE_ECHOED or ESTABLISHED state.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.40. [ID: 1368] Shutdown during establishment

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Shutdown during establishment.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation: Received a shutdown related control chunk during the establishment of an association.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.41. [ID: 1355] Expired restart period

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Expired restart period.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation: The period for an association to be restarted has been expired.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.42. [ID: 1333] Too many shutdown requests

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Too many shutdown requests.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation: More than one SHUTDOWN or ABORT chunks have been received for the association within two seconds.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.43. [ID: 1346] Unexpected COOKIE ACK

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Unexpected COOKIE ACK.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation: A COOKIE_ACK chunk has been received while the current association is neither in the expected COOKIE_ECHOED state or in the ESTABLISHED state with the potential for a possible restart.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.44. [ID: 1331] Unexpected COOKIE ECHO

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Unexpected COOKIE ECHO.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation: A stray COOKIE_ECHO chunk has been received while the association has either received only an INIT chunk or is shutting down. Possibly a stale packet that was used to establish the present association or a past association that is no longer in existence.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.45. [ID: 1656] Unexpected DATA from initiator

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Unexpected DATA from initiator.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation: A DATA chunk from the initiator was seen, before having received a valid COOKIE-ECHO from the initiator. The packet has been dropped.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.46. [ID: 1654] Unexpected DATA from responder

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Unexpected DATA from responder.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation: A DATA chunk from the responder was seen, before having received the (Cookie) Echo-Ack from the responder. The packet has been dropped.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.47. [ID: 1342] Unexpected shutdown chunk

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Unexpected shutdown chunk.
Default Log Severity: Warning
Parameters: iplen, state, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation: Received a shutdown related control chunk while the association was in the wrong state.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.48. [ID: 1288] Empty state cookie parameter found

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Empty state cookie parameter found.
Default Log Severity: Warning
Parameters: chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation: A state cookie parameter with no value was found within an INIT_ACK chunk.
Gateway Action: Drop
Action Description: None
Proposed Action: This packet is invalid. If the packet sender is one of your network devices, investigate why the unit is sending empty state cookie parameters within INIT_ACK chunks.

2.40.49. [ID: 1686] Clash

Log Categories: SCTP,STATEFUL,HA
Log Message: Clash.
Default Log Severity: Critical
Parameters: srcport, srcip, destport, destip, srciface, assoc, rule
Explanation: Cannot synchronize assoc; an incompatible SCTP association exists at this node.
Gateway Action: Abort
Action Description: Synchronization failed and the system now has two different SCTP associations that at least partially respond to the same traffic
Proposed Action: Identify the two mutually exclusive associations, and manually resolve the situation. The peer is likely to have additional log messages. Consider rebooting one of the HA nodes.

2.40.50. [ID: 1685] Clash

Log Categories: SCTP,STATEFUL,HA
Log Message: Clash.
Default Log Severity: Warning
Parameters: srcport, srcip, destport, destip, srciface, assoc, rule
Explanation: Synchronization encountered an incompatible SCTP association at the current node. This was resolved by discarding the existing association without notifying the endpoints, as it (assoc) did not appear to have been in use for some time. More specifically, it had not been forwarding any traffic for a time exceeding the one given by FlowTimeoutSettings:FlowLifetimeSCTPStateful.
Gateway Action: Discard
Action Description: Synchronization encountered an unexpected situation involving two mutually exclusive SCTP associations. However, as one of the associations had been unused (not forwarding traffic) for a time of at least FlowTimeoutSettings:FlowLifetimeSCTPStateful, the assoc was discarded in favour of the one synchronized
Proposed Action: Verify that the discarded association indeed was right to discard.

2.40.51. [ID: 1684] Disallowed

Log Categories: SCTP,STATEFUL,HA
Log Message: Disallowed.
Default Log Severity: Warning
Parameters: srcport, srcip, destport, destip, srciface
Explanation: Disallowed by policies at the current node, but allowed by the peer node. This sometimes happen when associations are being setup at the same time that the HA node is booting up, or when the configuration has been updated at the HA peer but not at the current node.
Gateway Action: Ignore
Action Description: The association will not be synchronized; at least not for the moment
Proposed Action: Usually the association is synchronized once the HA peer has been updated, but it is still advised to verify that the relevant association has been properly synchronized.

2.40.52. [ID: 1170] Host name address detected

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Host name address detected.
Default Log Severity: Notice
Parameters: name, offset, datalen, pkt
Explanation: The packet contains a Host Name address parameter; an alternative address using the DNS format. Note that the host name will be resolved by a, potentially compromised, external entity. Therefore it has the potential to circumvent the IP policy (but not the routes). Whether this will incur a security risk depends on the network layout, but it does increase the target area. This log message is controlled by SCTPSettings:SCTPHostNameAddressParam.
Gateway Action: Allow
Action Description: None
Proposed Action: None

2.40.53. [ID: 1189] Host name address detected

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Host name address detected.
Default Log Severity: Information
Parameters: name, offset, datalen, pkt
Explanation: The packet contains a Host Name address parameter; an alternative address using the DNS format. Note that the host name will be resolved by a, potentially compromised, external entity. Therefore it has the potential to circumvent the IP policy (but not the routes). Whether this will incur a security risk depends on the network layout, but it does increase the target area. This log message is controlled by SCTPSettings:SCTPHostNameAddressParam.
Gateway Action: Strip
Action Description: None
Proposed Action: None

2.40.54. [ID: 1374] Host name address detected

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Host name address detected.
Default Log Severity: Warning
Parameters: name, offset, datalen, pkt, assoc, rule
Explanation: For stateful inspection of SCTP traffic, a Host Name Address parameter always gets stripped from a chunk.
Gateway Action: Strip
Action Description: None
Proposed Action: None

2.40.55. [ID: 1381] Wrong initiator primary IP

Log Categories: SCTP,STATEFUL
Log Message: Wrong initiator primary IP.
Default Log Severity: Warning
Parameters: ip, pkt, assoc, rule
Explanation: A packet with an INIT ACK chunk was received for a restart which did not use as destination IP the primary IP that the initiator of the restart declared on the previous INIT chunk he sent.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.56. [ID: 1379] Wrong responder primary IP

Log Categories: SCTP,STATEFUL
Log Message: Wrong responder primary IP.
Default Log Severity: Warning
Parameters: ip, pkt, assoc, rule
Explanation: A packet with an INIT ACK chunk was received for a restart which did not use as source IP the destination IP that the initiator of the restart used on the previous INIT chunk he sent.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.57. [ID: 1373] IP address inside IP rule filter

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: IP address inside IP rule filter.
Default Log Severity: Warning
Parameters: ip, pkt
Explanation: Although the IP address parameter encountered in an SCTP chunk is within the IP rule filter, the setting SCTPSettings:SCTPMultihoming does not allow it.
Gateway Action: Strip
Action Description: None
Proposed Action: None

2.40.58. [ID: 1198] IP address outside IP rule filter

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: IP address outside IP rule filter.
Default Log Severity: Information
Parameters: ip, pkt
Explanation: The packet contains an alternative transport address that does not comply with the IP rule. This log message, as well as how these addresses are treated by the system, is controlled by SCTPSettings:SCTPMultihoming. Allowing the association to use this transport address will result in a loosened IP policy; traffic to and from addresses that don't match the IP rule, will be allowed once the association has been established. By disallowing this kind of addresses, the association is narrowed down to match that of the IP rule.
Gateway Action: Strip
Action Description: None
Proposed Action: None

2.40.59. [ID: 1177] IP address outside IP rule filter

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: IP address outside IP rule filter.
Default Log Severity: Notice
Parameters: ip, pkt
Explanation: The packet contains an alternative transport address that does not comply with the IP rule. This log message, as well as how these addresses are treated by the system, is controlled by SCTPSettings:SCTPMultihoming. Allowing the association to use this transport address will result in a loosened IP policy; traffic to and from addresses that don't match the IP rule, will be allowed once the association has been established. By disallowing this kind of addresses, the association is narrowed down to match that of the IP rule.
Gateway Action: Allow
Action Description: None
Proposed Action: None

2.40.60. [ID: 1348] Source IP disallowed by association

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Source IP disallowed by association.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation: The initiator of an association has sent an SCTP packet using an IP that does not exist in the list of its IP addresses.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.61. [ID: 1385] IP disallowed by initiator of restart

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: IP disallowed by initiator of restart.
Default Log Severity: Warning
Parameters: ip, iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation: A packet with a COOKIE ECHO chunk has been received for a restart using an IP address that is used by the peer for the original association but was not included to be used for the restart as well.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.62. [ID: 1336] Destination IP disallowed by association

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Destination IP disallowed by association.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation: The initiator of an association has sent an SCTP packet using as destination IP an IP that does not exist in the list of the responder's IP addresses.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.63. [ID: 1378] IP disallowed by responder of restart

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: IP disallowed by responder of restart.
Default Log Severity: Warning
Parameters: ip, iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation: A packet with a COOKIE ACK chunk has been received for a restart using an IP address that is used by the peer for the original association but was not included to be used for the restart as well.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.64. [ID: 1294] SCTP padding with illegal length

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: SCTP padding with illegal length.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation: An SCTP chunk contained more than 3 bytes of padding; padlen bytes of padding. According to the RFC 4960 padding MUST not exceed 3 bytes in total. The illegal padding is located at offset offset (relative the SCTP header), inside the chunk with index chunkindex. This may also be a severely malformed packet, whose content is impossible to interpret.
Gateway Action: Drop
Action Description: None
Proposed Action: This packet is broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets.

2.40.65. [ID: 1271] SCTP mis-aligned by padding

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: SCTP mis-aligned by padding.
Default Log Severity: Warning
Parameters: offset, padlen, pkt
Explanation: What looks like mis-aligned padding was found at the end of the SCTP packet. The padding in itself was not a problem; this padding caused the end of the packet to be mis-aligned. Padding to a mis-aligned offset is not only pointless, but it is also a telltale sign of something broken.
Gateway Action: Drop
Action Description: None
Proposed Action: This packet is broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets.

2.40.66. [ID: 1277] SCTP chunk end mis-aligned by padding

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: SCTP chunk end mis-aligned by padding.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation: What looks like mis-aligned padding was found at the end of a chunk inside the SCTP packet; this padding caused the end of the chunk to be mis-aligned. Padding to a mis-aligned offset is not only pointless, but it is also a telltale sign of something broken.
Gateway Action: Drop
Action Description: None
Proposed Action: This packet is broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets.
Proposed Action: This packet is broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets.

2.40.67. [ID: 1291] Address type illegal with Host Name Address[...]

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Address type illegal with Host Name Address option.
Default Log Severity: Warning
Parameters: paramtype, pkt
Explanation: An SCTP message that combines the Host Name Address parameter with an address parameter of type paramtype. RCF4960 explicitly forbids the Host Name Address option to be combined with address parameters of any other address type.
Gateway Action: Drop
Action Description: None
Proposed Action: This packet is invalid. If the packet sender is one of your network devices, investigate why the unit is trying to use both static address and host name address parameters.

2.40.68. [ID: 1663] Init-ack seen

Log Categories: SCTP,STATEFUL
Log Message: Init-ack seen.
Default Log Severity: Debug
Parameters: pkt, assoc, rule
Explanation: An SCTP init-ack message was received. This is the second part of an SCTP association handshake, and the first reply from the responder. The message contains a "cookie" that the initiator is supposed to return unchanged.
Gateway Action: Accept
Action Description: Part of association handshake.
Proposed Action: None; normally a log message that the association has been established should follow.

2.40.69. [ID: 1382] Association restart from initiator failed

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Association restart from initiator failed.
Default Log Severity: Warning
Parameters: pkt, assoc, rule
Explanation: The initiator of an association issued a restart using a different primary IP and possibly interface but no matching IP rule was found to allow it.
Gateway Action: Drop
Action Description: None
Proposed Action: Configure an IP rule that allows the initiator to issue a restart using the new primary IP and interface.

2.40.70. [ID: 1366] Initiator vtag mismatch

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Initiator vtag mismatch.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, vtag, pkt, assoc, rule
Explanation: The verification tag of an SCTP common header sent by the responder of an SCTP association does not match the verification tag of the initiator.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.71. [ID: 1176] Invalid SCTP checksum

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Invalid SCTP checksum.
Default Log Severity: Notice
Parameters: chksum, calcchksum, pkt
Explanation: The checksum of the SCTP message was incorrect.
Gateway Action: Allow
Action Description: None
Proposed Action: Set SCTPSettings:SCTPValidateChecksum to change the behavior for SCTP checksum validation.

2.40.72. [ID: 1242] Invalid SCTP checksum

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Invalid SCTP checksum.
Default Log Severity: Warning
Parameters: chksum, calcchksum, pkt
Explanation: The checksum of the SCTP message was incorrect.
Gateway Action: Drop
Action Description: None
Proposed Action: Set SCTPSettings:SCTPValidateChecksum to change the behavior for SCTP checksum validation.

2.40.73. [ID: 1178] Invalid SCTP chunk length

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Invalid SCTP chunk length.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt
Explanation: The chunk length exceeded the SCTP message length, or the length did not match the length specified for that chunk type.
Gateway Action: Drop
Action Description: None
Proposed Action: This packet is broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets.

2.40.74. [ID: 1174] Invalid SCTP destination port

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Invalid SCTP destination port.
Default Log Severity: Notice
Parameters: matchkey
Explanation: The destination port of the SCTP message was zero.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.75. [ID: 1337] Invalid destination route

Log Categories: SCTP,ROUTE,STATEFUL,VALIDATE
Log Message: Invalid destination route.
Default Log Severity: Warning
Parameters: destiface, iface, flow, assoc, rule, user, userid
Explanation: The destination IP was routed via an interface destiface that is not security equivalent with the corresponding interface iface used when the association was setup. From the moment the association is setup, the initiator is assumed to be reached via the interface from which the INIT message was received, or one that is security equivalent with it. Similarly the responder is assumed to be reached via the original destination interface of the INIT message, or one that is security equivalent with it. This log message is generated when the assumption is violated by the traffic.
Gateway Action: Drop
Action Description: The system prevented an SCTP flow from being opened because the destination route is deemed not to be security equivalent with those used during association setup
Proposed Action: Establish whether the IP address is routed via the correct interface. Verify whether the IP address is valid for the association. Review whether the destination interface destiface should be security equivalent with the corresponding interface iface used at the association setup.

2.40.76. [ID: 1194] Invalid SCTP error cause length

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Invalid SCTP error cause length.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, code, offset, datalen, pkt
Explanation: The length of the error cause exceeded the SCTP ERROR chunk length, or the length did not match the length specified for that error cause type.
Gateway Action: Drop
Action Description: None
Proposed Action: This packet is broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets.

2.40.77. [ID: 1273] Invalid SCTP heartbeat information

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Invalid SCTP heartbeat information.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, type, datalen, pkt
Explanation: The information of a HEARTBEAT or HEARTBEAT ACK chunk chunktype was of the wrong type type. This log is controlled by SCTPSettings:SCTPLogFormatError.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.78. [ID: 1187] Invalid Host Name address format

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Invalid Host Name address format.
Default Log Severity: Warning
Parameters: iplen, offset, datalen, pkt
Explanation: A badly formatted Host Name address parameter was found. This log is controlled by SCTPSettings:SCTPLogFormatError.
Gateway Action: Drop
Action Description: None
Proposed Action: This packet is broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets.

2.40.79. [ID: 1353] Invalid stream ID

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Invalid stream ID.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, streamid, max, pkt, assoc, rule
Explanation: The stream ID of an SCTP DATA chunk was larger than the maximum inbound stream ID of the association.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.80. [ID: 1258] Illegal initiate tag

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Illegal initiate tag.
Default Log Severity: Warning
Parameters: value, pkt
Explanation: The initiate tag of the SCTP INIT chunk was zero which is not allowed.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.81. [ID: 1257] Invalid number of streams

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Invalid number of streams.
Default Log Severity: Warning
Parameters: inbound, outbound, pkt
Explanation: The number of inbound or outbound streams in an INIT chunk was zero.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.82. [ID: 1188] Invalid number of mandatory SCTP parameters

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Invalid number of mandatory SCTP parameters.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, code, offset, datalen, value, pkt
Explanation: A chunk was missing mandatory parameters. This log is controlled by SCTPSettings:SCTPLogFormatError.
Gateway Action: Drop
Action Description: None
Proposed Action: This packet is broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets.

2.40.83. [ID: 1325] Invalid stream ID

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Invalid stream ID.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, streamid, max, pkt, assoc, rule
Explanation: The stream ID of an SCTP DATA chunk was larger than the maximum outbound stream ID of the association.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.84. [ID: 1296] Invalid pad parameter inside chunk

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Invalid pad parameter inside chunk.
Default Log Severity: Warning
Parameters: chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, padlen, pkt
Explanation: A padding parameter according to RFC4820 was found within a chunk that is not an INIT chunk. According to RFC4820, apart from an INIT chunk, the padding parameter must not be included in any other chunk.
Gateway Action: Drop
Action Description: None
Proposed Action: This packet is invalid. If the packet sender is one of your network devices, investigate why the unit is sending packets with padding parameters included in other chunks than an INIT chunk.

2.40.85. [ID: 1195] Invalid SCTP chunk parameter length

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Invalid SCTP chunk parameter length.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation: The parameter length exceeded the SCTP chunk length, or the parameter length did not match the length specified for that parameter type.
Gateway Action: Drop
Action Description: None
Proposed Action: This packet is broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets.

2.40.86. [ID: 1354] Invalid source interface

Log Categories: SCTP,ROUTE,STATEFUL,VALIDATE
Log Message: Invalid source interface.
Default Log Severity: Warning
Parameters: recviface, iface, flow, assoc, rule, user, userid
Explanation: The source IP was received by interface recviface that is not security equivalent with the corresponding interface iface that was used when the association was setup. From the moment the association is setup, the initiator is assumed to be reached via the interface from which the INIT message was received, or one that is security equivalent with it. Similarly the responder is assumed to be reached via the original destination interface of the INIT message, or one that is security equivalent with it. This log message is generated when the assumption is violated by the traffic.
Gateway Action: Drop
Action Description: The system prevented an SCTP flow from being opened because the source route is deemed not to be security equivalent with those used during association setup
Proposed Action: Establish whether the IP address was received by the correct interface. Verify whether the IP address is valid for the association. Review whether the receive interface recviface should be security equivalent with the corresponding interface iface used at the association setup.

2.40.87. [ID: 1167] Invalid SCTP source port

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Invalid SCTP source port.
Default Log Severity: Notice
Parameters: matchkey
Explanation: The source port of the SCTP message was zero.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.88. [ID: 1181] Invalid SCTP verification tag

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Invalid SCTP verification tag.
Default Log Severity: Notice
Parameters: vtag, pkt
Explanation: The SCTP verification tag was zero for an INIT message.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.89. [ID: 1301] Chunk length includes the padding of the last[...]

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Chunk length includes the padding of the last parameter.
Default Log Severity: Notice
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, padlen, pkt
Explanation: The length parameter of a chunk includes tha padding of the chunk's last parameter.
Gateway Action: Allow
Action Description: None
Proposed Action: This log message is controlled by SCTPSettings:SCTPLogFormatError.

2.40.90. [ID: 1340] Max IP addresses exceeded

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Max IP addresses exceeded.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, max, ip, pkt, assoc, rule
Explanation: Maximum number of IP addresses allowed for a peer of an association was reached. The IP address will be stripped from the packet.
Gateway Action: Strip
Action Description: None
Proposed Action: None

2.40.91. [ID: 1370] Max control chunks exceeded

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Max control chunks exceeded.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, count, max, pkt
Explanation: The configured maximum number of allowed SCTP control chunks for an SCTP packet per service used has been reached.
Gateway Action: Drop
Action Description: None
Proposed Action: If the maximum number of allowed SCTP control chunks for an SCTP packet per SCTP service is too low, increase it.

2.40.92. [ID: 1364] Max DATA chunks exceeded

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Max DATA chunks exceeded.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, count, max, pkt
Explanation: The configured maximum number of allowed SCTP DATA chunks for an SCTP packet per service used has been reached.
Gateway Action: Drop
Action Description: None
Proposed Action: If the maximum number of allowed SCTP DATA chunks for an SCTP packet per SCTP service is too low, increase it.

2.40.93. [ID: 1360] Max inbound streams adjusted

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Max inbound streams adjusted.
Default Log Severity: Notice
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, instreams, max, pkt, assoc, rule
Explanation: The maximum number of inbound streams in an INIT or INIT_ACK chunk was reduced due to the setting of the maximum allowed inbound streams set on the SCTP service used by the IP rule allowing the traffic in the case of an INIT chunk or because of the setting of the maximum allowed outbound streams in the case of an INIT_ACK chunk.
Gateway Action: Adjust
Action Description: None
Proposed Action: Increment the maximum inbound streams setting on the SCTP service used by the IP rule in case of an INIT chunk or the maximum outbound streams setting in case of an INIT_ACK chunk.

2.40.94. [ID: 1356] Max outbound streams adjusted

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Max outbound streams adjusted.
Default Log Severity: Notice
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, outstreams, max, pkt, assoc, rule
Explanation: The maximum number of outbound streams in an INIT or INIT_ACK chunk was reduced either due to the setting of the maximum allowed outbound streams set on the SCTP service used by the IP rule allowing the traffic in the case of an INIT chunk or because of the setting of the maximum allowed inbound streams in the case of an INIT_ACK chunk.
Gateway Action: Adjust
Action Description: None
Proposed Action: Increment the maximum outbound streams setting on the SCTP service used by the IP rule in case of an INIT chunk or the maximum inbound streams setting in case of an INIT_ACK chunk.

2.40.95. [ID: 1299] Missing SCTP chunk padding

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Missing SCTP chunk padding.
Default Log Severity: Warning
Parameters: chunktype, chunkindex, chunkoffset, chunklen, pkt
Explanation: A packet with a chunk that is not padded to a multiple of four was detected.
Gateway Action: Drop
Action Description: None
Proposed Action: This log message is controlled by SCTPSettings:SCTPLogFormatError. This packet is invalid. If the packet sender is one of your network devices, investigate why the unit is sending packets containing chunks not padded to a multiple of four.

2.40.96. [ID: 1285] Missing mandatory SCTP parameter from a chunk

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Missing mandatory SCTP parameter from a chunk.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, paramtype, pkt
Explanation: A mandatory parameter is missing from a chunk.
Gateway Action: Drop
Action Description: None
Proposed Action: This packet is invalid. If the packet sender is one of your network devices, investigate why the unit is sending SCTP packets with chunks that are missing mandatory parameters.

2.40.97. [ID: 1168] Missing SCTP cookie

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Missing SCTP cookie.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt
Explanation: The SCTP message contained an COOKIE ECHO chunk without cookie data.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.98. [ID: 1330] No association found

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: No association found.
Default Log Severity: Warning
Parameters: iplen, vtag, chunktype, chunkindex, chunkoffset, chunklen, pkt
Explanation: No association was found for a received SCTP chunk.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.99. [ID: 1688] No valid association found

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: No valid association found.
Default Log Severity: Notice
Parameters: pkt
Explanation: An SCTP packet was dropped even though a matching association had been found. This is related to policy updates and can either mean that the association ended up being forcefully closed, or it indicates a temporary condition where the system was unable to verify that the association conformed with the system policy.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.100. [ID: 1341] No whitelisted PPIDs

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: No whitelisted PPIDs.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, ppid, pkt, assoc, rule
Explanation: Whitelist of Payload Protocol Identifiers is used in the SCTP service configured without any members. All Payload Protocol Identifiers are disallowed.
Gateway Action: Drop
Action Description: None
Proposed Action: Include the Payload Protocol Identifiers you want to be allowed to the whitelist list of the SCTP service used by the IP rule that allows the traffic.

2.40.101. [ID: 1349] No possible association restart

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: No possible association restart.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation: An established association which has not previously encountered chunks that justify an association restart, receives a chunk that could be valid only if there was an ongoing possible restart.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.102. [ID: 1292] Non-zero SCTP chunk padding inside chunk

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Non-zero SCTP chunk padding inside chunk.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation: The SCTP chunk contained a padding parameter, a padding chunk, a padding trailer inside the chunk or some other non-standard padding construct beginning. The padding is located at offset offset (relative the SCTP header), inside the chunk with index chunkindex. The padding contains non-zero data; most likely unintentionally leaked data. This may also be a severely malformed packet, whose content is impossible to interpret.
Gateway Action: Allow
Action Description: None
Proposed Action: Investigate why non-standard padding is leaking data; try to locate the source. Padding chunks (chunktype equals 132) and padding parameters (only possible when chunktype equals 1) are likely an attempt by network appliance to disable a specific SCTP feature without a need to rewrite the packet. Non-zero padding inside error chunks (chunktype equals 9) is probably caused by the SCTP end point leaking internal data from network handling. The setting SCTPSettings:SCTPPaddingInsideChunk can be modified to change the handling of padding parameters, padding chunks and padding trailers. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.103. [ID: 1297] Non-zero SCTP chunk padding inside chunk

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Non-zero SCTP chunk padding inside chunk.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation: The SCTP chunk contained a padding parameter, a padding chunk, a padding trailer inside the chunk or some other non-standard padding construct beginning. The padding is located at offset offset (relative the SCTP header), inside the chunk with index chunkindex. The padding contains non-zero data; most likely unintentionally leaked data. This may also be a severely malformed packet, whose content is impossible to interpret.
Gateway Action: Drop
Action Description: None
Proposed Action: Investigate why non-standard padding is leaking data; try to locate the source. Padding chunks (chunktype equals 132) and padding parameters (only possible when chunktype equals 1) are likely an attempt by network appliance to disable a specific SCTP feature without a need to rewrite the packet. Non-zero padding inside error chunks (chunktype equals 9) is probably caused by the SCTP end point leaking internal data from network handling. The setting SCTPSettings:SCTPPaddingInsideChunk can be modified to change the handling of padding parameters, padding chunks and padding trailers. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.104. [ID: 1289] Non-zero SCTP chunk padding inside chunk

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Non-zero SCTP chunk padding inside chunk.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation: The SCTP chunk contained a padding parameter, a padding chunk, a padding trailer inside the chunk or some other non-standard padding construct beginning. The padding is located at offset offset (relative the SCTP header), inside the chunk with index chunkindex. The padding contains non-zero data; most likely unintentionally leaked data. This may also be a severely malformed packet, whose content is impossible to interpret.
Gateway Action: Strip
Action Description: None
Proposed Action: Investigate why non-standard padding is leaking data; try to locate the source. Padding chunks (chunktype equals 132) and padding parameters (only possible when chunktype equals 1) are likely an attempt by network appliance to disable a specific SCTP feature without a need to rewrite the packet. Non-zero padding inside error chunks (chunktype equals 9) is probably caused by the SCTP end point leaking internal data from network handling. The setting SCTPSettings:SCTPPaddingInsideChunk can be modified to change the handling of padding parameters, padding chunks and padding trailers. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.105. [ID: 1197] SCTP chunk padding inside chunk

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: SCTP chunk padding inside chunk.
Default Log Severity: Notice
Parameters: chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation: The SCTP chunk contained a padding parameter, a padding trailer inside the chunk or some other valid, but more or less non-standard padding construct. The system did not investigate whether the padding data is non-zero or not, because of the current setting of SCTPSettings:SCTPNonZeroPadding. RFC 4820 describes the purpose of padding parameters and padding chunks as a mean to enlarge SCTP INIT chunks and SCTP packets, respectively. Another (more likely) usage is that firewalls can use padding parameters and padding chunks to remove features from an SCTP packet without affecting the packet layout.
Gateway Action: Allow
Action Description: None
Proposed Action: Set SCTPSettings:SCTPPaddingInsideChunk to change the handling of padding parameters, padding chunks and padding trailers. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.106. [ID: 1290] SCTP chunk padding inside chunk

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: SCTP chunk padding inside chunk.
Default Log Severity: Information
Parameters: chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation: The SCTP chunk contained a padding parameter, a padding trailer inside the chunk or some other valid, but more or less non-standard padding construct. This log message will only be generated for valid padding; data consisting of all zeroes. RFC 4820 describes the purpose of padding parameters and padding chunks as a mean to enlarge SCTP INIT chunks and SCTP packets, respectively. Another (more likely) usage is that firewalls can use padding parameters and padding chunks to remove features from an SCTP packet without affecting the packet layout.
Gateway Action: Allow
Action Description: None
Proposed Action: Set SCTPSettings:SCTPPaddingInsideChunk to change the handling of padding parameters, padding chunks and padding trailers. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.107. [ID: 1282] SCTP chunk padding inside chunk

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: SCTP chunk padding inside chunk.
Default Log Severity: Warning
Parameters: chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation: The SCTP chunk contained a padding parameter, a padding trailer inside the chunk or some other valid, but more or less non-standard padding construct. The system did not investigate whether the padding data is non-zero or not, because of the current setting of SCTPSettings:SCTPPaddingInsideChunk. RFC 4820 describes the purpose of padding parameters and padding chunks as a mean to enlarge SCTP INIT chunks and SCTP packets, respectively. Another (more likely) usage is that firewalls can use padding parameters and padding chunks to remove features from an SCTP packet without affecting the packet layout.
Gateway Action: Drop
Action Description: None
Proposed Action: Set SCTPSettings:SCTPPaddingInsideChunk to change the handling of padding parameters, padding chunks and padding trailers. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.108. [ID: 1281] SCTP chunk padding inside chunk

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: SCTP chunk padding inside chunk.
Default Log Severity: Warning
Parameters: chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation: The SCTP chunk contained a padding parameter, a padding trailer inside the chunk or some other valid, but more or less non-standard padding construct. The system did not investigate whether the padding data is non-zero or not, because of the current setting of SCTPSettings:SCTPPaddingInsideChunk. RFC 4820 describes the purpose of padding parameters and padding chunks as a mean to enlarge SCTP INIT chunks and SCTP packets, respectively. Another (more likely) usage is that firewalls can use padding parameters and padding chunks to remove features from an SCTP packet without affecting the packet layout.
Gateway Action: Strip
Action Description: None
Proposed Action: Set SCTPSettings:SCTPPaddingInsideChunk to change the handling of padding parameters, padding chunks and padding trailers. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.109. [ID: 1190] Non-zero SCTP chunk padding

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Non-zero SCTP chunk padding.
Default Log Severity: Notice
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, padlen, pkt
Explanation: The padding for an SCTP chunk (after the chunk) contained non-zero data. This is most likely unintentionally leaked internal data, remaining from packet handling.
Gateway Action: Allow
Action Description: None
Proposed Action: Set SCTPSettings:SCTPNonZeroPadding to change the handling of non-zero padding.

2.40.110. [ID: 1278] Non-zero SCTP chunk padding

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Non-zero SCTP chunk padding.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, padlen, pkt
Explanation: The padding for an SCTP chunk (after the chunk) contained non-zero data. This is most likely unintentionally leaked internal data, remaining from packet handling.
Gateway Action: Drop
Action Description: None
Proposed Action: Set SCTPSettings:SCTPNonZeroPadding to change the handling of non-zero padding.

2.40.111. [ID: 1279] Non-zero SCTP chunk padding

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Non-zero SCTP chunk padding.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, padlen, pkt
Explanation: The padding for an SCTP chunk (after the chunk) contained non-zero data. This is most likely unintentionally leaked internal data, remaining from packet handling.
Gateway Action: Strip
Action Description: None
Proposed Action: Set SCTPSettings:SCTPNonZeroPadding to change the handling of non-zero padding.

2.40.112. [ID: 1173] Non-zero reserved field in SCTP error cause

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Non-zero reserved field in SCTP error cause.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, code, offset, datalen, pkt
Explanation: The SCTP message contained an error cause with a reserved field that was not zero. This log is controlled by SCTPSettings:SCTPLogFormatError.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.113. [ID: 1269] Non-zero SCTP chunk parameter padding

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Non-zero SCTP chunk parameter padding.
Default Log Severity: Notice
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, paramoffset, paramlen, padlen, pkt
Explanation: The padding after an SCTP parameter (inside a chunk) contained non-zero data. This is most likely unintentionally leaked internal data, remaining from packet handling.
Gateway Action: Allow
Action Description: None
Proposed Action: Set SCTPSettings:SCTPNonZeroPadding to change the handling of non-zero padding.

2.40.114. [ID: 1268] Non-zero SCTP chunk parameter padding

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Non-zero SCTP chunk parameter padding.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, paramoffset, paramlen, padlen, pkt
Explanation: The padding after an SCTP parameter (inside a chunk) contained non-zero data. This is most likely unintentionally leaked internal data, remaining from packet handling.
Gateway Action: Drop
Action Description: None
Proposed Action: Set SCTPSettings:SCTPNonZeroPadding to change the handling of non-zero padding.

2.40.115. [ID: 1196] Non-zero SCTP chunk parameter padding

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Non-zero SCTP chunk parameter padding.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, paramoffset, paramlen, padlen, pkt
Explanation: The padding after an SCTP parameter (inside a chunk) contained non-zero data. This is most likely unintentionally leaked internal data, remaining from packet handling.
Gateway Action: Strip
Action Description: None
Proposed Action: Set SCTPSettings:SCTPNonZeroPadding to change the handling of non-zero padding.

2.40.116. [ID: 1344] Non-first SCTP cookie ack

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Non-first SCTP cookie ack.
Default Log Severity: Warning
Parameters: chunktype, chunkindex, chunkoffset, chunklen, offset, pkt
Explanation: A COOKIE ACK chunk was found that was not the first chunk in the packet.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.117. [ID: 1295] Non-first SCTP cookie

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Non-first SCTP cookie.
Default Log Severity: Warning
Parameters: chunktype, chunkindex, chunkoffset, chunklen, offset, pkt
Explanation: A COOKIE ECHO chunk was found that was not the first chunk in the packet.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.118. [ID: 1365] PPID not whitelisted

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: PPID not whitelisted.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, ppid, pkt, assoc, rule
Explanation: The Payload Protocol Identifier of a DATA chunk was not whitelisted by the SCTP service that is used by the IP rule that allows the traffic.
Gateway Action: Drop
Action Description: None
Proposed Action: Include the Payload Protocol Identifier in the whitelist of the SCTP service used if you want to allow it.

2.40.119. [ID: 1441] SCTP padding chunk

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: SCTP padding chunk.
Default Log Severity: Notice
Parameters: chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation: The SCTP contained a padding chunk. The system did not investigate whether the padding data is non-zero or not, because of the current setting of SCTPSettings:SCTPNonZeroPadding. RFC 4820 describes the purpose of padding parameters and padding chunks as a mean to enlarge SCTP INIT chunks and SCTP packets, respectively. Another (more likely) usage is that firewalls can use padding parameters and padding chunks to remove features from an SCTP packet without affecting the packet layout.
Gateway Action: Allow
Action Description: None
Proposed Action: Set SCTPSettings:SCTPPaddingChunk to change the handling of chunks. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.120. [ID: 1438] SCTP padding chunk

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: SCTP padding chunk.
Default Log Severity: Information
Parameters: chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation: The SCTP contained a padding chunk. This log message will only be generated for valid padding; data consisting of all zeroes. RFC 4820 describes the purpose of padding parameters and padding chunks as a mean to enlarge SCTP INIT chunks and SCTP packets, respectively. Another (more likely) usage is that firewalls can use padding parameters and padding chunks to remove features from an SCTP packet without affecting the packet layout.
Gateway Action: Allow
Action Description: None
Proposed Action: Set SCTPSettings:SCTPPaddingChunk to change the handling of padding chunks. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.121. [ID: 1440] SCTP padding chunk

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: SCTP padding chunk.
Default Log Severity: Warning
Parameters: chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation: The SCTP chunk contained a padding chunk. The system did not investigate whether the padding data is non-zero or not, because of the current setting of SCTPSettings:SCTPPaddingChunk. RFC 4820 describes the purpose of padding parameters and padding chunks as a mean to enlarge SCTP INIT chunks and SCTP packets, respectively. Another (more likely) usage is that firewalls can use padding parameters and padding chunks to remove features from an SCTP packet without affecting the packet layout.
Gateway Action: Drop
Action Description: None
Proposed Action: Set SCTPSettings:SCTPPaddingChunk to change the handling of chunks. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.122. [ID: 1437] SCTP padding chunk

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: SCTP padding chunk.
Default Log Severity: Notice
Parameters: chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation: The SCTP contained a padding chunk. The system did not investigate whether the padding data is non-zero or not, because of the current setting of SCTPSettings:SCTPNonZeroPadding. RFC 4820 describes the purpose of padding parameters and padding chunks as a mean to enlarge SCTP INIT chunks and SCTP packets, respectively. Another (more likely) usage is that firewalls can use padding parameters and padding chunks to remove features from an SCTP packet without affecting the packet layout.
Gateway Action: Strip
Action Description: None
Proposed Action: Set SCTPSettings:SCTPPaddingChunk to change the handling of chunks. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.123. [ID: 1380] Association restart from responder failed

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Association restart from responder failed.
Default Log Severity: Warning
Parameters: pkt, assoc, rule
Explanation: The responder of an association issued a restart but no matching IP rule was found to allow it.
Gateway Action: Drop
Action Description: None
Proposed Action: Configure an IP rule that allows the restart from the responder.

2.40.124. [ID: 1328] Responder vtag mismatch

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Responder vtag mismatch.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, vtag, pkt, assoc, rule
Explanation: The verification tag of an SCTP common header sent by the initiator of an SCTP association does not match the verification tag of the responder.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.125. [ID: 1351] Source port mismatch

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: Source port mismatch.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, srcport, pkt, assoc, rule
Explanation: The source port of an SCTP packet sent by the initiator of an association does not match the source port of the association the packet belongs to.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.126. [ID: 1270] Stateful SCTP is not supported

Log Categories: SCTP,STATEFUL
Log Message: Stateful SCTP is not supported. Packets will be dropped.
Default Log Severity: Warning
Parameters: matchkey
Explanation: A stateful IP rule has matched SCTP traffic. Stateful SCTP traffic will be dropped.
Gateway Action: Drop
Action Description: None
Proposed Action: In order to forward the SCTP traffic, configure the IP rule as 'stateless'. SCTP support can also be turned off with SCTPSettings:SCTPEnabled, in which case SCTP will be forwarded as the 'unknown' IP protocol 132.

2.40.127. [ID: 1283] Too many occurrences of SCTP parameter

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Too many occurrences of SCTP parameter.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, paramtype, count, max, pkt
Explanation: The SCTP chunk chunktype contained too many parameters of type paramtype.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.128. [ID: 1334] Unexpected state cookie

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Unexpected state cookie.
Default Log Severity: Warning
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt
Explanation: A state cookie parameter was discovered outside of an INIT-ACK chunk.
Gateway Action: Drop
Action Description: None
Proposed Action: None

2.40.129. [ID: 1280] Unknown mandatory chunk type

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Unknown mandatory chunk type.
Default Log Severity: Warning
Parameters: chunktype, flags, chunkindex, chunkoffset, chunklen, pkt
Explanation: An unknown "mandatory" chunk type has been encountered; what RFC 4960 mentions as "highest-order bit types" 00 and 01 in Section 3.2, and roughly translates into "when unknown, ignore the remaining chunks of this packet". While unknown, these types are typically used to modify the general actions an SCTP endpoint should take when acting upon chunks. The effect is likely limited to a single packet, and only those chunks following it.
Gateway Action: Abort
Action Description: None
Proposed Action: This log message is controlled by SCTPSettings:SCTPLogUnknownMandChunk. How to handle these types of unknown chunks is controlled by SCTPSettings:SCTPUnknownMandChunk and SCTPSettings:SCTPUnknownMandChunkNotify.

2.40.130. [ID: 1184] Unknown mandatory chunk type

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Unknown mandatory chunk type.
Default Log Severity: Notice
Parameters: chunktype, flags, chunkindex, chunkoffset, chunklen, pkt
Explanation: An unknown "mandatory" chunk type has been encountered; what RFC 4960 mentions as "highest-order bit types" 00 and 01 in Section 3.2, and roughly translates into "when unknown, ignore the remaining chunks of this packet". While unknown, these types are typically used to modify the general actions an SCTP endpoint should take when acting upon chunks. The effect is likely limited to a single packet, and only those chunks following it.
Gateway Action: Allow
Action Description: None
Proposed Action: This log message is controlled by SCTPSettings:SCTPLogUnknownMandChunk. How to handle these types of unknown chunks is controlled by SCTPSettings:SCTPUnknownMandChunk and SCTPSettings:SCTPUnknownMandChunkNotify.

2.40.131. [ID: 1193] Unknown mandatory chunk type

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Unknown mandatory chunk type.
Default Log Severity: Warning
Parameters: chunktype, flags, chunkindex, chunkoffset, chunklen, pkt
Explanation: An unknown "mandatory" chunk type has been encountered; what RFC 4960 mentions as "highest-order bit types" 00 and 01 in Section 3.2, and roughly translates into "when unknown, ignore the remaining chunks of this packet". While unknown, these types are typically used to modify the general actions an SCTP endpoint should take when acting upon chunks. The effect is likely limited to a single packet, and only those chunks following it.
Gateway Action: Drop
Action Description: None
Proposed Action: This log message is controlled by SCTPSettings:SCTPLogUnknownMandChunk. How to handle these types of unknown chunks is controlled by SCTPSettings:SCTPUnknownMandChunk and SCTPSettings:SCTPUnknownMandChunkNotify.

2.40.132. [ID: 1191] Unknown mandatory chunk type

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Unknown mandatory chunk type.
Default Log Severity: Warning
Parameters: chunktype, flags, chunkindex, chunkoffset, chunklen, pkt
Explanation: An unknown "mandatory" chunk type has been encountered; what RFC 4960 mentions as "highest-order bit types" 00 and 01 in Section 3.2, and roughly translates into "when unknown, ignore the remaining chunks of this packet". While unknown, these types are typically used to modify the general actions an SCTP endpoint should take when acting upon chunks. The effect is likely limited to a single packet, and only those chunks following it.
Gateway Action: Strip
Action Description: None
Proposed Action: This log message is controlled by SCTPSettings:SCTPLogUnknownMandChunk. How to handle these types of unknown chunks is controlled by SCTPSettings:SCTPUnknownMandChunk and SCTPSettings:SCTPUnknownMandChunkNotify.

2.40.133. [ID: 1236] Unknown mandatory parameter type

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Unknown mandatory parameter type.
Default Log Severity: Warning
Parameters: chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation: An unknown "mandatory" parameter type has been encountered; what RFC 4960 mentions as "highest-order bit types" 00 and 01 in Section 3.2.1, and roughly translates into "when unknown, ignore the remaining parameters of this chunk". While unknown, these types are typically carrying instructions to modify the interpretation of other parameters inside the same chunk.
Gateway Action: Abort
Action Description: None
Proposed Action: This log message is controlled by SCTPSettings:SCTPLogUnknownMandParam. How to handle these types of unknown parameters is controlled by SCTPSettings:SCTPUnknownMandParam and SCTPSettings:SCTPUnknownMandParamNotify.

2.40.134. [ID: 1171] Unknown mandatory parameter type

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Unknown mandatory parameter type.
Default Log Severity: Notice
Parameters: chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation: An unknown "mandatory" parameter type has been encountered; what RFC 4960 mentions as "highest-order bit types" 00 and 01 in Section 3.2.1, and roughly translates into "when unknown, ignore the remaining parameters of this chunk". While unknown, these types are typically carrying instructions to modify the interpretation of other parameters inside the same chunk.
Gateway Action: Allow
Action Description: None
Proposed Action: This log message is controlled by SCTPSettings:SCTPLogUnknownMandParam. How to handle these types of unknown parameters is controlled by SCTPSettings:SCTPUnknownMandParam and SCTPSettings:SCTPUnknownMandParamNotify.

2.40.135. [ID: 1166] Unknown mandatory parameter type

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Unknown mandatory parameter type.
Default Log Severity: Warning
Parameters: chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation: An unknown "mandatory" parameter type has been encountered; what RFC 4960 mentions as "highest-order bit types" 00 and 01 in Section 3.2.1, and roughly translates into "when unknown, ignore the remaining parameters of this chunk". While unknown, these types are typically carrying instructions to modify the interpretation of other parameters inside the same chunk.
Gateway Action: Drop
Action Description: None
Proposed Action: This log message is controlled by SCTPSettings:SCTPLogUnknownMandParam. How to handle these types of unknown parameters is controlled by SCTPSettings:SCTPUnknownMandParam and SCTPSettings:SCTPUnknownMandParamNotify.

2.40.136. [ID: 1186] Unknown mandatory parameter type

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Unknown mandatory parameter type.
Default Log Severity: Warning
Parameters: chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation: An unknown "mandatory" parameter type has been encountered; what RFC 4960 mentions as "highest-order bit types" 00 and 01 in Section 3.2.1, and roughly translates into "when unknown, ignore the remaining parameters of this chunk". While unknown, these types are typically carrying instructions to modify the interpretation of other parameters inside the same chunk.
Gateway Action: Strip
Action Description: None
Proposed Action: This log message is controlled by SCTPSettings:SCTPLogUnknownMandParam. How to handle these types of unknown parameters is controlled by SCTPSettings:SCTPUnknownMandParam and SCTPSettings:SCTPUnknownMandParamNotify.

2.40.137. [ID: 1248] Unknown optional chunk type

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Unknown optional chunk type.
Default Log Severity: Warning
Parameters: chunktype, flags, chunkindex, chunkoffset, chunklen, pkt
Explanation: An unknown "optional" chunk type has been encountered; what RFC 4960 mentions as "highest-order bit types" 10 and 11 in Section 3.2, and roughly translates into "when unknown, ignore chunk". While unknown, these types are typically carrying instructions to modify the SCTP association. Usually these instructions are not critical for the functionality of the association, though "type 11" is more likely to be of importance.
Gateway Action: Abort
Action Description: None
Proposed Action: This log message is controlled by SCTPSettings:SCTPLogUnknownOptChunk. How to handle these types of unknown chunks is controlled by SCTPSettings:SCTPUnknownOptChunk and SCTPSettings:SCTPUnknownOptChunkNotify.

2.40.138. [ID: 1180] Unknown optional chunk type

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Unknown optional chunk type.
Default Log Severity: Notice
Parameters: chunktype, flags, chunkindex, chunkoffset, chunklen, pkt
Explanation: An unknown "optional" chunk type has been encountered; what RFC 4960 mentions as "highest-order bit types" 10 and 11 in Section 3.2, and roughly translates into "when unknown, ignore chunk". While unknown, these types are typically carrying instructions to modify the SCTP association. Usually these instructions are not critical for the functionality of the association, though "type 11" is more likely to be of importance.
Gateway Action: Allow
Action Description: None
Proposed Action: This log message is controlled by SCTPSettings:SCTPLogUnknownOptChunk. How to handle these types of unknown chunks is controlled by SCTPSettings:SCTPUnknownOptChunk and SCTPSettings:SCTPUnknownOptChunkNotify.

2.40.139. [ID: 1172] Unknown optional chunk type

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Unknown optional chunk type.
Default Log Severity: Warning
Parameters: chunktype, flags, chunkindex, chunkoffset, chunklen, pkt
Explanation: An unknown "optional" chunk type has been encountered; what RFC 4960 mentions as "highest-order bit types" 10 and 11 in Section 3.2, and roughly translates into "when unknown, ignore chunk". While unknown, these types are typically carrying instructions to modify the SCTP association. Usually these instructions are not critical for the functionality of the association, though "type 11" is more likely to be of importance.
Gateway Action: Drop
Action Description: None
Proposed Action: This log message is controlled by SCTPSettings:SCTPLogUnknownOptChunk. How to handle these types of unknown chunks is controlled by SCTPSettings:SCTPUnknownOptChunk and SCTPSettings:SCTPUnknownOptChunkNotify.

2.40.140. [ID: 1175] Unknown optional chunk type

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Unknown optional chunk type.
Default Log Severity: Warning
Parameters: chunktype, flags, chunkindex, chunkoffset, chunklen, pkt
Explanation: An unknown "optional" chunk type has been encountered; what RFC 4960 mentions as "highest-order bit types" 10 and 11 in Section 3.2, and roughly translates into "when unknown, ignore chunk". While unknown, these types are typically carrying instructions to modify the SCTP association. Usually these instructions are not critical for the functionality of the association, though "type 11" is more likely to be of importance.
Gateway Action: Strip
Action Description: None
Proposed Action: This log message is controlled by SCTPSettings:SCTPLogUnknownOptChunk. How to handle these types of unknown chunks is controlled by SCTPSettings:SCTPUnknownOptChunk and SCTPSettings:SCTPUnknownOptChunkNotify.

2.40.141. [ID: 1214] Unknown optional parameter type

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Unknown optional parameter type.
Default Log Severity: Warning
Parameters: chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation: An unknown "optional" parameter type has been encountered; what RFC 4960 mentions as "highest-order bit types" 10 and 11 in Section 3.2.1, and roughly translates into "when unknown, ignore this parameter". While unknown, these types are typically carrying non-vital options for a chunk.
Gateway Action: Abort
Action Description: None
Proposed Action: This log message is controlled by SCTPSettings:SCTPLogUnknownOptParam. How to handle these types of unknown parameters is controlled by SCTPSettings:SCTPUnknownOptParam and SCTPSettings:SCTPUnknownOptParamNotify.

2.40.142. [ID: 1185] Unknown optional parameter type

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Unknown optional parameter type.
Default Log Severity: Notice
Parameters: chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation: An unknown "optional" parameter type has been encountered; what RFC 4960 mentions as "highest-order bit types" 10 and 11 in Section 3.2.1, and roughly translates into "when unknown, ignore this parameter". While unknown, these types are typically carrying non-vital options for a chunk.
Gateway Action: Allow
Action Description: None
Proposed Action: This log message is controlled by SCTPSettings:SCTPLogUnknownOptParam. How to handle these types of unknown parameters is controlled by SCTPSettings:SCTPUnknownOptParam and SCTPSettings:SCTPUnknownOptParamNotify.

2.40.143. [ID: 1182] Unknown optional parameter type

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Unknown optional parameter type.
Default Log Severity: Warning
Parameters: chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation: An unknown "optional" parameter type has been encountered; what RFC 4960 mentions as "highest-order bit types" 10 and 11 in Section 3.2.1, and roughly translates into "when unknown, ignore this parameter". While unknown, these types are typically carrying non-vital options for a chunk.
Gateway Action: Drop
Action Description: None
Proposed Action: This log message is controlled by SCTPSettings:SCTPLogUnknownOptParam. How to handle these types of unknown parameters is controlled by SCTPSettings:SCTPUnknownOptParam and SCTPSettings:SCTPUnknownOptParamNotify.

2.40.144. [ID: 1192] Unknown optional parameter type

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Unknown optional parameter type.
Default Log Severity: Warning
Parameters: chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation: An unknown "optional" parameter type has been encountered; what RFC 4960 mentions as "highest-order bit types" 10 and 11 in Section 3.2.1, and roughly translates into "when unknown, ignore this parameter". While unknown, these types are typically carrying non-vital options for a chunk.
Gateway Action: Strip
Action Description: None
Proposed Action: This log message is controlled by SCTPSettings:SCTPLogUnknownOptParam. How to handle these types of unknown parameters is controlled by SCTPSettings:SCTPUnknownOptParam and SCTPSettings:SCTPUnknownOptParamNotify.

2.40.145. [ID: 1169] Unknown supported address type

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Unknown supported address type.
Default Log Severity: Warning
Parameters: paramtype, pkt
Explanation: An unknown address type was found in the "supported address types" parameter. The packet may be broken.
Gateway Action: Allow
Action Description: None
Proposed Action: Unknown address types will be allowed if and only if SCTPSettings:SCTPUnknownAddressType allow this.

2.40.146. [ID: 1286] Unknown supported address type

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Unknown supported address type.
Default Log Severity: Warning
Parameters: paramtype, pkt
Explanation: An unknown address type was found in the "supported address types" parameter. The packet may be broken.
Gateway Action: Drop
Action Description: None
Proposed Action: Unknown address types will be allowed if and only if SCTPSettings:SCTPUnknownAddressType allow this.

2.40.147. [ID: 1179] Unknown supported address type

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Unknown supported address type.
Default Log Severity: Warning
Parameters: paramtype, pkt
Explanation: An unknown address type was found in the "supported address types" parameter. The packet may be broken.
Gateway Action: Strip
Action Description: None
Proposed Action: Unknown address types will be allowed if and only if SCTPSettings:SCTPUnknownAddressType allow this.

2.40.148. [ID: 1183] Unkown SCTP error cause

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Unkown SCTP error cause.
Default Log Severity: Notice
Parameters: iplen, offset, code, pkt
Explanation: The system does not recognize an error cause in the SCTP message. The body of the error cause will not be validated.
Gateway Action: Allow
Action Description: None
Proposed Action: None

2.40.149. [ID: 1747] Unresolved clash

Log Categories: SCTP,STATEFUL,HA
Log Message: Unresolved clash.
Default Log Severity: Critical
Parameters: assoc, rule
Explanation: The peer already has an existing association that partially overlaps the association assoc. The two associations have both been established in accordance with the policy of respective HA node, but the combination of the two over the HA cluster is not valid.
Gateway Action: Abort
Action Description: The node will try again
Proposed Action: Identify the two mutually exclusive associations, and manually resolve the situation. The peer is likely to have additional log messages. Consider rebooting one of the HA nodes.

2.40.150. [ID: 1745] Unresolved inconsistency

Log Categories: SCTP,STATEFUL,HA
Log Message: Unresolved inconsistency.
Default Log Severity: Notice
Parameters: assoc, rule
Explanation: Disallowed by peer, but allowed by the current node. This could occur temporarily when dynamic routes are involved.
Gateway Action: Ignore
Action Description: The node will try again
Proposed Action: None

2.40.151. [ID: 1746] Unresolved memory problem

Log Categories: SCTP,STATEFUL,HA
Log Message: Unresolved memory problem.
Default Log Severity: Warning
Parameters: assoc, rule
Explanation: Peer reported being unable to handle the synchronization attempt, likely because memory shortage.
Gateway Action: Ignore
Action Description: The node will try again, with decreased frequency
Proposed Action: Investigare the memory usage of the peer node, as well as periferal settings such as cache sizes. The peer is likely to have additional log messages. Consider making configuration changes in order to decrease the load.

2.40.152. [ID: 1744] Unresolved policies

Log Categories: SCTP,STATEFUL,HA
Log Message: Unresolved policies.
Default Log Severity: Warning
Parameters: assoc, rule
Explanation: Disallowed by peer, but allowed by the current node. The problem appears to be persistent.
Gateway Action: Ignore
Action Description: The node will try again, with decreased frequency
Proposed Action: Verify the the peer's configuration, and log messages.

2.40.153. [ID: 1208] Not supported address type

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: Not supported address type.
Default Log Severity: Notice
Parameters: paramtype, pkt
Explanation: An unsupported address type was found in the "supported address types" parameter.
Gateway Action: Strip
Action Description: None
Proposed Action: Whether an address type is considered unsupported or not depends primarily on the IP rule; address types used by the IP rule are supported, others are not. Any action on behalf of the unsupported address types will depend on SCTPSettings:SCTPMultihoming. The "host name address" type is a special case that is considered supported if and only if SCTPSettings:SCTPHostNameAddressParam is set to "Allow" this address type.

2.40.154. [ID: 1372] PPID whitelisted

Log Categories: SCTP,STATEFUL,VALIDATE
Log Message: PPID whitelisted.
Default Log Severity: Notice
Parameters: iplen, chunktype, chunkindex, chunkoffset, chunklen, ppid, pkt, assoc, rule
Explanation: The Payload Protocol Identifier of a DATA chunk is whitelisted by the SCTP service that is used by the IP rule that allows the traffic.
Gateway Action: Allow
Action Description: None
Proposed Action: Exclude the Payload Protocol Identifier from the whitelist of the SCTP service used if you want to disallow it.

2.40.155. [ID: 1300] State cookie parameter has zero for value

Log Categories: SCTP,STATELESS,VALIDATE
Log Message: State cookie parameter has zero for value.
Default Log Severity: Warning
Parameters: chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation: A state cookie parameter with zero for value was found within an INIT_ACK chunk.
Gateway Action: Drop
Action Description: None
Proposed Action: This packet is invalid. If the packet sender is one of your network devices, investigate why the unit is sending state cookie parameters with zero for value within INIT_ACK chunks.