cOS Stream 4.00.00 Log Reference Guide


Table of Contents

1. Introduction
1.1. Log Message Structure
1.2. Severity levels
2. Log Message Reference
2.1. APPCONTROL
2.1.1. [ID: 1643] Application changed
2.1.2. [ID: 1645] Application identified
2.1.3. [ID: 1021] Application Control license has just expired
2.2. ARP
2.2.1. [ID: 142] Allowed by access rule
2.2.2. [ID: 144] Hardware address changed
2.2.3. [ID: 279] Hardware address change disallowed
2.2.4. [ID: 638] Hardware address change detected
2.2.5. [ID: 123] IP conflict detected
2.2.6. [ID: 653] IP conflict detected
2.2.7. [ID: 534] Illegal ARP sender hardware address
2.2.8. [ID: 622] Out of memory initializing ARP
2.2.9. [ID: 240] Disallowed by access rule
2.2.10. [ID: 269] Mismatching hardware addresses
2.2.11. [ID: 618] Mismatching hardware addresses
2.2.12. [ID: 350] Unable to add ARP entry to cache due to no[...]
2.2.13. [ID: 377] ARP entry lost due to cache limit
2.2.14. [ID: 302] No sender IP
2.2.15. [ID: 626] No sender IP
2.2.16. [ID: 526] ARP resolve timeout
2.2.17. [ID: 106] ARP sender hardware address is broadcast[...]
2.2.18. [ID: 247] ARP sender hardware address is broadcast[...]
2.2.19. [ID: 262] ARP sender hardware address is multicast[...]
2.2.20. [ID: 117] ARP sender hardware address is multicast[...]
2.2.21. [ID: 308] ARP collides with static entry
2.2.22. [ID: 584] Unsolicited ARP reply received
2.2.23. [ID: 540] Unsolicited ARP reply received
2.3. AUTHSYS
2.3.1. [ID: 684] User is already logged in
2.3.2. [ID: 669] Failed to retrieve information from[...]
2.3.3. [ID: 690] Unknown user or invalid password
2.3.4. [ID: 679] Login prevented due to brute force attack[...]
2.3.5. [ID: 793] Invalid Charging characteristics attribute in[...]
2.3.6. [ID: 685] Received an invalid EAP packet
2.3.7. [ID: 774] Maximum number of user sessions for the[...]
2.3.8. [ID: 670] IMSI attribute missing in RADIUS Access-Accept
2.3.9. [ID: 810] MSISDN attribute missing in RADIUS[...]
2.3.10. [ID: 844] EAP type is not allowed by authentication[...]
2.3.11. [ID: 674] Out of memory while authenticating a user
2.3.12. [ID: 688] Denied access according to authentication[...]
2.3.13. [ID: 792] The authentication profile is still in[...]
2.3.14. [ID: 673] Received RADIUS Access-Accept message
2.3.15. [ID: 1666] Received RADIUS Access-Challenge message
2.3.16. [ID: 681] Received RADIUS Access-Reject message
2.3.17. [ID: 812] Challenges are not supported when using XAuth
2.3.18. [ID: 689] Internal RADIUS error
2.3.19. [ID: 665] User logged out due to session timeout
2.3.20. [ID: 809] Authentication source did not respond
2.3.21. [ID: 677] User belongs in too many groups
2.3.22. [ID: 676] User added
2.3.23. [ID: 761] User updated with new IP address
2.3.24. [ID: 760] Invalid user session found
2.3.25. [ID: 672] User logged in
2.3.26. [ID: 667] User logged out
2.3.27. [ID: 759] User updated with new username
2.3.28. [ID: 671] User replaced
2.3.29. [ID: 687] User table is full
2.4. BGP
2.4.1. [ID: 1311] Failed to lookup gateway of BGP route
2.4.2. [ID: 1699] BGP graceful restart not negotiated with[...]
2.4.3. [ID: 1687] Unable to enable BFD due to unroutable BGP[...]
2.4.4. [ID: 1316] BGP dynrouting event
2.4.5. [ID: 1315] BGP dynrouting event
2.4.6. [ID: 1318] BGP dynrouting event
2.4.7. [ID: 1310] Failed to add BGP route
2.4.8. [ID: 1313] Failed to remove BGP route
2.5. CLI
2.5.1. [ID: 272] Failed adding CLI command data resource
2.5.2. [ID: 443] All CLI commands could not be listed
2.5.3. [ID: 213] Failed allocating memory when starting CLI[...]
2.5.4. [ID: 1118] Attempt to access service command view
2.5.5. [ID: 1101] Service command view access granted
2.5.6. [ID: 1117] Maximum number of service command view access[...]
2.5.7. [ID: 765] Serial console CLI instance started
2.5.8. [ID: 769] Serial console CLI authentication failed
2.5.9. [ID: 767] Serial console CLI authentication succeeded
2.5.10. [ID: 773] Serial console CLI session ended
2.5.11. [ID: 764] Serial console CLI system error
2.5.12. [ID: 332] Resource Manager failed memory allocation[...]
2.5.13. [ID: 483] Resource Manager failed to read information[...]
2.6. CONFIG
2.6.1. [ID: 1071] Certificate created
2.6.2. [ID: 1070] Certificate is now revoked
2.6.3. [ID: 1069] Certificate has been updated
2.6.4. [ID: 512] Activating configuration changes
2.6.5. [ID: 105] Failed to establish bi-directional[...]
2.6.6. [ID: 1048] Configuration commit failed
2.6.7. [ID: 355] New configuration activated
2.6.8. [ID: 532] New configuration committed
2.6.9. [ID: 494] DCOS could not allocate memory when creating[...]
2.6.10. [ID: 216] DCOS could not allocate enough memory to[...]
2.6.11. [ID: 319] DCOS storage could not be initialized
2.6.12. [ID: 1080] An address object is dynamically updated
2.6.13. [ID: 251] Beginning system reconfigure
2.6.14. [ID: 593] Failed to reconfigure system
2.6.15. [ID: 594] Reconfigure completed successfully
2.6.16. [ID: 1408] Reconfigure is triggered by subsystem
2.7. DHCPCLIENT
2.7.1. [ID: 306] Interface has successfully acquired a lease
2.7.2. [ID: 191] Lease for the interface has expired
2.7.3. [ID: 1078] Lease for the interface was successfully[...]
2.7.4. [ID: 472] No DHCP offers were received by the DHCP[...]
2.7.5. [ID: 287] No valid DHCP offers were received
2.7.6. [ID: 1094] Interface received a lease where the offered[...]
2.7.7. [ID: 395] The lease was rejected by an address filter
2.7.8. [ID: 522] The lease was rejected by a server filter
2.7.9. [ID: 559] Interface received a lease which will cause[...]
2.7.10. [ID: 274] Interface received a lease with an offered IP[...]
2.7.11. [ID: 230] Interface received a lease with an invalid[...]
2.7.12. [ID: 435] Interface received a lease with an invalid[...]
2.7.13. [ID: 223] Interface received a lease with an invalid IP[...]
2.7.14. [ID: 325] Interface received a lease with an invalid[...]
2.7.15. [ID: 499] Interface received a lease with an invalid[...]
2.7.16. [ID: 481] The requested lease was rejected by the server
2.7.17. [ID: 222] Interface received a lease which will cause a[...]
2.7.18. [ID: 324] Too many DHCP offers received
2.8. DHCPSERVER
2.8.1. [ID: 1394] Invalid DHCP packet received
2.8.2. [ID: 892] All pools are depleted
2.8.3. [ID: 907] Blacklist item timed out
2.8.4. [ID: 888] Client accepted and bounded with IP
2.8.5. [ID: 884] Client renewed IP
2.8.6. [ID: 906] DHCP Server error
2.8.7. [ID: 905] Got decline for ip on wrong interface so[...]
2.8.8. [ID: 882] Client declined non offered IP
2.8.9. [ID: 898] Server identifier not specified in incoming[...]
2.8.10. [ID: 881] Server identifier in Decline message does not[...]
2.8.11. [ID: 886] Client declined IP
2.8.12. [ID: 883] Received DHCP packet is smaller than the[...]
2.8.13. [ID: 903] Got INFORM request from client
2.8.14. [ID: 1398] Received packet with invalid DHCP cookie
2.8.15. [ID: 921] Unable to load the lease database
2.8.16. [ID: 922] Lease database was successfully loaded
2.8.17. [ID: 924] Unable to auto save the lease database to disk
2.8.18. [ID: 923] Lease database was successfully auto saved to[...]
2.8.19. [ID: 896] Lease timed out
2.8.20. [ID: 889] Offer timed out
2.8.21. [ID: 887] The option section is too big
2.8.22. [ID: 948] All IPs in the pool are in use now
2.8.23. [ID: 890] All IPs in the pool are in use
2.8.24. [ID: 885] Got release for IP on wrong interface
2.8.25. [ID: 1043] The IP address the client tried to release is[...]
2.8.26. [ID: 1042] The IP address the client tried to release is[...]
2.8.27. [ID: 900] Client released IP
2.8.28. [ID: 901] Received a request from bounded client for[...]
2.8.29. [ID: 895] Received a request from bounded client for IP[...]
2.8.30. [ID: 899] Received a request from not-bounded client[...]
2.8.31. [ID: 904] Received a request from not-bounded client[...]
2.8.32. [ID: 891] Client requested non bound IP
2.8.33. [ID: 893] Client requested non offered IP
2.8.34. [ID: 894] Received request with bad UDP checksum
2.8.35. [ID: 902] Sending IP offer for received DISCOVER
2.8.36. [ID: 897] Failed to get buffer for sending
2.8.37. [ID: 919] The matching rule does not have useful lease[...]
2.8.38. [ID: 1399] Received DHCP option without message type
2.8.39. [ID: 920] The matching rule does not have useful lease[...]
2.8.40. [ID: 1392] Received DHCP message with unknown type
2.9. DNSALG
2.9.1. [ID: 1303] Failed to create new session
2.9.2. [ID: 1307] Flow failed
2.9.3. [ID: 1306] DNS packet rejected
2.9.4. [ID: 1308] Session closed
2.9.5. [ID: 1304] Session opened
2.9.6. [ID: 1302] Transaction closed
2.9.7. [ID: 1305] Transaction opened
2.10. DYNROUTE
2.10.1. [ID: 1319] Dynrouting message
2.10.2. [ID: 1698] Failed to add socket rules
2.10.3. [ID: 1697] Failed to remove socket rules
2.10.4. [ID: 1312] Route lookup for dynrouting peer failed
2.11. ETHERNET
2.11.1. [ID: 357] Broadcast Ethernet source
2.11.2. [ID: 613] Broadcast Ethernet source
2.11.3. [ID: 615] Multicast Ethernet source
2.11.4. [ID: 428] Multicast Ethernet source
2.11.5. [ID: 132] Not for me
2.11.6. [ID: 327] Null Ethernet source
2.11.7. [ID: 537] Unicast MAC with broadcast IP
2.11.8. [ID: 490] Unicast MAC with broadcast IP
2.11.9. [ID: 229] Unicast MAC with multicast IP
2.11.10. [ID: 104] Unicast MAC with multicast IP
2.11.11. [ID: 548] Non matching IP and MAC multicast
2.11.12. [ID: 340] Non matching IP and MAC multicast
2.11.13. [ID: 627] Multicast MAC with unicast IP
2.11.14. [ID: 423] Multicast MAC with unicast IP
2.11.15. [ID: 1665] IPv6 broadcast packet
2.11.16. [ID: 219] Unicast MAC with multicast IP
2.11.17. [ID: 362] Unicast MAC with multicast IP
2.11.18. [ID: 192] Non matching IP and MAC multicast
2.11.19. [ID: 438] Non matching IP and MAC multicast
2.11.20. [ID: 595] Multicast MAC with unicast IP
2.11.21. [ID: 397] Multicast MAC with unicast IP
2.12. FLOW
2.12.1. [ID: 788] Flow HA sync failed due to ruleset lookup[...]
2.12.2. [ID: 333] The flow cannot be updated to comply with[...]
2.12.3. [ID: 1007] Flow closed by application control
2.12.4. [ID: 1127] Flow closed by an ALG
2.12.5. [ID: 460] Flow closed by admin
2.12.6. [ID: 1644] Flow closed by module
2.12.7. [ID: 341] Flow closed due to random replacement
2.12.8. [ID: 379] Flow closed due to timeout
2.12.9. [ID: 367] Flow closed due to reopen
2.12.10. [ID: 111] The matching flow cannot be used for the[...]
2.12.11. [ID: 500] Out of memory during flow maintenance
2.12.12. [ID: 400] Flow maintenance failed
2.12.13. [ID: 300] There is no flow for the packet anymore
2.12.14. [ID: 224] Packet not allowed to trigger maintenance of[...]
2.12.15. [ID: 424] The flow is not allowed anymore
2.12.16. [ID: 1062] Not security equivalent after route change
2.12.17. [ID: 372] Flow opened
2.12.18. [ID: 1014] Flow opened stateless
2.12.19. [ID: 1390] Out of memory when attempting to allocate[...]
2.12.20. [ID: 543] Reject flow opened
2.12.21. [ID: 1646] Failed to reopen flow
2.12.22. [ID: 122] Flow reopened
2.12.23. [ID: 790] Failed to setup flow due to ruleset lookup[...]
2.12.24. [ID: 521] Flow maintenance failed
2.12.25. [ID: 1314] Packet MD5 digest did not match packet data
2.12.26. [ID: 1320] Failed to insert MD5 digest to packet
2.12.27. [ID: 1317] Packet did not contain MD5 digest
2.12.28. [ID: 1309] Packet is too small to contain MD5 digest
2.12.29. [ID: 1056] Same pipe used twice in same flow
2.12.30. [ID: 1389] Not enough ICMP data for protocol translation
2.12.31. [ID: 1397] Protocol translation was not applicable
2.12.32. [ID: 1391] Unsupported media header in protocol[...]
2.12.33. [ID: 1388] Unsupported transport header in protocol[...]
2.13. FQDN
2.13.1. [ID: 1400] Added FQDN IP to netobject
2.13.2. [ID: 1413] All IP addresses expired for FQDN in netobject
2.13.3. [ID: 1422] Could not resolve FQDN for netobject
2.13.4. [ID: 1423] IP expired from netobject
2.14. FRAG
2.14.1. [ID: 505] Fragment with invalid offset
2.14.2. [ID: 617] The fragment has an invalid IP data length
2.14.3. [ID: 495] Dropping stored fragments of disallowed packet
2.14.4. [ID: 389] Dropping duplicate fragment
2.14.5. [ID: 174] Duplicate fragment with different data[...]
2.14.6. [ID: 525] Duplicate fragment with different length[...]
2.14.7. [ID: 343] Dropping duplicate fragment of suspect packet
2.14.8. [ID: 528] Dropping extraneous fragments of completed[...]
2.14.9. [ID: 473] Fragment offset plus length not in range
2.14.10. [ID: 171] Dropping extraneous fragment of completed[...]
2.14.11. [ID: 100] Dropping fragment of disallowed packet
2.14.12. [ID: 383] Dropping fragment of disallowed suspect packet
2.14.13. [ID: 582] Dropping fragment of failed packet
2.14.14. [ID: 248] Dropping fragment of failed suspect packet
2.14.15. [ID: 336] Dropping fragment of illegal packet
2.14.16. [ID: 203] Fragmented ICMP error
2.14.17. [ID: 577] Fragments partially overlap
2.14.18. [ID: 570] Dropping fragments of illegal packet
2.14.19. [ID: 380] Fragment offset plus length is greater than[...]
2.14.20. [ID: 265] Out of reassembly resources
2.14.21. [ID: 414] Out of reassembly resources for suspect packet
2.14.22. [ID: 159] Fragment overlapping next fragment offset
2.14.23. [ID: 516] Dropping stored fragments of disallowed[...]
2.14.24. [ID: 289] Time out reassembling
2.14.25. [ID: 326] Time out reassembling suspect
2.14.26. [ID: 126] Fragmented ICMP error
2.15. FTPALG
2.15.1. [ID: 1146] CLNT command not allowed
2.15.2. [ID: 1163] Command rate limit exceeded on session
2.15.3. [ID: 1144] Data channel traffic direction restricted
2.15.4. [ID: 1116] Disallowed client IP
2.15.5. [ID: 1096] Client port outside configured range
2.15.6. [ID: 1149] Disallowed MODE argument
2.15.7. [ID: 1103] Disallowed OPTS argument
2.15.8. [ID: 1154] Mismatched data channel IP protocol
2.15.9. [ID: 1125] Disallowed server IP
2.15.10. [ID: 1104] Server port outside configured range
2.15.11. [ID: 1145] Command is illegal since EPSV ALL is in effect
2.15.12. [ID: 1095] Failed setting up data channel rule from[...]
2.15.13. [ID: 1108] Failed setting up data channel rule from[...]
2.15.14. [ID: 1135] Failed parsing EPRT command
2.15.15. [ID: 1157] Failed parsing EPSV command
2.15.16. [ID: 1132] Failed parsing EPSV response
2.15.17. [ID: 1143] Failed parsing PASV response
2.15.18. [ID: 1124] Failed parsing PORT command
2.15.19. [ID: 1086] Failed to create new session
2.15.20. [ID: 1100] Control channel failed
2.15.21. [ID: 1113] Illegal command received
2.15.22. [ID: 1110] Illegal multiline response from server
2.15.23. [ID: 1089] Illegal numeric reply from server
2.15.24. [ID: 1112] Invalid command from client
2.15.25. [ID: 1156] Invalid MODE argument
2.15.26. [ID: 1092] Invalid OPTS argument
2.15.27. [ID: 1102] Maximum line length exceeded
2.15.28. [ID: 1161] No data channel setup yet
2.15.29. [ID: 1140] Data channel dynamic PREPBR rule added
2.15.30. [ID: 1148] Data channel dynamic PREPBR rule removed
2.15.31. [ID: 1093] Invalid command from client
2.15.32. [ID: 1097] Data channel dynamic rule added
2.15.33. [ID: 1099] Data channel dynamic rule removed
2.15.34. [ID: 1119] Session closed
2.15.35. [ID: 1105] Session opened
2.15.36. [ID: 1153] SITE EXEC not allowed
2.15.37. [ID: 1114] Unexpected telnet control chars from client
2.15.38. [ID: 1106] Unexpected telnet control chars from server
2.15.39. [ID: 1090] Unknown command received
2.15.40. [ID: 1321] Unknown FEAT response from server
2.15.41. [ID: 1111] Unknown OPTS argument
2.15.42. [ID: 1131] Unsolicited extended passive mode response[...]
2.15.43. [ID: 1122] Unsolicited passive mode response from server
2.15.44. [ID: 1137] Unsupported encryption FEAT response from[...]
2.15.45. [ID: 1162] Unsupported encryption command rejected
2.15.46. [ID: 1155] Data in wrong direction on data channel
2.16. GRE
2.16.1. [ID: 1650] GRE packet without any payload after GRE[...]
2.16.2. [ID: 1651] Mismatch between the GRE payload protocol[...]
2.16.3. [ID: 1649] Failed to reassemble fragmented GRE packet
2.16.4. [ID: 1647] Unsupported GRE flags
2.16.5. [ID: 1652] Unsupported GRE payload protocol type
2.16.6. [ID: 1648] Unsupported GRE version
2.17. GTP
2.17.1. [ID: 971] Failed to activate PDP context
2.17.2. [ID: 776] Active PDP context negotiation
2.17.3. [ID: 757] Failed to allocate message
2.17.4. [ID: 717] Bad GTP header length
2.17.5. [ID: 950] Failed to connect to GGSN
2.17.6. [ID: 960] Connection closed
2.17.7. [ID: 964] Connection established
2.17.8. [ID: 710] Failed to establish connection
2.17.9. [ID: 957] Invalid connection action
2.17.10. [ID: 969] Failed to create lookup for APN
2.17.11. [ID: 697] DNS resolve failed
2.17.12. [ID: 721] DNS resolve successful
2.17.13. [ID: 926] Populating recovery file failed
2.17.14. [ID: 983] Failed to find MM context
2.17.15. [ID: 975] Found dangling PDP context in GGSN
2.17.16. [ID: 708] GGSN restarted
2.17.17. [ID: 976] All GGSNs for APN unreachable
2.17.18. [ID: 754] Failed to register GTP-U session
2.17.19. [ID: 970] Incorrect packet header type
2.17.20. [ID: 967] Incorrect GTP packet version
2.17.21. [ID: 783] Invalid length in information element
2.17.22. [ID: 705] Invalid mandatory information element
2.17.23. [ID: 965] Invalid optional information element
2.17.24. [ID: 949] Packet with invalid header
2.17.25. [ID: 953] Packet with invalid length
2.17.26. [ID: 956] Invalid TEID
2.17.27. [ID: 981] Lingering MM context with no PDP context
2.17.28. [ID: 977] Could not create MM context
2.17.29. [ID: 748] Maximum number of tunnels reached
2.17.30. [ID: 726] Missing mandatory information element
2.17.31. [ID: 973] Missing PDP context for response
2.17.32. [ID: 958] Failed open connection
2.17.33. [ID: 779] Out of bounds information element
2.17.34. [ID: 784] Out of sequence information element
2.17.35. [ID: 980] Could not create PDP context
2.17.36. [ID: 963] Packet with extension headers
2.17.37. [ID: 962] Packet with unknown extension header
2.17.38. [ID: 740] Path check failed
2.17.39. [ID: 979] Received message
2.17.40. [ID: 972] Received not supported message
2.17.41. [ID: 945] Received User Plane packet for non-existent[...]
2.17.42. [ID: 944] Failed to register PDP context from User Plane
2.17.43. [ID: 930] Failed to register PDP context
2.17.44. [ID: 939] Failed to register GTP User Plane session
2.17.45. [ID: 982] Removing connection
2.17.46. [ID: 936] Removing invalid request
2.17.47. [ID: 961] Failed to remove all previous User Plane GTP[...]
2.17.48. [ID: 955] Failed re-open connection
2.17.49. [ID: 951] Request was rejected
2.17.50. [ID: 932] Request response mismatch
2.17.51. [ID: 694] IE TEID in create PDP context message is[...]
2.17.52. [ID: 978] Query resolve APN
2.17.53. [ID: 966] Route lookup failed
2.17.54. [ID: 959] Failed to send message
2.17.55. [ID: 952] Failed sending packet to GGSN
2.17.56. [ID: 937] Sending to GGSN
2.17.57. [ID: 943] Send Control Plane packet to User Plane failed
2.17.58. [ID: 777] GTP statefile read error
2.17.59. [ID: 941] GTP statefile read success
2.17.60. [ID: 762] GTP statefile write error
2.17.61. [ID: 934] GTP statefile write success
2.17.62. [ID: 749] GTP tunnel deleted by GGSN
2.17.63. [ID: 747] GTP tunnel deleted by the stitched interface
2.17.64. [ID: 756] GTP tunnel deleted due to being invalid
2.17.65. [ID: 716] GTP tunnel established
2.17.66. [ID: 723] Unexpected GTP message type
2.17.67. [ID: 1593] Unexpected signaling message
2.17.68. [ID: 968] Control Plane unknown PDP context
2.17.69. [ID: 940] Control Plane unknown PDP context
2.17.70. [ID: 974] Unknown GTP version
2.17.71. [ID: 712] Unknown information element
2.17.72. [ID: 695] Unknown GTP tunnel endpoint identifier
2.17.73. [ID: 929] Unknown User Plane action
2.17.74. [ID: 927] Unknown User Plane action
2.17.75. [ID: 709] Unknown GTP version
2.17.76. [ID: 942] Failed to remove PDP context from User Plane
2.17.77. [ID: 938] Failed to unregister PDP context from User[...]
2.17.78. [ID: 933] Failed to remove User Plane GTP session
2.17.79. [ID: 778] Version not supported by GGSN
2.17.80. [ID: 780] Version not supported by TTG
2.18. GTPINSPECTION
2.18.1. [ID: 1519] GTP-U bearer creation completely rejected by[...]
2.18.2. [ID: 1536] GTP-U bearer creation rejected by endpoint
2.18.3. [ID: 1528] GTP-U bearer deletion completely rejected by[...]
2.18.4. [ID: 1512] GTP-U bearer deletion rejected by endpoint
2.18.5. [ID: 1522] GTP-U bearer modification completely rejected[...]
2.18.6. [ID: 1534] GTP-U bearer modification rejected by endpoint
2.18.7. [ID: 1521] G-PDU dropped due to empty T-PDU
2.18.8. [ID: 1538] Flow closed
2.18.9. [ID: 1524] Flow failed
2.18.10. [ID: 1523] Flow opened
2.18.11. [ID: 1567] Bearer ID does not exist
2.18.12. [ID: 1624] Bearer ID does not exist
2.18.13. [ID: 1561] Bearer lacks F-TEID
2.18.14. [ID: 1598] Bearer lacks F-TEID
2.18.15. [ID: 1565] TEID of bearer should not be zero
2.18.16. [ID: 1632] TEID of bearer should not be zero
2.18.17. [ID: 1564] Could not add proposed GTP-U bearer
2.18.18. [ID: 1634] Could not add proposed GTP-U bearer
2.18.19. [ID: 1573] Could not delete GTP-U bearer
2.18.20. [ID: 1600] Could not delete GTP-U bearer
2.18.21. [ID: 1559] Could not finalize GTP-U bearer
2.18.22. [ID: 1614] Could not finalize GTP-U bearer
2.18.23. [ID: 1552] Could not set proposed values on GTP-U bearer
2.18.24. [ID: 1606] Could not set proposed values on GTP-U bearer
2.18.25. [ID: 1585] Disallowed GTP version
2.18.26. [ID: 1566] Duplicate Bearer ID
2.18.27. [ID: 1616] Duplicate Bearer ID
2.18.28. [ID: 1587] Zero size extension header
2.18.29. [ID: 1580] Failed to read IE
2.18.30. [ID: 1602] Failed to read IE
2.18.31. [ID: 1562] Incorrect optional IEs
2.18.32. [ID: 1628] Incorrect optional IEs
2.18.33. [ID: 1636] Invalid Bearer ID
2.18.34. [ID: 1635] Invalid Bearer ID
2.18.35. [ID: 1584] Invalid extension header content
2.18.36. [ID: 1568] Invalid mandatory IE
2.18.37. [ID: 1612] Invalid mandatory IE
2.18.38. [ID: 1558] Invalid optional IE
2.18.39. [ID: 1604] Invalid optional IE
2.18.40. [ID: 1578] GTP-C sender IP is invalid
2.18.41. [ID: 1607] GTP-C sender IP is invalid
2.18.42. [ID: 1621] Main message blocked due to invalid piggyback
2.18.43. [ID: 1583] Message in wrong direction
2.18.44. [ID: 1597] Message in wrong direction
2.18.45. [ID: 1574] Message too short
2.18.46. [ID: 1625] Message too short
2.18.47. [ID: 1575] Missing Conditionally Present IE
2.18.48. [ID: 1618] Missing Conditionally Present IE
2.18.49. [ID: 1563] Missing mandatorily present IE
2.18.50. [ID: 1603] Missing mandatorily present IE
2.18.51. [ID: 1572] Needs both GTP-U IP and TEID
2.18.52. [ID: 1622] Needs both GTP-U IP and TEID
2.18.53. [ID: 1553] Did not find outstanding request for response[...]
2.18.54. [ID: 1601] Did not find outstanding request for response[...]
2.18.55. [ID: 1613] Unknown message type
2.18.56. [ID: 1555] Unknown message type
2.18.57. [ID: 1615] Unknown message type
2.18.58. [ID: 1570] Unsupported GTP version
2.18.59. [ID: 1586] Out of sequence IE
2.18.60. [ID: 1633] Out of sequence IE
2.18.61. [ID: 1551] Repeated IEs
2.18.62. [ID: 1623] Repeated IEs
2.18.63. [ID: 1533] GTP-C session created
2.18.64. [ID: 1532] GTP-C session deleted
2.18.65. [ID: 1638] TEID of session should not be zero
2.18.66. [ID: 1637] TEID of session should not be zero
2.18.67. [ID: 1527] GTP-C session updated
2.18.68. [ID: 1549] Message header should have sequence number
2.18.69. [ID: 1577] Message header should have TEID
2.18.70. [ID: 1608] Message header should have TEID
2.18.71. [ID: 1554] Message header should not have TEID
2.18.72. [ID: 1605] Message header should not have TEID
2.18.73. [ID: 1560] Too many bearers
2.18.74. [ID: 1599] Too many bearers
2.18.75. [ID: 1579] Too many piggy back messages
2.18.76. [ID: 1629] Too many piggy back messages
2.18.77. [ID: 1576] Too many sessions
2.18.78. [ID: 1591] Too many sessions per IP
2.18.79. [ID: 1620] Too many sessions per IP
2.18.80. [ID: 1619] Too many sessions
2.18.81. [ID: 1617] Unexpected IE
2.18.82. [ID: 1571] Unexpected IE
2.18.83. [ID: 1626] Unexpected IE
2.18.84. [ID: 1556] Unexpected GTP signaling message
2.18.85. [ID: 1630] Unexpected GTP signaling message
2.18.86. [ID: 1627] Unknown IE
2.18.87. [ID: 1581] Unknown IE
2.18.88. [ID: 1610] Unknown IE
2.18.89. [ID: 1582] Unknown GTP signaling message
2.18.90. [ID: 1611] Unknown GTP signaling message
2.18.91. [ID: 1550] Wrong packet version of piggy back message
2.18.92. [ID: 1631] Wrong packet version of piggy back message
2.18.93. [ID: 1588] GTP-U bearer created
2.18.94. [ID: 1589] GTP-U bearer deleted
2.18.95. [ID: 1537] GTP-U bearer modified
2.18.96. [ID: 1518] Message received after GTP-U End Marker
2.18.97. [ID: 1511] Failed to validate GTP-U message
2.18.98. [ID: 1641] Missing mandatorily present IE
2.18.99. [ID: 1546] GTP-U message should have sequence number
2.18.100. [ID: 1642] Out of sequence IE
2.18.101. [ID: 1595] Repeated GTP-U IEs
2.18.102. [ID: 1539] GTP traffic inside a GTP tunnel detected
2.18.103. [ID: 1513] GTP traffic inside a GTP tunnel detected
2.18.104. [ID: 1545] Message is dropped due to internal error
2.18.105. [ID: 1540] Invalid GTP header
2.18.106. [ID: 1514] Invalid Recovery IE value
2.18.107. [ID: 1526] Invalid GTP-U message type
2.18.108. [ID: 1529] Invalid GTP-U message type
2.18.109. [ID: 1520] Invalid GTP version
2.18.110. [ID: 1542] No matching GTP-U bearer
2.18.111. [ID: 1531] GTP packet dropped
2.18.112. [ID: 1609] GTP packet dropped
2.18.113. [ID: 1547] GTP packet notice
2.18.114. [ID: 1517] GTP-C session update rejected by endpoint
2.18.115. [ID: 1515] GTP-C session creation rejected by endpoint
2.18.116. [ID: 1541] GTP-C session deletion rejected by endpoint
2.18.117. [ID: 1530] GTP-C session update rejected by endpoint
2.18.118. [ID: 1590] Unexpected GTP-U IE type
2.18.119. [ID: 1596] Unexpected GTP-U IE type
2.18.120. [ID: 1594] Unknown GTP-U IE type
2.18.121. [ID: 1592] Unknown GTP-U IE type
2.19. HA
2.19.1. [ID: 259] HA sync message reassembly failed
2.19.2. [ID: 398] HA sync message reassembly failed due to lack[...]
2.19.3. [ID: 597] HA sync message reassembly failed due to[...]
2.19.4. [ID: 364] Received invalid HA sync message fragment
2.19.5. [ID: 609] Received unexpected HA sync message fragment
2.19.6. [ID: 1044] Active-active scenario detected
2.19.7. [ID: 1047] Active-active scenario detected
2.19.8. [ID: 1049] Config in sync
2.19.9. [ID: 1051] Config not in sync
2.19.10. [ID: 580] Failed to establish sync connection
2.19.11. [ID: 546] Failure indication cleared
2.19.12. [ID: 605] Scheduling HA initiated system restart
2.19.13. [ID: 281] Failure indication set
2.19.14. [ID: 237] Going HA ACTIVE since HA peer is dead
2.19.15. [ID: 317] Going HA ACTIVE since outranking peer
2.19.16. [ID: 275] Going HA ACTIVE due to user request
2.19.17. [ID: 130] Going HA INACTIVE due to being outranked by[...]
2.19.18. [ID: 146] Going HA INACTIVE due to user request
2.19.19. [ID: 663] HA bidir heart-beat communication over[...]
2.19.20. [ID: 177] HA interface offline
2.19.21. [ID: 475] HA interface online
2.19.22. [ID: 1046] Inactive-inactive situation detected
2.19.23. [ID: 1045] Inactive-inactive situation detected
2.19.24. [ID: 629] Scheduling HA initiated system restart to[...]
2.19.25. [ID: 1509] No matching HA interface id found during HA[...]
2.19.26. [ID: 378] HA peer offline
2.19.27. [ID: 403] HA peer has an incompatible HA version
2.19.28. [ID: 1510] Invalid peer MAC received during HA Peer MAC[...]
2.19.29. [ID: 1507] HA Peer MAC learning successful
2.19.30. [ID: 1508] HA Peer MAC learning incomplete
2.19.31. [ID: 114] HA peer online
2.19.32. [ID: 630] Dataplane shutting down
2.19.33. [ID: 808] Main resynchronization aborted
2.19.34. [ID: 323] Main resynchronization done
2.19.35. [ID: 285] Commencing main resynchronization
2.19.36. [ID: 206] Sync connection established
2.19.37. [ID: 436] Sync connection failed
2.19.38. [ID: 1425] System versions not equal
2.19.39. [ID: 636] All flows closed due to HA activation or[...]
2.20. HWMON
2.20.1. [ID: 1081] Sensor value above monitor threshold
2.20.2. [ID: 1079] Sensor value below monitor threshold
2.20.3. [ID: 1082] Sensor returned to normal
2.21. ICMP
2.21.1. [ID: 204] Bad ICMP message checksum
2.21.2. [ID: 387] Bad ICMP message checksum
2.21.3. [ID: 365] ICMP error with embedded trailer
2.21.4. [ID: 328] Length of embedded header in ICMP error is[...]
2.21.5. [ID: 450] ICMP error with incompatible IP version
2.21.6. [ID: 134] ICMP error with incompatible IP version
2.21.7. [ID: 600] ICMP error to fragment
2.21.8. [ID: 296] Truncated embedded IP header in ICMPv4
2.21.9. [ID: 476] Dropped ICMP error message
2.21.10. [ID: 221] ICMP error to ICMP error
2.21.11. [ID: 376] Data in request differs from last request
2.21.12. [ID: 286] Data in request differs from last request
2.21.13. [ID: 426] Invalid ICMP type
2.21.14. [ID: 496] Mismatching ICMP reply data
2.21.15. [ID: 555] Mismatching ICMP reply data
2.21.16. [ID: 1504] ICMP error response to multicast
2.21.17. [ID: 1503] ICMP error response to multicast
2.21.18. [ID: 301] Sequence number in reply is outside expected[...]
2.21.19. [ID: 273] Sequence number in reply is outside expected[...]
2.21.20. [ID: 288] Problem pointer outside of data
2.21.21. [ID: 507] Problem pointer outside of data
2.21.22. [ID: 612] Header length parameter problem
2.21.23. [ID: 164] IP header version parameter problem
2.21.24. [ID: 807] Failed to allocate reassembly buffer
2.21.25. [ID: 805] Reassembled packet exceeds allowed size
2.21.26. [ID: 806] Failed to reassemble packet
2.21.27. [ID: 533] Received ICMP error message
2.21.28. [ID: 553] Sequence number in reply is above expected[...]
2.21.29. [ID: 422] Sequence number in reply is above expected[...]
2.21.30. [ID: 513] Sequence number in request is decreasing
2.21.31. [ID: 143] Sequence number in request is decreasing
2.21.32. [ID: 232] Truncated ICMPv4 payload
2.21.33. [ID: 497] Truncated ICMPv6 payload
2.21.34. [ID: 536] ICMP error with truncated payload
2.22. IFACE
2.22.1. [ID: 795] Ethernet interface is blocked
2.22.2. [ID: 662] Ethernet interface is flooded
2.22.3. [ID: 661] Ethernet interface is still flooded
2.22.4. [ID: 1054] Ethernet link down
2.22.5. [ID: 1055] Ethernet link up
2.23. IKE
2.23.1. [ID: 1694] Acquired address
2.23.2. [ID: 1695] No IP pool for address request
2.23.3. [ID: 1713] Failed to release address
2.23.4. [ID: 1691] Released address
2.23.5. [ID: 1690] Released address
2.23.6. [ID: 1693] Requesting address
2.23.7. [ID: 1692] Address request failed
2.23.8. [ID: 1700] Failed to schedule auto-establishment of[...]
2.23.9. [ID: 1061] Half open IKE SA limit exceeded
2.23.10. [ID: 813] IKE Max SA Warning
2.23.11. [ID: 642] IKE negotiation failed
2.23.12. [ID: 419] Failed to establish IKE SA
2.23.13. [ID: 530] Successfully established IKE SA
2.23.14. [ID: 590] Successfully deleted IKE SA
2.23.15. [ID: 161] Failed to rekey IKE SA
2.23.16. [ID: 616] Successfully rekeyed IKE SA
2.23.17. [ID: 556] Failed to create IPsec SA
2.23.18. [ID: 155] Successfully created IPsec SA
2.23.19. [ID: 183] Successfully deleted IPsec SA
2.23.20. [ID: 172] Failed to rekey IPsec SA
2.23.21. [ID: 628] Successfully rekeyed IPsec SA
2.23.22. [ID: 1060] Job limit exceeded
2.23.23. [ID: 803] Peer is dead
2.23.24. [ID: 1059] Peer too aggressive
2.23.25. [ID: 1655] Failed to re-initialize dynamic rules
2.23.26. [ID: 1664] Failed to re-insert IKE rule
2.23.27. [ID: 770] IKE thread watchdog triggered
2.23.28. [ID: 737] User logged out
2.24. IPPOOL
2.24.1. [ID: 909] Pool has reached the maximum allowed number[...]
2.24.2. [ID: 915] No offers received
2.24.3. [ID: 917] Received Offer not valid
2.24.4. [ID: 916] Request received from Subsystem
2.24.5. [ID: 918] Client Bound
2.24.6. [ID: 911] Handed address no longer available
2.24.7. [ID: 914] Address is returned back to IPPool system
2.24.8. [ID: 908] The lease is rejected as it already exists in[...]
2.24.9. [ID: 910] Pool has run out of prefetch
2.24.10. [ID: 913] Request to acquire an address from the IPPool[...]
2.24.11. [ID: 1077] Request to acquire an address is pending
2.24.12. [ID: 912] Acquired address
2.25. IPS
2.25.1. [ID: 1403] Threat detected based on custom signature
2.25.2. [ID: 1415] Threat prevented based on custom signature
2.25.3. [ID: 1405] Failed to scan data
2.25.4. [ID: 1406] Failed to scan data
2.25.5. [ID: 1420] Failed to read current signature files
2.25.6. [ID: 1418] Failed to read new signature files
2.25.7. [ID: 1402] Failed to parse HTTP URL
2.25.8. [ID: 1424] Failed to parse HTTP URL
2.25.9. [ID: 1407] IPS license is going to expire
2.25.10. [ID: 1426] IPS license has expired
2.25.11. [ID: 1414] Max signatures match limit exceeded
2.25.12. [ID: 1401] Max signatures match limit exceeded
2.25.13. [ID: 1419] No signature loaded
2.25.14. [ID: 1421] IPS Notice
2.25.15. [ID: 1417] IPS Notice
2.25.16. [ID: 1412] Failed to scan data
2.25.17. [ID: 1410] Failed to scan data
2.25.18. [ID: 1409] Scan detected
2.25.19. [ID: 1411] Scan detected
2.25.20. [ID: 1404] Threat detected
2.25.21. [ID: 1427] Threat prevented
2.26. IPSEC
2.26.1. [ID: 1683] Failed to add dynamic route
2.26.2. [ID: 278] Anti-replay check failed
2.26.3. [ID: 606] Bad ciphertext length
2.26.4. [ID: 254] Bad IP version
2.26.5. [ID: 464] Bad next header
2.26.6. [ID: 604] Bad padding
2.26.7. [ID: 282] Decryption failed
2.26.8. [ID: 768] ECN codepoint mismatch
2.26.9. [ID: 766] ECN codepoint mismatch
2.26.10. [ID: 572] Encryption failed
2.26.11. [ID: 1057] Failed to generate IV
2.26.12. [ID: 611] Integrity check failed
2.26.13. [ID: 413] Failed to allocate reassembly buffer
2.26.14. [ID: 133] Reassembled packet exceeds allowed size
2.26.15. [ID: 487] Failed to reassemble packet
2.26.16. [ID: 1682] Failed to remove dynamic route
2.26.17. [ID: 1696] Failed to remove IPsec policy rules
2.26.18. [ID: 579] Failed to resize buffer
2.26.19. [ID: 264] Packet too small
2.26.20. [ID: 135] Payload too small
2.26.21. [ID: 632] Low memory initializing SAD
2.26.22. [ID: 633] Out of memory initializing SAD
2.26.23. [ID: 339] Sequence number overflow
2.27. IPV4
2.27.1. [ID: 466] Invalid IP header checksum
2.27.2. [ID: 518] Invalid header length
2.27.3. [ID: 166] Bad IP version
2.27.4. [ID: 136] Non-zero IP Reserved Field
2.27.5. [ID: 568] Non-zero IP Reserved Field
2.27.6. [ID: 228] Non-zero IP Reserved Field
2.27.7. [ID: 140] Option too large for option space
2.27.8. [ID: 141] Invalid option length
2.27.9. [ID: 509] Received unknown IP option
2.27.10. [ID: 587] Received unknown IP option
2.27.11. [ID: 331] IP data is larger than the maximum allowed[...]
2.27.12. [ID: 1015] Packet too big
2.27.13. [ID: 1016] Packet too big
2.27.14. [ID: 371] Received RA IP option
2.27.15. [ID: 334] Invalid RA option length
2.27.16. [ID: 205] Received RA IP option
2.27.17. [ID: 549] Packet too small for ip header
2.27.18. [ID: 234] Received Source Route IP option
2.27.19. [ID: 108] Invalid SR option length
2.27.20. [ID: 176] Invalid SR pointer
2.27.21. [ID: 517] Received Source Route IP option
2.27.22. [ID: 196] Multiple source or return routes in SR IP[...]
2.27.23. [ID: 469] Non-zero IP TOS field
2.27.24. [ID: 149] Non-zero IP TOS field
2.27.25. [ID: 467] Non-zero IP TOS field
2.27.26. [ID: 175] Received TS IP option
2.27.27. [ID: 354] Invalid TS option length
2.27.28. [ID: 198] Invalid TS pointer
2.27.29. [ID: 589] Invalid TS pointer with overflow
2.27.30. [ID: 557] Received TS IP option
2.27.31. [ID: 233] Multiple time stamps in TS IP option
2.27.32. [ID: 442] TTL is zero
2.27.33. [ID: 298] TTL expired
2.27.34. [ID: 503] TTL expired
2.27.35. [ID: 405] TTL too low
2.27.36. [ID: 185] TTL too low
2.27.37. [ID: 409] TTL too low
2.27.38. [ID: 131] Packet too small for L4 header
2.27.39. [ID: 156] IP length is larger than packet
2.28. IPV6
2.28.1. [ID: 115] Max IPv6 options per extension header reached
2.28.2. [ID: 492] Max IPv6 options per extension header reached
2.28.3. [ID: 477] Order of extension headers is invalid
2.28.4. [ID: 304] Bad IP version
2.28.5. [ID: 401] Received unknown extension header
2.28.6. [ID: 263] Non-zero IP Flow Label
2.28.7. [ID: 486] Non-zero IP Flow Label
2.28.8. [ID: 621] Non-zero IP Flow Label
2.28.9. [ID: 804] Illegal sender address
2.28.10. [ID: 470] IPv6 extension header size limit reached
2.28.11. [ID: 249] IPv6 extension header size limit reached
2.28.12. [ID: 220] Non-zero IPv6 PADN data
2.28.13. [ID: 575] Non-zero IPv6 PADN data
2.28.14. [ID: 268] Non-zero IPv6 PADN data
2.28.15. [ID: 347] Fragment header in non-fragment
2.28.16. [ID: 283] Fragment header in non-fragment
2.28.17. [ID: 260] Received fragmented jumbogram
2.28.18. [ID: 128] Received fragmented jumbogram
2.28.19. [ID: 157] Received Home Address option
2.28.20. [ID: 150] Received Home Address option
2.28.21. [ID: 535] Multicast Home Address option
2.28.22. [ID: 457] Received Home Address option
2.28.23. [ID: 412] Received Home Address option
2.28.24. [ID: 121] IP6 option with invalid size
2.28.25. [ID: 458] Received Jumbogram option
2.28.26. [ID: 586] Received Jumbogram option
2.28.27. [ID: 101] Received Jumbogram option
2.28.28. [ID: 417] Received malformed Jumbogram
2.28.29. [ID: 603] Received malformed Jumbogram
2.28.30. [ID: 407] Received unknown option
2.28.31. [ID: 197] Received unknown option
2.28.32. [ID: 314] Processed unknown option
2.28.33. [ID: 280] Processed unknown option
2.28.34. [ID: 154] Processed unknown option
2.28.35. [ID: 344] Processed unknown option
2.28.36. [ID: 356] Processed unknown option
2.28.37. [ID: 563] Received Router Alert option
2.28.38. [ID: 396] Received Router Alert option
2.28.39. [ID: 214] Received Router Alert option
2.28.40. [ID: 178] Received Routing Header option
2.28.41. [ID: 531] Received Routing Header option
2.28.42. [ID: 363] Received Routing Header option
2.28.43. [ID: 578] IPv6 option extension header overflow
2.28.44. [ID: 562] IPv6 option extension header overflow
2.28.45. [ID: 439] IP data is larger than the maximum allowed[...]
2.28.46. [ID: 1012] Packet too big
2.28.47. [ID: 1013] Packet too big
2.28.48. [ID: 656] Reserved bits in fragment header are non-zero
2.28.49. [ID: 660] Reserved bits in fragment header are non-zero
2.28.50. [ID: 650] Reserved bits in fragment header are non-zero
2.28.51. [ID: 658] Reserved field in fragment header is non-zero
2.28.52. [ID: 648] Reserved field in fragment header is non-zero
2.28.53. [ID: 645] Reserved field in fragment header is non-zero
2.28.54. [ID: 508] Fragment truncated at L3 header
2.28.55. [ID: 358] Packet truncated at L3 header
2.28.56. [ID: 158] Non-zero IP Traffic Class field
2.28.57. [ID: 585] Non-zero IP Traffic Class field
2.28.58. [ID: 284] Non-zero IP Traffic Class field
2.28.59. [ID: 489] Hop Limit is zero
2.28.60. [ID: 408] HopLimit reached
2.28.61. [ID: 295] HopLimit reached
2.28.62. [ID: 148] Hop Limit too low
2.28.63. [ID: 402] Hop Limit too low
2.28.64. [ID: 453] Hop Limit too low
2.28.65. [ID: 118] Fragment truncated at L4 header
2.28.66. [ID: 125] Header payload in fragment is truncated
2.28.67. [ID: 294] Header payload is truncated
2.28.68. [ID: 415] Packet truncated at L4 header
2.28.69. [ID: 523] IPv6 payload is truncated
2.28.70. [ID: 1025] Unrecognized IPv6 next header
2.28.71. [ID: 1024] Unrecognized IPv6 next header
2.28.72. [ID: 511] Adjacent PAD option
2.28.73. [ID: 598] Unaligned IPv6 option
2.28.74. [ID: 277] Fragment with invalid extension header
2.28.75. [ID: 610] Out of scope option
2.28.76. [ID: 110] Repeated extension header
2.28.77. [ID: 311] Repeated option
2.28.78. [ID: 567] IPv6 Too large PADN
2.29. LICENSE
2.29.1. [ID: 1083] Remaining demo period
2.29.2. [ID: 1084] Demo license expired
2.29.3. [ID: 623] Failed to activate license
2.29.4. [ID: 506] A new license has been activated
2.29.5. [ID: 564] Lockdown is in effect due to invalid license
2.29.6. [ID: 310] Failed to remove license
2.29.7. [ID: 151] The license has been removed
2.30. MANAGEMENT
2.30.1. [ID: 1676] Centralized management control re-enabled
2.30.2. [ID: 1672] Centralized management control being disabled[...]
2.30.3. [ID: 1001] Centralized management control has been[...]
2.30.4. [ID: 1000] Centralized management control has been[...]
2.31. NATPOOL
2.31.1. [ID: 1091] Deterministic NATPool found no free ports for[...]
2.31.2. [ID: 1120] Deterministic NATPool current configuration
2.31.3. [ID: 1109] Deterministic NATPool deleted
2.31.4. [ID: 1087] Deterministic NATPool denied translation
2.31.5. [ID: 1098] Deterministic NATPool dynamic release
2.31.6. [ID: 1121] Deterministic NATPool dynamic assignment
2.31.7. [ID: 984] Failed to map peer NAT flow translation on[...]
2.31.8. [ID: 985] Out of memory loading NAT Pool
2.31.9. [ID: 1152] Unable to re-map flow translation in the new[...]
2.31.10. [ID: 989] Max NATPool states reached replacing active
2.31.11. [ID: 988] Max NATPool states reached replacing lingering
2.31.12. [ID: 986] Out of memory while allocating state in pool
2.32. NDP
2.32.1. [ID: 165] Advertisement delayed
2.32.2. [ID: 184] Advertisement for static entry
2.32.3. [ID: 1719] Anycast address ignored
2.32.4. [ID: 179] Unknown ICMP code
2.32.5. [ID: 569] Illegal option size
2.32.6. [ID: 276] Forged reply
2.32.7. [ID: 1714] Confusing reply
2.32.8. [ID: 1720] Confusing reply
2.32.9. [ID: 1718] Confusing solicitation HW address
2.32.10. [ID: 1717] Confusing solicitation HW address
2.32.11. [ID: 226] DAD reply delayed
2.32.12. [ID: 153] Received DAD probe
2.32.13. [ID: 462] Duplicated option
2.32.14. [ID: 430] Duplicated option
2.32.15. [ID: 552] ND hop limit reached
2.32.16. [ID: 1715] HW source inconsistent with static IP
2.32.17. [ID: 434] Linklayer option contains multicast address
2.32.18. [ID: 454] Dead peer probe answered with multicast[...]
2.32.19. [ID: 619] Multicast target
2.32.20. [ID: 574] Neighbor cache updated with new HW address
2.32.21. [ID: 330] New HW address advertised for resolved IP
2.32.22. [ID: 418] New HW address advertised for resolved IP
2.32.23. [ID: 211] Advertisement from the Unknown Address
2.32.24. [ID: 195] No target route for packet
2.32.25. [ID: 599] No source route for packet
2.32.26. [ID: 107] Reply without target link-layer option
2.32.27. [ID: 1716] Noisy reply
2.32.28. [ID: 309] Linklayer option does not match HW sender
2.32.29. [ID: 120] Linklayer option does not match HW sender
2.32.30. [ID: 180] Neighbor entry lost
2.32.31. [ID: 163] Probe from unknown host
2.32.32. [ID: 303] Dead Peer probe delayed
2.32.33. [ID: 266] Reply to Dead Peer probe delayed
2.32.34. [ID: 338] NDP resolve timeout
2.32.35. [ID: 445] Packet truncated at L4 header
2.32.36. [ID: 519] Option is truncated
2.32.37. [ID: 348] ND message allowed by access rule
2.32.38. [ID: 127] ND message disallowed by access rule
2.32.39. [ID: 1657] ND message disallowed by route to source IP
2.32.40. [ID: 212] Solicitation delayed
2.32.41. [ID: 625] Solicitation from unknown host
2.32.42. [ID: 316] Spoofed HW sender
2.32.43. [ID: 239] Dead peer probe answered from unknown HW[...]
2.32.44. [ID: 315] Spoofed IP sender
2.32.45. [ID: 271] Spoofed source linklayer option
2.32.46. [ID: 446] Spoofed IP target
2.32.47. [ID: 1160] IPv6 DNS was discovered
2.32.48. [ID: 1136] IPv6 DNS has expired
2.32.49. [ID: 1139] Generated IPv6 address appears to be occupied
2.32.50. [ID: 1134] No routers were discovered
2.32.51. [ID: 1159] IPv6 prefix was discovered
2.32.52. [ID: 1151] IPv6 prefix has expired
2.32.53. [ID: 1284] IPv6 prefix preferred lifetime exceeds valid[...]
2.32.54. [ID: 1138] Router was discovered
2.32.55. [ID: 1142] IPv6 router has expired
2.33. NETCON
2.33.1. [ID: 588] Netcon CLI instance closed
2.33.2. [ID: 305] Netcon CLI instance failed
2.33.3. [ID: 620] Too many Netcon CLI instances
2.33.4. [ID: 501] Netcon CLI instance started
2.33.5. [ID: 608] Failed to open file for writing
2.33.6. [ID: 346] New Netcon connection
2.33.7. [ID: 243] Disconnecting Netcon peer
2.33.8. [ID: 539] Uploaded file could not be written to disk
2.33.9. [ID: 480] File transfer to host completed
2.33.10. [ID: 349] File download requested by host failed
2.33.11. [ID: 160] Could not open requested file
2.33.12. [ID: 201] File transfer to host started
2.33.13. [ID: 550] File cannot be received since too many Netcon[...]
2.33.14. [ID: 152] File cannot be sent since too many Netcon[...]
2.33.15. [ID: 112] Receiving file from host
2.33.16. [ID: 1721] Invalid file name
2.33.17. [ID: 441] A listening socket for Netcon could not be[...]
2.33.18. [ID: 137] Netcon logger instance closed
2.33.19. [ID: 544] Netcon logger instance failed
2.33.20. [ID: 368] Netcon logger instance started
2.33.21. [ID: 138] Insufficient RAM to start CLI session
2.33.22. [ID: 116] Insufficient RAM to initialize Netcon
2.33.23. [ID: 502] File upload aborted by host
2.33.24. [ID: 255] File upload completed successfully
2.33.25. [ID: 542] File upload from host failed
2.34. OSPF
2.34.1. [ID: 848] Unable to send ACK
2.34.2. [ID: 870] Failed to add route
2.34.3. [ID: 861] Bad area
2.34.4. [ID: 867] Authentication failed due to bad crypto digest
2.34.5. [ID: 851] Authentication failed due to bad crypto key[...]
2.34.6. [ID: 824] Bad authentication password
2.34.7. [ID: 814] Authentication failed since received crypto[...]
2.34.8. [ID: 854] Authentication type mismatch with neighbor[...]
2.34.9. [ID: 855] Received OSPF packet with bad length
2.34.10. [ID: 868] Checksum error
2.34.11. [ID: 836] Neighbor implied AS-EXT on stub area
2.34.12. [ID: 856] Received LSA with bad max-age value
2.34.13. [ID: 876] Received LSA with bad sequence number
2.34.14. [ID: 826] Neighbor replied with unexpected sequence[...]
2.34.15. [ID: 837] Neighbor DD packet has too high MTU
2.34.16. [ID: 825] Neighbor sent non-duplicate in wrong state
2.34.17. [ID: 871] Neighbor changed options during exchange phase
2.34.18. [ID: 815] Unknown LSA type
2.34.19. [ID: 835] Neighbor misused the I-flag
2.34.20. [ID: 845] Neighbor M-MS mismatch
2.34.21. [ID: 853] Generic event
2.34.22. [ID: 830] Generic event
2.34.23. [ID: 874] Cannot map PTP neighbor to local IP
2.34.24. [ID: 823] Generic event
2.34.25. [ID: 817] Hello packet E-flag mismatch
2.34.26. [ID: 832] Hello packet N-flag and E-flags are both set[...]
2.34.27. [ID: 872] Hello packet interval mismatch
2.34.28. [ID: 834] Hello packet N-flag mismatch
2.34.29. [ID: 839] Hello packet netmask mismatch
2.34.30. [ID: 875] Hello packet router dead interval mismatch
2.34.31. [ID: 852] LSA internal checksum error
2.34.32. [ID: 865] Got ACK for mismatched LSA
2.34.33. [ID: 864] Received AS-EXT LSA on stub
2.34.34. [ID: 843] Received LSA with bad checksum
2.34.35. [ID: 840] Bad LSA sequence number
2.34.36. [ID: 846] Bad LSA sequence number
2.34.37. [ID: 819] Generic event
2.34.38. [ID: 857] Failed to prepare replacement LSA
2.34.39. [ID: 863] Received LSA is older than DB copy
2.34.40. [ID: 827] REQ packet LSA size mismatch
2.34.41. [ID: 842] ACK packet LSA size mismatch
2.34.42. [ID: 821] Requested LSA size too large
2.34.43. [ID: 828] Received selforiginated LSA for unknown type
2.34.44. [ID: 858] UPD packet LSA size mismatch
2.34.45. [ID: 1442] Received malformed packet
2.34.46. [ID: 822] Unable to find VLINK transport area
2.34.47. [ID: 831] Neighbor died
2.34.48. [ID: 820] AS disabled due to failed memory allocation
2.34.49. [ID: 850] Unable to allocate memory for LSA
2.34.50. [ID: 866] Unable to allocate memory for LSA link states
2.34.51. [ID: 841] Unable to allocate memory for LSA shell states
2.34.52. [ID: 873] Unable to allocate memory for router neighbor[...]
2.34.53. [ID: 829] Unable to allocate memory for SPF vertex[...]
2.34.54. [ID: 818] Generic event
2.34.55. [ID: 859] Generic event
2.34.56. [ID: 1053] Received Router LSA which contains mismatched[...]
2.34.57. [ID: 838] Generic event
2.34.58. [ID: 833] Unable to send data on interface
2.34.59. [ID: 849] Sender source IP not in interface range
2.34.60. [ID: 869] Too many neighbors on interface
2.34.61. [ID: 862] Unknown LSA type
2.34.62. [ID: 860] Unknown neighbor
2.34.63. [ID: 816] Unknown OSPF packet type
2.34.64. [ID: 847] Packet version is not OSPFv2
2.35. PIPES
2.35.1. [ID: 1393] Out of non-uniform memory
2.35.2. [ID: 1396] No longer out of non-uniform memory
2.35.3. [ID: 1416] Pipe memory limit reached
2.36. PORTMGR
2.36.1. [ID: 410] Failed to allocate dynamic port
2.36.2. [ID: 167] Switching to High Load Mode
2.36.3. [ID: 170] Switching to Low Load Mode
2.36.4. [ID: 421] Out of memory when allocating dynamic port
2.36.5. [ID: 451] Out of memory while switching to High Load[...]
2.36.6. [ID: 432] Out of memory initializing port manager
2.37. RADIUS
2.37.1. [ID: 666] Access-Accept packet received from RADIUS[...]
2.37.2. [ID: 1667] Access-Challenge packet received from RADIUS[...]
2.37.3. [ID: 678] Access-Reject packet received from RADIUS[...]
2.37.4. [ID: 691] Access-Request packet sent to RADIUS server
2.37.5. [ID: 771] RADIUS challenge expired
2.37.6. [ID: 675] Non-responding RADIUS server
2.37.7. [ID: 1075] Failed to initiate connection with RADIUS[...]
2.37.8. [ID: 664] Failed to parse incoming RADIUS packet
2.37.9. [ID: 791] Access-Request packet could not be created
2.37.10. [ID: 683] Access-Request packet could not be sent to[...]
2.38. ROUTE
2.38.1. [ID: 1064] Monitored host treated as reachable due to[...]
2.38.2. [ID: 1067] Monitored host treated as unreachable due to[...]
2.38.3. [ID: 1063] Monitored host reachable
2.38.4. [ID: 1066] Monitored host unreachable
2.38.5. [ID: 1068] Monitored route disabled
2.38.6. [ID: 1065] Monitored route enabled
2.38.7. [ID: 652] Dynamic route added
2.38.8. [ID: 654] Dynamic route removed
2.39. RULE
2.39.1. [ID: 1230] IPC error managing dynamic rules
2.39.2. [ID: 1240] Dynamic rules leaked
2.39.3. [ID: 1133] Blacklist rule added
2.39.4. [ID: 1164] Blacklist rule table size set to
2.39.5. [ID: 1141] Blacklist rule removed
2.39.6. [ID: 1165] Blacklist rule replaced
2.39.7. [ID: 649] Flow HA sync disallowed by access rule
2.39.8. [ID: 643] Flow HA sync failed due to address[...]
2.39.9. [ID: 1150] Flow HA sync disallowed by blacklist rule
2.39.10. [ID: 1662] Source IP not routed on receive interface
2.39.11. [ID: 647] Flow HA sync failed due to no route to[...]
2.39.12. [ID: 659] Flow HA sync failed due to no route to source
2.39.13. [ID: 1395] Source address matches translation prefix
2.39.14. [ID: 1088] Max sessions reached on ALG
2.39.15. [ID: 109] Packet received open
2.39.16. [ID: 431] Packet received reject
2.39.17. [ID: 1209] Unsupported protocol combination for ALG
2.39.18. [ID: 238] Allowed by access rule
2.39.19. [ID: 242] Disallowed by access rule
2.39.20. [ID: 1661] Source IP not routed on receive interface
2.39.21. [ID: 1653] Receive sub interface id mismatch with route[...]
2.39.22. [ID: 394] Local Undelivered
2.39.23. [ID: 471] No route to destination
2.39.24. [ID: 129] No route to source
2.39.25. [ID: 514] Packet dropped by the ruleset
2.39.26. [ID: 384] Non-NATable IP protocol
2.39.27. [ID: 520] Could not allocate NAT port
2.39.28. [ID: 987] Could not allocate NAT IP from NATPool
2.39.29. [ID: 1158] Whitelist prevents blacklist action from[...]
2.40. SCTP
2.40.1. [ID: 1335] IP address outside IP rule filter
2.40.2. [ID: 1350] IP address outside IP rule filter
2.40.3. [ID: 1371] ABORT bundled with DATA chunk
2.40.4. [ID: 1216] Advertised receiver window credit too low
2.40.5. [ID: 1324] Association abort
2.40.6. [ID: 1361] Established association exists
2.40.7. [ID: 1367] Association established
2.40.8. [ID: 1658] Association establishment clash
2.40.9. [ID: 1689] Association no longer allowed
2.40.10. [ID: 1362] Association closed due to idle timeout
2.40.11. [ID: 1359] Handshake random replace
2.40.12. [ID: 1326] Association handshake timeout
2.40.13. [ID: 1332] Association handshake initiated
2.40.14. [ID: 1639] Association handshake restart
2.40.15. [ID: 1659] Association restart clash
2.40.16. [ID: 1329] Association restart initiated
2.40.17. [ID: 1384] Association restart initiated
2.40.18. [ID: 1339] Association restarted
2.40.19. [ID: 1347] Association random replace
2.40.20. [ID: 1327] Association timeout on shutdown
2.40.21. [ID: 1358] Association closed
2.40.22. [ID: 1343] Association shutdown received
2.40.23. [ID: 1640] Association linger timeout
2.40.24. [ID: 1357] PPID blacklisted
2.40.25. [ID: 1239] Bundled singular chunk type
2.40.26. [ID: 1377] Unexpected cookie ack from initiator of[...]
2.40.27. [ID: 1375] Unexpected cookie echo from responder of[...]
2.40.28. [ID: 1298] Chunk length includes padding at end
2.40.29. [ID: 1660] Cookie echoed
2.40.30. [ID: 1439] Stripped DATA chunk from packet containing[...]
2.40.31. [ID: 1363] Destination port mismatch
2.40.32. [ID: 1369] Unexpected DATA from shutdown initiator
2.40.33. [ID: 1352] Initial vtag changed
2.40.34. [ID: 1345] No init seen
2.40.35. [ID: 1386] Restart changed initiator IP address number
2.40.36. [ID: 1376] Restart added initiator IP address
2.40.37. [ID: 1383] Restart added responder IP address
2.40.38. [ID: 1387] Restart changed responder IP address number
2.40.39. [ID: 1338] Wrong association restart state
2.40.40. [ID: 1368] Shutdown during establishment
2.40.41. [ID: 1355] Expired restart period
2.40.42. [ID: 1333] Too many shutdown requests
2.40.43. [ID: 1346] Unexpected COOKIE ACK
2.40.44. [ID: 1331] Unexpected COOKIE ECHO
2.40.45. [ID: 1656] Unexpected DATA from initiator
2.40.46. [ID: 1654] Unexpected DATA from responder
2.40.47. [ID: 1342] Unexpected shutdown chunk
2.40.48. [ID: 1288] Empty state cookie parameter found
2.40.49. [ID: 1686] Clash
2.40.50. [ID: 1685] Clash
2.40.51. [ID: 1684] Disallowed
2.40.52. [ID: 1170] Host name address detected
2.40.53. [ID: 1189] Host name address detected
2.40.54. [ID: 1374] Host name address detected
2.40.55. [ID: 1381] Wrong initiator primary IP
2.40.56. [ID: 1379] Wrong responder primary IP
2.40.57. [ID: 1373] IP address inside IP rule filter
2.40.58. [ID: 1198] IP address outside IP rule filter
2.40.59. [ID: 1177] IP address outside IP rule filter
2.40.60. [ID: 1348] Source IP disallowed by association
2.40.61. [ID: 1385] IP disallowed by initiator of restart
2.40.62. [ID: 1336] Destination IP disallowed by association
2.40.63. [ID: 1378] IP disallowed by responder of restart
2.40.64. [ID: 1294] SCTP padding with illegal length
2.40.65. [ID: 1271] SCTP mis-aligned by padding
2.40.66. [ID: 1277] SCTP chunk end mis-aligned by padding
2.40.67. [ID: 1291] Address type illegal with Host Name Address[...]
2.40.68. [ID: 1663] Init-ack seen
2.40.69. [ID: 1382] Association restart from initiator failed
2.40.70. [ID: 1366] Initiator vtag mismatch
2.40.71. [ID: 1176] Invalid SCTP checksum
2.40.72. [ID: 1242] Invalid SCTP checksum
2.40.73. [ID: 1178] Invalid SCTP chunk length
2.40.74. [ID: 1174] Invalid SCTP destination port
2.40.75. [ID: 1337] Invalid destination route
2.40.76. [ID: 1194] Invalid SCTP error cause length
2.40.77. [ID: 1273] Invalid SCTP heartbeat information
2.40.78. [ID: 1187] Invalid Host Name address format
2.40.79. [ID: 1353] Invalid stream ID
2.40.80. [ID: 1258] Illegal initiate tag
2.40.81. [ID: 1257] Invalid number of streams
2.40.82. [ID: 1188] Invalid number of mandatory SCTP parameters
2.40.83. [ID: 1325] Invalid stream ID
2.40.84. [ID: 1296] Invalid pad parameter inside chunk
2.40.85. [ID: 1195] Invalid SCTP chunk parameter length
2.40.86. [ID: 1354] Invalid source interface
2.40.87. [ID: 1167] Invalid SCTP source port
2.40.88. [ID: 1181] Invalid SCTP verification tag
2.40.89. [ID: 1301] Chunk length includes the padding of the last[...]
2.40.90. [ID: 1340] Max IP addresses exceeded
2.40.91. [ID: 1370] Max control chunks exceeded
2.40.92. [ID: 1364] Max DATA chunks exceeded
2.40.93. [ID: 1360] Max inbound streams adjusted
2.40.94. [ID: 1356] Max outbound streams adjusted
2.40.95. [ID: 1299] Missing SCTP chunk padding
2.40.96. [ID: 1285] Missing mandatory SCTP parameter from a chunk
2.40.97. [ID: 1168] Missing SCTP cookie
2.40.98. [ID: 1330] No association found
2.40.99. [ID: 1688] No valid association found
2.40.100. [ID: 1341] No whitelisted PPIDs
2.40.101. [ID: 1349] No possible association restart
2.40.102. [ID: 1292] Non-zero SCTP chunk padding inside chunk
2.40.103. [ID: 1297] Non-zero SCTP chunk padding inside chunk
2.40.104. [ID: 1289] Non-zero SCTP chunk padding inside chunk
2.40.105. [ID: 1197] SCTP chunk padding inside chunk
2.40.106. [ID: 1290] SCTP chunk padding inside chunk
2.40.107. [ID: 1282] SCTP chunk padding inside chunk
2.40.108. [ID: 1281] SCTP chunk padding inside chunk
2.40.109. [ID: 1190] Non-zero SCTP chunk padding
2.40.110. [ID: 1278] Non-zero SCTP chunk padding
2.40.111. [ID: 1279] Non-zero SCTP chunk padding
2.40.112. [ID: 1173] Non-zero reserved field in SCTP error cause
2.40.113. [ID: 1269] Non-zero SCTP chunk parameter padding
2.40.114. [ID: 1268] Non-zero SCTP chunk parameter padding
2.40.115. [ID: 1196] Non-zero SCTP chunk parameter padding
2.40.116. [ID: 1344] Non-first SCTP cookie ack
2.40.117. [ID: 1295] Non-first SCTP cookie
2.40.118. [ID: 1365] PPID not whitelisted
2.40.119. [ID: 1441] SCTP padding chunk
2.40.120. [ID: 1438] SCTP padding chunk
2.40.121. [ID: 1440] SCTP padding chunk
2.40.122. [ID: 1437] SCTP padding chunk
2.40.123. [ID: 1380] Association restart from responder failed
2.40.124. [ID: 1328] Responder vtag mismatch
2.40.125. [ID: 1351] Source port mismatch
2.40.126. [ID: 1270] Stateful SCTP is not supported
2.40.127. [ID: 1283] Too many occurrences of SCTP parameter
2.40.128. [ID: 1334] Unexpected state cookie
2.40.129. [ID: 1280] Unknown mandatory chunk type
2.40.130. [ID: 1184] Unknown mandatory chunk type
2.40.131. [ID: 1193] Unknown mandatory chunk type
2.40.132. [ID: 1191] Unknown mandatory chunk type
2.40.133. [ID: 1236] Unknown mandatory parameter type
2.40.134. [ID: 1171] Unknown mandatory parameter type
2.40.135. [ID: 1166] Unknown mandatory parameter type
2.40.136. [ID: 1186] Unknown mandatory parameter type
2.40.137. [ID: 1248] Unknown optional chunk type
2.40.138. [ID: 1180] Unknown optional chunk type
2.40.139. [ID: 1172] Unknown optional chunk type
2.40.140. [ID: 1175] Unknown optional chunk type
2.40.141. [ID: 1214] Unknown optional parameter type
2.40.142. [ID: 1185] Unknown optional parameter type
2.40.143. [ID: 1182] Unknown optional parameter type
2.40.144. [ID: 1192] Unknown optional parameter type
2.40.145. [ID: 1169] Unknown supported address type
2.40.146. [ID: 1286] Unknown supported address type
2.40.147. [ID: 1179] Unknown supported address type
2.40.148. [ID: 1183] Unknown SCTP error cause
2.40.149. [ID: 1208] Not supported address type
2.40.150. [ID: 1372] PPID whitelisted
2.40.151. [ID: 1300] State cookie parameter has zero for value
2.41. SIPALG
2.41.1. [ID: 1206] SIP ALG call leg deleted
2.41.2. [ID: 1229] SIP ALG call leg state updated
2.41.3. [ID: 1260] Failed to create call leg
2.41.4. [ID: 1266] Failed to create new transaction
2.41.5. [ID: 1267] Failed to do dns resolve
2.41.6. [ID: 1247] Failed to create SIP ALG session
2.41.7. [ID: 1262] Failed to find SIP ALG session
2.41.8. [ID: 1259] Unsuccessful registration
2.41.9. [ID: 1221] Failed unregistration
2.41.10. [ID: 1210] Failed to find call leg
2.41.11. [ID: 1219] Failed to find role
2.41.12. [ID: 1202] Failed to find transaction
2.41.13. [ID: 1213] Flow failed
2.41.14. [ID: 1224] Failed to get free NAT port pair for the[...]
2.41.15. [ID: 1322] Failed to install HA synced object
2.41.16. [ID: 1323] Failed to apply HA update to object
2.41.17. [ID: 1205] Invalid SIP UDP packet received
2.41.18. [ID: 1211] Invalid session state change
2.41.19. [ID: 1237] Maximum number of transaction per session has[...]
2.41.20. [ID: 1203] Maximum number of sessions per SIP URI has[...]
2.41.21. [ID: 1220] Maximum number of sessions per Service has[...]
2.41.22. [ID: 1223] Failed to parse media
2.41.23. [ID: 1274] Media stream rules created
2.41.24. [ID: 1272] Failed to create media stream rules
2.41.25. [ID: 1204] Out of memory
2.41.26. [ID: 1245] Expire value modified in registration request
2.41.27. [ID: 1199] Failed to modify contact tag in message
2.41.28. [ID: 1235] Failed to modify FROM tag in message
2.41.29. [ID: 1263] Failed to modify request URI in message
2.41.30. [ID: 1200] Failed to modify the request
2.41.31. [ID: 1251] Failed to modify the response
2.41.32. [ID: 1231] Failed to modify SDP message
2.41.33. [ID: 1238] Failed to modify the SAT request
2.41.34. [ID: 1207] Call leg created
2.41.35. [ID: 1232] New SIP ALG session created
2.41.36. [ID: 1234] New transaction created
2.41.37. [ID: 1261] Failed to find route for given host
2.41.38. [ID: 1256] General Error
2.41.39. [ID: 1217] Registration hijack attempt detected
2.41.40. [ID: 1246] Successful Registration
2.41.41. [ID: 1264] SDP message parsing failed
2.41.42. [ID: 1243] SDP message validation failed
2.41.43. [ID: 1227] SIP ALG packet reception error
2.41.44. [ID: 1265] SIP message parsing failed
2.41.45. [ID: 1254] SIP message validation failed due to[...]
2.41.46. [ID: 1212] SIP request-response timeout
2.41.47. [ID: 1255] SIP signal timeout
2.41.48. [ID: 1233] SIP ALG session deleted
2.41.49. [ID: 1201] SIP ALG session state updated
2.41.50. [ID: 1250] Block third party SIP request
2.41.51. [ID: 1244] Transaction state updated
2.41.52. [ID: 1253] SIP ALG transaction deleted
2.41.53. [ID: 1226] Invalid transaction state change
2.41.54. [ID: 1252] Successful unregistration
2.41.55. [ID: 1222] Method not supported
2.41.56. [ID: 1249] Failed to update call leg
2.41.57. [ID: 1225] Failed to update contact
2.41.58. [ID: 1241] Failed to update port information
2.41.59. [ID: 1228] Registration entry not found
2.41.60. [ID: 1215] Failed to modify via in message
2.42. SNMP
2.42.1. [ID: 478] SNMP access
2.42.2. [ID: 1506] SNMP authentication failure
2.42.3. [ID: 1505] Max restart counter
2.42.4. [ID: 1680] SNMP not in time window
2.42.5. [ID: 763] SNMP unexpected version
2.42.6. [ID: 1681] SNMP unknown engine ID
2.43. SSHCLIENT
2.43.1. [ID: 1703] SSH client error
2.43.2. [ID: 1704] SSH client fatal error
2.43.3. [ID: 1702] SSH client info
2.43.4. [ID: 1701] SSH client notice
2.44. SSHD
2.44.1. [ID: 370] Administrative user logged in
2.44.2. [ID: 297] Incorrect user name or insufficient[...]
2.44.3. [ID: 186] Administrative user failed to login because[...]
2.44.4. [ID: 455] Administrative user logged out
2.44.5. [ID: 1287] Fatal sshd error
2.44.6. [ID: 877] Failed to get traffic parameters from[...]
2.44.7. [ID: 474] SSH session inactivity time limit has been[...]
2.44.8. [ID: 448] Username change
2.44.9. [ID: 256] Invalid service request received
2.44.10. [ID: 576] Username change
2.44.11. [ID: 425] SSH Login grace timeout expired
2.44.12. [ID: 554] Maximum number of authentication retries[...]
2.44.13. [ID: 225] The maximum number of simultaneously[...]
2.44.14. [ID: 406] The maximum number of connection attempts[...]
2.44.15. [ID: 640] Incompatible encryption
2.44.16. [ID: 1293] Incompatible key exchange algorithm
2.44.17. [ID: 639] Incompatible mac
2.44.18. [ID: 996] Request to copy file
2.44.19. [ID: 995] Request to copy file failed
2.44.20. [ID: 994] Request to copy file successful
2.44.21. [ID: 624] SSH connection is no longer valid
2.44.22. [ID: 997] Closing session for subsystem
2.44.23. [ID: 993] Creating session for subsystem request
2.45. SSLINSPECTION
2.45.1. [ID: 1460] Abnormal close
2.45.2. [ID: 1462] Error accepting client connection
2.45.3. [ID: 1480] Session allocation failure
2.45.4. [ID: 1485] Certificate error
2.45.5. [ID: 1495] Client cipher suites mismatch
2.45.6. [ID: 1500] Client TLS version error
2.45.7. [ID: 1466] Error connecting to server
2.45.8. [ID: 1498] Flow failed
2.45.9. [ID: 1447] Failed to forward SNI
2.45.10. [ID: 1502] Handshake timeout with
2.45.11. [ID: 1490] IPS protection closed connection
2.45.12. [ID: 1474] No server matched SNI
2.45.13. [ID: 1483] Error reading data from client
2.45.14. [ID: 1450] Error reading data from server
2.45.15. [ID: 1492] Received SNI from client
2.45.16. [ID: 1484] Server cipher suites mismatch
2.45.17. [ID: 1481] Server TLS version error
2.45.18. [ID: 1487] Session closed
2.45.19. [ID: 1456] Connection established
2.45.20. [ID: 1494] Session opened
2.45.21. [ID: 1444] Error writing data to client
2.45.22. [ID: 1499] Error writing data to client
2.46. SSLVPN
2.46.1. [ID: 1491] Allocated client IP
2.46.2. [ID: 1448] Client certificate verification failed
2.46.3. [ID: 1459] Client certificate verification successful
2.46.4. [ID: 1471] Verification of client options failed
2.46.5. [ID: 1461] Closed TLS session due to unacknowledged[...]
2.46.6. [ID: 1451] Connected SSLVPN client
2.46.7. [ID: 1467] Could not allocate client IP
2.46.8. [ID: 1457] Internal error when decrypting packet
2.46.9. [ID: 1465] Decryption failed for data channel packet
2.46.10. [ID: 1443] Disconnected SSLVPN client
2.46.11. [ID: 1496] Data packet before negotiated data channel
2.46.12. [ID: 1464] Encryption failed for data channel packet
2.46.13. [ID: 1455] Encrypted packet did not fit packet buffer
2.46.14. [ID: 1482] Failed to send packet to control plane
2.46.15. [ID: 1486] Failed to set encryption key for packet
2.46.16. [ID: 1473] Failed to write encrypted packet
2.46.17. [ID: 1668] Failed to get server
2.46.18. [ID: 1669] Failed to get session
2.46.19. [ID: 1678] Failed to get user session
2.46.20. [ID: 1463] TLS handshake timed out
2.46.21. [ID: 1478] Integrity check failed during decryption
2.46.22. [ID: 1472] Maximum number of authenticated SSLVPN[...]
2.46.23. [ID: 1446] Number of authenticated SSLVPN sessions[...]
2.46.24. [ID: 1453] Malformed packet on data channel
2.46.25. [ID: 1673] Failed to read challenge text from[...]
2.46.26. [ID: 1679] Peer did not send client certificate
2.46.27. [ID: 1674] Failed to find server configuration
2.46.28. [ID: 1476] Non active key ID on data channel
2.46.29. [ID: 1470] Verification of client peer info failed
2.46.30. [ID: 1493] Rate limit exceeded
2.46.31. [ID: 1469] Released client IP
2.46.32. [ID: 1452] Key renegotiation failed
2.46.33. [ID: 1475] Key renegotiation successful
2.46.34. [ID: 1449] Replay check failed on data channel
2.46.35. [ID: 1670] Failed to send challenge to client
2.46.36. [ID: 1677] Failed to send challenge response
2.46.37. [ID: 1489] Server reset from client
2.46.38. [ID: 1477] TLS handshake error
2.46.39. [ID: 1497] Too short packet payload
2.46.40. [ID: 1501] Unacknowledged control channel message
2.46.41. [ID: 1488] Received ACK for unknown packet id
2.46.42. [ID: 1479] Unknown protocol opcode
2.46.43. [ID: 1671] Unprintable characters in challenge text
2.46.44. [ID: 1454] Unsupported key exchange method v1
2.46.45. [ID: 1445] User failed to log in to SSLVPN
2.46.46. [ID: 1458] User logged in to SSLVPN
2.46.47. [ID: 1468] User logged out from SSLVPN by authentication[...]
2.46.48. [ID: 1675] Username not allowed to change
2.47. STATISTICS
2.47.1. [ID: 1432] Failed to add statistical values for BGP peer
2.47.2. [ID: 1428] Failed to remove statistical values of BGP[...]
2.47.3. [ID: 1436] Failed to create AgentX talker thread
2.47.4. [ID: 1431] Failed to parse AgentX message
2.47.5. [ID: 1433] No support for IPv6 peer identifiers
2.47.6. [ID: 1429] AgentX session closed
2.47.7. [ID: 1434] AgentX session opened
2.47.8. [ID: 1430] Failed to setup listening socket
2.47.9. [ID: 1435] Update of statistics value failed
2.48. SYSLOGALG
2.48.1. [ID: 1707] Failed to create new session
2.48.2. [ID: 1711] Flow failed
2.48.3. [ID: 1710] Session closed
2.48.4. [ID: 1706] Session opened
2.48.5. [ID: 1708] Too large syslog packet received
2.48.6. [ID: 1705] Syslog packet rejected
2.48.7. [ID: 1712] Prohibited keyword detected in syslog data
2.48.8. [ID: 1709] Reverse traffic detected on syslog flow
2.49. SYSTEM
2.49.1. [ID: 641] A new kernel exception report was generated
2.49.2. [ID: 235] Out of memory initializing data plane[...]
2.49.3. [ID: 583] All systems shutdown
2.49.4. [ID: 313] Aborted shutdown of all systems
2.49.5. [ID: 231] All systems shutdown notice
2.49.6. [ID: 392] Failed to create backup file
2.49.7. [ID: 193] Backup file created
2.49.8. [ID: 1073] Leaving Daylight Saving Time
2.49.9. [ID: 1074] Entering Daylight Saving Time
2.49.10. [ID: 390] Exception report generated
2.49.11. [ID: 1072] System time set
2.49.12. [ID: 404] PKG file was successfully applied
2.49.13. [ID: 244] Failed to apply PKG file
2.49.14. [ID: 190] Failed to validate PKG file
2.49.15. [ID: 786] Process exited with non-zero status code
2.49.16. [ID: 785] Process exited because of signal
2.49.17. [ID: 794] Generating crashdump report
2.49.18. [ID: 800] Killing process that did not exit in time
2.49.19. [ID: 798] Process is not responding
2.49.20. [ID: 799] Removing unresponsive process
2.49.21. [ID: 797] Restarting process
2.49.22. [ID: 796] Process did not exit in time
2.49.23. [ID: 1058] Process exited unexpectedly
2.49.24. [ID: 990] Configuration has been reset to factory[...]
2.49.25. [ID: 991] System has been reset to factory default
2.49.26. [ID: 459] Revert has been applied
2.49.27. [ID: 558] Failed to revert
2.49.28. [ID: 361] System shutting down
2.49.29. [ID: 1023] Preparing to shut down
2.49.30. [ID: 427] System started
2.49.31. [ID: 1002] System could not be rebooted using the[...]
2.49.32. [ID: 992] System could not be reconfigured using the[...]
2.49.33. [ID: 1003] System was successfully upgraded
2.49.34. [ID: 382] Out of memory setting up virtual system
2.49.35. [ID: 290] Module was restarted
2.49.36. [ID: 318] Failed to start module
2.50. TCP
2.50.1. [ID: 102] Ambiguous MSS announcement
2.50.2. [ID: 189] TCP MSS too high
2.50.3. [ID: 393] TCP MSS too low
2.50.4. [ID: 591] Oversized TCP window
2.50.5. [ID: 416] Ambiguous SACK permission announced
2.50.6. [ID: 307] Ambiguous SACK permission announced
2.50.7. [ID: 246] Ambiguous window scale negotiation
2.50.8. [ID: 551] Ambiguous window scale negotiation
2.50.9. [ID: 565] SACK block with invalid range
2.50.10. [ID: 411] Resent SYN with mismatching window scale[...]
2.50.11. [ID: 545] Disallowed flag set
2.50.12. [ID: 202] Bad TCP option length
2.50.13. [ID: 596] TCP segment exceeds previous FIN
2.50.14. [ID: 547] TCP FIN flag set without the ACK flag
2.50.15. [ID: 113] Disallowed flag combination
2.50.16. [ID: 388] Invalid TCP checksum
2.50.17. [ID: 359] Invalid TCP option length
2.50.18. [ID: 139] Invalid reset sequence number in state SYN[...]
2.50.19. [ID: 187] TCP MSS too high
2.50.20. [ID: 312] TCP MSS too low
2.50.21. [ID: 571] New acknowledgment in ICMP message
2.50.22. [ID: 375] Not forwarded sequence number in ICMP message
2.50.23. [ID: 456] Non-zero header padding
2.50.24. [ID: 493] SACK block announced data not sent
2.50.25. [ID: 447] TCP NULL packet
2.50.26. [ID: 449] Non-first SACK block announced acknowledged[...]
2.50.27. [ID: 437] Disallowed TCP option
2.50.28. [ID: 173] SYN only option in non-SYN segment
2.50.29. [ID: 373] TCP option length missing
2.50.30. [ID: 182] Oversized TCP segment
2.50.31. [ID: 369] Oversized TCP window in ICMP message
2.50.32. [ID: 227] TCP option does not fit in the header
2.50.33. [ID: 200] Too high TCP sequence number
2.50.34. [ID: 463] Too low FIN sequence number
2.50.35. [ID: 168] Too low TCP sequence number
2.50.36. [ID: 103] Too low sequence number in ICMP message
2.50.37. [ID: 145] Truncated TCP header encapsulated in ICMP[...]
2.50.38. [ID: 210] Too high TCP acknowledgment
2.50.39. [ID: 444] Unacceptable initial TCP acknowledgment
2.50.40. [ID: 217] Unused non-zero ACK
2.50.41. [ID: 527] Unused non-zero urgent pointer
2.50.42. [ID: 538] Fragmented TCP header encapsulated in ICMP[...]
2.50.43. [ID: 267] TCP header length exceeds IP payload length
2.50.44. [ID: 299] Ambiguous MSS announcement
2.50.45. [ID: 258] Unexpected invalid FIN
2.50.46. [ID: 561] Invalid TCP header length
2.50.47. [ID: 399] Window scale shift count exceeds 14
2.50.48. [ID: 342] Suspicious flag set
2.50.49. [ID: 320] TCP segment exceeds previous FIN
2.50.50. [ID: 468] TCP FIN flag set without the ACK flag
2.50.51. [ID: 504] Suspicious flag combination
2.50.52. [ID: 218] TCP MSS exceeds log level
2.50.53. [ID: 270] Invalid TCP checksum
2.50.54. [ID: 147] Invalid reset sequence number in state SYN[...]
2.50.55. [ID: 209] TCP MSS too high
2.50.56. [ID: 215] TCP MSS too low
2.50.57. [ID: 592] New acknowledgment in ICMP message
2.50.58. [ID: 353] Not forwarded sequence number in ICMP message
2.50.59. [ID: 169] Non-zero header padding
2.50.60. [ID: 484] SACK block announced data not sent
2.50.61. [ID: 257] TCP NULL packet
2.50.62. [ID: 345] Non-first SACK block announced acknowledged[...]
2.50.63. [ID: 614] TCP option
2.50.64. [ID: 366] SYN only option in non-SYN segment
2.50.65. [ID: 181] Oversized TCP segment
2.50.66. [ID: 199] Oversized TCP window
2.50.67. [ID: 461] Too high TCP sequence number
2.50.68. [ID: 207] Too low FIN sequence number
2.50.69. [ID: 420] Too low TCP sequence number
2.50.70. [ID: 601] Too low sequence number in ICMP message
2.50.71. [ID: 560] Truncated TCP header encapsulated in ICMP[...]
2.50.72. [ID: 498] Too high TCP acknowledgment
2.50.73. [ID: 479] Unacceptable initial TCP acknowledgment
2.50.74. [ID: 541] Unused non-zero ACK
2.50.75. [ID: 337] Unused non-zero urgent pointer
2.50.76. [ID: 335] Multiple TCP options of the same kind
2.50.77. [ID: 250] No new flow for this packet
2.50.78. [ID: 252] TCP option not negotiated
2.50.79. [ID: 381] SACK option without the ACK flag set
2.50.80. [ID: 1011] New TCP flow denied
2.50.81. [ID: 208] Disallowed flag set
2.50.82. [ID: 491] Bad TCP option length
2.50.83. [ID: 322] Disallowed flag combination
2.50.84. [ID: 329] Invalid TCP option length
2.50.85. [ID: 241] Non-zero header padding
2.50.86. [ID: 352] SACK block announced data not sent
2.50.87. [ID: 581] Non-first SACK block announced acknowledged[...]
2.50.88. [ID: 253] Disallowed TCP option
2.50.89. [ID: 391] SYN only option in non-SYN segment
2.50.90. [ID: 194] TCP option length missing
2.50.91. [ID: 351] TCP option does not fit in the header
2.50.92. [ID: 429] Unused non-zero ACK
2.50.93. [ID: 245] Unused non-zero urgent pointer
2.50.94. [ID: 188] Unexpected TCP flags
2.50.95. [ID: 433] Unexpected SYN packet
2.50.96. [ID: 510] TCP state tracking requires stricter[...]
2.50.97. [ID: 293] TCP window shrinking
2.51. THRESHOLD
2.51.1. [ID: 1115] Threshold notice
2.51.2. [ID: 1085] Threshold blacklist
2.51.3. [ID: 1128] Threshold block flow
2.51.4. [ID: 1147] Threshold reject flow
2.51.5. [ID: 1123] Threshold tag flow
2.51.6. [ID: 1126] Threshold is no longer exceeded
2.51.7. [ID: 1107] Threshold is exceeded
2.51.8. [ID: 1130] Random group replacement
2.52. TIMESYNC
2.52.1. [ID: 772] An internal error has occurred
2.52.2. [ID: 634] Time synchronization prevented due to[...]
2.52.3. [ID: 635] Time synchronization prevented due to[...]
2.52.4. [ID: 386] Communication with server has failed
2.52.5. [ID: 524] Time synchronization is currently impossible
2.52.6. [ID: 385] The clock has drifted so much that it is not[...]
2.52.7. [ID: 529] Time has been synchronized
2.53. UDP
2.53.1. [ID: 482] Mismatching UDP IP payload length
2.53.2. [ID: 573] Bad UDP checksum
2.53.3. [ID: 119] Bad UDP checksum
2.53.4. [ID: 602] Bad UDP checksum
2.53.5. [ID: 1076] Bad UDP checksum
2.53.6. [ID: 374] Invalid jumbogram UDP header length
2.53.7. [ID: 292] Truncated UDP header
2.54. VLAN
2.54.1. [ID: 879] VLAN packet with CFI set
2.54.2. [ID: 880] Packet is too small to contain VLAN header
2.54.3. [ID: 878] VLAN packet with unknown VLAN id

Chapter 1: Introduction

Note: This document is also available in other formats

A PDF version of this document along with all current and older documentation in PDF format can be found at https://my.clavister.com.

It is also available in a framed HTML version.

This guide is a reference for all log messages generated by the Clavister cOS Stream. It is designed to be a valuable information source for both management and troubleshooting.

1.1. Log Message Structure

All log messages have a common design with attributes that include category, severity and recommended actions. These attributes enable the easy filtering of log messages, either within the system prior to sending them to a log receiver, or as part of analysis that takes place after the logging and storage of messages on an external log server.

The following information is provided for each specific log message:

Name

The name of the log message, which is the message's main category followed by "_" followed by a short string in which each new word begins with a capital letter.

ID

The ID is a string of digits which uniquely identifies the log message.

Note
The Name and the ID of the log message form the title of the section describing the log message.

Log Categories

Log messages belong to categories, where each category maps to a specific subsystem. For instance, the IPSEC category includes some hundreds of log messages, all related to IPSec VPN activities. A log message can belong to more than one category and each message has a main category.

In this guide, categories are listed as sections in Chapter 2, Log Message Reference and each section includes log messages with that category as their main category.

Log Message

A brief explanation of the event that took place.

Default Log Severity

The default severity level for this log message. For a list of severity levels, please see Section 1.2, Severity levels.

SNMP Trap Category

The category of an associated SNMP Trap.

SNMP Trap MIB Name

The name of an associated SNMP Trap in the trap MIB.

SNMP Trap MIB OID

The OID of an associated SNMP Trap in the trap MIB.

Parameters

The parameter values that are included in the log message.

Explanation

A detailed explanation of the event.

Note that this information is only featured in this reference guide, and is never actually included in the log message.

Gateway Action

A short string of 1-3 words separated by "_" that describes the action the system will take. If the log message is purely informative, this is set to "None".

Action Description

Describes what is actually meant by the specified gateway action. Note that this piece of information is only featured in this reference guide, and is never actually included in the log message.

Proposed Action

A detailed proposal of what the administrator can do if this log message is received. If the log message is purely informative, this is set to "None".

Note that this information is only featured in this reference guide, and is never actually included in the log message.

1.2. Severity levels

An event has a default severity level, based on how serious the event is. The following eight severity levels are possible, as defined by the Syslog protocol:

0 - Emergency
Emergency conditions, which most likely led to the system being unusable.
1 - Alert
Alert conditions, which affected the functionality of the unit. Needs attention immediately.
2 - Critical
Critical conditions, which affected the functionality of the unit. Action should be taken as soon as possible.
3 - Error
Error conditions, which probably affected the functionality of the unit.
4 - Warning
Warning conditions, which could affect the functionality of the unit.
5 - Notice
Normal, but significant, conditions.
6 - Informational
Informational conditions.
7 - Debug
Debug level events.

The Dynamic Severity

There is an additional severity type called Dynamic which does not fit into the progressive severity list given above. A severity of Dynamic means that the severity of the log event can change. There are two uses for this severity type:

  • The system can set the severity of the event to a specific level to indicate that the triggering condition has not been dealt with.
  • The severity of the event can be explicitly set by the administrator.

Priority in Syslog Messages

In Syslog messages the priority is indicated by the parameter prio=nn.

Excluding Logged Messages

The Clavister cOS Stream allows entire categories of log messages, or just specific log messages, to be excluded from logging. It is also possible to change the severity level of log messages so that a specific category or a specific message has the severity reset to a particular level when it is sent. These features are documented further in the separate Clavister cOS Stream Administrators Guide.

Chapter 2: Log Message Reference

This chapter lists all the log event messages that can be generated by cOS Stream. The messages are grouped by category and the ID of each message is unique.

Note: Sort Order
All log messages are sorted by their category and then by their ID number.

2.1. APPCONTROL

These log messages refer to the APPCONTROL category.

2.1.1. [ID: 1643] Application changed

Log Categories
APPCONTROL
Log Message
Application changed.
Default Log Severity
Information
Parameters
flow, flowusage, app, user, userid
Explanation
Application control has identified that the application of the flow has changed.
Gateway Action
None
Action Description
None
Proposed Action
None

2.1.2. [ID: 1645] Application identified

Log Categories
APPCONTROL
Log Message
Application identified.
Default Log Severity
Information
Parameters
flow, flowusage, app, user, userid
Explanation
Application control has identified the application of the flow.
Gateway Action
None
Action Description
None
Proposed Action
None

2.1.3. [ID: 1021] Application Control license has just expired

Log Categories
APPCONTROL
Log Message
Application Control license has just expired. Application Control will not work until subscription is renewed.
Default Log Severity
Critical
Parameters
 
Explanation
The Application Control part of the license has just expired.
Gateway Action
None
Action Description
None
Proposed Action
Renew the subscription.

2.2. ARP

These log messages refer to the ARP category.

2.2.1. [ID: 142] Allowed by access rule

Log Categories
ARP
Log Message
Allowed by access rule.
Default Log Severity
Notice
Parameters
srchw, srcip, destip, recviface, rule
Explanation
The ARP sender IP address was verified and accepted by an access rule in the access section.
Gateway Action
Allow
Action Description
None
Proposed Action
Modify the access rule accordingly, if the sender should not be allowed.

2.2.2. [ID: 144] Hardware address changed

Log Categories
ARP
Log Message
Hardware address changed.
Default Log Severity
Notice
Parameters
knownip, knownhw, newhw
Explanation
The received ARP packet has a different hardware address compared to the previously known dynamic entry.
Gateway Action
Allow
Action Description
None
Proposed Action
If this is not the wanted behavior, change the setting ARPTableSettings:ARPChanges.

2.2.3. [ID: 279] Hardware address change disallowed

Log Categories
ARP
Log Message
Hardware address change disallowed.
Default Log Severity
Notice
Parameters
knownip, knownhw, newhw, pkt
Explanation
The received ARP packet has a different hardware address compared to the previously known dynamic entry.
Gateway Action
Drop
Action Description
None
Proposed Action
If this is not the wanted behavior, change the setting ARPTableSettings:ARPChanges.

2.2.4. [ID: 638] Hardware address change detected

Log Categories
ARP
Log Message
Hardware address change detected.
Default Log Severity
Warning
Parameters
knownip, knownhw, newhw, pkt
Explanation
The received ARP packet has a different hardware address compared to the previously known dynamic entry. The address will not be updated since the ARPTableSettings:ARPRequests setting does not allow updates from requests.
Gateway Action
Ignore
Action Description
None
Proposed Action
If hardware address changes should be allowed, both ARPTableSettings:ARPRequests and ARPTableSettings:ARPChanges must be set to allow.

2.2.5. [ID: 123] IP conflict detected

Log Categories
ARP
Log Message
IP conflict detected.
Default Log Severity
Warning
Parameters
srcip, srchw, iface, pkt
Explanation
A host/device using one of the firewall's interface IPs as source address was detected, which could lead to connectivity problems.
Gateway Action
Reject
Action Description
Attempted to resolve the conflict by broadcasting ARP (gratuitous) ownership updates
Proposed Action
Check the network for incorrectly configured devices/hosts.

2.2.6. [ID: 653] IP conflict detected

Log Categories
ARP
Log Message
IP conflict detected.
Default Log Severity
Warning
Parameters
srcip, srchw, iface, pkt
Explanation
A host/device using one of the firewall's interface IPs as source address was detected, which could lead to connectivity problems.
Gateway Action
Drop
Action Description
None
Proposed Action
Check the network for incorrectly configured devices/hosts.

2.2.7. [ID: 534] Illegal ARP sender hardware address

Log Categories
ARP,VALIDATE
Log Message
Illegal ARP sender hardware address.
Default Log Severity
Warning
Parameters
srchw, pkt
Explanation
A host in the network is using an illegal Ethernet sender address.
Gateway Action
Drop
Action Description
None
Proposed Action
Trace down the host and verify that it is not faulty/compromised.

2.2.8. [ID: 622] Out of memory initializing ARP

Log Categories
ARP,SYSTEM
Log Message
Out of memory initializing ARP.
Default Log Severity
Critical
Parameters
 
Explanation
The ARP subsystem could not be initialized due to insufficient free memory.
Gateway Action
Abort
Action Description
None
Proposed Action
Review system wide settings and try to tweak memory consuming features to use less memory.

2.2.9. [ID: 240] Disallowed by access rule

Log Categories
ARP,VALIDATE
Log Message
Disallowed by access rule.
Default Log Severity
Warning
Parameters
srchw, srcip, destip, recviface, pkt, rule
Explanation
The sender IP is not allowed according to the access rules and/or routing table.
Gateway Action
Drop
Action Description
None
Proposed Action
If the address should be allowed, modify the access rule and/or routing table accordingly.

2.2.10. [ID: 269] Mismatching hardware addresses

Log Categories
ARP,VALIDATE
Log Message
Mismatching hardware addresses.
Default Log Severity
Notice
Parameters
hwaddr, arphw, pkt
Explanation
The hardware sender address specified in the ARP data does not match the Ethernet hardware sender address.
Gateway Action
Allow
Action Description
None
Proposed Action
If this is not the wanted behavior, change the setting ARPTableSettings:ARPMatchEnetSender.

2.2.11. [ID: 618] Mismatching hardware addresses

Log Categories
ARP,VALIDATE
Log Message
Mismatching hardware addresses.
Default Log Severity
Notice
Parameters
hwaddr, arphw, pkt
Explanation
The hardware sender address specified in the ARP data does not match the Ethernet hardware sender address.
Gateway Action
Drop
Action Description
None
Proposed Action
If this is not the wanted behavior, change the setting ARPTableSettings:ARPMatchEnetSender.

2.2.12. [ID: 350] Unable to add ARP entry to cache due to no[...]

Log Categories
ARP
Log Message
Unable to add ARP entry to cache due to no free entries.
Default Log Severity
Error
Parameters
hwaddr, ip, iface, pkt
Explanation
Unable to store the ARP cache entry due to exhaustion.
Gateway Action
Drop
Action Description
None
Proposed Action
If the number of communicating devices/hosts is as expected, the setting ARPTableSettings:ARPCacheSize might need to be increased.

2.2.13. [ID: 377] ARP entry lost due to cache limit

Log Categories
ARP,STATEFUL
Log Message
ARP entry lost due to cache limit.
Default Log Severity
Warning
Parameters
ip, knownhw, iface
Explanation
The firewall needs to resolve an IP address, but the current virtual system is out of free ARP entries. The ARP entry for IP ip at interface iface has been freed in order to continue.
Gateway Action
Discard
Action Description
The firewall has been forced to discard one existing ARP entry in use
Proposed Action
This log is commonly seen during some denial-of-service attacks. If you think that the system should be able to handle this amount of dynamic ARP entries, review the ARPTableSettings:ARPCacheSize setting and consider increasing it. Whether to log this event is controlled by the ARPTableSettings:LogARPOutOfEntries setting.

2.2.14. [ID: 302] No sender IP

Log Categories
ARP,VALIDATE
Log Message
No sender IP.
Default Log Severity
Notice
Parameters
pkt
Explanation
The source IP address of an ARP query is 0.0.0.0 which may introduce problems.
Gateway Action
Allow
Action Description
None
Proposed Action
If this is not the wanted behavior, change the setting ARPTableSettings:ARPQueryNoSenderIP.

2.2.15. [ID: 626] No sender IP

Log Categories
ARP,VALIDATE
Log Message
No sender IP.
Default Log Severity
Notice
Parameters
pkt
Explanation
The source IP address of an ARP query is 0.0.0.0 which may introduce problems.
Gateway Action
Drop
Action Description
None
Proposed Action
If this is not the wanted behavior, change the setting ARPTableSettings:ARPQueryNoSenderIP.

2.2.16. [ID: 526] ARP resolve timeout

Log Categories
ARP,STATEFUL
Log Message
ARP resolve timeout.
Default Log Severity
Notice
Parameters
localip, ip, iface, flow, user, userid
Explanation
The firewall failed to resolve IP ip at interface iface. The IP is not reachable via the local network; traffic to and from this address will be dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
The "arpsnoop" feature will allow realtime examination of the ARP traffic at interface iface; use this to pinpoint the problem. Review the route configuration and the access rules, especially when seemingly valid ARP replies are discarded. Verify whether it is possible to route bidirectional traffic to and from IP ip at interface iface. Whether to log this event is controlled by the ARPTableSettings:LogARPResolveFailure setting.

2.2.17. [ID: 106] ARP sender hardware address is broadcast[...]

Log Categories
ARP,VALIDATE
Log Message
ARP sender hardware address is broadcast address.
Default Log Severity
Notice
Parameters
pkt
Explanation
The sender address specified in the ARP data matches the broadcast address which may introduce problems.
Gateway Action
Allow
Action Description
None
Proposed Action
If this is not the wanted behavior, change the setting ARPTableSettings:ARPBroadcast.

2.2.18. [ID: 247] ARP sender hardware address is broadcast[...]

Log Categories
ARP,VALIDATE
Log Message
ARP sender hardware address is broadcast address.
Default Log Severity
Warning
Parameters
pkt
Explanation
The sender address specified in the ARP data matches the broadcast address which may introduce problems.
Gateway Action
Drop
Action Description
None
Proposed Action
If this is not the wanted behavior, change the setting ARPTableSettings:ARPBroadcast.

2.2.19. [ID: 262] ARP sender hardware address is multicast[...]

Log Categories
ARP,VALIDATE
Log Message
ARP sender hardware address is multicast address.
Default Log Severity
Notice
Parameters
 
Explanation
The sender address specified in the ARP data matches the multicast address range which may introduce problems.
Gateway Action
Allow
Action Description
None
Proposed Action
If this is not the wanted behavior, change the setting ARPTableSettings:ARPMulticast.

2.2.20. [ID: 117] ARP sender hardware address is multicast[...]

Log Categories
ARP,VALIDATE
Log Message
ARP sender hardware address is multicast address.
Default Log Severity
Notice
Parameters
pkt
Explanation
The sender address specified in the ARP data matches the multicast address range which may introduce problems.
Gateway Action
Drop
Action Description
None
Proposed Action
If this is not the wanted behavior, change the setting ARPTableSettings:ARPMulticast.

2.2.21. [ID: 308] ARP collides with static entry

Log Categories
ARP
Log Message
ARP collides with static entry.
Default Log Severity
Warning
Parameters
knowntype, knownip, knownhw, pkt
Explanation
The hardware sender address does not match the static entry in the ARP table and static ARP changes are not allowed.
Gateway Action
Drop
Action Description
None
Proposed Action
If the new address is correct, update the static ARP entry.

2.2.22. [ID: 584] Unsolicited ARP reply received

Log Categories
ARP
Log Message
Unsolicited ARP reply received.
Default Log Severity
Notice
Parameters
pkt
Explanation
An ARP reply was received even though no reply was currently expected for this IP.
Gateway Action
Allow
Action Description
The ARP reply was accepted and local ARP cache updated
Proposed Action
If this is not the wanted behavior, change the setting ARPTableSettings:UnsolicitedARPReplies.

2.2.23. [ID: 540] Unsolicited ARP reply received

Log Categories
ARP
Log Message
Unsolicited ARP reply received.
Default Log Severity
Notice
Parameters
pkt
Explanation
An ARP reply was received even though no reply was currently expected for this IP.
Gateway Action
Drop
Action Description
The ARP reply was dropped
Proposed Action
If this is not the wanted behavior, change the setting ARPTableSettings:UnsolicitedARPReplies.
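
The hardware address change events in this section (IDs 144, 279 and 638) share the knownip and newhw parameters, so they can be correlated with the static-entry collision (ID 308) and the cache-limit events (IDs 350 and 377) when triaging ARP logs. The Python below is an added example, not Clavister code: the key=value line layout, the id= field name and the sample lines are assumptions constructed for illustration; only the IDs and parameter names come from this guide.

```python
import re
from collections import defaultdict

# Log IDs and parameter names taken from section 2.2 of this guide.
HW_CHANGE_IDS = {144: "Allow", 279: "Drop", 638: "Ignore"}
STATIC_COLLISION_ID = 308          # ARP collides with static entry
CACHE_PRESSURE_IDS = {350, 377}    # no free entries / entry lost due to cache limit

# Constructed sample input. The "id=... key=value" layout is an ASSUMPTION,
# not the documented wire format; adapt parse_line() to the real receiver.
SAMPLE_LINES = [
    "id=144 knownip=192.0.2.10 knownhw=00:00:5e:00:53:01 newhw=00:00:5e:00:53:aa",
    "id=279 knownip=192.0.2.10 knownhw=00:00:5e:00:53:aa newhw=00:00:5E:00:53:BB",
    "id=638 knownip=192.0.2.20 knownhw=00:00:5e:00:53:02 newhw=00:00:5e:00:53:cc",
    "id=308 knowntype=static knownip=192.0.2.1 knownhw=00:00:5e:00:53:fe",
    "id=377 ip=192.0.2.77 knownhw=00:00:5e:00:53:03 iface=lan",
    "id=350 hwaddr=00:00:5e:00:53:04 ip=192.0.2.78 iface=lan",
    "id=584",                       # unsolicited reply: parsed but not scored here
    "malformed line without an id",
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return a dict of fields with an integer 'id', or None if unusable."""
    fields = {key: value.strip('"') for key, value in KV_RE.findall(line)}
    try:
        fields["id"] = int(fields["id"])
    except (KeyError, ValueError):
        return None
    return fields


def triage_arp(lines, mac_threshold=2):
    """Summarise ARP events that deserve a closer look.

    flapping          IPs for which at least mac_threshold distinct new
                      hardware addresses were announced (IDs 144/279/638)
    static_collisions (knownip, knownhw) pairs from ID 308
    cache_pressure    count of ID 350/377 events
    """
    claimed = defaultdict(set)      # knownip -> distinct newhw values seen
    static_collisions = []
    cache_pressure = 0

    for line in lines:
        event = parse_line(line)
        if event is None:
            continue                # skip lines without a usable id
        event_id = event["id"]
        if event_id in HW_CHANGE_IDS:
            if "knownip" in event and "newhw" in event:
                # Normalise case so one MAC is not counted twice.
                claimed[event["knownip"]].add(event["newhw"].lower())
        elif event_id == STATIC_COLLISION_ID:
            static_collisions.append((event.get("knownip"), event.get("knownhw")))
        elif event_id in CACHE_PRESSURE_IDS:
            cache_pressure += 1

    flapping = {
        ip: sorted(macs)
        for ip, macs in claimed.items()
        if len(macs) >= mac_threshold
    }
    return {
        "flapping": flapping,
        "static_collisions": static_collisions,
        "cache_pressure": cache_pressure,
    }


if __name__ == "__main__":
    report = triage_arp(SAMPLE_LINES)
    for ip, macs in report["flapping"].items():
        print(f"{ip}: {len(macs)} different hardware addresses announced: {macs}")
    for ip, hw in report["static_collisions"]:
        print(f"static entry {ip} ({hw}) was contradicted by a received ARP packet")
    print(f"cache-limit events: {report['cache_pressure']}")
```

An address that appears under "flapping" or "static_collisions" is a candidate for the follow-up this guide proposes for those IDs: tracing the host and reviewing the ARPTableSettings values.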

2.3. AUTHSYS

These log messages refer to the AUTHSYS category.

2.3.1. [ID: 684] User is already logged in

Log Categories
AUTHSYS
Log Message
User is already logged in.
Default Log Severity
Warning
Parameters
userid, user, ip, profile, agent
Explanation
A user with the same username as an already authenticated user tried to log in and was rejected.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.2. [ID: 669] Failed to retrieve information from[...]

Log Categories
AUTHSYS
Log Message
Failed to retrieve information from authentication source.
Default Log Severity
Warning
Parameters
userid, user, ip, profile, agent, userdb
Explanation
Information regarding a user session could not be retrieved from the source database.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.3. [ID: 690] Unknown user or invalid password

Log Categories
AUTHSYS
Log Message
Unknown user or invalid password.
Default Log Severity
Notice
Parameters
userid, user, ip, profile, agent
Explanation
A user failed to log in. The entered username or password was invalid.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.4. [ID: 679] Login prevented due to brute force attack[...]

Log Categories
AUTHSYS
Log Message
Login prevented due to brute force attack prevention.
Default Log Severity
Warning
Parameters
userid, user, ip, profile, agent
Explanation
A login attempt was prevented due to quick repeated failures when validating user credentials.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.5. [ID: 793] Invalid Charging characteristics attribute in[...]

Log Categories
AUTHSYS
Log Message
Invalid Charging characteristics attribute in RADIUS Access-Accept.
Default Log Severity
Warning
Parameters
userid, user, ip, profile, agent, userdb
Explanation
The RADIUS server sent a Charging Characteristics attribute which could not be interpreted.
Gateway Action
None
Action Description
None
Proposed Action
Verify that the Charging Characteristics attribute on the RADIUS server is configured correctly.

2.3.6. [ID: 685] Received an invalid EAP packet

Log Categories
AUTHSYS
Log Message
Received an invalid EAP packet.
Default Log Severity
Warning
Parameters
userid, user, ip, profile, agent, userdb
Explanation
Received an invalid EAP packet from an authentication source.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.7. [ID: 774] Maximum number of user sessions for the[...]

Log Categories
AUTHSYS
Log Message
Maximum number of user sessions for the username has been reached.
Default Log Severity
Warning
Parameters
user, profile, agent
Explanation
The maximum allowed number of simultaneous sessions for a user has been reached and the new session is rejected.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.8. [ID: 670] IMSI attribute missing in RADIUS Access-Accept

Log Categories
AUTHSYS
Log Message
IMSI attribute missing in RADIUS Access-Accept.
Default Log Severity
Warning
Parameters
userid, user, ip, profile, agent, userdb
Explanation
No IMSI could be extracted from the user identity (IDi) or fetched from the RADIUS server.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.9. [ID: 810] MSISDN attribute missing in RADIUS[...]

Log Categories
AUTHSYS
Log Message
MSISDN attribute missing in RADIUS Access-Accept.
Default Log Severity
Notice
Parameters
userid, user, ip, profile, agent, userdb
Explanation
The MSISDN attribute (Callback-Number) was missing in the Access-Accept message.
Gateway Action
None
Action Description
None
Proposed Action
Check the RADIUS server's user configuration.

2.3.10. [ID: 844] EAP type is not allowed by authentication[...]

Log Categories
AUTHSYS
Log Message
EAP type is not allowed by authentication profile.
Default Log Severity
Warning
Parameters
userid, user, ip, profile, agent, type
Explanation
A user and server used an EAP type that was not allowed by the authentication profile.
Gateway Action
None
Action Description
None
Proposed Action
Check the authentication profile configuration if the EAP type should be allowed.

2.3.11. [ID: 674] Out of memory while authenticating a user

Log Categories
AUTHSYS
Log Message
Out of memory while authenticating a user.
Default Log Severity
Alert
Parameters
userid, user, ip, profile, agent
Explanation
The unit failed to allocate and is out of memory.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.12. [ID: 688] Denied access according to authentication[...]

Log Categories
AUTHSYS
Log Message
Denied access according to authentication profile.
Default Log Severity
Warning
Parameters
 
Explanation
A user is not allowed to authenticate according to the authentication profile settings.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.13. [ID: 792] The authentication profile is still in[...]

Log Categories
AUTHSYS
Log Message
The authentication profile is still in initialization process.
Default Log Severity
Warning
Parameters
profile, agent
Explanation
A user requesting login was rejected as the authentication profile has not been fully initialized yet.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.14. [ID: 673] Received RADIUS Access-Accept message

Log Categories
AUTHSYS
Log Message
Received RADIUS Access-Accept message.
Default Log Severity
Notice
Parameters
userid, user, ip, profile, agent, userdb
Explanation
Access-Accept message received from RADIUS server.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.15. [ID: 1666] Received RADIUS Access-Challenge message

Log Categories
AUTHSYS
Log Message
Received RADIUS Access-Challenge message.
Default Log Severity
Information
Parameters
userid, user, ip, profile, agent, userdb
Explanation
Access-Challenge message received from RADIUS server.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.16. [ID: 681] Received RADIUS Access-Reject message

Log Categories
AUTHSYS
Log Message
Received RADIUS Access-Reject message.
Default Log Severity
Warning
Parameters
userid, user, ip, profile, agent, userdb
Explanation
Access-Reject message received from RADIUS server.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.17. [ID: 812] Challenges are not supported when using XAuth

Log Categories
AUTHSYS
Log Message
Challenges are not supported when using XAuth.
Default Log Severity
Warning
Parameters
userid, user, ip, profile, agent, userdb
Explanation
The XAuth agent does not support the challenge-and-response method.
Gateway Action
None
Action Description
None
Proposed Action
Disable the challenge-and-response feature in the RADIUS server, and use password verification instead.

2.3.18. [ID: 689] Internal RADIUS error

Log Categories
AUTHSYS
Log Message
Internal RADIUS error.
Default Log Severity
Warning
Parameters
userid, user, ip, profile, agent, userdb
Explanation
An internal error occurred within the RADIUS client.
Gateway Action
None
Action Description
None
Proposed Action
Check RADIUS logs for details.

2.3.19. [ID: 665] User logged out due to session timeout

Log Categories
AUTHSYS
Log Message
User logged out due to session timeout.
Default Log Severity
Notice
Parameters
userid, user, ip, profile, agent
Explanation
A user was logged out due to session timeout.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.20. [ID: 809] Authentication source did not respond

Log Categories
AUTHSYS
Log Message
Authentication source did not respond.
Default Log Severity
Warning
Parameters
userid, user, ip, profile, agent, userdb
Explanation
A request that was sent for a user did not receive a response in time from an authentication source.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.21. [ID: 677] User belongs in too many groups

Log Categories
AUTHSYS
Log Message
User belongs in too many groups. Keeping the 32 first.
Default Log Severity
Warning
Parameters
userid, user, ip, profile, agent
Explanation
A user can only be a member of a maximum of 32 groups. This user is a member of too many groups, and only the first 32 groups will be used.
Gateway Action
None
Action Description
None
Proposed Action
Lower the number of groups that this user belongs to.

2.3.22. [ID: 676] User added

Log Categories
AUTHSYS
Log Message
User added.
Default Log Severity
Notice
Parameters
userid, user, ip, profile, agent
Explanation
A user was added and is now awaiting confirmation.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.23. [ID: 761] User updated with new IP address

Log Categories
AUTHSYS
Log Message
User updated with new IP address.
Default Log Severity
Notice
Parameters
userid, user, ip, profile, agent, old
Explanation
The authenticated IP address for a logged-in user was changed.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.24. [ID: 760] Invalid user session found

Log Categories
AUTHSYS
Log Message
Invalid user session found.
Default Log Severity
Warning
Parameters
userid, user, ip, profile, agent
Explanation
An invalid user session has been found and will be removed.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.25. [ID: 672] User logged in

Log Categories
AUTHSYS
Log Message
User logged in.
Default Log Severity
Notice
Parameters
userid, user, ip, profile, agent, userdb, usergroups
Explanation
A user logged in and has been granted access, according to the group membership or user name information.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.26. [ID: 667] User logged out

Log Categories
AUTHSYS
Log Message
User logged out.
Default Log Severity
Notice
Parameters
userid, user, ip, profile, agent
Explanation
A user logged out and is no longer authenticated.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.27. [ID: 759] User updated with new username

Log Categories
AUTHSYS
Log Message
User updated with new username.
Default Log Severity
Notice
Parameters
userid, user, ip, profile, agent, old
Explanation
A user logged in with a pseudonym and its username was changed to its full username.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.28. [ID: 671] User replaced

Log Categories
AUTHSYS
Log Message
User replaced.
Default Log Severity
Notice
Parameters
userid, user, ip, profile, agent
Explanation
An old user session was replaced with a new one.
Gateway Action
None
Action Description
None
Proposed Action
None

2.3.29. [ID: 687] User table is full

Log Categories
AUTHSYS
Log Message
User table is full.
Default Log Severity
Warning
Parameters
 
Explanation
Maximum number of allowed logged in users has been reached.
Gateway Action
None
Action Description
None
Proposed Action
None

2.4. BGP

These log messages refer to the BGP category.

2.4.1. [ID: 1311] Failed to lookup gateway of BGP route

Log Categories
BGP,DYNROUTE
Log Message
Failed to lookup gateway of BGP route.
Default Log Severity
Error
Parameters
gwip, iprange, table
Explanation
BGP was unable to export the route due to route-lookup failure of the gateway IP.
Gateway Action
Discard
Action Description
Route is discarded
Proposed Action
Update the referred routing table so that the gateway IP becomes routable.

2.4.2. [ID: 1699] BGP graceful restart not negotiated with[...]

Log Categories
BGP
Log Message
BGP graceful restart not negotiated with established neighbor.
Default Log Severity
Warning
Parameters
neighborip
Explanation
System is running HA and graceful restart has not been negotiated for an established BGP neighbor. This will result in withdrawn prefixes and possible traffic disruptions at HA failover.
Gateway Action
None
Action Description
None
Proposed Action
Verify that both the local BGP configuration and the configuration on the peer are set up for graceful restart.

2.4.3. [ID: 1687] Unable to enable BFD due to unroutable BGP[...]

Log Categories
BGP,BFD
Log Message
Unable to enable BFD due to unroutable BGP neighbor.
Default Log Severity
Warning
Parameters
neighborip, table
Explanation
A BFD session cannot be created for the BGP neighbor due to a missing route.
Gateway Action
Disable
Action Description
None
Proposed Action
Make sure the BGP peer IP has route coverage in the routing table used when communicating with the peer.

2.4.4. [ID: 1316] BGP dynrouting event

Log Categories
BGP,DYNROUTE
Log Message
BGP dynrouting event.
Default Log Severity
Error
Parameters
msg
Explanation
This is a generic message for BGP classified as erroneous.
Gateway Action
Inconclusive
Action Description
None
Proposed Action
Investigate the nature of the error message and how it affects the system.

2.4.5. [ID: 1315] BGP dynrouting event

Log Categories
BGP,DYNROUTE
Log Message
BGP dynrouting event.
Default Log Severity
Information
Parameters
msg
Explanation
This is a generic message for BGP classified as informational.
Gateway Action
None
Action Description
None
Proposed Action
None

2.4.6. [ID: 1318] BGP dynrouting event

Log Categories
BGP,DYNROUTE
Log Message
BGP dynrouting event.
Default Log Severity
Warning
Parameters
msg
Explanation
This is a generic message for BGP classified as warning.
Gateway Action
None
Action Description
None
Proposed Action
Investigate the nature of the warning message and how it affects the system.

2.4.7. [ID: 1310] Failed to add BGP route

Log Categories
BGP,DYNROUTE
Log Message
Failed to add BGP route.
Default Log Severity
Error
Parameters
iprange, gwip, table
Explanation
BGP was unable to add the route to the routing table for unknown reasons.
Gateway Action
Discard
Action Description
None
Proposed Action
Contact customer support.

2.4.8. [ID: 1313] Failed to remove BGP route

Log Categories
BGP,DYNROUTE
Log Message
Failed to remove BGP route.
Default Log Severity
Error
Parameters
iprange, gwip, table
Explanation
BGP was unable to remove the route from the routing table for unknown reasons.
Gateway Action
Discard
Action Description
None
Proposed Action
Contact customer support.

2.5. CLI

These log messages refer to the CLI category.

2.5.1. [ID: 272] Failed adding CLI command data resource

Log Categories
CLI
Log Message
Failed adding CLI command data resource.
Default Log Severity
Critical
Parameters
 
Explanation
A CLI command data resource could not be added.
Gateway Action
None
Action Description
None
Proposed Action
Verify that the system has sufficient memory available.

2.5.2. [ID: 443] All CLI commands could not be listed

Log Categories
CLI
Log Message
All CLI commands could not be listed.
Default Log Severity
Critical
Parameters
 
Explanation
All CLI commands could not be listed by the CLI during the initiation phase. This could result in some commands being unavailable.
Gateway Action
None
Action Description
None
Proposed Action
Verify that the disk media is intact and functions correctly.

2.5.3. [ID: 213] Failed allocating memory when starting CLI[...]

Log Categories
CLI,SYSTEM
Log Message
Failed allocating memory when starting CLI command.
Default Log Severity
Alert
Parameters
 
Explanation
The CLI failed to allocate the amount of memory needed to start the command.
Gateway Action
None
Action Description
None
Proposed Action
Verify that the system has a sufficient amount of free memory.

2.5.4. [ID: 1118] Attempt to access service command view

Log Categories
CLI,SYSTEM
Log Message
Attempt to access service command view.
Default Log Severity
Information
Parameters
user, userid, count, max
Explanation
A user tried to access the "service" command view.
Gateway Action
Deny
Action Description
None
Proposed Action
None

2.5.5. [ID: 1101] Service command view access granted

Log Categories
CLI,SYSTEM
Log Message
Service command view access granted.
Default Log Severity
Information
Parameters
user, userid
Explanation
Access to the "service" command view was granted to the user.
Gateway Action
Allow
Action Description
None
Proposed Action
None

2.5.6. [ID: 1117] Maximum number of service command view access[...]

Log Categories
CLI,SYSTEM
Log Message
Maximum number of service command view access attempts reached.
Default Log Severity
Information
Parameters
user, userid
Explanation
The maximum number of "service" command view access attempts was reached. Access to the "service" command view was rejected and a new challenge is generated.
Gateway Action
Deny
Action Description
None
Proposed Action
None

2.5.7. [ID: 765] Serial console CLI instance started

Log Categories
CLI
Log Message
Serial console CLI instance started.
Default Log Severity
Notice
Parameters
user, accesslevel, profile
Explanation
A serial console CLI session was started.
Gateway Action
None
Action Description
None
Proposed Action
None

2.5.8. [ID: 769] Serial console CLI authentication failed

Log Categories
CLI
Log Message
Serial console CLI authentication failed.
Default Log Severity
Notice
Parameters
user, profile
Explanation
A serial console login attempt failed since the supplied username and password could not be verified towards the correct authentication group.
Gateway Action
None
Action Description
None
Proposed Action
Verify that the user exists with the specified password. Make sure that the user has the appropriate access group(s) (Administrators and/or Auditor) set.

2.5.9. [ID: 767] Serial console CLI authentication succeeded

Log Categories
CLI
Log Message
Serial console CLI authentication succeeded.
Default Log Severity
Notice
Parameters
user, profile
Explanation
A serial console login authentication succeeded towards the authentication profile.
Gateway Action
None
Action Description
None
Proposed Action
None

2.5.10. [ID: 773] Serial console CLI session ended

Log Categories
CLI
Log Message
Serial console CLI session ended.
Default Log Severity
Notice
Parameters
user, profile
Explanation
None
Gateway Action
None
Action Description
None
Proposed Action
None

2.5.11. [ID: 764] Serial console CLI system error

Log Categories
CLI,SYSTEM
Log Message
Serial console CLI system error.
Default Log Severity
Alert
Parameters
 
Explanation
The configuration and authentication of the serial console access is not available. As a result, and for debugging purposes, the serial console CLI is started with administrator privileges.
Gateway Action
None
Action Description
None
Proposed Action
Verify the serial console configuration and restart the system.

2.5.12. [ID: 332] Resource Manager failed memory allocation[...]

Log Categories
CLI,SYSTEM
Log Message
Resource Manager failed memory allocation when adding data resources.
Default Log Severity
Alert
Parameters
 
Explanation
Additional memory could not be allocated when adding data resources.
Gateway Action
None
Action Description
None
Proposed Action
Verify that the system has a sufficient amount of free memory available.

2.5.13. [ID: 483] Resource Manager failed to read information[...]

Log Categories
CLI
Log Message
Resource Manager failed to read information from resource files.
Default Log Severity
Critical
Parameters
 
Explanation
The management system data resources could not be fully updated. This could result in management systems such as the CLI no longer functioning correctly.
Gateway Action
None
Action Description
None
Proposed Action
Verify that the system has a sufficient amount of resources, e.g. free memory. Verify that the storage media is intact.

2.6. CONFIG

These log messages refer to the CONFIG category.

2.6.1. [ID: 1071] Certificate created

Log Categories
CONFIG
Log Message
Certificate created.
Default Log Severity
Notice
Parameters
name
Explanation
Certificate name has been created.
Gateway Action
Accept
Action Description
None
Proposed Action
None

2.6.2. [ID: 1070] Certificate is now revoked

Log Categories
CONFIG
Log Message
Certificate is now revoked.
Default Log Severity
Notice
Parameters
name
Explanation
Certificate name has been revoked and is no longer valid.
Gateway Action
Accept
Action Description
None
Proposed Action
None

2.6.3. [ID: 1069] Certificate has been updated

Log Categories
CONFIG
Log Message
Certificate has been updated.
Default Log Severity
Notice
Parameters
name
Explanation
Certificate name has been updated.
Gateway Action
Accept
Action Description
None
Proposed Action
None

2.6.4. [ID: 512] Activating configuration changes

Log Categories
CONFIG
Log Message
Activating configuration changes.
Default Log Severity
Notice
Parameters
cfgver, mgmtsys, clientip, user, userid
Explanation
A new configuration will be activated.
Gateway Action
None
Action Description
None
Proposed Action
None

2.6.5. [ID: 105] Failed to establish bi-directional[...]

Log Categories
CONFIG
Log Message
Failed to establish bi-directional communication with peer.
Default Log Severity
Critical
Parameters
 
Explanation
The system failed to establish a connection back to peer, using the new configuration.
Gateway Action
None
Action Description
The system will revert to the previous configuration
Proposed Action
Verify that the new configuration file does not contain errors that would cause bi-directional communication failure.

2.6.6. [ID: 1048] Configuration commit failed

Log Categories
CONFIG
Log Message
Configuration commit failed.
Default Log Severity
Error
Parameters
cfgver, mgmtsys, clientip, user, userid
Explanation
The configuration could not be committed.
Gateway Action
None
Action Description
None
Proposed Action
This could be due to lack of storage space. Try freeing up allocated disk space.

2.6.7. [ID: 355] New configuration activated

Log Categories
CONFIG
Log Message
New configuration activated.
Default Log Severity
Notice
SNMP Trap Category
STARTUP
SNMP Trap MIB name
warmStart
SNMP Trap MIB OID
1.3.6.1.6.3.1.1.5.2   (SNMPv2-MIB, RFC3418)
Parameters
cfgver, mgmtsys, clientip, user, userid
Explanation
The firewall is up and running using the new configuration.
Gateway Action
None
Action Description
None
Proposed Action
None

2.6.8. [ID: 532] New configuration committed

Log Categories
CONFIG
Log Message
New configuration committed.
Default Log Severity
Notice
Parameters
cfgver, mgmtsys, clientip, user, userid
Explanation
The firewall has written a new version of the configuration to permanent storage.
Gateway Action
None
Action Description
None
Proposed Action
None

2.6.9. [ID: 494] DCOS could not allocate memory when creating[...]

Log Categories
CONFIG,SYSTEM
Log Message
DCOS could not allocate memory when creating new netobject.
Default Log Severity
Critical
Parameters
 
Explanation
DCOS could not allocate the amount of memory needed to create a new netobject. DCOS and netobject functionality might not be fully functional.
Gateway Action
None
Action Description
None
Proposed Action
Verify that there is enough free memory within the system.

2.6.10. [ID: 216] DCOS could not allocate enough memory to[...]

Log Categories
CONFIG,SYSTEM
Log Message
DCOS could not allocate enough memory to execute the netobjects CLI command.
Default Log Severity
Critical
Parameters
 
Explanation
The system does not have enough free memory to execute the netobjects command with the given parameters.
Gateway Action
None
Action Description
None
Proposed Action
Verify the amount of free memory and/or try executing the netobjects command with another parameter combination.

2.6.11. [ID: 319] DCOS storage could not be initialized

Log Categories
CONFIG
Log Message
DCOS storage could not be initialized.
Default Log Severity
Critical
Parameters
 
Explanation
DCOS could not re-initialize properly during the reconfigure phase. All netobject functionality will be unavailable.
Gateway Action
None
Action Description
None
Proposed Action
Verify that there is enough free memory within the system.

2.6.12. [ID: 1080] An address object is dynamically updated

Log Categories
CONFIG
Log Message
An address object is dynamically updated.
Default Log Severity
Notice
Parameters
module, name, value
Explanation
 
Gateway Action
None
Action Description
None
Proposed Action
None

2.6.13. [ID: 251] Beginning system reconfigure

Log Categories
CONFIG,SYSTEM
Log Message
Beginning system reconfigure.
Default Log Severity
Notice
Parameters
type, reason
Explanation
The firewall will load a new configuration, or reload the running configuration.
Gateway Action
None
Action Description
None
Proposed Action
None

2.6.14. [ID: 593] Failed to reconfigure system

Log Categories
CONFIG,SYSTEM
Log Message
Failed to reconfigure system.
Default Log Severity
Error
Parameters
user, userid
Explanation
Failed to load configuration.
Gateway Action
None
Action Description
None
Proposed Action
None

2.6.15. [ID: 594] Reconfigure completed successfully

Log Categories
CONFIG,SYSTEM
Log Message
Reconfigure completed successfully.
Default Log Severity
Notice
Parameters
user, userid
Explanation
The system has finished loading configuration.
Gateway Action
None
Action Description
None
Proposed Action
None

2.6.16. [ID: 1408] Reconfigure is triggered by subsystem

Log Categories
CONFIG,SYSTEM
Log Message
Reconfigure is triggered by subsystem.
Default Log Severity
Notice
Parameters
module, reason
Explanation
Reconfigure is triggered by subsystem.
Gateway Action
None
Action Description
None
Proposed Action
None

2.7. DHCPCLIENT

These log messages refer to the DHCPCLIENT category.

2.7.1. [ID: 306] Interface has successfully acquired a lease

Log Categories
DHCPCLIENT
Log Message
Interface has successfully acquired a lease.
Default Log Severity
Notice
Parameters
clientip, netmask, bcastip, gwip, serverip, iface
Explanation
An interface has successfully acquired a lease.
Gateway Action
None
Action Description
None
Proposed Action
None

2.7.2. [ID: 191] Lease for the interface has expired

Log Categories
DHCPCLIENT
Log Message
Lease for the interface has expired.
Default Log Severity
Warning
Parameters
iface
Explanation
A lease has expired and the IP data for this interface is no longer valid.
Gateway Action
None
Action Description
None
Proposed Action
Check connection and DHCP server reachability.

2.7.3. [ID: 1078] Lease for the interface was successfully[...]

Log Categories
DHCPCLIENT
Log Message
Lease for the interface was successfully updated.
Default Log Severity
Notice
Parameters
clientip, netmask, bcastip, gwip, serverip, iface
Explanation
An interface has successfully updated its lease.
Gateway Action
None
Action Description
None
Proposed Action
None

2.7.4. [ID: 472] No DHCP offers were received by the DHCP[...]

Log Categories
DHCPCLIENT
Log Message
No DHCP offers were received by the DHCP service.
Default Log Severity
Warning
Parameters
iface
Explanation
No DHCP offers were received from DHCP servers.
Gateway Action
None
Action Description
None
Proposed Action
Check if selected DHCP servers are available and configured properly.

2.7.5. [ID: 287] No valid DHCP offers were received

Log Categories
DHCPCLIENT
Log Message
No valid DHCP offers were received.
Default Log Severity
Warning
Parameters
iface
Explanation
No valid DHCP offers were received from DHCP servers.
Gateway Action
None
Action Description
None
Proposed Action
Check if DHCP client filters are properly configured.

2.7.6. [ID: 1094] Interface received a lease where the offered[...]

Log Categories
DHCPCLIENT
Log Message
Interface received a lease where the offered broadcast address equals the offered gateway.
Default Log Severity
Warning
Parameters
bcastip, iface
Explanation
An interface received a lease where the offered broadcast address equals the offered gateway address.
Gateway Action
Reject
Action Description
None
Proposed Action
Check DHCP server configuration.

2.7.7. [ID: 395] The lease was rejected by an address filter

Log Categories
DHCPCLIENT
Log Message
The lease was rejected by an address filter.
Default Log Severity
Notice
Parameters
clientip, iface
Explanation
The lease was rejected due to an address filter.
Gateway Action
Reject
Action Description
None
Proposed Action
Change DHCP client address filter to allow lease.

2.7.8. [ID: 522] The lease was rejected by a server filter

Log Categories
DHCPCLIENT
Log Message
The lease was rejected by a server filter.
Default Log Severity
Notice
Parameters
serverip, iface
Explanation
The lease was rejected due to a server filter.
Gateway Action
Reject
Action Description
None
Proposed Action
Change DHCP client server filter to allow lease.

2.7.9. [ID: 559] Interface received a lease which will cause[...]

Log Categories
DHCPCLIENT
Log Message
Interface received a lease which will cause an IP collision with a configured route.
Default Log Severity
Warning
Parameters
clientip, iface
Explanation
An interface received a lease which will cause an IP collision with a configured route.
Gateway Action
Reject
Action Description
None
Proposed Action
Check DHCP server configuration and system interface configuration.

2.7.10. [ID: 274] Interface received a lease with an offered IP[...]

Log Categories
DHCPCLIENT
Log Message
Interface received a lease with an offered IP that appear to be occupied.
Default Log Severity
Warning
Parameters
clientip, iface
Explanation
An interface received a lease which appears to be in use by someone else.
Gateway Action
Reject
Action Description
None
Proposed Action
Check network for statically configured hosts or incorrectly proxy ARPed routes.

2.7.11. [ID: 230] Interface received a lease with an invalid[...]

Log Categories
DHCPCLIENT
Log Message
Interface received a lease with an invalid broadcast address.
Default Log Severity
Warning
Parameters
bcastip, iface
Explanation
An interface received a lease with an invalid broadcast address.
Gateway Action
Reject
Action Description
None
Proposed Action
Check DHCP server configuration.

2.7.12. [ID: 435] Interface received a lease with an invalid[...]

Log Categories
DHCPCLIENT
Log Message
Interface received a lease with an invalid gateway address.
Default Log Severity
Warning
Parameters
gwip, iface
Explanation
An interface received a lease with an invalid gateway address.
Gateway Action
Reject
Action Description
None
Proposed Action
Check DHCP server configuration.

2.7.13. [ID: 223] Interface received a lease with an invalid IP[...]

Log Categories
DHCPCLIENT
Log Message
Interface received a lease with an invalid IP address.
Default Log Severity
Warning
Parameters
clientip, iface
Explanation
An interface received a lease with an invalid offered IP address.
Gateway Action
Reject
Action Description
None
Proposed Action
Check DHCP server configuration.

2.7.14. [ID: 325] Interface received a lease with an invalid[...]

Log Categories
DHCPCLIENT
Log Message
Interface received a lease with an invalid netmask address.
Default Log Severity
Warning
Parameters
netmask, iface
Explanation
An interface received a lease with an invalid netmask.
Gateway Action
Reject
Action Description
None
Proposed Action
Check DHCP server configuration.

2.7.15. [ID: 499] Interface received a lease with an invalid[...]

Log Categories
DHCPCLIENT
Log Message
Interface received a lease with an invalid DHCP server address.
Default Log Severity
Warning
Parameters
serverip, iface
Explanation
An interface received an invalid DHCP server address.
Gateway Action
Reject
Action Description
None
Proposed Action
Check DHCP server configuration.

2.7.16. [ID: 481] The requested lease was rejected by the server

Log Categories
DHCPCLIENT
Log Message
The requested lease was rejected by the server.
Default Log Severity
Warning
Parameters
clientip, serverip, iface
Explanation
A requested lease was rejected by a DHCP server.
Gateway Action
Reject
Action Description
None
Proposed Action
Check if client has moved to new subnet or if client's lease has expired.

2.7.17. [ID: 222] Interface received a lease which will cause a[...]

Log Categories
DHCPCLIENT
Log Message
Interface received a lease which will cause a route collision with a configured route.
Default Log Severity
Warning
Parameters
clientip, iface
Explanation
An interface received a lease which will cause a route collision with a configured route.
Gateway Action
Reject
Action Description
None
Proposed Action
Check DHCP server configuration and system interface configuration.

2.7.18. [ID: 324] Too many DHCP offers received

Log Categories
DHCPCLIENT
Log Message
Too many DHCP offers received.
Default Log Severity
Warning
Parameters
iface
Explanation
Too many DHCP offers received for the interface.
Gateway Action
Ignore
Action Description
This and subsequent offers will be ignored
Proposed Action
Change DHCP client configuration to filter leases.

2.8. DHCPSERVER

These log messages refer to the DHCPSERVER category.

2.8.1. [ID: 1394] Invalid DHCP packet received

Log Categories
DHCPSERVER,DHCPCLIENT
Log Message
Invalid DHCP packet received.
Default Log Severity
Warning
Parameters
len, iface
Explanation
The system received a DHCP packet that was too short to process.
Gateway Action
Drop
Action Description
 
Proposed Action
Investigate why broken DHCP packets are sent on the network.

2.8.2. [ID: 892] All pools are depleted

Log Categories
DHCPSERVER
Log Message
All pools are depleted. Unable to handle request. Ignoring.
Default Log Severity
Warning
Parameters
 
Explanation
All pools have been depleted.
Gateway Action
None
Action Description
None
Proposed Action
Extend the pools to support more clients.

2.8.3. [ID: 907] Blacklist item timed out

Log Categories
DHCPSERVER
Log Message
Blacklist item timed out. IP is.
Default Log Severity
Notice
Parameters
clientip
Explanation
A blacklisted IP automatically timed out.
Gateway Action
None
Action Description
None
Proposed Action
None

2.8.4. [ID: 888] Client accepted and bounded with IP

Log Categories
DHCPSERVER
Log Message
Client accepted and bounded with IP.
Default Log Severity
Notice
Parameters
srchw, clientip
Explanation
The client accepted the IP address and is now bound.
Gateway Action
None
Action Description
None
Proposed Action
None

2.8.5. [ID: 884] Client renewed IP

Log Categories
DHCPSERVER
Log Message
Client renewed IP.
Default Log Severity
Notice
Parameters
srchw, clientip
Explanation
Client successfully renewed its lease.
Gateway Action
None
Action Description
None
Proposed Action
None

2.8.6. [ID: 906] DHCP Server error

Log Categories
DHCPSERVER
Log Message
DHCP Server error.
Default Log Severity
Warning
Parameters
value, code, option
Explanation
DHCP Server error.
Gateway Action
None
Action Description
None
Proposed Action
None

2.8.7. [ID: 905] Got decline for ip on wrong interface so[...]

Log Categories
DHCPSERVER
Log Message
Got decline for ip on wrong interface so ignored it.
Default Log Severity
Notice
Parameters
srchw, clientip, iface, recviface
Explanation
Got decline from a client on the wrong interface.
Gateway Action
None
Action Description
None
Proposed Action
Check network for inconsistent routes.

2.8.8. [ID: 882] Client declined non offered IP

Log Categories
DHCPSERVER
Log Message
Client declined non offered IP. Decline is ignored.
Default Log Severity
Notice
Parameters
srchw
Explanation
Client rejected a non-offered IP.
Gateway Action
None
Action Description
None
Proposed Action
None

2.8.9. [ID: 898] Server identifier not specified in incoming[...]

Log Categories
DHCPSERVER
Log Message
Server identifier not specified in incoming Decline message.
Default Log Severity
Notice
Parameters
 
Explanation
Server identifier not specified in incoming Decline message.
Gateway Action
None
Action Description
None
Proposed Action
None

2.8.10. [ID: 881] Server identifier in Decline message does not[...]

Log Categories
DHCPSERVER
Log Message
Server identifier in Decline message does not match this server.
Default Log Severity
Notice
Parameters
 
Explanation
Server identifier in Decline message does not match this server.
Gateway Action
None
Action Description
None
Proposed Action
None

2.8.11. [ID: 886] Client declined IP

Log Categories
DHCPSERVER
Log Message
Client declined IP. Blacklisted it.
Default Log Severity
Warning
Parameters
srchw, clientip
Explanation
A client declined an offered IP (indicating that the IP is already in use by someone else).
Gateway Action
None
Action Description
None
Proposed Action
Check network for statically configured hosts or incorrectly proxy ARPed routes.

2.8.12. [ID: 883] Received DHCP packet is smaller than the[...]

Log Categories
DHCPSERVER
Log Message
Received DHCP packet is smaller than the minimum allowed 300 bytes. Dropping.
Default Log Severity
Warning
Parameters
 
Explanation
Received a DHCP packet which is smaller than the minimum allowed 300 bytes.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate what client implementation is being used.

2.8.13. [ID: 903] Got INFORM request from client

Log Categories
DHCPSERVER
Log Message
Got INFORM request from client. Acknowledging.
Default Log Severity
Notice
Parameters
srchw, clientip
Explanation
Got an inform (client already got an IP and asks for configuration parameters) request from a client.
Gateway Action
None
Action Description
None
Proposed Action
None

2.8.14. [ID: 1398] Received packet with invalid DHCP cookie

Log Categories
DHCPSERVER
Log Message
Received packet with invalid DHCP cookie. Dropping.
Default Log Severity
Warning
Parameters
 
Explanation
The system received a DHCP packet without the proper DHCP cookie.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.8.15. [ID: 921] Unable to load the lease database

Log Categories
DHCPSERVER
Log Message
Unable to load the lease database.
Default Log Severity
Error
Parameters
 
Explanation
Unable to load the lease database.
Gateway Action
None
Action Description
None
Proposed Action
None

2.8.16. [ID: 922] Lease database was successfully loaded

Log Categories
DHCPSERVER
Log Message
Lease database was successfully loaded.
Default Log Severity
Notice
Parameters
 
Explanation
Lease database was successfully loaded.
Gateway Action
None
Action Description
None
Proposed Action
None

2.8.17. [ID: 924] Unable to auto save the lease database to disk

Log Categories
DHCPSERVER
Log Message
Unable to auto save the lease database to disk.
Default Log Severity
Error
Parameters
 
Explanation
Unable to auto save the lease database to disk.
Gateway Action
None
Action Description
None
Proposed Action
None

2.8.18. [ID: 923] Lease database was successfully auto saved to[...]

Log Categories
DHCPSERVER
Log Message
Lease database was successfully auto saved to disk.
Default Log Severity
Notice
Parameters
 
Explanation
Lease database was successfully auto saved to disk.
Gateway Action
None
Action Description
None
Proposed Action
None

2.8.19. [ID: 896] Lease timed out

Log Categories
DHCPSERVER
Log Message
Lease timed out. Was bound to client.
Default Log Severity
Notice
Parameters
clientip, srchw
Explanation
A client lease wasn't renewed and timed out.
Gateway Action
None
Action Description
None
Proposed Action
None

2.8.20. [ID: 889] Offer timed out

Log Categories
DHCPSERVER
Log Message
Offer timed out. Was bound to client.
Default Log Severity
Notice
Parameters
clientip, srchw
Explanation
An offer to a client was never accepted and timed out.
Gateway Action
None
Action Description
None
Proposed Action
None

2.8.21. [ID: 887] The option section is too big

Log Categories
DHCPSERVER
Log Message
The option section is too big. Unable to reply. Dropping.
Default Log Severity
Warning
Parameters
 
Explanation
Unable to send reply since the DHCP option section is too big.
Gateway Action
Drop
Action Description
None
Proposed Action
Reduce the number of used DHCP options.

2.8.22. [ID: 948] All IPs in the pool are in use now

Log Categories
DHCPSERVER
Log Message
All IPs in the pool are in use now.
Default Log Severity
Notice
Parameters
 
Explanation
There is no address left in the pool for fulfilling the next DHCPDISCOVER.
Gateway Action
None
Action Description
None
Proposed Action
None

2.8.23. [ID: 890] All IPs in the pool are in use

Log Categories
DHCPSERVER
Log Message
All IPs in the pool are in use. Discover cannot be fulfilled.
Default Log Severity
Notice
Parameters
 
Explanation
A DISCOVER cannot be fulfilled since all pools are in use.
Gateway Action
None
Action Description
None
Proposed Action
Extend the pools to support more clients.

2.8.24. [ID: 885] Got release for IP on wrong interface

Log Categories
DHCPSERVER
Log Message
Got release for IP on wrong interface. Release is ignored.
Default Log Severity
Warning
Parameters
srchw, clientip, recviface, iface
Explanation
Got release from a client on the wrong interface.
Gateway Action
None
Action Description
None
Proposed Action
Check network for inconsistent routes.

2.8.25. [ID: 1043] The IP address the client tried to release is[...]

Log Categories
DHCPSERVER
Log Message
The IP address the client tried to release is not associated with the offered client identifier. Dropping.
Default Log Severity
Notice
Parameters
id, ip, knownip
Explanation
The IP address the client tried to release is not associated with the offered client identifier. Dropping. The id argument is the client identifier of the lease.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.8.26. [ID: 1042] The IP address the client tried to release is[...]

Log Categories
DHCPSERVER
Log Message
The IP address the client tried to release is not associated with the offered MAC address. Dropping.
Default Log Severity
Notice
Parameters
srchw, ip, knownip
Explanation
The IP address the client tried to release is not associated with the offered client identifier. Dropping.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.8.27. [ID: 900] Client released IP

Log Categories
DHCPSERVER
Log Message
Client released IP.
Default Log Severity
Notice
Parameters
srchw, clientip
Explanation
A client released (prematurely ended) its lease.
Gateway Action
None
Action Description
None
Proposed Action
None

2.8.28. [ID: 901] Received a request from bounded client for[...]

Log Categories
DHCPSERVER
Log Message
Received a request from bounded client for not known IP with correct serverident. Ignoring.
Default Log Severity
Warning
Parameters
srchw, clientip
Explanation
Received a request from bounded client for not known IP with correct serverident. Ignoring.
Gateway Action
None
Action Description
None
Proposed Action
None

2.8.29. [ID: 895] Received a request from bounded client for IP[...]

Log Categories
DHCPSERVER
Log Message
Received a request from bounded client for IP with incorrect serverident. Rejecting.
Default Log Severity
Warning
Parameters
srchw, clientip
Explanation
Received a request from bounded client for IP with incorrect serverident. Rejecting.
Gateway Action
Reject
Action Description
None
Proposed Action
None

2.8.30. [ID: 899] Received a request from not-bounded client[...]

Log Categories
DHCPSERVER
Log Message
Received a request from not-bounded client for not known IP with correct serverident. Ignoring.
Default Log Severity
Warning
Parameters
srchw, newip
Explanation
Received a request from not-bounded client for not known IP with correct serverident. Ignoring.
Gateway Action
None
Action Description
None
Proposed Action
None

2.8.31. [ID: 904] Received a request from not-bounded client[...]

Log Categories
DHCPSERVER
Log Message
Received a request from not-bounded client for IP with incorrect serverident. Rejecting.
Default Log Severity
Warning
Parameters
srchw, newip
Explanation
Received a request from not-bounded client for IP with incorrect serverident. Rejecting.
Gateway Action
Reject
Action Description
None
Proposed Action
None

2.8.32. [ID: 891] Client requested non bound IP

Log Categories
DHCPSERVER
Log Message
Client requested non bound IP. Rejecting.
Default Log Severity
Warning
Parameters
srchw, ip, knownip
Explanation
Client sent a request for a non bound IP.
Gateway Action
Reject
Action Description
None
Proposed Action
None

2.8.33. [ID: 893] Client requested non offered IP

Log Categories
DHCPSERVER
Log Message
Client requested non offered IP. Rejecting.
Default Log Severity
Warning
Parameters
srchw, ip, knownip
Explanation
Client requested a non bound IP.
Gateway Action
Reject
Action Description
None
Proposed Action
None

2.8.34. [ID: 894] Received request with bad UDP checksum

Log Categories
DHCPSERVER
Log Message
Received request with bad UDP checksum. Dropping.
Default Log Severity
Warning
Parameters
 
Explanation
Received request with bad UDP checksum.
Gateway Action
Drop
Action Description
None
Proposed Action
Check network equipment for errors.

2.8.35. [ID: 902] Sending IP offer for received DISCOVER

Log Categories
DHCPSERVER
Log Message
Sending IP offer for received DISCOVER.
Default Log Severity
Notice
Parameters
srchw, knownip
Explanation
Received discover (initial IP query) from a client.
Gateway Action
None
Action Description
None
Proposed Action
None

2.8.36. [ID: 897] Failed to get buffer for sending

Log Categories
DHCPSERVER
Log Message
Failed to get buffer for sending. Unable to reply.
Default Log Severity
Warning
Parameters
 
Explanation
Unable to get a buffer for sending.
Gateway Action
None
Action Description
None
Proposed Action
Check buffer consumption.

2.8.37. [ID: 919] The matching rule does not have useful lease[...]

Log Categories
DHCPSERVER
Log Message
The matching rule does not have useful lease and allows further matching. Rematching with the next rule.
Default Log Severity
Notice
Parameters
 
Explanation
The matching rule does not have useful lease and allows further matching. Rematching with the next rule.
Gateway Action
None
Action Description
None
Proposed Action
None

2.8.38. [ID: 1399] Received DHCP option without message type

Log Categories
DHCPSERVER
Log Message
Received DHCP option without message type. Dropping.
Default Log Severity
Warning
Parameters
 
Explanation
The system received a DHCP message with an option without type.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate why broken DHCP packets are sent on the network.

2.8.39. [ID: 920] The matching rule does not have useful lease[...]

Log Categories
DHCPSERVER
Log Message
The matching rule does not have useful lease and does not allow further matching. Dropping.
Default Log Severity
Notice
Parameters
 
Explanation
The matching rule does not have useful lease and does not allow further matching. Dropping.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.8.40. [ID: 1392] Received DHCP message with unknown type

Log Categories
DHCPSERVER
Log Message
Received DHCP message with unknown type. Dropping.
Default Log Severity
Warning
Parameters
type
Explanation
The system received a DHCP message with an unknown DHCP type.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.9. DNSALG

These log messages refer to the DNSALG category.

2.9.1. [ID: 1303] Failed to create new session

Log Categories
DNSALG
Log Message
Failed to create new session.
Default Log Severity
Error
Parameters
 
Explanation
An attempt to create a new DNSALG session failed, because the unit is out of memory.
Gateway Action
Close
Action Description
None
Proposed Action
Decrease the maximum number of allowed DNSALG sessions, or try to free some of the RAM used.

2.9.2. [ID: 1307] Flow failed

Log Categories
DNSALG
Log Message
Flow failed.
Default Log Severity
Notice
Parameters
reason, originator, sessionid, flow, rule
Explanation
An error occurred that caused the DNS flow to be aborted.
Gateway Action
Abort
Action Description
None
Proposed Action
None

2.9.3. [ID: 1306] DNS packet rejected

Log Categories
DNSALG
Log Message
DNS packet rejected.
Default Log Severity
Information
Parameters
sessionid, profile, reason, flow
Explanation
A DNS packet was rejected by the ALG.
Gateway Action
Drop
Action Description
None
Proposed Action
Verify that the DNS clients are correctly configured.

2.9.4. [ID: 1308] Session closed

Log Categories
DNSALG
Log Message
Session closed.
Default Log Severity
Information
Parameters
sessionid, profile, flow
Explanation
A session using the DNS ALG was closed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.9.5. [ID: 1304] Session opened

Log Categories
DNSALG
Log Message
Session opened.
Default Log Severity
Information
Parameters
sessionid, profile, flow
Explanation
A session using the DNS ALG was opened.
Gateway Action
Open
Action Description
None
Proposed Action
None

2.9.6. [ID: 1302] Transaction closed

Log Categories
DNSALG
Log Message
Transaction closed.
Default Log Severity
Information
Parameters
sessionid, profile, transactionid, flow
Explanation
A transaction using the DNS ALG was closed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.9.7. [ID: 1305] Transaction opened

Log Categories
DNSALG
Log Message
Transaction opened.
Default Log Severity
Information
Parameters
sessionid, profile, transactionid, flow
Explanation
A transaction using the DNS ALG was opened.
Gateway Action
Open
Action Description
None
Proposed Action
None

2.10. DYNROUTE

These log messages refer to the DYNROUTE category.

2.10.1. [ID: 1319] Dynrouting message

Log Categories
DYNROUTE
Log Message
Dynrouting message.
Default Log Severity
Error
Parameters
module, msg
Explanation
This is a generic warning/error message from a dynroute module.
Gateway Action
None
Action Description
None
Proposed Action
Contact customer support.

2.10.2. [ID: 1698] Failed to add socket rules

Log Categories
DYNROUTE
Log Message
Failed to add socket rules.
Default Log Severity
Warning
Parameters
remoteip, srcport, destport
Explanation
Failed to add socket rules in dataplane.
Gateway Action
Drop
Action Description
None
Proposed Action
Contact customer support.

2.10.3. [ID: 1697] Failed to remove socket rules

Log Categories
DYNROUTE
Log Message
Failed to remove socket rules.
Default Log Severity
Warning
Parameters
remoteip, srcport, destport
Explanation
Failed to remove socket rules in dataplane.
Gateway Action
None
Action Description
None
Proposed Action
Contact customer support.

2.10.4. [ID: 1312] Route lookup for dynrouting peer failed

Log Categories
DYNROUTE
Log Message
Route lookup for dynrouting peer failed.
Default Log Severity
Error
Parameters
remoteip, destport, table
Explanation
Unable to perform a route lookup for the dynrouting peer.
Gateway Action
Drop
Action Description
None
Proposed Action
Update the referred routing table so that the peer IP becomes routable.

2.11. ETHERNET

These log messages refer to the ETHERNET category.

2.11.1. [ID: 357] Broadcast Ethernet source

Log Categories
ETHERNET,STATELESS,VALIDATE
Log Message
Broadcast Ethernet source.
Default Log Severity
Warning
Parameters
srchw, pkt
Explanation
An Ethernet packet with the sender address set to the broadcast address was received.
Gateway Action
Allow
Action Description
None
Proposed Action
Legal uses for network packets with a broadcast Ethernet sender are rare. Consider adjusting the TransparencySettings:BroadcastEnetSender setting to drop this kind of packet.

2.11.2. [ID: 613] Broadcast Ethernet source

Log Categories
ETHERNET,STATELESS,VALIDATE
Log Message
Broadcast Ethernet source.
Default Log Severity
Warning
Parameters
srchw, pkt
Explanation
An Ethernet packet with the sender address set to the broadcast address was received.
Gateway Action
Drop
Action Description
None
Proposed Action
Legal uses for network packets with a broadcast Ethernet sender are rare. The TransparencySettings:BroadcastEnetSender setting can be changed to allow this kind of packet.

2.11.3. [ID: 615] Multicast Ethernet source

Log Categories
ETHERNET,STATELESS,VALIDATE
Log Message
Multicast Ethernet source.
Default Log Severity
Warning
Parameters
srchw, pkt
Explanation
An Ethernet packet with the sender address set to a multicast address was received.
Gateway Action
Allow
Action Description
None
Proposed Action
Legal uses for network packets with a multicast Ethernet sender are rare. Consider adjusting the TransparencySettings:MulticastEnetSender setting to drop this kind of packet.

2.11.4. [ID: 428] Multicast Ethernet source

Log Categories
ETHERNET,STATELESS,VALIDATE
Log Message
Multicast Ethernet source.
Default Log Severity
Warning
Parameters
srchw, pkt
Explanation
An Ethernet packet with the sender address set to a multicast address was received.
Gateway Action
Drop
Action Description
None
Proposed Action
Legal uses for network packets with a multicast Ethernet sender are rare. The TransparencySettings:MulticastEnetSender setting can be changed to allow this kind of packet.

2.11.5. [ID: 132] Not for me

Log Categories
ETHERNET,STATELESS,VALIDATE
Log Message
Not for me.
Default Log Severity
Debug
Parameters
srchw, desthw, recviface, pkt
Explanation
A unicast Ethernet packet has been received by interface recviface, but was dropped because the Ethernet destination of the packet was not that of this interface.
Gateway Action
Drop
Action Description
None
Proposed Action
This message can be turned off using the setting MiscSettings:NotLocalEnetDest.

2.11.6. [ID: 327] Null Ethernet source

Log Categories
ETHERNET,STATELESS,VALIDATE
Log Message
Null Ethernet source.
Default Log Severity
Warning
Parameters
pkt
Explanation
An Ethernet packet with a sender address consisting of all zeroes was dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the TransparencySettings:NullEnetSender advanced setting to modify the logging of Ethernet packets with a zero sender address.

2.11.7. [ID: 537] Unicast MAC with broadcast IP

Log Categories
ETHERNET,IPV4,STATELESS,VALIDATE
Log Message
Unicast MAC with broadcast IP.
Default Log Severity
Warning
Parameters
destip, desthw, pkt
Explanation
The Ethernet destination is unicast, but the IP destination is broadcast.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:MulticastIPEnetOnMismatch setting can be changed to control the gateway's behavior for multicast/broadcast IP packets on an Ethernet network, where the Ethernet and the IP destination do not match.

2.11.8. [ID: 490] Unicast MAC with broadcast IP

Log Categories
ETHERNET,IPV4,STATELESS,VALIDATE
Log Message
Unicast MAC with broadcast IP.
Default Log Severity
Warning
Parameters
destip, desthw, pkt
Explanation
The Ethernet destination is unicast, but the IP destination is broadcast.
Gateway Action
None
Action Description
None
Proposed Action
The IPSettings:MulticastIPEnetOnMismatch setting can be changed to control the gateway's behavior for multicast/broadcast IP packets on an Ethernet network, where the Ethernet and the IP destination do not match. The recommended action is to drop these packets.

2.11.9. [ID: 229] Unicast MAC with multicast IP

Log Categories
ETHERNET,IPV4,STATELESS,VALIDATE
Log Message
Unicast MAC with multicast IP.
Default Log Severity
Warning
Parameters
destip, desthw, pkt
Explanation
The Ethernet destination is unicast, but the IP destination is multicast. This is a known exploit against some multicast protocol.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:MulticastIPEnetOnMismatch setting can be changed to control the gateway's behavior for multicast/broadcast IP packets on an Ethernet network, where the Ethernet and the IP destination do not match.

2.11.10. [ID: 104] Unicast MAC with multicast IP

Log Categories
ETHERNET,IPV4,STATELESS,VALIDATE
Log Message
Unicast MAC with multicast IP.
Default Log Severity
Warning
Parameters
destip, desthw, pkt
Explanation
The Ethernet destination is unicast, but the IP destination is multicast. This is a known exploit against some multicast protocol.
Gateway Action
None
Action Description
None
Proposed Action
The IPSettings:MulticastIPEnetOnMismatch setting can be changed to control the gateway's behavior for multicast/broadcast IP packets on an Ethernet network, where the Ethernet and the IP destination do not match. The recommended action is to drop these packets.

2.11.11. [ID: 548] Non matching IP and MAC multicast

Log Categories
ETHERNET,IPV4,STATELESS,VALIDATE
Log Message
Non matching IP and MAC multicast.
Default Log Severity
Warning
Parameters
destip, desthw, pkt
Explanation
The Ethernet multicast destination does not match that of the IP multicast destination.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:MulticastIPEnetOnMismatch setting can be changed to control the gateway's behavior for multicast/broadcast IP packets on an Ethernet network, where the Ethernet and the IP destination do not match.

2.11.12. [ID: 340] Non matching IP and MAC multicast

Log Categories
ETHERNET,IPV4,STATELESS,VALIDATE
Log Message
Non matching IP and MAC multicast.
Default Log Severity
Warning
Parameters
destip, desthw, pkt
Explanation
The Ethernet multicast destination does not match that of the IP multicast destination.
Gateway Action
None
Action Description
None
Proposed Action
The IPSettings:MulticastIPEnetOnMismatch setting can be changed to control the gateway's behavior for multicast/broadcast IP packets on an Ethernet network, where the Ethernet and the IP destination do not match. The recommended action is to drop these packets.

2.11.13. [ID: 627] Multicast MAC with unicast IP

Log Categories
ETHERNET,IPV4,STATELESS,VALIDATE
Log Message
Multicast MAC with unicast IP.
Default Log Severity
Warning
Parameters
destip, desthw, pkt
Explanation
The Ethernet destination is multicast, but the IP destination is not multicast.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:MulticastIPEnetOnMismatch setting can be changed to control the gateway's behavior for multicast/broadcast IP packets on an Ethernet network, where the Ethernet and the IP destination do not match.

2.11.14. [ID: 423] Multicast MAC with unicast IP

Log Categories
ETHERNET,IPV4,STATELESS,VALIDATE
Log Message
Multicast MAC with unicast IP.
Default Log Severity
Warning
Parameters
destip, desthw, pkt
Explanation
The Ethernet destination is multicast, but the IP destination is not multicast.
Gateway Action
None
Action Description
None
Proposed Action
The IPSettings:MulticastIPEnetOnMismatch setting can be changed to control the gateway's behavior for multicast/broadcast IP packets on an Ethernet network, where the Ethernet and the IP destination do not match. The recommended action is to drop these packets.

2.11.15. [ID: 1665] IPv6 broadcast packet

Log Categories
ETHERNET,IPV6,STATELESS,VALIDATE
Log Message
IPv6 broadcast packet.
Default Log Severity
Warning
Parameters
srchw, desthw, recviface, pkt
Explanation
A multicast IPv6 packet, using a broadcast (or possibly some other type of non-conformal multicast) Ethernet destination, was received. This is not supported by the IPv6 standard, and most appliances will ignore such traffic.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate why these packets appear; identify, isolate and optionally update the source of the packets. As this type of message is illegal to use in IPv6 networks, yet is universally supported by all Ethernet II capable devices, there is still a possibility that some network appliances will act in unexpected ways on the traffic. This in turn makes it a possible attack vector against IPv6 multicast services such as, but not limited to, ND (neighbour discovery) and MLD. This log message can be disabled by the IPSettings:LogNonIP4 setting.

2.11.16. [ID: 219] Unicast MAC with multicast IP

Log Categories
ETHERNET,IPV6,STATELESS,VALIDATE
Log Message
Unicast MAC with multicast IP.
Default Log Severity
Warning
Parameters
destip, desthw, pkt
Explanation
The Ethernet destination is unicast, but the IP destination is multicast. This is a known exploit against some multicast protocol.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:MulticastIPEnetOnMismatch setting can be changed to control the gateway's behavior for multicast/broadcast IP packets on an Ethernet network, where the Ethernet and the IP destination do not match.

2.11.17. [ID: 362] Unicast MAC with multicast IP

Log Categories
ETHERNET,IPV6,STATELESS,VALIDATE
Log Message
Unicast MAC with multicast IP.
Default Log Severity
Warning
Parameters
destip, desthw, pkt
Explanation
The Ethernet destination is unicast, but the IP destination is multicast. This is a known exploit against some multicast protocol.
Gateway Action
None
Action Description
None
Proposed Action
The IPSettings:MulticastIPEnetOnMismatch setting can be changed to control the gateway's behavior for multicast/broadcast IP packets on an Ethernet network, where the Ethernet and the IP destination do not match. The recommended action is to drop these packets.

2.11.18. [ID: 192] Non matching IP and MAC multicast

Log Categories
ETHERNET,IPV6,STATELESS,VALIDATE
Log Message
Non matching IP and MAC multicast.
Default Log Severity
Notice
Parameters
destip, desthw, pkt
Explanation
The Ethernet multicast destination does not match that of the IP multicast destination.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:MulticastIPEnetOnMismatch setting can be changed to control the gateway's behavior for multicast/broadcast IP packets on an Ethernet network, where the Ethernet and the IP destination do not match.

2.11.19. [ID: 438] Non matching IP and MAC multicast

Log Categories
ETHERNET,IPV6,STATELESS,VALIDATE
Log Message
Non matching IP and MAC multicast.
Default Log Severity
Notice
Parameters
destip, desthw, pkt
Explanation
The Ethernet multicast destination does not match that of the IP multicast destination.
Gateway Action
None
Action Description
None
Proposed Action
The IPSettings:MulticastIPEnetOnMismatch setting can be changed to control the gateway's behavior for multicast/broadcast IP packets on an Ethernet network, where the Ethernet and the IP destination do not match. The recommended action is to drop these packets.

2.11.20. [ID: 595] Multicast MAC with unicast IP

Log Categories
ETHERNET,IPV6,STATELESS,VALIDATE
Log Message
Multicast MAC with unicast IP.
Default Log Severity
Warning
Parameters
destip, desthw, pkt
Explanation
The Ethernet destination is multicast, but the IP destination is not multicast.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:MulticastIPEnetOnMismatch setting can be changed to control the gateway's behavior for multicast/broadcast IP packets on an Ethernet network, where the Ethernet and the IP destination do not match.

2.11.21. [ID: 397] Multicast MAC with unicast IP

Log Categories
ETHERNET,IPV6,STATELESS,VALIDATE
Log Message
Multicast MAC with unicast IP.
Default Log Severity
Warning
Parameters
destip, desthw, pkt
Explanation
The Ethernet destination is multicast, but the IP destination is not multicast.
Gateway Action
None
Action Description
None
Proposed Action
The IPSettings:MulticastIPEnetOnMismatch setting can be changed to control the gateway's behavior for multicast/broadcast IP packets on an Ethernet network, where the Ethernet and the IP destination do not match. The recommended action is to drop these packets.

2.12. FLOW

These log messages refer to the FLOW category.

2.12.1. [ID: 788] Flow HA sync failed due to ruleset lookup[...]

Log Categories
FLOW
Log Message
Flow HA sync failed due to ruleset lookup failure.
Default Log Severity
Error
Parameters
matchkey
Explanation
The flow could not be installed on the inactive node since the ruleset lookup on the inactive node failed.
Gateway Action
Skip
Action Description
None
Proposed Action
Make sure that logging is enabled on the rules that match the traffic and look for other logs that could reveal the actual cause of the ruleset lookup failure. The cause could, for instance, be related to resources (memory, port allocation, etc.) or configuration.

2.12.2. [ID: 333] The flow cannot be updated to comply with[...]

Log Categories
FLOW
Log Message
The flow cannot be updated to comply with rule changes.
Default Log Severity
Notice
Parameters
conflictrule, flow, flowusage, app, rule, ruletype, ruleorigin, user, userid
Explanation
The rules had been changed in such a way that the flow state could not be updated to comply. Packets with the same traffic parameters would still be able to set up new, slightly different, flow states but this flow state had to be closed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.12.3. [ID: 1007] Flow closed by application control

Log Categories
FLOW
Log Message
Flow closed by application control.
Default Log Severity
Information
Parameters
flow, flowusage, user, userid
Explanation
The flow was closed by the application control function.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.12.4. [ID: 1127] Flow closed by an ALG

Log Categories
FLOW
Log Message
Flow closed by an ALG.
Default Log Severity
Information
Parameters
flow, flowusage, geoip, app, rule, ruletype, ruleorigin, user, userid
Explanation
A flow was closed by an ALG.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.12.5. [ID: 460] Flow closed by admin

Log Categories
FLOW
Log Message
Flow closed by admin.
Default Log Severity
Notice
Parameters
flow, flowusage, geoip, app, user, userid
Explanation
The flow was closed by request of the administrator.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.12.6. [ID: 1644] Flow closed by module

Log Categories
FLOW
Log Message
Flow closed by module.
Default Log Severity
Information
Parameters
module, reason, flow, flowusage, geoip, app, user, userid
Explanation
A module in the system closed the flow, due to an error condition or a rule violation.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.12.7. [ID: 341] Flow closed due to random replacement

Log Categories
FLOW
Log Message
Flow closed due to random replacement.
Default Log Severity
Warning
Parameters
flow, flowusage, geoip, app, user, userid
Explanation
There was a shortage of free flows and therefore, one randomly selected active flow or flow-pair was removed. This only happens when someone is trying to open more flows than the system has been configured to support. For instance, a distributed denial-of-service attack might trigger this event.
Gateway Action
Close
Action Description
None
Proposed Action
Configure the system to support more simultaneous flows, or try to track down the host(s) that overload the network.

2.12.8. [ID: 379] Flow closed due to timeout

Log Categories
FLOW
Log Message
Flow closed due to timeout.
Default Log Severity
Information
Parameters
flow, flowusage, geoip, app, rule, ruletype, ruleorigin, user, userid
Explanation
The flow or flow-pair was closed since it had exceeded its idle lifetime.
Gateway Action
Close
Action Description
None
Proposed Action
The idle lifetime can be increased or decreased per protocol type or service.

2.12.9. [ID: 367] Flow closed due to reopen

Log Categories
FLOW
Log Message
Flow closed due to reopen.
Default Log Severity
Information
Parameters
flow, flowusage, app, user, userid
Explanation
A received packet belonged to another logical connection than the one represented by the flow state that matched the packet. The flow state was closed so that a new flow state could be opened for the packet. Currently, this applies when receiving a TCP SYN that does not match the state of the existing flow state.
Gateway Action
Close
Action Description
None
Proposed Action
Whether a new TCP SYN is allowed to close an existing flow state and create a new flow state is controlled by the setting TCPSettings:TCPAllowReopen.

2.12.10. [ID: 111] The matching flow cannot be used for the[...]

Log Categories
FLOW
Log Message
The matching flow cannot be used for the packet anymore.
Default Log Severity
Debug
Parameters
pkt
Explanation
The flow that matched the packet was changed, that is, updated or closed and opened up again, while the packet was processed by the gateway. The changes in the flow made it impossible to continue processing the packet so the packet had to be dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.12.11. [ID: 500] Out of memory during flow maintenance

Log Categories
FLOW,SYSTEM
Log Message
Out of memory during flow maintenance.
Default Log Severity
Emergency
Parameters
 
Explanation
A memory allocation attempt failed while allocating memory needed for flow maintenance. Normal operation cannot be guaranteed.
Gateway Action
Abort
Action Description
None
Proposed Action
Investigate why the system is low on RAM. Review the configuration and try to free more RAM.

2.12.12. [ID: 400] Flow maintenance failed

Log Categories
FLOW
Log Message
Flow maintenance failed.
Default Log Severity
Error
Parameters
error, flow, flowusage, app, rule, ruletype, ruleorigin, user, userid
Explanation
The device failed to update a flow and had to close it. This can be a sign of a system-wide problem, for instance, the system being low on memory.
Gateway Action
Close
Action Description
None
Proposed Action
Search for other logs that can provide more information.

2.12.13. [ID: 300] There is no flow for the packet anymore

Log Categories
FLOW
Log Message
There is no flow for the packet anymore.
Default Log Severity
Debug
Parameters
pkt
Explanation
The flow that matched the packet was closed while the packet was processed by the gateway. Since the packet was partially processed, it could not safely be used to set up a new flow, so the packet had to be dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.12.14. [ID: 224] Packet not allowed to trigger maintenance of[...]

Log Categories
FLOW
Log Message
Packet not allowed to trigger maintenance of the flow state.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
When trying to process a packet using a flow state, the flow state was found to be outdated. This packet could not be used to update the flow state so the packet was dropped. There are several reasons why a packet cannot be used to trigger an update of a flow state, for instance, that the packet has been partially processed or that the packet is related to the flow state rather than belonging to the connection that the flow state represents. One example of related packets is ICMP errors.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.12.15. [ID: 424] The flow is not allowed anymore

Log Categories
FLOW
Log Message
The flow is not allowed anymore.
Default Log Severity
Notice
Parameters
conflictrule, flow, flowusage, app, rule, ruletype, ruleorigin, user, userid
Explanation
The rules had been changed so that the flow was not allowed anymore.
Gateway Action
Close
Action Description
None
Proposed Action
If this flow should be allowed then verify that recent configuration changes are correct.

2.12.16. [ID: 1062] Not security equivalent after route change

Log Categories
FLOW
Log Message
Not security equivalent after route change.
Default Log Severity
Notice
Parameters
conflictrule, flow, flowusage, app, rule, ruletype, ruleorigin, user, userid
Explanation
The routes had been changed in such a way that the flow state would have been routed through interfaces that were not security equivalent with the ones originally used. Packets with the same traffic parameters would still be able to set up new, slightly different, flow states, but this flow state had to be closed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.12.17. [ID: 372] Flow opened

Log Categories
FLOW
Log Message
Flow opened.
Default Log Severity
Information
Parameters
trafficshaping, route, sessionid, ipsrule, flow, geoip, app, rule, ruletype, ruleorigin, user, userid
Explanation
A packet was received that triggered a new stateful flow to be created.
Gateway Action
Open
Action Description
None
Proposed Action
None

2.12.18. [ID: 1014] Flow opened stateless

Log Categories
FLOW
Log Message
Flow opened stateless.
Default Log Severity
Information
Parameters
trafficshaping, route, sessionid, ipsrule, flow, geoip, rule, ruletype, ruleorigin, user, userid
Explanation
A packet was received that triggered a new stateless flow to be created. Packets forwarded on stateless flows are only subject to stateless packet validation.
Gateway Action
Open
Action Description
None
Proposed Action
None

2.12.19. [ID: 1390] Out of memory when attempting to allocate[...]

Log Categories
FLOW,SYSTEM
Log Message
Out of memory when attempting to allocate flow data.
Default Log Severity
Emergency
Parameters
matchkey
Explanation
The system was out of memory and failed to allocate a new flow. All new traffic may have been completely locked out.
Gateway Action
Discard
Action Description
The system was unable to open a flow, even though policy allowed it
Proposed Action
Investigate why the system is low on RAM. Contact technical support if the cause is not obvious.

2.12.20. [ID: 543] Reject flow opened

Log Categories
FLOW
Log Message
Reject flow opened.
Default Log Severity
Warning
Parameters
trafficshaping, route, flow, geoip, rule, user, userid
Explanation
A packet matched a reject rule and a corresponding reject flow was created. A reject flow is a flow with the purpose of rejecting future packets matching the same parameters as the original packet.
Gateway Action
Open
Action Description
None
Proposed Action
None

2.12.21. [ID: 1646] Failed to reopen flow

Log Categories
FLOW
Log Message
Failed to reopen flow.
Default Log Severity
Error
Parameters
error, flow, rule, ruletype, ruleorigin, user, userid
Explanation
The system failed to reopen the flow. The flow will remain closed and the packet will be dropped.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.12.22. [ID: 122] Flow reopened

Log Categories
FLOW
Log Message
Flow reopened.
Default Log Severity
Information
Parameters
flow, app, user, userid
Explanation
A packet was received that triggered a new stateful flow to be created.
Gateway Action
Open
Action Description
None
Proposed Action
None

2.12.23. [ID: 790] Failed to setup flow due to ruleset lookup[...]

Log Categories
FLOW
Log Message
Failed to setup flow due to ruleset lookup failure.
Default Log Severity
Error
Parameters
pkt
Explanation
A flow could not be opened for the packet since the ruleset lookup failed. The packet was dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
Make sure that logging is enabled on the rules that match the traffic and look for other logs that could reveal the actual cause of the ruleset lookup failure. The cause could, for instance, be related to resources (memory, port allocation, etc.) or configuration.

2.12.24. [ID: 521] Flow maintenance failed

Log Categories
FLOW
Log Message
Flow maintenance failed.
Default Log Severity
Notice
Parameters
error, flow, flowusage, app, rule, ruletype, ruleorigin, user, userid
Explanation
The device failed to update a flow and had to close it. This can be a sign of a problem related to this particular flow, but it can also be a sign of a system-wide problem, for instance, out of memory.
Gateway Action
Close
Action Description
None
Proposed Action
Search for other logs that can provide more information.

2.12.25. [ID: 1314] Packet MD5 digest did not match packet data

Log Categories
FLOW,TCP,BGP
Log Message
Packet MD5 digest did not match packet data.
Default Log Severity
Error
Parameters
pkt
Explanation
The MD5 digest included in the packet did not match the rest of the packet data.
Gateway Action
Drop
Action Description
None
Proposed Action
Check BGP neighbor configuration.

2.12.26. [ID: 1320] Failed to insert MD5 digest to packet

Log Categories
FLOW,TCP,BGP
Log Message
Failed to insert MD5 digest to packet.
Default Log Severity
Error
Parameters
pkt
Explanation
The system was unable to add an MD5 digest to the packet.
Gateway Action
Drop
Action Description
None
Proposed Action
Contact customer support.

2.12.27. [ID: 1317] Packet did not contain md5 digest

Log Categories
FLOW,TCP,BGP
Log Message
Packet did not contain md5 digest.
Default Log Severity
Error
Parameters
pkt
Explanation
Packet did not contain any MD5 digest.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.12.28. [ID: 1309] Packet is too small to contain MD5 digest

Log Categories
FLOW,TCP,BGP
Log Message
Packet is too small to contain MD5 digest.
Default Log Severity
Error
Parameters
pkt
Explanation
Packet is too small to contain MD5 digest.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.12.29. [ID: 1056] Same pipe used twice in same flow

Log Categories
FLOW,PIPES
Log Message
Same pipe used twice in same flow.
Default Log Severity
Warning
Parameters
pipe, conflictrule, rule
Explanation
The same pipe object (pipe) has been applied twice to the same flow by two different rules (rule and conflictrule). The effect of this is probably undesirable. Whether to log this event is controlled by the MiscSettings:PipeDupLog setting.
Gateway Action
Ignore
Action Description
None
Proposed Action
Review the configuration and consider re-arranging rules and traffic profiles so that no pipe object can be added by different rules matching the same traffic.

2.12.30. [ID: 1389] Not enough ICMP data for protocol translation

Log Categories
FLOW,NAT64
Log Message
Not enough ICMP data for protocol translation.
Default Log Severity
Notice
Parameters
pkt
Explanation
An ICMP error was dropped because its payload was not large enough for protocol translation.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.12.31. [ID: 1397] Protocol translation was not applicable

Log Categories
FLOW,NAT64
Log Message
Protocol translation was not applicable.
Default Log Severity
Notice
Parameters
pkt
Explanation
An ICMP message was dropped because there was no applicable protocol translation.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.12.32. [ID: 1391] Unsupported media header in protocol[...]

Log Categories
FLOW,NAT64
Log Message
Unsupported media header in protocol translation.
Default Log Severity
Notice
Parameters
pkt
Explanation
A packet with an unsupported media header was dropped when attempting protocol translation.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.12.33. [ID: 1388] Unsupported transport header in protocol[...]

Log Categories
FLOW,NAT64
Log Message
Unsupported transport header in protocol translation.
Default Log Severity
Notice
Parameters
pkt
Explanation
A packet with an unsupported transport header was dropped when attempting protocol translation.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.13. FQDN

These log messages refer to the FQDN category.

2.13.1. [ID: 1400] Added FQDN IP to netobject

Log Categories
FQDN
Log Message
Added FQDN IP to netobject.
Default Log Severity
Information
Parameters
name, fqdn, ip
Explanation
A new IP address has been resolved and added for a FQDN set on a netobject.
Gateway Action
None
Action Description
None
Proposed Action
None

2.13.2. [ID: 1413] All IP addresses expired for FQDN in netobject

Log Categories
FQDN
Log Message
All IP addresses expired for FQDN in netobject.
Default Log Severity
Warning
Parameters
name, fqdn
Explanation
All IP addresses for a FQDN in a netobject have expired. This might mean that the DNS server is no longer reachable.
Gateway Action
None
Action Description
None
Proposed Action
Check the DNS server.

2.13.3. [ID: 1422] Could not resolve FQDN for netobject

Log Categories
FQDN
Log Message
Could not resolve FQDN for netobject.
Default Log Severity
Warning
Parameters
name, fqdn, type
Explanation
It was not possible to resolve a FQDN set on a netobject. Either the FQDN does not exist, or it was not possible to reach the DNS server.
Gateway Action
None
Action Description
None
Proposed Action
Check the FQDN for spelling mistakes, and that the DNS server is reachable.

2.13.4. [ID: 1423] IP expired from netobject

Log Categories
FQDN
Log Message
IP expired from netobject.
Default Log Severity
Notice
Parameters
name, fqdn, ip
Explanation
An IP address reached the end of the period during which it remains valid after its TTL has expired, and was removed from the netobject.
Gateway Action
None
Action Description
None
Proposed Action
Increase the FQDNValidAfterTTL if it is necessary to keep IP addresses longer after the TTL has expired.

2.14. FRAG

These log messages refer to the FRAG category.

2.14.1. [ID: 505] Fragment with invalid offset

Log Categories
FRAG,VALIDATE,STATEFUL
Log Message
Fragment with invalid offset.
Default Log Severity
Error
Parameters
pkt
Explanation
A fragment with invalid offset was received.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the FragSettings:IllegalFrags setting to modify the handling of illegal fragments.

2.14.2. [ID: 617] The fragment has an invalid IP data length

Log Categories
FRAG,VALIDATE,STATELESS
Log Message
The fragment has an invalid IP data length.
Default Log Severity
Error
Parameters
datalen, pkt
Explanation
The partly reassembled IP packet has an invalid IP data length.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the FragSettings:IllegalFrags setting to modify the handling of illegal fragments.

2.14.3. [ID: 495] Dropping stored fragments of disallowed packet

Log Categories
FRAG,VALIDATE,STATEFUL
Log Message
Dropping stored fragments of disallowed packet.
Default Log Severity
Warning
Parameters
count, srcip, destip, ipproto, fragid, state, value
Explanation
The fragments of a disallowed IP packet were dropped. The count parameter displays the number of freed fragments while the value parameter contains fragment offset and IP length for the freed fragments.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the FragSettings:DroppedFrags setting to modify the logging of dropped fragments.

2.14.4. [ID: 389] Dropping duplicate fragment

Log Categories
FRAG,VALIDATE,STATEFUL
Log Message
Dropping duplicate fragment.
Default Log Severity
Warning
Parameters
pkt
Explanation
A duplicate fragment of an IP packet was received.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the FragSettings:DuplicateFrags setting to modify the logging of duplicate fragments.

2.14.5. [ID: 174] Duplicate fragment with different data[...]

Log Categories
FRAG,VALIDATE,STATEFUL
Log Message
Duplicate fragment with different data received.
Default Log Severity
Error
Parameters
pkt
Explanation
The fragment was a duplicate of an already received fragment, but the fragment data differed.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the FragSettings:IllegalFrags setting to modify the handling of illegal fragments.

2.14.6. [ID: 525] Duplicate fragment with different length[...]

Log Categories
FRAG,VALIDATE,STATEFUL
Log Message
Duplicate fragment with different length received.
Default Log Severity
Error
Parameters
pkt
Explanation
The fragment was a duplicate of an already received fragment, but the fragment lengths differed.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the FragSettings:IllegalFrags setting to modify the handling of illegal fragments.

2.14.7. [ID: 343] Dropping duplicate fragment of suspect packet

Log Categories
FRAG,VALIDATE,STATEFUL
Log Message
Dropping duplicate fragment of suspect packet.
Default Log Severity
Warning
Parameters
pkt
Explanation
A duplicate fragment of a suspect IP packet was received.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the FragSettings:DuplicateFrags setting to modify the logging of duplicate fragments.

2.14.8. [ID: 528] Dropping extraneous fragments of completed[...]

Log Categories
FRAG,VALIDATE,STATEFUL
Log Message
Dropping extraneous fragments of completed packet.
Default Log Severity
Warning
Parameters
count, srcip, destip, ipproto, fragid, state, value
Explanation
A completed reassembled IP packet contained extraneous fragments, which were dropped. The count parameter displays the number of freed fragments while the value parameter contains fragment offset and IP length for the freed fragments.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the FragSettings:IllegalFrags setting to modify the handling of illegal fragments.

2.14.9. [ID: 473] Fragment offset plus length not in range

Log Categories
FRAG,VALIDATE,STATELESS
Log Message
Fragment offset plus length not in range.
Default Log Severity
Error
Parameters
minlen, maxlen, pkt
Explanation
The fragment offset and length would be outside of the allowed IP size range.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the LengthLimSettings:LogOversizedPackets setting to modify the logging of oversized packets.

2.14.10. [ID: 171] Dropping extraneous fragment of completed[...]

Log Categories
FRAG,VALIDATE,STATEFUL
Log Message
Dropping extraneous fragment of completed packet.
Default Log Severity
Warning
Parameters
pkt
Explanation
A completed reassembled IP packet contained an extraneous fragment, which was dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the FragSettings:IllegalFrags setting to modify the handling of illegal fragments.

2.14.11. [ID: 100] Dropping fragment of disallowed packet

Log Categories
FRAG,VALIDATE,STATEFUL
Log Message
Dropping fragment of disallowed packet.
Default Log Severity
Warning
Parameters
pkt
Explanation
A fragment of a disallowed IP packet was dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the FragSettings:DroppedFrags setting to modify the logging of dropped fragments.

2.14.12. [ID: 383] Dropping fragment of disallowed suspect packet

Log Categories
FRAG,VALIDATE,STATEFUL
Log Message
Dropping fragment of disallowed suspect packet.
Default Log Severity
Warning
Parameters
pkt
Explanation
A fragment of a disallowed suspect IP packet was dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the FragSettings:DroppedFrags setting to modify the logging of dropped fragments.

2.14.13. [ID: 582] Dropping fragment of failed packet

Log Categories
FRAG,VALIDATE,STATEFUL
Log Message
Dropping fragment of failed packet.
Default Log Severity
Warning
Parameters
pkt
Explanation
A fragment of a failed IP packet was dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the FragSettings:FragReassemblyFail setting to modify the logging of failed packet reassembly attempts.

2.14.14. [ID: 248] Dropping fragment of failed suspect packet

Log Categories
FRAG,VALIDATE,STATEFUL
Log Message
Dropping fragment of failed suspect packet.
Default Log Severity
Warning
Parameters
pkt
Explanation
A fragment of a failed suspect IP packet was dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the FragSettings:FragReassemblyFail setting to modify the logging of failed packet reassembly attempts.

2.14.15. [ID: 336] Dropping fragment of illegal packet

Log Categories
FRAG,VALIDATE,STATEFUL
Log Message
Dropping fragment of illegal packet.
Default Log Severity
Warning
Parameters
pkt
Explanation
A fragment of an illegal IP packet was dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
FRAG_DropIllegal

2.14.16. [ID: 203] Fragmented ICMP error

Log Categories
FRAG,VALIDATE,STATELESS
Log Message
Fragmented ICMP error.
Default Log Severity
Warning
Parameters
type, pkt
Explanation
A disallowed fragmented ICMP error message was received. Only "Echo" and "EchoReply" are allowed to be fragmented.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the FragSettings:FragmentedICMP setting to modify the handling of fragmented ICMP error messages.

2.14.17. [ID: 577] Fragments partially overlap

Log Categories
FRAG,VALIDATE,STATEFUL
Log Message
Fragments partially overlap.
Default Log Severity
Error
Parameters
pkt
Explanation
Two fragments partially overlap.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the FragSettings:IllegalFrags setting to modify the handling of illegal fragments.

2.14.18. [ID: 570] Dropping fragments of illegal packet

Log Categories
FRAG,VALIDATE,STATEFUL
Log Message
Dropping fragments of illegal packet.
Default Log Severity
Warning
Parameters
count, srcip, destip, ipproto, fragid, state, value
Explanation
The fragments of an illegal IP packet were dropped. The count parameter displays the number of freed fragments while the value parameter contains fragment offset and IP length for the freed fragments.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the FragSettings:IllegalFrags setting to modify the handling of illegal fragments.

2.14.19. [ID: 380] Fragment offset plus length is greater than[...]

Log Categories
FRAG,VALIDATE,STATELESS
Log Message
Fragment offset plus length is greater than the configured maximum.
Default Log Severity
Error
Parameters
max, pkt
Explanation
The fragment offset plus length would result in a greater length than the configured maximum length of an IP packet.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the LengthLimSettings:LogOversizedPackets setting to modify the logging of oversized packets.

2.14.20. [ID: 265] Out of reassembly resources

Log Categories
FRAG,VALIDATE,STATELESS
Log Message
Out of reassembly resources.
Default Log Severity
Critical
Parameters
count, srcip, destip, ipproto, fragid, state, value
Explanation
Out of fragmentation reassembly resources when processing the IP packet. Dropping packet and freeing resources. The count parameter displays the number of freed fragments while the value parameter contains fragment offset and IP length for the freed fragments.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the FragSettings:FragReassemblyFail setting to modify the logging of failed packet reassembly attempts.

2.14.21. [ID: 414] Out of reassembly resources for suspect packet

Log Categories
FRAG,VALIDATE,STATELESS
Log Message
Out of reassembly resources for suspect packet.
Default Log Severity
Critical
Parameters
count, srcip, destip, ipproto, fragid, state, value
Explanation
Out of fragmentation reassembly resources when processing the suspect IP packet. Dropping packet and freeing resources. The count parameter displays the number of freed fragments while the value parameter contains fragment offset and IP length for the freed fragments.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the FragSettings:FragReassemblyFail setting to modify the logging of failed packet reassembly attempts.

2.14.22. [ID: 159] Fragment overlapping next fragment offset

Log Categories
FRAG,VALIDATE,STATEFUL
Log Message
Fragment overlapping next fragment offset.
Default Log Severity
Error
Parameters
pkt
Explanation
This fragment would overlap the next fragment offset.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the FragSettings:IllegalFrags setting to modify the handling of illegal fragments.

2.14.23. [ID: 516] Dropping stored fragments of disallowed[...]

Log Categories
FRAG,VALIDATE,STATEFUL
Log Message
Dropping stored fragments of disallowed suspect packet.
Default Log Severity
Warning
Parameters
count, srcip, destip, ipproto, fragid, state, value
Explanation
The fragments of a disallowed suspect IP packet were dropped. The count parameter displays the number of freed fragments while the value parameter contains fragment offset and IP length for the freed fragments.
Gateway Action
Drop
Action Description
None
Proposed Action
FRAG_DropDisallowed

2.14.24. [ID: 289] Time out reassembling

Log Categories
FRAG,VALIDATE,STATEFUL
Log Message
Time out reassembling.
Default Log Severity
Critical
Parameters
count, srcip, destip, ipproto, fragid, state, value
Explanation
Timed out when reassembling a fragmented IP packet. Dropping packet. The count parameter displays the number of freed fragments while the value parameter contains fragment offset and IP length for the freed fragments.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the FragSettings:FragReassemblyFail setting to modify the logging of failed packet reassembly attempts.

2.14.25. [ID: 326] Time out reassembling suspect

Log Categories
FRAG,VALIDATE,STATEFUL
Log Message
Time out reassembling suspect.
Default Log Severity
Critical
Parameters
count, srcip, destip, ipproto, fragid, state, value
Explanation
Timed out when reassembling a fragmented suspect IP packet. The count parameter displays the number of freed fragments while the value parameter contains fragment offset and IP length for the freed fragments.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the FragSettings:FragReassemblyFail setting to modify the logging of failed packet reassembly attempts.

2.14.26. [ID: 126] Fragmented ICMP error

Log Categories
FRAG,VALIDATE,STATELESS
Log Message
Fragmented ICMP error.
Default Log Severity
Warning
Parameters
type, pkt
Explanation
A disallowed fragmented ICMP error message was received. Only "Echo" and "EchoReply" are allowed to be fragmented.
Gateway Action
Allow
Action Description
None
Proposed Action
Change the FragSettings:FragmentedICMP setting to modify the handling of fragmented ICMP error messages.

2.15. FTPALG

These log messages refer to the FTPALG category.

2.15.1. [ID: 1146] CLNT command not allowed

Log Categories
FTPALG
Log Message
CLNT command not allowed.
Default Log Severity
Warning
Parameters
sessionid, profile, cmdline, flow
Explanation
The client tried to issue a "CLNT" command, which is not valid since the client is not allowed to do this. The command will be rejected.
Gateway Action
Reject
Action Description
None
Proposed Action
If the client should be allowed to issue "CLNT" commands, modify the FTP profile configuration.

2.15.2. [ID: 1163] Command rate limit exceeded on session

Log Categories
FTPALG
Log Message
Command rate limit exceeded on session.
Default Log Severity
Warning
Parameters
sessionid, profile, max, flow
Explanation
The configured command rate limit was exceeded on a session.
Gateway Action
None
Action Description
None
Proposed Action
If this occurs during normal usage, consider increasing the limit configured on the FTP profile.

2.15.3. [ID: 1144] Data channel traffic direction restricted

Log Categories
FTPALG
Log Message
Data channel traffic direction restricted.
Default Log Severity
Information
Parameters
profile, sessionid, command, alloweddir
Explanation
Traffic on the data channel should only flow in one direction depending on which FTP command was issued. As the rule allowing the data channel is created before the direction is known, it is modified to restrict the direction once the allowed direction is learned.
Gateway Action
None
Action Description
None
Proposed Action
None

2.15.4. [ID: 1116] Disallowed client IP

Log Categories
FTPALG
Log Message
Disallowed client IP.
Default Log Severity
Warning
Parameters
sessionid, profile, ip, flow
Explanation
The client wants the server to connect the data channel to an IP which is not the client's own IP.
Gateway Action
Deny
Action Description
None
Proposed Action
None

2.15.5. [ID: 1096] Client port outside configured range

Log Categories
FTPALG
Log Message
Client port outside configured range.
Default Log Severity
Warning
Parameters
sessionid, profile, port, portrange, flow
Explanation
The client tried to use a port for the data channel which is disallowed by the ClientPorts setting in the FTPAlgProfile used.
Gateway Action
Deny
Action Description
None
Proposed Action
None

2.15.6. [ID: 1149] Disallowed MODE argument

Log Categories
FTPALG
Log Message
Disallowed MODE argument.
Default Log Severity
Warning
Parameters
sessionid, profile, cmdline, flow
Explanation
The client has tried to issue a MODE command to use block mode or compressed mode, which is disallowed. Command is rejected.
Gateway Action
Reject
Action Description
None
Proposed Action
None

2.15.7. [ID: 1103] Disallowed OPTS argument

Log Categories
FTPALG
Log Message
Disallowed OPTS argument.
Default Log Severity
Warning
Parameters
sessionid, profile, cmdline, flow
Explanation
A disallowed OPTS argument was received, and the command will be rejected.
Gateway Action
Reject
Action Description
None
Proposed Action
None

2.15.8. [ID: 1154] Mismatched data channel IP protocol

Log Categories
FTPALG
Log Message
Mismatched data channel IP protocol.
Default Log Severity
Warning
Parameters
sessionid, profile, ipver, flow
Explanation
The client has tried to negotiate a different IP protocol for the data channel than the protocol it is using to connect to the FTP server on the control channel.
Gateway Action
Deny
Action Description
None
Proposed Action
None

2.15.9. [ID: 1125] Disallowed server IP

Log Categories
FTPALG
Log Message
Disallowed server IP.
Default Log Severity
Warning
Parameters
sessionid, profile, ip, flow
Explanation
The server wants the client to connect the data channel to an IP which is not the server's own IP.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.15.10. [ID: 1104] Server port outside configured range

Log Categories
FTPALG
Log Message
Server port outside configured range.
Default Log Severity
Warning
Parameters
sessionid, profile, port, portrange, flow
Explanation
The server tried to use a port for the data channel which is disallowed by the ServerPorts setting in the FTPAlgProfile used.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.15.11. [ID: 1145] Command is illegal since EPSV ALL is in effect

Log Categories
FTPALG
Log Message
Command is illegal since EPSV ALL is in effect.
Default Log Severity
Warning
Parameters
sessionid, profile, cmdline, flow
Explanation
The client has already issued an "EPSV ALL" command and may no longer use any of the commands PORT, PASV or EPRT.
Gateway Action
Reject
Action Description
None
Proposed Action
None

2.15.12. [ID: 1095] Failed setting up data channel rule from[...]

Log Categories
FTPALG
Log Message
Failed setting up data channel rule from server to client.
Default Log Severity
Error
Parameters
sessionid, profile, srcip, destip, srcport, destport, flow
Explanation
An error occurred when creating a data connection from the server to the client. This could possibly be a result of lack of memory.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.15.13. [ID: 1108] Failed setting up data channel rule from[...]

Log Categories
FTPALG
Log Message
Failed setting up data channel rule from client to server.
Default Log Severity
Error
Parameters
sessionid, profile, srcip, destip, srcport, destport, flow
Explanation
An error occurred when creating a data connection from the client to the server. This could possibly be a result of lack of memory.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.15.14. [ID: 1135] Failed parsing EPRT command

Log Categories
FTPALG
Log Message
Failed parsing EPRT command.
Default Log Severity
Warning
Parameters
sessionid, profile, cmdline, flow
Explanation
Invalid parameters to the "EPRT" command were received. The connection will be closed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.15.15. [ID: 1157] Failed parsing EPSV command

Log Categories
FTPALG
Log Message
Failed parsing EPSV command.
Default Log Severity
Warning
Parameters
sessionid, profile, cmdline, flow
Explanation
Invalid parameters to the "EPSV" command were received. The command was rejected with an error message to the client.
Gateway Action
Reject
Action Description
None
Proposed Action
None

2.15.16. [ID: 1132] Failed parsing EPSV response

Log Categories
FTPALG
Log Message
Failed parsing EPSV response.
Default Log Severity
Warning
Parameters
sessionid, profile, cmdline, flow
Explanation
The response to the "EPSV" command was not formatted according to the standard. The connection will be closed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.15.17. [ID: 1143] Failed parsing PASV response

Log Categories
FTPALG
Log Message
Failed parsing PASV response.
Default Log Severity
Warning
Parameters
sessionid, profile, cmdline, flow
Explanation
The response to the "PASV" command was not formatted according to the standard. The connection will be closed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.15.18. [ID: 1124] Failed parsing PORT command

Log Categories
FTPALG
Log Message
Failed parsing PORT command.
Default Log Severity
Warning
Parameters
sessionid, profile, cmdline, flow
Explanation
Invalid parameters to the "PORT" command were received. The connection will be closed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.15.19. [ID: 1086] Failed to create new session

Log Categories
FTPALG
Log Message
Failed to create new session.
Default Log Severity
Error
Parameters
 
Explanation
An attempt to create a new FTPALG session failed, because the unit is out of memory.
Gateway Action
Close
Action Description
None
Proposed Action
Decrease the maximum allowed FTPALG sessions, or try to free some of the RAM used.

2.15.20. [ID: 1100] Control channel failed

Log Categories
FTPALG
Log Message
Control channel failed.
Default Log Severity
Notice
Parameters
reason, originator, sessionid, flow, rule
Explanation
An error occurred that caused the FTP control channel to be aborted.
Gateway Action
Abort
Action Description
None
Proposed Action
None

2.15.21. [ID: 1113] Illegal command received

Log Categories
FTPALG
Log Message
Illegal command received.
Default Log Severity
Warning
Parameters
sessionid, profile, cmdline, flow
Explanation
An illegal command was received, and the command will be rejected.
Gateway Action
Reject
Action Description
None
Proposed Action
None

2.15.22. [ID: 1110] Illegal multiline response from server

Log Categories
FTPALG
Log Message
Illegal multiline response from server.
Default Log Severity
Warning
Parameters
sessionid, profile, cmdline, flow
Explanation
An illegal multiline response was received from server, and the connection will be closed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.15.23. [ID: 1089] Illegal numeric reply from server

Log Categories
FTPALG
Log Message
Illegal numeric reply from server.
Default Log Severity
Warning
Parameters
sessionid, profile, cmdline, flow
Explanation
An illegal numerical reply was received from server, and the connection will be closed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.15.24. [ID: 1112] Invalid command from client

Log Categories
FTPALG
Log Message
Invalid command from client.
Default Log Severity
Warning
Parameters
sessionid, profile, cmdline, flow
Explanation
An invalid command was received on the control channel. This is not allowed, and the connection will be closed.
Gateway Action
Close
Action Description
None
Proposed Action
If unknown commands should be allowed, modify the FTP profile configuration.

2.15.25. [ID: 1156] Invalid MODE argument

Log Categories
FTPALG
Log Message
Invalid MODE argument.
Default Log Severity
Warning
Parameters
sessionid, profile, cmdline, flow
Explanation
The client has issued a MODE command with an invalid argument. Command is rejected.
Gateway Action
Reject
Action Description
None
Proposed Action
None

2.15.26. [ID: 1092] Invalid OPTS argument

Log Categories
FTPALG
Log Message
Invalid OPTS argument.
Default Log Severity
Warning
Parameters
sessionid, profile, cmdline, flow
Explanation
An invalid OPTS argument was received. The argument does not start with an alphabetic letter, and the command will be rejected.
Gateway Action
Reject
Action Description
None
Proposed Action
None

2.15.27. [ID: 1102] Maximum line length exceeded

Log Categories
FTPALG
Log Message
Maximum line length exceeded.
Default Log Severity
Error
Parameters
maxlen, len, originator, sessionid, profile, flow, rule
Explanation
The maximum length of a text line sent over the control channel was exceeded, and the session will be closed. Note that the len parameter may or may not contain the full length of the violating line; it may instead contain the length of a partial line that exceeds the limit.
Gateway Action
Abort
Action Description
None
Proposed Action
Sending long lines might be an attempt to attack software that fails to handle lines above a certain length. If this incident is unlikely to be an attack then consider increasing the limit. The maximum line length is a configuration property of the FTP profile object.

2.15.28. [ID: 1161] No data channel setup yet

Log Categories
FTPALG
Log Message
No data channel setup yet.
Default Log Severity
Warning
Parameters
sessionid, profile, cmdline, flow
Explanation
A command which requires a data channel was issued without first having set up a data channel. The command is rejected.
Gateway Action
Reject
Action Description
None
Proposed Action
None

2.15.29. [ID: 1140] Data channel dynamic PREPBR rule added

Log Categories
FTPALG
Log Message
Data channel dynamic PREPBR rule added.
Default Log Severity
Information
Parameters
profile, sessionid, command, srcip, destip, srcport, destport, srciface
Explanation
To ensure that the data channel always uses the same routing tables as the control channel, a PREPBR rule has been added to the system.
Gateway Action
None
Action Description
None
Proposed Action
None

2.15.30. [ID: 1148] Data channel dynamic PREPBR rule removed

Log Categories
FTPALG
Log Message
Data channel dynamic PREPBR rule removed.
Default Log Severity
Information
Parameters
profile, sessionid, command, srcip, destip, srcport, destport, srciface
Explanation
A PREPBR rule, which was added to ensure that the data channel always uses the same routing tables as the control channel, has now been removed.
Gateway Action
None
Action Description
None
Proposed Action
None

2.15.31. [ID: 1093] Invalid command from client

Log Categories
FTPALG
Log Message
Invalid command from client.
Default Log Severity
Warning
Parameters
sessionid, profile, cmdline, flow
Explanation
An invalid command was received on the control channel. This is allowed, but the command will be rejected as it is not understood.
Gateway Action
Reject
Action Description
None
Proposed Action
If unknown commands should not be allowed, modify the FTP profile configuration.

2.15.32. [ID: 1097] Data channel dynamic rule added

Log Categories
FTPALG
Log Message
Data channel dynamic rule added.
Default Log Severity
Information
Parameters
profile, sessionid, command, srcip, destip, srcport, destport, srciface, destiface
Explanation
FTPALG has added a dynamic rule to allow the data channel for FTP.
Gateway Action
None
Action Description
None
Proposed Action
None

2.15.33. [ID: 1099] Data channel dynamic rule removed

Log Categories
FTPALG
Log Message
Data channel dynamic rule removed.
Default Log Severity
Information
Parameters
profile, sessionid, command, srcip, destip, srcport, destport, srciface, destiface
Explanation
FTPALG has removed a dynamic rule it added previously to allow the data channel for FTP.
Gateway Action
None
Action Description
None
Proposed Action
None

2.15.34. [ID: 1119] Session closed

Log Categories
FTPALG
Log Message
Session closed.
Default Log Severity
Information
Parameters
sessionid, profile, flow
Explanation
A session using the FTP ALG was closed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.15.35. [ID: 1105] Session opened

Log Categories
FTPALG
Log Message
Session opened.
Default Log Severity
Information
Parameters
sessionid, profile, flow
Explanation
A session using the FTP ALG was opened.
Gateway Action
Open
Action Description
None
Proposed Action
None

2.15.36. [ID: 1153] SITE EXEC not allowed

Log Categories
FTPALG
Log Message
SITE EXEC not allowed.
Default Log Severity
Warning
Parameters
sessionid, profile, cmdline, flow
Explanation
The client tried to issue a "SITE EXEC" command, which is not valid since the client is not allowed to do this. The command will be rejected.
Gateway Action
Reject
Action Description
None
Proposed Action
If the client should be allowed to issue "SITE EXEC" commands, modify the FTP profile configuration.

2.15.37. [ID: 1114] Unexpected telnet control chars from client

Log Categories
FTPALG
Log Message
Unexpected telnet control chars from client.
Default Log Severity
Warning
Parameters
sessionid, profile, flow
Explanation
Unexpected telnet control characters were discovered in the control channel. This is not allowed according to the FTPALG profile configuration, and the connection will be closed.
Gateway Action
Close
Action Description
None
Proposed Action
If unknown commands should be allowed, modify the FTP profile configuration.

2.15.38. [ID: 1106] Unexpected telnet control chars from server

Log Categories
FTPALG
Log Message
Unexpected telnet control chars from server.
Default Log Severity
Warning
Parameters
sessionid, profile, flow
Explanation
Unexpected telnet control characters were discovered in the control channel. This is not allowed according to the FTP profile configuration, and the connection will be closed.
Gateway Action
Close
Action Description
None
Proposed Action
If unknown commands should be allowed, modify the FTP profile configuration.

2.15.39. [ID: 1090] Unknown command received

Log Categories
FTPALG
Log Message
Unknown command received.
Default Log Severity
Warning
Parameters
sessionid, profile, cmdline, flow
Explanation
An unknown command was received, and the command will be rejected.
Gateway Action
Reject
Action Description
None
Proposed Action
If unknown commands should be allowed, modify the FTP profile configuration.

2.15.40. [ID: 1321] Unknown FEAT response from server

Log Categories
FTPALG
Log Message
Unknown FEAT response from server.
Default Log Severity
Information
Parameters
sessionid, profile, cmdline, flow
Explanation
An unknown FEAT response was received from server and was stripped.
Gateway Action
Strip
Action Description
None
Proposed Action
If the FEAT response the server sent is needed, change the FTP profile to allow unknown commands.

2.15.41. [ID: 1111] Unknown OPTS argument

Log Categories
FTPALG
Log Message
Unknown OPTS argument.
Default Log Severity
Warning
Parameters
sessionid, profile, cmdline, flow
Explanation
An unknown OPTS argument was received, and the command will be rejected.
Gateway Action
Reject
Action Description
None
Proposed Action
If unknown commands should be allowed, modify the FTP profile configuration.

2.15.42. [ID: 1131] Unsolicited extended passive mode response[...]

Log Categories
FTPALG
Log Message
Unsolicited extended passive mode response from server.
Default Log Severity
Warning
Parameters
sessionid, profile, flow
Explanation
An illegal response was received from the server, and the connection is closed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.15.43. [ID: 1122] Unsolicited passive mode response from server

Log Categories
FTPALG
Log Message
Unsolicited passive mode response from server.
Default Log Severity
Warning
Parameters
sessionid, profile, flow
Explanation
An illegal response was received from the server, and the connection is closed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.15.44. [ID: 1137] Unsupported encryption FEAT response from[...]

Log Categories
FTPALG
Log Message
Unsupported encryption FEAT response from server.
Default Log Severity
Information
Parameters
sessionid, profile, cmdline, flow
Explanation
A feature response from the server announcing support for encryption unsupported by the FTPALG has been stripped from the response.
Gateway Action
Strip
Action Description
None
Proposed Action
None

2.15.45. [ID: 1162] Unsupported encryption command rejected

Log Categories
FTPALG
Log Message
Unsupported encryption command rejected.
Default Log Severity
Warning
Parameters
sessionid, profile, cmdline, flow
Explanation
An FTP command related to encryption, that is not supported by the FTPALG, has been rejected.
Gateway Action
Reject
Action Description
None
Proposed Action
None

2.15.46. [ID: 1155] Data in wrong direction on data channel

Log Categories
FTPALG
Log Message
Data in wrong direction on data channel.
Default Log Severity
Warning
Parameters
sessionid, profile, command, alloweddir, flow, user, userid
Explanation
Data has been sent on the data channel in a direction not expected according to the command issued to retrieve or store a file. The control channel and data channel will be closed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.16. GRE

These log messages refer to the GRE category.

2.16.1. [ID: 1650] GRE packet without any payload after GRE[...]

Log Categories
GRE
Log Message
GRE packet without any payload after GRE header.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
Received a GRE packet without any payload after the GRE header.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.16.2. [ID: 1651] Mismatch between the GRE payload protocol[...]

Log Categories
GRE
Log Message
Mismatch between the GRE payload protocol type and the payload IP version.
Default Log Severity
Warning
Parameters
proto, ipver, flow, pkt, user, userid
Explanation
Received a GRE packet with header protocol type and payload IP version mismatch.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.16.3. [ID: 1649] Failed to reassemble fragmented GRE packet

Log Categories
GRE,FRAG
Log Message
Failed to reassemble fragmented GRE packet.
Default Log Severity
Warning
Parameters
pktlen, flow, pkt, user, userid
Explanation
The packet was fragmented and could not be reassembled.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.16.4. [ID: 1647] Unsupported GRE flags

Log Categories
GRE
Log Message
Unsupported GRE flags.
Default Log Severity
Warning
Parameters
flags, flow, pkt, user, userid
Explanation
Received a GRE packet with unsupported flags. Only the "checksum present", "key present" and "sequence number present" flags are supported.
Gateway Action
Drop
Action Description
None
Proposed Action
Check GRE endpoint configuration.

2.16.5. [ID: 1652] Unsupported GRE payload protocol type

Log Categories
GRE
Log Message
Unsupported GRE payload protocol type.
Default Log Severity
Warning
Parameters
proto, flow, pkt, user, userid
Explanation
Received a GRE packet with unsupported payload protocol type. Only IPv4 (0x0800) and IPv6 (0x86DD) are supported.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.16.6. [ID: 1648] Unsupported GRE version

Log Categories
GRE
Log Message
Unsupported GRE version.
Default Log Severity
Warning
Parameters
version, flow, pkt, user, userid
Explanation
Received a GRE packet with unsupported version. Only version 0 is supported.
Gateway Action
Drop
Action Description
None
Proposed Action
None
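
The header checks behind IDs 1647, 1648, 1650, 1651 and 1652 can be reproduced offline when triaging a captured GRE packet that the gateway dropped. The following Python is an added example, not cOS Stream code: the order of the checks, the function names and the sample packets are assumptions, the flag bit positions follow the RFC 2784 / RFC 2890 header layout, and fragment reassembly (ID 1649) and checksum verification are not covered.

```python
import struct
from typing import Optional

# GRE flag bits in the first 16-bit word (RFC 2784 / RFC 2890 layout).
FLAG_CHECKSUM = 0x8000   # "checksum present"
FLAG_KEY = 0x2000        # "key present"
FLAG_SEQUENCE = 0x1000   # "sequence number present"
VERSION_MASK = 0x0007    # low three bits carry the GRE version
SUPPORTED_FLAGS = FLAG_CHECKSUM | FLAG_KEY | FLAG_SEQUENCE

# Payload protocol type -> IP version expected in the first payload nibble.
SUPPORTED_PROTOCOLS = {0x0800: 4, 0x86DD: 6}

# Log IDs and messages as listed in section 2.16.
GRE_LOG_MESSAGES = {
    1647: "Unsupported GRE flags.",
    1648: "Unsupported GRE version.",
    1650: "GRE packet without any payload after GRE header.",
    1651: "Mismatch between the GRE payload protocol type and the payload IP version.",
    1652: "Unsupported GRE payload protocol type.",
}


def gre_header_length(flags_version: int) -> int:
    """Base header is 4 bytes; each present optional field adds 4 more."""
    length = 4
    for bit in (FLAG_CHECKSUM, FLAG_KEY, FLAG_SEQUENCE):
        if flags_version & bit:
            length += 4
    return length


def classify_gre(packet: bytes) -> Optional[int]:
    """Return the section 2.16 log ID of the first failed check, or None.

    The check order is an assumption made for this example. A packet too
    short to hold its optional fields is treated as having no payload.
    """
    if len(packet) < 4:
        raise ValueError("shorter than the 4-byte base GRE header")
    flags_version, proto = struct.unpack("!HH", packet[:4])

    if (flags_version & VERSION_MASK) != 0:
        return 1648  # only version 0 is supported
    if flags_version & ~(SUPPORTED_FLAGS | VERSION_MASK) & 0xFFFF:
        return 1647  # a bit other than C, K or S is set
    if proto not in SUPPORTED_PROTOCOLS:
        return 1652  # only IPv4 (0x0800) and IPv6 (0x86DD)

    payload = packet[gre_header_length(flags_version):]
    if not payload:
        return 1650
    if payload[0] >> 4 != SUPPORTED_PROTOCOLS[proto]:
        return 1651  # e.g. protocol type says IPv4 but payload starts 0x6_
    return None


def build_gre(flags_version: int, proto: int, payload: bytes = b"") -> bytes:
    """Build a constructed test packet; optional fields are zero-filled."""
    header = struct.pack("!HH", flags_version, proto)
    header += b"\x00" * (gre_header_length(flags_version) - 4)
    return header + payload


# Constructed payload stubs: only the version nibble matters to the checks.
IPV4_STUB = bytes([0x45]) + bytes(19)
IPV6_STUB = bytes([0x60]) + bytes(39)

# Constructed sample packets, one per outcome.
SAMPLES = {
    "plain IPv4": build_gre(0x0000, 0x0800, IPV4_STUB),
    "key+seq IPv6": build_gre(FLAG_KEY | FLAG_SEQUENCE, 0x86DD, IPV6_STUB),
    "version 1": build_gre(0x2081, 0x880B, b"\x00" * 8),
    "routing flag": build_gre(0x4000, 0x0800, IPV4_STUB),
    "ethernet bridging": build_gre(0x0000, 0x6558, b"\x00" * 14),
    "header only": build_gre(FLAG_KEY, 0x0800),
    "IPv6 inside IPv4 type": build_gre(0x0000, 0x0800, IPV6_STUB),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        log_id = classify_gre(pkt)
        verdict = "accepted" if log_id is None else f"[ID: {log_id}] {GRE_LOG_MESSAGES[log_id]}"
        print(f"{name:24s} {verdict}")
```
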

2.17. GTP

These log messages refer to the GTP category.

2.17.1. [ID: 971] Failed to activate PDP context

Log Categories
GTP
Log Message
Failed to activate PDP context.
Default Log Severity
Warning
Parameters
imsi, msisdn, eua, teiddi, iface
Explanation
The system received a PDP context response, and a GTP tunnel negotiation was almost finished, when it was interrupted.
Gateway Action
Close
Action Description
None
Proposed Action
Verify that the GGSN is correctly configured.

2.17.2. [ID: 776] Active PDP context negotiation

Log Categories
GTP
Log Message
Active PDP context negotiation.
Default Log Severity
Notice
Parameters
imsi, msisdn, eua, teiddi, type, iface
Explanation
A PDP context negotiation is active.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.3. [ID: 757] Failed to allocate message

Log Categories
GTP
Log Message
Failed to allocate message.
Default Log Severity
Error
Parameters
localip, remoteip, scope, iface
Explanation
The system could not allocate a message buffer.
Gateway Action
Abort
Action Description
None
Proposed Action
None

2.17.4. [ID: 717] Bad GTP header length

Log Categories
GTP
Log Message
Bad GTP header length.
Default Log Severity
Notice
Parameters
pkt
Explanation
Received GTP packet with a bad length.
Gateway Action
Drop
Action Description
None
Proposed Action
Verify the integrity of the sending device.

2.17.5. [ID: 950] Failed to connect to GGSN

Log Categories
GTP
Log Message
Failed to connect to GGSN.
Default Log Severity
Warning
Parameters
imsi, msisdn, eua, teiddi, iface
Explanation
The system could not create a connection to the GGSN by performing an APN lookup to the DNS server.
Gateway Action
Abort
Action Description
None
Proposed Action
Verify that the APN can be resolved by a DNS server lookup.

2.17.6. [ID: 960] Connection closed

Log Categories
GTP
Log Message
Connection closed.
Default Log Severity
Notice
Parameters
localip, remoteip, scope, iface
Explanation
A GTP connection to a GGSN has been closed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.17.7. [ID: 964] Connection established

Log Categories
GTP
Log Message
Connection established.
Default Log Severity
Information
Parameters
localip, remoteip, scope, iface
Explanation
A new GTP connection to a GGSN has been established.
Gateway Action
Open
Action Description
None
Proposed Action
None

2.17.8. [ID: 710] Failed to establish connection

Log Categories
GTP
Log Message
Failed to establish connection.
Default Log Severity
Warning
Parameters
localip, remoteip, scope, iface
Explanation
A connection to a GGSN could not be established.
Gateway Action
Abort
Action Description
None
Proposed Action
None

2.17.9. [ID: 957] Invalid connection action

Log Categories
GTP
Log Message
Invalid connection action.
Default Log Severity
Warning
Parameters
localip, remoteip, scope, type, iface
Explanation
A GGSN connection has been closed, but still receives GTP-C traffic.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.17.10. [ID: 969] Failed to create lookup for APN

Log Categories
GTP
Log Message
Failed to create lookup for APN.
Default Log Severity
Error
Parameters
fqdn, iface
Explanation
The system tried unsuccessfully to resolve the APN for a remote gateway.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.11. [ID: 697] DNS resolve failed

Log Categories
GTP
Log Message
DNS resolve failed.
Default Log Severity
Warning
Parameters
fqdn, iface
Explanation
The IP address for the APN could not be resolved.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.12. [ID: 721] DNS resolve successful

Log Categories
GTP
Log Message
DNS resolve successful.
Default Log Severity
Information
Parameters
fqdn, iface
Explanation
The IP address for the APN was resolved successfully.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.13. [ID: 926] Populating recovery file failed

Log Categories
GTP
Log Message
Populating recovery file failed.
Default Log Severity
Warning
Parameters
file
Explanation
Recovery values were not successfully retrieved from the persistent storage file.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.14. [ID: 983] Failed to find MM context

Log Categories
GTP
Log Message
Failed to find MM context.
Default Log Severity
Notice
Parameters
imsi, msisdn, eua, teiddi, iface
Explanation
An MM context and its PDP context were in inconsistent states.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.15. [ID: 975] Found dangling PDP context in GGSN

Log Categories
GTP
Log Message
Found dangling PDP context in GGSN.
Default Log Severity
Warning
Parameters
imsi, msisdn, eua, teiddi, iface
Explanation
The TTG determined that the GGSN had a dangling PDP context with a non-matching TEID.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.17.16. [ID: 708] GGSN restarted

Log Categories
GTP
Log Message
GGSN restarted.
Default Log Severity
Warning
Parameters
localip, remoteip, scope, iface
Explanation
The remote GGSN has restarted and the current tunnels connected to that host are invalid.
Gateway Action
Close
Action Description
The tunnels that are connected to the specified GGSN will be deleted.
Proposed Action
None

2.17.17. [ID: 976] All GGSNs for APN unreachable

Log Categories
GTP
Log Message
All GGSNs for APN unreachable.
Default Log Severity
Error
Parameters
localip, remoteip, scope, iface
Explanation
No GGSN responded on any of the IP addresses for which the APN resolved.
Gateway Action
None
Action Description
None
Proposed Action
Verify that GGSNs are reachable from the TTG using the IP associated with the APN.

2.17.18. [ID: 754] Failed to register GTP-U session

Log Categories
GTP
Log Message
Failed to register GTP-U session.
Default Log Severity
Critical
Parameters
remoteip, teiddi, iface
Explanation
GTP failed to initialize Control plane to User plane communication.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.19. [ID: 970] Incorrect packet header type

Log Categories
GTP
Log Message
Incorrect packet header type.
Default Log Severity
Warning
Parameters
localip, remoteip, scope, messagetype, version, iface
Explanation
The TTG received a messagetype packet using a GTP header version.
Gateway Action
Drop
Action Description
None
Proposed Action
Verify that the GGSN uses GTPv1.

2.17.20. [ID: 967] Incorrect GTP packet version

Log Categories
GTP
Log Message
Incorrect GTP packet version.
Default Log Severity
Warning
Parameters
imsi, msisdn, eua, teiddi, messagetype, iface
Explanation
The TTG received a non-GTPv1 packet of messagetype.
Gateway Action
None
Action Description
None
Proposed Action
Verify that the GGSN uses GTPv1.

2.17.21. [ID: 783] Invalid length in information element

Log Categories
GTP
Log Message
Invalid length in information element.
Default Log Severity
Error
Parameters
imsi, msisdn, eua, teiddi, messagetype, iface
Explanation
An information element specified a bad length in a GTP packet.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.22. [ID: 705] Invalid mandatory information element

Log Categories
GTP
Log Message
Invalid mandatory information element.
Default Log Severity
Warning
Parameters
localip, remoteip, scope, messagetype, ie, iface
Explanation
Invalid mandatory information element in received message.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.23. [ID: 965] Invalid optional information element

Log Categories
GTP
Log Message
Invalid optional information element.
Default Log Severity
Warning
Parameters
localip, remoteip, scope, messagetype, ie, iface
Explanation
Invalid optional information element in received message.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.24. [ID: 949] Packet with invalid header

Log Categories
GTP
Log Message
Packet with invalid header.
Default Log Severity
Warning
Parameters
localip, remoteip, scope, messagetype, iface
Explanation
Invalid header in received message.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.17.25. [ID: 953] Packet with invalid length

Log Categories
GTP
Log Message
Packet with invalid length.
Default Log Severity
Notice
Parameters
localip, remoteip, len, minlen
Explanation
Received a GTP-C packet with invalid length.
Gateway Action
Drop
Action Description
None
Proposed Action
Verify the integrity of the sending device.

2.17.26. [ID: 956] Invalid TEID

Log Categories
GTP
Log Message
Invalid TEID.
Default Log Severity
Warning
Parameters
imsi, msisdn, eua, teiddi, messagetype, iface
Explanation
The TTG received a message using a reserved TEID.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.27. [ID: 981] Lingering MM context with no PDP context

Log Categories
GTP
Log Message
Lingering MM context with no PDP context.
Default Log Severity
Warning
Parameters
imsi, msisdn, iface
Explanation
An MM context without an associated PDP context lingered in the TTG.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.28. [ID: 977] Could not create MM context

Log Categories
GTP
Log Message
Could not create MM context.
Default Log Severity
Error
Parameters
imsi, msisdn, iface
Explanation
A client tried to connect but an MM context could not be created, possibly because of an invalid configuration.
Gateway Action
Abort
Action Description
None
Proposed Action
None

2.17.29. [ID: 748] Maximum number of tunnels reached

Log Categories
GTP
Log Message
Maximum number of tunnels reached.
Default Log Severity
Warning
Parameters
max, iface
Explanation
The maximum number of allowed tunnels has been established; no more clients can connect.
Gateway Action
Abort
Action Description
None
Proposed Action
Increase tunnel limit in configuration.

2.17.30. [ID: 726] Missing mandatory information element

Log Categories
GTP
Log Message
Missing mandatory information element.
Default Log Severity
Warning
Parameters
localip, remoteip, scope, messagetype, ie, iface
Explanation
A message that is missing a mandatory information element was received.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.31. [ID: 973] Missing PDP context for reponse

Log Categories
GTP
Log Message
Missing PDP context for reponse.
Default Log Severity
Warning
Parameters
imsi, msisdn, eua, teiddi, messagetype, iface
Explanation
The TTG received a GGSN response but no PDP context existed in the TTG with TEID teiddi.
Gateway Action
Drop
Action Description
None
Proposed Action
Make sure that the correct GGSN is configured to the TTG.

2.17.32. [ID: 958] Failed open connection

Log Categories
GTP
Log Message
Failed open connection.
Default Log Severity
Warning
Parameters
localip, remoteip, scope, iface
Explanation
The TTG was unable to initialize a control plane connection to the GGSN.
Gateway Action
Abort
Action Description
None
Proposed Action
None

2.17.33. [ID: 779] Out of bounds information element

Log Categories
GTP
Log Message
Out of bounds information element.
Default Log Severity
Error
Parameters
imsi, msisdn, eua, teiddi, messagetype, iface
Explanation
The GTP implementation does not have enough space to extract the number of information elements present in the packet.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.17.34. [ID: 784] Out of sequence information element

Log Categories
GTP
Log Message
Out of sequence information element.
Default Log Severity
Error
Parameters
imsi, msisdn, eua, teiddi, messagetype, iface
Explanation
The information elements in a GTP packet were out of sequence.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.17.35. [ID: 980] Could not create PDP context

Log Categories
GTP
Log Message
Could not create PDP context.
Default Log Severity
Error
Parameters
imsi, msisdn, type, iface
Explanation
A client tried to connect but a PDP context could not be created, possibly because of an invalid configuration.
Gateway Action
Abort
Action Description
None
Proposed Action
None

2.17.36. [ID: 963] Packet with extension headers

Log Categories
GTP
Log Message
Packet with extension headers.
Default Log Severity
Notice
Parameters
localip, remoteip, scope, type, iface
Explanation
The TTG received a GTP-C packet containing extension headers which was dropped.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.17.37. [ID: 962] Packet with unknown extension header

Log Categories
GTP
Log Message
Packet with unknown extension header.
Default Log Severity
Warning
Parameters
localip, remoteip, scope, type, iface
Explanation
The TTG received a GTP-U packet with unknown extension headers.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.17.38. [ID: 740] Path check failed

Log Categories
GTP
Log Message
Path check failed.
Default Log Severity
Warning
Parameters
localip, remoteip, scope, iface
Explanation
A GGSN did not respond to echo requests in time and is considered as unreachable.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.17.39. [ID: 979] Received message

Log Categories
GTP
Log Message
Received message.
Default Log Severity
Notice
Parameters
localip, remoteip, scope, messagetype, iface
Explanation
The TTG received a messagetype message for scope.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.40. [ID: 972] Received not supported message

Log Categories
GTP
Log Message
Received not supported message.
Default Log Severity
Notice
Parameters
localip, remoteip, scope, messagetype, iface
Explanation
The TTG received an unknown control plane message of messagetype.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.41. [ID: 945] Received User Plane packet for non-existent[...]

Log Categories
GTP
Log Message
Received User Plane packet for non-existent interface.
Default Log Severity
Notice
Parameters
srcip, destip, messagetype, iface
Explanation
Received User Plane packet addressed for a non-existent GTP interface.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.42. [ID: 944] Failed to register PDP context from User Plane

Log Categories
GTP
Log Message
Failed to register PDP context from User Plane.
Default Log Severity
Warning
Parameters
teiddi, srcip, destip, iface
Explanation
Failed to register PDP context from User Plane.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.43. [ID: 930] Failed to register PDP context

Log Categories
GTP
Log Message
Failed to register PDP context.
Default Log Severity
Notice
Parameters
teiddi, type, code, iface
Explanation
GTP failed to register a PDP context with the User plane.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.44. [ID: 939] Failed to register GTP User Plane session

Log Categories
GTP
Log Message
Failed to register GTP User Plane session.
Default Log Severity
Notice
Parameters
code, iface
Explanation
Failed to register GTP User Plane session.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.45. [ID: 982] Removing connection

Log Categories
GTP
Log Message
Removing connection.
Default Log Severity
Information
Parameters
localip, remoteip, scope, reason, iface
Explanation
The TTG tried to close down a scope connection because of reason.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.17.46. [ID: 936] Removing invalid request

Log Categories
GTP
Log Message
Removing invalid request.
Default Log Severity
Notice
Parameters
localip, remoteip, imsi, msisdn, eua, teiddi, seqno, type, scope, iface
Explanation
A remaining GTP message was detected intended for a no longer existing PDP context.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.47. [ID: 961] Failed to remove all previous User Plane GTP[...]

Log Categories
GTP
Log Message
Failed to remove all previous User Plane GTP sessions.
Default Log Severity
Notice
Parameters
 
Explanation
Failed to remove all previous User Plane GTP sessions.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.48. [ID: 955] Failed re-open connection

Log Categories
GTP
Log Message
Failed re-open connection.
Default Log Severity
Warning
Parameters
iface
Explanation
A previously opened and then closed connection could not be re-opened.
Gateway Action
Abort
Action Description
None
Proposed Action
Verify that the GGSN can be reached.

2.17.49. [ID: 951] Request was rejected

Log Categories
GTP
Log Message
Request was rejected.
Default Log Severity
Warning
Parameters
imsi, msisdn, eua, teiddi, messagetype, cause, iface
Explanation
The TTG sent a request to the GGSN. The GGSN rejected the messagetype request for reason cause.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.50. [ID: 932] Request response mismatch

Log Categories
GTP
Log Message
Request response mismatch.
Default Log Severity
Notice
Parameters
localip, remoteip, imsi, msisdn, eua, teiddi, seqno, type, scope, iface
Explanation
The received message and the expected message differ.
Gateway Action
Drop
Action Description
None
Proposed Action
Verify that the firewall is connected to the correct GGSN.

2.17.51. [ID: 694] IE TEID in create PDP context message is[...]

Log Categories
GTP
Log Message
IE TEID in create PDP context message is reserved.
Default Log Severity
Warning
Parameters
 
Explanation
The received create PDP context message contained the reserved value (0) in the TEID information element.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.17.52. [ID: 978] Query resolve APN

Log Categories
GTP
Log Message
Query resolve APN.
Default Log Severity
Notice
Parameters
fqdn, state, iface
Explanation
The TTG issued a query to perform a DNS resolve for the APN fqdn, and is currently state.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.53. [ID: 966] Route lookup failed

Log Categories
GTP
Log Message
Route lookup failed.
Default Log Severity
Warning
Parameters
remoteip, reason
Explanation
The TTG could not find a route table when performing a route lookup.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.17.54. [ID: 959] Failed to send message

Log Categories
GTP
Log Message
Failed to send message.
Default Log Severity
Warning
Parameters
localip, remoteip, scope, iface
Explanation
The TTG tried to send scope traffic to the GGSN, but failed to do so.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.17.55. [ID: 952] Failed sending packet to GGSN

Log Categories
GTP
Log Message
Failed sending packet to GGSN.
Default Log Severity
Warning
Parameters
localip, remoteip, scope, messagetype, iface
Explanation
The TTG tried unsuccessfully to send a response of messagetype to a GGSN.
Gateway Action
None
Action Description
None
Proposed Action
Verify that the GGSN can be reached from the TTG.

2.17.56. [ID: 937] Sending to GGSN

Log Categories
GTP
Log Message
Sending to GGSN.
Default Log Severity
Notice
Parameters
localip, remoteip, imsi, msisdn, eua, teiddi, seqno, type, scope, iface
Explanation
Informational message: GTP is sending a message to a GGSN.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.57. [ID: 943] Send Control Plane packet to User Plane failed

Log Categories
GTP
Log Message
Send Control Plane packet to User Plane failed.
Default Log Severity
Notice
Parameters
srcip, destip, iface
Explanation
Communication by sending a packet to User Plane failed.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.58. [ID: 777] GTP statefile read error

Log Categories
GTP
Log Message
GTP statefile read error.
Default Log Severity
Notice
Parameters
file
Explanation
The state file for GTP containing connection information for GTP tunnels could not be retrieved from storage.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.59. [ID: 941] GTP statefile read success

Log Categories
GTP
Log Message
GTP statefile read success.
Default Log Severity
Information
Parameters
file
Explanation
Recovery values were successfully retrieved from the persistent storage file containing them.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.60. [ID: 762] GTP statefile write error

Log Categories
GTP
Log Message
GTP statefile write error.
Default Log Severity
Warning
Parameters
file
Explanation
The state file for GTP containing connection information for GTP tunnels could not be stored.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.61. [ID: 934] GTP statefile write success

Log Categories
GTP
Log Message
GTP statefile write success.
Default Log Severity
Notice
Parameters
file
Explanation
Recovery values were successfully stored to the persistent storage file.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.62. [ID: 749] GTP tunnel deleted by GGSN

Log Categories
GTP
Log Message
GTP tunnel deleted by GGSN.
Default Log Severity
Notice
Parameters
imsi, msisdn, eua, teiddi, iface
Explanation
A GTP tunnel was deleted due to a delete PDP context request from the GGSN.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.17.63. [ID: 747] GTP tunnel deleted by the stitched interface

Log Categories
GTP
Log Message
GTP tunnel deleted by the stitched interface.
Default Log Severity
Notice
Parameters
imsi, msisdn, eua, teiddi, iface
Explanation
A GTP tunnel was deleted upon a request from the stitched interface.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.17.64. [ID: 756] GTP tunnel deleted due to being invalid

Log Categories
GTP
Log Message
GTP tunnel deleted due to being invalid.
Default Log Severity
Notice
Parameters
imsi, msisdn, eua, teiddi, iface
Explanation
A GTP tunnel was deleted because the TEID was unknown to the GGSN.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.17.65. [ID: 716] GTP tunnel established

Log Categories
GTP
Log Message
GTP tunnel established.
Default Log Severity
Information
Parameters
imsi, msisdn, eua, teiddi, iface
Explanation
A new GTP tunnel has been established for a client. The client has been assigned eua as its IP address.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.66. [ID: 723] Unexpected GTP message type

Log Categories
GTP
Log Message
Unexpected GTP message type.
Default Log Severity
Warning
Parameters
type
Explanation
A GTP message with an unexpected and unhandled type was received.
Gateway Action
Drop
Action Description
None
Proposed Action
Check the logs for other types of erroneous events that might result in this scenario.

2.17.67. [ID: 1593] Unexpected signaling message

Log Categories
GTP
Log Message
Unexpected signaling message.
Default Log Severity
Notice
Parameters
localip, remoteip, scope, messagetype, iface
Explanation
 
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.68. [ID: 968] Control Plane unknown PDP context

Log Categories
GTP
Log Message
Control Plane unknown PDP context.
Default Log Severity
Notice
Parameters
localip, remoteip, teiddi
Explanation
Received a GTP-C packet with an unknown tunnel endpoint identifier.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.69. [ID: 940] Control Plane unknown PDP context

Log Categories
GTP
Log Message
Control Plane unknown PDP context.
Default Log Severity
Notice
Parameters
teiddi, type, code, iface
Explanation
A PDP context unknown to the Control plane was registered with the User Plane.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.70. [ID: 974] Unknown GTP version

Log Categories
GTP
Log Message
Unknown GTP version.
Default Log Severity
Warning
Parameters
localip, remoteip, scope, messagetype, iface
Explanation
The TTG detected use of an unknown GTP version.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.71. [ID: 712] Unknown information element

Log Categories
GTP
Log Message
Unknown information element.
Default Log Severity
Notice
Parameters
imsi, msisdn, eua, teiddi, messagetype, iface
Explanation
An unknown or unsupported information element was found in a GTP packet.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.72. [ID: 695] Unknown GTP tunnel endpoint identifier

Log Categories
GTP
Log Message
Unknown GTP tunnel endpoint identifier.
Default Log Severity
Notice
Parameters
id, direction
Explanation
Received a GTP G-PDU packet with an unknown tunnel endpoint identifier. direction refers to the direction of the GTP packet, in or out of the GTP-tunnel.
Gateway Action
Drop
Action Description
None
Proposed Action
Check the logs for other types of erroneous events that might result in this scenario.

2.17.73. [ID: 929] Unknown User Plane action

Log Categories
GTP
Log Message
Unknown User Plane action.
Default Log Severity
Notice
Parameters
srcip, destip, type, iface
Explanation
GTP received a User Plane message with an associated action that didn't make sense in that context.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.74. [ID: 927] Unknown User Plane action

Log Categories
GTP
Log Message
Unknown User Plane action.
Default Log Severity
Warning
Parameters
teiddi, type, code, iface
Explanation
The Control plane received an unknown response message from User plane.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.75. [ID: 709] Unknown GTP version

Log Categories
GTP
Log Message
Unknown GTP version.
Default Log Severity
Notice
Parameters
version
Explanation
Received a GTP packet with an unknown or unsupported version.
Gateway Action
Drop
Action Description
None
Proposed Action
Reconfigure the sender to use a supported GTP version.

2.17.76. [ID: 942] Failed to remove PDP context from User Plane

Log Categories
GTP
Log Message
Failed to remove PDP context from User Plane.
Default Log Severity
Notice
Parameters
teiddi, iface
Explanation
Failed to remove PDP context from User Plane.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.77. [ID: 938] Failed to unregister PDP context from User[...]

Log Categories
GTP
Log Message
Failed to unregister PDP context from User Plane.
Default Log Severity
Notice
Parameters
teiddi, type, code, iface
Explanation
Failed to unregister PDP context from User Plane.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.78. [ID: 933] Failed to remove User Plane GTP session

Log Categories
GTP
Log Message
Failed to remove User Plane GTP session.
Default Log Severity
Warning
Parameters
iface
Explanation
Failed to remove a previous User Plane GTP session.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.79. [ID: 778] Version not supported by GGSN

Log Categories
GTP
Log Message
Version not supported by GGSN.
Default Log Severity
Critical
Parameters
localip, remoteip, scope, version, iface
Explanation
The peer does not support the GTP version currently used. version indicates the latest supported version.
Gateway Action
None
Action Description
None
Proposed Action
None

2.17.80. [ID: 780] Version not supported by TTG

Log Categories
GTP
Log Message
Version not supported by TTG.
Default Log Severity
Notice
Parameters
localip, remoteip, scope, messagetype, version, iface
Explanation
The peer does not support the GTP version currently used. version indicates the latest supported version.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18. GTPINSPECTION

These log messages refer to the GTPINSPECTION category.

2.18.1. [ID: 1519] GTP-U bearer creation completely rejected by[...]

Log Categories
GTPINSPECTION
Log Message
GTP-U bearer creation completely rejected by endpoint.
Default Log Severity
Notice
Parameters
sessionid, cause, flow
Explanation
The whole request to create a GTP-U bearer was rejected by the endpoint.
Gateway Action
Discard
Action Description
None
Proposed Action
None

2.18.2. [ID: 1536] GTP-U bearer creation rejected by endpoint

Log Categories
GTPINSPECTION
Log Message
GTP-U bearer creation rejected by endpoint.
Default Log Severity
Notice
Parameters
sessionid, bearerid, cause, flow
Explanation
The other endpoint rejected the request to create a GTP-U bearer.
Gateway Action
Discard
Action Description
None
Proposed Action
None

2.18.3. [ID: 1528] GTP-U bearer deletion completely rejected by[...]

Log Categories
GTPINSPECTION
Log Message
GTP-U bearer deletion completely rejected by endpoint.
Default Log Severity
Notice
Parameters
sessionid, cause, flow
Explanation
The whole request to delete a GTP-U bearer was rejected by the endpoint.
Gateway Action
Discard
Action Description
None
Proposed Action
None

2.18.4. [ID: 1512] GTP-U bearer deletion rejected by endpoint

Log Categories
GTPINSPECTION
Log Message
GTP-U bearer deletion rejected by endpoint.
Default Log Severity
Notice
Parameters
sessionid, bearerid, cause, flow
Explanation
The other endpoint rejected the request to delete a GTP-U bearer.
Gateway Action
Discard
Action Description
None
Proposed Action
None

2.18.5. [ID: 1522] GTP-U bearer modification completely rejected[...]

Log Categories
GTPINSPECTION
Log Message
GTP-U bearer modification completely rejected by endpoint.
Default Log Severity
Notice
Parameters
sessionid, cause, flow
Explanation
The whole request to modify a GTP-U bearer was rejected by the endpoint.
Gateway Action
Discard
Action Description
None
Proposed Action
None

2.18.6. [ID: 1534] GTP-U bearer modification rejected by endpoint

Log Categories
GTPINSPECTION
Log Message
GTP-U bearer modification rejected by endpoint.
Default Log Severity
Notice
Parameters
sessionid, bearerid, cause, flow
Explanation
The other endpoint rejected the request to modify a GTP-U bearer.
Gateway Action
Discard
Action Description
None
Proposed Action
None

2.18.7. [ID: 1521] G-PDU dropped due to empty T-PDU

Log Categories
GTPINSPECTION,VALIDATE
Log Message
G-PDU dropped due to empty T-PDU.
Default Log Severity
Notice
Parameters
flow, user, userid
Explanation
G-PDU message dropped due to empty T-PDU.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.8. [ID: 1538] Flow closed

Log Categories
GTPINSPECTION
Log Message
Flow closed.
Default Log Severity
Information
Parameters
flow
Explanation
A flow using GTP inspection was closed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.18.9. [ID: 1524] Flow failed

Log Categories
GTPINSPECTION
Log Message
Flow failed.
Default Log Severity
Notice
Parameters
reason, originator, flow, rule
Explanation
An error occurred that caused the GTP inspection flow to be aborted.
Gateway Action
Abort
Action Description
None
Proposed Action
None

2.18.10. [ID: 1523] Flow opened

Log Categories
GTPINSPECTION
Log Message
Flow opened.
Default Log Severity
Information
Parameters
flow
Explanation
A flow using GTP inspection was opened.
Gateway Action
Open
Action Description
None
Proposed Action
None

2.18.11. [ID: 1567] Bearer ID does not exist

Log Categories
GTPINSPECTION
Log Message
Bearer ID does not exist.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message contained an NSAPI/EPS bearer ID for which no GTP-U bearer exists.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.12. [ID: 1624] Bearer ID does not exist

Log Categories
GTPINSPECTION
Log Message
Bearer ID does not exist.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message contained an NSAPI/EPS bearer ID for which no GTP-U bearer exists.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.13. [ID: 1561] Bearer lacks F-TEID

Log Categories
GTPINSPECTION
Log Message
Bearer lacks F-TEID.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The GTP-C message does not contain an F-TEID for a GTP-U bearer.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.14. [ID: 1598] Bearer lacks F-TEID

Log Categories
GTPINSPECTION
Log Message
Bearer lacks F-TEID.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The GTP-C message does not contain an F-TEID for a GTP-U bearer.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.15. [ID: 1565] TEID of bearer should not be zero

Log Categories
GTPINSPECTION
Log Message
TEID of bearer should not be zero.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The GTP-C message contained a zero F-TEID for a GTP-U bearer.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.16. [ID: 1632] TEID of bearer should not be zero

Log Categories
GTPINSPECTION
Log Message
TEID of bearer should not be zero.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The GTP-C message contained a zero F-TEID for a GTP-U bearer.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.17. [ID: 1564] Could not add proposed GTP-U bearer

Log Categories
GTPINSPECTION
Log Message
Could not add proposed GTP-U bearer.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The system could not create a new GTP-U bearer.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.18. [ID: 1634] Could not add proposed GTP-U bearer

Log Categories
GTPINSPECTION
Log Message
Could not add proposed GTP-U bearer.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The system could not create a new GTP-U bearer.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.19. [ID: 1573] Could not delete GTP-U bearer

Log Categories
GTPINSPECTION
Log Message
Could not delete GTP-U bearer.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The system could not delete a GTP-U bearer.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.20. [ID: 1600] Could not delete GTP-U bearer

Log Categories
GTPINSPECTION
Log Message
Could not delete GTP-U bearer.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The system could not delete a GTP-U bearer.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.21. [ID: 1559] Could not finalize GTP-U bearer

Log Categories
GTPINSPECTION
Log Message
Could not finalize GTP-U bearer.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The system could not finalize the creation of a new GTP-U bearer.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.22. [ID: 1614] Could not finalize GTP-U bearer

Log Categories
GTPINSPECTION
Log Message
Could not finalize GTP-U bearer.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The system could not finalize the creation of a new GTP-U bearer.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.23. [ID: 1552] Could not set proposed values on GTP-U bearer

Log Categories
GTPINSPECTION
Log Message
Could not set proposed values on GTP-U bearer.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The GTP-U bearer could not be updated with the values in the received GTP-C message.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.24. [ID: 1606] Could not set proposed values on GTP-U bearer

Log Categories
GTPINSPECTION
Log Message
Could not set proposed values on GTP-U bearer.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The GTP-U bearer could not be updated with the values in the received GTP-C message.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.25. [ID: 1585] Disallowed GTP version

Log Categories
GTPINSPECTION
Log Message
Disallowed GTP version.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, flow
Explanation
A GTP-C message was received with a version that is not allowed by the configuration.
Gateway Action
Drop
Action Description
None
Proposed Action
Reconfigure the sender to use a supported GTP version.

2.18.26. [ID: 1566] Duplicate Bearer ID

Log Categories
GTPINSPECTION
Log Message
Duplicate Bearer ID.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message contained an NSAPI/EPS bearer ID for which a GTP-U bearer already exists.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.27. [ID: 1616] Duplicate Bearer ID

Log Categories
GTPINSPECTION
Log Message
Duplicate Bearer ID.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message contained an NSAPI/EPS bearer ID for which a GTP-U bearer already exists.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.28. [ID: 1587] Zero size extension header

Log Categories
GTPINSPECTION
Log Message
Zero size extension header.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message contained an empty extension header.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.29. [ID: 1580] Failed to read IE

Log Categories
GTPINSPECTION
Log Message
Failed to read IE.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, ie, flow
Explanation
The system could not read an information element from the received GTP-C message.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.30. [ID: 1602] Failed to read IE

Log Categories
GTPINSPECTION
Log Message
Failed to read IE.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, ie, flow
Explanation
The system could not read an information element from the received GTP-C message.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.31. [ID: 1562] Incorrect optional IEs

Log Categories
GTPINSPECTION
Log Message
Incorrect optional IEs.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message contained an incorrect optional information element.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.32. [ID: 1628] Incorrect optional IEs

Log Categories
GTPINSPECTION
Log Message
Incorrect optional IEs.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message contained an incorrect optional information element.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.33. [ID: 1636] Invalid Bearer ID

Log Categories
GTPINSPECTION
Log Message
Invalid Bearer ID.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message contained an invalid EPS bearer ID, due to spare bits being non-zero.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.34. [ID: 1635] Invalid Bearer ID

Log Categories
GTPINSPECTION
Log Message
Invalid Bearer ID.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message contained an invalid EPS bearer ID, due to spare bits being non-zero.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.35. [ID: 1584] Invalid extension header content

Log Categories
GTPINSPECTION
Log Message
Invalid extension header content.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message contained an extension header with invalid data.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.36. [ID: 1568] Invalid mandatory IE

Log Categories
GTPINSPECTION
Log Message
Invalid mandatory IE.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message contained an invalid mandatory information element.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.37. [ID: 1612] Invalid mandatory IE

Log Categories
GTPINSPECTION
Log Message
Invalid mandatory IE.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message contained an invalid mandatory information element.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.38. [ID: 1558] Invalid optional IE

Log Categories
GTPINSPECTION
Log Message
Invalid optional IE.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message contained an invalid optional information element.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.39. [ID: 1604] Invalid optional IE

Log Categories
GTPINSPECTION
Log Message
Invalid optional IE.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message contained an invalid optional information element.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.40. [ID: 1578] GTP-C sender IP is invalid

Log Categories
GTPINSPECTION
Log Message
GTP-C sender IP is invalid.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
GTP-C sender IP address was invalid.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.41. [ID: 1607] GTP-C sender IP is invalid

Log Categories
GTPINSPECTION
Log Message
GTP-C sender IP is invalid.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
GTP-C sender IP address was invalid.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.42. [ID: 1621] Main message blocked due to invalid piggyback

Log Categories
GTPINSPECTION
Log Message
Main message blocked due to invalid piggyback.
Default Log Severity
Notice
Parameters
sessionid, flow
Explanation
According to the configured setting, the piggyback message was dropped, and the main message was blocked with it.
Gateway Action
Block
Action Description
None
Proposed Action
None

2.18.43. [ID: 1583] Message in wrong direction

Log Categories
GTPINSPECTION
Log Message
Message in wrong direction.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message was sent in the wrong direction.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.44. [ID: 1597] Message in wrong direction

Log Categories
GTPINSPECTION
Log Message
Message in wrong direction.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message was sent in the wrong direction.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.45. [ID: 1574] Message too short

Log Categories
GTPINSPECTION
Log Message
Message too short.
Default Log Severity
Notice
Parameters
sessionid, paylen, flow
Explanation
The received GTP-C message was too short.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.46. [ID: 1625] Message too short

Log Categories
GTPINSPECTION
Log Message
Message too short.
Default Log Severity
Notice
Parameters
sessionid, paylen, flow
Explanation
The received GTP-C message was too short.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.47. [ID: 1575] Missing Conditionally Present IE

Log Categories
GTPINSPECTION
Log Message
Missing Conditionally Present IE.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, ie, flow
Explanation
The GTP-C message did not contain a mandatory information element.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.48. [ID: 1618] Missing Conditionally Present IE

Log Categories
GTPINSPECTION
Log Message
Missing Conditionally Present IE.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, ie, flow
Explanation
The GTP-C message did not contain a mandatory information element.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.49. [ID: 1563] Missing mandatorily present IE

Log Categories
GTPINSPECTION
Log Message
Missing mandatorily present IE.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, ie, flow
Explanation
The GTP-C message did not contain a mandatory information element.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.50. [ID: 1603] Missing mandatorily present IE

Log Categories
GTPINSPECTION
Log Message
Missing mandatorily present IE.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, ie, flow
Explanation
The GTP-C message did not contain a mandatory information element.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.51. [ID: 1572] Needs both GTP-U IP and TEID

Log Categories
GTPINSPECTION
Log Message
Needs both GTP-U IP and TEID.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The IP address or the TEID for the GTP-U bearer was not known.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.52. [ID: 1622] Needs both GTP-U IP and TEID

Log Categories
GTPINSPECTION
Log Message
Needs both GTP-U IP and TEID.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The IP address or the TEID for the GTP-U bearer was not known.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.53. [ID: 1553] Did not find outstanding request for response[...]

Log Categories
GTPINSPECTION
Log Message
Did not find outstanding request for response message.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The system received a GTP-C response message for which it had not received a corresponding request message.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.54. [ID: 1601] Did not find outstanding request for response[...]

Log Categories
GTPINSPECTION
Log Message
Did not find outstanding request for response message.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The system received a GTP-C response message for which it had not received a corresponding request message.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.55. [ID: 1613] Unknown message type

Log Categories
GTPINSPECTION
Log Message
Unknown message type.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message type messagetype is not supported by the system.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.56. [ID: 1555] Unknown message type

Log Categories
GTPINSPECTION
Log Message
Unknown message type.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message type messagetype is not supported by the system.
Gateway Action
Allow
Action Description
None
Proposed Action
None

2.18.57. [ID: 1615] Unknown message type

Log Categories
GTPINSPECTION
Log Message
Unknown message type.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message type messagetype is not supported by the system.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.58. [ID: 1570] Unsupported GTP version

Log Categories
GTPINSPECTION
Log Message
Unsupported GTP version.
Default Log Severity
Notice
Parameters
sessionid, version, flow
Explanation
Received a GTP packet with an unknown or unsupported version.
Gateway Action
Drop
Action Description
None
Proposed Action
Reconfigure the sender to use a supported GTP version.

2.18.59. [ID: 1586] Out of sequence IE

Log Categories
GTPINSPECTION
Log Message
Out of sequence IE.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message contained information elements that were not in increasing order.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.60. [ID: 1633] Out of sequence IE

Log Categories
GTPINSPECTION
Log Message
Out of sequence IE.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message contained information elements that were not in increasing order.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.61. [ID: 1551] Repeated IEs

Log Categories
GTPINSPECTION
Log Message
Repeated IEs.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, ie, flow
Explanation
The GTP-C message contained too many information elements of the same type.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.62. [ID: 1623] Repeated IEs

Log Categories
GTPINSPECTION
Log Message
Repeated IEs.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, ie, flow
Explanation
The GTP-C message contained too many information elements of the same type.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.63. [ID: 1533] GTP-C session created

Log Categories
GTPINSPECTION
Log Message
GTP-C session created.
Default Log Severity
Notice
Parameters
sessionid, version, origip, origteid, termip, termteid, flow
Explanation
A GTP-C session has been successfully created.
Gateway Action
Open
Action Description
None
Proposed Action
None

2.18.64. [ID: 1532] GTP-C session deleted

Log Categories
GTPINSPECTION
Log Message
GTP-C session deleted.
Default Log Severity
Notice
Parameters
sessionid, origip, origteid, termip, termteid, reason
Explanation
A GTP-C session has been successfully deleted.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.18.65. [ID: 1638] TEID of session should not be zero

Log Categories
GTPINSPECTION
Log Message
TEID of session should not be zero.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The GTP-C message contained a zero F-TEID.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.66. [ID: 1637] TEID of session should not be zero

Log Categories
GTPINSPECTION
Log Message
TEID of session should not be zero.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The GTP-C message contained a zero F-TEID.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.67. [ID: 1527] GTP-C session updated

Log Categories
GTPINSPECTION
Log Message
GTP-C session updated.
Default Log Severity
Notice
Parameters
sessionid, origip, origteid, termip, termteid, flow
Explanation
A GTP-C session has been successfully updated.
Gateway Action
Adjust
Action Description
None
Proposed Action
None

2.18.68. [ID: 1549] Message header should have sequence number

Log Categories
GTPINSPECTION
Log Message
Message header should have sequence number.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP message should contain a sequence number in its GTP header.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.69. [ID: 1577] Message header should have TEID

Log Categories
GTPINSPECTION
Log Message
Message header should have TEID.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, flow
Explanation
The received GTP message should contain a Tunnel Endpoint Identifier (TEID) in its GTP header.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.70. [ID: 1608] Message header should have TEID

Log Categories
GTPINSPECTION
Log Message
Message header should have TEID.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, flow
Explanation
The received GTP message should contain a Tunnel Endpoint Identifier (TEID) in its GTP header.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.71. [ID: 1554] Message header should not have TEID

Log Categories
GTPINSPECTION
Log Message
Message header should not have TEID.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, flow
Explanation
The received GTP message should not contain a Tunnel Endpoint Identifier (TEID) in its GTP header.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.72. [ID: 1605] Message header should not have TEID

Log Categories
GTPINSPECTION
Log Message
Message header should not have TEID.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, flow
Explanation
The received GTP message should not contain a Tunnel Endpoint Identifier (TEID) in its GTP header.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.73. [ID: 1560] Too many bearers

Log Categories
GTPINSPECTION
Log Message
Too many bearers.
Default Log Severity
Warning
Parameters
sessionid, version, messagetype, teid, max, flow
Explanation
The limit for the configured number of GTP-U bearers was exceeded.
Gateway Action
Drop
Action Description
None
Proposed Action
Review the limits configured in the GTP inspection profile used.

2.18.74. [ID: 1599] Too many bearers

Log Categories
GTPINSPECTION
Log Message
Too many bearers.
Default Log Severity
Warning
Parameters
sessionid, version, messagetype, teid, max, flow
Explanation
The limit for the configured number of GTP-U bearers was exceeded.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
Review the limits configured in the GTP inspection profile used.

2.18.75. [ID: 1579] Too many piggy back messages

Log Categories
GTPINSPECTION
Log Message
Too many piggy back messages.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.76. [ID: 1629] Too many piggy back messages

Log Categories
GTPINSPECTION
Log Message
Too many piggy back messages.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.77. [ID: 1576] Too many sessions

Log Categories
GTPINSPECTION
Log Message
Too many sessions.
Default Log Severity
Warning
Parameters
sessionid, version, messagetype, teid, max, flow
Explanation
The limit for the configured number of GTP-C sessions was exceeded.
Gateway Action
Drop
Action Description
None
Proposed Action
Review the limits configured in the GTP inspection profile used.

2.18.78. [ID: 1591] Too many sessions per IP

Log Categories
GTPINSPECTION
Log Message
Too many sessions per IP.
Default Log Severity
Warning
Parameters
sessionid, version, messagetype, teid, max, flow
Explanation
The limit for the configured number of GTP-C sessions per source IP was exceeded.
Gateway Action
Drop
Action Description
None
Proposed Action
Review the limits configured in the GTP inspection profile used.

2.18.79. [ID: 1620] Too many sessions per IP

Log Categories
GTPINSPECTION
Log Message
Too many sessions per IP.
Default Log Severity
Warning
Parameters
sessionid, version, messagetype, teid, max, flow
Explanation
The limit for the configured number of GTP-C sessions per source IP was exceeded.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
Review the limits configured in the GTP inspection profile used.

2.18.80. [ID: 1619] Too many sessions

Log Categories
GTPINSPECTION
Log Message
Too many sessions.
Default Log Severity
Warning
Parameters
sessionid, version, messagetype, teid, max, flow
Explanation
The limit for the configured number of GTP-C sessions was exceeded.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
Review the limits configured in the GTP inspection profile used.

2.18.81. [ID: 1617] Unexpected IE

Log Categories
GTPINSPECTION
Log Message
Unexpected IE.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, ie, name, flow
Explanation
The received GTP-C message contained an information element of type ie that was not expected for the message type messagetype or for the current state.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.82. [ID: 1571] Unexpected IE

Log Categories
GTPINSPECTION
Log Message
Unexpected IE.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, ie, name, flow
Explanation
The received GTP-C message contained an information element of type ie that was not expected for the message type messagetype or for the current state.
Gateway Action
Allow
Action Description
None
Proposed Action
None

2.18.83. [ID: 1626] Unexpected IE

Log Categories
GTPINSPECTION
Log Message
Unexpected IE.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, ie, name, flow
Explanation
The received GTP-C message contained an information element of type ie that was not expected for the message type messagetype or for the current state.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.84. [ID: 1556] Unexpected GTP signaling message

Log Categories
GTPINSPECTION
Log Message
Unexpected GTP signaling message.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
A GTP-C message of type messagetype was not expected at this time.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.85. [ID: 1630] Unexpected GTP signaling message

Log Categories
GTPINSPECTION
Log Message
Unexpected GTP signaling message.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
A GTP-C message of type messagetype was not expected at this time.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.86. [ID: 1627] Unknown IE

Log Categories
GTPINSPECTION
Log Message
Unknown IE.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, ie, flow
Explanation
The received GTP-C message contained an unknown information element of type ie.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.87. [ID: 1581] Unknown IE

Log Categories
GTPINSPECTION
Log Message
Unknown IE.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, ie, flow
Explanation
The received GTP-C message contained an unknown information element of type ie.
Gateway Action
Allow
Action Description
None
Proposed Action
None

2.18.88. [ID: 1610] Unknown IE

Log Categories
GTPINSPECTION
Log Message
Unknown IE.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, ie, flow
Explanation
The received GTP-C message contained an unknown information element of type ie.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.89. [ID: 1582] Unknown GTP signaling message

Log Categories
GTPINSPECTION
Log Message
Unknown GTP signaling message.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message was of an unknown message type.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.90. [ID: 1611] Unknown GTP signaling message

Log Categories
GTPINSPECTION
Log Message
Unknown GTP signaling message.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The received GTP-C message was of an unknown message type.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.91. [ID: 1550] Wrong packet version of piggy back message

Log Categories
GTPINSPECTION
Log Message
Wrong packet version of piggy back message.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The piggybacked message contained the wrong GTP version. A piggybacked initial message is a message that is concatenated to a response message and shares its UDP header.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.92. [ID: 1631] Wrong packet version of piggy back message

Log Categories
GTPINSPECTION
Log Message
Wrong packet version of piggy back message.
Default Log Severity
Notice
Parameters
sessionid, version, messagetype, teid, flow
Explanation
The piggybacked message contained the wrong GTP version. A piggybacked initial message is a message that is concatenated to a response message and shares its UDP header.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.93. [ID: 1588] GTP-U bearer created

Log Categories
GTPINSPECTION
Log Message
GTP-U bearer created.
Default Log Severity
Notice
Parameters
sessionid, bearerid, origip, origteid, termip, termteid, flow
Explanation
A new GTP-U bearer has been created for the GTP-C session.
Gateway Action
Open
Action Description
None
Proposed Action
None

2.18.94. [ID: 1589] GTP-U bearer deleted

Log Categories
GTPINSPECTION
Log Message
GTP-U bearer deleted.
Default Log Severity
Notice
Parameters
sessionid, bearerid, origip, origteid, termip, termteid, reason
Explanation
A GTP-U bearer has been deleted from the GTP-C session.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.18.95. [ID: 1537] GTP-U bearer modified

Log Categories
GTPINSPECTION
Log Message
GTP-U bearer modified.
Default Log Severity
Notice
Parameters
sessionid, bearerid, origip, origteid, termip, termteid, flow
Explanation
A GTP-U bearer had one or both of its endpoints modified.
Gateway Action
Adjust
Action Description
None
Proposed Action
None

2.18.96. [ID: 1518] Message received after GTP-U End Marker

Log Categories
GTPINSPECTION,VALIDATE
Log Message
Message received after GTP-U End Marker.
Default Log Severity
Warning
Parameters
sessionid, origteid, termteid, flow, user, userid
Explanation
The message was dropped because an End Marker was previously received.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.97. [ID: 1511] Failed to validate GTP-U message

Log Categories
GTPINSPECTION,VALIDATE
Log Message
Failed to validate GTP-U message.
Default Log Severity
Warning
Parameters
messagetype, flow, user, userid
Explanation
Malformed GTP-U message.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate sending GTP node.

2.18.98. [ID: 1641] Missing mandatorily present IE

Log Categories
GTPINSPECTION,VALIDATE
Log Message
Missing mandatorily present IE.
Default Log Severity
Notice
Parameters
messagetype, ie, flow, user, userid
Explanation
The GTP-U message did not contain a mandatory information element.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.99. [ID: 1546] GTP-U message should have sequence number

Log Categories
GTPINSPECTION,VALIDATE
Log Message
GTP-U message should have sequence number.
Default Log Severity
Warning
Parameters
messagetype, flow, user, userid
Explanation
Message should have contained a sequence number but does not.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate sending GTP node.

2.18.100. [ID: 1642] Out of sequence IE

Log Categories
GTPINSPECTION,VALIDATE
Log Message
Out of sequence IE.
Default Log Severity
Notice
Parameters
messagetype, teid, flow, user, userid
Explanation
The received GTP-U message contained information elements that were not in increasing order.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.101. [ID: 1595] Repeated GTP-U IEs

Log Categories
GTPINSPECTION,VALIDATE
Log Message
Repeated GTP-U IEs.
Default Log Severity
Notice
Parameters
messagetype, teid, ie, flow, user, userid
Explanation
The GTP-U message contained too many information elements of the same type.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.102. [ID: 1539] GTP traffic inside a GTP tunnel detected

Log Categories
GTPINSPECTION,VALIDATE
Log Message
GTP traffic inside a GTP tunnel detected.
Default Log Severity
Warning
Parameters
flow, user, userid
Explanation
GTP traffic detected inside a GTP tunnel.
Gateway Action
Allow
Action Description
None
Proposed Action
Investigate the source of this GTP traffic.

2.18.103. [ID: 1513] GTP traffic inside a GTP tunnel detected

Log Categories
GTPINSPECTION,VALIDATE
Log Message
GTP traffic inside a GTP tunnel detected.
Default Log Severity
Warning
Parameters
flow, user, userid
Explanation
GTP traffic detected inside a GTP tunnel.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate the source of this GTP traffic.

2.18.104. [ID: 1545] Message is dropped due to internal error

Log Categories
GTPINSPECTION,VALIDATE
Log Message
Message is dropped due to internal error.
Default Log Severity
Error
Parameters
flow, user, userid
Explanation
Message is dropped due to internal error.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.105. [ID: 1540] Invalid GTP header

Log Categories
GTPINSPECTION,VALIDATE
Log Message
Invalid GTP header.
Default Log Severity
Warning
Parameters
reason, flow, user, userid
Explanation
The incoming GTP-U packet has an invalid GTP header.
Gateway Action
Drop
Action Description
None
Proposed Action
Incoming packet is malformed. Investigate why GTP traffic sent is invalid.

2.18.106. [ID: 1514] Invalid Recovery IE value

Log Categories
GTPINSPECTION,VALIDATE
Log Message
Invalid Recovery IE value.
Default Log Severity
Warning
Parameters
type, flow, user, userid
Explanation
Recovery IE must be set to 0 by a sending peer.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate sending GTP node.

2.18.107. [ID: 1526] Invalid GTP-U message type

Log Categories
GTPINSPECTION,VALIDATE
Log Message
Invalid GTP-U message type.
Default Log Severity
Warning
Parameters
flow, user, userid
Explanation
The incoming GTP-U packet has an invalid message type in its GTP header.
Gateway Action
Allow
Action Description
None
Proposed Action
Received GTP-U has an unsupported message type. Supported message types are Echo Request, Echo Response, Encapsulated T-PDUs, Error Indication, Supported Extension Headers Notification and End Marker.

2.18.108. [ID: 1529] Invalid GTP-U message type

Log Categories
GTPINSPECTION,VALIDATE
Log Message
Invalid GTP-U message type.
Default Log Severity
Warning
Parameters
flow, user, userid
Explanation
The incoming GTP-U packet has an invalid message type in its GTP header.
Gateway Action
Drop
Action Description
None
Proposed Action
Received GTP-U has an unsupported message type. Supported message types are Echo Request, Echo Response, Encapsulated T-PDUs, Error Indication, Supported Extension Headers Notification and End Marker.

2.18.109. [ID: 1520] Invalid GTP version

Log Categories
GTPINSPECTION,VALIDATE
Log Message
Invalid GTP version.
Default Log Severity
Warning
Parameters
flow, user, userid
Explanation
The incoming GTP-U packet has an unsupported GTP version.
Gateway Action
Drop
Action Description
None
Proposed Action
GTP-U is only supported in GTPv1.

2.18.110. [ID: 1542] No matching GTP-U bearer

Log Categories
GTPINSPECTION,VALIDATE
Log Message
No matching GTP-U bearer.
Default Log Severity
Warning
Parameters
teid, flow, user, userid
Explanation
GTP-U packet did not match any active bearers.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.111. [ID: 1531] GTP packet dropped

Log Categories
GTPINSPECTION
Log Message
GTP packet dropped.
Default Log Severity
Notice
Parameters
sessionid, reason, flow
Explanation
A GTP message was rejected by GTP inspection.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.18.112. [ID: 1609] GTP packet dropped

Log Categories
GTPINSPECTION
Log Message
GTP packet dropped.
Default Log Severity
Notice
Parameters
sessionid, reason, flow
Explanation
A GTP message was rejected by GTP inspection.
Gateway Action
Strippiggyback
Action Description
None
Proposed Action
None

2.18.113. [ID: 1547] GTP packet notice

Log Categories
GTPINSPECTION
Log Message
GTP packet notice.
Default Log Severity
Notice
Parameters
sessionid, reason, flow
Explanation
A GTP message that failed GTP inspection validation was forwarded.
Gateway Action
Allow
Action Description
None
Proposed Action
None

2.18.114. [ID: 1517] GTP-C session update rejected by endpoint

Log Categories
GTPINSPECTION
Log Message
GTP-C session update rejected by endpoint.
Default Log Severity
Notice
Parameters
sessionid, bearerid, cause, flow
Explanation
The other endpoint rejected the request to update GTP-C session.
Gateway Action
Discard
Action Description
None
Proposed Action
None

2.18.115. [ID: 1515] GTP-C session creation rejected by endpoint

Log Categories
GTPINSPECTION
Log Message
GTP-C session creation rejected by endpoint.
Default Log Severity
Notice
Parameters
sessionid, cause, flow
Explanation
The other endpoint rejected the request to create GTP-C session.
Gateway Action
Discard
Action Description
None
Proposed Action
None

2.18.116. [ID: 1541] GTP-C session deletion rejected by endpoint

Log Categories
GTPINSPECTION
Log Message
GTP-C session deletion rejected by endpoint.
Default Log Severity
Notice
Parameters
sessionid, cause, flow
Explanation
The other endpoint rejected the request to delete GTP-C session.
Gateway Action
Discard
Action Description
None
Proposed Action
None

2.18.117. [ID: 1530] GTP-C session update rejected by endpoint

Log Categories
GTPINSPECTION
Log Message
GTP-C session update rejected by endpoint.
Default Log Severity
Notice
Parameters
sessionid, cause, flow
Explanation
The other endpoint rejected the request to update GTP-C session.
Gateway Action
Discard
Action Description
None
Proposed Action
None

2.18.118. [ID: 1590] Unexpected GTP-U IE type

Log Categories
GTPINSPECTION,VALIDATE
Log Message
Unexpected GTP-U IE type.
Default Log Severity
Warning
Parameters
ie, flow, user, userid
Explanation
Unexpected GTP-U IE type found.
Gateway Action
Allow
Action Description
None
Proposed Action
Investigate the source of this GTP traffic.

2.18.119. [ID: 1596] Unexpected GTP-U IE type

Log Categories
GTPINSPECTION,VALIDATE
Log Message
Unexpected GTP-U IE type.
Default Log Severity
Warning
Parameters
ie, flow, user, userid
Explanation
Unexpected GTP-U IE type found.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate the source of this GTP traffic.

2.18.120. [ID: 1594] Unknown GTP-U IE type

Log Categories
GTPINSPECTION,VALIDATE
Log Message
Unknown GTP-U IE type.
Default Log Severity
Notice
Parameters
ie, flow, user, userid
Explanation
An unknown IE was encountered in the message, but was allowed due to settings.
Gateway Action
Allow
Action Description
None
Proposed Action
Investigate why the endpoints are sending unknown IEs.

2.18.121. [ID: 1592] Unknown GTP-U IE type

Log Categories
GTPINSPECTION,VALIDATE
Log Message
Unknown GTP-U IE type.
Default Log Severity
Warning
Parameters
ie, flow, user, userid
Explanation
An unknown IE was encountered in the message.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate why the endpoints are sending unknown IEs.

2.19. HA

These log messages refer to the HA category.

2.19.1. [ID: 259] HA sync message reassembly failed

Log Categories
HA
Log Message
HA sync message reassembly failed.
Default Log Severity
Warning
Parameters
 
Explanation
Some of the fragments matching this message reassembly were invalid or unexpected resulting in the whole message being dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
Search for logs of invalid or unexpected HA sync message fragments and take action accordingly.

2.19.2. [ID: 398] HA sync message reassembly failed due to lack[...]

Log Categories
HA
Log Message
HA sync message reassembly failed due to lack of resources.
Default Log Severity
Notice
Parameters
 
Explanation
The reassembly of a HA sync message could not be initiated or was prematurely aborted due to lack of resources.
Gateway Action
Drop
Action Description
None
Proposed Action
If this happens frequently try increasing the setting HASyncFragSettings:MaxConcurrentReass.

2.19.3. [ID: 597] HA sync message reassembly failed due to[...]

Log Categories
HA
Log Message
HA sync message reassembly failed due to timeout.
Default Log Severity
Notice
Parameters
 
Explanation
Not all fragments of a HA sync message were received before the reassembly was aborted due to timeout.
Gateway Action
Drop
Action Description
None
Proposed Action
This event can be the result of packet loss on the HA sync interfaces. If it happens infrequently it should not be a problem but if it happens more frequently then it might be a good idea to check if the sync interfaces are fully functional. It could also indicate that the reassembler's configuration is not suitable for the current load so another possible action is to review the HASyncFragSettings and increase the number of concurrent reassemblies or adjust the timing values.

2.19.4. [ID: 364] Received invalid HA sync message fragment

Log Categories
HA
Log Message
Received invalid HA sync message fragment.
Default Log Severity
Warning
Parameters
 
Explanation
A packet that is not a valid HA sync message fragment was received.
Gateway Action
Drop
Action Description
None
Proposed Action
Verify that the HA sync interfaces are properly secured. Untrusted systems should not be able to inject packets on the sync interfaces. Other potential causes are software or hardware malfunction.

2.19.5. [ID: 609] Received unexpected HA sync message fragment

Log Categories
HA
Log Message
Received unexpected HA sync message fragment.
Default Log Severity
Warning
Parameters
 
Explanation
The fragment did not fit the partially reassembled message that it matched.
Gateway Action
Drop
Action Description
None
Proposed Action
If this happens frequently then it may be a sign that the load on the reassembler is too high or that reassembly timeouts are too low. Review the HASyncFragSettings and increase the number of concurrent reassemblies or adjust the timing values.

2.19.6. [ID: 1044] Active-active scenario detected

Log Categories
HA,SYSTEM
Log Message
Active-active scenario detected. Remaining active since role is master.
Default Log Severity
Notice
Parameters
 
Explanation
The cluster has ended up in a scenario where both members want to be active. In these situations the master will remain active while the slave goes inactive.
Gateway Action
None
Action Description
None
Proposed Action
This is an erroneous scenario but, unless occurring frequently, can occur normally under special conditions.

2.19.7. [ID: 1047] Active-active scenario detected

Log Categories
HA,SYSTEM
Log Message
Active-active scenario detected. Going inactive since role is slave.
Default Log Severity
Notice
Parameters
 
Explanation
The cluster has ended up in a scenario where both members want to be active. In these situations the master will remain active while the slave goes inactive.
Gateway Action
Failover
Action Description
None
Proposed Action
This is an erroneous scenario but, unless occurring frequently, can occur normally under special conditions.

2.19.8. [ID: 1049] Config in sync

Log Categories
HA,SYSTEM
Log Message
Config in sync.
Default Log Severity
Notice
Parameters
localcfgver, remotecfgver
Explanation
Config versions match in both nodes of the HA cluster.
Gateway Action
None
Action Description
None
Proposed Action
None

2.19.9. [ID: 1051] Config not in sync

Log Categories
HA,SYSTEM
Log Message
Config not in sync.
Default Log Severity
Warning
Parameters
localcfgver, remotecfgver
Explanation
Config changes are done but not synced to the other node.
Gateway Action
None
Action Description
Config is not the same between the nodes in the HA cluster
Proposed Action
Set AutoSyncCfg in HighAvailability to True or send/receive configure on one node to make sure both nodes are running the same configuration.

2.19.10. [ID: 580] Failed to establish sync connection

Log Categories
HA,SYSTEM
Log Message
Failed to establish sync connection.
Default Log Severity
Error
Parameters
 
Explanation
The handshake to establish a new sync connection failed. A new handshake will be initiated.
Gateway Action
None
Action Description
None
Proposed Action
If the cluster fails to recover from this state on its own consider rebooting the inactive node.

2.19.11. [ID: 546] Failure indication cleared

Log Categories
HA,SYSTEM
Log Message
Failure indication cleared.
Default Log Severity
Notice
Parameters
id, failure
Explanation
A previously indicated failure was reported to be resolved.
Gateway Action
None
Action Description
None
Proposed Action
None

2.19.12. [ID: 605] Scheduling HA initiated system restart

Log Categories
HA,SYSTEM
Log Message
Scheduling HA initiated system restart.
Default Log Severity
Critical
Parameters
node
Explanation
The HA monitor system detected a failure and initiated a system restart of the inactive HA member with the purpose of restoring system functionality.
Gateway Action
None
Action Description
None
Proposed Action
None

2.19.13. [ID: 281] Failure indication set

Log Categories
HA,SYSTEM
Log Message
Failure indication set.
Default Log Severity
Notice
Parameters
id, failure
Explanation
A failure was reported to the HA system which may result in a HA hand-over.
Gateway Action
None
Action Description
None
Proposed Action
Review the listed failure parameter and check for related logs to determine the cause of the malfunction.

2.19.14. [ID: 237] Going HA ACTIVE since HA peer is dead

Log Categories
HA,SYSTEM
Log Message
Going HA ACTIVE since HA peer is dead.
Default Log Severity
Alert
SNMP Trap Category
HA
SNMP Trap MIB name
ssmHAActivePeerDead
SNMP Trap MIB OID
1.3.6.1.4.1.5089.3.0.2010.0.1005   (STREAM-TRAPS-MIB)
Parameters
node
Explanation
The previously active HA peer became offline and the inactive node took over in a failover.
Gateway Action
Failover
Action Description
None
Proposed Action
If this was an unplanned event, check the logs for hints on why the peer node became offline.

2.19.15. [ID: 317] Going HA ACTIVE since outranking peer

Log Categories
HA,SYSTEM
Log Message
Going HA ACTIVE since outranking peer.
Default Log Severity
Alert
SNMP Trap Category
HA
SNMP Trap MIB name
ssmHAActiveOutrankingPeer
SNMP Trap MIB OID
1.3.6.1.4.1.5089.3.0.2010.0.1010   (STREAM-TRAPS-MIB)
Parameters
node, decider, localcriteria, peercriteria
Explanation
The previously active HA peer had some sort of malfunction and the inactive node took over.
Gateway Action
Failover
Action Description
None
Proposed Action
If this was an unplanned event, check the logs for hints on what type of malfunction occurred on the peer node.

2.19.16. [ID: 275] Going HA ACTIVE due to user request

Log Categories
HA,SYSTEM
Log Message
Going HA ACTIVE due to user request.
Default Log Severity
Notice
SNMP Trap Category
HA
SNMP Trap MIB name
ssmHAActiveUserRequest
SNMP Trap MIB OID
1.3.6.1.4.1.5089.3.0.2010.0.1015   (STREAM-TRAPS-MIB)
Parameters
node
Explanation
The system administrator triggered a hand-over and the node became HA active.
Gateway Action
Failover
Action Description
None
Proposed Action
None

2.19.17. [ID: 130] Going HA INACTIVE due to being outranked by[...]

Log Categories
HA,SYSTEM
Log Message
Going HA INACTIVE due to being outranked by peer.
Default Log Severity
Alert
SNMP Trap Category
HA
SNMP Trap MIB name
ssmHAInactiveOutrankedByPeer
SNMP Trap MIB OID
1.3.6.1.4.1.5089.3.0.2010.0.1020   (STREAM-TRAPS-MIB)
Parameters
node, failure, decider, localcriteria, peercriteria
Explanation
A hand-over was performed due to the peer node being deemed to be better fit to be active.
Gateway Action
Failover
Action Description
None
Proposed Action
Review the listed failures and check for related logs to determine the cause of the hand-over.

2.19.18. [ID: 146] Going HA INACTIVE due to user request

Log Categories
HA,SYSTEM
Log Message
Going HA INACTIVE due to user request.
Default Log Severity
Notice
SNMP Trap Category
HA
SNMP Trap MIB name
ssmHAInactiveUserRequest
SNMP Trap MIB OID
1.3.6.1.4.1.5089.3.0.2010.0.1025   (STREAM-TRAPS-MIB)
Parameters
node
Explanation
The system administrator triggered a hand-over and the node became HA inactive.
Gateway Action
Failover
Action Description
None
Proposed Action
None

2.19.19. [ID: 663] HA bidir heart-beat communication over[...]

Log Categories
HA,IFACE
Log Message
HA bidir heart-beat communication over interface failed.
Default Log Severity
Notice
Parameters
iface
Explanation
The HA nodes were unable to successfully communicate through the heart-beats sent over the specific interface. This communication is used to monitor the health of the peer node and is the primary means of monitoring the health of the interfaces.
Gateway Action
None
Action Description
None
Proposed Action
Check interface cabling and load and verify proper operation. If the interface pair has been intentionally left unconnected, it is possible to set the HAType property on the interfaces to NonCritical to stop the log from triggering. However, it is probably desirable to restore the HAType to Critical when the interface is taken into service again to get normal monitoring of the interface.

2.19.20. [ID: 177] HA interface offline

Log Categories
HA,SYSTEM
Log Message
HA interface offline.
Default Log Severity
Alert
Parameters
iface
Explanation
An interface became offline due to loss of connectivity.
Gateway Action
None
Action Description
None
Proposed Action
Check interface cabling and verify proper operation.

2.19.21. [ID: 475] HA interface online

Log Categories
HA,SYSTEM
Log Message
HA interface online.
Default Log Severity
Alert
Parameters
iface
Explanation
An interface which was previously offline became online.
Gateway Action
None
Action Description
None
Proposed Action
None

2.19.22. [ID: 1046] Inactive-inactive situation detected

Log Categories
HA,SYSTEM
Log Message
Inactive-inactive situation detected. Going active since role is master.
Default Log Severity
Notice
Parameters
 
Explanation
The cluster has ended up in a scenario where both members want to be inactive. In these situations the master will go active while the slave remains inactive.
Gateway Action
Failover
Action Description
None
Proposed Action
This is an erroneous scenario but, unless occurring frequently, can occur normally under special conditions.

2.19.23. [ID: 1045] Inactive-inactive situation detected

Log Categories
HA,SYSTEM
Log Message
Inactive-inactive situation detected. Remaining inactive since role is slave.
Default Log Severity
Notice
Parameters
 
Explanation
The cluster has ended up in a scenario where both members want to be inactive. In these situations the master will go active while the slave remains inactive.
Gateway Action
None
Action Description
None
Proposed Action
This is an erroneous scenario but, unless occurring frequently, can occur normally under special conditions.

2.19.24. [ID: 629] Scheduling HA initiated system restart to[...]

Log Categories
HA,SYSTEM
Log Message
Scheduling HA initiated system restart to resynchronize.
Default Log Severity
Warning
Parameters
node
Explanation
The HA system is restarting the inactive HA member in order to prepare the member to receive new sync data.
Gateway Action
None
Action Description
None
Proposed Action
None

2.19.25. [ID: 1509] No matching HA interface id found during HA[...]

Log Categories
HA,IFACE,SYSTEM
Log Message
No matching HA interface id found during HA Peer MAC learning.
Default Log Severity
Warning
Parameters
hwaddr
Explanation
When exchanging hardware addresses with HA peer, the node received data on one interface that could not be matched to existing interfaces.
Gateway Action
None
Action Description
None
Proposed Action
Verify if both HA nodes have the same number of interfaces and that their HA Types match. Also verify that the sync interface is not on a shared network with other HA clusters.

2.19.26. [ID: 378] HA peer offline

Log Categories
HA,SYSTEM
Log Message
HA peer offline.
Default Log Severity
Notice
Parameters
 
Explanation
The previously online HA peer is now offline.
Gateway Action
None
Action Description
None
Proposed Action
If this was an unplanned event, check the logs for hints on why the peer node became offline.

2.19.27. [ID: 403] HA peer have an incompatible HA version

Log Categories
HA,SYSTEM
Log Message
HA peer have an incompatible HA version.
Default Log Severity
Alert
Parameters
version, min
Explanation
Contact was established with an HA peer with an incompatible HA implementation.
Gateway Action
Abort
Action Description
HA synchronization will not be performed
Proposed Action
Make sure the HA peers run core binaries with the same version. All flows/states will be lost when upgrading.

2.19.28. [ID: 1510] Invalid peer MAC received during HA Peer MAC[...]

Log Categories
HA,IFACE,SYSTEM
Log Message
Invalid peer MAC received during HA Peer MAC learning.
Default Log Severity
Warning
Parameters
newhw, iface
Explanation
When exchanging hardware addresses with HA peer, the node received one invalid hardware address from one of the peer configured interfaces.
Gateway Action
None
Action Description
None
Proposed Action
Verify if the configuration is correct, and that interfaces using HA over Interface MAC are correctly paired.

2.19.29. [ID: 1507] HA Peer MAC learning successful

Log Categories
HA,IFACE,SYSTEM
Log Message
HA Peer MAC learning successful.
Default Log Severity
Information
Parameters
learnt
Explanation
The node received a packet containing the hardware addresses of all peer interfaces and updated values where needed.
Gateway Action
None
Action Description
None
Proposed Action
If automatic peer discovery is not intended, then the peer MAC addresses should be set using property EthernetAddress on the EthernetInterface.

2.19.30. [ID: 1508] HA Peer MAC learning incomplete

Log Categories
HA,IFACE,SYSTEM
Log Message
HA Peer MAC learning incomplete.
Default Log Severity
Warning
Parameters
learnt
Explanation
The node received a packet containing the hardware addresses of all peer interfaces, but some interfaces contained errors. These errors were separately logged.
Gateway Action
None
Action Description
None
Proposed Action
If automatic peer discovery is not intended, then the peer MAC addresses should be set when configuring the interface, using property 'EthernetAddress'. Also verify if both HA nodes have matching interface HA Types.

2.19.31. [ID: 114] HA peer online

Log Categories
HA,SYSTEM
Log Message
HA peer online.
Default Log Severity
Notice
Parameters
 
Explanation
The previously offline HA peer is now online.
Gateway Action
None
Action Description
None
Proposed Action
None

2.19.32. [ID: 630] Dataplane shutting down

Log Categories
HA,SYSTEM
Log Message
Dataplane shutting down.
Default Log Severity
Notice
Parameters
 
Explanation
Dataplane is shutting down.
Gateway Action
None
Action Description
None
Proposed Action
None

2.19.33. [ID: 808] Main resynchronization aborted

Log Categories
HA,SYSTEM
Log Message
Main resynchronization aborted.
Default Log Severity
Notice
Parameters
node, state, count
Explanation
The resynchronization of all HA state from the active node to the inactive node was aborted. Not all HA state was synchronized. One of the nodes must be restarted to begin a new full resynchronization.
Gateway Action
None
Action Description
None
Proposed Action
None

2.19.34. [ID: 323] Main resynchronization done

Log Categories
HA,SYSTEM
Log Message
Main resynchronization done.
Default Log Severity
Information
Parameters
node, state, count
Explanation
Resynchronization of all HA state from the active node to the inactive node has finished. The inactive node now has sufficient HA state information to take over if the active node fails.
Gateway Action
None
Action Description
None
Proposed Action
None

2.19.35. [ID: 285] Commencing main resynchronization

Log Categories
HA,SYSTEM
Log Message
Commencing main resynchronization.
Default Log Severity
Information
Parameters
node, state, count
Explanation
Resynchronization of all HA state from the active node to the inactive node has started. Once an inactive node is booted up, it has no HA state information. The active node then starts to send all HA state information to its inactive peer.
Gateway Action
None
Action Description
None
Proposed Action
None

2.19.36. [ID: 206] Sync connection established

Log Categories
HA,SYSTEM
Log Message
Sync connection established.
Default Log Severity
Information
Parameters
id
Explanation
The two HA peer nodes have successfully completed a handshake over the sync interface(s) and are now ready for state synchronization.
Gateway Action
None
Action Description
None
Proposed Action
None

2.19.37. [ID: 436] Sync connection failed

Log Categories
HA,SYSTEM
Log Message
Sync connection failed.
Default Log Severity
Critical
Parameters
 
Explanation
The device was unable to communicate with the HA peer node over the sync interface(s). Until this condition is resolved no state will be synchronized from the active node to the inactive node.
Gateway Action
None
Action Description
None
Proposed Action
Urgently investigate why the communication is not working.

2.19.38. [ID: 1425] System versions not equal

Log Categories
HA,SYSTEM
Log Message
System versions not equal.
Default Log Severity
Warning
Parameters
localsystemver, remotesystemver
Explanation
Config changes are done but not synced to the other node.
Gateway Action
None
Action Description
System versions are not the same in the HA cluster nodes
Proposed Action
Update the nodes in the HighAvailability cluster to the same system version.

2.19.39. [ID: 636] All flows closed due to HA activation or[...]

Log Categories
HA,SYSTEM,FLOW
Log Message
All flows closed due to HA activation or deactivation.
Default Log Severity
Warning
Parameters
state
Explanation
Enabling or disabling HA is a major configuration change. The event requires all flows to be closed.
Gateway Action
Close
Action Description
All flows are closed
Proposed Action
None

2.20. HWMON

These log messages refer to the HWMON category.

2.20.1. [ID: 1081] Sensor value above monitor threshold

Log Categories
HWMON,SYSTEM
Log Message
Sensor value above monitor threshold.
Default Log Severity
Dynamic
Parameters
sensorid, description, name, value, threshold
Explanation
Read sensor value is above the upper limit set by the monitor.
Gateway Action
None
Action Description
None
Proposed Action
Review sensor retrieved value and monitor setting for upper limit value.

2.20.2. [ID: 1079] Sensor value below monitor threshold

Log Categories
HWMON,SYSTEM
Log Message
Sensor value below monitor threshold.
Default Log Severity
Dynamic
Parameters
sensorid, description, name, value, threshold
Explanation
Read sensor value is below the lower limit set by the monitor.
Gateway Action
None
Action Description
None
Proposed Action
Review sensor retrieved value and monitor setting for lower limit value.

2.20.3. [ID: 1082] Sensor returned to normal

Log Categories
HWMON,SYSTEM
Log Message
Sensor returned to normal.
Default Log Severity
Dynamic
Parameters
sensorid, description, name, value
Explanation
The sensor value was outside monitor limits, but is now within monitor limits again.
Gateway Action
None
Action Description
None
Proposed Action
None

2.21. ICMP

These log messages refer to the ICMP category.

2.21.1. [ID: 204] Bad ICMP message checksum

Log Categories
ICMP,VALIDATE,STATELESS
Log Message
Bad ICMP message checksum.
Default Log Severity
Notice
Parameters
type, code, chksum, calcchksum, pkt
Explanation
An ICMP message has a bad checksum.
Gateway Action
Allow
Action Description
None
Proposed Action
A bad checksum is normally an indication that the packet data has been corrupted, something that will happen spontaneously when transferred over a physical network medium. This is only a concern when it happens in excess; in this case it may be a sign of broken hardware inside the network. Try to locate and isolate the misbehaving unit. The ICMPSettings:ICMPValidateChecksum setting can be changed to control the gateway's behavior regarding packets with broken ICMP checksum.

2.21.2. [ID: 387] Bad ICMP message checksum

Log Categories
ICMP,VALIDATE,STATELESS
Log Message
Bad ICMP message checksum.
Default Log Severity
Warning
Parameters
type, code, chksum, calcchksum, pkt
Explanation
An ICMP message has a bad checksum.
Gateway Action
Drop
Action Description
None
Proposed Action
A bad checksum is normally an indication that the packet data has been corrupted, something that will happen spontaneously when transferred over a physical network medium. This is only a concern when it happens in excess; in this case it may be a sign of broken hardware inside the network. Try to locate and isolate the misbehaving unit. The ICMPSettings:ICMPValidateChecksum setting can be changed to control the gateway's behavior regarding packets with broken ICMP checksum.

2.21.3. [ID: 365] ICMP error with embedded trailer

Log Categories
ICMP,STATELESS,VALIDATE
Log Message
ICMP error with embedded trailer.
Default Log Severity
Warning
Parameters
type, code, srcip, destip, paylen, encapproto, encapsrcip, encapdestip, encappaylen, encaptrailer
Explanation
The embedded IP message inside the ICMP error was shorter than the full payload of the ICMP error. A portion of the ICMP payload therefore consisted of "undefined data".
Gateway Action
Strip
Action Description
The embedded trailer inside the ICMP payload has been zeroed out
Proposed Action
The ICMP error was likely generated in response to a packet that itself carried a trailer of "undefined data". Such "undefined data" is a potential information leak and almost exclusively a sign of incorrect network handling. Try to locate the node producing the trailers if this happens more than once, and see if it can be upgraded. This log message can be turned off by modifying the IPSettings:LayerSizeConsistency setting, but the handling itself cannot be turned off.

2.21.4. [ID: 328] Length of embedded header in ICMP error is[...]

Log Categories
ICMP,STATELESS,VALIDATE
Log Message
Length of embedded header in ICMP error is invalid.
Default Log Severity
Warning
Parameters
type, code, srcip, destip, paylen, encaphdrver, encaphdrlen, encappaylen
Explanation
An ICMP error message encapsulated an IPv4 header that was too large to be fully contained inside the original message together with at least the beginning 8 bytes of an L4 header, meaning that the information to forward this message was never even contained in the original message.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LayerSizeConsistency setting.

2.21.5. [ID: 450] ICMP error with incompatible IP version

Log Categories
ICMP,STATELESS,VALIDATE
Log Message
ICMP error with incompatible IP version.
Default Log Severity
Warning
Parameters
type, code, srcip, destip, encaphdrver, encapproto, encapsrcip, encapdestip
Explanation
An ICMP error message encapsulated a message with the incompatible IP version encaphdrver.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LayerSizeConsistency setting.

2.21.6. [ID: 134] ICMP error with incompatible IP version

Log Categories
ICMP,STATELESS,VALIDATE
Log Message
ICMP error with incompatible IP version.
Default Log Severity
Warning
Parameters
type, code, srcip, destip, encaphdrver, encapproto, encapsrcip, encapdestip
Explanation
An ICMP error message encapsulated a message with the incompatible IP version encaphdrver.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LayerSizeConsistency setting.

2.21.7. [ID: 600] ICMP error to fragment

Log Categories
ICMP,STATELESS,VALIDATE
Log Message
ICMP error to fragment.
Default Log Severity
Warning
Parameters
type, code, srcip, destip, encapproto, encapsrcip, encapdestip, encapfragid, encapfragoff
Explanation
An ICMP error message encapsulated a non-first IP fragment. Encapsulated non-first fragments are dropped since the protocol specific information required for forwarding does not exist.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LayerSizeConsistency setting.

2.21.8. [ID: 296] Truncated embedded IP header in ICMPv4

Log Categories
ICMP,STATELESS,VALIDATE
Log Message
Truncated embedded IP header in ICMPv4.
Default Log Severity
Warning
Parameters
type, code, srcip, destip, paylen, encaphdrver, encaphdrlen
Explanation
An ICMP error message did not carry enough data to contain information required to forward the packet. The encapsulated IPv4 header was larger than an ordinary IPv4 header, and the ICMP error did not encapsulate the whole header.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LayerSizeConsistency setting.

2.21.9. [ID: 476] Dropped ICMP error message

Log Categories
ICMP,VALIDATE,STATEFUL
Log Message
Dropped ICMP error message.
Default Log Severity
Warning
Parameters
type, code, srcip, destip, flow, rule, user, userid
Explanation
An ICMP error of type type and code code has been received by flow flow, but this ICMP error type is prohibited by the configuration.
Gateway Action
Drop
Action Description
None
Proposed Action
If you think the current behavior is incorrect, modify rule rule to use a service with an appropriate ICMP error filter.

2.21.10. [ID: 221] ICMP error to ICMP error

Log Categories
ICMP,STATELESS,VALIDATE
Log Message
ICMP error to ICMP error.
Default Log Severity
Warning
Parameters
type, code, srcip, destip, encaptype, encapcode, encapsrcip, encapdestip
Explanation
An ICMP error message was received, encapsulating another ICMP error. This is illegal according to RFC 792 (ICMPv4 spec) and RFC 2463 (ICMPv6 spec) because of the potential to cause a never-ending loop.
Gateway Action
Drop
Action Description
None
Proposed Action
Try to locate the node producing these errors, and see if it can be upgraded or replaced.

2.21.11. [ID: 376] Data in request differs from last request

Log Categories
ICMP,STATEFUL,VALIDATE
Log Message
Data in request differs from last request.
Default Log Severity
Information
Parameters
seqno, flow, pkt, user, userid
Explanation
The last seen ICMP ECHO REQUEST message did not contain the same data as the previous request message. This is legal but unexpected; "ping" requests generally use statically defined data to test various network conditions. Some utilities will routinely use the first 8 bytes to contain a timestamp, so any change in the first 8 bytes since the last request has been ignored.
Gateway Action
Allow
Action Description
None
Proposed Action
The setting ICMPSettings:ICMP_DataTrack can be updated in order to modify how the firewall behaves with regard to the contents of the ICMP ECHO payload. Setting it to anything but "Ignore" will cause the firewall to inspect the entire payload of the ICMP packet and report when a difference has been detected between request and reply. This is mostly intended to aid tracking down some very special network anomalies. This event may be a false positive if a "flood ping" utility has been used (sending requests faster than replies are being received). In rare cases this can be a sign of hardware malfunction somewhere in the network, and in equally rare cases this may be an attempt to relay "secret" data using the ICMP "ping" protocol. Check the sender and destination to see if the traffic is legal. How to track down the kind of hardware malfunction that can give these symptoms is out of scope for this text, but network hardware handles data as changes between ones and zeroes, and problems are more likely to arise with very few changes during a transfer (mostly ones or zeroes) or lots of changes (alternating ones and zeroes), so the suggestion is to begin testing with these bit patterns.

2.21.12. [ID: 286] Data in request differs from last request

Log Categories
ICMP,STATEFUL,VALIDATE
Log Message
Data in request differs from last request.
Default Log Severity
Warning
Parameters
seqno, flow, pkt, user, userid
Explanation
The last seen ICMP ECHO REQUEST message did not contain the same data as the previous request message. This is legal but unexpected; "ping" requests generally use statically defined data to test various network conditions. Some utilities will routinely use the first 8 bytes to contain a timestamp, so any change in the first 8 bytes since the last request has been ignored.
Gateway Action
Drop
Action Description
None
Proposed Action
The setting ICMPSettings:ICMP_DataTrack can be updated in order to modify how the firewall behaves with regard to the contents of the ICMP ECHO payload. Setting it to anything but "Ignore" will cause the firewall to inspect the entire payload of the ICMP packet and report when a difference has been detected between request and reply. This is mostly intended to aid tracking down some very special network anomalies. This event may be a false positive if a "flood ping" utility has been used (sending requests faster than replies are being received). In rare cases this can be a sign of hardware malfunction somewhere in the network, and in equally rare cases this may be an attempt to relay "secret" data using the ICMP "ping" protocol. Check the sender and destination to see if the traffic is legal. How to track down the kind of hardware malfunction that can give these symptoms is out of scope for this text, but network hardware handles data as changes between ones and zeroes, and problems are more likely to arise with very few changes during a transfer (mostly ones or zeroes) or lots of changes (alternating ones and zeroes), so the suggestion is to begin testing with these bit patterns.

2.21.13. [ID: 426] Invalid ICMP type

Log Categories
ICMP,STATELESS,VALIDATE
Log Message
Invalid ICMP type.
Default Log Severity
Warning
Parameters
type, code, pkt
Explanation
An ICMP message that is not allowed to set up stateful connections tried to set up a stateful connection. The ICMP message in itself was allowed by the ruleset, but this particular message does not make sense to handle in a stateful manner.
Gateway Action
Drop
Action Description
None
Proposed Action
A rule to set up a stateful connection is apparently using a service that is not intended to handle a stateful connection. Either revise the ruleset, or split the used service in two: one for stateful traffic and one for traffic that is not stateful (allow, NAT and SAT rules are stateful, "fast forward" is non-stateful).

2.21.14. [ID: 496] Mismatching ICMP reply data

Log Categories
ICMP,STATEFUL,VALIDATE
Log Message
Mismatching ICMP reply data.
Default Log Severity
Notice
Parameters
seqno, flow, pkt, user, userid
Explanation
A received ICMP ECHO REPLY message did not contain the same data as the corresponding ICMP ECHO REQUEST message. This is not in compliance with the ICMP "ping" protocol.
Gateway Action
Allow
Action Description
None
Proposed Action
The setting ICMPSettings:ICMP_DataTrack can be updated in order to modify how the firewall behaves with regard to the contents of the ICMP ECHO payload. Setting it to anything but "Ignore" will cause the firewall to inspect the entire payload of the ICMP packet and report when a difference has been detected between request and reply. This is mostly intended to aid tracking down some very special network anomalies. This event may be a false positive if a "flood ping" utility has been used (sending requests faster than replies are being received). In rare cases this can be a sign of hardware malfunction somewhere in the network, and in equally rare cases this may be an attempt to relay "secret" data using the ICMP "ping" protocol. Check the sender and destination to see if the traffic is legal. How to track down the kind of hardware malfunction that can give these symptoms is out of scope for this text, but network hardware handles data as changes between ones and zeroes, and problems are more likely to arise with very few changes during a transfer (mostly ones or zeroes) or lots of changes (alternating ones and zeroes), so the suggestion is to begin testing with these bit patterns.

2.21.15. [ID: 555] Mismatching ICMP reply data

Log Categories
ICMP,STATEFUL,VALIDATE
Log Message
Mismatching ICMP reply data.
Default Log Severity
Warning
Parameters
seqno, flow, pkt, user, userid
Explanation
A received ICMP ECHO REPLY message did not contain the same data as the corresponding ICMP ECHO REQUEST message. This is not in compliance with the ICMP "ping" protocol.
Gateway Action
Drop
Action Description
None
Proposed Action
The setting ICMPSettings:ICMP_DataTrack can be updated in order to modify how the firewall behaves with regard to the contents of the ICMP ECHO payload. Setting it to anything but "Ignore" will cause the firewall to inspect the entire payload of the ICMP packet and report when a difference has been detected between request and reply. This is mostly intended to aid tracking down some very special network anomalies. This event may be a false positive if a "flood ping" utility has been used (sending requests faster than replies are being received). In rare cases this can be a sign of hardware malfunction somewhere in the network, and in equally rare cases this may be an attempt to relay "secret" data using the ICMP "ping" protocol. Check the sender and destination to see if the traffic is legal. How to track down the kind of hardware malfunction that can give these symptoms is out of scope for this text, but network hardware handles data as changes between ones and zeroes, and problems are more likely to arise with very few changes during a transfer (mostly ones or zeroes) or lots of changes (alternating ones and zeroes), so the suggestion is to begin testing with these bit patterns.

2.21.16. [ID: 1504] ICMP error response to multicast

Log Categories
ICMP,STATELESS,VALIDATE
Log Message
ICMP error response to multicast.
Default Log Severity
Warning
Parameters
type, code, srcip, destip, encaphdrver, encapproto, encapsrcip, encapdestip
Explanation
An ICMP error was made in response to a multicast message, or used an otherwise illegal combination of multicast and ICMP. Historically this has been used for amplification attacks, but is more frequently caused by devices misbehaving when exposed to multicast traffic.
Gateway Action
Drop
Action Description
None
Proposed Action
If this is a recurring issue, try to track down the sender of the ICMP error. The log message can also be disabled by IPSettings:LayerSizeConsistency, but even if there is no underlying malicious attempt, remember that software producing these messages may also be susceptible to the associated amplification attacks.

2.21.17. [ID: 1503] ICMP error response to multicast

Log Categories
ICMP,STATELESS,VALIDATE
Log Message
ICMP error response to multicast.
Default Log Severity
Notice
Parameters
type, code, srcip, destip, encaphdrver, encapproto, encapsrcip, encapdestip
Explanation
An ICMP error was made in response to a multicast message. Normally this is illegal, although in this particular case it is considered legal. By nature it is a multicast reply and needs tight control; without that control, it is a possible vector for amplification "attacks" against the multicast source.
Gateway Action
Allow
Action Description
None
Proposed Action
Normally nothing needs to be done. ICMP errors are rate limited with ICMPSettings:ICMPErrorPerSecLimit, ICMPSettings:ICMPMaxErrorsPerRule and ICMPSettings:ICMPMaxErrorsPerFlow. In some scenarios, blocking specific ICMP error messages may be an option: Consider using a more restrictive service and review the ICMP settings, in particular ICMPSettings:IP6PacketTooBig. This log message can be completely disabled by IPSettings:LayerSizeConsistency, but this will also disable many log messages that are of a more severe nature.

2.21.18. [ID: 301] Sequence number in reply is outside expected[...]

Log Categories
ICMP,STATEFUL,VALIDATE
Log Message
Sequence number in reply is outside expected range.
Default Log Severity
Notice
Parameters
min, max, seqno, flow, user, userid
Explanation
An ICMP reply had a sequence number outside the current window of expected sequence numbers. The sequence number seqno is below the lower bound min of the sequence window. This may occur for a stray message that followed a less efficient route, or for a duplicate message.
Gateway Action
Allow
Action Description
None
Proposed Action
When duplicate messages show up and/or messages are received out-of-order in abundance, the network should be examined for broken hardware or misconfigured equipment. Note that wireless networks often produce this kind of anomaly even when they are fully functional. The ICMPSettings:ICMP_SeqNoTrack setting can be changed to control the gateway's behavior regarding packets received out-of-order.

2.21.19. [ID: 273] Sequence number in reply is outside expected[...]

Log Categories
ICMP,STATEFUL,VALIDATE
Log Message
Sequence number in reply is outside expected range.
Default Log Severity
Warning
Parameters
min, max, seqno, flow, user, userid
Explanation
An ICMP reply had a sequence number outside the current window of expected sequence numbers. The sequence number seqno is below the lower bound min of the sequence window. This may occur for a stray message that followed a less efficient route, or for a duplicate message.
Gateway Action
Drop
Action Description
None
Proposed Action
When duplicate messages show up and/or messages are received out-of-order in abundance, the network should be examined for broken hardware or misconfigured equipment. Note that wireless networks often produce this kind of anomaly even when they are fully functional. The ICMPSettings:ICMP_SeqNoTrack setting can be changed to control the gateway's behavior regarding packets received out-of-order.

2.21.20. [ID: 288] Problem pointer outside of data

Log Categories
ICMP,STATELESS,VALIDATE
Log Message
Problem pointer outside of data.
Default Log Severity
Warning
Parameters
srcip, destip, paylen, encapproto, encapsrcip, encapdestip, encappaylen, ptr
Explanation
An ICMP "parameter problem" error message was received, but the "problem pointer" inside the error message did not point at any data contained in the packet.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LayerSizeConsistency setting.

2.21.21. [ID: 507] Problem pointer outside of data

Log Categories
ICMP,STATELESS,VALIDATE
Log Message
Problem pointer outside of data.
Default Log Severity
Warning
Parameters
type, code, srcip, destip, paylen, encapproto, encapsrcip, encapdestip, encappaylen, ptr
Explanation
An ICMP "parameter problem" error message was received, but the "problem pointer" inside the error message did not point at any data contained in the packet.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LayerSizeConsistency setting.
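
The structural checks behind the stateless ICMP error logs above (embedded trailer, invalid embedded header length, incompatible IP version, error to fragment, truncated embedded header, error to error, problem pointer outside of data) can be sketched as a small classifier for triage or test tooling. This is an added example, not cOS Stream code: the exact comparisons, the checksum recomputation after zeroing a trailer, and all helper names and sample packets are assumptions constructed for illustration.

```python
import struct

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}   # RFC 792 error message types
PARAMETER_PROBLEM = 12
IPPROTO_ICMP = 1

# Finding labels reuse the log message titles from this reference.
TRUNCATED = "Truncated embedded IP header in ICMPv4"
BAD_VERSION = "ICMP error with incompatible IP version"
BAD_HDRLEN = "Length of embedded header in ICMP error is invalid"
TO_FRAGMENT = "ICMP error to fragment"
ERROR_TO_ERROR = "ICMP error to ICMP error"
TRAILER = "ICMP error with embedded trailer"
BAD_POINTER = "Problem pointer outside of data"


def classify_icmp_error(icmp: bytes) -> list[str]:
    """Return the conditions an ICMPv4 error message (ICMP header first) matches."""
    if len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        return []                          # not an ICMP error: nothing to check
    emb = icmp[8:]                         # embedded (offending) IP packet
    if not emb:
        return [TRUNCATED]                 # assumption: no embedded data at all
    if emb[0] >> 4 != 4:
        return [BAD_VERSION]
    ihl = (emb[0] & 0x0F) * 4              # embedded header length in bytes
    if ihl < 20:
        return [BAD_HDRLEN]                # assumption: below the IPv4 minimum
    if len(emb) < ihl:
        return [TRUNCATED]                 # header with options was cut short
    total_len, _ident, flags_frag = struct.unpack("!HHH", emb[2:8])
    findings = []
    if ihl + 8 > total_len:                # no room for 8 bytes of L4 header
        findings.append(BAD_HDRLEN)
    if flags_frag & 0x1FFF:                # non-zero fragment offset
        findings.append(TO_FRAGMENT)
    elif emb[9] == IPPROTO_ICMP and len(emb) > ihl and emb[ihl] in ICMP_ERROR_TYPES:
        findings.append(ERROR_TO_ERROR)
    if ihl <= total_len < len(emb):        # bytes beyond the embedded packet
        findings.append(TRAILER)
    if icmp[0] == PARAMETER_PROBLEM and icmp[4] >= len(emb):
        findings.append(BAD_POINTER)       # pointer is the first byte after the checksum
    return findings


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def strip_trailer(icmp: bytes) -> bytes:
    """Zero the embedded trailer, then recompute the ICMP checksum (assumption)."""
    if TRAILER not in classify_icmp_error(icmp):
        return icmp
    total_len = struct.unpack("!H", icmp[10:12])[0]   # embedded total length
    keep = 8 + total_len
    msg = bytearray(icmp[:keep] + bytes(len(icmp) - keep))
    msg[2:4] = b"\x00\x00"
    msg[2:4] = struct.pack("!H", internet_checksum(bytes(msg)))
    return bytes(msg)


def ipv4_header(total_len, proto, frag_off=0, ihl_words=5, version=4) -> bytes:
    """Constructed sample header using documentation addresses (RFC 5737)."""
    hdr = struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl_words, 0, total_len,
                      0x1234, frag_off, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + bytes(max(0, ihl_words * 4 - 20))    # zero-filled options


def icmp_error(icmp_type, embedded, pointer=0) -> bytes:
    """Constructed sample ICMP error wrapping `embedded`."""
    msg = bytearray(struct.pack("!BBHB3x", icmp_type, 0, 0, pointer) + embedded)
    msg[2:4] = struct.pack("!H", internet_checksum(bytes(msg)))
    return bytes(msg)


if __name__ == "__main__":
    udp = ipv4_header(28, 17) + bytes(8)              # 20-byte header + 8 bytes of L4
    samples = {
        "clean": icmp_error(3, udp),
        "trailer": icmp_error(3, udp + b"LEAK"),
        "fragment": icmp_error(3, ipv4_header(28, 17, frag_off=185) + bytes(8)),
        "error-to-error": icmp_error(3, ipv4_header(28, 1) + bytes([11]) + bytes(7)),
        "bad pointer": icmp_error(12, udp, pointer=200),
    }
    for name, pkt in samples.items():
        print(f"{name:15} {classify_icmp_error(pkt)}")
```

Running the same classifier over captured ICMP errors from a suspect segment shows which of these conditions a misbehaving node is producing before the corresponding logs are correlated.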

2.21.22. [ID: 612] Header length parameter problem

Log Categories
ICMP,STATELESS,VALIDATE
Log Message
Header length parameter problem.
Default Log Severity
Warning
Parameters
type, code, srcip, destip, paylen, encaphdrver, encaphdrlen, encappaylen
Explanation
An ICMP "parameter problem" message was received, pointing at the encapsulated IP header's length, total payload or possibly using the general "header length error" code. It appears as if the original packet's IPv4 header was too large to be fully contained inside the original message itself. While this may be a legal ICMP error, the information needed to forward this packet was never even present in the original packet, and the firewall cannot forward it in an easy way.
Gateway Action
Drop
Action Description
None
Proposed Action
The encapsulated message inside the ICMP error is horribly broken. Judging from the information contained in the ICMP error, the node at srcip is the one that discovered the broken packet. The rest of the information is not reliable. Examine why this broken packet has been sent in the first place. If you need to forward this ICMP error, you need to set up a stateless ICMP rule that explicitly forwards it to its destination destip. You will also need to set the ICMPSettings:ICMPErrorPerSecToSPLimit to a non-null value. This log message itself can be disabled with the IPSettings:LayerSizeConsistency setting.

2.21.23. [ID: 164] IP header version parameter problem

Log Categories
ICMP,STATELESS,VALIDATE
Log Message
IP header version parameter problem.
Default Log Severity
Notice
Parameters
type, code, hdrver, srcip, destip, encaphdrver, encapproto, encapsrcip, encapdestip
Explanation
An ICMP "parameter problem" message was received, pointing at the encapsulated IP header's version. It appears as if an IP version hdrver only node is receiving IP traffic of version encaphdrver. While this may be a legal packet, the information needed to forward this packet is incompatible with the module that forwarded the original IP version encaphdrver packet, and the firewall cannot forward it in an easy way.
Gateway Action
None
Action Description
None
Proposed Action
Examine why IP version encaphdrver traffic is routed to the IP hdrver only node. If possible, upgrade or block IP version encaphdrver traffic to the node. If you need to forward this ICMP error, you need to set up a stateless ICMP rule that explicitly forwards it to its destination destip. You will also need to set the ICMPSettings:ICMPErrorPerSecToSPLimit to a non-null value. This log message itself can be disabled with the IPSettings:LayerSizeConsistency setting.

2.21.24. [ID: 807] Failed to allocate reassembly buffer

Log Categories
ICMP,FRAG
Log Message
Failed to allocate reassembly buffer.
Default Log Severity
Warning
Parameters
pktlen, pkt
Explanation
The received packet was fragmented and could not be reassembled because there were no free buffers available to hold the reassembled packet.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.21.25. [ID: 805] Reassembled packet exceeds allowed size

Log Categories
ICMP,FRAG
Log Message
Reassembled packet exceeds allowed size.
Default Log Severity
Warning
Parameters
maxlen, pkt
Explanation
The packet was fragmented and could not be reassembled because it exceeded the maximum allowed size.
Gateway Action
Drop
Action Description
None
Proposed Action
The FragSettings:LocalReass_MaxSize can be used to change the maximum allowed size for locally reassembled packets.

2.21.26. [ID: 806] Failed to reassemble packet

Log Categories
ICMP,FRAG
Log Message
Failed to reassemble packet.
Default Log Severity
Error
Parameters
pktlen, pkt
Explanation
The packet was fragmented and could not be reassembled.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.21.27. [ID: 533] Received ICMP error message

Log Categories
ICMP,VALIDATE,STATEFUL
Log Message
Received ICMP error message.
Default Log Severity
Notice
Parameters
type, code, srcip, destip, flow, rule, user, userid
Explanation
An ICMP error of type type and code code has been received by flow flow.
Gateway Action
Allow
Action Description
None
Proposed Action
If you think the current behavior is incorrect, modify rule rule to use a service with an appropriate ICMP error filter.

2.21.28. [ID: 553] Sequence number in reply is above expected[...]

Log Categories
ICMP,STATEFUL,VALIDATE
Log Message
Sequence number in reply is above expected window.
Default Log Severity
Notice
Parameters
min, max, seqno, flow, user, userid
Explanation
An ICMP reply had a sequence number above the current window of expected sequence numbers. The sequence number seqno is higher than the maximum value max in the sequence window (and at the same time closer to max than to the lower bound min of the window). Therefore this looks like an illegal reply to a message that hasn't been sent.
Gateway Action
Allow
Action Description
None
Proposed Action
When duplicate messages show up and/or messages are received out-of-order in abundance, the network should be examined for broken hardware or misconfigured equipment. Note that wireless networks often produce this kind of anomaly even when they are fully functional. The ICMPSettings:ICMP_SeqNoTrack setting can be changed to control the gateway's behavior regarding packets received out-of-order.

2.21.29. [ID: 422] Sequence number in reply is above expected[...]

Log Categories
ICMP,STATEFUL,VALIDATE
Log Message
Sequence number in reply is above expected window.
Default Log Severity
Warning
Parameters
min, max, seqno, flow, user, userid
Explanation
An ICMP reply had a sequence number above the current window of expected sequence numbers. The sequence number seqno is higher than the maximum value max in the sequence window (and at the same time closer to max than to the lower bound min of the window). Therefore this looks like an illegal reply to a message that hasn't been sent.
Gateway Action
Drop
Action Description
None
Proposed Action
When duplicate messages show up and/or messages are received out-of-order in abundance, the network should be examined for broken hardware or misconfigured equipment. Note that wireless networks often produce this kind of anomaly even when they are fully functional. The ICMPSettings:ICMP_SeqNoTrack setting can be changed to control the gateway's behavior regarding packets received out-of-order.

2.21.30. [ID: 513] Sequence number in request is decreasing

Log Categories
ICMP,STATEFUL,VALIDATE
Log Message
Sequence number in request is decreasing.
Default Log Severity
Information
Parameters
min, max, seqno, flow, user, userid
Explanation
The sequence numbers in ICMP requests are expected to be monotonically increasing. In this case the sequence number is lower than (or equal to) the highest sequence number max previously seen in the flow flow. While this is legal, it is still an odd and unexpected behavior. The most likely background is simply that the ICMP session has been restarted, but this can also be a sign of network disturbances.
Gateway Action
Allow
Action Description
None
Proposed Action
The ICMPSettings:ICMP_SeqNoTrack setting can be changed to control the gateway's behavior regarding packets received out-of-order.

2.21.31. [ID: 143] Sequence number in request is decreasing

Log Categories
ICMP,STATEFUL,VALIDATE
Log Message
Sequence number in request is decreasing.
Default Log Severity
Warning
Parameters
min, max, seqno, flow, user, userid
Explanation
The sequence numbers in ICMP requests are expected to be monotonically increasing. In this case the sequence number is lower than (or equal to) the highest sequence number max previously seen in the flow flow. While this is legal, it is still an odd and unexpected behavior. The most likely background is simply that the ICMP session has been restarted, but this can also be a sign of network disturbances.
Gateway Action
Drop
Action Description
None
Proposed Action
The ICMPSettings:ICMP_SeqNoTrack setting can be changed to control the gateway's behavior regarding packets received out-of-order.

2.21.32. [ID: 232] Truncated ICMPv4 payload

Log Categories
ICMP,STATELESS,VALIDATE
Log Message
Truncated ICMPv4 payload.
Default Log Severity
Warning
Parameters
type, code, srcip, destip, paylen
Explanation
An ICMPv4 error message did not carry enough data to encapsulate an IPv4 header.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LayerSizeConsistency setting.

2.21.33. [ID: 497] Truncated ICMPv6 payload

Log Categories
ICMP,IPV6,STATELESS,VALIDATE
Log Message
Truncated ICMPv6 payload.
Default Log Severity
Warning
Parameters
type, code, srcip, destip, paylen
Explanation
An ICMPv6 error message did not carry enough data to encapsulate an IPv6 header.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LayerSizeConsistency setting.

2.21.34. [ID: 536] ICMP error with truncated payload

Log Categories
ICMP,STATELESS,VALIDATE
Log Message
ICMP error with truncated payload.
Default Log Severity
Warning
Parameters
type, code, srcip, destip, paylen, encapproto, encapsrcip, encapdestip
Explanation
An ICMP error message did not carry enough data to encapsulate a minimal L4 header. The packet has been dropped since the protocol specific information required for forwarding does not exist.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LayerSizeConsistency setting.

2.22. IFACE

These log messages refer to the IFACE category.

2.22.1. [ID: 795] Ethernet interface is blocked

Log Categories
IFACE
Log Message
Ethernet interface is blocked.
Default Log Severity
Critical
Parameters
iface
Explanation
The software seems to have stopped processing packets received on this interface, leaving the interface unable to receive any packets.
Gateway Action
None
Action Description
 
Proposed Action
Contact technical support. Check the load on the interface and verify that no packets are being picked up from that interface and processed by the system. If the unit seems to be malfunctioning, consider restarting it to see if that resolves the situation.

2.22.2. [ID: 662] Ethernet interface is flooded

Log Categories
IFACE
Log Message
Ethernet interface is flooded.
Default Log Severity
Warning
Parameters
iface
Explanation
The interface started to drop packets since packets were arriving at a higher rate than the system was able to handle.
Gateway Action
None
Action Description
None
Proposed Action
None

2.22.3. [ID: 661] Ethernet interface is still flooded

Log Categories
IFACE
Log Message
Ethernet interface is still flooded.
Default Log Severity
Notice
Parameters
iface
Explanation
The interface has been dropping packets for some time since packets were arriving at a higher rate than the system was able to handle.
Gateway Action
None
Action Description
None
Proposed Action
None

2.22.4. [ID: 1054] Ethernet link down

Log Categories
IFACE,ETHERNET,SYSTEM
Log Message
Ethernet link down.
Default Log Severity
Critical
SNMP Trap Category
LINK
SNMP Trap MIB name
linkDown
SNMP Trap MIB OID
1.3.6.1.6.3.1.1.5.3   (IF-MIB, RFC2863)
Parameters
iface
Explanation
An Ethernet interface lost its link.
Gateway Action
None
Action Description
None
Proposed Action
If the condition persists then verify cabling and hardware on both the firewall and the peer device.

2.22.5. [ID: 1055] Ethernet link up

Log Categories
IFACE,ETHERNET,SYSTEM
Log Message
Ethernet link up.
Default Log Severity
Notice
SNMP Trap Category
LINK
SNMP Trap MIB name
linkUp
SNMP Trap MIB OID
1.3.6.1.6.3.1.1.5.4   (IF-MIB, RFC2863)
Parameters
linkspeed, duplex, iface
Explanation
An Ethernet interface's link has been successfully established/negotiated.
Gateway Action
None
Action Description
None
Proposed Action
None

2.23. IKE

These log messages refer to the IKE category.

2.23.1. [ID: 1694] Acquired address

Log Categories
IKE,IPSEC
Log Message
Acquired address.
Default Log Severity
Information
Parameters
ip, iface
Explanation
An internal address for the IPsec tunnel was successfully acquired from an IP pool.
Gateway Action
None
Action Description
None
Proposed Action
None

2.23.2. [ID: 1695] No IP pool for address request

Log Categories
IKE,IPSEC
Log Message
No IP pool for address request.
Default Log Severity
Information
Parameters
name, count, iface
Explanation
A suitable IP pool for acquiring an internal address for the IPsec tunnel was not found.
Gateway Action
None
Action Description
None
Proposed Action
None

2.23.3. [ID: 1713] Failed to release address

Log Categories
IKE,IPSEC
Log Message
Failed to release address.
Default Log Severity
Error
Parameters
ip, iface
Explanation
An internal address for the IPsec tunnel could not be returned back to the IP pool it was acquired from.
Gateway Action
None
Action Description
None
Proposed Action
None

2.23.4. [ID: 1691] Released address

Log Categories
IKE,IPSEC
Log Message
Released address.
Default Log Severity
Information
Parameters
ip, iface
Explanation
An internal address for the IPsec tunnel was returned back to the IPPool it was acquired from.
Gateway Action
None
Action Description
None
Proposed Action
None

2.23.5. [ID: 1690] Released address

Log Categories
IKE,IPSEC
Log Message
Released address.
Default Log Severity
Information
Parameters
ip, name
Explanation
An internal address for the IPsec tunnel was returned back to the IP pool it was acquired from.
Gateway Action
None
Action Description
None
Proposed Action
None

2.23.6. [ID: 1693] Requesting address

Log Categories
IKE,IPSEC
Log Message
Requesting address.
Default Log Severity
Information
Parameters
ip, iface
Explanation
The system is requesting an internal address for the IPsec tunnel from an IP pool.
Gateway Action
None
Action Description
None
Proposed Action
None

2.23.7. [ID: 1692] Address request failed

Log Categories
IKE,IPSEC
Log Message
Address request failed.
Default Log Severity
Warning
Parameters
ip, iface
Explanation
The system failed to acquire an internal address for the IPsec tunnel from an IP pool.
Gateway Action
None
Action Description
None
Proposed Action
Refer to IP pool related logs and statistics for more information.

2.23.8. [ID: 1700] Failed to schedule auto-establishment of[...]

Log Categories
IKE,IPSEC
Log Message
Failed to schedule auto-establishment of IPsec tunnels.
Default Log Severity
Error
Parameters
reason
Explanation
The system failed to start IKE negotiations for IPsec tunnels configured for auto-establishment.
Gateway Action
None
Action Description
None
Proposed Action
None

2.23.9. [ID: 1061] Half open IKE SA limit exceeded

Log Categories
IKE
Log Message
Half open IKE SA limit exceeded.
Default Log Severity
Notice
Parameters
localip, localport, remoteip, remoteport, max
Explanation
The system has too many ongoing IKE negotiations. The limit can be adjusted with IKESettings:MaxNegotiations.
Gateway Action
Drop
Action Description
The IKE negotiation will be dropped
Proposed Action
None

2.23.10. [ID: 813] IKE Max SA Warning

Log Categories
IKE
Log Message
IKE Max SA Warning.
Default Log Severity
Warning
Parameters
 
Explanation
Incoming IKE requests exceeded 90 percent of the allowed number of concurrent IKE SAs (license limitation).
Gateway Action
None
Action Description
None
Proposed Action
Add more hardware devices or extend your license to support more IKE SAs to ensure that all incoming IKE requests can be properly established.

2.23.11. [ID: 642] IKE negotiation failed

Log Categories
IKE,IPSEC
Log Message
IKE negotiation failed.
Default Log Severity
Notice
Parameters
localip, localport, remoteip, remoteport, localid, remoteid, localikespi, remoteikespi, initiator, algorithms, rekeytime, reauthtime, ikeversion, reason, iface, recviface
Explanation
An IKE negotiation failed due to the reason specified. The IKE SA may be deleted as a result but that will be logged in another log event.
Gateway Action
None
Action Description
None
Proposed Action
Verify that the configuration on both peers is correct.

2.23.12. [ID: 419] Failed to establish IKE SA

Log Categories
IKE,IPSEC
Log Message
Failed to establish IKE SA.
Default Log Severity
Warning
Parameters
localip, localport, remoteip, remoteport, localid, remoteid, localikespi, remoteikespi, initiator, algorithms, rekeytime, reauthtime, ikeversion, reason, iface, recviface
Explanation
An IKE SA could not be established between the two endpoints.
Gateway Action
None
Action Description
None
Proposed Action
Verify the configuration of algorithms and authentication material on each endpoint.

2.23.13. [ID: 530] Successfully established IKE SA

Log Categories
IKE,IPSEC
Log Message
Successfully established IKE SA.
Default Log Severity
Notice
Parameters
localip, localport, remoteip, remoteport, localid, remoteid, localikespi, remoteikespi, initiator, algorithms, rekeytime, reauthtime, ikeversion, iface, recviface
Explanation
An IKE SA was successfully established between the two endpoints.
Gateway Action
None
Action Description
None
Proposed Action
None

2.23.14. [ID: 590] Successfully deleted IKE SA

Log Categories
IKE,IPSEC
Log Message
Successfully deleted IKE SA.
Default Log Severity
Notice
Parameters
localip, localport, remoteip, remoteport, localid, remoteid, localikespi, remoteikespi, initiator, algorithms, rekeytime, reauthtime, ikeversion, iface, recviface
Explanation
The IKE SA was successfully removed from the system.
Gateway Action
None
Action Description
None
Proposed Action
None

2.23.15. [ID: 161] Failed to rekey IKE SA

Log Categories
IKE,IPSEC
Log Message
Failed to rekey IKE SA.
Default Log Severity
Warning
Parameters
localip, localport, remoteip, remoteport, localid, remoteid, localikespi, remoteikespi, initiator, algorithms, rekeytime, reauthtime, ikeversion, reason, iface, recviface
Explanation
Failed to derive a new IKE SA from an existing IKE SA.
Gateway Action
None
Action Description
None
Proposed Action
Verify that each endpoint is able to perform rekey and that both use the same policy for Perfect Forward Secrecy (PFS).

2.23.16. [ID: 616] Successfully rekeyed IKE SA

Log Categories
IKE,IPSEC
Log Message
Successfully rekeyed IKE SA.
Default Log Severity
Notice
Parameters
localip, localport, remoteip, remoteport, localid, remoteid, localikespi, remoteikespi, oldlocalikespi, oldremoteikespi, initiator, algorithms, rekeytime, reauthtime, ikeversion, iface, recviface
Explanation
A new IKE SA was successfully derived from an existing IKE SA.
Gateway Action
None
Action Description
None
Proposed Action
None

2.23.17. [ID: 556] Failed to create IPsec SA

Log Categories
IKE,IPSEC
Log Message
Failed to create IPsec SA.
Default Log Severity
Warning
Parameters
localip, remoteip, inboundspi, outboundspi, proto, localts, remotets, lifetime, localikespi, remoteikespi, algorithms, initiator, reason, iface, recviface
Explanation
Failed to establish an IPsec SA between the two endpoints. The IPsec tunnel cannot be established.
Gateway Action
None
Action Description
None
Proposed Action
Verify the configuration of the IPsec proposals and traffic selectors on both endpoints.

2.23.18. [ID: 155] Successfully created IPsec SA

Log Categories
IKE,IPSEC
Log Message
Successfully created IPsec SA.
Default Log Severity
Notice
Parameters
localip, remoteip, inboundspi, outboundspi, proto, localts, remotets, lifetime, localikespi, remoteikespi, algorithms, initiator, iface, recviface
Explanation
An IPsec SA was successfully established between the two endpoints.
Gateway Action
None
Action Description
None
Proposed Action
None

2.23.19. [ID: 183] Successfully deleted IPsec SA

Log Categories
IKE,IPSEC
Log Message
Successfully deleted IPsec SA.
Default Log Severity
Notice
Parameters
localip, remoteip, inboundspi, outboundspi, proto, localts, remotets, lifetime, localikespi, remoteikespi, algorithms, initiator, iface, recviface
Explanation
The IPsec SA was successfully removed from the system.
Gateway Action
None
Action Description
None
Proposed Action
None

2.23.20. [ID: 172] Failed to rekey IPsec SA

Log Categories
IKE,IPSEC
Log Message
Failed to rekey IPsec SA.
Default Log Severity
Notice
Parameters
localip, remoteip, inboundspi, outboundspi, proto, localts, remotets, lifetime, localikespi, remoteikespi, algorithms, initiator, reason, iface, recviface
Explanation
Failed to derive a new IPsec SA. The IPsec tunnel will be torn down when the lifetime of the current IPsec SA expires.
Gateway Action
None
Action Description
None
Proposed Action
None

2.23.21. [ID: 628] Successfully rekeyed IPsec SA

Log Categories
IKE,IPSEC
Log Message
Successfully rekeyed IPsec SA.
Default Log Severity
Information
Parameters
localip, remoteip, inboundspi, outboundspi, oldinboundspi, oldoutboundspi, proto, localts, remotets, lifetime, localikespi, remoteikespi, algorithms, initiator, iface, recviface
Explanation
Successfully derived a new IPsec SA.
Gateway Action
None
Action Description
None
Proposed Action
None

2.23.22. [ID: 1060] Job limit exceeded

Log Categories
IKE
Log Message
Job limit exceeded.
Default Log Severity
Warning
Parameters
localip, localport, remoteip, remoteport, max
Explanation
The IKE subsystem is currently overloaded. It could also be a sign that IKESettings:MaxJobs is set too low.
Gateway Action
Drop
Action Description
The IKE negotiation will be dropped
Proposed Action
None

2.23.23. [ID: 803] Peer is dead

Log Categories
IKE
Log Message
Peer is dead.
Default Log Severity
Notice
Parameters
localip, localport, remoteip, remoteport, localid, remoteid, localikespi, remoteikespi, initiator, ikeversion, iface, recviface
Explanation
The peer didn't respond to DPD. The IKE SA and its child SAs will be deleted.
Gateway Action
None
Action Description
None
Proposed Action
None

2.23.24. [ID: 1059] Peer too aggressive

Log Categories
IKE
Log Message
Peer too aggressive.
Default Log Severity
Notice
Parameters
localip, localport, remoteip, remoteport, max
Explanation
The peer has too many ongoing IKE negotiations. The limit can be adjusted with IKESettings:MaxPeerNegotiations.
Gateway Action
Drop
Action Description
The IKE negotiation will be dropped
Proposed Action
None

2.23.25. [ID: 1655] Failed to re-initialize dynamic rules

Log Categories
IKE,RULE
Log Message
Failed to re-initialize dynamic rules.
Default Log Severity
Critical
Parameters
 
Explanation
The system failed to re-initialize dynamic rules to recover from an unexpected event. This may result in reduced functionality.
Gateway Action
None
Action Description
None
Proposed Action
The device might need to be manually restarted to get full functionality. This should be reported to the vendor of the device.

2.23.26. [ID: 1664] Failed to re-insert IKE rule

Log Categories
IKE
Log Message
Failed to re-insert IKE rule.
Default Log Severity
Error
Parameters
srcip, srcport, destip, destport
Explanation
The system failed to re-insert a dynamic rule to recover from an unexpected event. This may result in reduced functionality.
Gateway Action
None
Action Description
None
Proposed Action
The device might need to be manually restarted to get full functionality. This should be reported to the vendor of the device.

2.23.27. [ID: 770] IKE thread watchdog triggered

Log Categories
IKE
Log Message
IKE thread watchdog triggered. Was not able to process jobs for 30s. IKE daemon will be restarted.
Default Log Severity
Alert
Parameters
 
Explanation
IKE daemon was not able to process tasks for 30s. IKE daemon will be restarted. All IKE negotiated IPsec tunnels will be taken down.
Gateway Action
None
Action Description
None
Proposed Action
Check for any new crashdumps and report the incident via your support channel.

2.23.28. [ID: 737] User logged out

Log Categories
IKE
Log Message
User logged out.
Default Log Severity
Notice
Parameters
userid, localikespi, remoteikespi
Explanation
User was logged out by the authentication system. Tunnels belonging to the user will be taken down.
Gateway Action
None
Action Description
None
Proposed Action
None

2.24. IPPOOL

These log messages refer to the IPPOOL category.

2.24.1. [ID: 909] Pool has reached the maximum allowed number[...]

Log Categories
IPPOOL
Log Message
Pool has reached the maximum allowed number of addresses.
Default Log Severity
Notice
Parameters
value, max
Explanation
A new client cannot be created as the pool has handed out the maximum allowed number of addresses.
Gateway Action
Reject
Action Description
Reject new requests
Proposed Action
Increase the Maxclients value in configuration for more addresses.

2.24.2. [ID: 915] No offers received

Log Categories
IPPOOL
Log Message
No offers received.
Default Log Severity
Notice
Parameters
 
Explanation
The Pool has not received any offers from the DHCP server.
Gateway Action
None
Action Description
None
Proposed Action
None

2.24.3. [ID: 917] Received Offer not valid

Log Categories
IPPOOL
Log Message
Received Offer not valid.
Default Log Severity
Warning
Parameters
 
Explanation
Pool received at least one offer but none passed the requirements set by configuration.
Gateway Action
Discard
Action Description
None
Proposed Action
None

2.24.4. [ID: 916] Request received from Subsystem

Log Categories
IPPOOL
Log Message
Request received from Subsystem.
Default Log Severity
Information
Parameters
 
Explanation
A request is made by the subsystem.
Gateway Action
None
Action Description
None
Proposed Action
None

2.24.5. [ID: 918] Client Bound

Log Categories
IPPOOL
Log Message
Client Bound.
Default Log Severity
Information
Parameters
clientip
Explanation
A response is sent to the subsystem when a client is bound.
Gateway Action
None
Action Description
None
Proposed Action
None

2.24.6. [ID: 911] Handed address no longer available

Log Categories
IPPOOL
Log Message
Handed address no longer available.
Default Log Severity
Notice
Parameters
ip
Explanation
Handed out address is no longer available. This is due to a release by the subsystem or a lease renew failure.
Gateway Action
None
Action Description
None
Proposed Action
None

2.24.7. [ID: 914] Address is returned back to IPPool system

Log Categories
IPPOOL
Log Message
Address is returned back to IPPool system.
Default Log Severity
Information
Parameters
ip
Explanation
Address is returned back to IPPool by the system using it.
Gateway Action
None
Action Description
None
Proposed Action
None

2.24.8. [ID: 908] The lease is rejected as it already exists in[...]

Log Categories
IPPOOL
Log Message
The lease is rejected as it already exists in the pool.
Default Log Severity
Warning
Parameters
ip
Explanation
The lease offered by the DHCP server already exists.
Gateway Action
Discard
Action Description
None
Proposed Action
None

2.24.9. [ID: 910] Pool has run out of prefetch

Log Categories
IPPOOL
Log Message
Pool has run out of prefetch. Prefetching again.
Default Log Severity
Warning
Parameters
value, count
Explanation
The pool has run out of prefetched addresses. This happens during initial prefetch buildup or due to a lower prefetch value.
Gateway Action
None
Action Description
None
Proposed Action
Set a higher prefetch value.

2.24.10. [ID: 913] Request to acquire an address from the IPPool[...]

Log Categories
IPPOOL
Log Message
Request to acquire an address from the IPPool failed.
Default Log Severity
Information
Parameters
 
Explanation
Request by the subsystem to acquire an address from the IPPool failed. This is due to unavailability of addresses.
Gateway Action
None
Action Description
None
Proposed Action
None

2.24.11. [ID: 1077] Request to acquire an address is pending

Log Categories
IPPOOL
Log Message
Request to acquire an address is pending.
Default Log Severity
Information
Parameters
 
Explanation
A request was made by the subsystem to acquire an address from the IPPool, but one was not immediately available.
Gateway Action
None
Action Description
None
Proposed Action
None

2.24.12. [ID: 912] Acquired address

Log Categories
IPPOOL
Log Message
Acquired address.
Default Log Severity
Information
Parameters
ip
Explanation
Request by the subsystem to acquire an address from the IPPool was successful.
Gateway Action
None
Action Description
None
Proposed Action
None

2.25. IPS

These log messages refer to the IPS category.

2.25.1. [ID: 1403] Threat detected based on custom signature

Log Categories
IPS
Log Message
Threat detected based on custom signature.
Default Log Severity
Dynamic
Parameters
signature, signatureid, revision, ipsrule, direction, flow, flowusage, pkt, user, userid
Explanation
A custom signature matched the traffic.
Gateway Action
None
Action Description
None
Proposed Action
Research the CVE database (searchable by the unique ID).

2.25.2. [ID: 1415] Threat prevented based on custom signature

Log Categories
IPS
Log Message
Threat prevented based on custom signature.
Default Log Severity
Dynamic
Parameters
signature, signatureid, revision, ipsrule, direction, flow, flowusage, pkt, user, userid
Explanation
A custom signature mapped to the "protect" action matched the traffic.
Gateway Action
Close
Action Description
None
Proposed Action
Research the CVE database (searchable by the unique ID).

2.25.3. [ID: 1405] Failed to scan data

Log Categories
IPS
Log Message
Failed to scan data.
Default Log Severity
Error
Parameters
reason, ipsrule, direction, flow, flowusage, pkt, user, userid
Explanation
The unit failed to scan data.
Gateway Action
Ignore
Action Description
None
Proposed Action
None

2.25.4. [ID: 1406] Failed to scan data

Log Categories
IPS
Log Message
Failed to scan data.
Default Log Severity
Error
Parameters
reason, ipsrule, direction, flow, flowusage, pkt, user, userid
Explanation
The unit failed to scan data.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.25.5. [ID: 1420] Failed to read current signature files

Log Categories
IPS
Log Message
Failed to read current signature files.
Default Log Severity
Error
Parameters
 
Explanation
IPS failed to read the signature files currently in the active folder. This may be due to memory shortage.
Gateway Action
None
Action Description
None
Proposed Action
None

2.25.6. [ID: 1418] Failed to read new signature files

Log Categories
IPS
Log Message
Failed to read new signature files.
Default Log Severity
Warning
Parameters
 
Explanation
IPS failed to read the new signature files. It will read the previously active signature files.
Gateway Action
None
Action Description
None
Proposed Action
Check that the signature file content conforms to the documentation.

2.25.7. [ID: 1402] Failed to parse HTTP URL

Log Categories
IPS
Log Message
Failed to parse HTTP URL.
Default Log Severity
Warning
Parameters
url, ipsrule, direction, flow, flowusage, pkt, user, userid
Explanation
The unit failed to parse a URL. This is probably because the URL has an invalid format or contains invalid UTF-8 characters.
Gateway Action
Ignore
Action Description
None
Proposed Action
Make sure that the URL is formatted correctly.

2.25.8. [ID: 1424] Failed to parse HTTP URL

Log Categories
IPS
Log Message
Failed to parse HTTP URL.
Default Log Severity
Error
Parameters
url, ipsrule, direction, flow, flowusage, pkt, user, userid
Explanation
The unit failed to parse a URL. This is probably because the URL has an invalid format or contains invalid UTF-8 characters.
Gateway Action
Close
Action Description
None
Proposed Action
Make sure that the URL is formatted correctly.

2.25.9. [ID: 1407] IPS license is going to expire

Log Categories
IPS,LICENSE
Log Message
IPS license is going to expire.
Default Log Severity
Warning
Parameters
date
Explanation
IPS license is going to expire in the near future. This log is sent periodically.
Gateway Action
None
Action Description
None
Proposed Action
Renew the license.

2.25.10. [ID: 1426] IPS license has expired

Log Categories
IPS,LICENSE
Log Message
IPS license has expired.
Default Log Severity
Critical
Parameters
 
Explanation
IPS scanning will stop working until a new license is activated.
Gateway Action
None
Action Description
None
Proposed Action
Upload a valid license.

2.25.11. [ID: 1414] Max signatures match limit exceeded

Log Categories
IPS
Log Message
Max signatures match limit exceeded.
Default Log Severity
Notice
Parameters
max, ipsrule, direction, flow, pkt, user, userid
Explanation
Analysing a single chunk of data triggered more signatures than the system is designed to handle. Some signature matches will be ignored. The incident will be handled according to the fail mode.
Gateway Action
None
Action Description
None
Proposed Action
None

2.25.12. [ID: 1401] Max signatures match limit exceeded

Log Categories
IPS
Log Message
Max signatures match limit exceeded.
Default Log Severity
Warning
Parameters
max, ipsrule, direction, flow, pkt, user, userid
Explanation
Analysing a single chunk of data triggered more signatures than the system is designed to handle. Some signature matches will be ignored. The incident will be handled according to the fail mode.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.25.13. [ID: 1419] No signature loaded

Log Categories
IPS
Log Message
No signature loaded.
Default Log Severity
Critical
Parameters
flow, flowusage, user, userid
Explanation
IPS signature file has been disabled or no signature file was found.
Gateway Action
Abort
Action Description
IPS Scanning has been aborted
Proposed Action
For IPS scanning, a valid license with IPS enabled must be installed. If already installed, manually initiate downloading of the latest signature file. IPS scanning can be disabled to avoid this log message.

2.25.14. [ID: 1421] IPS Notice

Log Categories
IPS
Log Message
IPS Notice.
Default Log Severity
Dynamic
Parameters
signature, signatureid, revision, ipsrule, direction, flow, flowusage, pkt, user, userid
Explanation
A notice signature matched the traffic.
Gateway Action
None
Action Description
None
Proposed Action
This is probably not an attack, but you may research the advisory (searchable by the unique ID).

2.25.15. [ID: 1417] IPS Notice

Log Categories
IPS
Log Message
IPS Notice.
Default Log Severity
Dynamic
Parameters
signature, signatureid, revision, ipsrule, direction, flow, flowusage, pkt, user, userid
Explanation
A notice signature mapped to the "protect" action matched the traffic, closing connection.
Gateway Action
Close
Action Description
None
Proposed Action
This is probably not an attack, but you may research the advisory (searchable by the unique ID).

2.25.16. [ID: 1412] Failed to scan data

Log Categories
IPS
Log Message
Failed to scan data.
Default Log Severity
Error
Parameters
ipsrule, direction, flow, flowusage, pkt, user, userid
Explanation
The unit failed to scan data because of low memory.
Gateway Action
Ignore
Action Description
None
Proposed Action
Review your configuration.

2.25.17. [ID: 1410] Failed to scan data

Log Categories
IPS
Log Message
Failed to scan data.
Default Log Severity
Error
Parameters
ipsrule, direction, flow, flowusage, pkt, user, userid
Explanation
The unit failed to scan data because of low memory.
Gateway Action
Close
Action Description
None
Proposed Action
Review your configuration.

2.25.18. [ID: 1409] Scan detected

Log Categories
IPS
Log Message
Scan detected.
Default Log Severity
Dynamic
Parameters
signature, signatureid, revision, ipsrule, direction, flow, flowusage, pkt, user, userid
Explanation
A scan signature matched the traffic.
Gateway Action
None
Action Description
None
Proposed Action
Research the advisory (searchable by the unique ID).

2.25.19. [ID: 1411] Scan detected

Log Categories
IPS
Log Message
Scan detected.
Default Log Severity
Dynamic
Parameters
signature, signatureid, revision, ipsrule, direction, flow, flowusage, pkt, user, userid
Explanation
A scan signature mapped to the "protect" action matched the traffic, closing connection.
Gateway Action
Close
Action Description
None
Proposed Action
Research the advisory (searchable by the unique ID), if you suspect an attack.

2.25.20. [ID: 1404] Threat detected

Log Categories
IPS
Log Message
Threat detected.
Default Log Severity
Dynamic
Parameters
signature, signatureid, revision, ipsrule, direction, flow, flowusage, pkt, user, userid
Explanation
An attack signature matched the traffic.
Gateway Action
None
Action Description
None
Proposed Action
Research the advisory (searchable by the unique ID).

2.25.21. [ID: 1427] Threat prevented

Log Categories
IPS
Log Message
Threat prevented.
Default Log Severity
Dynamic
Parameters
signature, signatureid, revision, ipsrule, direction, flow, flowusage, pkt, user, userid
Explanation
An attack signature mapped to the "protect" action matched the traffic.
Gateway Action
Close
Action Description
None
Proposed Action
Research the advisory (searchable by the unique ID).

2.26. IPSEC

These log messages refer to the IPSEC category.

2.26.1. [ID: 1683] Failed to add dynamic route

Log Categories
IPSEC
Log Message
Failed to add dynamic route.
Default Log Severity
Error
Parameters
table, network, iface
Explanation
The system failed to add a dynamic route associated with an IPsec tunnel. This route will remain active inside the routing table, where it will interfere with matching traffic.
Gateway Action
None
Action Description
None
Proposed Action
Disconnect and reconnect the IPsec tunnel.

2.26.2. [ID: 278] Anti-replay check failed

Log Categories
IPSEC
Log Message
Anti-replay check failed.
Default Log Severity
Notice
Parameters
seqno, windowbase, windowsize, matchkey
Explanation
A packet with the same sequence number as the received packet has already been received, or the sequence number is too small to fall within the sliding window. This may be the result of a lagging packet, or the packet may have been replayed by a third party.
Gateway Action
Drop
Action Description
None
Proposed Action
None
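
The window test described in this entry, as an added example (not code from cOS Stream or its vendor): a receiver-side sliding window in the style of RFC 4303. It assumes windowbase is the lowest sequence number still inside the window and windowsize is the number of sequence numbers the window spans; the class, method and verdict names are hypothetical.

```python
"""Added example: ESP-style anti-replay sliding window (not cOS Stream code)."""


class AntiReplayWindow:
    """Tracks which sequence numbers inside the window were already received.

    Assumption: windowbase is the lowest sequence number still accepted and
    windowsize is the number of sequence numbers the window covers.
    """

    def __init__(self, windowsize=64):
        self.windowsize = windowsize
        self.highest = 0  # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => (highest - i) was already received

    @property
    def windowbase(self):
        return max(1, self.highest - self.windowsize + 1)

    def check(self, seqno):
        """Classify seqno without changing any state."""
        if seqno > self.highest:
            return "accept"      # ahead of the window: always new
        if seqno < self.windowbase:
            return "too_old"     # too small to fall within the window
        if (self.bitmap >> (self.highest - seqno)) & 1:
            return "duplicate"   # same sequence number seen before
        return "accept"          # lagging packet that is still in the window

    def update(self, seqno):
        """Record seqno. Call this only after the integrity check passed,
        otherwise a forged packet could slide the window forward."""
        if seqno > self.highest:
            shift = seqno - self.highest
            mask = (1 << self.windowsize) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seqno
        else:
            self.bitmap |= 1 << (self.highest - seqno)

    def receive(self, seqno):
        verdict = self.check(seqno)
        if verdict == "accept":
            self.update(seqno)
        return verdict


def replay_demo():
    """Constructed arrival order: 4 lags behind 5, is then replayed, and
    10 moves the window so that a late 5 falls below windowbase."""
    window = AntiReplayWindow(windowsize=4)
    return [(s, window.receive(s)) for s in (1, 2, 3, 5, 4, 4, 10, 5, 8)]


if __name__ == "__main__":
    for seqno, verdict in replay_demo():
        print(seqno, verdict)
```

Both the "duplicate" and the "too_old" verdicts correspond to the condition this entry logs; a lagging packet and a replayed one are indistinguishable from the sequence number alone.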

2.26.3. [ID: 606] Bad ciphertext length

Log Categories
IPSEC
Log Message
Bad ciphertext length.
Default Log Severity
Notice
Parameters
seqno, iplen, paylen, datalen, blklen, matchkey
Explanation
The received packet could not be decrypted because the length of the encrypted data was not a multiple of the cipher block length.
Gateway Action
Drop
Action Description
None
Proposed Action
If manual keying is used, check that both endpoints are configured with the same encryption algorithm and key.

2.26.4. [ID: 254] Bad IP version

Log Categories
IPSEC
Log Message
Bad IP version.
Default Log Severity
Notice
Parameters
seqno, ipver, matchkey
Explanation
The packet has a disallowed IP version.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.26.5. [ID: 464] Bad next header

Log Categories
IPSEC
Log Message
Bad next header.
Default Log Severity
Notice
Parameters
seqno, nexthdr, matchkey
Explanation
The packet did not contain the expected next layer protocol. This typically means that the packet was decrypted incorrectly.
Gateway Action
Drop
Action Description
None
Proposed Action
If manual keying is used, check that both endpoints are configured with the same encryption algorithm and key.

2.26.6. [ID: 604] Bad padding

Log Categories
IPSEC
Log Message
Bad padding.
Default Log Severity
Notice
Parameters
seqno, datalen, padlen, matchkey
Explanation
The received packet contained ill-formatted padding. This typically means that the packet was decrypted incorrectly, but it could also mean that the two endpoints use different padding types.
Gateway Action
Drop
Action Description
None
Proposed Action
If manual keying is used, check that both endpoints are configured with the same encryption algorithm and key. Also, verify that the same padding type is used.

2.26.7. [ID: 282] Decryption failed

Log Categories
IPSEC
Log Message
Decryption failed.
Default Log Severity
Notice
Parameters
seqno, datalen, matchkey
Explanation
The received packet could not be decrypted, for example due to hardware congestion.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.26.8. [ID: 768] ECN codepoint mismatch

Log Categories
IPSEC
Log Message
ECN codepoint mismatch.
Default Log Severity
Warning
Parameters
seqno, outer, inner, matchkey
Explanation
The ECN codepoint of the inner and outer IP header did not match. The packet was dropped as an indication of congestion.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.26.9. [ID: 766] ECN codepoint mismatch

Log Categories
IPSEC
Log Message
ECN codepoint mismatch.
Default Log Severity
Notice
Parameters
seqno, outer, inner, new, matchkey
Explanation
The ECN codepoint of the inner and outer IP header did not match. The conflict was resolved using new.
Gateway Action
Adjust
Action Description
None
Proposed Action
None

2.26.10. [ID: 572] Encryption failed

Log Categories
IPSEC
Log Message
Encryption failed.
Default Log Severity
Notice
Parameters
seqno, datalen, matchkey
Explanation
The packet could not be encrypted, for example due to hardware congestion.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.26.11. [ID: 1057] Failed to generate IV

Log Categories
IPSEC
Log Message
Failed to generate IV.
Default Log Severity
Notice
Parameters
seqno, len, matchkey
Explanation
An initialization vector for the packet could not be generated, for example due to hardware congestion.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.26.12. [ID: 611] Integrity check failed

Log Categories
IPSEC
Log Message
Integrity check failed.
Default Log Severity
Notice
Parameters
seqno, matchkey
Explanation
The integrity check value of the received packet and the computed value did not match. This can happen because the integrity key differs from the key at the peer, because the packet changed in transit, or because the packet was sent by a third party.
Gateway Action
Drop
Action Description
None
Proposed Action
If manual keying is used, check that both endpoints are configured with the same integrity algorithm and key.

2.26.13. [ID: 413] Failed to allocate reassembly buffer

Log Categories
IPSEC,FRAG
Log Message
Failed to allocate reassembly buffer.
Default Log Severity
Notice
Parameters
seqno, pktlen, pkt
Explanation
The packet was fragmented and could not be reassembled because there were no free buffers available to hold the reassembled packet.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.26.14. [ID: 133] Reassembled packet exceeds allowed size

Log Categories
IPSEC,FRAG
Log Message
Reassembled packet exceeds allowed size.
Default Log Severity
Notice
Parameters
seqno, pktlen, pkt
Explanation
The packet was fragmented and could not be reassembled because it exceeded the maximum allowed size. See FragSettings:LocalReass_MaxSize.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.26.15. [ID: 487] Failed to reassemble packet

Log Categories
IPSEC,FRAG
Log Message
Failed to reassemble packet.
Default Log Severity
Notice
Parameters
seqno, pktlen, pkt
Explanation
The packet was fragmented and could not be reassembled.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.26.16. [ID: 1682] Failed to remove dynamic route

Log Categories
IPSEC
Log Message
Failed to remove dynamic route.
Default Log Severity
Critical
Parameters
table, network, iface
Explanation
The system failed to remove a dynamic route associated with an IPsec tunnel. This route will remain active inside the routing table, where it will interfere with matching traffic.
Gateway Action
None
Action Description
 
Proposed Action
While it is possible that the system may recover by itself, proper operation can no longer be guaranteed and a manual reboot is recommended.

2.26.17. [ID: 1696] Failed to remove IPsec policy rules

Log Categories
IPSEC
Log Message
Failed to remove IPsec policy rules.
Default Log Severity
Error
Parameters
localip, remoteip, spi, proto, localts, remotets, iface
Explanation
Failed to remove the IPsec policy rule from the rule database. Packets sent over the IPsec SA may still be allowed.
Gateway Action
None
Action Description
None
Proposed Action
A reboot of the system is recommended. Contact technical support if the problem persists.

2.26.18. [ID: 579] Failed to resize buffer

Log Categories
IPSEC
Log Message
Failed to resize buffer.
Default Log Severity
Debug
Parameters
seqno, pktlen, len, matchkey
Explanation
A packet buffer could not be resized to hold additional data.
Gateway Action
Drop
Action Description
None
Proposed Action
If this happens frequently, consider lowering the MTU of the IPsec tunnel.

2.26.19. [ID: 264] Packet too small

Log Categories
IPSEC
Log Message
Packet too small.
Default Log Severity
Notice
Parameters
seqno, iplen, paylen, matchkey
Explanation
The received packet was too small to contain a valid ESP, AH, or IPComp packet.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.26.20. [ID: 135] Payload too small

Log Categories
IPSEC
Log Message
Payload too small.
Default Log Severity
Notice
Parameters
seqno, nexthdr, matchkey
Explanation
The received packet was too small to contain the specified next layer protocol.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.26.21. [ID: 632] Low memory initializing SAD

Log Categories
IPSEC
Log Message
Low memory initializing SAD.
Default Log Severity
Warning
Parameters
size, new
Explanation
The security association database could not be initialized according to current settings due to low memory. The performance of the system may be degraded.
Gateway Action
Adjust
Action Description
The security association database has been configured for a lower number of entries
Proposed Action
Review system-wide settings and try to tweak memory-consuming features to use less memory.

2.26.22. [ID: 633] Out of memory initializing SAD

Log Categories
IPSEC
Log Message
Out of memory initializing SAD.
Default Log Severity
Critical
Parameters
size
Explanation
The security association database could not be initialized due to insufficient free memory.
Gateway Action
Abort
Action Description
None
Proposed Action
Review system-wide settings and try to tweak memory-consuming features to use less memory.

2.26.23. [ID: 339] Sequence number overflow

Log Categories
IPSEC
Log Message
Sequence number overflow.
Default Log Severity
Warning
Parameters
seqno, matchkey
Explanation
Attempted to transmit a packet that would result in sequence number overflow.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.27. IPV4

These log messages refer to the IPV4 category.

2.27.1. [ID: 466] Invalid IP header checksum

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Invalid IP header checksum.
Default Log Severity
Warning
Parameters
chksum, calcchksum, pkt
Explanation
The received packet IP header checksum was invalid.
Gateway Action
Drop
Action Description
None
Proposed Action
This log message can be disabled by the IPSettings:LogCheckSumErrors setting.

2.27.2. [ID: 518] Invalid header length

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Invalid header length.
Default Log Severity
Warning
Parameters
pktlen, hdrlen, pkt
Explanation
The received packet IP header specifies an invalid length. The IP Header length can never be smaller than 20 bytes or longer than the total packet length.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LogNonIP4 setting.

2.27.3. [ID: 166] Bad IP version

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Bad IP version.
Default Log Severity
Warning
Parameters
ipver, pkt
Explanation
The received packet has a disallowed IP version. This typically means that there is a mismatch between the IP packet and a lower layer protocol (such as Ethernet).
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LogNonIP4 setting.

2.27.4. [ID: 136] Non-zero IP Reserved Field

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Non-zero IP Reserved Field.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
The reserved field in the IPv4 header was found to be set. According to standards, this field should always be zero.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IPRF setting can be changed to control the gateway's behavior for packets with the reserved field set.

2.27.5. [ID: 568] Non-zero IP Reserved Field

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Non-zero IP Reserved Field.
Default Log Severity
Notice
Parameters
flow, pkt, user, userid
Explanation
The reserved field in the IPv4 header was found to be set. According to standards, this field should always be zero.
Gateway Action
Allow
Action Description
None
Proposed Action
The IPSettings:IPRF setting can be changed to control the gateway's behavior for packets with the reserved field set.

2.27.6. [ID: 228] Non-zero IP Reserved Field

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Non-zero IP Reserved Field.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
The reserved field in the IPv4 header was found to be set. According to standards, this field should always be zero.
Gateway Action
Strip
Action Description
None
Proposed Action
The IPSettings:IPRF setting can be changed to control the gateway's behavior for packets with the reserved field set.

2.27.7. [ID: 140] Option too large for option space

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Option too large for option space.
Default Log Severity
Warning
Parameters
option, avail, len, flow, pkt, user, userid
Explanation
The IP option is malformed. The claimed option does not fit within the option length of the packet.
Gateway Action
Drop
Action Description
None
Proposed Action
If the packet sender is one of your network devices, investigate why the unit is sending broken IP options.

2.27.8. [ID: 141] Invalid option length

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Invalid option length.
Default Log Severity
Warning
Parameters
option, avail, minlen, flow, pkt, user, userid
Explanation
The IP option is of a multi-byte type, which requires at least two bytes. The option with option number option had fewer than two bytes.
Gateway Action
Drop
Action Description
None
Proposed Action
If the packet sender is one of your network devices, investigate why the unit is sending malformed IP options.

2.27.9. [ID: 509] Received unknown IP option

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Received unknown IP option.
Default Log Severity
Notice
Parameters
option, flow, pkt, user, userid
Explanation
The packet contained an IP option other than Source Route, Timestamp and Router Alert.
Gateway Action
Allow
Action Description
None
Proposed Action
The IPSettings:IPOPT_OTHER setting can be changed to control the gateway's behavior for packets with an IP option other than Source Route, Timestamp and Router Alert.

2.27.10. [ID: 587] Received unknown IP option

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Received unknown IP option.
Default Log Severity
Warning
Parameters
option, flow, pkt, user, userid
Explanation
The packet contained an IP option other than Source Route, Timestamp and Router Alert.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IPOPT_OTHER setting can be changed to control the gateway's behavior for packets with an IP option other than Source Route, Timestamp and Router Alert.

2.27.11. [ID: 331] IP data is larger than the maximum allowed[...]

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
IP data is larger than the maximum allowed size.
Default Log Severity
Warning
Parameters
ipproto, maxlen, paylen, pkt
Explanation
Total IP payload is larger than the maximum allowed size for the given protocol. For fragmented traffic this is the size of the reassembled payload, otherwise it is the data portion of one single packet.
Gateway Action
Drop
Action Description
None
Proposed Action
If the network supports packets of this size (and this is a desired property of the network), modify the size limit settings (LengthLimSettings:MaxTCPLen, LengthLimSettings:MaxUDPLen, LengthLimSettings:MaxICMPLen, LengthLimSettings:MaxGRELen, LengthLimSettings:MaxESPLen, LengthLimSettings:MaxAHLen, LengthLimSettings:MaxSKIPLen, LengthLimSettings:MaxOSPFLen, LengthLimSettings:MaxIPIPLen, LengthLimSettings:MaxIPCompLen, LengthLimSettings:MaxL2TPLen and LengthLimSettings:MaxOtherSubIPLen) accordingly. This log message can be turned off by modifying the LengthLimSettings:LogOversizedPackets setting.

2.27.12. [ID: 1015] Packet too big

Log Categories
IPV4,STATELESS,PMTU
Log Message
Packet too big.
Default Log Severity
Information
Parameters
mtu, iplen, flow, pkt, user, userid
Explanation
Packet was rejected in accordance with RFC 1191, since it was larger (iplen bytes) than the next-hop MTU (mtu bytes).
Gateway Action
Reject
Action Description
An ICMP error destination unreachable, fragment needed and DF set, was returned to the sender
Proposed Action
This is a normal part of the path-MTU discovery process. In the unlikely case where the path-MTU discovery process is becoming a performance bottleneck, consider manually modifying the next-hop MTU.

2.27.13. [ID: 1016] Packet too big

Log Categories
IPV4,STATELESS,PMTU
Log Message
Packet too big.
Default Log Severity
Warning
Parameters
mtu, iplen, flow, pkt, user, userid
Explanation
Packet was dropped because it was too large (iplen bytes) to be properly forwarded to the next hop (with an MTU of mtu bytes). No ICMP error (fragmentation needed) was sent to the source to notify about this condition. Most likely the upper limit of ICMP errors per second had been reached, but this can also be a sign of severe resource starvation. This breaks proper path-MTU discovery as described by RFC 1191 and may cause network malfunction.
Gateway Action
Drop
Action Description
Packet was silently lost; the system failed to send an ICMP error
Proposed Action
Review the upper limit of ICMP errors per second (ICMPSettings:ICMPSendPerSecLimit) to see if there is a bottleneck. While not being the preferred solution, a workaround may be to manually update the next-hop MTU at certain routes.

2.27.14. [ID: 371] Received RA IP option

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Received RA IP option.
Default Log Severity
Notice
Parameters
option, flow, pkt, user, userid
Explanation
The packet contained a Router Alert IP option, which according to configuration is allowed.
Gateway Action
Allow
Action Description
None
Proposed Action
The IPSettings:IPOPT_RTRALT setting can be changed to control the gateway's behavior for packets with Router Alert options.

2.27.15. [ID: 334] Invalid RA option length

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Invalid RA option length.
Default Log Severity
Warning
Parameters
option, optlen, flow, pkt, user, userid
Explanation
The length specified in the Router Alert IP option was invalid.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IPOPT_RTRALT setting can be changed to control the gateway's behavior for packets with Router Alert options.

2.27.16. [ID: 205] Received RA IP option

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Received RA IP option.
Default Log Severity
Warning
Parameters
option, flow, pkt, user, userid
Explanation
The packet contained a Router Alert IP option, which according to configuration is disallowed.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IPOPT_RTRALT setting can be changed to control the gateway's behavior for packets with Router Alert options.

2.27.17. [ID: 549] Packet too small for ip header

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Packet too small for ip header.
Default Log Severity
Warning
Parameters
pktlen, pkt
Explanation
The received packet is too small to contain an IP header.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LogNonIP4 setting.

2.27.18. [ID: 234] Received Source Route IP option

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Received Source Route IP option.
Default Log Severity
Notice
Parameters
option, flow, pkt, user, userid
Explanation
The packet contained a Source Route IP option, which according to configuration is allowed.
Gateway Action
Allow
Action Description
None
Proposed Action
The IPSettings:IPOPT_SR setting can be changed to control the gateway's behavior for packets with source or return routes.

2.27.19. [ID: 108] Invalid SR option length

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Invalid SR option length.
Default Log Severity
Warning
Parameters
option, optlen, type, flow, pkt, user, userid
Explanation
The length specified in the source/return routes IP option was invalid.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IPOPT_SR setting can be changed to control the gateway's behavior for packets with source or return routes.

2.27.20. [ID: 176] Invalid SR pointer

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Invalid SR pointer.
Default Log Severity
Warning
Parameters
option, ptr, flow, pkt, user, userid
Explanation
A route pointer in the source/return route IP option was invalid since it was not aligned on a 4-byte boundary.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IPOPT_SR setting can be changed to control the gateway's behavior for packets with source or return routes.

2.27.21. [ID: 517] Received Source Route IP option

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Received Source Route IP option.
Default Log Severity
Warning
Parameters
option, flow, pkt, user, userid
Explanation
The packet contained a Source Route IP option, which according to configuration is disallowed.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IPOPT_SR setting can be changed to control the gateway's behavior for packets with source or return routes.

2.27.22. [ID: 196] Multiple source or return routes in SR IP[...]

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Multiple source or return routes in SR IP option.
Default Log Severity
Warning
Parameters
option, flow, pkt, user, userid
Explanation
Multiple source or return routes were specified in the Source Route IP option.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IPOPT_SR setting can be changed to control the gateway's behavior for packets with source or return routes.

2.27.23. [ID: 469] Non-zero IP TOS field

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Non-zero IP TOS field.
Default Log Severity
Notice
Parameters
value, flow, pkt, user, userid
Explanation
The Type of Service (TOS) field in the IPv4 header was non-zero. The TOS field may be used by Differentiated Services to group traffic into different traffic classes.
Gateway Action
Allow
Action Description
None
Proposed Action
The IPSettings:TrafficClass setting can be changed to control the gateway's behavior for packets with the TOS field set.

2.27.24. [ID: 149] Non-zero IP TOS field

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Non-zero IP TOS field.
Default Log Severity
Warning
Parameters
value, flow, pkt, user, userid
Explanation
The Type of Service (TOS) field in the IPv4 header was non-zero. The TOS field may be used by Differentiated Services to group traffic into different traffic classes.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:TrafficClass setting can be changed to control the gateway's behavior for packets with the TOS field set.

2.27.25. [ID: 467] Non-zero IP TOS field

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Non-zero IP TOS field.
Default Log Severity
Warning
Parameters
value, flow, pkt, user, userid
Explanation
The Type of Service (TOS) field in the IPv4 header was non-zero. The TOS field may be used by Differentiated Services to group traffic into different traffic classes.
Gateway Action
Strip
Action Description
None
Proposed Action
The IPSettings:TrafficClass setting can be changed to control the gateway's behavior for packets with the TOS field set.

2.27.26. [ID: 175] Received TS IP option

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Received TS IP option.
Default Log Severity
Notice
Parameters
option, flow, pkt, user, userid
Explanation
The packet contained the Timestamp IP option, which according to configuration is allowed.
Gateway Action
Allow
Action Description
None
Proposed Action
The IPSettings:IPOPT_TS setting can be changed to control the gateway's behavior for packets with the Timestamp IP option.

2.27.27. [ID: 354] Invalid TS option length

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Invalid TS option length.
Default Log Severity
Warning
Parameters
option, optlen, flow, pkt, user, userid
Explanation
The length specified in the Timestamp IP option was invalid.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IPOPT_TS setting can be changed to control the gateway's behavior for packets with the Timestamp IP option.

2.27.28. [ID: 198] Invalid TS pointer

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Invalid TS pointer.
Default Log Severity
Warning
Parameters
option, ptr, flow, pkt, user, userid
Explanation
A time stamp pointer in the Timestamp IP option was invalid.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IPOPT_TS setting can be changed to control the gateway's behavior for packets with the Timestamp IP option.

2.27.29. [ID: 589] Invalid TS pointer with overflow

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Invalid TS pointer with overflow.
Default Log Severity
Warning
Parameters
option, ptr, value, flow, pkt, user, userid
Explanation
A packet was received with an invalid Timestamp pointer and overflow.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IPOPT_TS setting can be changed to control the gateway's behavior for packets with the Timestamp IP option.

2.27.30. [ID: 557] Received TS IP option

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Received TS IP option.
Default Log Severity
Warning
Parameters
option, flow, pkt, user, userid
Explanation
The packet contained the Timestamp IP option, which according to configuration is disallowed.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IPOPT_TS setting can be changed to control the gateway's behavior for packets with the Timestamp IP option.

2.27.31. [ID: 233] Multiple time stamps in TS IP option

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Multiple time stamps in TS IP option.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
Multiple time stamps were specified in the IP option.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IPOPT_TS setting can be changed to control the gateway's behavior for packets with the Timestamp IP option.

2.27.32. [ID: 442] TTL is zero

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
TTL is zero.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
An IPv4 packet with a TTL value of zero was received and dropped. Transmitting IPv4 packets with a TTL value of zero violates the IP specification, and such packets should be dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
This log message can be disabled by the IPSettings:LogReceivedTTL0 setting.

2.27.33. [ID: 298] TTL expired

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
TTL expired.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
An IPv4 packet with a TTL=1 was received. The packet was to be forwarded, at which point TTL reached zero and the packet had to be dropped.
Gateway Action
Drop
Action Description
The packet has been dropped
Proposed Action
This log message is only possible when IPSettings:TTLMin is set to 1. Whether to log and/or reject can be controlled by the MiscSettings:TTL0OnFwd setting.

2.27.34. [ID: 503] TTL expired

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
TTL expired.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
An IPv4 packet with a TTL=1 was received. The packet was to be forwarded, at which point TTL reached zero and the packet had to be dropped.
Gateway Action
Reject
Action Description
An ICMP error (TTL EXCEED) has been sent to the source IP of the packet
Proposed Action
This log message is only possible when IPSettings:TTLMin is set to 1. Whether to log and/or reject can be controlled by the MiscSettings:TTL0OnFwd setting.

2.27.35. [ID: 405] TTL too low

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
TTL too low.
Default Log Severity
Notice
Parameters
value, min, flow, pkt, user, userid
Explanation
An IPv4 packet with a TTL value less than the configured minimum value was detected.
Gateway Action
Allow
Action Description
None
Proposed Action
The IPSettings:TTLMin value should be larger than 3 to prevent a user from mapping routers behind the firewall, i.e. firewalking. In order to support trace-route applications, the IPSettings:TTLMin value needs to be set to 1.

2.27.36. [ID: 185] TTL too low

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
TTL too low.
Default Log Severity
Warning
Parameters
value, min, flow, pkt, user, userid
Explanation
An IPv4 packet with a TTL value less than the configured minimum value was detected.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:TTLMin value should be larger than 3 to prevent a user from mapping routers behind the firewall, i.e. firewalking. In order to support trace-route applications, the IPSettings:TTLMin value needs to be set to 1.

2.27.37. [ID: 409] TTL too low

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
TTL too low.
Default Log Severity
Warning
Parameters
value, min, flow, pkt, user, userid
Explanation
An IPv4 packet with a TTL value less than the configured minimum value was detected.
Gateway Action
Reject
Action Description
None
Proposed Action
The IPSettings:TTLMin value should be larger than 3 to prevent a user from mapping routers behind the firewall, i.e. firewalking. In order to support trace-route applications, the IPSettings:TTLMin value needs to be set to 1.

2.27.38. [ID: 131] Packet too small for L4 header

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
Packet too small for L4 header.
Default Log Severity
Warning
Parameters
ipproto, paylen, pkt
Explanation
The received packet is too short to contain an L4 header of the specified protocol.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LogNonIP4 setting.

2.27.39. [ID: 156] IP length is larger than packet

Log Categories
IPV4,STATELESS,VALIDATE
Log Message
IP length is larger than packet.
Default Log Severity
Warning
Parameters
ipproto, pktlen, iplen, pkt
Explanation
The received packet IP total length is larger than the received transport data.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LogNonIP4 setting.

2.28. IPV6

These log messages refer to the IPV6 category.

2.28.1. [ID: 115] Max IPv6 options per extension header reached

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Max IPv6 options per extension header reached.
Default Log Severity
Notice
Parameters
max, flow, pkt, user, userid
Explanation
The maximum number of options within an extension header has been reached.
Gateway Action
Ignore
Action Description
None
Proposed Action
The IPSettings:IP6MaxOPH setting can be changed to increase or decrease the number of options allowed within an extension header. The IPSettings:IP6OnMaxOPH setting can be changed to control the gateway's behavior when the maximum number of options has been reached.

2.28.2. [ID: 492] Max IPv6 options per extension header reached

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Max IPv6 options per extension header reached.
Default Log Severity
Warning
Parameters
max, flow, pkt, user, userid
Explanation
The maximum number of options within an extension header has been reached.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IP6MaxOPH setting can be changed to increase or decrease the number of options allowed within an extension header. The IPSettings:IP6OnMaxOPH setting can be changed to control the gateway's behavior when the maximum number of options has been reached.

2.28.3. [ID: 477] Order of extension headers is invalid

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Order of extension headers is invalid.
Default Log Severity
Warning
Parameters
exthdr, hdrver, offset, pkt
Explanation
IPv6 requires a strict ordering between different extension headers (the order among extension headers changes their semantics). A packet that did not comply with this ordering has been received.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LogNonIP4 setting.

2.28.4. [ID: 304] Bad IP version

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Bad IP version.
Default Log Severity
Warning
Parameters
ipver, pkt
Explanation
The received packet has a disallowed IP version. This typically means that there is a mismatch between the IP packet and a lower layer protocol (such as Ethernet).
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LogNonIP4 setting.

2.28.5. [ID: 401] Received unknown extension header

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Received unknown extension header.
Default Log Severity
Error
Parameters
exthdr, flow, pkt, user, userid
Explanation
An unknown extension header was not allowed to be forwarded by the gateway.
Gateway Action
Drop
Action Description
None
Proposed Action
Verify that the packet was not malformed in any way using a network analysis tool. If the packet is valid, report the extension header with header id exthdr to customer support.

2.28.6. [ID: 263] Non-zero IP Flow Label

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Non-zero IP Flow Label.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
Flow Labels provide an alternative and efficient way for Flow Label capable IPv6 routers to forward IPv6 packets based only on data in the IP header at fixed positions. For more information see RFC3697.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IP6FL setting can be changed to control the gateway's behavior for packets with the Flow Label field set.

2.28.7. [ID: 486] Non-zero IP Flow Label

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Non-zero IP Flow Label.
Default Log Severity
Notice
Parameters
flow, pkt, user, userid
Explanation
Flow Labels provide an alternative and efficient way for Flow Label capable IPv6 routers to forward IPv6 packets based only on data in the IP header at fixed positions. For more information see RFC3697.
Gateway Action
Allow
Action Description
None
Proposed Action
The IPSettings:IP6FL setting can be changed to control the gateway's behavior for packets with the Flow Label field set.

2.28.8. [ID: 621] Non-zero IP Flow Label

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Non-zero IP Flow Label.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
Flow Labels provide an alternative and efficient way for Flow Label capable IPv6 routers to forward IPv6 packets based only on data in the IP header at fixed positions. For more information see RFC3697.
Gateway Action
Strip
Action Description
None
Proposed Action
The IPSettings:IP6FL setting can be changed to control the gateway's behavior for packets with the Flow Label field set.

2.28.9. [ID: 804] Illegal sender address

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Illegal sender address.
Default Log Severity
Notice
Parameters
srcip, pkt
Explanation
Received a packet where the source address does not identify a single node uniquely.
Gateway Action
Drop
Action Description
None
Proposed Action
If possible, trace down the originator and validate its configuration.

2.28.10. [ID: 470] IPv6 extension header size limit reached

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
IPv6 extension header size limit reached.
Default Log Severity
Notice
Parameters
maxlen, flow, pkt, user, userid
Explanation
The maximum total size of extension headers within an IPv6 packet has been reached.
Gateway Action
Ignore
Action Description
None
Proposed Action
The IPSettings:IP6MaxExtHdr setting can be changed to increase or decrease the total size of extension headers allowed. The IPSettings:IP6OnMaxExtHdr setting can be changed to control the gateway's behavior when the maximum extension header size is reached.

2.28.11. [ID: 249] IPv6 extension header size limit reached

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
IPv6 extension header size limit reached.
Default Log Severity
Warning
Parameters
maxlen, flow, pkt, user, userid
Explanation
The maximum total size of extension headers within an IPv6 packet has been reached.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IP6MaxExtHdr setting can be changed to increase or decrease the total size of extension headers allowed. The IPSettings:IP6OnMaxExtHdr setting can be changed to control the gateway's behavior when the maximum extension header size is reached.

2.28.12. [ID: 220] Non-zero IPv6 PADN data

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Non-zero IPv6 PADN data.
Default Log Severity
Notice
Parameters
flow, pkt, user, userid
Explanation
The IPv6 PADN field(s) were found to be non-zero. It is recommended to at least strip this information from the packet to prevent unfiltered data from being tunneled within the pad fields.
Gateway Action
Allow
Action Description
None
Proposed Action
The IPSettings:IP6OPT_PADN setting can be changed to control the gateway's behavior when processing packets with non-zero pad fields.

2.28.13. [ID: 575] Non-zero IPv6 PADN data

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Non-zero IPv6 PADN data.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
The IPv6 PADN field(s) were found to be non-zero. It is recommended to at least strip this information from the packet to prevent unfiltered data from being tunneled within the pad fields.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IP6OPT_PADN setting can be changed to control the gateway's behavior when processing packets with non-zero pad fields.

2.28.14. [ID: 268] Non-zero IPv6 PADN data

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Non-zero IPv6 PADN data.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
The IPv6 PADN field(s) were found to be non-zero. It is recommended to at least strip this information from the packet to prevent unfiltered data from being tunneled within the pad fields.
Gateway Action
Strip
Action Description
None
Proposed Action
The IPSettings:IP6OPT_PADN setting can be changed to control the gateway's behavior when processing packets with non-zero pad fields.

2.28.15. [ID: 347] Fragment header in non-fragment

Log Categories
IPV6,FRAG,STATELESS,VALIDATE
Log Message
Fragment header in non-fragment.
Default Log Severity
Information
Parameters
offset, pktlen, pkt
Explanation
An IPv6 packet may include a fragment header that states that "this is the first and only fragment". By definition, this is not a fragment. This construction is perfectly legal, and is used when an IPv6 node has discovered that the path MTU is lower than the minimal IPv6 MTU. This situation is likely when IPv6 traffic is tunneled via a non-IPv6 network, such as a modem or an IPv4 network.
Gateway Action
None
Action Description
None
Proposed Action
The FragSettings:IP6NopFrags setting can be changed to control the gateway's behavior for non-fragmented packets with a fragment header.

2.28.16. [ID: 283] Fragment header in non-fragment

Log Categories
IPV6,FRAG,STATELESS,VALIDATE
Log Message
Fragment header in non-fragment.
Default Log Severity
Notice
Parameters
offset, pktlen, pkt
Explanation
An IPv6 packet may include a fragment header that states that "this is the first and only fragment". By definition, this is not a fragment. This construction is perfectly legal, and is used when an IPv6 node has discovered that the path MTU is lower than the minimal IPv6 MTU. This situation is likely when IPv6 traffic is tunneled via a non-IPv6 network, such as a modem or an IPv4 network.
Gateway Action
Drop
Action Description
None
Proposed Action
Under normal circumstances, it is recommended NOT to drop this kind of packet. The FragSettings:IP6NopFrags setting can be changed to control the gateway's behavior for non-fragmented packets with a fragment header.

2.28.17. [ID: 260] Received fragmented jumbogram

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Received fragmented jumbogram.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
A packet carrying both a jumbogram option and a fragmentation header was received. Jumbograms are not allowed to be fragmented.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IP6OPT_JUMBO setting can be changed to control the gateway's behavior for validating IPv6 packets with Jumbogram options.

2.28.18. [ID: 128] Received fragmented jumbogram

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Received fragmented jumbogram.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
A packet carrying both a jumbogram option and a fragmentation header was received. Jumbograms are not allowed to be fragmented.
Gateway Action
Reject
Action Description
None
Proposed Action
The IPSettings:IP6OPT_JUMBO setting can be changed to control the gateway's behavior for validating IPv6 packets with Jumbogram options.

2.28.19. [ID: 157] Received Home Address option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Received Home Address option.
Default Log Severity
Notice
Parameters
flow, pkt, user, userid
Explanation
The packet contained a Home Address IPv6 option, which according to configuration is allowed.
Gateway Action
Allow
Action Description
None
Proposed Action
The IPSettings:IP6OPT_HA setting can be changed to control the gateway's behavior for IPv6 packets with Home Address options.

2.28.20. [ID: 150] Received Home Address option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Received Home Address option.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
The packet contained a Home Address IPv6 option, which according to configuration is disallowed.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IP6OPT_HA setting can be changed to control the gateway's behavior for IPv6 packets with Home Address options.

2.28.21. [ID: 535] Multicast Home Address option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Multicast Home Address option.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
The packet contained a Home Address IPv6 option with a non-unicast home address. According to RFC3775, the home address must be a unicast address.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IP6OPT_HA setting can be changed to control the gateway's behavior for IPv6 packets with Home Address options.

2.28.22. [ID: 457] Received Home Address option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Received Home Address option.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
The packet contained a Home Address IPv6 option, which according to configuration should be treated as if the gateway did not support that option.
Gateway Action
Drop
Action Description
The packet was dropped according to the action bits in the Home Address option
Proposed Action
The IPSettings:IP6OPT_HA setting can be changed to control the gateway's behavior for IPv6 packets with Home Address options.

2.28.23. [ID: 412] Received Home Address option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Received Home Address option.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
The packet contained a Home Address IPv6 option, which according to configuration should be treated as if the gateway did not support that option.
Gateway Action
Reject
Action Description
The packet was rejected according to the action bits in the Home Address option
Proposed Action
The IPSettings:IP6OPT_HA setting can be changed to control the gateway's behavior for IPv6 packets with Home Address options.

2.28.24. [ID: 121] IP6 option with invalid size

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
IP6 option with invalid size.
Default Log Severity
Warning
Parameters
option, len, expectlen, flow, pkt, user, userid
Explanation
An IPv6 option with a known static size claimed to be of a size other than that specified by the IPv6 specification.
Gateway Action
Drop
Action Description
None
Proposed Action
If the packet sender is one of your network devices, investigate why the unit is sending malformed IP options.

2.28.25. [ID: 458] Received Jumbogram option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Received Jumbogram option.
Default Log Severity
Notice
Parameters
flow, pkt, user, userid
Explanation
The packet contained a Jumbogram IPv6 option, which according to configuration is allowed.
Gateway Action
Allow
Action Description
None
Proposed Action
The IPSettings:IP6OPT_JUMBO setting can be changed to control the gateway's behavior for IPv6 packets with Jumbogram options.

2.28.26. [ID: 586] Received Jumbogram option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Received Jumbogram option.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
The packet contained a Jumbogram option, which according to configuration is disallowed.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IP6OPT_JUMBO setting can be changed to control the gateway's behavior for IPv6 packets with Jumbogram options.

2.28.27. [ID: 101] Received Jumbogram option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Received Jumbogram option.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
The packet contained a Jumbogram option, which according to configuration should be treated as if the gateway did not support that option. RFC2675 states that devices not supporting the Jumbogram option should reject the packet.
Gateway Action
Reject
Action Description
None
Proposed Action
The IPSettings:IP6OPT_JUMBO setting can be changed to control the gateway's behavior for IPv6 packets with Jumbogram options.

2.28.28. [ID: 417] Received malformed Jumbogram

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Received malformed Jumbogram.
Default Log Severity
Warning
Parameters
iplen, paylen, pktlen, flow, pkt, user, userid
Explanation
The packet contained a malformed Jumbogram option. The IP payload field iplen must be zero for jumbograms. The paylen parameter is the length indicated by the Jumbogram option. pktlen is the total packet length.
Gateway Action
Drop
Action Description
Ignoring RFC2675 reject behavior and dropping packet
Proposed Action
The IPSettings:IP6OPT_JUMBO setting can be changed to control the gateway's behavior for IPv6 packets with Jumbogram options. Unless the gateway is supposed to be completely transparent, it is recommended to change the setting's action to ValidateLogRejectBad.

2.28.29. [ID: 603] Received malformed Jumbogram

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Received malformed Jumbogram.
Default Log Severity
Warning
Parameters
iplen, paylen, pktlen, flow, pkt, user, userid
Explanation
The packet contained a malformed Jumbogram option. The IP payload field iplen must be zero for jumbograms. The paylen parameter is the length indicated by the Jumbogram option. pktlen is the total packet length.
Gateway Action
Reject
Action Description
Rejecting packet according to RFC2675
Proposed Action
The IPSettings:IP6OPT_JUMBO setting can be changed to control the gateway's behavior for IPv6 packets with Jumbogram options. Unless the gateway is supposed to be completely transparent, it is recommended to change the setting's action to ValidateLogRejectBad.

2.28.30. [ID: 407] Received unknown option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Received unknown option.
Default Log Severity
Warning
Parameters
option, optlen, flow, pkt, user, userid
Explanation
The packet contained an option type that was not recognized. The current configuration allows all unknown IPv6 options.
Gateway Action
Allow
Action Description
The option's action bits were ignored and the packet was allowed
Proposed Action
The IPSettings:IP6OPT_Other setting can be changed to control the gateway's behavior for packets with unknown IPv6 options. It is recommended that the setting is set to RFC2460LogNoSupport which will make the gateway handle the packets according to the unknown option's action bits.

2.28.31. [ID: 197] Received unknown option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Received unknown option.
Default Log Severity
Warning
Parameters
option, optlen, flow, pkt, user, userid
Explanation
The packet contained an option type that was not recognized. The current configuration disallows all unknown IPv6 options.
Gateway Action
Drop
Action Description
The option's action bits were ignored and the packet was dropped
Proposed Action
The IPSettings:IP6OPT_Other setting can be changed to control the gateway's behavior for packets with unknown IPv6 options. It is recommended that the setting is set to RFC2460LogNoSupport which will make the gateway handle the packets according to the unknown option's action bits.

2.28.32. [ID: 314] Processed unknown option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Processed unknown option.
Default Log Severity
Warning
Parameters
option, optlen, flow, pkt, user, userid
Explanation
The packet contained an option type that was not recognized. RFC2460 states that network nodes that do not recognize an option should handle the packet according to the action bits within the unknown option.
Gateway Action
Drop
Action Description
The packet was dropped according to the unknown option's action bits
Proposed Action
The IPSettings:IP6OPT_Other setting can be changed to control the gateway's behavior for packets with unknown IPv6 options. It is recommended that the packet is handled according to the option's action bits by configuring the IPSettings:IP6OPT_Other setting to RFC2460LogNoSupport.

2.28.33. [ID: 280] Processed unknown option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Processed unknown option.
Default Log Severity
Warning
Parameters
option, optlen, flow, pkt, user, userid
Explanation
The packet contained an option type that was not recognized. The IPv6 specification states that network nodes that do not recognize an option should handle the packet according to the action bits within the unknown option. The action bits for the option option stated that the unknown option should be dropped and not rejected since the destination address is a non-unicast address.
Gateway Action
Drop
Action Description
The packet is dropped
Proposed Action
The IPSettings:IP6OPT_Other setting can be changed to control the gateway's behavior for packets with unknown IPv6 options. It is recommended that the packet is handled according to the option's action bits by configuring the IPSettings:IP6OPT_Other setting to RFC2460LogNoSupport.

2.28.34. [ID: 154] Processed unknown option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Processed unknown option.
Default Log Severity
Warning
Parameters
option, optlen, flow, pkt, user, userid
Explanation
The packet contained an option type that was not recognized. RFC2460 states that network nodes that do not recognize an option should handle the packet according to the action bits within the unknown option. The action bits for the option option stated that the packet should be rejected regardless of destination address.
Gateway Action
Reject
Action Description
The packet was rejected according to the unknown option's action bits
Proposed Action
The IPSettings:IP6OPT_Other setting can be changed to control the gateway's behavior for packets with unknown IPv6 options. It is recommended that the packet is handled according to the option's action bits by configuring the IPSettings:IP6OPT_Other setting to RFC2460LogNoSupport.

2.28.35. [ID: 344] Processed unknown option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Processed unknown option.
Default Log Severity
Warning
Parameters
option, optlen, flow, pkt, user, userid
Explanation
The packet contained an option type that was not recognized. RFC2460 states that network nodes that do not recognize an option should handle the packet according to the action bits within the unknown option. The action bits for the option option stated that the packet should be rejected if the destination address is a unicast address and dropped silently otherwise.
Gateway Action
Reject
Action Description
The packet was rejected according to the unknown option's action bits
Proposed Action
The IPSettings:IP6OPT_Other setting can be changed to control the gateway's behavior for packets with unknown IPv6 options. It is recommended that the packet is handled according to the option's action bits by configuring the IPSettings:IP6OPT_Other setting to RFC2460LogNoSupport.

2.28.36. [ID: 356] Processed unknown option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Processed unknown option.
Default Log Severity
Warning
Parameters
option, optlen, flow, pkt, user, userid
Explanation
The packet contained an option type that was not recognized. RFC2460 states that network nodes that do not recognize an option should handle the packet according to the action bits within the unknown option. The action bits for the option option stated that the unknown option should be ignored and that the packet processing should continue.
Gateway Action
Allow
Action Description
The option was ignored according to the unknown option's action bits
Proposed Action
The IPSettings:IP6OPT_Other setting can be changed to control the gateway's behavior for packets with unknown IPv6 options. It is recommended that the packet is handled according to the option's action bits by configuring the IPSettings:IP6OPT_Other setting to RFC2460LogNoSupport.
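
The "Processed unknown option" entries above (IDs 314, 280, 154, 344 and 356) differ only in what the two high-order action bits of the option type require. The following sketch is an added example, not code from the product: it walks the options area of a Hop-by-Hop or Destination Options header and returns the gateway action and log ID that would apply under RFC2460LogNoSupport handling, plus the two overflow checks described for IDs 578 and 562. The function names, the set of recognized options, the ID mapping (inferred from the explanations in this guide) and the sample bytes are assumptions made for illustration.

```python
import ipaddress

# Option types this sketch treats as recognized (assumption for the example):
# Pad1, PadN, Router Alert, Jumbo Payload, Home Address.
KNOWN_OPTIONS = {0x00, 0x01, 0x05, 0xC2, 0xC9}


def unknown_option_verdict(opt_type, dst):
    """Return (action, log_id) for an unrecognized option.

    The two high-order bits of the option type are the RFC 2460 action bits:
      00 skip the option and keep processing
      01 discard the packet silently
      10 discard and send an ICMP Parameter Problem, whatever the destination
      11 discard; send the ICMP error only if the destination is not multicast
    """
    bits = opt_type >> 6
    if bits == 0b00:
        return ("Allow", 356)
    if bits == 0b01:
        return ("Drop", 314)
    if bits == 0b10:
        return ("Reject", 154)
    # bits == 0b11: the destination address decides between reject and drop.
    if ipaddress.IPv6Address(dst).is_multicast:
        return ("Drop", 280)
    return ("Reject", 344)


def walk_options(area, dst):
    """Walk the TLV options that follow the Next Header / Hdr Ext Len bytes.

    Returns a list of (opt_type, action, log_id) events and stops at the
    first event whose action is not "Allow", as a gateway would.
    """
    events = []
    i = 0
    while i < len(area):
        opt_type = area[i]
        if opt_type == 0x00:          # Pad1 is a single byte with no length
            i += 1
            continue
        avail = len(area) - i
        if avail < 2:                 # no room for the type and length bytes
            events.append((opt_type, "Drop", 562))
            break
        optlen = area[i + 1]
        if 2 + optlen > avail:        # option claims more than the header holds
            events.append((opt_type, "Drop", 578))
            break
        if opt_type not in KNOWN_OPTIONS:
            action, log_id = unknown_option_verdict(opt_type, dst)
            events.append((opt_type, action, log_id))
            if action != "Allow":
                break
        i += 2 + optlen
    return events


if __name__ == "__main__":
    # Constructed sample: unknown option 0xDE (action bits 11), 2 data bytes,
    # followed by a PadN of length 0.
    sample = bytes([0xDE, 0x02, 0xAA, 0xBB, 0x01, 0x00])
    for dst in ("2001:db8::10", "ff02::1"):
        print(dst, walk_options(sample, dst))
```

Running it prints Reject/344 for the unicast destination and Drop/280 for the multicast one, which is the distinction the two entries describe.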

2.28.37. [ID: 563] Received Router Alert option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Received Router Alert option.
Default Log Severity
Notice
Parameters
flow, pkt, user, userid
Explanation
The packet contained a Router Alert IPv6 option, which according to configuration is allowed.
Gateway Action
Allow
Action Description
None
Proposed Action
The IPSettings:IP6OPT_RA setting can be changed to control the gateway's behavior for IPv6 packets with Router Alert options. It is recommended that the setting is set to RFC3775LogNoSupport which will make the gateway ignore the option according to the option's action bits.

2.28.38. [ID: 396] Received Router Alert option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Received Router Alert option.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
The packet contained a Router Alert IPv6 option, which according to configuration is disallowed.
Gateway Action
Drop
Action Description
The option's action bits were ignored and the packet was dropped
Proposed Action
The IPSettings:IP6OPT_RA setting can be changed to control the gateway's behavior for IPv6 packets with Router Alert options. It is recommended that the setting is set to RFC3775LogNoSupport which will make the gateway ignore the option according to the option's action bits.

2.28.39. [ID: 214] Received Router Alert option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Received Router Alert option.
Default Log Severity
Notice
Parameters
flow, pkt, user, userid
Explanation
The packet contained a Router Alert IPv6 option, which according to configuration should be treated as if the gateway did not support the option. RFC3775 states that the option should be ignored by devices not supporting it.
Gateway Action
Allow
Action Description
The option was ignored according to the action bits of the RA option
Proposed Action
The IPSettings:IP6OPT_RA setting can be changed to control the gateway's behavior for IPv6 packets with Router Alert options. It is recommended that the setting is set to RFC3775LogNoSupport which will make the gateway ignore the option according to the option's action bits.

2.28.40. [ID: 178] Received Routing Header option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Received Routing Header option.
Default Log Severity
Warning
Parameters
type, segmentsleft, flow, pkt, user, userid
Explanation
An IPv6 packet carrying a Routing Header of type type and segments left value of segmentsleft was dropped according to configuration.
Gateway Action
Drop
Action Description
The segments field was ignored and the packet was dropped
Proposed Action
The IPSettings:IP6OPT_RH0, IPSettings:IP6OPT_RH2 and IPSettings:IP6OPT_RHOther settings can be changed to control the gateway's behavior for packets with routing headers. The IPv6 specification states that unknown routing headers should be rejected or accepted depending on the value of the segments left field in the routing header.

2.28.41. [ID: 531] Received Routing Header option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Received Routing Header option.
Default Log Severity
Notice
Parameters
type, segmentsleft, flow, pkt, user, userid
Explanation
An IPv6 packet carrying a Routing Header of type type and segments left value of segmentsleft was allowed since all routes provided in the packet had been processed and the packet was heading for its final destination.
Gateway Action
Allow
Action Description
Packet was allowed since segments field was zero
Proposed Action
The IPSettings:IP6OPT_RH0, IPSettings:IP6OPT_RH2 and IPSettings:IP6OPT_RHOther settings can be changed to control the gateway's behavior for packets with routing headers. The IPv6 specification states that unknown routing headers should be rejected or accepted depending on the value of the segments left field in the routing header.

2.28.42. [ID: 363] Received Routing Header option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Received Routing Header option.
Default Log Severity
Warning
Parameters
type, segmentsleft, flow, pkt, user, userid
Explanation
An IPv6 packet carrying a Routing Header of type type and segments left value of segmentsleft was rejected since all routes provided in the packet had not been processed.
Gateway Action
Reject
Action Description
Packet was rejected since segments field was non-zero
Proposed Action
The IPSettings:IP6OPT_RH0, IPSettings:IP6OPT_RH2 and IPSettings:IP6OPT_RHOther settings can be changed to control the gateway's behavior for packets with routing headers. The IPv6 specification states that unknown routing headers should be rejected or accepted depending on the value of the segments left field in the routing header.

2.28.43. [ID: 578] IPv6 option extension header overflow

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
IPv6 option extension header overflow.
Default Log Severity
Warning
Parameters
exthdr, option, optlen, avail, flow, pkt, user, userid
Explanation
An option option within an extension header of type exthdr claimed to be larger than the size of the extension header. The extension headers and options within an IPv6 packet must be properly formatted so that routers and receivers can deliver and process the packet.
Gateway Action
Drop
Action Description
None
Proposed Action
If the packet sender is one of your network devices, investigate why the unit is sending malformed IP options.

2.28.44. [ID: 562] IPv6 option extension header overflow

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
IPv6 option extension header overflow.
Default Log Severity
Warning
Parameters
exthdr, option, avail, flow, pkt, user, userid
Explanation
An option option within an extension header of type exthdr could not be processed since the available length within the extension header was less than the minimum required length of 2 bytes.
Gateway Action
Drop
Action Description
None
Proposed Action
If the packet sender is one of your network devices, investigate why the unit is sending malformed IP options.

2.28.45. [ID: 439] IP data is larger than the maximum allowed[...]

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
IP data is larger than the maximum allowed size.
Default Log Severity
Warning
Parameters
ipproto, maxlen, paylen, pkt
Explanation
Total IP payload is larger than the maximum allowed size for the given protocol. For fragmented traffic this is the size of the reassembled payload, otherwise it is the data portion of one single packet. Extension headers do not count as part of the IP payload.
Gateway Action
Drop
Action Description
None
Proposed Action
If the network supports packets of this size (and this is a desired property of the network), modify the size limit settings (LengthLimSettings:MaxTCPLen, LengthLimSettings:MaxUDPLen, LengthLimSettings:MaxICMPLen, LengthLimSettings:MaxGRELen, LengthLimSettings:MaxESPLen, LengthLimSettings:MaxAHLen, LengthLimSettings:MaxSKIPLen, LengthLimSettings:MaxOSPFLen, LengthLimSettings:MaxIPIPLen, LengthLimSettings:MaxIPCompLen, LengthLimSettings:MaxL2TPLen and LengthLimSettings:MaxOtherSubIPLen) accordingly. This log message can be turned off by modifying the LengthLimSettings:LogOversizedPackets setting.

2.28.46. [ID: 1012] Packet too big

Log Categories
IPV6,STATELESS,PMTU
Log Message
Packet too big.
Default Log Severity
Information
Parameters
mtu, iplen, flow, pkt, user, userid
Explanation
Packet was rejected in accordance with RFC 1191, since it was larger (iplen bytes) than the next-hop MTU (mtu bytes).
Gateway Action
Reject
Action Description
An ICMP error packet too big was returned to the sender
Proposed Action
This is a normal part of the path-MTU discovery process. In the unlikely case where the path-MTU discovery process is becoming a performance bottleneck, consider manually modifying the next-hop MTU.

2.28.47. [ID: 1013] Packet too big

Log Categories
IPV6,STATELESS,PMTU
Log Message
Packet too big.
Default Log Severity
Warning
Parameters
mtu, iplen, flow, pkt, user, userid
Explanation
Packet was dropped because it was too large (iplen bytes) to be properly forwarded to the next hop (with an MTU of mtu bytes). No ICMP error (packet too big) was sent to the source to notify about this condition. Most likely the upper limit of ICMP errors per second had been reached, but this can also be a sign of severe resource starvation. This breaks proper path-MTU discovery as described by RFC 1981 and may cause network malfunction.
Gateway Action
Drop
Action Description
Packet was silently lost; the system failed to send an ICMP error.
Proposed Action
Review the upper limit of ICMP errors per second (ICMPSettings:ICMPSendPerSecLimit) to see if there is a bottleneck. While not being the preferred solution, a workaround may be to manually update the next-hop MTU at certain routes.

2.28.48. [ID: 656] Reserved bits in fragment header are non-zero

Log Categories
IPV6,FRAG,STATELESS,VALIDATE
Log Message
Reserved bits in fragment header are non-zero.
Default Log Severity
Warning
Parameters
value, offset, pktlen, pkt
Explanation
The IPv6 fragment header contains two reserved bits (third and second LSB of the fragment offset field). The IPv6 RFC 2460 states that these bits should be initialized to zero and ignored by all parties (including firewalls and routers). In this particular case the bits were non-zero.
Gateway Action
None
Action Description
None
Proposed Action
While not RFC 2460 compliant, we recommend adjusting the setting FragSettings:IP6ResvBitFrags to 'strip' or 'striplog' in order to prevent information leakage.

2.28.49. [ID: 660] Reserved bits in fragment header are non-zero

Log Categories
IPV6,FRAG,STATELESS,VALIDATE
Log Message
Reserved bits in fragment header are non-zero.
Default Log Severity
Warning
Parameters
value, offset, pktlen, pkt
Explanation
The IPv6 fragment header contains two reserved bits (third and second LSB of the fragment offset field). The IPv6 RFC 2460 states that these bits should be initialized to zero and ignored by all parties (including firewalls and routers). In this particular case the bits were non-zero.
Gateway Action
Drop
Action Description
None
Proposed Action
This log message is controlled by the setting FragSettings:IP6ResvBitFrags.

2.28.50. [ID: 650] Reserved bits in fragment header are non-zero

Log Categories
IPV6,FRAG,STATELESS,VALIDATE
Log Message
Reserved bits in fragment header are non-zero.
Default Log Severity
Warning
Parameters
value, offset, pktlen, pkt
Explanation
The IPv6 fragment header contains two reserved bits (third and second LSB of the fragment offset field). The IPv6 RFC 2460 states that these bits should be initialized to zero and ignored by all parties (including firewalls and routers). In this particular case the bits were non-zero.
Gateway Action
Strip
Action Description
None
Proposed Action
This log message is controlled by the setting FragSettings:IP6ResvBitFrags.

2.28.51. [ID: 658] Reserved field in fragment header is non-zero

Log Categories
IPV6,FRAG,STATELESS,VALIDATE
Log Message
Reserved field in fragment header is non-zero.
Default Log Severity
Warning
Parameters
value, offset, pktlen, pkt
Explanation
The IPv6 fragment header contains a reserved field where all other IPv6 extension headers would contain a size field. The IPv6 RFC 2460 states that this field should be initialized to zero (which incidentally is what it would be if it had been a size field), and ignored by all parties (including firewalls and routers). In this particular case this field was non-zero.
Gateway Action
None
Action Description
None
Proposed Action
While not RFC 2460 compliant, we recommend adjusting the setting FragSettings:IP6ResvFldFrags to 'strip' or 'striplog' in order to prevent information leakage and/or software malfunction.

2.28.52. [ID: 648] Reserved field in fragment header is non-zero

Log Categories
IPV6,FRAG,STATELESS,VALIDATE
Log Message
Reserved field in fragment header is non-zero.
Default Log Severity
Warning
Parameters
value, offset, pktlen, pkt
Explanation
The IPv6 fragment header contains a reserved field where all other IPv6 extension headers would contain a size field. The IPv6 RFC 2460 states that this field should be initialized to zero (which incidentally is what it would be if it had been a size field), and ignored by all parties (including firewalls and routers). In this particular case this field was non-zero.
Gateway Action
Drop
Action Description
None
Proposed Action
This log message is controlled by the setting FragSettings:IP6ResvFldFrags.

2.28.53. [ID: 645] Reserved field in fragment header is non-zero

Log Categories
IPV6,FRAG,STATELESS,VALIDATE
Log Message
Reserved field in fragment header is non-zero.
Default Log Severity
Warning
Parameters
value, offset, pktlen, pkt
Explanation
The IPv6 fragment header contains a reserved field where all other IPv6 extension headers would contain a size field. The IPv6 RFC 2460 states that this field should be initialized to zero (which incidentally is what it would be if it had been a size field), and ignored by all parties (including firewalls and routers). In this particular case this field was non-zero.
Gateway Action
Strip
Action Description
None
Proposed Action
This log message is controlled by the setting FragSettings:IP6ResvFldFrags.
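The reserved-field and reserved-bit checks described in the six fragment header entries above can be reproduced offline. The following is an added example, not code from the product: the policy names "ignore", "drop" and "strip" are hypothetical stand-ins for the gateway actions None, Drop and Strip, and the sample header is constructed.

```python
import struct

RES_BITS_MASK = 0x0006  # two reserved bits between Fragment Offset and M flag
POLICIES = ("ignore", "drop", "strip")  # hypothetical names for None/Drop/Strip


def parse_fragment_header(hdr: bytes) -> dict:
    """Decode the fixed 8-byte IPv6 Fragment header."""
    if len(hdr) < 8:
        raise ValueError("fragment header is 8 bytes")
    next_hdr, reserved, off_flags, ident = struct.unpack("!BBHI", hdr[:8])
    return {
        "next_header": next_hdr,
        "reserved_field": reserved,            # sits where other headers keep a size
        "offset_bytes": (off_flags >> 3) * 8,  # offset is carried in 8-octet units
        "reserved_bits": (off_flags & RES_BITS_MASK) >> 1,
        "more_fragments": bool(off_flags & 0x0001),
        "identification": ident,
        "raw_off_flags": off_flags,
    }


def apply_reserved_policy(hdr: bytes, field_policy="strip", bits_policy="strip"):
    """Return (header_or_None, findings).

    header_or_None is None when either policy says drop, otherwise the
    header with reserved values zeroed wherever the policy is "strip".
    findings lists (what, value, policy) for every non-zero reserved value.
    """
    if field_policy not in POLICIES or bits_policy not in POLICIES:
        raise ValueError("unknown policy")
    f = parse_fragment_header(hdr)
    findings = []
    if f["reserved_field"]:
        findings.append(("reserved_field", f["reserved_field"], field_policy))
    if f["reserved_bits"]:
        findings.append(("reserved_bits", f["reserved_bits"], bits_policy))
    if any(policy == "drop" for _, _, policy in findings):
        return None, findings
    reserved = 0 if field_policy == "strip" else f["reserved_field"]
    off_flags = f["raw_off_flags"]
    if bits_policy == "strip":
        off_flags &= ~RES_BITS_MASK & 0xFFFF  # offset and M flag are untouched
    out = struct.pack("!BBHI", f["next_header"], reserved, off_flags,
                      f["identification"])
    return out, findings


# Constructed sample: next header 17 (UDP), reserved field 0xAB,
# offset 1480 bytes, both reserved bits set, M flag set.
SAMPLE_HDR = bytes.fromhex("11ab05cf12345678")

if __name__ == "__main__":
    cleaned, found = apply_reserved_policy(SAMPLE_HDR)
    print(found)
    print(cleaned.hex())
```

Stripping zeroes only the reserved values, so the fragment offset, M flag and identification still reassemble exactly as before.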

2.28.54. [ID: 508] Fragment truncated at L3 header

Log Categories
IPV6,FRAG,STATELESS,VALIDATE
Log Message
Fragment truncated at L3 header.
Default Log Severity
Warning
Parameters
exthdr, offset, pktlen, pkt, rule
Explanation
A first fragment was received, but an L4 header was not included inside. The fragment is truncated in the middle of an IPv6 extension header.
Gateway Action
Drop
Action Description
None
Proposed Action
First fragments that do not include the L4 header are considered a security threat. Examine why this kind of message has been sent. This log message can be disabled by the IPSettings:LogNonIP4 setting.

2.28.55. [ID: 358] Packet truncated at L3 header

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Packet truncated at L3 header.
Default Log Severity
Warning
Parameters
exthdr, offset, pktlen, pkt
Explanation
The received message is either too small to contain the IPv6 header itself, or it is too small to contain an expected extension header.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LogNonIP4 setting.

2.28.56. [ID: 158] Non-zero IP Traffic Class field

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Non-zero IP Traffic Class field.
Default Log Severity
Notice
Parameters
value, flow, pkt, user, userid
Explanation
The IPv6 Traffic Class field in the IPv6 header was non-zero. The Traffic Class field may be used by Differentiated Services to group traffic into different traffic classes.
Gateway Action
Allow
Action Description
None
Proposed Action
The IPSettings:TrafficClass setting can be changed to control the gateway's behavior for packets with non-zero Traffic Class fields.

2.28.57. [ID: 585] Non-zero IP Traffic Class field

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Non-zero IP Traffic Class field.
Default Log Severity
Warning
Parameters
value, flow, pkt, user, userid
Explanation
The IPv6 Traffic Class field in the IPv6 header was non-zero. The Traffic Class field may be used by Differentiated Services to group traffic into different traffic classes.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:TrafficClass setting can be changed to control the gateway's behavior for packets with non-zero Traffic Class fields.

2.28.58. [ID: 284] Non-zero IP Traffic Class field

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Non-zero IP Traffic Class field.
Default Log Severity
Warning
Parameters
value, flow, pkt, user, userid
Explanation
The IPv6 Traffic Class field in the IPv6 header was non-zero. The Traffic Class field may be used by Differentiated Services to group traffic into different traffic classes.
Gateway Action
Strip
Action Description
None
Proposed Action
The IPSettings:TrafficClass setting can be changed to control the gateway's behavior for packets with non-zero Traffic Class fields.

2.28.59. [ID: 489] Hop Limit is zero

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Hop Limit is zero.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
An IPv6 packet with a Hop Limit value of zero was received and dropped. Transmission of IPv6 packets with a Hop Limit value of zero violates the IP specification, and such packets should be dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
This log message can be disabled by the IPSettings:LogReceivedTTL0 setting.

2.28.60. [ID: 408] HopLimit reached

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
HopLimit reached.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
An IPv4 packet with a TTL=1 was received. The packet was to be forwarded, at which point TTL reached zero and the packet had to be dropped.
Gateway Action
Drop
Action Description
The packet has been dropped.
Proposed Action
This log message is only possible when IPSettings:TTLMin is set to 1. Whether to log and/or reject can be controlled by the MiscSettings:TTL0OnFwd setting.

2.28.61. [ID: 295] HopLimit reached

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
HopLimit reached.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
An IPv4 packet with a TTL=1 was received. The packet was to be forwarded, at which point TTL reached zero and the packet had to be dropped.
Gateway Action
Drop
Action Description
The packet has been dropped.
Proposed Action
This log message is only possible when IPSettings:TTLMin is set to 1. Whether to log and/or reject can be controlled by the MiscSettings:TTL0OnFwd setting.

2.28.62. [ID: 148] Hop Limit too low

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Hop Limit too low.
Default Log Severity
Notice
Parameters
value, min, flow, pkt, user, userid
Explanation
An IPv6 packet with a Hop Limit value equal to or less than the configured minimum value was detected.
Gateway Action
Allow
Action Description
None
Proposed Action
The Hop Limit value should be larger than 3 to prevent a user from mapping routers behind the firewall, i.e. firewalking. In order to support trace-route applications, the IPSettings:TTLMin value needs to be set to 1.

2.28.63. [ID: 402] Hop Limit too low

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Hop Limit too low.
Default Log Severity
Warning
Parameters
value, min, flow, pkt, user, userid
Explanation
An IPv6 packet with a Hop Limit value equal to or less than the configured minimum value was detected.
Gateway Action
Drop
Action Description
None
Proposed Action
The Hop Limit value should be larger than 3 to prevent a user from mapping routers behind the firewall, i.e. firewalking. In order to support trace-route applications, the IPSettings:TTLMin value needs to be set to 1.

2.28.64. [ID: 453] Hop Limit too low

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Hop Limit too low.
Default Log Severity
Warning
Parameters
value, min, flow, pkt, user, userid
Explanation
An IPv6 packet with a Hop Limit value equal to or less than the configured minimum value was detected.
Gateway Action
Reject
Action Description
None
Proposed Action
The Hop Limit value should be larger than 3 to prevent a user from mapping routers behind the firewall, i.e. firewalking. In order to support trace-route applications, the IPSettings:TTLMin value needs to be set to 1.

2.28.65. [ID: 118] Fragment truncated at L4 header

Log Categories
IPV6,FRAG,STATELESS,VALIDATE
Log Message
Fragment truncated at L4 header.
Default Log Severity
Warning
Parameters
ipproto, offset, pktlen, pkt, rule
Explanation
A first fragment was received. The fragment claims to contain an L4 header but the fragment is too short to contain a header of the specific protocol.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LogNonIP4 setting.

2.28.66. [ID: 125] Header payload in fragment is truncated

Log Categories
IPV6,FRAG,STATELESS,VALIDATE
Log Message
Header payload in fragment is truncated.
Default Log Severity
Warning
Parameters
exthdr, offset, hdrlen, pktlen, pkt, rule
Explanation
A first fragment was received, but an L4 header was not included inside. The fragment is truncated in the middle of an IPv6 extension header's payload.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LogNonIP4 setting.

2.28.67. [ID: 294] Header payload is truncated

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Header payload is truncated.
Default Log Severity
Warning
Parameters
exthdr, offset, hdrlen, pktlen, pkt
Explanation
The received message is too small to contain the full payload of an IPv6 extension header.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LogNonIP4 setting.

2.28.68. [ID: 415] Packet truncated at L4 header

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Packet truncated at L4 header.
Default Log Severity
Warning
Parameters
ipproto, offset, pktlen, pkt
Explanation
The received packet is too short to contain an L4 header of the protocol in question.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LogNonIP4 setting.

2.28.69. [ID: 523] IPv6 payload is truncated

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
IPv6 payload is truncated.
Default Log Severity
Warning
Parameters
paylen, size, pkt
Explanation
The IPv6 header claims that the packet is paylen bytes large (the value logged includes the size of the IPv6 header), but only size bytes of data have been received.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is severely broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets. This log message can be disabled by the IPSettings:LogNonIP4 setting.

2.28.70. [ID: 1025] Unrecognized IPv6 next header

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Unrecognized IPv6 next header. Dropping.
Default Log Severity
Warning
Parameters
exthdr, offset, flow, pkt, user, userid
Explanation
A packet with unrecognized IPv6 Next Header was received and dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.28.71. [ID: 1024] Unrecognized IPv6 next header

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Unrecognized IPv6 next header. Rejecting.
Default Log Severity
Warning
Parameters
exthdr, offset, flow, pkt, user, userid
Explanation
A packet with unrecognized IPv6 Next Header was received and rejected.
Gateway Action
Reject
Action Description
None
Proposed Action
None

2.28.72. [ID: 511] Adjacent PAD option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Adjacent PAD option.
Default Log Severity
Warning
Parameters
exthdr, option, prevoption, flow, pkt, user, userid
Explanation
IPv6 extension headers and options are aligned by PAD fields to minimize the amount of CPU resources needed by network elements to process IPv6 packets. Multiple adjacent PAD1 or PADN options can be used for denial-of-service attacks by forcing network elements to process an unnecessary amount of PAD options.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IP6ValidateSyntax setting can be changed to control the gateway's validation of IPv6 headers.

2.28.73. [ID: 598] Unaligned IPv6 option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Unaligned IPv6 option.
Default Log Severity
Warning
Parameters
option, offset, flow, pkt, user, userid
Explanation
According to the IPv6 specifications, extension headers and options should be aligned at certain offsets within a packet to minimize the amount of CPU resources needed by network elements to process IPv6 packets. The option option was found not to be properly aligned.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IP6ValidateSyntax setting can be changed to control the gateway's validation of IPv6 headers.

2.28.74. [ID: 277] Fragment with invalid extension header

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Fragment with invalid extension header.
Default Log Severity
Warning
Parameters
exthdr, flow, pkt, user, userid
Explanation
According to the IPv6 specification, some extension headers are not allowed to be present in fragmented IPv6 packets.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IP6ValidateSyntax setting can be changed to control the gateway's validation of IPv6 headers.

2.28.75. [ID: 610] Out of scope option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Out of scope option.
Default Log Severity
Warning
Parameters
exthdr, option, flow, pkt, user, userid
Explanation
According to the IPv6 specification, the IPv6 option found in the extension header is not allowed to be used within the processed header.
Gateway Action
Drop
Action Description
None
Proposed Action
If the packet sender is one of your network devices, investigate why the unit is sending malformed IP options.

2.28.76. [ID: 110] Repeated extension header

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Repeated extension header.
Default Log Severity
Warning
Parameters
exthdr, flow, pkt, user, userid
Explanation
According to the IPv6 specifications, some extension headers are only allowed to occur once within each IPv6 packet. The extension header exthdr occurred more than once within this packet.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IP6ValidateSyntax setting can be changed to control the gateway's validation of IPv6 headers.

2.28.77. [ID: 311] Repeated option

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
Repeated option.
Default Log Severity
Warning
Parameters
option, flow, pkt, user, userid
Explanation
According to the IPv6 specifications, some options are only allowed to occur once within each IPv6 packet. The option option occurred more than once within this packet.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IP6ValidateSyntax setting can be changed to control the gateway's validation of IPv6 headers.

2.28.78. [ID: 567] IPv6 Too large PADN

Log Categories
IPV6,STATELESS,VALIDATE
Log Message
IPv6 Too large PADN.
Default Log Severity
Warning
Parameters
len, maxlen, flow, pkt, user, userid
Explanation
IPv6 extension headers and options are aligned by PAD fields to minimize the amount of CPU resources needed by network elements to process IPv6 packets. It is however possible to overuse the PADN options with the purpose of consuming CPU resources.
Gateway Action
Drop
Action Description
None
Proposed Action
The IPSettings:IP6ValidateSyntax setting can be changed to control the gateway's validation of IPv6 headers.
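The option-area conditions behind log IDs 578, 562, 511 and 567 above can be checked with a short walk over the option TLVs of a Hop-by-Hop or Destination Options header. This is an added example, not the gateway's implementation: the default PadN limit of 5 and the way avail is counted (bytes from the option's type byte to the end of the header) are assumptions, and all sample headers are constructed.

```python
PAD1, PADN = 0, 1

# Assumption: padding to an 8-octet boundary never needs more than 7 bytes
# in total, so a PadN data length above 5 is treated as excessive. The guide
# does not state the gateway's actual maxlen.
MAX_PADN_LEN = 5


def check_options(ext_hdr: bytes, max_padn_len: int = MAX_PADN_LEN):
    """Validate the options of one Hop-by-Hop or Destination Options header.

    ext_hdr starts at the header's Next Header byte. Returns None when the
    options are well formed, otherwise (log_id, params) for the first
    problem found, since every one of these conditions leads to a drop.
    """
    if len(ext_hdr) < 2:
        raise ValueError("need at least Next Header and Hdr Ext Len")
    hdr_len = (ext_hdr[1] + 1) * 8  # Hdr Ext Len excludes the first 8 octets
    if len(ext_hdr) < hdr_len:
        raise ValueError("buffer shorter than Hdr Ext Len claims")

    pos, prev = 2, None
    while pos < hdr_len:
        opt = ext_hdr[pos]
        avail = hdr_len - pos  # assumed meaning of the logged avail value

        # ID 511: a PAD option directly following another PAD option.
        if opt in (PAD1, PADN) and prev in (PAD1, PADN):
            return 511, {"option": opt, "prevoption": prev}

        if opt == PAD1:  # Pad1 is a single byte with no length field
            pos, prev = pos + 1, opt
            continue

        # ID 562: no room left for the 2-byte type/length pair.
        if avail < 2:
            return 562, {"option": opt, "avail": avail}

        optlen = ext_hdr[pos + 1]
        # ID 578: option data would run past the end of the header.
        if optlen > avail - 2:
            return 578, {"option": opt, "optlen": optlen, "avail": avail}

        # ID 567: PadN carries more padding than alignment can require.
        if opt == PADN and optlen > max_padn_len:
            return 567, {"len": optlen, "maxlen": max_padn_len}

        pos, prev = pos + 2 + optlen, opt
    return None


# Constructed sample headers (Next Header 6, then Hdr Ext Len, then options).
SAMPLES = {
    "well_formed": bytes([6, 0, 5, 2, 0, 0, 1, 0]),   # Router Alert + PadN(0)
    "overflow": bytes([6, 0, 5, 9, 0, 0, 0, 0]),      # optlen 9, only 4 left
    "too_short": bytes([6, 0, 1, 3, 0, 0, 0, 5]),     # option starts at last byte
    "adjacent_pad": bytes([6, 0, 0, 0, 1, 2, 0, 0]),  # Pad1 followed by Pad1
    "large_padn": bytes([6, 1, 1, 12] + [0] * 12),    # 12 bytes of PadN data
}


def run_samples() -> dict:
    """Map each constructed sample to the result of check_options."""
    return {name: check_options(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:13} -> {result}")
```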

2.29. LICENSE

These log messages refer to the LICENSE category.

2.29.1. [ID: 1083] Remaining demo period

Log Categories
LICENSE,SYSTEM
Log Message
Remaining demo period.
Default Log Severity
Notice
Parameters
time
Explanation
Time left of demo period.
Gateway Action
None
Action Description
None
Proposed Action
None

2.29.2. [ID: 1084] Demo license expired

Log Categories
LICENSE,SYSTEM,CONFIG
Log Message
Demo license expired. System entering lockdown.
Default Log Severity
Notice
Parameters
 
Explanation
Demo license expired.
Gateway Action
None
Action Description
None
Proposed Action
Acquire a valid license.

2.29.3. [ID: 623] Failed to activate license

Log Categories
LICENSE,SYSTEM,CONFIG
Log Message
Failed to activate license.
Default Log Severity
Warning
Parameters
reason, user, userid
Explanation
The system failed to activate the license, and will continue to use the previous license.
Gateway Action
None
Action Description
None
Proposed Action
Check the configuration log.

2.29.4. [ID: 506] A new license has been activated

Log Categories
LICENSE,SYSTEM,CONFIG
Log Message
A new license has been activated.
Default Log Severity
Notice
Parameters
user, userid
Explanation
A new license has been successfully activated.
Gateway Action
None
Action Description
None
Proposed Action
None

2.29.5. [ID: 564] Lockdown is in effect due to invalid license

Log Categories
LICENSE,SYSTEM
Log Message
Lockdown is in effect due to invalid license.
Default Log Severity
Critical
Parameters
reason
Explanation
Lockdown is in effect because the license is invalid. Only access from admin nets to the firewall itself is allowed, everything else is dropped.
Gateway Action
None
Action Description
None
Proposed Action
Upload a valid license.

2.29.6. [ID: 310] Failed to remove license

Log Categories
LICENSE,SYSTEM,CONFIG
Log Message
Failed to remove license.
Default Log Severity
Warning
Parameters
user, userid
Explanation
The system failed to remove the existing license file, and will continue to run using the existing license.
Gateway Action
None
Action Description
None
Proposed Action
Check the configuration log.

2.29.7. [ID: 151] The license has been removed

Log Categories
LICENSE,SYSTEM,CONFIG
Log Message
The license has been removed.
Default Log Severity
Notice
Parameters
user, userid
Explanation
The license has been removed.
Gateway Action
None
Action Description
None
Proposed Action
None

2.30. MANAGEMENT

These log messages refer to the MANAGEMENT category.

2.30.1. [ID: 1676] Centralized management control re-enabled

Log Categories
MANAGEMENT
Log Message
Centralized management control re-enabled.
Default Log Severity
Warning
Parameters
 
Explanation
A logged-in user rejected local configuration changes that were disabling centralized management control. The system is now again under centralized management control.
Gateway Action
None
Action Description
None
Proposed Action
Audit the system for changes and if needed re-export configuration from the centralized management system.

2.30.2. [ID: 1672] Centralized management control being disabled[...]

Log Categories
MANAGEMENT
Log Message
Centralized management control being disabled by user request.
Default Log Severity
Warning
Parameters
 
Explanation
A user logged in via console issued the "localconfiguration -enable" command. Issuing this command will remove the node from the centralized management system, allowing for local configuration changes to be performed and not tracked by centralized management. This may be a security breach.
Gateway Action
None
Action Description
None
Proposed Action
Verify any configuration changes and determine if they are correct. The original state and configuration can be reset by exporting the configuration from the centralized management system.

2.30.3. [ID: 1001] Centralized management control has been[...]

Log Categories
MANAGEMENT
Log Message
Centralized management control has been disabled.
Default Log Severity
Information
Parameters
 
Explanation
Centralized management control has been disabled and user management has been enabled.
Gateway Action
None
Action Description
None
Proposed Action
None

2.30.4. [ID: 1000] Centralized management control has been[...]

Log Categories
MANAGEMENT
Log Message
Centralized management control has been enabled.
Default Log Severity
Information
Parameters
 
Explanation
Centralized management control has been enabled and user management has been disabled.
Gateway Action
None
Action Description
None
Proposed Action
In order to enable user management, use the CLI command usermanagement.

2.31. NATPOOL

These log messages refer to the NATPOOL category.

2.31.1. [ID: 1091] Deterministic NATPool found no free ports for[...]

Log Categories
NATPOOL
Log Message
Deterministic NATPool found no free ports for IP.
Default Log Severity
Warning
Parameters
name, internalip, blocksizedet, blocksizedyn, reason
Explanation
Deterministic NATPool has no more free ports (deterministic or dynamic) to assign for the internal IP internalip.
Gateway Action
Drop
Action Description
None
Proposed Action
Consider reviewing the configuration properties of the Deterministic NATPool.

2.31.2. [ID: 1120] Deterministic NATPool current configuration

Log Categories
NATPOOL
Log Message
Deterministic NATPool current configuration.
Default Log Severity
Information
Parameters
reason, name, compressionratio, internalnetwork, externalippool, dynamicpoolratio, maxdynamicblocks, blocksizedet, blocksizedyn, reservedports
Explanation
The configuration of Deterministic NATPool can be used for calculating deterministic mapping.
Gateway Action
None
Action Description
None
Proposed Action
None

2.31.3. [ID: 1109] Deterministic NATPool deleted

Log Categories
NATPOOL
Log Message
Deterministic NATPool deleted.
Default Log Severity
Notice
Parameters
name
Explanation
A deterministic NATPool was deleted.
Gateway Action
None
Action Description
None
Proposed Action
None

2.31.4. [ID: 1087] Deterministic NATPool denied translation

Log Categories
NATPOOL
Log Message
Deterministic NATPool denied translation.
Default Log Severity
Warning
Parameters
name, internalip
Explanation
Deterministic NATPool denied a translation request for internal IP internalip outside the configured internal network.
Gateway Action
Drop
Action Description
None
Proposed Action
Verify if the NATPool is configured to allow translating any IP.

2.31.5. [ID: 1098] Deterministic NATPool dynamic release

Log Categories
NATPOOL
Log Message
Deterministic NATPool dynamic release.
Default Log Severity
Notice
Parameters
name, internalip, externalip, port
Explanation
Deterministic NATPool has released a dynamic port block.
Gateway Action
None
Action Description
None
Proposed Action
None

2.31.6. [ID: 1121] Deterministic NATPool dynamic assignment

Log Categories
NATPOOL
Log Message
Deterministic NATPool dynamic assignment.
Default Log Severity
Notice
Parameters
name, internalip, externalip, port
Explanation
Deterministic NATPool has assigned a new dynamic port block.
Gateway Action
None
Action Description
None
Proposed Action
None

2.31.7. [ID: 984] Failed to map peer NAT flow translation on[...]

Log Categories
NATPOOL,FLOW
Log Message
Failed to map peer NAT flow translation on local NAT Pool.
Default Log Severity
Warning
Parameters
pool, srcip, newip
Explanation
A flow could not be synchronized to the inactive HA node since the configuration of the NAT Pool or the rules are not identical on the two HA nodes.
Gateway Action
Abort
Action Description
None
Proposed Action
Change the configuration so that NAT Pools and rules are configured in the same way.

2.31.8. [ID: 985] Out of memory loading NAT Pool

Log Categories
NATPOOL
Log Message
Out of memory loading NAT Pool .
Default Log Severity
Critical
Parameters
 
Explanation
The system could not allocate enough memory when installing a NAT Pool in dataplane.
Gateway Action
Abort
Action Description
None
Proposed Action
Modify the configuration to use less memory.

2.31.9. [ID: 1152] Unable to re-map flow translation in the new[...]

Log Categories
NATPOOL,FLOW
Log Message
Unable to re-map flow translation in the new NATPool.
Default Log Severity
Notice
Parameters
name, srcip, newip
Explanation
After the new configuration is activated, the system tries to re-map the old flow translation in the new NATPool, but is unable to do so. The flow will be closed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.31.10. [ID: 989] Max NATPool states reached replacing active

Log Categories
NATPOOL
Log Message
Max NATPool states reached replacing active.
Default Log Severity
Error
Parameters
pool, max, replaced
Explanation
The maximum number of source-IP-to-NAT-IP states of a stateful NAT Pool has been reached. No lingering state was found so an active state was chosen to be replaced. Since the system does not have enough configured states to track all source-IP-to-NAT-IP mappings, it is no longer guaranteed that flows from the same source IP are always mapped to the same NAT IP.
Gateway Action
Replace
Action Description
None
Proposed Action
Increase the pool's MaxStates setting to track more sources.

2.31.11. [ID: 988] Max NATPool states reached replacing lingering

Log Categories
NATPOOL
Log Message
Max NATPool states reached replacing lingering.
Default Log Severity
Warning
Parameters
pool, max, replaced
Explanation
The maximum number of source-IP-to-NAT-IP states of a stateful NAT Pool has been reached. A lingering state was found and replaced. Since the system does not have enough configured states to track all source-IP-to-NAT-IP mappings, it is no longer guaranteed that flows from the same source IP are always mapped to the same NAT IP.
Gateway Action
Replace
Action Description
None
Proposed Action
Increase the pool's MaxStates setting to track more sources.

2.31.12. [ID: 986] Out of memory while allocating state in pool

Log Categories
NATPOOL
Log Message
Out of memory while allocating state in pool.
Default Log Severity
Critical
Parameters
pool
Explanation
The system failed to allocate memory when creating a new source-IP-to-NAT-IP state in a stateful NAT Pool.
Gateway Action
Drop
Action Description
None
Proposed Action
Modify the configuration to use less memory.

2.32. NDP

These log messages refer to the NDP category.

2.32.1. [ID: 165] Advertisement delayed

Log Categories
NDP,SYSTEM
Log Message
Advertisement delayed.
Default Log Severity
Warning
Parameters
ip, destip, desthw, iface
Explanation
Replies to address resolution requests have been put under rate limit and an advertisement to destip has been put on hold. This may in the pathological case prevent new hosts from establishing communication with the firewall.
Gateway Action
None
Action Description
None
Proposed Action
Review the NDSettings:NDMaxResolvReply setting and consider increasing it. Whether to log this event is controlled by the NDSettings:NDLogRatelimitDelay setting.

2.32.2. [ID: 184] Advertisement for static entry

Log Categories
NDP,STATEFUL,VALIDATE
Log Message
Advertisement for static entry.
Default Log Severity
Warning
Parameters
knownhw, srchw, srcip, destip, targetip, iface, pkt
Explanation
A Neighbor Advertisement message for a statically configured IP has been received, but the message advertised a different L2 address than what has been configured. Note that messages with the "override" flag cleared are not logged.
Gateway Action
Drop
Action Description
None
Proposed Action
First make sure that the statically configured L2 address is correct. If it is, then this is very likely an attack trying to re-route network traffic. The attacker must have access to a machine attached to the network in question, so take note of the srchw parameter. In order for traffic hijacking to work using this attack, this parameter must point at a compromised machine. Denial of service can be achieved by using a non-existing address. Whether to log this event is controlled by the NDSettings:StaticNDChanges setting.

2.32.3. [ID: 1719] Anycast address ignored

Log Categories
NDP,STATEFUL,VALIDATE
Log Message
Anycast address ignored.
Default Log Severity
Information
Parameters
knownhw, srchw, srcip, destip, targetip, iface, pkt
Explanation
While trying to resolve targetip, at least one anycast reply has been ignored.
Gateway Action
Ignore
Action Description
None
Proposed Action
None

2.32.4. [ID: 179] Unknown ICMP code

Log Categories
NDP,STATELESS,VALIDATE
Log Message
Unknown ICMP code.
Default Log Severity
Warning
Parameters
srchw, srcip, code, iface, pkt
Explanation
An ND message with an unknown ICMP code was received. The gateway is currently implementing ND according to RFC4861, and does not know how to handle this type of message.
Gateway Action
Drop
Action Description
None
Proposed Action
This log message can be turned off with the NDSettings:NDValidation setting.

2.32.5. [ID: 569] Illegal option size

Log Categories
NDP,STATELESS,VALIDATE
Log Message
Illegal option size.
Default Log Severity
Warning
Parameters
srchw, srcip, destip, targetip, type, expectlen, len, iface, pkt
Explanation
An ND message with a broken option has been received. The option's size is incorrect for the given option type.
Gateway Action
Drop
Action Description
None
Proposed Action
This log message can be turned off with the NDSettings:NDValidation setting.

2.32.6. [ID: 276] Forged reply

Log Categories
NDP,STATEFUL,VALIDATE
Log Message
Forged reply.
Default Log Severity
Warning
Parameters
knownhw, srchw, srcip, destip, targetip, iface, pkt
Explanation
An ND message has been received with the "solicitation" and "override" flags set, but the gateway never asked for it (so it is not solicited). Additionally, it carries a new target HW address. This can be a lingering reply for something that we already have resolved, but it is more likely a direct attempt to modify the neighbor cache.
Gateway Action
Drop
Action Description
The ND message has been dropped
Proposed Action
Take note of the srchw parameter. Identify that machine/user at the network and make sure that it is not compromised. Note that a seasoned attacker would spoof the HW sender. The machine or user pointed out by the sender address may be "innocent" in the case of an attack. Make sure that an appropriate value is used for the NDSettings:NDChanges setting.

2.32.7. [ID: 1714] Confusing reply

Log Categories
NDP,STATEFUL,VALIDATE
Log Message
Confusing reply.
Default Log Severity
Warning
Parameters
knownhw, srchw, srcip, destip, targetip, iface, pkt
Explanation
The system has, during IP targetip address resolution, received multiple different replies with conflicting link-layer options within the span of NDSettings:NDVerifyTimer seconds. In other words, there is an address conflict in the local network. The link-layer information has been updated to that of the second reply.
Gateway Action
Replace
Action Description
None
Proposed Action
Review the network. IPv6 allows multiple devices to share the same IP, but only when specifically configured for this purpose. In this case not all devices appear to have been configured as such, though a possibility is also that a device has been replaced or modified. Whether to log this event or not is controlled by NDSettings:NDValidation, but the actual decision to select either the first or the second conflicting reply is taken at random. This behavior can be disabled by setting NDSettings:NDVerifyTimer to zero, in which case conflicting replies will be handled in accordance with the NDSettings:NDChanges setting.

2.32.8. [ID: 1720] Confusing reply

Log Categories
NDP,STATEFUL,VALIDATE
Log Message
Confusing reply.
Default Log Severity
Warning
Parameters
knownhw, srchw, srcip, destip, targetip, iface, pkt
Explanation
The system has, during IP targetip address resolution, received multiple different replies with conflicting link-layer options within the span of NDSettings:NDVerifyTimer seconds. In other words, there is an address conflict in the local network. The link-layer information used is that of the first reply.
Gateway Action
Drop
Action Description
None
Proposed Action
Review the network. IPv6 allows multiple devices to share the same IP, but only when specifically configured for this purpose. In this case not all devices appear to have been configured as such, though a possibility is also that a device has been replaced or modified. Whether to log this event or not is controlled by NDSettings:NDValidation, but the actual decision to select either the first or the second conflicting reply is taken at random. This behavior can be disabled by setting NDSettings:NDVerifyTimer to zero, in which case conflicting replies will be handled in accordance with the NDSettings:NDChanges setting.

2.32.9. [ID: 1718] Confusing solicitation HW address

Log Categories
NDP,STATEFUL,VALIDATE
Log Message
Confusing solicitation HW address.
Default Log Severity
Warning
Parameters
knownhw, srchw, srcip, destip, targetip, iface, pkt
Explanation
The system has received a solicitation request with a conflicting link-layer option, for the address targetip. The conflict was seen either while performing address resolution (in which case we already have received advertisements for the destination with a different link-layer address), while probing the address (in which case we have an old link-layer destination known from the past), or while actively replying to dead-peer probes from another link-layer address (on behalf of the same IP). The system deemed the old information to be more trustworthy than the one found in the solicitation, and while a reply has been sent to the supplied link-layer addresses, no local information has been updated.
Gateway Action
Ignore
Action Description
None
Proposed Action
Apart from the fact that the conflict has been seen in a very specific time interval (which may happen by coincidence), the event in itself has very limited relevance. Review the network if this is a recurring phenomenon, or if it happens in conjunction with other suspicious activity. The behavior of the system is controlled by a combination of NDSettings:NDVerifyTimer and NDSettings:NDChanges. IPv6 allows multiple devices to share the same IP, but only when specifically configured for this purpose. In this case not all devices appear to have been configured as such, though a possibility is also that a device has been replaced or modified.

2.32.10. [ID: 1717] Confusing solicitation HW address

Log Categories
NDP,STATEFUL,VALIDATE
Log Message
Confusing solicitation HW address.
Default Log Severity
Warning
Parameters
knownhw, srchw, srcip, destip, targetip, iface, pkt
Explanation
The system has received a solicitation request with a conflicting link-layer option, for the address targetip. The system has been updated to use the supplied link-layer information. This only happens when NDSettings:NDChanges is set to accept all link-layer updates.
Gateway Action
Replace
Action Description
None
Proposed Action
Apart from the fact that the conflict has been seen in a very specific time interval (which may happen by coincidence), the event in itself has very limited relevance. Review the network if this is a recurring phenomenon, or if it happens in conjunction with other suspicious activity. The behavior of the system is controlled by a combination of NDSettings:NDVerifyTimer and NDSettings:NDChanges. IPv6 allows multiple devices to share the same IP, but only when specifically configured for this purpose. In this case not all devices appear to have been configured as such, though a possibility is also that a device has been replaced or modified.

2.32.11. [ID: 226] DAD reply delayed

Log Categories
NDP,SYSTEM
Log Message
DAD reply delayed.
Default Log Severity
Warning
Parameters
ip, desthw, iface
Explanation
Replies to Duplicate Address probes have been put under rate limit. The firewall might not be able to prevent the IP ip from being used by desthw.
Gateway Action
None
Action Description
None
Proposed Action
Review the NDSettings:NDMaxDupReply setting and consider increasing it. Whether to log this event is controlled by the NDSettings:NDLogRatelimitDelay setting.

2.32.12. [ID: 153] Received DAD probe

Log Categories
NDP
Log Message
Received DAD probe.
Default Log Severity
Information
Parameters
srchw, srcip, destip, targetip, iface, pkt
Explanation
Another host or server on the network is sending a Duplicate Address Probe to detect if the IP address targetip is not used by another device. The IP is used by the gateway and the probing host will be notified.
Gateway Action
None
Action Description
This message will not be used by the firewall, though an answer will be sent to the srchw address
Proposed Action
This log message can be turned off with the NDSettings:StaticNDChanges setting.

2.32.13. [ID: 462] Duplicated option

Log Categories
NDP,STATELESS,VALIDATE
Log Message
Duplicated option.
Default Log Severity
Warning
Parameters
srchw, srcip, destip, targetip, iface, pkt
Explanation
Two (or more) source link-layer options containing different data were found.
Gateway Action
Drop
Action Description
None
Proposed Action
This log message can be turned off with the NDSettings:NDValidation setting.

2.32.14. [ID: 430] Duplicated option

Log Categories
NDP,STATELESS,VALIDATE
Log Message
Duplicated option.
Default Log Severity
Warning
Parameters
srchw, srcip, destip, targetip, iface, pkt
Explanation
Two (or more) target link-layer options containing different data were found.
Gateway Action
Drop
Action Description
None
Proposed Action
This log message can be turned off with the NDSettings:NDValidation setting.

2.32.15. [ID: 552] ND hop limit reached

Log Categories
NDP,STATELESS,VALIDATE
Log Message
ND hop limit reached.
Default Log Severity
Warning
Parameters
srchw, srcip, destip, targetip, count, iface, pkt
Explanation
The hop-limit of an ND message is hardcoded to 255. The idea is to prevent these messages from being routed.
Gateway Action
Drop
Action Description
None
Proposed Action
Make sure that no router in the network is accidentally forwarding ND messages.

2.32.16. [ID: 1715] HW source inconsistent with static IP

Log Categories
NDP,STATEFUL,VALIDATE
Log Message
HW source inconsistent with static IP.
Default Log Severity
Information
Parameters
knownhw, newhw, srcip, destip, targetip, iface, pkt
Explanation
The system has received solicitation requests from a static IP, but with conflicting source link-layer information.
Gateway Action
Ignore
Action Description
None
Proposed Action
Review the network, the configuration may have to be updated.

2.32.17. [ID: 434] Linklayer option contains multicast address

Log Categories
NDP,STATELESS,VALIDATE
Log Message
Linklayer option contains multicast address.
Default Log Severity
Warning
Parameters
srchw, srcip, destip, targetip, type, hwaddr, iface, pkt
Explanation
At least one link-layer address option was found to contain a multicast address. This is illegal, and a known denial-of-service attack.
Gateway Action
Drop
Action Description
None
Proposed Action
Take note of the HW sender (the srchw parameter). Identify the machine/user at the network and make sure that it is not compromised. Note that a seasoned attacker would spoof the HW sender (the machine or user pointed out by the sender address may be "innocent" in the case of an attack). This log message can be turned off with the NDSettings:NDValidation setting.

2.32.18. [ID: 454] Dead peer probe answered with multicast[...]

Log Categories
NDP,STATEFUL,VALIDATE
Log Message
Dead peer probe answered with multicast message.
Default Log Severity
Warning
Parameters
knownhw, srchw, srcip, destip, targetip, iface, pkt
Explanation
The firewall has sent a dead peer probe to a previously resolved IP, and received a multicast answer. This is an illegal response.
Gateway Action
Drop
Action Description
The packet has been dropped and will not be considered an answer for the dead peer probe
Proposed Action
Whether to log this event or not is controlled by the NDSettings:NDValidation setting. The packet is considered invalid, so it will be dropped regardless of the setting. Examine the network to see why such a response was sent.

2.32.19. [ID: 619] Multicast target

Log Categories
NDP,STATELESS,VALIDATE
Log Message
Multicast target.
Default Log Severity
Warning
Parameters
srchw, srcip, destip, targetip, iface, pkt
Explanation
An ND message with a multicast target IP. This is illegal.
Gateway Action
Drop
Action Description
None
Proposed Action
This log message can be turned off with the NDSettings:NDValidation setting.

2.32.20. [ID: 574] Neighbor cache updated with new HW address

Log Categories
NDP,STATEFUL,VALIDATE
Log Message
Neighbor cache updated with new HW address.
Default Log Severity
Warning
Parameters
knownhw, newhw, srcip, destip, targetip, iface, pkt
Explanation
The L2 (hardware) address of the given target IP has been updated by an ND message. The setting NDSettings:NDChanges is currently in a mode to accept any advertised changes to L2 data, allowing data traffic to adjust very quickly to topological changes of the network (at the expense of certain vulnerabilities).
Gateway Action
Allow
Action Description
None
Proposed Action
Accepting any advertised changes to L2 data opens the system up to a number of exploits (including crude denial-of-service, eavesdropping and more sophisticated router hijacking attacks). Consider changing the NDSettings:NDChanges setting to FavourOld or FavourOldLog, to allow for a more moderate acceptance of new L2 information.

2.32.21. [ID: 330] New HW address advertised for resolved IP

Log Categories
NDP,STATEFUL,VALIDATE
Log Message
New HW address advertised for resolved IP.
Default Log Severity
Warning
Parameters
knownhw, newhw, srcip, destip, targetip, iface, pkt
Explanation
An ND message tried to update the L2 (hardware) address of the given target IP. The packet has been dropped because the setting NDSettings:NDChanges is currently in a mode to drop any such packet.
Gateway Action
Drop
Action Description
None
Proposed Action
The current setting does not allow updates to known L2 information at all. This gives little extra security (and can in fact be exploited for subtle denial-of-service attacks). Consider adding known L2 addresses as 'static' ND entries instead.

2.32.22. [ID: 418] New HW address advertised for resolved IP

Log Categories
NDP,STATEFUL,VALIDATE
Log Message
New HW address advertised for resolved IP.
Default Log Severity
Notice
Parameters
knownhw, newhw, srcip, destip, targetip, iface, pkt
Explanation
An ND message tried to update the L2 (hardware) address of the given target IP. The old L2 address will be probed to see if it is still alive, in which case the new L2 address will be discarded. If no answer is received, the new address will be accepted.
Gateway Action
Ignore
Action Description
The ND message has been acknowledged, but was not allowed to update the current L2 information
Proposed Action
If the current behavior is not desired, modify the NDSettings:NDChanges setting accordingly.

2.32.23. [ID: 211] Advertisement from the Unknown Address

Log Categories
NDP,STATELESS,VALIDATE
Log Message
Advertisement from the Unknown Address.
Default Log Severity
Warning
Parameters
srchw, srcip, destip, targetip, iface, pkt
Explanation
A neighbor advertisement message has been received from the "unknown address" (the all zeroes address). This is illegal.
Gateway Action
Drop
Action Description
None
Proposed Action
Examine why this kind of advertisement has been sent. Whether to log this event or not is controlled by the NDSettings:NDValidation setting.

2.32.24. [ID: 195] No target route for packet

Log Categories
NDP,RULE
Log Message
No target route for packet.
Default Log Severity
Warning
Parameters
srchw, srcip, destip, targetip, iface, pkt
Explanation
An ND message targeted to the IP targetip was received via interface iface, but there is no route from this interface to this address.
Gateway Action
Drop
Action Description
None
Proposed Action
Make sure that the route is not disabled, or that it is not "shadowed" by a default route. Examine all dynamic values (in all routes), including OSPF-managed routes, network prefixes from ND Router Advertisements and gateways from DHCP-leases. This log message can be turned off with the NDSettings:NDValidation setting.

2.32.25. [ID: 599] No source route for packet

Log Categories
NDP,RULE
Log Message
No source route for packet.
Default Log Severity
Warning
Parameters
srchw, srcip, destip, targetip, iface, pkt
Explanation
An ND message was received from the source IP srcip via interface iface, but there is no route to this address via that interface.
Gateway Action
Drop
Action Description
None
Proposed Action
Make sure that the route is not disabled, or that it is not "shadowed" by a default route. Examine all dynamic values (in all routes), including OSPF-managed routes, network prefixes from ND Router Advertisements and gateways from DHCP-leases. This log message can be turned off with the NDSettings:NDValidation setting.

2.32.26. [ID: 107] Reply without target link-layer option

Log Categories
NDP,STATEFUL,VALIDATE
Log Message
Reply without target link-layer option.
Default Log Severity
Warning
Parameters
knownhw, srchw, srcip, destip, targetip, iface, pkt
Explanation
The firewall is trying to resolve targetip. An answer has been received, but the answer did not include an L2 address and was thus useless.
Gateway Action
Drop
Action Description
None
Proposed Action
Examine why this kind of advertisement has been sent. Whether to log this event or not is controlled by the NDSettings:NDValidation setting.

2.32.27. [ID: 1716] Noisy reply

Log Categories
NDP,STATEFUL,VALIDATE
Log Message
Noisy reply.
Default Log Severity
Warning
Parameters
knownhw, srchw, srcip, destip, targetip, iface, pkt
Explanation
While trying to resolve targetip, multiple non-anycast replies were received for the same L2 address knownhw within a short timespan. While not a problem in itself, it is considered suspicious behavior.
Gateway Action
Adjust
Action Description
None
Proposed Action
Examine where the duplicate advertisements are coming from. Ideally an ND solicitation should never result in duplicate advertisements since the messages are link-local. A device could deliberately be sending multiple replies in order to try and direct address resolution away from the ordinary source, either for malicious or valid purposes. An example of a valid use would be HA failover. The NDSettings:NDNoiseThreshold defines how many replies (not counting anycast replies) that are required in order to be considered noisy, during the timespan defined by NDSettings:NDVerifyTimer. Whether to log this event or not is controlled by the NDSettings:NDValidation setting.

2.32.28. [ID: 309] Linklayer option does not match HW sender

Log Categories
NDP,STATELESS,VALIDATE
Log Message
Linklayer option does not match HW sender.
Default Log Severity
Warning
Parameters
srchw, srcip, destip, targetip, option, iface, pkt
Explanation
An ND message was received with a link-layer address option that did not match the HW sender address found in the L2 header.
Gateway Action
Drop
Action Description
The packet has been dropped and will not be further processed
Proposed Action
The advanced setting NDSettings:NDMatchL2Sender can be adjusted in order to control how the gateway will respond to mismatched link-layer options and the address found in the L2 header.

2.32.29. [ID: 120] Linklayer option does not match HW sender

Log Categories
NDP,STATELESS,VALIDATE
Log Message
Linklayer option does not match HW sender.
Default Log Severity
Notice
Parameters
srchw, srcip, destip, targetip, option, iface, pkt
Explanation
An ND message was received with a link-layer address option that did not match the HW sender address found in the L2 header.
Gateway Action
Allow
Action Description
The packet will be processed as if the link-layer address option would match that of the HW sender address found in the L2 header. The address found in the link-layer option will be used
Proposed Action
The advanced setting NDSettings:NDMatchL2Sender can be adjusted in order to control how the gateway will respond to mismatched link-layer options and the address found in the L2 header.

2.32.30. [ID: 180] Neighbor entry lost

Log Categories
NDP,SYSTEM
Log Message
Neighbor entry lost.
Default Log Severity
Warning
Parameters
ip, knownhw, iface
Explanation
The firewall needs to resolve an IP address, but the current virtual system is out of neighbor entries. The neighbor entry for IP ip at interface iface has been freed in order to continue.
Gateway Action
Discard
Action Description
The firewall has been forced to discard one existing neighbor entry in use
Proposed Action
This log is commonly seen during some denial-of-service attacks. If you think that the system should be able to handle this amount of active neighbors, review the NDSettings:NDCacheSizeEther setting and consider increasing it. Whether to log this event is controlled by the NDSettings:NDLogOutOfEntries setting.

2.32.31. [ID: 163] Probe from unknown host

Log Categories
NDP,STATEFUL,VALIDATE
Log Message
Probe from unknown host.
Default Log Severity
Notice
Parameters
srchw, srcip, destip, targetip, iface, pkt
Explanation
Received a dead peer probe without source link-layer option, and there was no previous information about this IP in the neighbor cache. One valid case where this can happen is when the gateway is required to keep track of more neighbors than the NDSettings:NDCacheSizeEther setting allows for.
Gateway Action
None
Action Description
The firewall will query for the IP srcip before the probe can be answered
Proposed Action
Whether to log this event is controlled by the NDSettings:NDValidation setting.

2.32.32. [ID: 303] Dead Peer probe delayed

Log Categories
NDP,SYSTEM
Log Message
Dead Peer probe delayed.
Default Log Severity
Warning
Parameters
ip, knownhw, iface
Explanation
Dead Peer probes have been put under rate limit and a probe for the IP address ip has been put on hold. For the time being, the firewall will consider this address to be valid.
Gateway Action
None
Action Description
None
Proposed Action
Review the NDSettings:NDMaxUnreachProbe setting. Whether to log this event is controlled by the NDSettings:NDLogRatelimitDelay setting.

2.32.33. [ID: 266] Reply to Dead Peer probe delayed

Log Categories
NDP,SYSTEM
Log Message
Reply to Dead Peer probe delayed.
Default Log Severity
Warning
Parameters
ip, destip, knownhw, iface
Explanation
Replies to Dead Peer probes have been put under rate limit and the reply to destip has been delayed. This may in the pathological case break ongoing communications between destip and the firewall.
Gateway Action
None
Action Description
None
Proposed Action
Review the NDSettings:NDMaxUnreachReply setting and consider increasing it. Whether to log this event is controlled by the NDSettings:NDLogRatelimitDelay setting.

2.32.34. [ID: 338] NDP resolve timeout

Log Categories
NDP,STATEFUL
Log Message
NDP resolve timeout.
Default Log Severity
Notice
Parameters
localip, ip, iface, flow, pkt, user, userid
Explanation
The firewall failed to resolve IP ip at interface iface. The IP is not reachable via the local network; traffic to and from this address will be dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
The "ndpsnoop" feature will allow realtime examination of the ND traffic at interface iface; use this to pinpoint the problem. Review the route configuration and the access rules, especially when seemingly valid Advertisements are discarded. Verify whether it is possible to route bidirectional traffic to and from IP ip at interface iface. Whether to log this event is controlled by the NDSettings:NDLogResolveFailure setting.

2.32.35. [ID: 445] Packet truncated at L4 header

Log Categories
NDP,STATELESS,VALIDATE
Log Message
Packet truncated at L4 header.
Default Log Severity
Warning
Parameters
srchw, srcip, pktlen, iface, pkt
Explanation
The message contains enough data for an ICMP header, and this header identifies the message as an ND message. There is however not enough data for an ND message.
Gateway Action
Drop
Action Description
None
Proposed Action
This log message can be turned off with the NDSettings:NDValidation setting.

2.32.36. [ID: 519] Option is truncated

Log Categories
NDP,STATELESS,VALIDATE
Log Message
Option is truncated.
Default Log Severity
Warning
Parameters
srchw, srcip, destip, targetip, type, offset, maxlen, len, iface, pkt
Explanation
The message is truncated in the middle of option type type at offset offset. The option is supposed to be len bytes long, but there is only enough data for maxlen bytes in the packet.
Gateway Action
Drop
Action Description
None
Proposed Action
This log message can be turned off with the NDSettings:NDValidation setting.

2.32.37. [ID: 348] ND message allowed by access rule

Log Categories
NDP
Log Message
ND message allowed by access rule.
Default Log Severity
Notice
Parameters
srchw, srcip, destip, targetip, iface, pkt, rule
Explanation
The ND sender IP address srcip was verified and accepted by access rule rule in the access section.
Gateway Action
Allow
Action Description
None
Proposed Action
Modify the access rule accordingly, if the sender should not be allowed.

2.32.38. [ID: 127] ND message disallowed by access rule

Log Categories
NDP
Log Message
ND message disallowed by access rule.
Default Log Severity
Notice
Parameters
srchw, srcip, destip, targetip, recviface, pkt, rule
Explanation
Further processing of the received ND packet is not allowed because access rule rule did not allow the sender IP srcip.
Gateway Action
Drop
Action Description
None
Proposed Action
If the decision to drop the packet was correct but you don't want any logs then either change the LogEnabled property on the access rule (if the rule is an explicitly configured access rule), add an access rule to drop the packet silently or configure a log message exception in the log receiver to ignore this message. If the decision to drop the packet was incorrect then there are two cases: If the rule is an explicitly configured access rule then modify it, and possibly other access rules, accordingly. Otherwise start by verifying that the routing is correctly configured for the sender's address since routes provide automatic access rules. If that does not help, that is, in setups where packets arriving from the sender arrive on another interface than where packets going to the sender are routed, then add an access rule accepting the sender's address on the receive interface.

2.32.39. [ID: 1657] ND message disallowed by route to source IP

Log Categories
NDP,ROUTE,IPSPOOFING
Log Message
ND message disallowed by route to source IP.
Default Log Severity
Notice
Parameters
srchw, srcip, destip, targetip, recviface, srcroute, pkt
Explanation
Further processing of received ND packet is not allowed due to the source IP srcip not being routed over the receive interface recviface.
Gateway Action
Drop
Action Description
None
Proposed Action
This is an effect of the automatic reverse path ingress filtering of the system based on the routes known to the system. The default policy is basically "strict reverse path forwarding", that is, that a packet must be received on the interface where packets to the source IP of the packet would be routed out, to be acceptable. In some scenarios, for instance, where asymmetric routing is used, this is too strict. Exceptions can then be made by marking interfaces as security equivalent or by adding explicit access rules to allow packets from the source IP on this interface even though packets to the source IP will be sent over some other interface.

2.32.40. [ID: 212] Solicitation delayed

Log Categories
NDP,SYSTEM
Log Message
Solicitation delayed.
Default Log Severity
Warning
Parameters
ip, knownhw, iface
Explanation
Neighbor Solicitations have been put under rate limit and a solicitation for the IP address ip that the firewall is supposed to resolve has been put on hold. Communication with this address will be impossible until the rate limit has been lifted. This log is commonly seen during some denial-of-service attacks.
Gateway Action
None
Action Description
None
Proposed Action
Review the NDSettings:NDMaxSolicitation setting. Whether to log this event is controlled by the NDSettings:NDLogRatelimitDelay setting.

2.32.41. [ID: 625] Solicitation from unknown host

Log Categories
NDP,STATELESS,VALIDATE
Log Message
Solicitation from unknown host.
Default Log Severity
Warning
Parameters
srchw, srcip, destip, targetip, iface, pkt
Explanation
Received a multicast neighbor solicitation without source link-layer option. This is illegal, and a possible denial-of-service attack mentioned in RFC4861.
Gateway Action
Drop
Action Description
The firewall will not process this solicitation any further, and no response will be sent
Proposed Action
Whether to log this event is controlled by the NDSettings:NDValidation setting.

2.32.42. [ID: 316] Spoofed HW sender

Log Categories
NDP,STATELESS,VALIDATE
Log Message
Spoofed HW sender.
Default Log Severity
Warning
Parameters
srchw, srcip, destip, targetip, iface, pkt
Explanation
An ND message has been received. The message has got an L2 header attached to it, and the L2 sender address inside that header belongs to the firewall. Either this is a forged message, or packets are leaking from one network into another.
Gateway Action
Drop
Action Description
None
Proposed Action
Examine why these packets are being received. There are two possible sources: An active attack, or that the firewall is hearing its own ND messages (the most common case is that one physical multicast-capable network has been partitioned into two or more "logical" subnets). Check the receive mode for the receiving interface. An attacker can attempt to "impersonate" the firewall by using a known address associated with the firewall, in order to "update" an insecure host with false information. This kind of attack is usually not directed to the firewall, and so the likelihood of the firewall detecting this is very low for "normal" or "selective multicast" mode, and high for "promiscuous" or "all-multicast" mode. Whether to log this event is controlled by the NDSettings:NDValidation setting.

2.32.43. [ID: 239] Dead peer probe answered from unknown HW[...]

Log Categories
NDP,STATEFUL,VALIDATE
Log Message
Dead peer probe answered from unknown HW sender.
Default Log Severity
Warning
Parameters
knownhw, srchw, srcip, destip, targetip, iface, pkt
Explanation
The firewall has sent a dead peer probe to a previously resolved IP, and received an answer with a different L2 address. This is not expected to happen, because the probe (from the firewall) was sent to the known address knownhw, so the answer is an illegal response.
Gateway Action
Drop
Action Description
The packet has been dropped and will not be considered an answer for the dead peer probe
Proposed Action
Whether to log this event or not is controlled by the NDSettings:NDValidation setting. The packet is considered invalid, so it will be dropped regardless of the setting. Examine the network to see why such a response was sent. It may be an attempt to hijack traffic, in which case srchw must be the address of a compromised machine.

2.32.44. [ID: 315] Spoofed IP sender

Log Categories
NDP,STATELESS,VALIDATE
Log Message
Spoofed IP sender.
Default Log Severity
Warning
Parameters
srchw, srcip, destip, targetip, iface, pkt
Explanation
An ND message has been received from an IP owned (or proxied) by the firewall. Either this is a forged message, or packets are leaking from one network into another.
Gateway Action
Drop
Action Description
None
Proposed Action
Examine why these packets are being received. There are two possible sources: an active attack, or the firewall hearing its own ND messages (the most common case is that one physical multicast-capable network has been partitioned into two or more "logical" subnets). Check the receive mode for the receiving interface. An attacker can attempt to "impersonate" the firewall by using a known address associated with the firewall, in order to "update" an unsecured host with false information. This kind of attack is usually not directed at the firewall, so the likelihood of the firewall detecting it is very low for "normal" or "selective multicast" mode, and high for "promiscuous" or "all-multicast" mode. Whether to log this event is controlled by the NDSettings:NDValidation setting.

2.32.45. [ID: 271] Spoofed source linklayer option

Log Categories
NDP,STATELESS,VALIDATE
Log Message
Spoofed source linklayer option.
Default Log Severity
Warning
Parameters
srchw, srcip, destip, targetip, option, iface, pkt
Explanation
An ND message contained a source link-layer option with an L2 address that belongs to the firewall. Either this is a forged message, or packets are leaking from one network into another.
Gateway Action
Drop
Action Description
None
Proposed Action
Examine why these packets are being received. There are two possible sources: an active attack, or the firewall hearing its own ND messages (the most common case is that one physical multicast-capable network has been partitioned into two or more "logical" subnets). Check the receive mode for the receiving interface. An attacker can attempt to "impersonate" the firewall by using a known address associated with the firewall, in order to "update" an unsecured host with false information. This kind of attack is usually not directed at the firewall, so the likelihood of the firewall detecting it is very low for "normal" or "selective multicast" mode, and high for "promiscuous" or "all-multicast" mode. Whether to log this event is controlled by the NDSettings:NDValidation setting.

2.32.46. [ID: 446] Spoofed IP target

Log Categories
NDP,STATELESS,VALIDATE
Log Message
Spoofed IP target.
Default Log Severity
Warning
Parameters
srchw, srcip, destip, targetip, iface, pkt
Explanation
An ND message has been received for a target IP that is owned (or proxied) by the firewall. Either this is a forged message, or packets are leaking from one network into another.
Gateway Action
Drop
Action Description
None
Proposed Action
Examine why these packets are being received. There are two possible sources: an active attack, or the firewall hearing its own ND messages (the most common case is that one physical multicast-capable network has been partitioned into two or more "logical" subnets). Check the receive mode for the receiving interface. An attacker can attempt to "impersonate" the firewall by using a known address associated with the firewall, in order to "update" an unsecured host with false information. This kind of attack is usually not directed at the firewall, so the likelihood of the firewall detecting it is very low for "normal" or "selective multicast" mode, and high for "promiscuous" or "all-multicast" mode. Whether to log this event is controlled by the NDSettings:NDValidation setting.

2.32.47. [ID: 1160] IPv6 DNS was discovered

Log Categories
NDP
Log Message
IPv6 DNS was discovered.
Default Log Severity
Notice
Parameters
ip, iface
Explanation
IPv6 DNS has been discovered on the interface.
Gateway Action
None
Action Description
None
Proposed Action
None

2.32.48. [ID: 1136] IPv6 DNS has expired

Log Categories
NDP
Log Message
IPv6 DNS has expired.
Default Log Severity
Notice
Parameters
ip, iface
Explanation
IPv6 DNS has expired.
Gateway Action
None
Action Description
None
Proposed Action
None

2.32.49. [ID: 1139] Generated IPv6 address appear to be occupied

Log Categories
NDP
Log Message
Generated IPv6 address appear to be occupied.
Default Log Severity
Warning
Parameters
ip, iface
Explanation
The generated IPv6 address appears to be occupied.
Gateway Action
Reject
Action Description
None
Proposed Action
This could mean that there is identical hardware on the network, since the IP address is generated based on the MAC address.

2.32.50. [ID: 1134] No routers were discovered

Log Categories
NDP
Log Message
No routers were discovered.
Default Log Severity
Warning
Parameters
iface
Explanation
No router advertisements were received.
Gateway Action
None
Action Description
None
Proposed Action
None

2.32.51. [ID: 1159] IPv6 prefix was discovered

Log Categories
NDP
Log Message
IPv6 prefix was discovered.
Default Log Severity
Notice
Parameters
network, iface
Explanation
IPv6 prefix has been discovered on the interface.
Gateway Action
None
Action Description
None
Proposed Action
None

2.32.52. [ID: 1151] IPv6 prefix has expired

Log Categories
NDP
Log Message
IPv6 prefix has expired.
Default Log Severity
Notice
Parameters
network, iface
Explanation
IPv6 prefix has expired.
Gateway Action
None
Action Description
None
Proposed Action
None

2.32.53. [ID: 1284] IPv6 prefix preferred lifetime exceeds valid[...]

Log Categories
NDP
Log Message
IPv6 prefix preferred lifetime exceeds valid lifetime.
Default Log Severity
Notice
Parameters
network, iface
Explanation
IPv6 prefix preferred lifetime exceeds valid lifetime.
Gateway Action
Reject
Action Description
None
Proposed Action
None

2.32.54. [ID: 1138] Router was discovered

Log Categories
NDP
Log Message
Router was discovered.
Default Log Severity
Notice
Parameters
ip, iface
Explanation
IPv6 router has been discovered on the interface.
Gateway Action
None
Action Description
None
Proposed Action
None

2.32.55. [ID: 1142] IPv6 router has expired

Log Categories
NDP
Log Message
IPv6 router has expired.
Default Log Severity
Notice
Parameters
ip, iface
Explanation
IPv6 router has expired.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33. NETCON

These log messages refer to the NETCON category.

2.33.1. [ID: 588] Netcon CLI instance closed

Log Categories
NETCON
Log Message
Netcon CLI instance closed.
Default Log Severity
Information
Parameters
ip, port
Explanation
The Netcon CLI session was closed.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.2. [ID: 305] Netcon CLI instance failed

Log Categories
NETCON
Log Message
Netcon CLI instance failed.
Default Log Severity
Error
Parameters
ip, port
Explanation
The Netcon CLI session could not be started.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.3. [ID: 620] Too many Netcon CLI instances

Log Categories
NETCON
Log Message
Too many Netcon CLI instances.
Default Log Severity
Notice
Parameters
ip, port
Explanation
The Netcon CLI session was denied because the maximum number of open sessions was reached.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.4. [ID: 501] Netcon CLI instance started

Log Categories
NETCON
Log Message
Netcon CLI instance started.
Default Log Severity
Information
Parameters
ip, port
Explanation
The Netcon CLI session was started.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.5. [ID: 608] Failed to open file for writing

Log Categories
NETCON
Log Message
Failed to open file for writing.
Default Log Severity
Error
Parameters
file, ip, port
Explanation
The file could not be uploaded because the target file could not be opened for writing.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.6. [ID: 346] New Netcon connection

Log Categories
NETCON
Log Message
New Netcon connection.
Default Log Severity
Notice
Parameters
ip, port
Explanation
The Netcon connection was opened.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.7. [ID: 243] Disconnecting Netcon peer

Log Categories
NETCON
Log Message
Disconnecting Netcon peer.
Default Log Severity
Notice
Parameters
ip, port
Explanation
The Netcon connection was closed.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.8. [ID: 539] Uploaded file could not be written to disk

Log Categories
NETCON,SYSTEM
Log Message
Uploaded file could not be written to disk.
Default Log Severity
Error
Parameters
file
Explanation
The file could not be uploaded because the target file could not be written to disk.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.9. [ID: 480] File transfer to host completed

Log Categories
NETCON
Log Message
File transfer to host completed.
Default Log Severity
Information
Parameters
file, filesize, ip, port
Explanation
The file was downloaded successfully.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.10. [ID: 349] File download requested by host failed

Log Categories
NETCON
Log Message
File download requested by host failed.
Default Log Severity
Error
Parameters
file, ip, port
Explanation
The file could not be downloaded over Netcon.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.11. [ID: 160] Could not open requested file

Log Categories
NETCON
Log Message
Could not open requested file.
Default Log Severity
Error
Parameters
file, ip, port
Explanation
The file could not be downloaded over Netcon because the file could not be opened.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.12. [ID: 201] File transfer to host started

Log Categories
NETCON
Log Message
File transfer to host started.
Default Log Severity
Information
Parameters
file, filesize, ip, port
Explanation
The file download over Netcon has been started.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.13. [ID: 550] File cannot be received since too many Netcon[...]

Log Categories
NETCON
Log Message
File cannot be received since too many Netcon peers are transferring files simultaneously.
Default Log Severity
Warning
Parameters
file, ip, port
Explanation
The file could not be uploaded over Netcon because the maximum number of simultaneous file transfers was reached.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.14. [ID: 152] File cannot be sent since too many Netcon[...]

Log Categories
NETCON
Log Message
File cannot be sent since too many Netcon peers are transferring files simultaneously.
Default Log Severity
Warning
Parameters
file, ip, port
Explanation
The file could not be downloaded over Netcon because the maximum number of simultaneous file transfers was reached.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.15. [ID: 112] Receiving file from host

Log Categories
NETCON
Log Message
Receiving file from host.
Default Log Severity
Information
Parameters
file, filesize, ip, port
Explanation
The file upload has been started.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.16. [ID: 1721] Invalid file name

Log Categories
NETCON
Log Message
Invalid file name.
Default Log Severity
Error
Parameters
file, ip, port
Explanation
The name of the file to upload did not specify a valid path.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.17. [ID: 441] A listening socket for Netcon could not be[...]

Log Categories
NETCON
Log Message
A listening socket for Netcon could not be set up.
Default Log Severity
Critical
Parameters
ip, port
Explanation
The socket for incoming Netcon connections could not be set up during initialization.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.18. [ID: 137] Netcon logger instance closed

Log Categories
NETCON
Log Message
Netcon logger instance closed.
Default Log Severity
Information
Parameters
ip, port
Explanation
The Netcon logger session was closed.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.19. [ID: 544] Netcon logger instance failed

Log Categories
NETCON
Log Message
Netcon logger instance failed.
Default Log Severity
Error
Parameters
ip, port
Explanation
The Netcon logger session could not be started.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.20. [ID: 368] Netcon logger instance started

Log Categories
NETCON
Log Message
Netcon logger instance started.
Default Log Severity
Information
Parameters
ip, port
Explanation
The Netcon logger session was started.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.21. [ID: 138] Insufficient RAM to start CLI session

Log Categories
NETCON,SYSTEM
Log Message
Insufficient RAM to start CLI session.
Default Log Severity
Error
Parameters
 
Explanation
There was not enough free RAM to start a Netcon CLI session.
Gateway Action
Abort
Action Description
None
Proposed Action
None

2.33.22. [ID: 116] Insufficient RAM to initialize Netcon

Log Categories
NETCON,SYSTEM
Log Message
Insufficient RAM to initialize Netcon.
Default Log Severity
Critical
Parameters
 
Explanation
There was not enough free RAM to start the Netcon service.
Gateway Action
Abort
Action Description
None
Proposed Action
None

2.33.23. [ID: 502] File upload aborted by host

Log Categories
NETCON
Log Message
File upload aborted by host.
Default Log Severity
Information
Parameters
file, ip, port
Explanation
The file upload over Netcon was aborted.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.24. [ID: 255] File upload completed successfully

Log Categories
NETCON
Log Message
File upload completed successfully.
Default Log Severity
Information
Parameters
file, filesize, ip, port
Explanation
The file was successfully uploaded over Netcon.
Gateway Action
None
Action Description
None
Proposed Action
None

2.33.25. [ID: 542] File upload from host failed

Log Categories
NETCON
Log Message
File upload from host failed.
Default Log Severity
Error
Parameters
file, ip, port, reason
Explanation
The file upload over Netcon failed.
Gateway Action
Abort
Action Description
None
Proposed Action
None

2.34. OSPF

These log messages refer to the OSPF category.

2.34.1. [ID: 848] Unable to send ACK

Log Categories
OSPF
Log Message
Unable to send ACK.
Default Log Severity
Critical
Parameters
recviface, rule
Explanation
Unable to send acknowledgment.
Gateway Action
None
Action Description
None
Proposed Action
None

2.34.2. [ID: 870] Failed to add route

Log Categories
OSPF
Log Message
Failed to add route.
Default Log Severity
Critical
Parameters
iprange, rule
Explanation
The OSPF process could not create a new route with range iprange. This is probably a result of not having enough free memory.
Gateway Action
None
Action Description
None
Proposed Action
Check memory consumption.

2.34.3. [ID: 861] Bad area

Log Categories
OSPF
Log Message
Bad area.
Default Log Severity
Warning
Parameters
area, iface, rule
Explanation
The received OSPF data was from a neighboring router within an area which does not match the area of the receive iface.
Gateway Action
Drop
Action Description
None
Proposed Action
Make sure all locally attached OSPF routers are in the same area as the attaching interfaces.

2.34.4. [ID: 867] Authentication failed due to bad crypto digest

Log Categories
OSPF
Log Message
Authentication failed due to bad crypto digest.
Default Log Severity
Warning
Parameters
neighborid, iface, rule
Explanation
Authentication failed due to bad crypto digest.
Gateway Action
Drop
Action Description
None
Proposed Action
Verify that the neighbor OSPF router neighborid, connected on interface iface, shares the same crypto digest.

2.34.5. [ID: 851] Authentication failed due to bad crypto key[...]

Log Categories
OSPF
Log Message
Authentication failed due to bad crypto key ids.
Default Log Severity
Warning
Parameters
id, recvid, neighborid, iface, rule
Explanation
Authentication failed due to bad crypto key ids. The crypto id id, used by interface iface, does not match the received crypto id recvid from neighbor neighborid.
Gateway Action
Drop
Action Description
None
Proposed Action
Verify that the neighboring OSPF router shares the same crypto key id.

2.34.6. [ID: 824] Bad authentication password

Log Categories
OSPF
Log Message
Bad authentication password.
Default Log Severity
Warning
Parameters
neighborid, iface, rule
Explanation
Authentication failed due to bad password. The authentication password used by interface iface does not match the password from neighbor neighborid.
Gateway Action
Drop
Action Description
None
Proposed Action
Verify that the neighboring OSPF router shares the same password.

2.34.7. [ID: 814] Authentication failed since received crypto[...]

Log Categories
OSPF
Log Message
Authentication failed since received crypto sequence number too low.
Default Log Severity
Warning
Parameters
seqno, recvseqno, neighborid, recviface, rule
Explanation
Authentication failed since the received crypto sequence number is too low.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.34.8. [ID: 854] Authentication type mismatch with neighbor[...]

Log Categories
OSPF
Log Message
Authentication type mismatch with neighbor router.
Default Log Severity
Warning
Parameters
auth, recvauth, neighborid, recviface, rule
Explanation
The authentication types on this router and the neighboring OSPF router do not match.
Gateway Action
Drop
Action Description
None
Proposed Action
Verify that the neighboring OSPF router has the same authentication type.

2.34.9. [ID: 855] Received OSPF packet with bad length

Log Categories
OSPF
Log Message
Received OSPF packet with bad length.
Default Log Severity
Warning
Parameters
len, iplen, type, rule
Explanation
The received OSPF packet had a bad length. The OSPF packet type was type, the packet IP length was iplen and the OSPF data length was len.
Gateway Action
Drop
Action Description
None
Proposed Action
Verify that neighboring routers are correctly configured.

2.34.10. [ID: 868] Checksum error

Log Categories
OSPF
Log Message
Checksum error.
Default Log Severity
Warning
Parameters
chksum, recvchksum, neighborid, recviface, rule
Explanation
The received OSPF data had a bad checksum.
Gateway Action
Drop
Action Description
None
Proposed Action
Check network equipment for problems.

2.34.11. [ID: 836] Neighbor implied AS-EXT on stub area

Log Categories
OSPF
Log Message
Neighbor implied AS-EXT on stub area.
Default Log Severity
Warning
Parameters
neighborid, rule
Explanation
A neighbor illegally implied AS-EXT on a stub area.
Gateway Action
Abort
Action Description
The current DD exchange is aborted and restarted
Proposed Action
Check the configuration on the neighboring OSPF router.

2.34.12. [ID: 856] Received LSA with bad max-age value

Log Categories
OSPF
Log Message
Received LSA with bad max-age value.
Default Log Severity
Warning
Parameters
neighborid, maxage, recvmaxage, rule
Explanation
Received LSA with bad max-age value.
Gateway Action
Abort
Action Description
The current DD exchange is aborted and restarted
Proposed Action
Check the configuration on the neighboring OSPF router.

2.34.13. [ID: 876] Received LSA with bad sequence number

Log Categories
OSPF
Log Message
Received LSA with bad sequence number.
Default Log Severity
Warning
Parameters
neighborid, seqno, rule
Explanation
The received LSA had a bad sequence number.
Gateway Action
Abort
Action Description
The current DD exchange is aborted and restarted
Proposed Action
None

2.34.14. [ID: 826] Neighbor replied with unexpected sequence[...]

Log Categories
OSPF
Log Message
Neighbor replied with unexpected sequence number.
Default Log Severity
Warning
Parameters
neighborid, recviface, rule
Explanation
The system received a DD exchange packet with an unexpected sequence number.
Gateway Action
Abort
Action Description
The current DD exchange is aborted and restarted
Proposed Action
None

2.34.15. [ID: 837] Neighbor DD packet has too high MTU

Log Categories
OSPF
Log Message
Neighbor DD packet has too high MTU.
Default Log Severity
Warning
Parameters
neighborid, mtu, recvmtu, recviface, rule
Explanation
The MTU in the received DD packet was too high. The MTU recvmtu in the data received on interface recviface from neighbor neighborid is higher than the MTU on the receive interface.
Gateway Action
Drop
Action Description
None
Proposed Action
Lower the MTU on the neighboring OSPF router.

2.34.16. [ID: 825] Neighbor sent non-duplicate in wrong state

Log Categories
OSPF
Log Message
Neighbor sent non-duplicate in wrong state.
Default Log Severity
Warning
Parameters
neighborid, recviface, rule
Explanation
The system received a non-duplicate DD from a neighbor in a higher state than exchange.
Gateway Action
Abort
Action Description
The current DD exchange is aborted and restarted
Proposed Action
None

2.34.17. [ID: 871] Neighbor changed options during exchange phase

Log Categories
OSPF
Log Message
Neighbor changed options during exchange phase.
Default Log Severity
Warning
Parameters
neighborid, rule
Explanation
The system received a DD exchange packet indicating that the neighbor had changed options during the exchange.
Gateway Action
Abort
Action Description
The current DD exchange is aborted and restarted
Proposed Action
None

2.34.18. [ID: 815] Unknown LSA type

Log Categories
OSPF
Log Message
Unknown LSA type.
Default Log Severity
Warning
Parameters
neighborid, type, rule
Explanation
A neighbor described an unknown LSA type.
Gateway Action
Abort
Action Description
The current DD exchange is aborted and restarted
Proposed Action
Check the configuration on the neighboring OSPF router.

2.34.19. [ID: 835] Neighbor misused the I-flag

Log Categories
OSPF
Log Message
Neighbor misused the I-flag.
Default Log Severity
Warning
Parameters
neighborid, recviface, rule
Explanation
The system received a DD exchange packet in which the I-flag was set.
Gateway Action
Abort
Action Description
The current DD exchange is aborted and restarted
Proposed Action
None

2.34.20. [ID: 845] Neighbor M-MS mismatch

Log Categories
OSPF
Log Message
Neighbor M-MS mismatch.
Default Log Severity
Warning
Parameters
neighborid, recviface, rule
Explanation
The system received a DD exchange packet indicating that the neighbor got the M/MS (master/slave) role wrong.
Gateway Action
Abort
Action Description
The current DD exchange is aborted and restarted
Proposed Action
None

2.34.21. [ID: 853] Generic event

Log Categories
OSPF
Log Message
Generic event.
Default Log Severity
Debug
Parameters
type, loglevel, reason, rule
Explanation
A DDesc debug log event of level loglevel occurred. The event is described in the parameter reason. This log event can be enabled/disabled by configuring the OSPF process config object.
Gateway Action
None
Action Description
None
Proposed Action
None

2.34.22. [ID: 830] Generic event

Log Categories
OSPF
Log Message
Generic event.
Default Log Severity
Debug
Parameters
type, loglevel, reason, rule
Explanation
An EXCHANGE debug log event of level loglevel occurred. The event is described in the parameter reason. This log event can be enabled/disabled by configuring the OSPF process config object.
Gateway Action
None
Action Description
None
Proposed Action
None

2.34.23. [ID: 874] Cannot map PTP neighbor to local IP

Log Categories
OSPF
Log Message
Cannot map PTP neighbor to local IP.
Default Log Severity
Warning
Parameters
neighborid, ip, iface, rule
Explanation
Unable to map a configured PTP neighbor to the local IP at HA fail over.
Gateway Action
None
Action Description
None
Proposed Action
Check OSPF interface configuration.

2.34.24. [ID: 823] Generic event

Log Categories
OSPF
Log Message
Generic event.
Default Log Severity
Debug
Parameters
type, loglevel, reason, rule
Explanation
A HELLO debug log event of level loglevel occurred. The event is described in the parameter reason. This log event can be enabled/disabled by configuring the OSPF process config object.
Gateway Action
None
Action Description
None
Proposed Action
None

2.34.25. [ID: 817] Hello packet E-flag mismatch

Log Categories
OSPF
Log Message
Hello packet E-flag mismatch.
Default Log Severity
Warning
Parameters
flag, recvflag, iface, rule
Explanation
Received a HELLO packet on interface iface, which had a mismatching E-flag configuration. The system uses E-flag value flag which does not match the received flag recvflag. The E-Flag describes how AS-external-LSAs are flooded.
Gateway Action
Drop
Action Description
None
Proposed Action
Check that all locally attached OSPF routers share the same E-flag configuration.

2.34.26. [ID: 832] Hello packet N-flag and E-flags are both set[...]

Log Categories
OSPF
Log Message
Hello packet N-flag and E-flags are both set which is illegal.
Default Log Severity
Warning
Parameters
iface, rule
Explanation
Received a HELLO packet on interface iface which has both the N and E flags set. This is illegal.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the configuration on the neighboring router.

2.34.27. [ID: 872] Hello packet interval mismatch

Log Categories
OSPF
Log Message
Hello packet interval mismatch.
Default Log Severity
Warning
Parameters
interval, recvinterval, iface, rule
Explanation
The HELLO interval property in the received HELLO packet, recvinterval, does not match the HELLO interval configured on iface.
Gateway Action
Drop
Action Description
None
Proposed Action
Check that all locally attached OSPF routers have the same hello interval.

2.34.28. [ID: 834] Hello packet N-flag mismatch

Log Categories
OSPF
Log Message
Hello packet N-flag mismatch.
Default Log Severity
Warning
Parameters
flag, recvflag, iface, rule
Explanation
Received a HELLO packet on interface iface, which had a mismatching N-flag configuration. The N-flag describes NSSA details.
Gateway Action
Drop
Action Description
None
Proposed Action
Check that all locally attached OSPF routers share the same N-flag configuration.

2.34.29. [ID: 839] Hello packet netmask mismatch

Log Categories
OSPF
Log Message
Hello packet netmask mismatch.
Default Log Severity
Warning
Parameters
netmask, recvnetmask, iface, rule
Explanation
An OSPF data packet from a neighboring router had a netmask, recvnetmask, that differed from the netmask on the receive iface.
Gateway Action
Drop
Action Description
None
Proposed Action
Verify that locally attached OSPF routers have the same netmask as the attaching interfaces.

2.34.30. [ID: 875] Hello packet router dead interval mismatch

Log Categories
OSPF
Log Message
Hello packet router dead interval mismatch.
Default Log Severity
Warning
Parameters
interval, recvinterval, iface, rule
Explanation
Received a HELLO packet which had a mismatching router dead interval. The interval configured on interface iface does not match the received interval, recvinterval.
Gateway Action
Drop
Action Description
None
Proposed Action
Check that all locally attached OSPF routers have the same router dead interval.

2.34.31. [ID: 852] LSA internal checksum error

Log Categories
OSPF
Log Message
LSA internal checksum error.
Default Log Severity
Critical
Parameters
rule
Explanation
Internal LSA checksum error.
Gateway Action
None
Action Description
None
Proposed Action
Restart the OSPF subsystem.

2.34.32. [ID: 865] Got ACK for mismatched LSA

Log Categories
OSPF
Log Message
Got ACK for mismatched LSA.
Default Log Severity
Warning
Parameters
type, lsaid, lsartr, rule
Explanation
Received an acknowledgment for a mismatched LSA.
Gateway Action
Ignore
Action Description
The acknowledgment is ignored
Proposed Action
None

2.34.33. [ID: 864] Received AS-EXT LSA on stub

Log Categories
OSPF
Log Message
Received AS-EXT LSA on stub.
Default Log Severity
Warning
Parameters
neighborid, rule
Explanation
An AS external LSA was received which is illegal on a stub area.
Gateway Action
Discard
Action Description
The LSA was discarded
Proposed Action
None

2.34.34. [ID: 843] Received LSA with bad checksum

Log Categories
OSPF
Log Message
Received LSA with bad checksum.
Default Log Severity
Warning
Parameters
neighborid, rule
Explanation
The received LSA had an incorrect checksum.
Gateway Action
Discard
Action Description
The LSA was discarded
Proposed Action
Check network equipment for problems.

2.34.35. [ID: 840] Bad LSA sequence number

Log Categories
OSPF
Log Message
Bad LSA sequence number.
Default Log Severity
Warning
Parameters
neighborid, maxage, recvmaxage, rule
Explanation
An LSA with a bad max age was received.
Gateway Action
Discard
Action Description
The LSA was discarded
Proposed Action
None

2.34.36. [ID: 846] Bad LSA sequence number

Log Categories
OSPF
Log Message
Bad LSA sequence number.
Default Log Severity
Warning
Parameters
neighborid, seqno, rule
Explanation
The received LSA had a bad sequence number.
Gateway Action
Discard
Action Description
The LSA was discarded
Proposed Action
None

2.34.37. [ID: 819] Generic event

Log Categories
OSPF
Log Message
Generic event.
Default Log Severity
Debug
Parameters
type, loglevel, reason, rule
Explanation
An LSA debug log event of level loglevel occurred. The event is described in the parameter reason. This log event can be enabled/disabled by configuring the OSPF process config object.
Gateway Action
None
Action Description
None
Proposed Action
None

2.34.38. [ID: 857] Failed to prepare replacement LSA

Log Categories
OSPF
Log Message
Failed to prepare replacement LSA.
Default Log Severity
Critical
Parameters
type, lsaid, lsartr, rule
Explanation
Failed to create the LSA replacement for the existing LSA with id lsaid, type type and originating router lsartr.
Gateway Action
None
Action Description
None
Proposed Action
None

2.34.39. [ID: 863] Received LSA is older then DB copy

Log Categories
OSPF
Log Message
Received LSA is older then DB copy.
Default Log Severity
Warning
Parameters
type, lsaid, lsartr, rule
Explanation
The received LSA is older than the copy already in the database.
Gateway Action
Discard
Action Description
The received LSA will be discarded
Proposed Action
None

2.34.40. [ID: 827] REQ packet LSA size mismatch

Log Categories
OSPF
Log Message
REQ packet LSA size mismatch.
Default Log Severity
Warning
Parameters
rule
Explanation
The received OSPF REQ packet had a mismatching LSA size.
Gateway Action
Abort
Action Description
Parsing aborted
Proposed Action
None

2.34.41. [ID: 842] ACK packet LSA size mismatch

Log Categories
OSPF
Log Message
ACK packet LSA size mismatch.
Default Log Severity
Warning
Parameters
recviface, rule
Explanation
ACK packet LSA size mismatch.
Gateway Action
Abort
Action Description
Parsing aborted
Proposed Action
None

2.34.42. [ID: 821] Requested LSA size too large

Log Categories
OSPF
Log Message
Requested LSA size too large.
Default Log Severity
Warning
Parameters
size, rule
Explanation
Unable to create LSA since the size is too large.
Gateway Action
Abort
Action Description
Unable to create LSA
Proposed Action
None

2.34.43. [ID: 828] Received selforiginated LSA for unknown type

Log Categories
OSPF
Log Message
Received selforiginated LSA for unknown type.
Default Log Severity
Warning
Parameters
type, rule
Explanation
Received a self-originated LSA of unknown type.
Gateway Action
Drop
Action Description
The LSA will be flushed
Proposed Action
None

2.34.44. [ID: 858] UPD packet LSA size mismatch

Log Categories
OSPF
Log Message
UPD packet LSA size mismatch.
Default Log Severity
Warning
Parameters
rule
Explanation
The received OSPF UPD packet had a mismatching LSA size.
Gateway Action
Abort
Action Description
Parsing aborted
Proposed Action
None

2.34.45. [ID: 1442] Received malformed packet

Log Categories
OSPF
Log Message
Received malformed packet.
Default Log Severity
Warning
Parameters
neighborid, type, rule
Explanation
Received a malformed OSPF packet. The OSPF packet was received from neighborid and was of the type type.
Gateway Action
Discard
Action Description
None
Proposed Action
Verify that neighboring routers are correctly configured.

2.34.46. [ID: 822] Unable to find VLINK transport area

Log Categories
OSPF
Log Message
Unable to find VLINK transport area.
Default Log Severity
Warning
Parameters
area, vlink, rule
Explanation
Unable to find transport area for the VLINK.
Gateway Action
Skip
Action Description
Interface is not included in router LSA
Proposed Action
Verify the configuration of the OSPF area.

2.34.47. [ID: 831] Neighbor died

Log Categories
OSPF
Log Message
Neighbor died.
Default Log Severity
Warning
Parameters
neighborid, iface, rule
Explanation
Lost connectivity with neighbor router.
Gateway Action
None
Action Description
None
Proposed Action
Check neighbor status and connectivity.

2.34.48. [ID: 820] AS disabled due to failed memory allocation

Log Categories
OSPF
Log Message
AS disabled due to failed memory allocation.
Default Log Severity
Critical
Parameters
rule
Explanation
An OSPF AS has been disabled due to memory allocation failure.
Gateway Action
Disable
Action Description
None
Proposed Action
Check memory consumption.

2.34.49. [ID: 850] Unable to allocate memory for LSA

Log Categories
OSPF
Log Message
Unable to allocate memory for LSA.
Default Log Severity
Critical
Parameters
rule
Explanation
The OSPF subsystem was unable to allocate additional memory needed for storing LSA information. The internal states of the OSPF process might now not correspond to what the neighboring routers expect.
Gateway Action
None
Action Description
None
Proposed Action
The OSPF subsystem is out of memory. Try increasing the amount of memory used by OSPF and/or modify the network topology surrounding this OSPF router.

2.34.50. [ID: 866] Unable to allocate memory for LSA link states

Log Categories
OSPF
Log Message
Unable to allocate memory for LSA link states.
Default Log Severity
Critical
Parameters
rule
Explanation
The OSPF subsystem was unable to allocate additional memory needed for storing LSA information. The internal states of the OSPF process might now not correspond to what the neighboring routers expect.
Gateway Action
None
Action Description
None
Proposed Action
The OSPF subsystem is out of memory. Try increasing the amount of memory used by OSPF and/or modify the network topology surrounding this OSPF router.

2.34.51. [ID: 841] Unable to allocate memory for LSA shell states

Log Categories
OSPF
Log Message
Unable to allocate memory for LSA shell states.
Default Log Severity
Critical
Parameters
rule
Explanation
The OSPF subsystem was unable to allocate additional memory needed for storing LSA information. The internal states of the OSPF process might now not correspond to what the neighboring routers expect.
Gateway Action
None
Action Description
None
Proposed Action
The OSPF subsystem is out of memory. Try increasing the amount of memory used by OSPF and/or modify the network topology surrounding this OSPF router.

2.34.52. [ID: 873] Unable to allocate memory for router neighbor[...]

Log Categories
OSPF
Log Message
Unable to allocate memory for router neighbor states.
Default Log Severity
Critical
Parameters
rule
Explanation
The OSPF subsystem was unable to allocate additional memory needed for storing neighbor information. The internal states of the OSPF process might now not correspond to what the neighboring routers expect.
Gateway Action
None
Action Description
None
Proposed Action
The OSPF subsystem is out of memory. Try increasing the amount of memory used by OSPF and/or modify the network topology surrounding this OSPF router.

2.34.53. [ID: 829] Unable to allocate memory for SPF vertex[...]

Log Categories
OSPF
Log Message
Unable to allocate memory for SPF vertex states.
Default Log Severity
Critical
Parameters
rule
Explanation
The OSPF subsystem was unable to allocate additional memory needed for storing SPF vertex information. The internal states of the OSPF process might now not correspond to what the neighboring routers expect.
Gateway Action
None
Action Description
None
Proposed Action
The OSPF subsystem is out of memory. Try increasing the amount of memory used by OSPF and/or modify the network topology surrounding this OSPF router.

2.34.54. [ID: 818] Generic event

Log Categories
OSPF
Log Message
Generic event.
Default Log Severity
Debug
Parameters
type, loglevel, reason, rule
Explanation
A packet debug log event of level loglevel occurred. The event is described in the parameter reason. This log event can be enabled/disabled by configuring the OSPF process config object.
Gateway Action
None
Action Description
None
Proposed Action
None

2.34.55. [ID: 859] Generic event

Log Categories
OSPF
Log Message
Generic event.
Default Log Severity
Debug
Parameters
type, loglevel, reason, rule
Explanation
A route debug log event of level loglevel occurred. The event is described in the parameter reason. This log event can be enabled/disabled by configuring the OSPF process config object.
Gateway Action
None
Action Description
None
Proposed Action
None

2.34.56. [ID: 1053] Received Router LSA which contains mismatched[...]

Log Categories
OSPF
Log Message
Received Router LSA which contains mismatched Link State ID and Advertising Router.
Default Log Severity
Warning
Parameters
lsaid, lsartr, rule
Explanation
None
Gateway Action
Discard
Action Description
None
Proposed Action
None

2.34.57. [ID: 838] Generic event

Log Categories
OSPF
Log Message
Generic event.
Default Log Severity
Debug
Parameters
type, loglevel, reason, rule
Explanation
An SPF debug log event of level loglevel occurred. The event is described in the parameter reason. This log event can be enabled/disabled by configuring the OSPF process config object.
Gateway Action
None
Action Description
None
Proposed Action
None

2.34.58. [ID: 833] Unable to send data on interface

Log Categories
OSPF
Log Message
Unable to send data on interface.
Default Log Severity
Warning
Parameters
destip, iface, rule
Explanation
The interface iface could not send data to the specified address destip.
Gateway Action
None
Action Description
 
Proposed Action
Verify that the interface is up and running and that it has link.

2.34.59. [ID: 849] Sender source IP not in interface range

Log Categories
OSPF
Log Message
Sender source IP not in interface range.
Default Log Severity
Warning
Parameters
srcip, iprange, iface, rule
Explanation
The source IP (srcip) on the received OSPF data is not within the receive interface iface range iprange.
Gateway Action
Drop
Action Description
None
Proposed Action
Verify that all locally attached OSPF routes are on the same network.

2.34.60. [ID: 869] Too many neighbors on interface

Log Categories
OSPF
Log Message
Too many neighbors on interface.
Default Log Severity
Warning
Parameters
iface, rule
Explanation
There are too many OSPF routers on a directly connected network. Unable to maintain 2-way with all of them (hello packet).
Gateway Action
Skip
Action Description
Some neighbors are skipped and are not described in outgoing HELLO packets
Proposed Action
Reduce the number of OSPF routers on the network.

2.34.61. [ID: 862] Unknown LSA type

Log Categories
OSPF
Log Message
Unknown LSA type.
Default Log Severity
Warning
Parameters
neighborid, type, rule
Explanation
The received LSA was of unknown type.
Gateway Action
Discard
Action Description
The LSA was discarded
Proposed Action
Check the configuration on the neighboring OSPF router.

2.34.62. [ID: 860] Unknown neighbor

Log Categories
OSPF
Log Message
Unknown neighbor.
Default Log Severity
Warning
Parameters
neighborid, neighborip, iface, rule
Explanation
Unknown neighbor seen on PTP based interface.
Gateway Action
None
Action Description
None
Proposed Action
Verify the configuration on the neighboring OSPF router.

2.34.63. [ID: 816] Unknown OSPF packet type

Log Categories
OSPF
Log Message
Unknown OSPF packet type.
Default Log Severity
Warning
Parameters
type, recviface, rule
Explanation
The received OSPF data was of an unknown type.
Gateway Action
Drop
Action Description
None
Proposed Action
Check the configuration on the neighboring router.

2.34.64. [ID: 847] Packet version is not OSPFv2

Log Categories
OSPF
Log Message
Packet version is not OSPFv2.
Default Log Severity
Warning
Parameters
version, rule
Explanation
Packet version is not OSPFv2.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.35. PIPES

These log messages refer to the PIPES category.

2.35.1. [ID: 1393] Out of non-uniform memory

Log Categories
PIPES,SYSTEM
Log Message
Out of non-uniform memory.
Default Log Severity
Alert
Parameters
pipe, memusageinactive, memusageactive, numinactive, numactive
Explanation
The system was running out of memory needed to honor the traffic shaping policy, likely due to a high number of groups becoming active. Groups that were already active would continue functioning according to policy, but traffic belonging to new groups was instead erroneously forwarded as non-grouped traffic.
Gateway Action
Ignore
Action Description
The system was running out of memory needed for traffic shaping. Traffic that should have been forwarded per group basis was instead erroneously forwarded as non-grouped traffic
Proposed Action
Investigate why the system is low on RAM, though in this particular case it should be obvious that memory was used up by traffic shaping. Complex configurations with many priority levels require more memory. Every active group will consume additional memory, and inactive groups are allowed to keep memory during a grace period. The setting TrafficMgmtSettings:MaxPipesMemUsage can be decreased in order to limit the number of active groups. Also consider adjusting the configuration to lower the maximum number of groups handled by traffic shaping, either by narrowing down the traffic that is grouped or by modifying the grouping parameter. Note that the cost of each group is amplified by the number of precedence levels enabled by the pipe; try to make the best use of the PrecedenceMin and PrecedenceMax parameters. Static group limits (such as UserLimitBpsTotal) also increase the cost per group.

2.35.2. [ID: 1396] No longer out of non-uniform memory

Log Categories
PIPES,SYSTEM
Log Message
No longer out of non-uniform memory.
Default Log Severity
Information
Parameters
pipe, memusageinactive, memusageactive, numinactive, numactive
Explanation
The system is no longer out of memory. Traffic is once again forwarded according to traffic shaping policies.
Gateway Action
Ignore
Action Description
None
Proposed Action
None

2.35.3. [ID: 1416] Pipe memory limit reached

Log Categories
PIPES,SYSTEM
Log Message
Pipe memory limit reached.
Default Log Severity
Warning
Parameters
pipe, numselected, memusage, memusagelocal, memusageactive, memusageinactive, numactive, numinactive
Explanation
The system has reached the memory limit for traffic shaping; some (numselected) active groups of pipe pipe were demoted to inactive state in order to keep within the configured memory limits. Traffic shaping was at this point using memusage bytes of memory, of which memusagelocal bytes were in use by this particular pipe.
Gateway Action
Ignore
Action Description
The system has reached the memory limit for traffic shaping. Traffic that should be forwarded per group basis may be erroneously forwarded as non-grouped traffic
Proposed Action
This log message is normally caused by abnormal behavior such as DDoS attacks or malfunctioning hardware that is flooding the network with random credentials. In the case where this log is generated by legitimate network conditions, consider adjusting TrafficMgmtSettings:MaxPipesMemUsage and make sure that statistics-per-group is not enabled by the pipe in question. The system will demote randomly selected active groups to handle this situation. Note that the cost of each active group is amplified by the number of precedence levels enabled by the pipe; try to make the best use of the PrecedenceMin and PrecedenceMax parameters. The system will assume that inactive groups can be ignored with regard to memory consumption. The number of inactive groups is indirectly limited by the number of flows, as inactive groups are removed when no flows are using them. Inactive groups can therefore be seen as a property of the flows themselves, and the number of inactive groups can therefore only be decreased either by lowering the number of open flows, or by configuring the pipes to use a coarser grouping scheme.

2.36. PORTMGR

These log messages refer to the PORTMGR category.

2.36.1. [ID: 410] Failed to allocate dynamic port

Log Categories
PORTMGR,SYSTEM
Log Message
Failed to allocate dynamic port.
Default Log Severity
Critical
Parameters
localip, destip
Explanation
The port manager could not find any available port. All ports for the source and destination IP pair localip-destip are allocated.
Gateway Action
Abort
Action Description
None
Proposed Action
Investigate why all ports for the specified source and destination IP pair are allocated. The specified source IP might be under a denial-of-service attack.

2.36.2. [ID: 167] Switching to High Load Mode

Log Categories
PORTMGR,SYSTEM
Log Message
Switching to High Load Mode.
Default Log Severity
Warning
Parameters
localip, destip
Explanation
The port manager state for the specified source and destination IP is heavily used. The port manager switches to High Load Mode for the specified addresses in order to increase performance.
Gateway Action
Adjust
Action Description
None
Proposed Action
Investigate why there are many flows between the specified source and destination IP. This is a normal condition that occurs in heavily used networks.

2.36.3. [ID: 170] Switching to Low Load Mode

Log Categories
PORTMGR,SYSTEM
Log Message
Switching to Low Load Mode.
Default Log Severity
Notice
Parameters
localip, destip
Explanation
The port manager state for the specified source and destination IP is returning to normal mode. The port manager switches to Low Load Mode for the specified addresses in order to free up memory resources.
Gateway Action
Adjust
Action Description
None
Proposed Action
None

2.36.4. [ID: 421] Out of memory when allocating dynamic port

Log Categories
PORTMGR,SYSTEM
Log Message
Out of memory when allocating dynamic port.
Default Log Severity
Alert
Parameters
localip, destip
Explanation
Memory allocation failed while allocating a dynamic port. The port allocation attempt for the source and destination IP pair was aborted. The system was out of RAM.
Gateway Action
Abort
Action Description
None
Proposed Action
Investigate why the system is low on RAM. Review the configuration and try to free more RAM.

2.36.5. [ID: 451] Out of memory while switching to High Load[...]

Log Categories
PORTMGR,SYSTEM
Log Message
Out of memory while switching to High Load Mode.
Default Log Severity
Critical
Parameters
localip, destip
Explanation
The port manager could not switch to High Load Mode for the specified source and destination IP pair since the system is low on RAM. The IP pair will remain in Low Load Mode with decreased performance.
Gateway Action
Abort
Action Description
None
Proposed Action
Investigate why the system is low on RAM. Review the configuration and try to free more RAM.

2.36.6. [ID: 432] Out of memory initializing port manager

Log Categories
PORTMGR,SYSTEM
Log Message
Out of memory initializing port manager.
Default Log Severity
Critical
Parameters
 
Explanation
There was not enough RAM to allocate a port manager. The port manager is a vital part of the system and is required for Network Address Translation and managing sockets.
Gateway Action
Abort
Action Description
None
Proposed Action
Investigate why the system is low on RAM. Review the configuration and try to free more RAM.

2.37. RADIUS

These log messages refer to the RADIUS category.

2.37.1. [ID: 666] Access-Accept packet received from RADIUS[...]

Log Categories
RADIUS
Log Message
Access-Accept packet received from RADIUS server.
Default Log Severity
Notice
Parameters
radiusserver, id
Explanation
An Access-Accept packet was received from a RADIUS server.
Gateway Action
None
Action Description
None
Proposed Action
None

2.37.2. [ID: 1667] Access-Challenge packet received from RADIUS[...]

Log Categories
RADIUS
Log Message
Access-Challenge packet received from RADIUS server.
Default Log Severity
Notice
Parameters
radiusserver, id
Explanation
An Access-Challenge packet was received from a RADIUS server.
Gateway Action
None
Action Description
None
Proposed Action
None

2.37.3. [ID: 678] Access-Reject packet received from RADIUS[...]

Log Categories
RADIUS
Log Message
Access-Reject packet received from RADIUS server.
Default Log Severity
Notice
Parameters
radiusserver, id
Explanation
An Access-Reject packet was received from a RADIUS server.
Gateway Action
None
Action Description
None
Proposed Action
If the response was not expected, verify that the user name and password as well as the RADIUS server shared secret are correct.

2.37.4. [ID: 691] Access-Request packet sent to RADIUS server

Log Categories
RADIUS
Log Message
Access-Request packet sent to RADIUS server.
Default Log Severity
Notice
Parameters
user, radiusserver, id
Explanation
An Access-Request packet was sent to a RADIUS server.
Gateway Action
None
Action Description
None
Proposed Action
None

2.37.5. [ID: 771] RADIUS challenge expired

Log Categories
RADIUS
Log Message
RADIUS challenge expired.
Default Log Severity
Warning
Parameters
user, radiusserver, id
Explanation
The client using RADIUS failed to respond to the challenge within the specified timeout.
Gateway Action
None
Action Description
None
Proposed Action
Verify that the timeout, if received from the RADIUS server, is correct.

2.37.6. [ID: 675] Non-responding RADIUS server

Log Categories
RADIUS
Log Message
Non-responding RADIUS server.
Default Log Severity
Warning
Parameters
user, radiusserver, id
Explanation
A RADIUS server did not answer an Access-Request after all configured resends had been sent.
Gateway Action
None
Action Description
None
Proposed Action
Verify that the RADIUS server configuration is correct.

2.37.7. [ID: 1075] Failed to initiate connection with RADIUS[...]

Log Categories
RADIUS
Log Message
Failed to initiate connection with RADIUS server.
Default Log Severity
Warning
Parameters
radiusserver, code
Explanation
It was not possible to create a connection to the RADIUS server.
Gateway Action
None
Action Description
None
Proposed Action
Verify that the configuration of the connection to the RADIUS server is correct.

2.37.8. [ID: 664] Failed to parse incoming RADIUS packet

Log Categories
RADIUS
Log Message
Failed to parse incoming RADIUS packet.
Default Log Severity
Warning
Parameters
pktlen, srcip, radiusserver, id, reason
Explanation
Failed to parse an incoming RADIUS packet.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.37.9. [ID: 791] Access-Request packet could not be created

Log Categories
RADIUS
Log Message
Access-Request packet could not be created.
Default Log Severity
Warning
Parameters
user, radiusserver, id, value, reason
Explanation
An Access-Request packet could not be created and sent to the configured RADIUS server.
Gateway Action
None
Action Description
None
Proposed Action
Verify that the authenticating client is configured correctly.

2.37.10. [ID: 683] Access-Request packet could not be sent to[...]

Log Categories
RADIUS
Log Message
Access-Request packet could not be sent to RADIUS server.
Default Log Severity
Warning
Parameters
user, radiusserver, id, reason
Explanation
An Access-Request packet could not be sent to the configured RADIUS server.
Gateway Action
None
Action Description
None
Proposed Action
None

2.38. ROUTE

These log messages refer to the ROUTE category.

2.38.1. [ID: 1064] Monitored host treated as reachable due to[...]

Log Categories
ROUTE
Log Message
Monitored host treated as reachable due to low latency.
Default Log Severity
Notice
Parameters
hostip, table, network, gwip, metric, iface
Explanation
A monitored host on the route is now considered unreachable due to high latency.
Gateway Action
None
Action Description
None
Proposed Action
Find and resolve the source of the high latency by checking the connection to the host.

2.38.2. [ID: 1067] Monitored host treated as unreachable due to[...]

Log Categories
ROUTE
Log Message
Monitored host treated as unreachable due to high latency.
Default Log Severity
Notice
Parameters
hostip, table, network, gwip, metric, iface
Explanation
A monitored host on the route is now considered reachable due to lowered latency.
Gateway Action
None
Action Description
None
Proposed Action
None

2.38.3. [ID: 1063] Monitored host reachable

Log Categories
ROUTE
Log Message
Monitored host reachable.
Default Log Severity
Notice
Parameters
hostip, table, network, gwip, metric, iface
Explanation
A monitored host on the route is now reachable (after being unreachable).
Gateway Action
None
Action Description
None
Proposed Action
None

2.38.4. [ID: 1066] Monitored host unreachable

Log Categories
ROUTE
Log Message
Monitored host unreachable.
Default Log Severity
Notice
Parameters
hostip, table, network, gwip, metric, iface
Explanation
A monitored host on the route is now unreachable.
Gateway Action
None
Action Description
None
Proposed Action
Find and resolve the source of the host being unreachable by checking the connection to the host.

2.38.5. [ID: 1068] Monitored route disabled

Log Categories
ROUTE
Log Message
Monitored route disabled.
Default Log Severity
Error
Parameters
table, network, gwip, metric, method, iface
Explanation
The monitoring method (method) triggered a monitored route to be disabled.
Gateway Action
Disable
Action Description
None
Proposed Action
Unless the link of the monitored route is actually malfunctioning, check for connectivity problems with the interface and/or monitored hosts.

2.38.6. [ID: 1065] Monitored route enabled

Log Categories
ROUTE
Log Message
Monitored route enabled.
Default Log Severity
Notice
Parameters
table, network, gwip, metric, method, iface
Explanation
The monitoring method (method) triggered a monitored route to be enabled.
Gateway Action
Enable
Action Description
None
Proposed Action
None

2.38.7. [ID: 652] Dynamic route added

Log Categories
ROUTE
Log Message
Dynamic route added.
Default Log Severity
Notice
Parameters
id, table, network, gwip, metric, originator, iface
Explanation
A dynamic route has been added to the routing table.
Gateway Action
None
Action Description
None
Proposed Action
None

2.38.8. [ID: 654] Dynamic route removed

Log Categories
ROUTE
Log Message
Dynamic route removed.
Default Log Severity
Notice
Parameters
id, table, network, gwip, metric, originator, iface
Explanation
A dynamic route has been removed from the routing table.
Gateway Action
None
Action Description
None
Proposed Action
None

2.39. RULE

These log messages refer to the RULE category.

2.39.1. [ID: 1230] IPC error managing dynamic rules

Log Categories
RULE
Log Message
IPC error managing dynamic rules.
Default Log Severity
Error
Parameters
module, error
Explanation
An unexpected and, hence, unhandled error occurred while managing dynamic rules. This may result in leaked rules remaining in the system after they should have been removed or reduced functionality if it was inserting new rules that failed.
Gateway Action
None
Action Description
None
Proposed Action
The device might need to be manually restarted to get full functionality. This should be reported to the vendor of the device.

2.39.2. [ID: 1240] Dynamic rules leaked

Log Categories
RULE
Log Message
Dynamic rules leaked.
Default Log Severity
Error
Parameters
module, count
Explanation
The system failed to remove rules that were dynamically set up by the module. Leaking/leaving unwanted dynamic rules in place is a last resort when all attempts to remove them have failed.
Gateway Action
None
Action Description
None
Proposed Action
The device might need to be manually restarted to get rid of those unwanted rules. This should be reported to the vendor of the device.

2.39.3. [ID: 1133] Blacklist rule added

Log Categories
RULE,BLACKLIST
Log Message
Blacklist rule added.
Default Log Severity
Information
Parameters
srcip, destip, proto, recviface
Explanation
A new blacklist rule has been added.
Gateway Action
None
Action Description
None
Proposed Action
None

2.39.4. [ID: 1164] Blacklist rule table size set to

Log Categories
RULE,BLACKLIST
Log Message
Blacklist rule table size set to.
Default Log Severity
Information
Parameters
size
Explanation
Maximum number of simultaneous blacklist entries changed/set to.
Gateway Action
None
Action Description
None
Proposed Action
None

2.39.5. [ID: 1141] Blacklist rule removed

Log Categories
RULE,BLACKLIST
Log Message
Blacklist rule removed.
Default Log Severity
Information
Parameters
srcip, destip, proto, recviface
Explanation
A blacklist rule has been removed either because it timed out or because the user manually removed it via the CLI.
Gateway Action
None
Action Description
None
Proposed Action
None

2.39.6. [ID: 1165] Blacklist rule replaced

Log Categories
RULE,BLACKLIST
Log Message
Blacklist rule replaced.
Default Log Severity
Information
Parameters
srcip, destip, proto, srcip, destip, proto, recviface, recviface
Explanation
A random blacklist rule has been replaced with another rule.
Gateway Action
None
Action Description
None
Proposed Action
None

2.39.7. [ID: 649] Flow HA sync disallowed by access rule

Log Categories
RULE,FLOW,HA
Log Message
Flow HA sync disallowed by access rule.
Default Log Severity
Notice
Parameters
srcip, destip, recviface, matchkey, rule
Explanation
The access rules on the inactive HA node did not allow this flow to be installed.
Gateway Action
Skip
Action Description
None
Proposed Action
This event can be caused by having different configurations on the HA nodes. Running a cluster with different configurations on the nodes is not recommended; consider synchronizing the configurations.

2.39.8. [ID: 643] Flow HA sync failed due to address[...]

Log Categories
RULE,FLOW,HA
Log Message
Flow HA sync failed due to address translation mismatch.
Default Log Severity
Notice
Parameters
matchkey, rule
Explanation
The flow could not be installed on the inactive node because the rules on the inactive node specified a different address translation than the rules on the active node.
Gateway Action
Skip
Action Description
None
Proposed Action
This event can be caused by having different configurations on the HA nodes. Running a cluster with different configurations on the nodes is not recommended; consider synchronizing the configurations.

2.39.9. [ID: 1150] Flow HA sync disallowed by blacklist rule

Log Categories
RULE,FLOW,HA,BLACKLIST
Log Message
Flow HA sync disallowed by blacklist rule.
Default Log Severity
Notice
Parameters
srcip, destip, recviface, matchkey, rule
Explanation
The blacklist rules on the inactive HA node did not allow this flow to be installed.
Gateway Action
Skip
Action Description
None
Proposed Action
This event can be caused by having different blacklist rules on the HA nodes. Running a cluster with different blacklist rules on the nodes is not recommended; consider synchronizing the blacklist rules.

2.39.10. [ID: 1662] Source IP not routed on receive interface

Log Categories
RULE,FLOW,HA
Log Message
Source IP not routed on receive interface.
Default Log Severity
Notice
Parameters
srcip, destip, recviface, matchkey
Explanation
The flow could not be installed on the inactive node due to the source IP of the flow not being routed over the receive interface of the flow according to the inactive node's configuration.
Gateway Action
Skip
Action Description
None
Proposed Action
This event can be caused by having different configurations on the HA nodes. Running a cluster with different configurations on the nodes is not recommended; consider synchronizing the configurations.

2.39.11. [ID: 647] Flow HA sync failed due to no route to[...]

Log Categories
RULE,FLOW,HA
Log Message
Flow HA sync failed due to no route to destination.
Default Log Severity
Notice
Parameters
destip, iface, matchkey
Explanation
The flow could not be installed on the inactive node due to no route to the destination.
Gateway Action
Skip
Action Description
None
Proposed Action
This event can be caused by having different configurations on the HA nodes. Running a cluster with different configurations on the nodes is not recommended; consider synchronizing the configurations.

2.39.12. [ID: 659] Flow HA sync failed due to no route to source

Log Categories
RULE,FLOW,HA
Log Message
Flow HA sync failed due to no route to source.
Default Log Severity
Notice
Parameters
srcip, iface, matchkey
Explanation
The flow could not be installed on the inactive node due to no route to the source.
Gateway Action
Skip
Action Description
None
Proposed Action
This event can be caused by having different configurations on the HA nodes. Running a cluster with different configurations on the nodes is not recommended; consider synchronizing the configurations.

2.39.13. [ID: 1395] Source address matches translation prefix

Log Categories
RULE,NAT64
Log Message
Source address matches translation prefix.
Default Log Severity
Notice
Parameters
prefix, matchkey, rule
Explanation
A packet with a source address matching the prefix used in protocol translation has been dropped. This is done to prevent hairpinning loops.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.39.14. [ID: 1088] Max sessions reached on ALG

Log Categories
RULE,FTPALG,SIPALG,DNSALG,GTPINSPECTION
Log Message
Max sessions reached on ALG.
Default Log Severity
Warning
Parameters
profile, type, max, pkt, rule, ruletype, ruleorigin
Explanation
The number of sessions on an ALG has reached the limit configured in the profile used.
Gateway Action
Drop
Action Description
None
Proposed Action
If the MaxSessions limit is reached under normal usage patterns, try increasing the MaxSessions on the profile used to allow more sessions through.

2.39.15. [ID: 109] Packet received open

Log Categories
RULE
Log Message
Packet received open.
Default Log Severity
Notice
Parameters
flow, rule, user, userid
Explanation
A packet that is allowed to be forwarded according to the settings was received. The traffic is configured to be allowed according to the rule set.
Gateway Action
Open
Action Description
None
Proposed Action
None

2.39.16. [ID: 431] Packet received reject

Log Categories
RULE
Log Message
Packet received reject.
Default Log Severity
Notice
Parameters
flow, rule, user, userid
Explanation
A packet that is allowed to be forwarded according to the settings was received. The traffic is configured to be rejected according to the rule set.
Gateway Action
Open
Action Description
None
Proposed Action
None

2.39.17. [ID: 1209] Unsupported protocol combination for ALG

Log Categories
RULE,FTPALG,SIPALG,DNSALG,GTPINSPECTION
Log Message
Unsupported protocol combination for ALG.
Default Log Severity
Notice
Parameters
type, proto, pkt, rule, ruletype, ruleorigin
Explanation
The matching rule specifies that an Application Layer Gateway (ALG) should process the traffic, but the selected ALG does not support the protocols used by the packet.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.39.18. [ID: 238] Allowed by access rule

Log Categories
RULE
Log Message
Allowed by access rule.
Default Log Severity
Notice
Parameters
pkt, rule
Explanation
The sender IP address was verified and accepted by an access rule in the access section.
Gateway Action
Allow
Action Description
None
Proposed Action
Modify the access rule accordingly, if the sender should not be allowed.

2.39.19. [ID: 242] Disallowed by access rule

Log Categories
RULE
Log Message
Disallowed by access rule.
Default Log Severity
Notice
Parameters
srcip, destip, recviface, pkt, rule
Explanation
The packet was dropped since the configuration, that is, access rules, does not allow packets from this sender to arrive at that interface.
Gateway Action
Drop
Action Description
None
Proposed Action
If the decision to drop the packet was correct but you don't want any logs, then either change the LogEnabled property on the access rule (if the rule is an explicitly configured access rule), add an access rule to drop the packet silently, or configure a log message exception in the log receiver to ignore this message. If the decision to drop the packet was incorrect, there are two cases. If the rule is an explicitly configured access rule, modify it, and possibly other access rules, accordingly. Otherwise, start by verifying that the routing is correctly configured for the sender's address, since routes provide automatic access rules. If that does not help, that is, in setups where packets from the sender arrive on a different interface than the one where packets to the sender are routed, add an access rule accepting the sender's address on the receive interface.

2.39.20. [ID: 1661] Source IP not routed on receive interface

Log Categories
RULE,ROUTE,IPSPOOFING
Log Message
Source IP not routed on receive interface.
Default Log Severity
Notice
Parameters
srcip, destip, recviface, srcroute, pkt
Explanation
The packet was dropped since the source IP of the packet is not routed over the receive interface of the packet. This event could indicate that someone is trying to use a spoofed IP address.
Gateway Action
Drop
Action Description
None
Proposed Action
This is an effect of the automatic reverse path ingress filtering of the system based on the routes known to the system. The default policy is basically "strict reverse path forwarding", that is, to be acceptable a packet must be received on the interface where packets to the source IP of the packet would be routed out. In some scenarios, for instance where asymmetric routing is used, this is too strict. Exceptions can then be made by marking interfaces as security equivalent or by adding explicit access rules to allow packets from the source IP on this interface even though packets to the source IP will be sent over some other interface.

2.39.21. [ID: 1653] Receive sub interface id mismatch with route[...]

Log Categories
RULE,ROUTE,IPSPOOFING
Log Message
Receive sub interface id mismatch with route to source IP.
Default Log Severity
Notice
Parameters
srcip, destip, recviface, srcroute, pkt
Explanation
The packet was dropped since the source IP is routed on another sub interface id (belongs to another client) than the packet was received from. This event could indicate that someone is trying to use a spoofed IP address.
Gateway Action
Drop
Action Description
None
Proposed Action
This is an effect of the automatic reverse path ingress filtering of the system based on the routes known to the system. The default policy is basically "strict reverse path forwarding", that is, to be acceptable a packet must be received on the interface where packets to the source IP of the packet would be routed out. In some scenarios, for instance where asymmetric routing is used, this is too strict. Exceptions can then be made by marking interfaces as security equivalent or by adding explicit access rules to allow packets from the source IP on this interface even though packets to the source IP will be sent over some other interface.
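The strict reverse path forwarding policy described for IDs 1661 and 1653, with the two exceptions named above, can be modelled as follows. This is an added example, not the product's own code: the names Route, AccessRule and rpf_check, the interface names, the order in which the checks run and the documentation-range addresses are assumptions, and sub interface ids (ID 1653) are not modelled.

```python
"""Simplified model of strict reverse path ingress filtering (added example)."""
import ipaddress
from typing import Iterable, NamedTuple, Optional, Set, Tuple


class Route(NamedTuple):
    prefix: str  # network the route covers, e.g. "192.0.2.0/24"
    iface: str   # interface packets to that network are sent out on


class AccessRule(NamedTuple):
    prefix: str  # sender addresses the rule accepts
    iface: str   # receive interface the rule applies to


def route_to(routes: Iterable[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match: the route the system would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route.prefix)
        if net.version == addr.version and addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def rpf_check(srcip: str, recviface: str, routes: Iterable[Route],
              equivalent: Iterable[Set[str]] = (),
              access_rules: Iterable[AccessRule] = ()) -> Tuple[str, str]:
    """Return (action, reason) for a packet from srcip received on recviface."""
    addr = ipaddress.ip_address(srcip)

    # Exception 1: an explicit access rule accepts this sender on this interface.
    for rule in access_rules:
        net = ipaddress.ip_network(rule.prefix)
        if rule.iface == recviface and net.version == addr.version and addr in net:
            return ("accept", "explicit access rule")

    route = route_to(routes, srcip)
    if route is None:
        return ("drop", "no route to source")

    # Strict RPF: the reply path must leave through the receive interface.
    if route.iface == recviface:
        return ("accept", "source routed on receive interface")

    # Exception 2: both interfaces are marked as security equivalent.
    for group in equivalent:
        if recviface in group and route.iface in group:
            return ("accept", "security equivalent interfaces")

    return ("drop", "source IP not routed on receive interface")


# Constructed sample routing table (documentation address ranges).
ROUTES = [
    Route("192.0.2.0/24", "lan"),
    Route("198.51.100.0/24", "dmz"),
    Route("0.0.0.0/0", "wan1"),
]

if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "lan", {}),    # normal LAN host
        ("192.0.2.10", "wan1", {}),   # LAN address arriving from outside
        ("203.0.113.7", "wan2", {}),  # asymmetric path, no exception
        ("203.0.113.7", "wan2", {"equivalent": [{"wan1", "wan2"}]}),
        ("203.0.113.7", "wan2",
         {"access_rules": [AccessRule("203.0.113.0/24", "wan2")]}),
    ]
    for srcip, iface, extra in cases:
        print(srcip, iface, rpf_check(srcip, iface, ROUTES, **extra))
```

The second case is the one the log message warns about: the default route covers 192.0.2.10 on wan1, but the more specific route places it on lan, so the packet is dropped.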

2.39.22. [ID: 394] Local Undelivered

Log Categories
RULE
Log Message
Local Undelivered.
Default Log Severity
Warning
Parameters
pkt
Explanation
Packet destined for the firewall itself was not picked up by any local service.
Gateway Action
Drop
Action Description
None
Proposed Action
Verify the configuration of the corresponding service if the packet should be processed.

2.39.23. [ID: 471] No route to destination

Log Categories
RULE
Log Message
No route to destination.
Default Log Severity
Warning
Parameters
destip, iface, pkt
Explanation
Further processing of the received packet is not allowed because no route covers the destination address.
Gateway Action
Drop
Action Description
None
Proposed Action
Configure route support for the destination if it should be allowed.

2.39.24. [ID: 129] No route to source

Log Categories
RULE
Log Message
No route to source.
Default Log Severity
Warning
Parameters
srcip, iface, pkt
Explanation
Further processing of the received packet is not allowed because no route covers the source address.
Gateway Action
Drop
Action Description
None
Proposed Action
Configure route support for the source if it should be allowed.

2.39.25. [ID: 514] Packet dropped by the ruleset

Log Categories
RULE
Log Message
Packet dropped by the ruleset.
Default Log Severity
Warning
Parameters
pkt, geoip, rule
Explanation
Further processing of the received packet is not allowed because it matched a drop rule in the ruleset.
Gateway Action
Drop
Action Description
None
Proposed Action
Modify the ruleset accordingly, if the traffic should be allowed.

2.39.26. [ID: 384] Non-NATable IP protocol

Log Categories
RULE,SYSTEM,PORTMGR
Log Message
Non-NATable IP protocol.
Default Log Severity
Warning
Parameters
proto, localip, destip, rule
Explanation
Network Address Translation (NAT) is only fully supported for TCP, UDP and ICMP flows. Address translation will still be applied to flows with IP protocol number proto, but it is only possible to have one such flow open between the source and destination IP pair localip-destip.
Gateway Action
Ignore
Action Description
None
Proposed Action
Modify the rule rule to only include NATable protocols.

2.39.27. [ID: 520] Could not allocate NAT port

Log Categories
RULE,SYSTEM,PORTMGR
Log Message
Could not allocate NAT port.
Default Log Severity
Error
Parameters
localip, destip, rule
Explanation
A NAT flow could not be opened since dynamic port allocation failed for the source and destination IP pair localip-destip.
Gateway Action
Drop
Action Description
None
Proposed Action
The system might be low on RAM or all ports for the specified source and destination IP pair might be allocated.

2.39.28. [ID: 987] Could not allocate NAT IP from NATPool

Log Categories
RULE,SYSTEM,NATPOOL
Log Message
Could not allocate NAT IP from NATPool.
Default Log Severity
Critical
Parameters
pool, srcip, rule
Explanation
The system failed to set up a new flow since allocation of a dynamic NAT IP from a NAT Pool failed.
Gateway Action
Drop
Action Description
None
Proposed Action
Review NAT Pool related log messages for an indication why this event occurred.

2.39.29. [ID: 1158] Whitelist prevents blacklist action from[...]

Log Categories
RULE,THRESHOLD,FLOW,BLACKLIST
Log Message
Whitelist prevents blacklist action from being executed.
Default Log Severity
Warning
Parameters
conflictrule, name, matchkey, rule
Explanation
A flow setup attempt triggered threshold set name in threshold rule conflictrule: The flow setup attempt should have been blocked and blacklisted, but this was overruled by the whitelist rule rule. The flow setup attempt has therefore been allowed.
Gateway Action
Ignore
Action Description
A threshold blacklist action was prevented from being executed by a whitelist rule
Proposed Action
Investigate why the threshold rules are triggered by whitelisted traffic. Normally this should never happen; it may signify that network resources have been compromised.

2.40. SCTP

These log messages refer to the SCTP category.

2.40.1. [ID: 1335] IP address outside IP rule filter

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
IP address outside IP rule filter.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, ip, pkt, assoc, rule
Explanation
The packet contains an alternative transport address that does not comply with the IP rule. For stateful SCTP inspection, traffic to and from addresses that don't match the IP rule will not be allowed once the association has been established, since that would cause problems for the association's state tracking if the traffic uses paths that do not pass through the firewall. By disallowing such addresses, the association is narrowed down to match that of the IP rule.
Gateway Action
Strip
Action Description
None
Proposed Action
None

2.40.2. [ID: 1350] IP address outside IP rule filter

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
IP address outside IP rule filter.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, ip, pkt, assoc, rule
Explanation
The packet contains an alternative transport address that does not comply with the IP rule. For stateful SCTP inspection, traffic to and from addresses that don't match the IP rule will not be allowed once the association has been established, since that would cause problems for the association's state tracking if the traffic uses paths that do not pass through the firewall. By disallowing such addresses, the association is narrowed down to match that of the IP rule.
Gateway Action
Strip
Action Description
None
Proposed Action
None

2.40.3. [ID: 1371] ABORT bundled with DATA chunk

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
ABORT bundled with DATA chunk.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt
Explanation
An abort message was bundled with DATA chunks.
Gateway Action
Drop
Action Description
None
Proposed Action
This log message is controlled by SCTPSettings:SCTPLogFormatError.

2.40.4. [ID: 1216] Advertised receiver window credit too low

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Advertised receiver window credit too low.
Default Log Severity
Warning
Parameters
value, pkt
Explanation
This log message indicates that the advertised window credit during association setup is too low. Normally this is the maximum window credit for the entire lifetime of the association. Not only does this affect the data transfer rate, but also the maximum user message size in bytes. This log message is indirectly controlled by SCTPSettings:SCTPMinInitWindowCredit.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.5. [ID: 1324] Association abort

Log Categories
SCTP,STATEFUL
Log Message
Association abort.
Default Log Severity
Warning
Parameters
pkt, assoc, rule
Explanation
The association was aborted by a peer.
Gateway Action
Abort
Action Description
None
Proposed Action
None

2.40.6. [ID: 1361] Established association exists

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Established association exists.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation
The association the current control chunk is trying to establish already exists.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.7. [ID: 1367] Association established

Log Categories
SCTP,STATEFUL
Log Message
Association established.
Default Log Severity
Information
Parameters
pkt, assoc, rule
Explanation
An SCTP association handshake has been completed, and a new association has been established.
Gateway Action
Enable
Action Description
None
Proposed Action
None

2.40.8. [ID: 1658] Association establishment clash

Log Categories
SCTP,STATEFUL
Log Message
Association establishment clash.
Default Log Severity
Warning
Parameters
pkt, assoc, rule
Explanation
The association failed to establish because it tried to claim a combination of ports and IP addresses that is already in use by another association.
Gateway Action
Abort
Action Description
None
Proposed Action
The system may contain lingering associations that have been silently abandoned for one reason or another (there is also a known attack with these symptoms). Verify that the existing associations are valid; by default SCTP has a very long idle timeout and abandoned associations may need to be manually removed.

2.40.9. [ID: 1689] Association no longer allowed

Log Categories
SCTP,STATEFUL
Log Message
Association no longer allowed.
Default Log Severity
Warning
Parameters
assoc, rule
Explanation
The system policy has been updated, and as a consequence the association assoc was no longer allowed. The association has been forcefully closed.
Gateway Action
Close
Action Description
None
Proposed Action
Verify that the endpoints are aware that the association has been closed.

2.40.10. [ID: 1362] Association closed due to idle timeout

Log Categories
SCTP,STATEFUL
Log Message
Association closed due to idle timeout.
Default Log Severity
Information
Parameters
assoc, rule
Explanation
An SCTP association was closed due to idle timeout. An SCTP association is considered "idle" if it has no flows.
Gateway Action
Close
Action Description
None
Proposed Action
Strictly following RFC 4960, an established SCTP association should never time out. Examine the hosts involved if this is a recurring problem. The idle lifetime can also be adjusted using the setting SCTPSettings:SCTPIdleLifetime.

2.40.11. [ID: 1359] Handshake random replace

Log Categories
SCTP,STATEFUL
Log Message
Handshake random replace.
Default Log Severity
Warning
Parameters
assoc, rule
Explanation
There are too many concurrent SCTP handshakes and a randomly chosen handshake attempt has been discarded.
Gateway Action
Close
Action Description
None
Proposed Action
The maximum number of concurrent SCTP handshakes can be adjusted with SCTPSettings:SCTPMaxHandshake. Configure the system to support more simultaneous handshakes, or try to track down the host(s) that overload the network.

2.40.12. [ID: 1326] Association handshake timeout

Log Categories
SCTP,STATEFUL
Log Message
Association handshake timeout.
Default Log Severity
Warning
Parameters
assoc, rule
Explanation
An SCTP association handshake timed out. No association was ever established. Larger amounts of "handshake timeouts" may be caused by port scanning.
Gateway Action
Close
Action Description
No association has been set up
Proposed Action
The maximum lifetime of a handshake can be adjusted using the setting SCTPSettings:SCTPHandshakeLifetime.

2.40.13. [ID: 1332] Association handshake initiated

Log Categories
SCTP,STATEFUL
Log Message
Association handshake initiated.
Default Log Severity
Notice
Parameters
pkt, assoc, rule
Explanation
An SCTP init message was received. This is the first part of an SCTP association handshake.
Gateway Action
Open
Action Description
Allowed by the configuration
Proposed Action
None; normally a log message that the association has been established should follow.

2.40.14. [ID: 1639] Association handshake restart

Log Categories
SCTP,STATEFUL
Log Message
Association handshake restart.
Default Log Severity
Notice
Parameters
pkt, assoc, rule
Explanation
An SCTP init message was received by an established association. This is an anomalous event that can happen, for example, if either of the endpoints has lost its state (crashed or rebooted).
Gateway Action
Reopen
Action Description
None
Proposed Action
None; normally a log message that the association has been established should follow.

2.40.15. [ID: 1659] Association restart clash

Log Categories
SCTP,STATEFUL
Log Message
Association restart clash.
Default Log Severity
Warning
Parameters
pkt, assoc, rule
Explanation
A failed attempt was made to restart an SCTP association, leaving the old association unaffected. The attempt failed to establish the new association because the new association tried to claim a combination of ports and IP addresses that is already in use by other existing associations.
Gateway Action
Abort
Action Description
None
Proposed Action
The system may contain lingering associations that have been silently abandoned for one reason or another (there is also a known attack with these symptoms). Verify that the existing associations are valid; by default SCTP has a very long idle timeout and abandoned associations may need to be manually removed.

2.40.16. [ID: 1329] Association restart initiated

Log Categories
SCTP,STATEFUL
Log Message
Association restart initiated.
Default Log Severity
Notice
Parameters
newinitvtag, newrespvtag, assoc, rule
Explanation
An SCTP init message, matching an existing association, was received. This might be an association restart, in which case it should be followed by an "association restarted" log message.
Gateway Action
Open
Action Description
None
Proposed Action
None

2.40.17. [ID: 1384] Association restart initiated

Log Categories
SCTP,STATEFUL
Log Message
Association restart initiated.
Default Log Severity
Notice
Parameters
newinitip, newrespip, newinitvtag, newrespvtag, assoc, rule
Explanation
An SCTP init message, matching an existing association, was received. This might be an association restart, in which case it should be followed by an "association restarted" log message.
Gateway Action
Open
Action Description
None
Proposed Action
None

2.40.18. [ID: 1339] Association restarted

Log Categories
SCTP,STATEFUL
Log Message
Association restarted.
Default Log Severity
Information
Parameters
pkt, assoc, rule
Explanation
An SCTP association was successfully restarted.
Gateway Action
Reopen
Action Description
The effect is the same as if the old association had been closed, and a new one has been negotiated
Proposed Action
None

2.40.19. [ID: 1347] Association random replace

Log Categories
SCTP,STATEFUL
Log Message
Association random replace.
Default Log Severity
Warning
Parameters
assoc, rule
Explanation
There are too many concurrent established SCTP associations and a randomly chosen association has been discarded. More precisely, the currently established SCTP associations are using too many resources and one association has been selected for removal. The selection is made randomly, but associations using more resources are more likely to be chosen.
Gateway Action
Close
Action Description
None
Proposed Action
The maximum number of concurrent SCTP associations can be (indirectly) adjusted with SCTPSettings:SCTPMaxAssocLinks. Configure the system to support more simultaneous associations, or try to track down the host(s) that overload the network. Note that the setting counts the number of IP combinations that can be made within the associations; with the maximum supported IP addresses (32 per endpoint) the setting should be given a value that is 1024 (32 x 32) times larger than the maximum concurrent associations.

2.40.20. [ID: 1327] Association timeout on shutdown

Log Categories
SCTP,STATEFUL
Log Message
Association timeout on shutdown.
Default Log Severity
Warning
Parameters
assoc, rule
Explanation
An SCTP association was forcibly closed since the shutdown sequence timed out.
Gateway Action
Close
Action Description
None
Proposed Action
Strictly following RFC 4960, an SCTP association should never time out during the shutdown sequence. Examine the hosts involved if this is a recurring problem. The maximum lifetime of the shutdown sequence can be adjusted using the setting SCTPSettings:SCTPHandshakeLifetime.

2.40.21. [ID: 1358] Association closed

Log Categories
SCTP,STATEFUL
Log Message
Association closed.
Default Log Severity
Notice
Parameters
pkt, assoc, rule
Explanation
The association has been gracefully closed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.40.22. [ID: 1343] Association shutdown received

Log Categories
SCTP,STATEFUL
Log Message
Association shutdown received.
Default Log Severity
Information
Parameters
pkt, assoc, rule
Explanation
An SCTP association has begun a shutdown sequence.
Gateway Action
Allow
Action Description
The association is now effectively closed, but will linger until the peer has acknowledged the shutdown
Proposed Action
None

2.40.23. [ID: 1640] Association linger timeout

Log Categories
SCTP,STATEFUL
Log Message
Association linger timeout.
Default Log Severity
Critical
Parameters
assoc, rule
Explanation
The system failed to synchronize the shutdown of an SCTP association over the HA cluster, and could not recover the necessary information to retry. This may have left the association open in the established state, even though it should have been closed. Such associations will eventually time out, but may be possible to exploit in the meantime.
Gateway Action
Discard
Action Description
Timeout while waiting for HA peer to acknowledge deletion of closed association
Proposed Action
Check if the association (identified as assoc) has been left open (verify that there are no log messages saying that it has been "restarted" or that a new one has been opened with the same network parameters); manually close it if so.

2.40.24. [ID: 1357] PPID blacklisted

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
PPID blacklisted.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, ppid, pkt, assoc, rule
Explanation
The Payload Protocol Identifier of a DATA chunk was blacklisted by the SCTP service that is used by the IP rule that allows the traffic.
Gateway Action
Drop
Action Description
None
Proposed Action
Exclude the Payload Protocol Identifier from the blacklist of the SCTP service used if you want to allow it.

2.40.25. [ID: 1239] Bundled singular chunk type

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Bundled singular chunk type.
Default Log Severity
Warning
Parameters
chunktype, count, pkt
Explanation
Certain chunks are not allowed to be mixed with other chunks in the same packet; in fact only one such chunk is allowed per packet. In this case a packet was found to not honor this restriction.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets.

2.40.26. [ID: 1377] Unexpected cookie ack from initiator of[...]

Log Categories
SCTP,STATEFUL
Log Message
Unexpected cookie ack from initiator of restart.
Default Log Severity
Warning
Parameters
pkt, assoc, rule
Explanation
A COOKIE ACK was received from the initiator of a restart instead of the responder.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.27. [ID: 1375] Unexpected cookie echo from responder of[...]

Log Categories
SCTP,STATEFUL
Log Message
Unexpected cookie echo from responder of restart.
Default Log Severity
Warning
Parameters
pkt, assoc, rule
Explanation
A COOKIE ECHO was received from the responder of a restart instead of the initiator.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.28. [ID: 1298] Chunk length includes padding at end

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Chunk length includes padding at end.
Default Log Severity
Notice
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, padlen, pkt
Explanation
The length parameter of a chunk includes the padding at the end.
Gateway Action
Allow
Action Description
None
Proposed Action
This log message is controlled by SCTPSettings:SCTPLogFormatError.

2.40.29. [ID: 1660] Cookie echoed

Log Categories
SCTP,STATEFUL
Log Message
Cookie echoed.
Default Log Severity
Debug
Parameters
pkt, assoc, rule
Explanation
An SCTP cookie-echo message was received. This is the third part of an SCTP association handshake, consisting of the initiator returning the responder's "cookie".
Gateway Action
Accept
Action Description
Part of association handshake.
Proposed Action
None; normally a log message that the association has been established should follow.

2.40.30. [ID: 1439] Stripped DATA chunk from packet containing[...]

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Stripped DATA chunk from packet containing SHUTDOWN.
Default Log Severity
Information
Parameters
chunktype, chunkindex, chunkoffset, chunklen, pkt
Explanation
DATA chunk found after SHUTDOWN chunk.
Gateway Action
Strip
Action Description
None
Proposed Action
None

2.40.31. [ID: 1363] Destination port mismatch

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Destination port mismatch.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, destport, pkt, assoc, rule
Explanation
The destination port of an SCTP packet sent by the initiator of an association does not match the destination port of the association the packet belongs to.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.32. [ID: 1369] Unexpected DATA from shutdown initiator

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Unexpected DATA from shutdown initiator.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation
A DATA chunk has been received for an SCTP association from the initiator of the shutdown.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.33. [ID: 1352] Initial vtag changed

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Initial vtag changed.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, newvtag, pkt, assoc, rule
Explanation
During SCTP association establishment, an INIT_ACK chunk was seen that is not the first one and that contains a different initiate tag than the first INIT_ACK chunk sent.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.34. [ID: 1345] No init seen

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
No init seen.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation
No former INIT chunk was encountered that justifies the receipt of the current chunk.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.35. [ID: 1386] Restart changed initiator IP address number

Log Categories
SCTP,STATEFUL
Log Message
Restart changed initiator IP address number.
Default Log Severity
Warning
Parameters
old, new, pkt, assoc, rule
Explanation
An INIT chunk was received for a restart of an association. The restart contains more IP addresses than the original association.
Gateway Action
Drop
Action Description
None
Proposed Action
Make sure a restart does not contain more IP addresses than the original association.

2.40.36. [ID: 1376] Restart added initiator IP address

Log Categories
SCTP,STATEFUL
Log Message
Restart added initiator IP address.
Default Log Severity
Warning
Parameters
ip, pkt, assoc, rule
Explanation
A restart was issued which added a new IP address for the initiator of an SCTP association.
Gateway Action
Drop
Action Description
None
Proposed Action
Make sure a restart does not add IP addresses that do not exist to the initiator of the original association.

2.40.37. [ID: 1383] Restart added responder IP address

Log Categories
SCTP,STATEFUL
Log Message
Restart added responder IP address.
Default Log Severity
Warning
Parameters
ip, pkt, assoc, rule
Explanation
A restart was issued which added a new IP address for the responder of an SCTP association.
Gateway Action
Drop
Action Description
None
Proposed Action
Make sure a restart does not add IP addresses that do not exist to the responder of the original association.

2.40.38. [ID: 1387] Restart changed responder IP address number

Log Categories
SCTP,STATEFUL
Log Message
Restart changed responder IP address number.
Default Log Severity
Warning
Parameters
old, new, pkt, assoc, rule
Explanation
An INIT-ACK chunk was received for a restart of an association. The restart contains more IP addresses than the original association.
Gateway Action
Drop
Action Description
None
Proposed Action
Make sure a restart does not contain more IP addresses than the original association.

2.40.39. [ID: 1338] Wrong association restart state

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Wrong association restart state.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation
A COOKIE_ACK has been received for a restart of an association which is not in the COOKIE_ECHOED or ESTABLISHED state.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.40. [ID: 1368] Shutdown during establishment

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Shutdown during establishment.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation
Received a shutdown related control chunk during the establishment of an association.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.41. [ID: 1355] Expired restart period

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Expired restart period.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation
The period for an association to be restarted has expired.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.42. [ID: 1333] Too many shutdown requests

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Too many shutdown requests.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation
More than one SHUTDOWN or ABORT chunk has been received for the association within two seconds.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.43. [ID: 1346] Unexpected COOKIE ACK

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Unexpected COOKIE ACK.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation
A COOKIE_ACK chunk has been received while the current association is neither in the expected COOKIE_ECHOED state nor in the ESTABLISHED state with the potential for a possible restart.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.44. [ID: 1331] Unexpected COOKIE ECHO

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Unexpected COOKIE ECHO.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation
A stray COOKIE_ECHO chunk has been received while the association has either received only an INIT chunk or is shutting down. Possibly a stale packet that was used to establish the present association or a past association that is no longer in existence.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.45. [ID: 1656] Unexpected DATA from initiator

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Unexpected DATA from initiator.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation
A DATA chunk from the initiator was seen, before having received a valid COOKIE-ECHO from the initiator. The packet has been dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.46. [ID: 1654] Unexpected DATA from responder

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Unexpected DATA from responder.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation
A DATA chunk from the responder was seen, before having received the (Cookie) Echo-Ack from the responder. The packet has been dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.47. [ID: 1342] Unexpected shutdown chunk

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Unexpected shutdown chunk.
Default Log Severity
Warning
Parameters
iplen, state, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation
Received a shutdown related control chunk while the association was in the wrong state.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.48. [ID: 1288] Empty state cookie parameter found

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Empty state cookie parameter found.
Default Log Severity
Warning
Parameters
chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation
A state cookie parameter with no value was found within an INIT_ACK chunk.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is invalid. If the packet sender is one of your network devices, investigate why the unit is sending empty state cookie parameters within INIT_ACK chunks.

2.40.49. [ID: 1686] Clash

Log Categories
SCTP,STATEFUL,HA
Log Message
Clash.
Default Log Severity
Critical
Parameters
srcport, srcip, destport, destip, srciface, assoc, rule
Explanation
Cannot synchronize assoc; an incompatible SCTP association exists at this node.
Gateway Action
Abort
Action Description
Synchronization failed and the system now has two different SCTP associations that at least partially respond to the same traffic.
Proposed Action
Identify the two mutually exclusive associations, and manually resolve the situation. Consider rebooting one of the HA nodes.

2.40.50. [ID: 1685] Clash

Log Categories
SCTP,STATEFUL,HA
Log Message
Clash.
Default Log Severity
Warning
Parameters
srcport, srcip, destport, destip, srciface, assoc, rule
Explanation
Synchronization encountered an incompatible SCTP association at the current node. This was resolved by discarding the existing association without notifying the endpoints, as it (assoc) did not appear to have been in use for some time. More specifically, it had not been forwarding any traffic for a time exceeding the one given by FlowTimeoutSettings:FlowLifetimeSCTPStateful.
Gateway Action
Discard
Action Description
Synchronization encountered an unexpected situation involving two mutually exclusive SCTP associations. However, as one of the associations had been unused (not forwarding traffic) for a time of at least FlowTimeoutSettings:FlowLifetimeSCTPStateful, the assoc was discarded in favour of the one synchronized.
Proposed Action
Verify that discarding the association was indeed correct.

2.40.51. [ID: 1684] Disallowed

Log Categories
SCTP,STATEFUL,HA
Log Message
Disallowed.
Default Log Severity
Warning
Parameters
srcport, srcip, destport, destip, srciface
Explanation
Disallowed by policies at the current node, but allowed by the peer node. This sometimes happens when associations are being set up at the same time that the HA node is booting up, or when the configuration has been updated at the HA peer but not at the current node.
Gateway Action
Ignore
Action Description
The association will not be synchronized; at least not for the moment.
Proposed Action
Usually the association is synchronized once the HA peer has been updated, but it is still advised to verify that the relevant association has been properly synchronized.

2.40.52. [ID: 1170] Host name address detected

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Host name address detected.
Default Log Severity
Notice
Parameters
name, offset, datalen, pkt
Explanation
The packet contains a Host Name address parameter; an alternative address using the DNS format. Note that the host name will be resolved by an external, potentially compromised, entity. Therefore it has the potential to circumvent the IP policy (but not the routes). Whether this will incur a security risk depends on the network layout, but it does increase the target area. This log message is controlled by SCTPSettings:SCTPHostNameAddressParam.
Gateway Action
Allow
Action Description
None
Proposed Action
None

2.40.53. [ID: 1189] Host name address detected

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Host name address detected.
Default Log Severity
Information
Parameters
name, offset, datalen, pkt
Explanation
The packet contains a Host Name address parameter; an alternative address using the DNS format. Note that the host name will be resolved by an external, potentially compromised, entity. Therefore it has the potential to circumvent the IP policy (but not the routes). Whether this will incur a security risk depends on the network layout, but it does increase the target area. This log message is controlled by SCTPSettings:SCTPHostNameAddressParam.
Gateway Action
Strip
Action Description
None
Proposed Action
None

2.40.54. [ID: 1374] Host name address detected

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Host name address detected.
Default Log Severity
Warning
Parameters
name, offset, datalen, pkt, assoc, rule
Explanation
For stateful inspection of SCTP traffic, a Host Name Address parameter always gets stripped from a chunk.
Gateway Action
Strip
Action Description
None
Proposed Action
None

2.40.55. [ID: 1381] Wrong initiator primary IP

Log Categories
SCTP,STATEFUL
Log Message
Wrong initiator primary IP.
Default Log Severity
Warning
Parameters
ip, pkt, assoc, rule
Explanation
A packet with an INIT ACK chunk was received for a restart, but its destination IP was not the primary IP that the initiator of the restart declared in the previous INIT chunk it sent.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.56. [ID: 1379] Wrong responder primary IP

Log Categories
SCTP,STATEFUL
Log Message
Wrong responder primary IP.
Default Log Severity
Warning
Parameters
ip, pkt, assoc, rule
Explanation
A packet with an INIT ACK chunk was received for a restart, but its source IP was not the destination IP that the initiator of the restart used in the previous INIT chunk it sent.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.57. [ID: 1373] IP address inside IP rule filter

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
IP address inside IP rule filter.
Default Log Severity
Warning
Parameters
ip, pkt
Explanation
Although the IP address parameter encountered in an SCTP chunk is within the IP rule filter, the setting SCTPSettings:SCTPMultihoming does not allow it.
Gateway Action
Strip
Action Description
None
Proposed Action
None

2.40.58. [ID: 1198] IP address outside IP rule filter

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
IP address outside IP rule filter.
Default Log Severity
Information
Parameters
ip, pkt
Explanation
The packet contains an alternative transport address that does not comply with the IP rule. This log message, as well as how these addresses are treated by the system, is controlled by SCTPSettings:SCTPMultihoming. Allowing the association to use this transport address will result in a loosened IP policy; traffic to and from addresses that don't match the IP rule will be allowed once the association has been established. By disallowing this kind of address, the association is narrowed down to match that of the IP rule.
Gateway Action
Strip
Action Description
None
Proposed Action
None

2.40.59. [ID: 1177] IP address outside IP rule filter

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
IP address outside IP rule filter.
Default Log Severity
Notice
Parameters
ip, pkt
Explanation
The packet contains an alternative transport address that does not comply with the IP rule. This log message, as well as how these addresses are treated by the system, is controlled by SCTPSettings:SCTPMultihoming. Allowing the association to use this transport address will result in a loosened IP policy; traffic to and from addresses that don't match the IP rule will be allowed once the association has been established. By disallowing this kind of address, the association is narrowed down to match that of the IP rule.
Gateway Action
Allow
Action Description
None
Proposed Action
None

2.40.60. [ID: 1348] Source IP disallowed by association

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Source IP disallowed by association.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation
The initiator of an association has sent an SCTP packet using an IP that does not exist in the list of its IP addresses.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.61. [ID: 1385] IP disallowed by initiator of restart

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
IP disallowed by initiator of restart.
Default Log Severity
Warning
Parameters
ip, iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation
A packet with a COOKIE ECHO chunk has been received for a restart using an IP address that is used by the peer for the original association but was not included to be used for the restart as well.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.62. [ID: 1336] Destination IP disallowed by association

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Destination IP disallowed by association.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation
The initiator of an association has sent an SCTP packet using as destination IP an IP that does not exist in the list of the responder's IP addresses.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.63. [ID: 1378] IP disallowed by responder of restart

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
IP disallowed by responder of restart.
Default Log Severity
Warning
Parameters
ip, iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation
A packet with a COOKIE ACK chunk has been received for a restart using an IP address that is used by the peer for the original association but was not included to be used for the restart as well.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.64. [ID: 1294] SCTP padding with illegal length

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
SCTP padding with illegal length.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation
An SCTP chunk contained more than 3 bytes of padding (padlen bytes). According to RFC 4960, padding MUST NOT exceed 3 bytes in total. The illegal padding is located at offset offset (relative to the SCTP header), inside the chunk with index chunkindex. This may also be a severely malformed packet, whose content is impossible to interpret.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets.

2.40.65. [ID: 1271] SCTP mis-aligned by padding

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
SCTP mis-aligned by padding.
Default Log Severity
Warning
Parameters
offset, padlen, pkt
Explanation
What looks like mis-aligned padding was found at the end of the SCTP packet. The padding in itself was not a problem; this padding caused the end of the packet to be mis-aligned. Padding to a mis-aligned offset is not only pointless, but it is also a telltale sign of something broken.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets.

2.40.66. [ID: 1277] SCTP chunk end mis-aligned by padding

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
SCTP chunk end mis-aligned by padding.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation
What looks like mis-aligned padding was found at the end of a chunk inside the SCTP packet; this padding caused the end of the chunk to be mis-aligned. Padding to a mis-aligned offset is not only pointless, but it is also a telltale sign of something broken.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets.

2.40.67. [ID: 1291] Address type illegal with Host Name Address[...]

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Address type illegal with Host Name Address option.
Default Log Severity
Warning
Parameters
paramtype, pkt
Explanation
An SCTP message combines the Host Name Address parameter with an address parameter of type paramtype. RFC4960 explicitly forbids the Host Name Address option to be combined with address parameters of any other address type.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is invalid. If the packet sender is one of your network devices, investigate why the unit is trying to use both static address and host name address parameters.

2.40.68. [ID: 1663] Init-ack seen

Log Categories
SCTP,STATEFUL
Log Message
Init-ack seen.
Default Log Severity
Debug
Parameters
pkt, assoc, rule
Explanation
An SCTP init-ack message was received. This is the second part of an SCTP association handshake, and the first reply from the responder. The message contains a "cookie" that the initiator is supposed to return unchanged.
Gateway Action
Accept
Action Description
Part of association handshake.
Proposed Action
None; normally a log message that the association has been established should follow.

2.40.69. [ID: 1382] Association restart from initiator failed

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Association restart from initiator failed.
Default Log Severity
Warning
Parameters
pkt, assoc, rule
Explanation
The initiator of an association issued a restart using a different primary IP and possibly interface but no matching IP rule was found to allow it.
Gateway Action
Drop
Action Description
None
Proposed Action
Configure an IP rule that allows the initiator to issue a restart using the new primary IP and interface.

2.40.70. [ID: 1366] Initiator vtag mismatch

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Initiator vtag mismatch.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, vtag, pkt, assoc, rule
Explanation
The verification tag of an SCTP common header sent by the responder of an SCTP association does not match the verification tag of the initiator.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.71. [ID: 1176] Invalid SCTP checksum

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Invalid SCTP checksum.
Default Log Severity
Notice
Parameters
chksum, calcchksum, pkt
Explanation
The checksum of the SCTP message was incorrect.
Gateway Action
Allow
Action Description
None
Proposed Action
Set SCTPSettings:SCTPValidateChecksum to change the behavior for SCTP checksum validation.

2.40.72. [ID: 1242] Invalid SCTP checksum

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Invalid SCTP checksum.
Default Log Severity
Warning
Parameters
chksum, calcchksum, pkt
Explanation
The checksum of the SCTP message was incorrect.
Gateway Action
Drop
Action Description
None
Proposed Action
Set SCTPSettings:SCTPValidateChecksum to change the behavior for SCTP checksum validation.

2.40.73. [ID: 1178] Invalid SCTP chunk length

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Invalid SCTP chunk length.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt
Explanation
The chunk length exceeded the SCTP message length, or the length did not match the length specified for that chunk type.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets.

2.40.74. [ID: 1174] Invalid SCTP destination port

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Invalid SCTP destination port.
Default Log Severity
Notice
Parameters
matchkey
Explanation
The destination port of the SCTP message was zero.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.75. [ID: 1337] Invalid destination route

Log Categories
SCTP,ROUTE,STATEFUL,VALIDATE
Log Message
Invalid destination route.
Default Log Severity
Warning
Parameters
destiface, iface, flow, assoc, rule, user, userid
Explanation
The destination IP was routed via an interface destiface that is not security equivalent with the corresponding interface iface used when the association was set up. From the moment the association is set up, the initiator is assumed to be reached via the interface from which the INIT message was received, or one that is security equivalent with it. Similarly the responder is assumed to be reached via the original destination interface of the INIT message, or one that is security equivalent with it. This log message is generated when the assumption is violated by the traffic.
Gateway Action
Drop
Action Description
The system prevented an SCTP flow from being opened because the destination route is deemed not to be security equivalent with those used during association setup.
Proposed Action
Establish whether the IP address is routed via the correct interface. Verify whether the IP address is valid for the association. Review whether the destination interface destiface should be security equivalent with the corresponding interface iface used at the association setup.

2.40.76. [ID: 1194] Invalid SCTP error cause length

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Invalid SCTP error cause length.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, code, offset, datalen, pkt
Explanation
The length of the error cause exceeded the SCTP ERROR chunk length, or the length did not match the length specified for that error cause type.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets.

2.40.77. [ID: 1273] Invalid SCTP heartbeat information

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Invalid SCTP heartbeat information.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, type, datalen, pkt
Explanation
The information of a HEARTBEAT or HEARTBEAT ACK chunk chunktype was of the wrong type type. This log is controlled by SCTPSettings:SCTPLogFormatError.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.78. [ID: 1187] Invalid Host Name address format

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Invalid Host Name address format.
Default Log Severity
Warning
Parameters
iplen, offset, datalen, pkt
Explanation
A badly formatted Host Name address parameter was found. This log is controlled by SCTPSettings:SCTPLogFormatError.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets.

2.40.79. [ID: 1353] Invalid stream ID

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Invalid stream ID.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, streamid, max, pkt, assoc, rule
Explanation
The stream ID of an SCTP DATA chunk was larger than the maximum inbound stream ID of the association.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.80. [ID: 1258] Illegal initiate tag

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Illegal initiate tag.
Default Log Severity
Warning
Parameters
value, pkt
Explanation
The initiate tag of the SCTP INIT chunk was zero which is not allowed.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.81. [ID: 1257] Invalid number of streams

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Invalid number of streams.
Default Log Severity
Warning
Parameters
inbound, outbound, pkt
Explanation
The number of inbound or outbound streams in an INIT chunk was zero.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.82. [ID: 1188] Invalid number of mandatory SCTP parameters

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Invalid number of mandatory SCTP parameters.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, code, offset, datalen, value, pkt
Explanation
A chunk was missing mandatory parameters. This log is controlled by SCTPSettings:SCTPLogFormatError.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets.

2.40.83. [ID: 1325] Invalid stream ID

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Invalid stream ID.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, streamid, max, pkt, assoc, rule
Explanation
The stream ID of an SCTP DATA chunk was larger than the maximum outbound stream ID of the association.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.84. [ID: 1296] Invalid pad parameter inside chunk

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Invalid pad parameter inside chunk.
Default Log Severity
Warning
Parameters
chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, padlen, pkt
Explanation
A padding parameter according to RFC4820 was found within a chunk that is not an INIT chunk. According to RFC4820, apart from an INIT chunk, the padding parameter must not be included in any other chunk.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is invalid. If the packet sender is one of your network devices, investigate why the unit is sending packets with padding parameters included in other chunks than an INIT chunk.

2.40.85. [ID: 1195] Invalid SCTP chunk parameter length

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Invalid SCTP chunk parameter length.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation
The parameter length exceeded the SCTP chunk length, or the parameter length did not match the length specified for that parameter type.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is broken. If the packet sender is one of your network devices, investigate why the unit is sending malformed packets.

2.40.86. [ID: 1354] Invalid source interface

Log Categories
SCTP,ROUTE,STATEFUL,VALIDATE
Log Message
Invalid source interface.
Default Log Severity
Warning
Parameters
recviface, iface, flow, assoc, rule, user, userid
Explanation
The source IP was received by interface recviface that is not security equivalent with the corresponding interface iface that was used when the association was set up. From the moment the association is set up, the initiator is assumed to be reached via the interface from which the INIT message was received, or one that is security equivalent with it. Similarly the responder is assumed to be reached via the original destination interface of the INIT message, or one that is security equivalent with it. This log message is generated when the assumption is violated by the traffic.
Gateway Action
Drop
Action Description
The system prevented an SCTP flow from being opened because the source route is deemed not to be security equivalent with those used during association setup.
Proposed Action
Establish whether the IP address was received by the correct interface. Verify whether the IP address is valid for the association. Review whether the receive interface recviface should be security equivalent with the corresponding interface iface used at the association setup.

2.40.87. [ID: 1167] Invalid SCTP source port

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Invalid SCTP source port.
Default Log Severity
Notice
Parameters
matchkey
Explanation
The source port of the SCTP message was zero.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.88. [ID: 1181] Invalid SCTP verification tag

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Invalid SCTP verification tag.
Default Log Severity
Notice
Parameters
vtag, pkt
Explanation
The SCTP verification tag was zero for an INIT message.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.89. [ID: 1301] Chunk length includes the padding of the last[...]

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Chunk length includes the padding of the last parameter.
Default Log Severity
Notice
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, padlen, pkt
Explanation
The length parameter of a chunk includes the padding of the chunk's last parameter.
Gateway Action
Allow
Action Description
None
Proposed Action
This log message is controlled by SCTPSettings:SCTPLogFormatError.

2.40.90. [ID: 1340] Max IP addresses exceeded

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Max IP addresses exceeded.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, max, ip, pkt, assoc, rule
Explanation
Maximum number of IP addresses allowed for a peer of an association was reached. The IP address will be stripped from the packet.
Gateway Action
Strip
Action Description
None
Proposed Action
None

2.40.91. [ID: 1370] Max control chunks exceeded

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Max control chunks exceeded.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, count, max, pkt
Explanation
The configured maximum number of allowed SCTP control chunks for an SCTP packet per service used has been reached.
Gateway Action
Drop
Action Description
None
Proposed Action
If the maximum number of allowed SCTP control chunks for an SCTP packet per SCTP service is too low, increase it.

2.40.92. [ID: 1364] Max DATA chunks exceeded

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Max DATA chunks exceeded.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, count, max, pkt
Explanation
The configured maximum number of allowed SCTP DATA chunks for an SCTP packet per service used has been reached.
Gateway Action
Drop
Action Description
None
Proposed Action
If the maximum number of allowed SCTP DATA chunks for an SCTP packet per SCTP service is too low, increase it.

2.40.93. [ID: 1360] Max inbound streams adjusted

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Max inbound streams adjusted.
Default Log Severity
Notice
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, instreams, max, pkt, assoc, rule
Explanation
The maximum number of inbound streams in an INIT or INIT_ACK chunk was reduced due to the setting of the maximum allowed inbound streams set on the SCTP service used by the IP rule allowing the traffic in the case of an INIT chunk or because of the setting of the maximum allowed outbound streams in the case of an INIT_ACK chunk.
Gateway Action
Adjust
Action Description
None
Proposed Action
Increment the maximum inbound streams setting on the SCTP service used by the IP rule in case of an INIT chunk or the maximum outbound streams setting in case of an INIT_ACK chunk.

2.40.94. [ID: 1356] Max outbound streams adjusted

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Max outbound streams adjusted.
Default Log Severity
Notice
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, outstreams, max, pkt, assoc, rule
Explanation
The maximum number of outbound streams in an INIT or INIT_ACK chunk was reduced either due to the setting of the maximum allowed outbound streams set on the SCTP service used by the IP rule allowing the traffic in the case of an INIT chunk or because of the setting of the maximum allowed inbound streams in the case of an INIT_ACK chunk.
Gateway Action
Adjust
Action Description
None
Proposed Action
Increment the maximum outbound streams setting on the SCTP service used by the IP rule in case of an INIT chunk or the maximum inbound streams setting in case of an INIT_ACK chunk.

2.40.95. [ID: 1299] Missing SCTP chunk padding

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Missing SCTP chunk padding.
Default Log Severity
Warning
Parameters
chunktype, chunkindex, chunkoffset, chunklen, pkt
Explanation
A packet with a chunk that is not padded to a multiple of four was detected.
Gateway Action
Drop
Action Description
None
Proposed Action
This log message is controlled by SCTPSettings:SCTPLogFormatError. This packet is invalid. If the packet sender is one of your network devices, investigate why the unit is sending packets containing chunks not padded to a multiple of four.

2.40.96. [ID: 1285] Missing mandatory SCTP parameter from a chunk

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Missing mandatory SCTP parameter from a chunk.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, paramtype, pkt
Explanation
A mandatory parameter is missing from a chunk.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is invalid. If the packet sender is one of your network devices, investigate why the unit is sending SCTP packets with chunks that are missing mandatory parameters.

2.40.97. [ID: 1168] Missing SCTP cookie

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Missing SCTP cookie.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt
Explanation
The SCTP message contained a COOKIE ECHO chunk without cookie data.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.98. [ID: 1330] No association found

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
No association found.
Default Log Severity
Warning
Parameters
iplen, vtag, chunktype, chunkindex, chunkoffset, chunklen, pkt
Explanation
No association was found for a received SCTP chunk.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.99. [ID: 1688] No valid association found

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
No valid association found.
Default Log Severity
Notice
Parameters
pkt
Explanation
An SCTP packet was dropped even though a matching association had been found. This is related to policy updates and can either mean that the association ended up being forcefully closed, or it indicates a temporary condition where the system was unable to verify that the association conformed with the system policy.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.100. [ID: 1341] No whitelisted PPIDs

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
No whitelisted PPIDs.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, ppid, pkt, assoc, rule
Explanation
The whitelist of Payload Protocol Identifiers used in the SCTP service is configured without any members. All Payload Protocol Identifiers are disallowed.
Gateway Action
Drop
Action Description
None
Proposed Action
Add the Payload Protocol Identifiers you want to allow to the whitelist of the SCTP service used by the IP rule that allows the traffic.

2.40.101. [ID: 1349] No possible association restart

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
No possible association restart.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt, assoc, rule
Explanation
An established association which has not previously encountered chunks that justify an association restart, receives a chunk that could be valid only if there was an ongoing possible restart.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.102. [ID: 1292] Non-zero SCTP chunk padding inside chunk

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Non-zero SCTP chunk padding inside chunk.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation
The SCTP chunk contained a padding parameter, a padding chunk, a padding trailer inside the chunk or some other non-standard padding construct. The padding is located at offset offset (relative to the SCTP header), inside the chunk with index chunkindex. The padding contains non-zero data, most likely unintentionally leaked data. This may also be a severely malformed packet whose content is impossible to interpret.
Gateway Action
Allow
Action Description
None
Proposed Action
Investigate why non-standard padding is leaking data and try to locate the source. Padding chunks (chunktype equals 132) and padding parameters (only possible when chunktype equals 1) are likely an attempt by a network appliance to disable a specific SCTP feature without needing to rewrite the packet. Non-zero padding inside error chunks (chunktype equals 9) is probably caused by the SCTP endpoint leaking internal data from network handling. The setting SCTPSettings:SCTPPaddingInsideChunk can be modified to change the handling of padding parameters, padding chunks and padding trailers. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.103. [ID: 1297] Non-zero SCTP chunk padding inside chunk

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Non-zero SCTP chunk padding inside chunk.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation
The SCTP chunk contained a padding parameter, a padding chunk, a padding trailer inside the chunk or some other non-standard padding construct. The padding is located at offset offset (relative to the SCTP header), inside the chunk with index chunkindex. The padding contains non-zero data, most likely unintentionally leaked data. This may also be a severely malformed packet whose content is impossible to interpret.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate why non-standard padding is leaking data and try to locate the source. Padding chunks (chunktype equals 132) and padding parameters (only possible when chunktype equals 1) are likely an attempt by a network appliance to disable a specific SCTP feature without needing to rewrite the packet. Non-zero padding inside error chunks (chunktype equals 9) is probably caused by the SCTP endpoint leaking internal data from network handling. The setting SCTPSettings:SCTPPaddingInsideChunk can be modified to change the handling of padding parameters, padding chunks and padding trailers. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.104. [ID: 1289] Non-zero SCTP chunk padding inside chunk

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Non-zero SCTP chunk padding inside chunk.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation
The SCTP chunk contained a padding parameter, a padding chunk, a padding trailer inside the chunk or some other non-standard padding construct. The padding is located at offset offset (relative to the SCTP header), inside the chunk with index chunkindex. The padding contains non-zero data, most likely unintentionally leaked data. This may also be a severely malformed packet whose content is impossible to interpret.
Gateway Action
Strip
Action Description
None
Proposed Action
Investigate why non-standard padding is leaking data and try to locate the source. Padding chunks (chunktype equals 132) and padding parameters (only possible when chunktype equals 1) are likely an attempt by a network appliance to disable a specific SCTP feature without needing to rewrite the packet. Non-zero padding inside error chunks (chunktype equals 9) is probably caused by the SCTP endpoint leaking internal data from network handling. The setting SCTPSettings:SCTPPaddingInsideChunk can be modified to change the handling of padding parameters, padding chunks and padding trailers. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.105. [ID: 1197] SCTP chunk padding inside chunk

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
SCTP chunk padding inside chunk.
Default Log Severity
Notice
Parameters
chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation
The SCTP chunk contained a padding parameter, a padding trailer inside the chunk or some other valid, but more or less non-standard, padding construct. The system did not check whether the padding data was non-zero because of the current setting of SCTPSettings:SCTPNonZeroPadding. RFC 4820 describes the purpose of padding parameters and padding chunks as a means to enlarge SCTP INIT chunks and SCTP packets, respectively. Another (more likely) usage is that firewalls can use padding parameters and padding chunks to remove features from an SCTP packet without affecting the packet layout.
Gateway Action
Allow
Action Description
None
Proposed Action
Set SCTPSettings:SCTPPaddingInsideChunk to change the handling of padding parameters, padding chunks and padding trailers. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.106. [ID: 1290] SCTP chunk padding inside chunk

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
SCTP chunk padding inside chunk.
Default Log Severity
Information
Parameters
chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation
The SCTP chunk contained a padding parameter, a padding trailer inside the chunk or some other valid, but more or less non-standard, padding construct. This log message is only generated for valid padding, that is, data consisting of all zeroes. RFC 4820 describes the purpose of padding parameters and padding chunks as a means to enlarge SCTP INIT chunks and SCTP packets, respectively. Another (more likely) usage is that firewalls can use padding parameters and padding chunks to remove features from an SCTP packet without affecting the packet layout.
Gateway Action
Allow
Action Description
None
Proposed Action
Set SCTPSettings:SCTPPaddingInsideChunk to change the handling of padding parameters, padding chunks and padding trailers. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.107. [ID: 1282] SCTP chunk padding inside chunk

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
SCTP chunk padding inside chunk.
Default Log Severity
Warning
Parameters
chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation
The SCTP chunk contained a padding parameter, a padding trailer inside the chunk or some other valid, but more or less non-standard, padding construct. The system did not check whether the padding data was non-zero because of the current setting of SCTPSettings:SCTPPaddingInsideChunk. RFC 4820 describes the purpose of padding parameters and padding chunks as a means to enlarge SCTP INIT chunks and SCTP packets, respectively. Another (more likely) usage is that firewalls can use padding parameters and padding chunks to remove features from an SCTP packet without affecting the packet layout.
Gateway Action
Drop
Action Description
None
Proposed Action
Set SCTPSettings:SCTPPaddingInsideChunk to change the handling of padding parameters, padding chunks and padding trailers. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.108. [ID: 1281] SCTP chunk padding inside chunk

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
SCTP chunk padding inside chunk.
Default Log Severity
Warning
Parameters
chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation
The SCTP chunk contained a padding parameter, a padding trailer inside the chunk or some other valid, but more or less non-standard, padding construct. The system did not check whether the padding data was non-zero because of the current setting of SCTPSettings:SCTPPaddingInsideChunk. RFC 4820 describes the purpose of padding parameters and padding chunks as a means to enlarge SCTP INIT chunks and SCTP packets, respectively. Another (more likely) usage is that firewalls can use padding parameters and padding chunks to remove features from an SCTP packet without affecting the packet layout.
Gateway Action
Strip
Action Description
None
Proposed Action
Set SCTPSettings:SCTPPaddingInsideChunk to change the handling of padding parameters, padding chunks and padding trailers. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.109. [ID: 1190] Non-zero SCTP chunk padding

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Non-zero SCTP chunk padding.
Default Log Severity
Notice
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, padlen, pkt
Explanation
The padding for an SCTP chunk (after the chunk) contained non-zero data. This is most likely unintentionally leaked internal data, remaining from packet handling.
Gateway Action
Allow
Action Description
None
Proposed Action
Set SCTPSettings:SCTPNonZeroPadding to change the handling of non-zero padding.

2.40.110. [ID: 1278] Non-zero SCTP chunk padding

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Non-zero SCTP chunk padding.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, padlen, pkt
Explanation
The padding for an SCTP chunk (after the chunk) contained non-zero data. This is most likely unintentionally leaked internal data, remaining from packet handling.
Gateway Action
Drop
Action Description
None
Proposed Action
Set SCTPSettings:SCTPNonZeroPadding to change the handling of non-zero padding.

2.40.111. [ID: 1279] Non-zero SCTP chunk padding

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Non-zero SCTP chunk padding.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, padlen, pkt
Explanation
The padding for an SCTP chunk (after the chunk) contained non-zero data. This is most likely unintentionally leaked internal data, remaining from packet handling.
Gateway Action
Strip
Action Description
None
Proposed Action
Set SCTPSettings:SCTPNonZeroPadding to change the handling of non-zero padding.

2.40.112. [ID: 1173] Non-zero reserved field in SCTP error cause

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Non-zero reserved field in SCTP error cause.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, code, offset, datalen, pkt
Explanation
The SCTP message contained an error cause with a reserved field that was not zero. This log is controlled by SCTPSettings:SCTPLogFormatError.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.113. [ID: 1269] Non-zero SCTP chunk parameter padding

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Non-zero SCTP chunk parameter padding.
Default Log Severity
Notice
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, paramoffset, paramlen, padlen, pkt
Explanation
The padding after an SCTP parameter (inside a chunk) contained non-zero data. This is most likely unintentionally leaked internal data, remaining from packet handling.
Gateway Action
Allow
Action Description
None
Proposed Action
Set SCTPSettings:SCTPNonZeroPadding to change the handling of non-zero padding.

2.40.114. [ID: 1268] Non-zero SCTP chunk parameter padding

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Non-zero SCTP chunk parameter padding.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, paramoffset, paramlen, padlen, pkt
Explanation
The padding after an SCTP parameter (inside a chunk) contained non-zero data. This is most likely unintentionally leaked internal data, remaining from packet handling.
Gateway Action
Drop
Action Description
None
Proposed Action
Set SCTPSettings:SCTPNonZeroPadding to change the handling of non-zero padding.

2.40.115. [ID: 1196] Non-zero SCTP chunk parameter padding

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Non-zero SCTP chunk parameter padding.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, paramoffset, paramlen, padlen, pkt
Explanation
The padding after an SCTP parameter (inside a chunk) contained non-zero data. This is most likely unintentionally leaked internal data, remaining from packet handling.
Gateway Action
Strip
Action Description
None
Proposed Action
Set SCTPSettings:SCTPNonZeroPadding to change the handling of non-zero padding.

2.40.116. [ID: 1344] Non-first SCTP cookie ack

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Non-first SCTP cookie ack.
Default Log Severity
Warning
Parameters
chunktype, chunkindex, chunkoffset, chunklen, offset, pkt
Explanation
A COOKIE ACK chunk was found that was not the first chunk in the packet.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.117. [ID: 1295] Non-first SCTP cookie

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Non-first SCTP cookie.
Default Log Severity
Warning
Parameters
chunktype, chunkindex, chunkoffset, chunklen, offset, pkt
Explanation
A COOKIE ECHO chunk was found that was not the first chunk in the packet.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.118. [ID: 1365] PPID not whitelisted

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
PPID not whitelisted.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, ppid, pkt, assoc, rule
Explanation
The Payload Protocol Identifier of a DATA chunk was not whitelisted by the SCTP service that is used by the IP rule that allows the traffic.
Gateway Action
Drop
Action Description
None
Proposed Action
Include the Payload Protocol Identifier in the whitelist of the SCTP service used if you want to allow it.

2.40.119. [ID: 1441] SCTP padding chunk

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
SCTP padding chunk.
Default Log Severity
Notice
Parameters
chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation
The SCTP packet contained a padding chunk. The system did not check whether the padding data was non-zero because of the current setting of SCTPSettings:SCTPNonZeroPadding. RFC 4820 describes the purpose of padding parameters and padding chunks as a means to enlarge SCTP INIT chunks and SCTP packets, respectively. Another (more likely) usage is that firewalls can use padding parameters and padding chunks to remove features from an SCTP packet without affecting the packet layout.
Gateway Action
Allow
Action Description
None
Proposed Action
Set SCTPSettings:SCTPPaddingChunk to change the handling of padding chunks. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.120. [ID: 1438] SCTP padding chunk

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
SCTP padding chunk.
Default Log Severity
Information
Parameters
chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation
The SCTP packet contained a padding chunk. This log message is only generated for valid padding, that is, data consisting of all zeroes. RFC 4820 describes the purpose of padding parameters and padding chunks as a means to enlarge SCTP INIT chunks and SCTP packets, respectively. Another (more likely) usage is that firewalls can use padding parameters and padding chunks to remove features from an SCTP packet without affecting the packet layout.
Gateway Action
Allow
Action Description
None
Proposed Action
Set SCTPSettings:SCTPPaddingChunk to change the handling of padding chunks. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.121. [ID: 1440] SCTP padding chunk

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
SCTP padding chunk.
Default Log Severity
Warning
Parameters
chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation
The SCTP packet contained a padding chunk. The system did not check whether the padding data was non-zero because of the current setting of SCTPSettings:SCTPPaddingChunk. RFC 4820 describes the purpose of padding parameters and padding chunks as a means to enlarge SCTP INIT chunks and SCTP packets, respectively. Another (more likely) usage is that firewalls can use padding parameters and padding chunks to remove features from an SCTP packet without affecting the packet layout.
Gateway Action
Drop
Action Description
None
Proposed Action
Set SCTPSettings:SCTPPaddingChunk to change the handling of padding chunks. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.122. [ID: 1437] SCTP padding chunk

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
SCTP padding chunk.
Default Log Severity
Notice
Parameters
chunktype, chunkindex, chunkoffset, chunklen, offset, padlen, pkt
Explanation
The SCTP packet contained a padding chunk. The system did not check whether the padding data was non-zero because of the current setting of SCTPSettings:SCTPNonZeroPadding. RFC 4820 describes the purpose of padding parameters and padding chunks as a means to enlarge SCTP INIT chunks and SCTP packets, respectively. Another (more likely) usage is that firewalls can use padding parameters and padding chunks to remove features from an SCTP packet without affecting the packet layout.
Gateway Action
Strip
Action Description
None
Proposed Action
Set SCTPSettings:SCTPPaddingChunk to change the handling of padding chunks. The setting SCTPSettings:SCTPNonZeroPadding can be modified to change the general handling of non-zero padding data.

2.40.123. [ID: 1380] Association restart from responder failed

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Association restart from responder failed.
Default Log Severity
Warning
Parameters
pkt, assoc, rule
Explanation
The responder of an association issued a restart but no matching IP rule was found to allow it.
Gateway Action
Drop
Action Description
None
Proposed Action
Configure an IP rule that allows the restart from the responder.

2.40.124. [ID: 1328] Responder vtag mismatch

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Responder vtag mismatch.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, vtag, pkt, assoc, rule
Explanation
The verification tag of an SCTP common header sent by the initiator of an SCTP association does not match the verification tag of the responder.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.125. [ID: 1351] Source port mismatch

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
Source port mismatch.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, srcport, pkt, assoc, rule
Explanation
The source port of an SCTP packet sent by the initiator of an association does not match the source port of the association the packet belongs to.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.126. [ID: 1270] Stateful SCTP is not supported

Log Categories
SCTP,STATEFUL
Log Message
Stateful SCTP is not supported. Packets will be dropped.
Default Log Severity
Warning
Parameters
matchkey
Explanation
A stateful IP rule has matched SCTP traffic. Stateful SCTP traffic will be dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
In order to forward the SCTP traffic, configure the IP rule as 'stateless'. SCTP support can also be turned off with SCTPSettings:SCTPEnabled, in which case SCTP will be forwarded as the 'unknown' IP protocol 132.

2.40.127. [ID: 1283] Too many occurrences of SCTP parameter

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Too many occurrences of SCTP parameter.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, paramtype, count, max, pkt
Explanation
The SCTP chunk chunktype contained too many parameters of type paramtype.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.128. [ID: 1334] Unexpected state cookie

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Unexpected state cookie.
Default Log Severity
Warning
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, pkt
Explanation
A state cookie parameter was discovered outside of an INIT-ACK chunk.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.40.129. [ID: 1280] Unknown mandatory chunk type

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Unknown mandatory chunk type.
Default Log Severity
Warning
Parameters
chunktype, flags, chunkindex, chunkoffset, chunklen, pkt
Explanation
An unknown "mandatory" chunk type has been encountered: what RFC 4960 refers to in Section 3.2 as "highest-order bit types" 00 and 01, which roughly translates into "when unknown, ignore the remaining chunks of this packet". Although unknown, these types are typically used to modify the general actions an SCTP endpoint should take when acting upon chunks. The effect is likely limited to a single packet, and only to those chunks following it.
Gateway Action
Abort
Action Description
None
Proposed Action
This log message is controlled by SCTPSettings:SCTPLogUnknownMandChunk. How to handle these types of unknown chunks is controlled by SCTPSettings:SCTPUnknownMandChunk and SCTPSettings:SCTPUnknownMandChunkNotify.

2.40.130. [ID: 1184] Unknown mandatory chunk type

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Unknown mandatory chunk type.
Default Log Severity
Notice
Parameters
chunktype, flags, chunkindex, chunkoffset, chunklen, pkt
Explanation
An unknown "mandatory" chunk type has been encountered: what RFC 4960 refers to in Section 3.2 as "highest-order bit types" 00 and 01, which roughly translates into "when unknown, ignore the remaining chunks of this packet". Although unknown, these types are typically used to modify the general actions an SCTP endpoint should take when acting upon chunks. The effect is likely limited to a single packet, and only to those chunks following it.
Gateway Action
Allow
Action Description
None
Proposed Action
This log message is controlled by SCTPSettings:SCTPLogUnknownMandChunk. How to handle these types of unknown chunks is controlled by SCTPSettings:SCTPUnknownMandChunk and SCTPSettings:SCTPUnknownMandChunkNotify.

2.40.131. [ID: 1193] Unknown mandatory chunk type

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Unknown mandatory chunk type.
Default Log Severity
Warning
Parameters
chunktype, flags, chunkindex, chunkoffset, chunklen, pkt
Explanation
An unknown "mandatory" chunk type has been encountered: what RFC 4960 refers to in Section 3.2 as "highest-order bit types" 00 and 01, which roughly translates into "when unknown, ignore the remaining chunks of this packet". Although unknown, these types are typically used to modify the general actions an SCTP endpoint should take when acting upon chunks. The effect is likely limited to a single packet, and only to those chunks following it.
Gateway Action
Drop
Action Description
None
Proposed Action
This log message is controlled by SCTPSettings:SCTPLogUnknownMandChunk. How to handle these types of unknown chunks is controlled by SCTPSettings:SCTPUnknownMandChunk and SCTPSettings:SCTPUnknownMandChunkNotify.

2.40.132. [ID: 1191] Unknown mandatory chunk type

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Unknown mandatory chunk type.
Default Log Severity
Warning
Parameters
chunktype, flags, chunkindex, chunkoffset, chunklen, pkt
Explanation
An unknown "mandatory" chunk type has been encountered: what RFC 4960 refers to in Section 3.2 as "highest-order bit types" 00 and 01, which roughly translates into "when unknown, ignore the remaining chunks of this packet". Although unknown, these types are typically used to modify the general actions an SCTP endpoint should take when acting upon chunks. The effect is likely limited to a single packet, and only to those chunks following it.
Gateway Action
Strip
Action Description
None
Proposed Action
This log message is controlled by SCTPSettings:SCTPLogUnknownMandChunk. How to handle these types of unknown chunks is controlled by SCTPSettings:SCTPUnknownMandChunk and SCTPSettings:SCTPUnknownMandChunkNotify.

2.40.133. [ID: 1236] Unknown mandatory parameter type

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Unknown mandatory parameter type.
Default Log Severity
Warning
Parameters
chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation
An unknown "mandatory" parameter type has been encountered: what RFC 4960 refers to in Section 3.2.1 as "highest-order bit types" 00 and 01, which roughly translates into "when unknown, ignore the remaining parameters of this chunk". Although unknown, these types typically carry instructions to modify the interpretation of other parameters inside the same chunk.
Gateway Action
Abort
Action Description
None
Proposed Action
This log message is controlled by SCTPSettings:SCTPLogUnknownMandParam. How to handle these types of unknown parameters is controlled by SCTPSettings:SCTPUnknownMandParam and SCTPSettings:SCTPUnknownMandParamNotify.

2.40.134. [ID: 1171] Unknown mandatory parameter type

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Unknown mandatory parameter type.
Default Log Severity
Notice
Parameters
chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation
An unknown "mandatory" parameter type has been encountered: what RFC 4960 refers to in Section 3.2.1 as "highest-order bit types" 00 and 01, which roughly translates into "when unknown, ignore the remaining parameters of this chunk". Although unknown, these types typically carry instructions to modify the interpretation of other parameters inside the same chunk.
Gateway Action
Allow
Action Description
None
Proposed Action
This log message is controlled by SCTPSettings:SCTPLogUnknownMandParam. How to handle these types of unknown parameters is controlled by SCTPSettings:SCTPUnknownMandParam and SCTPSettings:SCTPUnknownMandParamNotify.

2.40.135. [ID: 1166] Unknown mandatory parameter type

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Unknown mandatory parameter type.
Default Log Severity
Warning
Parameters
chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation
An unknown "mandatory" parameter type has been encountered: what RFC 4960 refers to in Section 3.2.1 as "highest-order bit types" 00 and 01, which roughly translates into "when unknown, ignore the remaining parameters of this chunk". Although unknown, these types typically carry instructions to modify the interpretation of other parameters inside the same chunk.
Gateway Action
Drop
Action Description
None
Proposed Action
This log message is controlled by SCTPSettings:SCTPLogUnknownMandParam. How to handle these types of unknown parameters is controlled by SCTPSettings:SCTPUnknownMandParam and SCTPSettings:SCTPUnknownMandParamNotify.

2.40.136. [ID: 1186] Unknown mandatory parameter type

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Unknown mandatory parameter type.
Default Log Severity
Warning
Parameters
chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation
An unknown "mandatory" parameter type has been encountered: what RFC 4960 refers to in Section 3.2.1 as "highest-order bit types" 00 and 01, which roughly translates into "when unknown, ignore the remaining parameters of this chunk". Although unknown, these types typically carry instructions to modify the interpretation of other parameters inside the same chunk.
Gateway Action
Strip
Action Description
None
Proposed Action
This log message is controlled by SCTPSettings:SCTPLogUnknownMandParam. How to handle these types of unknown parameters is controlled by SCTPSettings:SCTPUnknownMandParam and SCTPSettings:SCTPUnknownMandParamNotify.

2.40.137. [ID: 1248] Unknown optional chunk type

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Unknown optional chunk type.
Default Log Severity
Warning
Parameters
chunktype, flags, chunkindex, chunkoffset, chunklen, pkt
Explanation
An unknown "optional" chunk type has been encountered: what RFC 4960 refers to in Section 3.2 as "highest-order bit types" 10 and 11, which roughly translates into "when unknown, ignore chunk". Although unknown, these types typically carry instructions to modify the SCTP association. Usually these instructions are not critical for the functionality of the association, though "type 11" is more likely to be of importance.
Gateway Action
Abort
Action Description
None
Proposed Action
This log message is controlled by SCTPSettings:SCTPLogUnknownOptChunk. How to handle these types of unknown chunks is controlled by SCTPSettings:SCTPUnknownOptChunk and SCTPSettings:SCTPUnknownOptChunkNotify.

2.40.138. [ID: 1180] Unknown optional chunk type

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Unknown optional chunk type.
Default Log Severity
Notice
Parameters
chunktype, flags, chunkindex, chunkoffset, chunklen, pkt
Explanation
An unknown "optional" chunk type has been encountered: what RFC 4960 refers to in Section 3.2 as "highest-order bit types" 10 and 11, which roughly translates into "when unknown, ignore chunk". Although unknown, these types typically carry instructions to modify the SCTP association. Usually these instructions are not critical for the functionality of the association, though "type 11" is more likely to be of importance.
Gateway Action
Allow
Action Description
None
Proposed Action
This log message is controlled by SCTPSettings:SCTPLogUnknownOptChunk. How to handle these types of unknown chunks is controlled by SCTPSettings:SCTPUnknownOptChunk and SCTPSettings:SCTPUnknownOptChunkNotify.

2.40.139. [ID: 1172] Unknown optional chunk type

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Unknown optional chunk type.
Default Log Severity
Warning
Parameters
chunktype, flags, chunkindex, chunkoffset, chunklen, pkt
Explanation
An unknown "optional" chunk type has been encountered: what RFC 4960 refers to in Section 3.2 as "highest-order bit types" 10 and 11, which roughly translates into "when unknown, ignore chunk". Although unknown, these types typically carry instructions to modify the SCTP association. Usually these instructions are not critical for the functionality of the association, though "type 11" is more likely to be of importance.
Gateway Action
Drop
Action Description
None
Proposed Action
This log message is controlled by SCTPSettings:SCTPLogUnknownOptChunk. How to handle these types of unknown chunks is controlled by SCTPSettings:SCTPUnknownOptChunk and SCTPSettings:SCTPUnknownOptChunkNotify.

2.40.140. [ID: 1175] Unknown optional chunk type

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Unknown optional chunk type.
Default Log Severity
Warning
Parameters
chunktype, flags, chunkindex, chunkoffset, chunklen, pkt
Explanation
An unknown "optional" chunk type has been encountered: what RFC 4960 refers to in Section 3.2 as "highest-order bit types" 10 and 11, which roughly translates into "when unknown, ignore chunk". Although unknown, these types typically carry instructions to modify the SCTP association. Usually these instructions are not critical for the functionality of the association, though "type 11" is more likely to be of importance.
Gateway Action
Strip
Action Description
None
Proposed Action
This log message is controlled by SCTPSettings:SCTPLogUnknownOptChunk. How to handle these types of unknown chunks is controlled by SCTPSettings:SCTPUnknownOptChunk and SCTPSettings:SCTPUnknownOptChunkNotify.

2.40.141. [ID: 1214] Unknown optional parameter type

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Unknown optional parameter type.
Default Log Severity
Warning
Parameters
chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation
An unknown "optional" parameter type has been encountered. These are the parameter types that RFC 4960 Section 3.2.1 describes as having the two highest-order bits set to 10 or 11, which roughly translates into "when unknown, ignore this parameter". Although unknown, these types typically carry non-vital options for a chunk.
Gateway Action
Abort
Action Description
None
Proposed Action
This log message is controlled by SCTPSettings:SCTPLogUnknownOptParam. How to handle these types of unknown parameters is controlled by SCTPSettings:SCTPUnknownOptParam and SCTPSettings:SCTPUnknownOptParamNotify.

2.40.142. [ID: 1185] Unknown optional parameter type

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Unknown optional parameter type.
Default Log Severity
Notice
Parameters
chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation
An unknown "optional" parameter type has been encountered. These are the parameter types that RFC 4960 Section 3.2.1 describes as having the two highest-order bits set to 10 or 11, which roughly translates into "when unknown, ignore this parameter". Although unknown, these types typically carry non-vital options for a chunk.
Gateway Action
Allow
Action Description
None
Proposed Action
This log message is controlled by SCTPSettings:SCTPLogUnknownOptParam. How to handle these types of unknown parameters is controlled by SCTPSettings:SCTPUnknownOptParam and SCTPSettings:SCTPUnknownOptParamNotify.

2.40.143. [ID: 1182] Unknown optional parameter type

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Unknown optional parameter type.
Default Log Severity
Warning
Parameters
chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation
An unknown "optional" parameter type has been encountered. These are the parameter types that RFC 4960 Section 3.2.1 describes as having the two highest-order bits set to 10 or 11, which roughly translates into "when unknown, ignore this parameter". Although unknown, these types typically carry non-vital options for a chunk.
Gateway Action
Drop
Action Description
None
Proposed Action
This log message is controlled by SCTPSettings:SCTPLogUnknownOptParam. How to handle these types of unknown parameters is controlled by SCTPSettings:SCTPUnknownOptParam and SCTPSettings:SCTPUnknownOptParamNotify.

2.40.144. [ID: 1192] Unknown optional parameter type

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Unknown optional parameter type.
Default Log Severity
Warning
Parameters
chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation
An unknown "optional" parameter type has been encountered. These are the parameter types that RFC 4960 Section 3.2.1 describes as having the two highest-order bits set to 10 or 11, which roughly translates into "when unknown, ignore this parameter". Although unknown, these types typically carry non-vital options for a chunk.
Gateway Action
Strip
Action Description
None
Proposed Action
This log message is controlled by SCTPSettings:SCTPLogUnknownOptParam. How to handle these types of unknown parameters is controlled by SCTPSettings:SCTPUnknownOptParam and SCTPSettings:SCTPUnknownOptParamNotify.

2.40.145. [ID: 1169] Unknown supported address type

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Unknown supported address type.
Default Log Severity
Warning
Parameters
paramtype, pkt
Explanation
An unknown address type was found in the "supported address types" parameter. The packet may be broken.
Gateway Action
Allow
Action Description
None
Proposed Action
Unknown address types will be allowed if and only if SCTPSettings:SCTPUnknownAddressType allows this.

2.40.146. [ID: 1286] Unknown supported address type

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Unknown supported address type.
Default Log Severity
Warning
Parameters
paramtype, pkt
Explanation
An unknown address type was found in the "supported address types" parameter. The packet may be broken.
Gateway Action
Drop
Action Description
None
Proposed Action
Unknown address types will be allowed if and only if SCTPSettings:SCTPUnknownAddressType allows this.

2.40.147. [ID: 1179] Unknown supported address type

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Unknown supported address type.
Default Log Severity
Warning
Parameters
paramtype, pkt
Explanation
An unknown address type was found in the "supported address types" parameter. The packet may be broken.
Gateway Action
Strip
Action Description
None
Proposed Action
Unknown address types will be allowed if and only if SCTPSettings:SCTPUnknownAddressType allows this.

2.40.148. [ID: 1183] Unkown SCTP error cause

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Unkown SCTP error cause.
Default Log Severity
Notice
Parameters
iplen, offset, code, pkt
Explanation
The system does not recognize an error cause in the SCTP message. The body of the error cause will not be validated.
Gateway Action
Allow
Action Description
None
Proposed Action
None

2.40.149. [ID: 1208] Not supported address type

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
Not supported address type.
Default Log Severity
Notice
Parameters
paramtype, pkt
Explanation
An unsupported address type was found in the "supported address types" parameter.
Gateway Action
Strip
Action Description
None
Proposed Action
Whether an address type is considered unsupported or not depends primarily on the IP rule; address types used by the IP rule are supported, others are not. Any action on behalf of the unsupported address types will depend on SCTPSettings:SCTPMultihoming. The "host name address" type is a special case that is considered supported if and only if SCTPSettings:SCTPHostNameAddressParam is set to "Allow" this address type.

2.40.150. [ID: 1372] PPID whitelisted

Log Categories
SCTP,STATEFUL,VALIDATE
Log Message
PPID whitelisted.
Default Log Severity
Notice
Parameters
iplen, chunktype, chunkindex, chunkoffset, chunklen, ppid, pkt, assoc, rule
Explanation
The Payload Protocol Identifier of a DATA chunk is whitelisted by the SCTP service that is used by the IP rule that allows the traffic.
Gateway Action
Allow
Action Description
None
Proposed Action
Exclude the Payload Protocol Identifier from the whitelist of the SCTP service used if you want to disallow it.

2.40.151. [ID: 1300] State cookie parameter has zero for value

Log Categories
SCTP,STATELESS,VALIDATE
Log Message
State cookie parameter has zero for value.
Default Log Severity
Warning
Parameters
chunktype, chunkindex, chunkoffset, chunklen, paramtype, paramoffset, paramlen, pkt
Explanation
A state cookie parameter with zero for value was found within an INIT_ACK chunk.
Gateway Action
Drop
Action Description
None
Proposed Action
This packet is invalid. If the packet sender is one of your network devices, investigate why the unit is sending state cookie parameters with zero for value within INIT_ACK chunks.

2.41. SIPALG

These log messages refer to the SIPALG category.

2.41.1. [ID: 1206] SIP ALG call leg deleted

Log Categories
SIPALG
Log Message
SIP ALG call leg deleted.
Default Log Severity
Notice
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
The call leg for the identified method request was deleted.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.41.2. [ID: 1229] SIP ALG call leg state updated

Log Categories
SIPALG
Log Message
SIP ALG call leg state updated.
Default Log Severity
Debug
Parameters
state, fromuri, touri, srcip, srcport, destip, destport
Explanation
The SIP ALG call leg state was updated to the identified state.
Gateway Action
Allow
Action Description
None
Proposed Action
None

2.41.3. [ID: 1260] Failed to create call leg

Log Categories
SIPALG
Log Message
Failed to create call leg.
Default Log Severity
Error
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
The SIP ALG failed to create a call leg for the identified method request.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.4. [ID: 1266] Failed to create new transaction

Log Categories
SIPALG
Log Message
Failed to create new transaction.
Default Log Severity
Error
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
The SIP ALG failed to create a transaction.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.5. [ID: 1267] Failed to do dns resolve

Log Categories
SIPALG
Log Message
Failed to do dns resolve.
Default Log Severity
Critical
Parameters
reason
Explanation
A DNS resolution attempt failed.
Gateway Action
Drop
Action Description
None
Proposed Action
Check that the DNS servers are configured and reachable by the firewall.

2.41.6. [ID: 1247] Failed to create SIP ALG session

Log Categories
SIPALG
Log Message
Failed to create SIP ALG session.
Default Log Severity
Error
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
A new SIP ALG session request could not be created.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.7. [ID: 1262] Failed to find SIP ALG session

Log Categories
SIPALG
Log Message
Failed to find SIP ALG session.
Default Log Severity
Error
Parameters
reason, fromuri, touri, srcip, srcport, destip, destport
Explanation
Failed to find SIP ALG session.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.8. [ID: 1259] Unsuccessful registration

Log Categories
SIPALG
Log Message
Unsuccessful registration.
Default Log Severity
Warning
Parameters
reason, fromuri, touri, srcip, srcport, destip, destport
Explanation
The user failed to register.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.9. [ID: 1221] Failed unregistration

Log Categories
SIPALG
Log Message
Failed unregistration.
Default Log Severity
Notice
Parameters
reason, fromuri, touri, srcip, srcport, destip, destport
Explanation
The user failed to unregister.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.10. [ID: 1210] Failed to find call leg

Log Categories
SIPALG
Log Message
Failed to find call leg.
Default Log Severity
Warning
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
Failed to find call leg for identified method request.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.11. [ID: 1219] Failed to find role

Log Categories
SIPALG
Log Message
Failed to find role.
Default Log Severity
Error
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
Failed to find role for the identified method request.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.12. [ID: 1202] Failed to find transaction

Log Categories
SIPALG
Log Message
Failed to find transaction.
Default Log Severity
Warning
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
Failed to find transaction.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.13. [ID: 1213] Flow failed

Log Categories
SIPALG
Log Message
Flow failed.
Default Log Severity
Notice
Parameters
reason, originator, flow, rule
Explanation
An error occurred that caused the SIP flow to be aborted.
Gateway Action
Abort
Action Description
None
Proposed Action
None

2.41.14. [ID: 1224] Failed to get free NAT port pair for the[...]

Log Categories
SIPALG
Log Message
Failed to get free NAT port pair for the given host.
Default Log Severity
Critical
Parameters
reason, fromuri, touri, srcip, srcport, destip, destport
Explanation
Failed to get free NAT port pair for the given host.
Gateway Action
Drop
Action Description
None
Proposed Action
Failure to get a NAT port pair may result from a heavily loaded system or port range. Reviewing the NAT configuration parameters and the system-wide load is advisable.

2.41.15. [ID: 1322] Failed to install HA synced object

Log Categories
SIPALG
Log Message
Failed to install HA synced object.
Default Log Severity
Notice
Parameters
type, reason, matchkey
Explanation
The SIP ALG failed to install an object on the inactive node.
Gateway Action
None
Action Description
None
Proposed Action
None

2.41.16. [ID: 1323] Failed to apply HA update to object

Log Categories
SIPALG
Log Message
Failed to apply HA update to object.
Default Log Severity
Notice
Parameters
type, reason, matchkey
Explanation
The SIP ALG on the inactive HA node failed to update an object with the new parameters synced from the active node.
Gateway Action
None
Action Description
None
Proposed Action
None

2.41.17. [ID: 1205] Invalid SIP UDP packet received

Log Categories
SIPALG
Log Message
Invalid SIP UDP packet received.
Default Log Severity
Error
Parameters
 
Explanation
The SIP ALG received an invalid UDP packet. The packet will be dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.18. [ID: 1211] Invalid session state change

Log Categories
SIPALG
Log Message
Invalid session state change.
Default Log Severity
Error
Parameters
state, fromuri, touri, srcip, srcport, destip, destport
Explanation
Invalid session state found.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.41.19. [ID: 1237] Maximum number of transaction per session has[...]

Log Categories
SIPALG
Log Message
Maximum number of transaction per session has been reached.
Default Log Severity
Warning
Parameters
sessions, fromuri, touri, srcip, srcport, destip, destport
Explanation
The configured maximum number of concurrent SIP sessions per SIP service has been reached.
Gateway Action
Close
Action Description
None
Proposed Action
If the maximum number of SIP ALG sessions per SIP service is too low, increase it.

2.41.20. [ID: 1203] Maximum number of sessions per SIP URI has[...]

Log Categories
SIPALG
Log Message
Maximum number of sessions per SIP URI has been reached.
Default Log Severity
Warning
Parameters
sessions, fromuri, touri, srcip, srcport, destip, destport
Explanation
The configured maximum number of concurrent SIP sessions per SIP URI has been reached.
Gateway Action
Close
Action Description
None
Proposed Action
If the maximum number of SIP ALG sessions per SIP URI is too low, increase it.

2.41.21. [ID: 1220] Maximum number of sessions per Service has[...]

Log Categories
SIPALG
Log Message
Maximum number of sessions per Service has been reached.
Default Log Severity
Warning
Parameters
sessions, fromuri, touri, srcip, srcport, destip, destport
Explanation
The configured maximum number of transactions per SIP session has been reached.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.41.22. [ID: 1223] Failed to parse media

Log Categories
SIPALG
Log Message
Failed to parse media.
Default Log Severity
Error
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
Failed to parse media for the request.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.23. [ID: 1274] Media stream rules created

Log Categories
SIPALG
Log Message
Media stream rules created.
Default Log Severity
Information
Parameters
fromuri, touri, srcip, srcport, destip, destport, proto
Explanation
The system has created rules to allow a media stream negotiated using the SIP protocol.
Gateway Action
None
Action Description
None
Proposed Action
None

2.41.24. [ID: 1272] Failed to create media stream rules

Log Categories
SIPALG
Log Message
Failed to create media stream rules.
Default Log Severity
Warning
Parameters
fromuri, touri, srcip, srcport, destip, destport, proto
Explanation
The system failed to create rules to allow a media stream negotiated using the SIP protocol.
Gateway Action
None
Action Description
None
Proposed Action
There are several possible reasons for the failure. If NAT is used, it could relate to NAT port allocation, so search for logs in the PORTMGR and/or NATPOOL categories.

2.41.25. [ID: 1204] Out of memory

Log Categories
SIPALG
Log Message
Out of memory.
Default Log Severity
Emergency
Parameters
reason
Explanation
Memory allocation failed while processing SIP message.
Gateway Action
Drop
Action Description
None
Proposed Action
Change configuration to free up more RAM.

2.41.26. [ID: 1245] Expire value modified in registration request

Log Categories
SIPALG
Log Message
Expire value modified in registration request.
Default Log Severity
Notice
Parameters
time, fromuri, touri, srcip, srcport, destip, destport
Explanation
The SIP ALG modified the requested registration time since it exceeds the configured maximum registration time value.
Gateway Action
Allow
Action Description
None
Proposed Action
None

2.41.27. [ID: 1199] Failed to modify contact tag in message

Log Categories
SIPALG
Log Message
Failed to modify contact tag in message.
Default Log Severity
Error
Parameters
reason, fromuri, touri, srcip, srcport, destip, destport
Explanation
Failed to modify the contact tag in SIP message.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.28. [ID: 1235] Failed to modify FROM tag in message

Log Categories
SIPALG
Log Message
Failed to modify FROM tag in message.
Default Log Severity
Error
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
Failed to modify the FROM tag in message for the identified method request.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.29. [ID: 1263] Failed to modify request URI in message

Log Categories
SIPALG
Log Message
Failed to modify request URI in message.
Default Log Severity
Error
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
Failed to modify the request URI in message for the identified method request.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.30. [ID: 1200] Failed to modify the request

Log Categories
SIPALG
Log Message
Failed to modify the request.
Default Log Severity
Error
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
Failed to modify the topology info in the identified method request.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.31. [ID: 1251] Failed to modify the response

Log Categories
SIPALG
Log Message
Failed to modify the response.
Default Log Severity
Error
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
Failed to modify the topology info in the identified method response.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.32. [ID: 1231] Failed to modify SDP message

Log Categories
SIPALG
Log Message
Failed to modify SDP message.
Default Log Severity
Error
Parameters
reason, fromuri, touri, srcip, srcport, destip, destport
Explanation
Failed to modify SDP part of message.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.33. [ID: 1238] Failed to modify the SAT request

Log Categories
SIPALG
Log Message
Failed to modify the SAT request.
Default Log Severity
Error
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
Failed to modify the request IP to the SAT destination IP in the identified method request.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.34. [ID: 1207] Call leg created

Log Categories
SIPALG
Log Message
Call leg created.
Default Log Severity
Notice
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
SIP ALG call leg created for identified method request.
Gateway Action
Allow
Action Description
None
Proposed Action
None

2.41.35. [ID: 1232] New SIP ALG session created

Log Categories
SIPALG
Log Message
New SIP ALG session created.
Default Log Severity
Notice
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
New SIP ALG session request created.
Gateway Action
Allow
Action Description
None
Proposed Action
None

2.41.36. [ID: 1234] New transaction created

Log Categories
SIPALG
Log Message
New transaction created.
Default Log Severity
Notice
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
New SIP ALG transaction created.
Gateway Action
Allow
Action Description
None
Proposed Action
None

2.41.37. [ID: 1261] Failed to find route for given host

Log Categories
SIPALG
Log Message
Failed to find route for given host.
Default Log Severity
Error
Parameters
reason, fromuri, touri, srcip, srcport, destip, destport
Explanation
No route information found for the given host.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.38. [ID: 1256] General Error

Log Categories
SIPALG
Log Message
General Error.
Default Log Severity
Warning
Parameters
reason, fromuri, touri, srcip, srcport, destip, destport
Explanation
General error while processing message.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.39. [ID: 1217] Registration hijack attempt detected

Log Categories
SIPALG
Log Message
Registration hijack attempt detected.
Default Log Severity
Alert
Parameters
count, fromuri, touri, srcip, srcport, destip, destport
Explanation
The number of registration attempts has been exceeded.
Gateway Action
Drop
Action Description
None
Proposed Action
Check with the user why false authentication is being used to register.

2.41.40. [ID: 1246] Successful Registration

Log Categories
SIPALG
Log Message
Successful Registration.
Default Log Severity
Notice
Parameters
user, contact
Explanation
User registered.
Gateway Action
None
Action Description
None
Proposed Action
None

2.41.41. [ID: 1264] SDP message parsing failed

Log Categories
SIPALG
Log Message
SDP message parsing failed.
Default Log Severity
Error
Parameters
reason, fromuri, touri, srcip, srcport, destip, destport
Explanation
SDP part of message failed parsing due to malformed message.
Gateway Action
Drop
Action Description
None
Proposed Action
Examine why client or server is sending a malformed SDP message.

2.41.42. [ID: 1243] SDP message validation failed

Log Categories
SIPALG
Log Message
SDP message validation failed.
Default Log Severity
Error
Parameters
reason, fromuri, touri, srcip, srcport, destip, destport
Explanation
SDP part of message failed validation due to malformed message.
Gateway Action
Drop
Action Description
None
Proposed Action
Examine why client or server is sending a malformed SDP message.

2.41.43. [ID: 1227] SIP ALG packet reception error

Log Categories
SIPALG
Log Message
SIP ALG packet reception error.
Default Log Severity
Error
Parameters
reason
Explanation
Packet without data received.
Gateway Action
Drop
Action Description
None
Proposed Action
Take the steps needed to understand how the SIP ALG received a NULL SIP packet.

2.41.44. [ID: 1265] SIP message parsing failed

Log Categories
SIPALG
Log Message
SIP message parsing failed.
Default Log Severity
Error
Parameters
reason, fromuri, touri, srcip, srcport, destip, destport
Explanation
SIP part of message failed parsing due to malformed message.
Gateway Action
Drop
Action Description
None
Proposed Action
Examine why client or server is sending a malformed SIP message.

2.41.45. [ID: 1254] SIP message validation failed due to[...]

Log Categories
SIPALG
Log Message
SIP message validation failed due to malformed message.
Default Log Severity
Error
Parameters
reason, fromuri, touri, srcip, srcport, destip, destport
Explanation
SIP part of message failed validation due to malformed message.
Gateway Action
Drop
Action Description
None
Proposed Action
Examine why client or server is sending a malformed SIP message.

2.41.46. [ID: 1212] SIP request-response timeout

Log Categories
SIPALG
Log Message
SIP request-response timeout.
Default Log Severity
Warning
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
SIP request-response timeout for the session. The session will be deleted.
Gateway Action
Close
Action Description
None
Proposed Action
If the configured SIP Request-Response timeout value is too low, increase it.

2.41.47. [ID: 1255] SIP signal timeout

Log Categories
SIPALG
Log Message
SIP signal timeout.
Default Log Severity
Warning
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
SIP signal timeout for session. The session will be deleted.
Gateway Action
Close
Action Description
None
Proposed Action
If the configured SIP signal timeout value is too low, increase it.

2.41.48. [ID: 1233] SIP ALG session deleted

Log Categories
SIPALG
Log Message
SIP ALG session deleted.
Default Log Severity
Information
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
SIP ALG session deleted.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.41.49. [ID: 1201] SIP ALG session state updated

Log Categories
SIPALG
Log Message
SIP ALG session state updated.
Default Log Severity
Debug
Parameters
state, fromuri, touri, srcip, srcport, destip, destport
Explanation
The SIP ALG session state was updated.
Gateway Action
Allow
Action Description
None
Proposed Action
None

2.41.50. [ID: 1250] Block third party SIP request

Log Categories
SIPALG
Log Message
Block third party SIP request.
Default Log Severity
Warning
Parameters
reason, fromuri, touri, srcip, srcport, destip, destport
Explanation
The SIP ALG has detected a SIP/SDP message involving a third-party IP address.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.51. [ID: 1244] Transaction state updated

Log Categories
SIPALG
Log Message
Transaction state updated.
Default Log Severity
Debug
Parameters
state, fromuri, touri, srcip, srcport, destip, destport
Explanation
A SIP ALG transaction state has been updated to the identified state.
Gateway Action
Allow
Action Description
None
Proposed Action
None

2.41.52. [ID: 1253] SIP ALG transaction deleted

Log Categories
SIPALG
Log Message
SIP ALG transaction deleted.
Default Log Severity
Notice
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
The transaction for the identified method request is deleted.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.41.53. [ID: 1226] Invalid transaction state change

Log Categories
SIPALG
Log Message
Invalid transaction state change.
Default Log Severity
Error
Parameters
state, fromuri, touri, srcip, srcport, destip, destport
Explanation
Invalid transaction state found.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.41.54. [ID: 1252] Successful unregistration

Log Categories
SIPALG
Log Message
Successful unregistration.
Default Log Severity
Notice
Parameters
user, contact
Explanation
User unregistered successfully.
Gateway Action
Allow
Action Description
None
Proposed Action
None

2.41.55. [ID: 1222] Method not supported

Log Categories
SIPALG
Log Message
Method not supported.
Default Log Severity
Warning
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
The identified method is not supported.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.56. [ID: 1249] Failed to update call leg

Log Categories
SIPALG
Log Message
Failed to update call leg.
Default Log Severity
Warning
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
Failed to update call leg for identified method request.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.57. [ID: 1225] Failed to update contact

Log Categories
SIPALG
Log Message
Failed to update contact.
Default Log Severity
Error
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
Failed to update contact into session for the identified method request.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.58. [ID: 1241] Failed to update port information

Log Categories
SIPALG
Log Message
Failed to update port information.
Default Log Severity
Error
Parameters
method, fromuri, touri, srcip, srcport, destip, destport
Explanation
Failed to update port into session for identified method request.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.59. [ID: 1228] Registration entry not found

Log Categories
SIPALG
Log Message
Registration entry not found.
Default Log Severity
Warning
Parameters
reason, fromuri, touri, srcip, srcport, destip, destport
Explanation
The specified user could not be found in the register table.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.41.60. [ID: 1215] Failed to modify via in message

Log Categories
SIPALG
Log Message
Failed to modify via in message.
Default Log Severity
Error
Parameters
reason, fromuri, touri, srcip, srcport, destip, destport
Explanation
Failed to modify the via header in message for the identified method request.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.42. SNMP

These log messages refer to the SNMP category.

2.42.1. [ID: 478] SNMP access

Log Categories
SNMP
Log Message
SNMP access.
Default Log Severity
Notice
Parameters
srcip, destip
Explanation
An SNMP packet was received.
Gateway Action
None
Action Description
None
Proposed Action
None

2.42.2. [ID: 1506] SNMP authentication failure

Log Categories
SNMP
Log Message
SNMP authentication failure.
Default Log Severity
Warning
SNMP Trap Category
SNMP
SNMP Trap MIB name
authenticationFailure
SNMP Trap MIB OID
1.3.6.1.6.3.1.1.5.5   (SNMPv2-MIB, RFC3418)
Parameters
srcip, destip
Explanation
The system has received a protocol message that is not properly authenticated. The packet was thus silently dropped.
Gateway Action
None
Action Description
None
Proposed Action
Check the configured authentication items. If the problem persists, check for abnormal traffic.

2.42.3. [ID: 1505] Max restart counter

Log Categories
SNMP
Log Message
Max restart counter.
Default Log Severity
Alert
Parameters
 
Explanation
The restart counter has reached the maximum allowed value. SNMPv3 traps and responses will not be sent until the RemoteMgmtSettings:SNMPv3EngineId advanced setting has been changed. This is required to prevent eavesdropping adversaries from decrypting SNMPv3 messages.
Gateway Action
None
Action Description
None
Proposed Action
Set a new Engine Id in RemoteMgmtSettings:SNMPv3EngineId advanced setting.

2.42.4. [ID: 1680] SNMP not in time window

Log Categories
SNMP
Log Message
SNMP not in time window.
Default Log Severity
Notice
Parameters
srcip, destip
Explanation
The SNMP3 client made a request outside the current time window (request contains values that have been deprecated, typically a time value that is off by more than 150 seconds). The original request has been dropped, and a notification has been sent to the client with the correct time window to use (as specified by RFC3414 this is done by returning the value of the usmStatsNotInTimeWindows counter without encryption).
Gateway Action
Reject
Action Description
None
Proposed Action
Normally nothing needs to be done. A valid SNMP3 client will automatically adjust its time window with the supplied information. Make sure that the client is using the correct authentication credentials if it is continuing to use faulty values.

2.42.5. [ID: 763] SNMP unexpected version

Log Categories
SNMP
Log Message
SNMP unexpected version.
Default Log Severity
Warning
Parameters
srcip, destip
Explanation
A packet was received for an unsupported SNMP version.
Gateway Action
Drop
Action Description
None
Proposed Action
Make sure your SNMP client is using a supported SNMP version.

2.42.6. [ID: 1681] SNMP unknown engine ID

Log Categories
SNMP
Log Message
SNMP unknown engine ID.
Default Log Severity
Warning
Parameters
srcip, destip
Explanation
The SNMP3 client made a request for what appears to be another system. It is impossible for the system to validate the authenticity of an SNMP3 request using an unknown engine ID, so the system replied with an error message. Normal SNMP clients will close the connection with an error upon receiving this reply.
Gateway Action
Reject
Action Description
None
Proposed Action
None

2.43. SSHCLIENT

These log messages refer to the SSHCLIENT category.

2.43.1. [ID: 1703] SSH client error

Log Categories
SSHCLIENT
Log Message
SSH client error.
Default Log Severity
Error
Parameters
msg
Explanation
An error occurred for an SSH client connection.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.43.2. [ID: 1704] SSH client fatal error

Log Categories
SSHCLIENT
Log Message
SSH client fatal error.
Default Log Severity
Critical
Parameters
msg
Explanation
A fatal error occurred for an SSH client connection.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.43.3. [ID: 1702] SSH client info

Log Categories
SSHCLIENT
Log Message
SSH client info.
Default Log Severity
Information
Parameters
msg
Explanation
Information about an SSH client connection.
Gateway Action
None
Action Description
None
Proposed Action
None

2.43.4. [ID: 1701] SSH client notice

Log Categories
SSHCLIENT
Log Message
SSH client notice.
Default Log Severity
Notice
Parameters
msg
Explanation
The state of an SSH client connection changed.
Gateway Action
None
Action Description
None
Proposed Action
None

2.44. SSHD

These log messages refer to the SSHD category.

2.44.1. [ID: 370] Administrative user logged in

Log Categories
SSHD
Log Message
Administrative user logged in.
Default Log Severity
Notice
Parameters
user, method, accesslevel, profile, clientip
Explanation
An administrative user has logged in.
Gateway Action
None
Action Description
None
Proposed Action
None

2.44.2. [ID: 297] Incorrect user name or insufficient[...]

Log Categories
SSHD
Log Message
Incorrect user name or insufficient credentials.
Default Log Severity
Warning
Parameters
user, method, accesslevel, profile, clientip, sshserver
Explanation
Administrative user login has been aborted. This is due to the user not existing or having insufficient privileges.
Gateway Action
Close
Action Description
None
Proposed Action
Increase user privileges or change the access level of the SSH server.

2.44.3. [ID: 186] Administrative user failed to login because[...]

Log Categories
SSHD
Log Message
Administrative user failed to login because of bad credentials.
Default Log Severity
Warning
Parameters
user, method, accesslevel, profile, clientip
Explanation
An administrative user failed to log in to the configuration system. This is most likely due to an invalid username or password being entered, or incorrect public key authentication.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.44.4. [ID: 455] Administrative user logged out

Log Categories
SSHD
Log Message
Administrative user logged out.
Default Log Severity
Notice
Parameters
user, method, accesslevel, profile, clientip
Explanation
An administrative user has logged out.
Gateway Action
None
Action Description
None
Proposed Action
None

2.44.5. [ID: 1287] Fatal sshd error

Log Categories
SSHD
Log Message
Fatal sshd error.
Default Log Severity
Warning
Parameters
clientip, sshserver, reason
Explanation
The connection attempt was aborted due to internal error.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.44.6. [ID: 877] Failed to get traffic parameters from[...]

Log Categories
SSHD
Log Message
Failed to get traffic parameters from dataplane.
Default Log Severity
Notice
Parameters
clientip, sshserver
Explanation
This is a problem with the internal communication within the system.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.44.7. [ID: 474] SSH session inactivity time limit has been[...]

Log Categories
SSHD
Log Message
SSH session inactivity time limit has been reached.
Default Log Severity
Warning
Parameters
time, clientip, sshserver
Explanation
The connected client has been inactive for too long and has been forcibly logged out.
Gateway Action
Close
Action Description
None
Proposed Action
Increase the inactive session timeout value if it is set too low.

2.44.8. [ID: 448] Username change

Log Categories
SSHD
Log Message
Username change.
Default Log Severity
Warning
Parameters
service, old, clientip
Explanation
User changed the service between two authentication phases, which is not allowed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.44.9. [ID: 256] Invalid service request received

Log Categories
SSHD
Log Message
Invalid service request received.
Default Log Severity
Warning
Parameters
clientip, service
Explanation
An invalid service request was received.
Gateway Action
Close
Action Description
None
Proposed Action
Investigate why the SSH client is sending an invalid service request.

2.44.10. [ID: 576] Username change

Log Categories
SSHD
Log Message
Username change.
Default Log Severity
Warning
Parameters
user, old, clientip
Explanation
User changed the username between two authentication phases, which is not allowed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.44.11. [ID: 425] SSH Login grace timeout expired

Log Categories
SSHD
Log Message
SSH Login grace timeout expired.
Default Log Severity
Warning
Parameters
time, clientip
Explanation
The client failed to log in within the given login grace time.
Gateway Action
Close
Action Description
None
Proposed Action
Increase the grace timeout value if it is set too low.

2.44.12. [ID: 554] Maximum number of authentication retries[...]

Log Categories
SSHD
Log Message
Maximum number of authentication retries reached.
Default Log Severity
Error
Parameters
user, clientip
Explanation
User failed to authenticate within the maximum allowed number of tries.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.44.13. [ID: 225] The maximum number of simultaneously[...]

Log Categories
SSHD
Log Message
The maximum number of simultaneously connected SSH clients has been reached.
Default Log Severity
Warning
Parameters
max, clientip, sshserver
Explanation
The maximum number of simultaneously connected SSH clients has been reached. Denying access for this attempt, and closing the connection.
Gateway Action
Close
Action Description
None
Proposed Action
Wait until an existing connection has closed or increase the number of allowed connections.

2.44.14. [ID: 406] The maximum number of connection attempts[...]

Log Categories
SSHD
Log Message
The maximum number of connection attempts reached.
Default Log Severity
Warning
Parameters
max, clientip, sshserver
Explanation
The maximum number of connection attempts has been reached.
Gateway Action
Close
Action Description
None
Proposed Action
Wait until an existing connection has closed or increase the number of allowed connections.

2.44.15. [ID: 640] Incompatible encryption

Log Categories
SSHD
Log Message
Incompatible encryption.
Default Log Severity
Warning
Parameters
clientip, sshserver, reason
Explanation
The connection attempt was aborted due to incompatible ciphers between server and client.
Gateway Action
Close
Action Description
None
Proposed Action
Ensure that client and server are using compatible ciphers.

2.44.16. [ID: 1293] Incompatible key exchange algorithm

Log Categories
SSHD
Log Message
Incompatible key exchange algorithm.
Default Log Severity
Warning
Parameters
clientip, sshserver, reason
Explanation
The connection attempt was aborted due to incompatible key exchange algorithms between server and client.
Gateway Action
Close
Action Description
None
Proposed Action
Ensure that client and server are using compatible key exchange algorithms.

2.44.17. [ID: 639] Incompatible mac

Log Categories
SSHD
Log Message
Incompatible mac.
Default Log Severity
Warning
Parameters
clientip, sshserver, reason
Explanation
The connection attempt was aborted due to incompatible MACs between server and client.
Gateway Action
Close
Action Description
None
Proposed Action
Ensure that client and server are using compatible MACs.

2.44.18. [ID: 996] Request to copy file

Log Categories
SSHD
Log Message
Request to copy file.
Default Log Severity
Information
Parameters
 
Explanation
Request to copy files was successful.
Gateway Action
None
Action Description
None
Proposed Action
None

2.44.19. [ID: 995] Request to copy file failed

Log Categories
SSHD
Log Message
Request to copy file failed.
Default Log Severity
Warning
Parameters
 
Explanation
Request to copy file failed.
Gateway Action
None
Action Description
None
Proposed Action
None

2.44.20. [ID: 994] Request to copy file successful

Log Categories
SSHD
Log Message
Request to copy file successful.
Default Log Severity
Information
Parameters
 
Explanation
Request to copy a file.
Gateway Action
None
Action Description
None
Proposed Action
None

2.44.21. [ID: 624] SSH connection is no longer valid

Log Categories
SSHD
Log Message
SSH connection is no longer valid.
Default Log Severity
Notice
Parameters
clientip, sshserver
Explanation
The SSH connection is no longer valid. This might be a result of the SSH management object being changed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.44.22. [ID: 997] Closing session for subsystem

Log Categories
SSHD
Log Message
Closing session for subsystem.
Default Log Severity
Information
Parameters
subsystem
Explanation
Closing the session for subsystem.
Gateway Action
None
Action Description
None
Proposed Action
None

2.44.23. [ID: 993] Creating session for subsystem request

Log Categories
SSHD
Log Message
Creating session for subsystem request.
Default Log Severity
Information
Parameters
subsystem
Explanation
Creating a session for the requested subsystem.
Gateway Action
None
Action Description
None
Proposed Action
None

2.45. SSLINSPECTION

These log messages refer to the SSLINSPECTION category.

2.45.1. [ID: 1460] Abnormal close

Log Categories
SSLINSPECTION
Log Message
Abnormal close.
Default Log Severity
Information
Parameters
sessionid, profile, reason, flow, user, userid
Explanation
The SSL Inspection connection was discovered to be broken.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.45.2. [ID: 1462] Error accepting client connection

Log Categories
SSLINSPECTION
Log Message
Error accepting client connection.
Default Log Severity
Warning
Parameters
sessionid, profile, failure, flow, user, userid
Explanation
An error occurred during initialization of SSL connection with client.
Gateway Action
Reject
Action Description
SSL connection attempt from client was rejected
Proposed Action
None

2.45.3. [ID: 1480] Session allocation failure

Log Categories
SSLINSPECTION
Log Message
Session allocation failure.
Default Log Severity
Critical
Parameters
profile, flow, user, userid
Explanation
Allocating memory to do SSL inspection failed.
Gateway Action
Reject
Action Description
SSL connection attempt from client was rejected
Proposed Action
Change configuration to free up more RAM.

2.45.4. [ID: 1485] Certificate error

Log Categories
SSLINSPECTION
Log Message
Certificate error.
Default Log Severity
Error
Parameters
sessionid, profile, failure, flow, user, userid
Explanation
There was a problem with the certificate.
Gateway Action
Reject
Action Description
None
Proposed Action
Make sure the configured certificate is valid.

2.45.5. [ID: 1495] Client cipher suites mismatch

Log Categories
SSLINSPECTION
Log Message
Client cipher suites mismatch.
Default Log Severity
Notice
Parameters
sessionid, profile, flow, user, userid
Explanation
SSL inspection does not support any of the client's suggested cipher suites.
Gateway Action
Reject
Action Description
SSL connection attempt from client was rejected
Proposed Action
Investigate if additional cipher suites should be enabled.

2.45.6. [ID: 1500] Client TLS version error

Log Categories
SSLINSPECTION
Log Message
Client TLS version error.
Default Log Severity
Notice
Parameters
sessionid, profile, flow, user, userid
Explanation
Client's TLS version is not allowed.
Gateway Action
Reject
Action Description
SSL connection attempt from client was rejected
Proposed Action
Investigate if TLS version of client should be enabled.

2.45.7. [ID: 1466] Error connecting to server

Log Categories
SSLINSPECTION
Log Message
Error connecting to server.
Default Log Severity
Warning
Parameters
sessionid, profile, failure, flow, user, userid
Explanation
An error occurred during initialization of SSL connection with server.
Gateway Action
Reject
Action Description
SSL connection attempt to the server was rejected
Proposed Action
None

2.45.8. [ID: 1498] Flow failed

Log Categories
SSLINSPECTION
Log Message
Flow failed.
Default Log Severity
Warning
Parameters
reason, flow, user, userid
Explanation
Initialization of the TCP connection failed before an SSL Inspection connection was properly initiated.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.45.9. [ID: 1447] Failed to forward SNI

Log Categories
SSLINSPECTION
Log Message
Failed to forward SNI.
Default Log Severity
Warning
Parameters
profile, sni, flow, user, userid
Explanation
The system could not forward the Server Name Indication (SNI) from the client to the protected server. This may cause the SSL connection to the server to fail.
Gateway Action
None
Action Description
None
Proposed Action
None

2.45.10. [ID: 1502] Handshake timeout with

Log Categories
SSLINSPECTION
Log Message
Handshake timeout with.
Default Log Severity
Warning
Parameters
direction, flow, user, userid
Explanation
SSL handshake was taking too long.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.45.11. [ID: 1490] IPS protection closed connection

Log Categories
SSLINSPECTION
Log Message
IPS protection closed connection.
Default Log Severity
Warning
Parameters
sessionid, profile, flow, user, userid
Explanation
IPS detected a problem and decided to close the connection.
Gateway Action
Reject
Action Description
None
Proposed Action
None

2.45.12. [ID: 1474] No server matched SNI

Log Categories
SSLINSPECTION
Log Message
No server matched SNI.
Default Log Severity
Notice
Parameters
profile, sni, flow, user, userid
Explanation
The Server Name Indication (SNI) received from the client did not match any of the configured server patterns.
Gateway Action
None
Action Description
None
Proposed Action
Review the server configuration of the given SSL inspection profile if the problem persists.

2.45.13. [ID: 1483] Error reading data from client

Log Categories
SSLINSPECTION
Log Message
Error reading data from client.
Default Log Severity
Warning
Parameters
sessionid, profile, failure, flow, user, userid
Explanation
An error occurred while trying to read data from the client.
Gateway Action
Reject
Action Description
None
Proposed Action
None

2.45.14. [ID: 1450] Error reading data from server

Log Categories
SSLINSPECTION
Log Message
Error reading data from server.
Default Log Severity
Warning
Parameters
sessionid, profile, failure, flow, user, userid
Explanation
An error occurred while trying to read data from the server.
Gateway Action
Reject
Action Description
None
Proposed Action
None

2.45.15. [ID: 1492] Received SNI from client

Log Categories
SSLINSPECTION
Log Message
Received SNI from client.
Default Log Severity
Information
Parameters
profile, sni, flow, user, userid
Explanation
A client sent a Server Name Indication (SNI) to indicate which host it attempts to connect to.
Gateway Action
None
Action Description
None
Proposed Action
None

2.45.16. [ID: 1484] Server cipher suites mismatch

Log Categories
SSLINSPECTION
Log Message
Server cipher suites mismatch.
Default Log Severity
Notice
Parameters
sessionid, profile, flow, user, userid
Explanation
SSL inspection does not support any of the server's suggested cipher suites.
Gateway Action
Reject
Action Description
SSL connection attempt to the server was rejected
Proposed Action
Investigate if additional cipher suites should be enabled.

2.45.17. [ID: 1481] Server TLS version error

Log Categories
SSLINSPECTION
Log Message
Server TLS version error.
Default Log Severity
Notice
Parameters
sessionid, profile, flow, user, userid
Explanation
Server's TLS version is not allowed.
Gateway Action
Reject
Action Description
SSL connection attempt to server was rejected
Proposed Action
Investigate if TLS version of server should be enabled.

2.45.18. [ID: 1487] Session closed

Log Categories
SSLINSPECTION
Log Message
Session closed.
Default Log Severity
Information
Parameters
sessionid, profile, flow, user, userid
Explanation
None
Gateway Action
Close
Action Description
None
Proposed Action
None

2.45.19. [ID: 1456] Connection established

Log Categories
SSLINSPECTION
Log Message
Connection established.
Default Log Severity
Information
Parameters
sessionid, profile, type, clienttlsver, clientcipher, servertlsver, servercipher, flow, user, userid
Explanation
SSL connection successfully established.
Gateway Action
Open
Action Description
None
Proposed Action
None

2.45.20. [ID: 1494] Session opened

Log Categories
SSLINSPECTION
Log Message
Session opened.
Default Log Severity
Information
Parameters
sessionid, profile, flow, user, userid
Explanation
A connection has been initiated.
Gateway Action
Open
Action Description
None
Proposed Action
None

2.45.21. [ID: 1444] Error writing data to client

Log Categories
SSLINSPECTION
Log Message
Error writing data to client.
Default Log Severity
Warning
Parameters
sessionid, profile, failure, flow, user, userid
Explanation
An error occurred while trying to write data to the client.
Gateway Action
Reject
Action Description
None
Proposed Action
None

2.45.22. [ID: 1499] Error writing data to client

Log Categories
SSLINSPECTION
Log Message
Error writing data to client.
Default Log Severity
Warning
Parameters
sessionid, profile, failure, flow, user, userid
Explanation
An error occurred while trying to write data to the server.
Gateway Action
Reject
Action Description
None
Proposed Action
None

2.46. SSLVPN

These log messages refer to the SSLVPN category.

2.46.1. [ID: 1491] Allocated client IP

Log Categories
SSLVPN
Log Message
Allocated client IP.
Default Log Severity
Information
Parameters
ip, iface, matchkey
Explanation
The connected client was allocated an IP address from the pool.
Gateway Action
None
Action Description
None
Proposed Action
None

2.46.2. [ID: 1448] Client certificate verification failed

Log Categories
SSLVPN
Log Message
Client certificate verification failed.
Default Log Severity
Notice
Parameters
reason, certcn, iface, matchkey
Explanation
Verification of the client certificate certcn failed. The specific error is described by reason.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.46.3. [ID: 1459] Client certificate verification successful

Log Categories
SSLVPN
Log Message
Client certificate verification successful.
Default Log Severity
Information
Parameters
certcn, iface, matchkey
Explanation
The client certificate was successfully verified.
Gateway Action
Accept
Action Description
None
Proposed Action
None

2.46.4. [ID: 1471] Verification of client options failed

Log Categories
SSLVPN
Log Message
Verification of client options failed.
Default Log Severity
Notice
Parameters
reason, iface, matchkey
Explanation
The options the client sent during the key exchange did not match the allowed values.
Gateway Action
Close
Action Description
None
Proposed Action
Reconfigure the client software.

2.46.5. [ID: 1461] Closed TLS session due to unacknowledged[...]

Log Categories
SSLVPN
Log Message
Closed TLS session due to unacknowledged message.
Default Log Severity
Notice
Parameters
keyid, iface, matchkey
Explanation
After several retries an outbound message was not acknowledged by the peer, thus the TLS session was closed. A TLS session for another Key ID might still be active.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.46.6. [ID: 1451] Connected SSLVPN client

Log Categories
SSLVPN
Log Message
Connected SSLVPN client.
Default Log Severity
Information
Parameters
iface, matchkey
Explanation
A client connected to the SSLVPN server.
Gateway Action
Accept
Action Description
None
Proposed Action
None

2.46.7. [ID: 1467] Could not allocate client IP

Log Categories
SSLVPN
Log Message
Could not allocate client IP.
Default Log Severity
Warning
Parameters
iface, matchkey
Explanation
Allocating an IP address to the client failed. The pool could be depleted.
Gateway Action
Close
Action Description
None
Proposed Action
Try increasing the size of the pool.

2.46.8. [ID: 1457] Internal error when decrypting packet

Log Categories
SSLVPN
Log Message
Internal error when decrypting packet.
Default Log Severity
Error
Parameters
flow, user, userid
Explanation
There was an internal error while decrypting a packet on the data channel.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.46.9. [ID: 1465] Decryption failed for data channel packet

Log Categories
SSLVPN
Log Message
Decryption failed for data channel packet.
Default Log Severity
Notice
Parameters
flow, user, userid
Explanation
There was an error decrypting a data channel packet.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.46.10. [ID: 1443] Disconnected SSLVPN client

Log Categories
SSLVPN
Log Message
Disconnected SSLVPN client.
Default Log Severity
Information
Parameters
iface, matchkey
Explanation
A client disconnected from the SSLVPN server.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.46.11. [ID: 1496] Data packet before negotiated data channel

Log Categories
SSLVPN
Log Message
Data packet before negotiated data channel.
Default Log Severity
Notice
Parameters
flow, user, userid
Explanation
A client sent a data channel packet before the data channel was negotiated.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.46.12. [ID: 1464] Encryption failed for data channel packet

Log Categories
SSLVPN
Log Message
Encryption failed for data channel packet.
Default Log Severity
Error
Parameters
flow, user, userid
Explanation
Encryption failed for a packet on the data channel.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.46.13. [ID: 1455] Encrypted packet did not fit packet buffer

Log Categories
SSLVPN
Log Message
Encrypted packet did not fit packet buffer.
Default Log Severity
Error
Parameters
flow, user, userid
Explanation
After encryption and addition of SSL VPN headers, the packet was too big to fit the packet buffer.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.46.14. [ID: 1482] Failed to send packet to control plane

Log Categories
SSLVPN
Log Message
Failed to send packet to control plane.
Default Log Severity
Notice
Parameters
flow, user, userid
Explanation
The system failed to forward a control channel packet to the submodule in the control plane.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.46.15. [ID: 1486] Failed to set encryption key for packet

Log Categories
SSLVPN
Log Message
Failed to set encryption key for packet.
Default Log Severity
Error
Parameters
flow, user, userid
Explanation
There was an internal error when setting the key used for encrypting the data channel packet.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.46.16. [ID: 1473] Failed to write encrypted packet

Log Categories
SSLVPN
Log Message
Failed to write encrypted packet.
Default Log Severity
Error
Parameters
flow, user, userid
Explanation
There was an internal error when writing the encrypted data channel packet to the packet buffer.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.46.17. [ID: 1668] Failed to get server

Log Categories
SSLVPN
Log Message
Failed to get server.
Default Log Severity
Error
Parameters
user, profile, crstate, iface, matchkey
Explanation
No SSLVPN server session could be found for a client request.
Gateway Action
Deny
Action Description
None
Proposed Action
None

2.46.18. [ID: 1669] Failed to get session

Log Categories
SSLVPN
Log Message
Failed to get session.
Default Log Severity
Error
Parameters
user, profile, crstate, iface, matchkey
Explanation
No SSLVPN session could be found for a client request.
Gateway Action
Deny
Action Description
None
Proposed Action
None

2.46.19. [ID: 1678] Failed to get user session

Log Categories
SSLVPN
Log Message
Failed to get user session.
Default Log Severity
Error
Parameters
user, profile, crstate, iface, matchkey
Explanation
No user session could be found for a client request.
Gateway Action
Deny
Action Description
None
Proposed Action
None

2.46.20. [ID: 1463] TLS handshake timed out

Log Categories
SSLVPN
Log Message
TLS handshake timed out.
Default Log Severity
Notice
Parameters
keyid, iface, matchkey
Explanation
The handshake with the client timed out.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.46.21. [ID: 1478] Integrity check failed during decryption

Log Categories
SSLVPN
Log Message
Integrity check failed during decryption.
Default Log Severity
Notice
Parameters
flow, user, userid
Explanation
The integrity check failed when decrypting a packet on the data channel. This might be due to data corruption or due to deliberate tampering with the packet.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.46.22. [ID: 1472] Maximum number of authenticated SSLVPN[...]

Log Categories
SSLVPN
Log Message
Maximum number of authenticated SSLVPN sessions allowed by license exceeded.
Default Log Severity
Warning
Parameters
maxsessions
Explanation
Incoming SSLVPN requests exceeded license limitation for maximum number of allowed concurrent SSLVPN sessions.
Gateway Action
Deny
Action Description
None
Proposed Action
Add more hardware devices or extend your license to support more SSLVPN sessions to ensure that all incoming SSLVPN requests can be properly established.

2.46.23. [ID: 1446] Number of authenticated SSLVPN sessions[...]

Log Categories
SSLVPN
Log Message
Number of authenticated SSLVPN sessions reached 90 percent of max SSLVPN sessions allowed by license.
Default Log Severity
Warning
Parameters
sessions, maxsessions
Explanation
Incoming SSLVPN requests exceeded 90 percent of the allowed number of concurrent SSLVPN sessions (license limitation).
Gateway Action
None
Action Description
None
Proposed Action
Add more hardware devices or extend your license to support more SSLVPN sessions to ensure that all incoming SSLVPN requests can be properly established.

2.46.24. [ID: 1453] Malformed packet on data channel

Log Categories
SSLVPN
Log Message
Malformed packet on data channel.
Default Log Severity
Notice
Parameters
flow, user, userid
Explanation
The system failed to parse a packet on the data channel.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.46.25. [ID: 1673] Failed to read challenge text from[...]

Log Categories
SSLVPN
Log Message
Failed to read challenge text from configuration.
Default Log Severity
Error
Parameters
user, profile, crstate, iface, matchkey
Explanation
No challenge text could be found for a client request.
Gateway Action
Deny
Action Description
None
Proposed Action
None

2.46.26. [ID: 1679] Peer did not send client certificate

Log Categories
SSLVPN
Log Message
Peer did not send client certificate.
Default Log Severity
Information
Parameters
iface, matchkey
Explanation
The peer did not send a client certificate.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.46.27. [ID: 1674] Failed to find server configuration

Log Categories
SSLVPN
Log Message
Failed to find server configuration.
Default Log Severity
Error
Parameters
user, profile, crstate, iface, matchkey
Explanation
No SSLVPN server configuration could be found for a client request.
Gateway Action
Deny
Action Description
None
Proposed Action
None

2.46.28. [ID: 1476] Non active key ID on data channel

Log Categories
SSLVPN
Log Message
Non active key ID on data channel.
Default Log Severity
Notice
Parameters
keyid, flow, user, userid
Explanation
A packet was received on the data channel using a key ID that had not been negotiated.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.46.29. [ID: 1470] Verification of client peer info failed

Log Categories
SSLVPN
Log Message
Verification of client peer info failed.
Default Log Severity
Notice
Parameters
reason, iface, matchkey
Explanation
The peer info the client sent during the key exchange did not match the allowed values.
Gateway Action
Close
Action Description
None
Proposed Action
Reconfigure the client software or upgrade to a newer version.

2.46.30. [ID: 1493] Rate limit exceeded

Log Categories
SSLVPN
Log Message
Rate limit exceeded.
Default Log Severity
Warning
Parameters
flow, user, userid
Explanation
The rate limit of control channel messages was exceeded on the flow.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate if the system is under attack.

2.46.31. [ID: 1469] Released client IP

Log Categories
SSLVPN
Log Message
Released client IP.
Default Log Severity
Information
Parameters
ip, iface, matchkey
Explanation
The client IP address was released back to the pool.
Gateway Action
None
Action Description
None
Proposed Action
None

2.46.32. [ID: 1452] Key renegotiation failed

Log Categories
SSLVPN
Log Message
Key renegotiation failed.
Default Log Severity
Notice
Parameters
keyid, iface, matchkey
Explanation
Key renegotiation for the data channel failed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.46.33. [ID: 1475] Key renegotiation successful

Log Categories
SSLVPN
Log Message
Key renegotiation successful.
Default Log Severity
Information
Parameters
keyid, iface, matchkey
Explanation
Key renegotiation for the data channel was successful.
Gateway Action
None
Action Description
None
Proposed Action
None

2.46.34. [ID: 1449] Replay check failed on data channel

Log Categories
SSLVPN
Log Message
Replay check failed on data channel.
Default Log Severity
Warning
Parameters
keyid, packetid, flow, user, userid
Explanation
A packet was dropped due to a failed packet replay check. Either the packet was seen before or it is older than the packet replay window allows.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate if the session is under attack.

2.46.35. [ID: 1670] Failed to send challenge to client

Log Categories
SSLVPN
Log Message
Failed to send challenge to client.
Default Log Severity
Error
Parameters
user, profile, crstate, iface, matchkey
Explanation
The system could not forward a challenge request from the authentication source to the SSLVPN client.
Gateway Action
Deny
Action Description
None
Proposed Action
None

2.46.36. [ID: 1677] Failed to send challenge response

Log Categories
SSLVPN
Log Message
Failed to send challenge response.
Default Log Severity
Error
Parameters
user, profile, crstate, iface, matchkey
Explanation
The system could not forward a challenge response from the SSLVPN client to the authentication source.
Gateway Action
Deny
Action Description
None
Proposed Action
None

2.46.37. [ID: 1489] Server reset from client

Log Categories
SSLVPN
Log Message
Server reset from client.
Default Log Severity
Notice
Parameters
flow, user, userid
Explanation
A client sent a packet to the service that is only sent from server to client.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.46.38. [ID: 1477] TLS handshake error

Log Categories
SSLVPN
Log Message
TLS handshake error.
Default Log Severity
Notice
Parameters
reason, certcn, iface, matchkey
Explanation
TLS handshake with the client was aborted due to an error, and the TLS session is closed. The specific error is described by reason.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.46.39. [ID: 1497] Too short packet payload

Log Categories
SSLVPN
Log Message
Too short packet payload.
Default Log Severity
Notice
Parameters
paylen, flow, user, userid
Explanation
A client sent a packet with a too short payload.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.46.40. [ID: 1501] Unacknowledged control channel message

Log Categories
SSLVPN
Log Message
Unacknowledged control channel message.
Default Log Severity
Notice
Parameters
packetid, keyid, iface, matchkey
Explanation
An outbound message to the peer was not acknowledged after several retries, and was thus dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.46.41. [ID: 1488] Received ACK for unknown packet id

Log Categories
SSLVPN
Log Message
Received ACK for unknown packet id.
Default Log Severity
Notice
Parameters
packetid, keyid, iface, matchkey
Explanation
The peer sent an ACK for a packet ID the system never sent out, or a packet ID that was already acknowledged. The ACK was ignored.
Gateway Action
Discard
Action Description
None
Proposed Action
None

2.46.42. [ID: 1479] Unknown protocol opcode

Log Categories
SSLVPN
Log Message
Unknown protocol opcode.
Default Log Severity
Notice
Parameters
code, flow, user, userid
Explanation
A client sent a protocol message containing an unknown opcode.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.46.43. [ID: 1671] Unprintable characters in challenge text

Log Categories
SSLVPN
Log Message
Unprintable characters in challenge text.
Default Log Severity
Warning
Parameters
user, profile, crstate, iface, matchkey
Explanation
The challenge text for an SSLVPN session contained unprintable characters, which is not allowed.
Gateway Action
Deny
Action Description
None
Proposed Action
Change the challenge text on the authentication source or the overridden value in the local configuration.

2.46.44. [ID: 1454] Unsupported key exchange method v1

Log Categories
SSLVPN
Log Message
Unsupported key exchange method v1.
Default Log Severity
Notice
Parameters
flow, user, userid
Explanation
A client sent a client reset using key exchange method 1, which is unsupported.
Gateway Action
Drop
Action Description
None
Proposed Action
Upgrade client software to a more recent version.

2.46.45. [ID: 1445] User failed to log in to SSLVPN

Log Categories
SSLVPN
Log Message
User failed to log in to SSLVPN.
Default Log Severity
Warning
Parameters
user, profile, crstate, iface, matchkey
Explanation
The client failed authentication trying to log in.
Gateway Action
Deny
Action Description
None
Proposed Action
None

2.46.46. [ID: 1458] User logged in to SSLVPN

Log Categories
SSLVPN
Log Message
User logged in to SSLVPN.
Default Log Severity
Information
Parameters
user, profile, crstate, iface, matchkey
Explanation
The client was successfully logged in.
Gateway Action
Accept
Action Description
None
Proposed Action
None

2.46.47. [ID: 1468] User logged out from SSLVPN by authentication[...]

Log Categories
SSLVPN
Log Message
User logged out from SSLVPN by authentication system.
Default Log Severity
Notice
Parameters
user, iface, matchkey
Explanation
The user connected to the SSLVPN server was logged out through the authentication system, and thus the session was closed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.46.48. [ID: 1675] Username not allowed to change

Log Categories
SSLVPN
Log Message
Username not allowed to change.
Default Log Severity
Warning
Parameters
user, profile, crstate, iface, matchkey
Explanation
The user name for an SSLVPN session changed, which is not allowed.
Gateway Action
Deny
Action Description
None
Proposed Action
Change the configuration of the SSLVPN client to use the same user name throughout the entire session.

2.47. STATISTICS

These log messages refer to the STATISTICS category.

2.47.1. [ID: 1432] Failed to add statistical values for BGP peer

Log Categories
STATISTICS,BGP
Log Message
Failed to add statistical values for BGP peer.
Default Log Severity
Warning
Parameters
ip
Explanation
Configuration error.
Gateway Action
None
Action Description
 
Proposed Action
None

2.47.2. [ID: 1428] Failed to remove statistical values of BGP[...]

Log Categories
STATISTICS,BGP
Log Message
Failed to remove statistical values of BGP peer.
Default Log Severity
Warning
Parameters
ip
Explanation
Configuration error.
Gateway Action
None
Action Description
 
Proposed Action
None

2.47.3. [ID: 1436] Failed to create AgentX talker thread

Log Categories
STATISTICS,BGP
Log Message
Failed to create AgentX talker thread.
Default Log Severity
Warning
Parameters
 
Explanation
 
Gateway Action
None
Action Description
Failed to start AgentX protocol communication
Proposed Action
None

2.47.4. [ID: 1431] Failed to parse AgentX message

Log Categories
STATISTICS,BGP
Log Message
Failed to parse AgentX message.
Default Log Severity
Debug
Parameters
 
Explanation
Unexpected or corrupted AgentX message.
Gateway Action
None
Action Description
 
Proposed Action
None

2.47.5. [ID: 1433] No support for IPv6 peer identifiers

Log Categories
STATISTICS,BGP
Log Message
No support for IPv6 peer identifiers.
Default Log Severity
Notice
Parameters
ip
Explanation
No statistics support for BGP peers identified with an IPv6 address.
Gateway Action
None
Action Description
 
Proposed Action
None

2.47.6. [ID: 1429] AgentX session closed

Log Categories
STATISTICS,BGP
Log Message
AgentX session closed.
Default Log Severity
Debug
Parameters
id, id, code
Explanation
An AgentX session with an internal process was closed.
Gateway Action
None
Action Description
 
Proposed Action
None

2.47.7. [ID: 1434] AgentX session opened

Log Categories
STATISTICS,BGP
Log Message
AgentX session opened.
Default Log Severity
Debug
Parameters
id, id, code
Explanation
An AgentX session with an internal process was established.
Gateway Action
None
Action Description
 
Proposed Action
None

2.47.8. [ID: 1430] Failed to setup listening socket

Log Categories
STATISTICS,BGP
Log Message
Failed to setup listening socket.
Default Log Severity
Warning
Parameters
port
Explanation
Failed to set up socket for AgentX protocol.
Gateway Action
None
Action Description
 
Proposed Action
None

2.47.9. [ID: 1435] Update of statistics value failed

Log Categories
STATISTICS,BGP
Log Message
Update of statistics value failed.
Default Log Severity
Debug
Parameters
id
Explanation
Failed to update statistical value received via AgentX protocol.
Gateway Action
None
Action Description
 
Proposed Action
None

2.48. SYSLOGALG

These log messages refer to the SYSLOGALG category.

2.48.1. [ID: 1707] Failed to create new session

Log Categories
SYSLOGALG
Log Message
Failed to create new session.
Default Log Severity
Error
Parameters
 
Explanation
An attempt to create a new Syslog ALG session failed, because the unit is out of memory.
Gateway Action
Close
Action Description
None
Proposed Action
Decrease the maximum allowed Syslog ALG sessions, or try to free some of the RAM used.

2.48.2. [ID: 1711] Flow failed

Log Categories
SYSLOGALG
Log Message
Flow failed.
Default Log Severity
Notice
Parameters
reason, originator, sessionid, flow, rule
Explanation
An error occurred that caused the Syslog flow to be aborted.
Gateway Action
Abort
Action Description
None
Proposed Action
None

2.48.3. [ID: 1710] Session closed

Log Categories
SYSLOGALG
Log Message
Session closed.
Default Log Severity
Information
Parameters
sessionid, profile, flow
Explanation
A session using the Syslog ALG was closed.
Gateway Action
Close
Action Description
None
Proposed Action
None

2.48.4. [ID: 1706] Session opened

Log Categories
SYSLOGALG
Log Message
Session opened.
Default Log Severity
Information
Parameters
sessionid, profile, flow
Explanation
A session using the Syslog ALG was opened.
Gateway Action
Open
Action Description
None
Proposed Action
None

2.48.5. [ID: 1708] Too large syslog packet received

Log Categories
SYSLOGALG
Log Message
Too large syslog packet received.
Default Log Severity
Error
Parameters
sessionid, profile, size, max, flow
Explanation
Syslog packet rejected due to being larger than the configuration allows.
Gateway Action
Drop
Action Description
None
Proposed Action
If required, change the configuration to allow syslog packets with this size.

2.48.6. [ID: 1705] Syslog packet rejected

Log Categories
SYSLOGALG
Log Message
Syslog packet rejected.
Default Log Severity
Information
Parameters
sessionid, profile, reason, flow
Explanation
A Syslog packet was rejected by the ALG.
Gateway Action
Drop
Action Description
None
Proposed Action
Verify that the Syslog clients are correctly configured.

2.48.7. [ID: 1712] Prohibited keyword detected in syslog data

Log Categories
SYSLOGALG
Log Message
Prohibited keyword detected in syslog data.
Default Log Severity
Error
Parameters
sessionid, profile, keyword, flow
Explanation
Syslog packet rejected due to presence of a prohibited keyword.
Gateway Action
Drop
Action Description
None
Proposed Action
Change the configuration to allow syslog packets with this keyword.

2.48.8. [ID: 1709] Reverse traffic detected on syslog flow

Log Categories
SYSLOGALG
Log Message
Reverse traffic detected on syslog flow.
Default Log Severity
Error
Parameters
sessionid, profile, flow
Explanation
The Syslog ALG detected data packets sent in the reverse direction, i.e. from the server towards the client. The session is closed.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate why the packets are sent in the reverse direction of the syslog connection.

2.49. SYSTEM

These log messages refer to the SYSTEM category.

2.49.1. [ID: 641] A new kernel exception report was generated

Log Categories
SYSTEM
Log Message
A new kernel exception report was generated.
Default Log Severity
Emergency
Parameters
file
Explanation
The system encountered a serious error. A report describing the exception has been generated and saved.
Gateway Action
None
Action Description
None
Proposed Action
Contact customer support and provide the exception report.

2.49.2. [ID: 235] Out of memory initializing data plane[...]

Log Categories
SYSTEM
Log Message
Out of memory initializing data plane processing units.
Default Log Severity
Emergency
Parameters
 
Explanation
A memory allocation attempt failed when allocating memory for a critical subsystem within data plane. Normal operation cannot be guaranteed.
Gateway Action
Abort
Action Description
None
Proposed Action
Investigate why the system is low on RAM. Review the configuration and try to free more RAM.

2.49.3. [ID: 583] All systems shutdown

Log Categories
SYSTEM,CONFIG
Log Message
All systems shutdown.
Default Log Severity
Notice
Parameters
reason
Explanation
Shutdown of all virtual systems.
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.4. [ID: 313] Aborted shutdown of all systems

Log Categories
SYSTEM,CONFIG
Log Message
Aborted shutdown of all systems.
Default Log Severity
Notice
Parameters
reason
Explanation
Shutdown of all virtual systems has been aborted.
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.5. [ID: 231] All systems shutdown notice

Log Categories
SYSTEM,CONFIG
Log Message
All systems shutdown notice.
Default Log Severity
Notice
Parameters
time, reason
Explanation
Shutdown of all virtual systems will begin at the specified time.
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.6. [ID: 392] Failed to create backup file

Log Categories
SYSTEM
Log Message
Failed to create backup file.
Default Log Severity
Alert
Parameters
file, reason
Explanation
Attempt to create a backup failed.
Gateway Action
None
Action Description
None
Proposed Action
Make sure there is enough free space on the disk.

2.49.7. [ID: 193] Backup file created

Log Categories
SYSTEM
Log Message
Backup file created.
Default Log Severity
Notice
Parameters
file
Explanation
A backup file was created.
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.8. [ID: 1073] Leaving Daylight Saving Time

Log Categories
SYSTEM
Log Message
Leaving Daylight Saving Time.
Default Log Severity
Information
Parameters
 
Explanation
Daylight Saving Time change, DST is not in use.
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.9. [ID: 1074] Entering Daylight Saving Time

Log Categories
SYSTEM
Log Message
Entering Daylight Saving Time.
Default Log Severity
Information
Parameters
 
Explanation
Daylight Saving Time change, DST is in use.
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.10. [ID: 390] Exception report generated

Log Categories
SYSTEM
Log Message
Exception report generated.
Default Log Severity
Emergency
Parameters
file
Explanation
The system ended up in an unrecoverable erroneous state and had to be restarted. A report describing the exception has been generated and saved.
Gateway Action
None
Action Description
None
Proposed Action
Contact customer support and provide the exception report.

2.49.11. [ID: 1072] System time set

Log Categories
SYSTEM
Log Message
System time set.
Default Log Severity
Information
Parameters
 
Explanation
New system time was set with CLI time command (admin).
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.12. [ID: 404] PKG file was successfully applied

Log Categories
SYSTEM
Log Message
PKG file was successfully applied.
Default Log Severity
Notice
Parameters
file
Explanation
PKG file was successfully applied.
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.13. [ID: 244] Failed to apply PKG file

Log Categories
SYSTEM
Log Message
Failed to apply PKG file.
Default Log Severity
Alert
Parameters
file, reason
Explanation
PKG file could not be applied.
Gateway Action
None
Action Description
None
Proposed Action
Verify that the file is compatible with the system.

2.49.14. [ID: 190] Failed to validate PKG file

Log Categories
SYSTEM
Log Message
Failed to validate PKG file.
Default Log Severity
Warning
Parameters
file, reason
Explanation
PKG file was not considered valid.
Gateway Action
None
Action Description
None
Proposed Action
Verify that the file is compatible with the system.

2.49.15. [ID: 786] Process exited with non-zero status code

Log Categories
SYSTEM
Log Message
Process exited with non-zero status code.
Default Log Severity
Error
Parameters
module, code, reason
Explanation
A process exited unexpectedly with a status code that indicates that an error occurred.
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.16. [ID: 785] Process exited because of signal

Log Categories
SYSTEM
Log Message
Process exited because of signal.
Default Log Severity
Error
Parameters
module, code
Explanation
A process exited unexpectedly due to a signal, which indicates that an error occurred.
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.17. [ID: 794] Generating crashdump report

Log Categories
SYSTEM
Log Message
Generating crashdump report.
Default Log Severity
Error
Parameters
module
Explanation
Process malfunctioned, and a crashdump report is being generated.
Gateway Action
None
Action Description
None
Proposed Action
Earlier log messages may give additional information about the reason for the malfunction.

2.49.18. [ID: 800] Killing process that did not exit in time

Log Categories
SYSTEM
Log Message
Killing process that did not exit in time.
Default Log Severity
Error
Parameters
module, code
Explanation
Process was instructed to shut down and exit, but failed to do so in time. Terminating it with a signal, specified by the code parameter.
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.19. [ID: 798] Process is not responding

Log Categories
SYSTEM
Log Message
Process is not responding.
Default Log Severity
Warning
Parameters
module, count
Explanation
The process is not responding. The count parameter specifies the number of times the process has failed to respond.
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.20. [ID: 799] Removing unresponsive process

Log Categories
SYSTEM
Log Message
Removing unresponsive process. Sending signal.
Default Log Severity
Error
Parameters
module, code
Explanation
Process was unresponsive and it will be terminated by sending a signal. The code parameter specifies the signal number.
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.21. [ID: 797] Restarting process

Log Categories
SYSTEM
Log Message
Restarting process.
Default Log Severity
Notice
Parameters
module
Explanation
Process was restarted.
Gateway Action
None
Action Description
None
Proposed Action
Look for prior log messages to find the reason why the process was restarted.

2.49.22. [ID: 796] Process did not exit in time

Log Categories
SYSTEM
Log Message
Process did not exit in time. Sending signal.
Default Log Severity
Error
Parameters
module, code
Explanation
Process was instructed to shut down and exit, but failed to do so in time. Terminating it with a signal, specified by the code parameter.
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.23. [ID: 1058] Process exited unexpectedly

Log Categories
SYSTEM
Log Message
Process exited unexpectedly.
Default Log Severity
Error
Parameters
module, code
Explanation
A process exited unexpectedly.
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.24. [ID: 990] Configuration has been reset to factory[...]

Log Categories
SYSTEM
Log Message
Configuration has been reset to factory default.
Default Log Severity
Notice
Parameters
 
Explanation
Configuration has been reset to factory default.
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.25. [ID: 991] System has been reset to factory default

Log Categories
SYSTEM
Log Message
System has been reset to factory default.
Default Log Severity
Notice
Parameters
 
Explanation
System has been reset to factory default.
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.26. [ID: 459] Revert has been applied

Log Categories
SYSTEM
Log Message
Revert has been applied.
Default Log Severity
Notice
Parameters
 
Explanation
System has been reverted to the state prior to the latest config/system restore.
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.27. [ID: 558] Failed to revert

Log Categories
SYSTEM
Log Message
Failed to revert.
Default Log Severity
Emergency
Parameters
reason
Explanation
System could not be reverted to Last Known Good.
Gateway Action
None
Action Description
None
Proposed Action
Upload and apply a backup file. If the problem is not resolved, perform a reset to factory default.

2.49.28. [ID: 361] System shutting down

Log Categories
SYSTEM,CONFIG
Log Message
System shutting down.
Default Log Severity
Notice
SNMP Trap Category
SHUTDOWN
SNMP Trap MIB name
ssmShutdown
SNMP Trap MIB OID
1.3.6.1.4.1.5089.3.0.2020.0.1005   (STREAM-TRAPS-MIB)
Parameters
reason
Explanation
System shutting down.
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.29. [ID: 1023] Preparing to shut down

Log Categories
SYSTEM,CONFIG
Log Message
Preparing to shut down.
Default Log Severity
Notice
Parameters
 
Explanation
The system is preparing to shut down and will take down connections to other hosts, for example IKE/IPsec SAs.
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.30. [ID: 427] System started

Log Categories
SYSTEM,CONFIG
Log Message
System started.
Default Log Severity
Notice
SNMP Trap Category
STARTUP
SNMP Trap MIB name
coldStart
SNMP Trap MIB OID
1.3.6.1.6.3.1.1.5.1   (SNMPv2-MIB, RFC3418)
Parameters
name, version
Explanation
The system has started and loaded the configuration.
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.31. [ID: 1002] System could not be rebooted using the[...]

Log Categories
SYSTEM
Log Message
System could not be rebooted using the content of upgrade package and has been reverted.
Default Log Severity
Emergency
Parameters
reason
Explanation
System could not be rebooted using the content of upgrade package and has been reverted.
Gateway Action
None
Action Description
None
Proposed Action
Verify that the upgrade package is intact.

2.49.32. [ID: 992] System could not be reconfigured using the[...]

Log Categories
SYSTEM
Log Message
System could not be reconfigured using the content of upgrade package and will be reverted.
Default Log Severity
Emergency
Parameters
 
Explanation
System could not be reconfigured using the content of upgrade package and will be reverted.
Gateway Action
None
Action Description
None
Proposed Action
Verify that the upgrade package is intact.

2.49.33. [ID: 1003] System was successfully upgraded

Log Categories
SYSTEM
Log Message
System was successfully upgraded.
Default Log Severity
Notice
Parameters
 
Explanation
System has been upgraded using the upgrade package.
Gateway Action
None
Action Description
None
Proposed Action
None

2.49.34. [ID: 382] Out of memory setting up virtual system

Log Categories
SYSTEM
Log Message
Out of memory setting up virtual system.
Default Log Severity
Emergency
Parameters
 
Explanation
A memory allocation attempt failed when allocating memory needed to initialize a virtual system. The virtual system failed to initialize.
Gateway Action
Abort
Action Description
None
Proposed Action
Investigate why the system is low on RAM. Review the configuration and try to free more RAM.

2.49.35. [ID: 290] Module was restarted

Log Categories
SYSTEM
Log Message
Module was restarted.
Default Log Severity
Critical
Parameters
module
Explanation
The monitored module was restarted by the system.
Gateway Action
None
Action Description
None
Proposed Action
Check that the module has been restarted and examine the cause of the restart.

2.49.36. [ID: 318] Failed to start module

Log Categories
SYSTEM
Log Message
Failed to start module. Restarting system.
Default Log Severity
Critical
Parameters
module
Explanation
A monitored module could not be started, which led to a restart of the complete system.
Gateway Action
None
Action Description
None
Proposed Action
Examine why the module could not be started and, in case of a re-start attempt, the cause of the initial failure.

2.50. TCP

These log messages refer to the TCP category.

2.50.1. [ID: 102] Ambiguous MSS announcement

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Ambiguous MSS announcement.
Default Log Severity
Warning
Parameters
old, new, effective, tcpopt, flow, user, userid
Explanation
The gateway has received several packets with the SYN flag set, on this flow. Not all of these packets announced the same Maximum Segment Size (MSS). The gateway will act as if the value of the parameter effective was announced in all packets that had the SYN flag set on this flow.
Gateway Action
Accept
Action Description
The gateway accepted the new MSS announcement as the new effective MSS for the flow
Proposed Action
None

2.50.2. [ID: 189] TCP MSS too high

Log Categories
TCP,STATELESS,VALIDATE
Log Message
TCP MSS too high.
Default Log Severity
Notice
Parameters
mss, max, tcpopt, setting, flow, pkt, user, userid
Explanation
The TCP packet announced a Maximum Segment Size (MSS) larger than the configured limit.
Gateway Action
Adjust
Action Description
None
Proposed Action
The setting TCPSettings:TCPMSSOnHigh controls how the gateway handles packets that announce a Maximum Segment Size (MSS) larger than the configured limit. The limit is configured in the setting TCPSettings:TCPMSSMax.

2.50.3. [ID: 393] TCP MSS too low

Log Categories
TCP,STATELESS,VALIDATE
Log Message
TCP MSS too low.
Default Log Severity
Notice
Parameters
mss, min, tcpopt, setting, flow, pkt, user, userid
Explanation
The TCP packet announced a Maximum Segment Size (MSS) less than the configured limit.
Gateway Action
Adjust
Action Description
None
Proposed Action
The setting TCPSettings:TCPMSSOnLow controls how the gateway handles packets that announce a Maximum Segment Size (MSS) less than the configured limit. The limit is configured in the setting TCPSettings:TCPMSSMin.

2.50.4. [ID: 591] Oversized TCP window

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Oversized TCP window.
Default Log Severity
Information
Parameters
windowsize, max, state, flow, pkt, user, userid
Explanation
The packet's announced receive window exceeded the configured limit. This event is only logged once per flow.
Gateway Action
Adjust
Action Description
The size of the announced receive window was lowered below the configured limit
Proposed Action
Window size limitation is controlled by two settings. The setting TCPSettings:TCPMaxWindow sets the actual limit and the setting TCPSettings:TCPOversizedWindow controls the action of the gateway when the limit is exceeded.

2.50.5. [ID: 416] Ambiguous SACK permission announced

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Ambiguous SACK permission announced.
Default Log Severity
Warning
Parameters
tcpopt, flow, user, userid
Explanation
The gateway has received several packets with the SYN flag set, on this flow. Some, but not all, of these packets granted the peer permission to send SACK options.
Gateway Action
Allow
Action Description
The gateway will allow packets with the SACK option from the peer on this flow-pair
Proposed Action
None

2.50.6. [ID: 307] Ambiguous SACK permission announced

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Ambiguous SACK permission announced.
Default Log Severity
Warning
Parameters
tcpopt, flow, user, userid
Explanation
The gateway has received several packets with the SYN flag set, on this flow. Some, but not all, of these packets granted the peer permission to send SACK options.
Gateway Action
Deny
Action Description
The gateway will drop packets with the SACK option from the peer on this flow-pair
Proposed Action
If this seems to cause problems, for instance, through packet drops generating "not negotiated option" logs pointing at the SACK option, a possible workaround is to change the setting TCPSettings:TCPOPT_SACK so that the gateway strips the SACK option, thereby disabling the use of SACK options.

2.50.7. [ID: 246] Ambiguous window scale negotiation

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Ambiguous window scale negotiation.
Default Log Severity
Warning
Parameters
tcpopt, flow, user, userid
Explanation
The gateway has received several packets with the SYN flag set, on this flow. Some, but not all, of these packets have proposed to use the window scale option.
Gateway Action
Disable
Action Description
The gateway will act as if the negotiation of window scale failed on this flow-pair. This means that it will not apply any shift count when processing the window information in subsequent packets. This will also affect the validation of sequence numbers since that depends on the window information
Proposed Action
If this seems to cause problems, for instance, with the sequence number validation, a possible workaround is to change the setting TCPSettings:TCPOPT_WSOPT so that the gateway strips the Window Scale option, thereby disabling the use of Window Scale options.

2.50.8. [ID: 551] Ambiguous window scale negotiation

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Ambiguous window scale negotiation.
Default Log Severity
Warning
Parameters
tcpopt, flow, user, userid
Explanation
The gateway has received several packets with the SYN flag set, on this flow. Some, but not all, of these packets have proposed to use the window scale option.
Gateway Action
Enable
Action Description
The gateway will act as if window scale was successfully negotiated on this flow-pair. This means that it will use the announced shift counts when processing the window information in subsequent packets. This will also affect the validation of sequence numbers since that depends on the window information
Proposed Action
None

2.50.9. [ID: 565] SACK block with invalid range

Log Categories
TCP,STATELESS,VALIDATE
Log Message
SACK block with invalid range.
Default Log Severity
Warning
Parameters
sackblock, tcpopt, flow, pkt, user, userid
Explanation
The TCP packet had a SACK option containing a block with an empty or inverted range, that is, a range that runs from a higher sequence number to a lower sequence number.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate the source of this erroneous packet.

2.50.10. [ID: 411] Resent SYN with mismatching window scale[...]

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Resent SYN with mismatching window scale proposal.
Default Log Severity
Warning
Parameters
new, effective, tcpopt, flow, pkt, user, userid
Explanation
The gateway has received a retransmission of a packet with the SYN flag set. The retransmitted packet announced a different Window Scale shift count than the original packet and is therefore dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
If this seems to cause problems, a possible workaround is to change the setting TCPSettings:TCPOPT_WSOPT so that the gateway strips the Window Scale option, thereby disabling the use of Window Scale options.

2.50.11. [ID: 545] Disallowed flag set

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Disallowed flag set.
Default Log Severity
Warning
Parameters
flag, setting, flow, pkt, user, userid
Explanation
The TCP packet had an uncommon, unusual or poorly standardized flag set.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate the source of this strange packet. If the problem can't be fixed at the source then the gateway can be configured to either silently take action on such packets or just ignore them altogether by modifying one of the settings TCPSettings:TCPUrg, TCPSettings:TCPECN or TCPSettings:TCPRF, depending on the flag in question. The parameter setting shows which of the settings was applied to the packet.

2.50.12. [ID: 202] Bad TCP option length

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Bad TCP option length.
Default Log Severity
Warning
Parameters
tcpopt, len, expectlen, setting, flow, pkt, user, userid
Explanation
While parsing the TCP header an option with an invalid length, for that specific option type, was found.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate the source of this erroneous packet. If the problem can't be fixed at the source then the gateway's response to this event can be changed through the setting TCPSettings:TCPBadOptionLengths.

2.50.13. [ID: 596] TCP segment exceeds previous FIN

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
TCP segment exceeds previous FIN.
Default Log Severity
Warning
Parameters
seqno, max, flags, state, flow, pkt, user, userid
Explanation
The TCP packet ended at a higher sequence number than the sequence number assigned to the FIN flag by a previous packet. Since the FIN flag signals the end of the data stream, packets with higher sequence numbers should not occur. The parameter seqno contains the last sequence number transported in the segment and the parameter max contains the sequence number immediately before the previously received FIN.
Gateway Action
Drop
Action Description
None
Proposed Action
The setting TCPSettings:TCPSeqNumValidationMode controls how strictly the gateway validates sequence numbers.

2.50.14. [ID: 547] TCP FIN flag set without the ACK flag

Log Categories
TCP,STATELESS,VALIDATE
Log Message
TCP FIN flag set without the ACK flag.
Default Log Severity
Warning
Parameters
setting, flow, pkt, user, userid
Explanation
The TCP packet had the FIN flag set but the ACK flag cleared. This combination is normally invalid.
Gateway Action
Drop
Action Description
None
Proposed Action
The setting TCPSettings:TCPFinNoAck controls how the gateway handles packets with this flag combination.

2.50.15. [ID: 113] Disallowed flag combination

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Disallowed flag combination.
Default Log Severity
Warning
Parameters
goodflag, badflag, setting, flow, pkt, user, userid
Explanation
The TCP packet had an unusual, and normally invalid, flag combination set.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate the source of this erroneous packet. If the problem can't be fixed at the source then the gateway can be configured to either silently take action on such packets or just ignore them altogether by modifying one of the settings TCPSettings:TCPSynUrg, TCPSettings:TCPSynPsh, TCPSettings:TCPSynRst, TCPSettings:TCPSynFin, TCPSettings:TCPRstFin or TCPSettings:TCPFinUrg, depending on which flag combination the packet had. The parameter setting shows which of the settings was applied to the packet.

2.50.16. [ID: 388] Invalid TCP checksum

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Invalid TCP checksum.
Default Log Severity
Warning
Parameters
setting, flow, pkt, user, userid
Explanation
The packet's TCP checksum was invalid.
Gateway Action
Drop
Action Description
None
Proposed Action
TCP checksum verification is controlled by the setting TCPSettings:TCPChecksumVerification.

2.50.17. [ID: 359] Invalid TCP option length

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Invalid TCP option length.
Default Log Severity
Warning
Parameters
tcpopt, len, setting, flow, pkt, user, userid
Explanation
A TCP option with explicit length had an invalid length. No option with explicit length can be shorter than two bytes (one byte to indicate the kind of option and one byte to indicate the length).
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate the source of this erroneous packet. If the problem can't be fixed at the source then the gateway's response to this event can be changed through the setting TCPSettings:TCPBadOptionLengths.

2.50.18. [ID: 139] Invalid reset sequence number in state SYN[...]

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Invalid reset sequence number in state SYN RECVD.
Default Log Severity
Warning
Parameters
seqno, min, max, flow, pkt, user, userid
Explanation
A reset packet was received from the originator of the connection before any SYN-ACK was received from the terminator side. Resets under these conditions are required to have a sequence number in close proximity to the sequence number of the SYN packet to be considered valid.
Gateway Action
Drop
Action Description
None
Proposed Action
Configuring the TCP sequence number validation in audit mode using the setting TCPSettings:TCPSeqNumValidationMode can be used as a workaround.

2.50.19. [ID: 187] TCP MSS too high

Log Categories
TCP,STATELESS,VALIDATE
Log Message
TCP MSS too high.
Default Log Severity
Warning
Parameters
mss, max, tcpopt, setting, flow, pkt, user, userid
Explanation
The TCP packet announced a Maximum Segment Size (MSS) larger than the configured limit.
Gateway Action
Drop
Action Description
None
Proposed Action
The setting TCPSettings:TCPMSSOnHigh controls how the gateway handles packets that announce a Maximum Segment Size (MSS) larger than the configured limit. The limit is configured in the setting TCPSettings:TCPMSSMax.

2.50.20. [ID: 312] TCP MSS too low

Log Categories
TCP,STATELESS,VALIDATE
Log Message
TCP MSS too low.
Default Log Severity
Warning
Parameters
mss, min, tcpopt, setting, flow, pkt, user, userid
Explanation
The TCP packet announced a Maximum Segment Size (MSS) less than the configured limit.
Gateway Action
Drop
Action Description
None
Proposed Action
The setting TCPSettings:TCPMSSOnLow controls how the gateway handles packets that announce a Maximum Segment Size (MSS) less than the configured limit. The limit is configured in the setting TCPSettings:TCPMSSMin.

2.50.21. [ID: 571] New acknowledgment in ICMP message

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
New acknowledgment in ICMP message.
Default Log Severity
Warning
Parameters
ackseqno, max, state, flow, pkt, user, userid
Explanation
The acknowledgment in an ICMP encapsulated TCP packet was higher than any acknowledgment processed on the flow.
Gateway Action
Drop
Action Description
None
Proposed Action
The gateway's response to this event is configured through the setting TCPSettings:TCPSeqNumValidationMode.

2.50.22. [ID: 375] Not forwarded sequence number in ICMP message

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Not forwarded sequence number in ICMP message.
Default Log Severity
Warning
Parameters
seqno, len, max, flow, pkt, user, userid
Explanation
The sequence number in an ICMP encapsulated TCP packet was higher than any sequence number processed on the flow.
Gateway Action
Drop
Action Description
None
Proposed Action
The gateway's response to this event is configured through the setting TCPSettings:TCPSeqNumValidationMode.

2.50.23. [ID: 456] Non-zero header padding

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Non-zero header padding.
Default Log Severity
Warning
Parameters
setting, flow, pkt, user, userid
Explanation
The padding between the option field and the end of the header was found to be non-zero. It is recommended to at least strip this information from the packet to prevent unfiltered data from being tunneled within the padding.
Gateway Action
Drop
Action Description
None
Proposed Action
The setting TCPSettings:TCPNonZeroHeaderPadding controls the gateway's behavior when non-zero header padding is found.

2.50.24. [ID: 493] SACK block announced data not sent

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
SACK block announced data not sent.
Default Log Severity
Warning
Parameters
sackblock, max, tcpopt, setting, flow, pkt, user, userid
Explanation
The SACK option in the packet announced that data not yet sent by the peer already had been received.
Gateway Action
Drop
Action Description
None
Proposed Action
The gateway's reaction to this event is controlled by the setting TCPSettings:TCPInconsistentSACK.

2.50.25. [ID: 447] TCP NULL packet

Log Categories
TCP,STATELESS,VALIDATE
Log Message
TCP NULL packet.
Default Log Severity
Warning
Parameters
setting, flow, pkt, user, userid
Explanation
The TCP packet had none of the flags SYN, FIN, RST or ACK set.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate the source of the packet and try to fix the problem there. Secondly, review the setting TCPSettings:TCPNULL which controls the gateway's behavior when receiving such packets.

2.50.26. [ID: 449] Non-first SACK block announced acknowledged[...]

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Non-first SACK block announced acknowledged data.
Default Log Severity
Warning
Parameters
sackblock, ackseqno, tcpopt, setting, flow, pkt, user, userid
Explanation
A non-first SACK block acknowledged data already acknowledged by the standard acknowledgment field in the header. Only the first SACK block is allowed to do that.
Gateway Action
Drop
Action Description
None
Proposed Action
The gateway's reaction to this event is controlled by the setting TCPSettings:TCPInconsistentSACK.

2.50.27. [ID: 437] Disallowed TCP option

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Disallowed TCP option.
Default Log Severity
Warning
Parameters
tcpopt, setting, flow, pkt, user, userid
Explanation
The packet contained an option of the kind indicated by the parameter tcpopt.
Gateway Action
Drop
Action Description
None
Proposed Action
The gateway's action when it finds an option of this type is controlled by the setting indicated by the parameter setting.

2.50.28. [ID: 173] SYN only option in non-SYN segment

Log Categories
TCP,STATELESS,VALIDATE
Log Message
SYN only option in non-SYN segment.
Default Log Severity
Warning
Parameters
tcpopt, setting, flow, pkt, user, userid
Explanation
A TCP option that only should occur in packets with the SYN flag set was found in a packet with the SYN flag cleared.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate the source of the packet and try to fix the problem there. If that is not possible then the gateway's behavior can be adjusted through the setting TCPSettings:TCPSynOptInNonSyn.

2.50.29. [ID: 373] TCP option length missing

Log Categories
TCP,STATELESS,VALIDATE
Log Message
TCP option length missing.
Default Log Severity
Warning
Parameters
tcpopt, setting, flow, pkt, user, userid
Explanation
A TCP option with explicit length was found at a position in the header such that the length information fell outside of the header.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate the source of this erroneous packet. If the problem can't be fixed at the source then the gateway's response to this event can be changed through the setting TCPSettings:TCPBadOptionLengths.

2.50.30. [ID: 182] Oversized TCP segment

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Oversized TCP segment.
Default Log Severity
Warning
Parameters
mss, datalen, hdrlen, state, flow, pkt, user, userid
Explanation
The packet exceeded the Maximum Segment Size (MSS) announced by the peer. If no MSS has been announced, an MSS of 536/1220 is assumed for TCP over IPv4/IPv6.
Gateway Action
Drop
Action Description
None
Proposed Action
The setting TCPSettings:TCPOversizedSegment controls if the gateway should check that the MSS is obeyed and what actions it should take when the MSS is exceeded.

2.50.31. [ID: 369] Oversized TCP window in ICMP message

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Oversized TCP window in ICMP message.
Default Log Severity
Warning
Parameters
windowsize, max, state, flow, pkt, user, userid
Explanation
The TCP window in the ICMP encapsulated packet exceeded the maximal window limit. This is erroneous since no packet that exceeded the limit has been forwarded.
Gateway Action
Drop
Action Description
None
Proposed Action
Window size limitation is controlled by two settings. The setting TCPSettings:TCPMaxWindow sets the actual limit and the setting TCPSettings:TCPOversizedWindow controls the action of the gateway when the limit is exceeded.

2.50.32. [ID: 227] TCP option does not fit in the header

Log Categories
TCP,STATELESS,VALIDATE
Log Message
TCP option does not fit in the header.
Default Log Severity
Warning
Parameters
tcpopt, len, avail, setting, flow, pkt, user, userid
Explanation
A TCP option with a length that exceeded the remaining part of the header was found in the packet.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate the source of this erroneous packet. If the problem can't be fixed at the source then the gateway's response to this event can be changed through the setting TCPSettings:TCPBadOptionLengths.
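The option-related events above (2.50.17, 2.50.23, 2.50.28, 2.50.29 and 2.50.32) all come from walking the option area of the TCP header. The following is an added example, not the gateway's own code, that reproduces those checks on constructed option bytes so that a logged tcpopt/len/avail triple can be matched to a cause. The function name, the treatment of bytes after End-of-Option-List as padding, and the SYN-only option set (taken from the TCP RFCs) are assumptions.

```python
# Added example: classify malformed TCP option areas using the log message
# texts from this guide. Input is the option area only, i.e. the header
# bytes that follow the fixed 20-byte TCP header.

EOL, NOP = 0, 1  # the two option kinds that carry no length byte

# Assumption: options valid only in SYN segments per the TCP RFCs
# (MSS = 2, Window Scale = 3, SACK-Permitted = 4). The gateway's own
# list is not given on this page.
SYN_ONLY = {2, 3, 4}


def check_options(opts, syn_set=True):
    """Return a list of (log message, tcpopt) findings for an option area."""
    findings = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            # Assumption: everything after End-of-Option-List is padding.
            if any(opts[i + 1:]):
                findings.append(("Non-zero header padding", None))
            break
        if kind == NOP:
            i += 1
            continue
        # Every other kind has an explicit length byte right after the kind.
        if i + 1 >= len(opts):
            # The length byte itself would lie outside the header.
            findings.append(("TCP option length missing", kind))
            break
        length = opts[i + 1]
        if length < 2:
            # Kind byte + length byte is the minimum. Rejecting this also
            # keeps a length of 0 from stalling the walk forever.
            findings.append(("Invalid TCP option length", kind))
            break
        avail = len(opts) - i
        if length > avail:
            findings.append(("TCP option does not fit in the header", kind))
            break
        if kind in SYN_ONLY and not syn_set:
            findings.append(("SYN only option in non-SYN segment", kind))
        i += length
    return findings


# Constructed sample option areas (not captured traffic).
SAMPLES = {
    "well_formed": bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 7]),   # MSS, NOP, WScale
    "short_length": bytes([2, 1, 0, 0]),                     # MSS with len=1
    "length_missing": bytes([1, 1, 1, 8]),                   # kind in last byte
    "does_not_fit": bytes([1, 1, 8, 10]),                    # len 10, 2 left
    "dirty_padding": bytes([2, 4, 0x05, 0xB4, 0, 0xDE, 0xAD, 0]),
    "timestamp_only": bytes([1, 1, 8, 10, 0, 0, 0, 1, 0, 0, 0, 2]),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_options(raw))
```

The walk stops at the first length error because the position of the next option can no longer be trusted after it.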

2.50.33. [ID: 200] Too high TCP sequence number

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Too high TCP sequence number.
Default Log Severity
Warning
Parameters
seqno, len, min, max, windowsize, gap, flags, state, flow, pkt, user, userid
Explanation
The sequence number in the TCP packet was above the receive window announced by the receiver of the packet. This is normally invalid and should not occur; however, there are a few exceptions, the primary one being when the receiver has recently reduced its receive window.
Gateway Action
Drop
Action Description
None
Proposed Action
The gateway's response to this event is controlled by the setting TCPSettings:TCPSeqNumValidationMode.

2.50.34. [ID: 463] Too low FIN sequence number

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Too low FIN sequence number.
Default Log Severity
Warning
Parameters
seqno, min, state, flow, pkt, user, userid
Explanation
The packet had the FIN flag set but a sequence number that had already been used for data. The FIN flag is logically located at the end of the data stream and should have a previously unused sequence number.
Gateway Action
Drop
Action Description
None
Proposed Action
If this event occurs frequently and causes problems then configuring a non-strict sequence number validation mode in the setting TCPSettings:TCPSeqNumValidationMode can be used as a workaround.

2.50.35. [ID: 168] Too low TCP sequence number

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Too low TCP sequence number.
Default Log Severity
Warning
Parameters
seqno, len, min, max, windowsize, gap, flags, state, loglevel, value, flow, pkt, user, userid
Explanation
The sequence number in the TCP packet was below the receive window announced by the receiver of the packet. The reason this event occurs can be as simple as timing. When a receiver of a data stream receives the next part of the stream it will move its receive window forward. Gateways on the path between the sender and the receiver of the data stream will pick up this information before it reaches the sender. This means that when the sender retransmits a segment it may fall within the receive window known to the sender, but if the original segment was in fact received by the receiver then a new receive window announcement, which does not include the segment, may be on the way from the receiver to the sender. A gateway that picks up the new receive window announcement before the retransmitted segment will come to the conclusion that the segment's sequence number is too low.
Gateway Action
Drop
Action Description
None
Proposed Action
The setting TCPSettings:TCPSeqTooLowLogLevel is the tool that can be used to filter out normal/expected occurrences of this event. The configured log level is shown in the parameter loglevel and the parameter value holds the corresponding value for this packet. The gateway's response to this event is also controlled by the setting TCPSettings:TCPSeqNumValidationMode.

2.50.36. [ID: 103] Too low sequence number in ICMP message

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Too low sequence number in ICMP message.
Default Log Severity
Warning
Parameters
seqno, min, max, loglevel, value, flow, pkt, user, userid
Explanation
The sequence number in the TCP packet encapsulated in an ICMP message was below the receive window announced by the intended receiver of the encapsulated packet. Either the sequence number had already been acknowledged or it had never been used at all.
Gateway Action
Drop
Action Description
None
Proposed Action
The setting TCPSettings:TCPSeqNumValidationMode is the primary control of the gateway's response to this event. To filter out events caused by network conditions, the setting TCPSettings:TCPSeqTooLowLogLevel also applies. The configured log level is shown in the parameter loglevel and the parameter value holds the corresponding value for this packet.

2.50.37. [ID: 145] Truncated TCP header encapsulated in ICMP[...]

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Truncated TCP header encapsulated in ICMP message.
Default Log Severity
Warning
Parameters
avail, hdrlen, setting, flow, pkt, user, userid
Explanation
Only a part of the encapsulated packet's TCP header was available in the ICMP packet. The parameter avail shows how much of the encapsulated packet's IP payload was available and the parameter hdrlen holds the length of the TCP header.
Gateway Action
Drop
Action Description
None
Proposed Action
The setting TCPSettings:TCPTruncHeaderInICMP controls how the gateway handles ICMP packets with a truncated TCP header in the encapsulated packet.

2.50.38. [ID: 210] Too high TCP acknowledgment

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Too high TCP acknowledgment.
Default Log Severity
Warning
Parameters
ackseqno, max, gap, state, flow, pkt, user, userid
Explanation
The TCP acknowledgment in the packet announced that data not yet sent by the peer already had been received.
Gateway Action
Drop
Action Description
None
Proposed Action
The gateway's response to this event is configured through the setting TCPSettings:TCPSeqNumValidationMode.

2.50.39. [ID: 444] Unacceptable initial TCP acknowledgment

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Unacceptable initial TCP acknowledgment.
Default Log Severity
Warning
Parameters
ackseqno, min, max, state, flow, pkt, user, userid
Explanation
The first TCP acknowledgment received on the flow did not match the sequence numbers of the packets sent in the other direction.
Gateway Action
Drop
Action Description
None
Proposed Action
The gateway's response to this event is configured through the setting TCPSettings:TCPSeqNumValidationMode.

2.50.40. [ID: 217] Unused non-zero ACK

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Unused non-zero ACK.
Default Log Severity
Warning
Parameters
setting, flow, pkt, user, userid
Explanation
The acknowledgment field in the packet was set even though the ACK flag was cleared. It is recommended to at least strip this information from the packet to prevent unfiltered data from being tunneled within the acknowledgment field. Also, some operating systems reveal sequence number information this way, which can make it easier for intruders wanting to hijack established connections.
Gateway Action
Drop
Action Description
None
Proposed Action
The setting TCPSettings:TCPUnusedNonZeroAckField controls the gateway's behavior when an unused non-zero acknowledgment field is found.

2.50.41. [ID: 527] Unused non-zero urgent pointer

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Unused non-zero urgent pointer.
Default Log Severity
Warning
Parameters
setting, flow, pkt, user, userid
Explanation
The urgent pointer field in the packet was set even though the URG flag was cleared. It is recommended to at least strip this information from the packet to prevent unfiltered data from being tunneled within the urgent pointer field.
Gateway Action
Drop
Action Description
None
Proposed Action
The setting TCPSettings:TCPUnusedNonZeroUrgField controls the gateway's behavior when an unused non-zero urgent pointer field is found.

2.50.42. [ID: 538] Fragmented TCP header encapsulated in ICMP[...]

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Fragmented TCP header encapsulated in ICMP message.
Default Log Severity
Warning
Parameters
flow, pkt, user, userid
Explanation
An ICMP packet encapsulating a TCP packet was received. The TCP header in the encapsulated packet was split into several parts due to IP fragmentation. Either the ICMP packet was fragmented or the encapsulated TCP packet was a fragment. Either way, the fragmentation had to target an unreasonably low MTU for that to occur, so the packet was considered invalid.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.50.43. [ID: 267] TCP header length exceeds IP payload length

Log Categories
TCP,STATELESS,VALIDATE
Log Message
TCP header length exceeds IP payload length.
Default Log Severity
Warning
Parameters
hdrlen, iplen, flow, pkt, user, userid
Explanation
The TCP header claimed to be larger than the size of the IP payload that it was contained within.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate the source of the packet and try to fix the problem there. If the problem can't be fixed at the source then the log message can be turned off by configuring the log receivers or turning the setting TCPSettings:TCPLogInvalidHeaderLen off.

2.50.44. [ID: 299] Ambiguous MSS announcement

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Ambiguous MSS announcement.
Default Log Severity
Warning
Parameters
old, new, effective, tcpopt, flow, user, userid
Explanation
The gateway has received several packets with the SYN flag set, on this flow. Not all of these packets announced the same Maximum Segment Size (MSS). The gateway will act as if the value of the parameter effective was announced in all packets that had the SYN flag set on this flow.
Gateway Action
Ignore
Action Description
The gateway ignored the new MSS announcement
Proposed Action
None

2.50.45. [ID: 258] Unexpected invalid FIN

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Unexpected invalid FIN.
Default Log Severity
Warning
Parameters
state, flow, pkt, user, userid
Explanation
A packet classified (internally) as having an unreliable sequence number also had the FIN flag set. This combination is not allowed in strict sequence number validation mode.
Gateway Action
Drop
Action Description
None
Proposed Action
If this event occurs frequently and causes problems then configuring a non-strict sequence number validation mode in the setting TCPSettings:TCPSeqNumValidationMode can be used as a workaround.

2.50.46. [ID: 561] Invalid TCP header length

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Invalid TCP header length.
Default Log Severity
Warning
Parameters
hdrlen, flow, pkt, user, userid
Explanation
The TCP packet's header length field claimed that the header was shorter than the minimal 20 bytes.
Gateway Action
Drop
Action Description
None
Proposed Action
Investigate the source of the packet and try to fix the problem there. If the problem can't be fixed at the source then the log message can be turned off by configuring the log receivers or turning the setting TCPSettings:TCPLogInvalidHeaderLen off.
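The stateless header events in this section (2.50.14, 2.50.15, 2.50.25, 2.50.40, 2.50.41, 2.50.43 and 2.50.46) depend only on the fixed 20-byte TCP header. The following is an added example, not the gateway's own code, that applies the same conditions to constructed segments and returns the log message together with the TCPSettings name this guide associates with it. The function names and sample values are assumptions, and the example reports every matching condition, whereas the order in which the gateway evaluates them is not documented here.

```python
# Added example: stateless checks on the fixed TCP header, using the log
# message texts (Warning-severity variants) and setting names from this guide.
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag pairs behind "Disallowed flag combination" and their settings.
FLAG_PAIRS = {
    "TCPSynUrg": SYN | URG,
    "TCPSynPsh": SYN | PSH,
    "TCPSynRst": SYN | RST,
    "TCPSynFin": SYN | FIN,
    "TCPRstFin": RST | FIN,
    "TCPFinUrg": FIN | URG,
}


def make_segment(flags, ack=0, urg=0, data_offset=5, payload=b""):
    """Build a constructed TCP segment; ports, seq and window are sample values."""
    fixed = struct.pack("!HHIIBBHHH", 40000, 443, 1000, ack,
                        data_offset << 4, flags, 65535, 0, urg)
    return fixed + payload


def check_header(segment):
    """Return a list of (log message, setting) findings for one TCP segment."""
    if len(segment) < 20:
        raise ValueError("need at least the 20-byte fixed TCP header")
    (_sport, _dport, _seq, ack, off, flags,
     _win, _csum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])

    # Data offset is counted in 32-bit words; check it before trusting
    # anything that depends on where the header ends.
    hdrlen = (off >> 4) * 4
    if hdrlen < 20:
        return [("Invalid TCP header length", "TCPLogInvalidHeaderLen")]
    if hdrlen > len(segment):
        return [("TCP header length exceeds IP payload length",
                 "TCPLogInvalidHeaderLen")]

    findings = []
    if not (flags & (SYN | FIN | RST | ACK)):
        findings.append(("TCP NULL packet", "TCPNULL"))
    if (flags & FIN) and not (flags & ACK):
        findings.append(("TCP FIN flag set without the ACK flag", "TCPFinNoAck"))
    for setting, mask in FLAG_PAIRS.items():
        if (flags & mask) == mask:
            findings.append(("Disallowed flag combination", setting))
    # Fields that are meaningless without their flag can carry hidden data.
    if ack != 0 and not (flags & ACK):
        findings.append(("Unused non-zero ACK", "TCPUnusedNonZeroAckField"))
    if urg != 0 and not (flags & URG):
        findings.append(("Unused non-zero urgent pointer",
                         "TCPUnusedNonZeroUrgField"))
    return findings


if __name__ == "__main__":
    # Constructed samples, not captured traffic.
    for label, seg in [
        ("plain SYN", make_segment(SYN)),
        ("FIN without ACK", make_segment(FIN)),
        ("SYN+FIN+ACK", make_segment(SYN | FIN | ACK, ack=1)),
        ("PSH only", make_segment(PSH)),
        ("SYN with stray ack field", make_segment(SYN, ack=12345)),
        ("data offset 4", make_segment(ACK, ack=1, data_offset=4)),
    ]:
        print(label, check_header(seg))
```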

2.50.47. [ID: 399] Window scale shift count exceeds 14

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Window scale shift count exceeds 14.
Default Log Severity
Warning
Parameters
value, tcpopt, flow, pkt, user, userid
Explanation
The packet was dropped since it contained a Window Scale option specifying an invalid (too large) shift count.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.50.48. [ID: 342] Suspicious flag set

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Suspicious flag set.
Default Log Severity
Notice
Parameters
flag, setting, flow, pkt, user, userid
Explanation
The TCP packet had an uncommon, unusual or poorly standardized flag set.
Gateway Action
None
Action Description
None
Proposed Action
Investigate the source of this strange packet. If the problem can't be fixed at the source, the gateway can be configured to either silently take action on such packets or ignore them altogether by modifying one of the settings TCPSettings:TCPUrg, TCPSettings:TCPECN or TCPSettings:TCPRF, depending on the flag in question. The parameter setting shows which of the settings was applied to the packet.

2.50.49. [ID: 320] TCP segment exceeds previous FIN

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
TCP segment exceeds previous FIN.
Default Log Severity
Notice
Parameters
seqno, max, flags, state, flow, pkt, user, userid
Explanation
The TCP packet ended at a higher sequence number than the sequence number assigned to the FIN flag by a previous packet. Since the FIN flag signals the end of the data stream, packets with higher sequence numbers should not occur. The parameter seqno contains the last sequence number transported in the segment and the parameter max contains the sequence number immediately before the previously received FIN.
Gateway Action
None
Action Description
None
Proposed Action
The setting TCPSettings:TCPSeqNumValidationMode controls how strictly the gateway validates sequence numbers.

2.50.50. [ID: 468] TCP FIN flag set without the ACK flag

Log Categories
TCP,STATELESS,VALIDATE
Log Message
TCP FIN flag set without the ACK flag.
Default Log Severity
Notice
Parameters
setting, flow, pkt, user, userid
Explanation
The TCP packet had the FIN flag set but the ACK flag cleared. This combination is normally invalid.
Gateway Action
None
Action Description
None
Proposed Action
The setting TCPSettings:TCPFinNoAck controls how the gateway handles packets with this flag combination.

2.50.51. [ID: 504] Suspicious flag combination

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Suspicious flag combination.
Default Log Severity
Notice
Parameters
goodflag, badflag, setting, flow, pkt, user, userid
Explanation
The TCP packet had an unusual, and normally invalid, flag combination set.
Gateway Action
None
Action Description
None
Proposed Action
Investigate the source of this erroneous packet. If the problem can't be fixed at the source, the gateway can be configured to either silently take action on such packets or ignore them altogether by modifying one of the settings TCPSettings:TCPSynUrg, TCPSettings:TCPSynPsh, TCPSettings:TCPSynRst, TCPSettings:TCPSynFin, TCPSettings:TCPRstFin or TCPSettings:TCPFinUrg, depending on which flag combination the packet had. The parameter setting shows which of the settings was applied to the packet.

2.50.52. [ID: 218] TCP MSS exceeds log level

Log Categories
TCP,STATELESS,VALIDATE
Log Message
TCP MSS exceeds log level.
Default Log Severity
Notice
Parameters
mss, loglevel, tcpopt, setting, flow, pkt, user, userid
Explanation
The TCP packet announced a Maximum Segment Size (MSS) larger than the configured log level.
Gateway Action
None
Action Description
None
Proposed Action
The log level is configured in the setting TCPSettings:TCPMSSLogLevel.

2.50.53. [ID: 270] Invalid TCP checksum

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Invalid TCP checksum.
Default Log Severity
Notice
Parameters
setting, flow, pkt, user, userid
Explanation
The packet's TCP checksum was invalid.
Gateway Action
None
Action Description
None
Proposed Action
TCP checksum verification is controlled by the setting TCPSettings:TCPChecksumVerification.

2.50.54. [ID: 147] Invalid reset sequence number in state SYN[...]

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Invalid reset sequence number in state SYN RECVD.
Default Log Severity
Notice
Parameters
seqno, min, max, flow, pkt, user, userid
Explanation
A reset packet was received from the originator of the connection before any SYN-ACK was received from the terminator side. Resets under these conditions are required to have a sequence number in close proximity to the sequence number of the SYN packet to be considered valid.
Gateway Action
None
Action Description
None
Proposed Action
Logging of this event can be configured with the setting TCPSettings:TCPSeqNumValidationMode.

2.50.55. [ID: 209] TCP MSS too high

Log Categories
TCP,STATELESS,VALIDATE
Log Message
TCP MSS too high.
Default Log Severity
Notice
Parameters
mss, max, tcpopt, setting, flow, pkt, user, userid
Explanation
The TCP packet announced a Maximum Segment Size (MSS) larger than the configured limit.
Gateway Action
None
Action Description
None
Proposed Action
The setting TCPSettings:TCPMSSOnHigh controls how the gateway handles packets that announce a Maximum Segment Size (MSS) larger than the configured limit. The limit is configured in the setting TCPSettings:TCPMSSMax.

2.50.56. [ID: 215] TCP MSS too low

Log Categories
TCP,STATELESS,VALIDATE
Log Message
TCP MSS too low.
Default Log Severity
Notice
Parameters
mss, min, tcpopt, setting, flow, pkt, user, userid
Explanation
The TCP packet announced a Maximum Segment Size (MSS) less than the configured limit.
Gateway Action
None
Action Description
None
Proposed Action
The setting TCPSettings:TCPMSSOnLow controls how the gateway handles packets that announce a Maximum Segment Size (MSS) less than the configured limit. The limit is configured in the setting TCPSettings:TCPMSSMin.

2.50.57. [ID: 592] New acknowledgment in ICMP message

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
New acknowledgment in ICMP message.
Default Log Severity
Notice
Parameters
ackseqno, max, state, flow, pkt, user, userid
Explanation
The acknowledgment in an ICMP encapsulated TCP packet was higher than any acknowledgment processed on the flow.
Gateway Action
None
Action Description
None
Proposed Action
The gateway's response to this event is configured through the setting TCPSettings:TCPSeqNumValidationMode.

2.50.58. [ID: 353] Not forwarded sequence number in ICMP message

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Not forwarded sequence number in ICMP message.
Default Log Severity
Notice
Parameters
seqno, len, max, flow, pkt, user, userid
Explanation
The sequence number in an ICMP encapsulated TCP packet was higher than any sequence number processed on the flow.
Gateway Action
None
Action Description
None
Proposed Action
The gateway's response to this event is configured through the setting TCPSettings:TCPSeqNumValidationMode.

2.50.59. [ID: 169] Non-zero header padding

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Non-zero header padding.
Default Log Severity
Notice
Parameters
setting, flow, pkt, user, userid
Explanation
The padding between the option field and the end of the header was found to be non-zero. It is recommended to at least strip this information from the packet to prevent unfiltered data from being tunneled within the padding.
Gateway Action
None
Action Description
None
Proposed Action
The setting TCPSettings:TCPNonZeroHeaderPadding controls the gateway's behavior when non-zero header padding is found.

2.50.60. [ID: 484] SACK block announced data not sent

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
SACK block announced data not sent.
Default Log Severity
Notice
Parameters
sackblock, max, tcpopt, setting, flow, pkt, user, userid
Explanation
The SACK option in the packet announced that data not yet sent by the peer already had been received.
Gateway Action
None
Action Description
None
Proposed Action
The gateway's reaction to this event is controlled by the setting TCPSettings:TCPInconsistentSACK.

2.50.61. [ID: 257] TCP NULL packet

Log Categories
TCP,STATELESS,VALIDATE
Log Message
TCP NULL packet.
Default Log Severity
Notice
Parameters
setting, flow, pkt, user, userid
Explanation
The TCP packet had none of the flags SYN, FIN, RST or ACK set.
Gateway Action
None
Action Description
None
Proposed Action
Investigate the source of the packet and try to fix the problem there. Secondly, review the setting TCPSettings:TCPNULL which controls the gateway's behavior when receiving such packets.

2.50.62. [ID: 345] Non-first SACK block announced acknowledged[...]

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Non-first SACK block announced acknowledged data.
Default Log Severity
Notice
Parameters
sackblock, ackseqno, tcpopt, setting, flow, pkt, user, userid
Explanation
A non-first SACK block acknowledged data already acknowledged by the standard acknowledgment field in the header. Only the first SACK block is allowed to do that.
Gateway Action
None
Action Description
None
Proposed Action
The gateway's reaction to this event is controlled by the setting TCPSettings:TCPInconsistentSACK.

2.50.63. [ID: 614] TCP option

Log Categories
TCP,STATELESS,VALIDATE
Log Message
TCP option.
Default Log Severity
Notice
Parameters
tcpopt, setting, flow, pkt, user, userid
Explanation
The packet contained an option of the kind indicated by the parameter tcpopt.
Gateway Action
None
Action Description
None
Proposed Action
The gateway's action when it finds an option of this type is controlled by the setting indicated by the parameter setting.

2.50.64. [ID: 366] SYN only option in non-SYN segment

Log Categories
TCP,STATELESS,VALIDATE
Log Message
SYN only option in non-SYN segment.
Default Log Severity
Notice
Parameters
tcpopt, setting, flow, pkt, user, userid
Explanation
A TCP option that only should occur in packets with the SYN flag set was found in a packet with the SYN flag cleared.
Gateway Action
None
Action Description
None
Proposed Action
Investigate the source of the packet and try to fix the problem there. If that is not possible then the gateway's behavior can be adjusted through the setting TCPSettings:TCPSynOptInNonSyn.

2.50.65. [ID: 181] Oversized TCP segment

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Oversized TCP segment.
Default Log Severity
Notice
Parameters
mss, datalen, hdrlen, state, flow, pkt, user, userid
Explanation
The packet exceeded the Maximum Segment Size (MSS) announced by the peer. If no MSS has been announced, an MSS of 536/1220 is assumed for TCP over IPv4/IPv6.
Gateway Action
None
Action Description
None
Proposed Action
The setting TCPSettings:TCPOversizedSegment controls if the gateway should check that the MSS is obeyed and what actions it should take when the MSS is exceeded.

2.50.66. [ID: 199] Oversized TCP window

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Oversized TCP window.
Default Log Severity
Information
Parameters
windowsize, max, state, flow, pkt, user, userid
Explanation
The packet's announced receive window exceeded the configured limit. This event is only logged once per flow.
Gateway Action
None
Action Description
None
Proposed Action
Window size limitation is controlled by two settings. The setting TCPSettings:TCPMaxWindow sets the actual limit and the setting TCPSettings:TCPOversizedWindow controls the action of the gateway when the limit is exceeded.

2.50.67. [ID: 461] Too high TCP sequence number

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Too high TCP sequence number.
Default Log Severity
Notice
Parameters
seqno, len, min, max, windowsize, gap, flags, state, flow, pkt, user, userid
Explanation
The sequence number in the TCP packet was above the receive window announced by the receiver of the packet. This is normally invalid and should not occur; however, there are a few exceptions, the primary one being when the receiver has recently reduced its receive window.
Gateway Action
None
Action Description
None
Proposed Action
The gateway's response to this event is controlled by the setting TCPSettings:TCPSeqNumValidationMode.

2.50.68. [ID: 207] Too low FIN sequence number

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Too low FIN sequence number.
Default Log Severity
Notice
Parameters
seqno, min, state, flow, pkt, user, userid
Explanation
The packet had the FIN flag set but a sequence number that had already been used for data. The FIN flag is logically located at the end of the data stream and should have a previously unused sequence number.
Gateway Action
None
Action Description
None
Proposed Action
If this event occurs frequently and causes problems then configuring a non-strict sequence number validation mode in the setting TCPSettings:TCPSeqNumValidationMode can be used as a workaround.

2.50.69. [ID: 420] Too low TCP sequence number

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Too low TCP sequence number.
Default Log Severity
Notice
Parameters
seqno, len, min, max, windowsize, gap, flags, state, loglevel, value, flow, pkt, user, userid
Explanation
The sequence number in the TCP packet was below the receive window announced by the receiver of the packet. The reason why this event occurs can be as simple as timing. When a receiver of a data stream receives the next part of the stream it will move its receive window forward. Gateways on the path between the sender and the receiver of the data stream will pick up this information before it reaches the sender. This means that when the sender retransmits a segment it may fall within the receive window known to the sender, but if the original segment was in fact received by the receiver then a new receive window announcement, one that does not include the segment, may be on the way from the receiver to the sender. A gateway that picks up the new receive window announcement before the retransmitted segment will come to the conclusion that the segment's sequence number is too low.
Gateway Action
None
Action Description
None
Proposed Action
The setting TCPSettings:TCPSeqTooLowLogLevel is the tool that can be used to filter out normal/expected occurrences of this event. The configured log level is shown in the parameter loglevel and the parameter value holds the corresponding value for this packet. The gateway's response to this event is also controlled by the setting TCPSettings:TCPSeqNumValidationMode.

2.50.70. [ID: 601] Too low sequence number in ICMP message

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Too low sequence number in ICMP message.
Default Log Severity
Notice
Parameters
seqno, min, max, loglevel, value, flow, pkt, user, userid
Explanation
The sequence number in the TCP packet encapsulated in an ICMP message was below the receive window announced by the intended receiver of the encapsulated packet. Either the sequence number had already been acknowledged or it had never been used at all.
Gateway Action
None
Action Description
None
Proposed Action
The setting TCPSettings:TCPSeqNumValidationMode is the primary control of the gateway's response to this event. To filter out events caused by network conditions the setting TCPSettings:TCPSeqTooLowLogLevel also applies. The configured log level is shown in the parameter loglevel and the parameter value holds the corresponding value for this packet.

2.50.71. [ID: 560] Truncated TCP header encapsulated in ICMP[...]

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Truncated TCP header encapsulated in ICMP message.
Default Log Severity
Notice
Parameters
avail, hdrlen, setting, flow, pkt, user, userid
Explanation
Only a part of the encapsulated packet's TCP header was available in the ICMP packet. The parameter avail shows how much of the encapsulated packet's IP payload was available and the parameter hdrlen holds the length of the TCP header.
Gateway Action
None
Action Description
None
Proposed Action
The setting TCPSettings:TCPTruncHeaderInICMP controls how the gateway handles ICMP packets with a truncated TCP header in the encapsulated packet.

2.50.72. [ID: 498] Too high TCP acknowledgment

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Too high TCP acknowledgment.
Default Log Severity
Notice
Parameters
ackseqno, max, gap, state, flow, pkt, user, userid
Explanation
The TCP acknowledgment in the packet announced that data not yet sent by the peer already had been received.
Gateway Action
None
Action Description
None
Proposed Action
The gateway's response to this event is configured through the setting TCPSettings:TCPSeqNumValidationMode.

2.50.73. [ID: 479] Unacceptable initial TCP acknowledgment

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Unacceptable initial TCP acknowledgment.
Default Log Severity
Notice
Parameters
ackseqno, min, max, state, flow, pkt, user, userid
Explanation
The first TCP acknowledgment received on the flow did not match the sequence numbers of the packets sent in the other direction.
Gateway Action
None
Action Description
None
Proposed Action
The gateway's response to this event is configured through the setting TCPSettings:TCPSeqNumValidationMode.

2.50.74. [ID: 541] Unused non-zero ACK

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Unused non-zero ACK.
Default Log Severity
Notice
Parameters
setting, flow, pkt, user, userid
Explanation
The acknowledgment field in the packet was set even though the ACK flag was cleared. It is recommended to at least strip this information from the packet to prevent unfiltered data from being tunneled within the acknowledgment field. Also, some operating systems reveal sequence number information this way, which can make it easier for intruders wanting to hijack established connections.
Gateway Action
None
Action Description
None
Proposed Action
The setting TCPSettings:TCPUnusedNonZeroAckField controls the gateway's behavior when an unused non-zero acknowledgment field is found.

2.50.75. [ID: 337] Unused non-zero urgent pointer

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Unused non-zero urgent pointer.
Default Log Severity
Notice
Parameters
setting, flow, pkt, user, userid
Explanation
The urgent pointer field in the packet was set even though the URG flag was cleared. It is recommended to at least strip this information from the packet to prevent unfiltered data from being tunneled within the urgent pointer field.
Gateway Action
None
Action Description
None
Proposed Action
The setting TCPSettings:TCPUnusedNonZeroUrgField controls the gateway's behavior when an unused non-zero urgent pointer field is found.

2.50.76. [ID: 335] Multiple TCP options of the same kind

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Multiple TCP options of the same kind.
Default Log Severity
Warning
Parameters
tcpopt, flow, pkt, user, userid
Explanation
The packet contained more than one TCP option of a type that should not occur more than once in a packet.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.50.77. [ID: 250] No new flow for this packet

Log Categories
TCP,STATELESS,VALIDATE
Log Message
No new flow for this packet.
Default Log Severity
Notice
Parameters
pkt
Explanation
No flow matched the TCP packet and the packet was not a plain SYN, so it was not allowed to set up a new flow.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.50.78. [ID: 252] TCP option not negotiated

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
TCP option not negotiated.
Default Log Severity
Warning
Parameters
tcpopt, flow, pkt, user, userid
Explanation
Some TCP options must be negotiated during the handshake before they can be used. The dropped packet contained such an option, as indicated by the parameter tcpopt, but that option had not been negotiated on the flow.
Gateway Action
Drop
Action Description
None
Proposed Action
If this event is triggered frequently then the gateway can be configured to silently strip the type of option that is causing the problem as a workaround while the problem is investigated and resolved. Stripping options is controlled by the TCPOPT_* settings.

2.50.79. [ID: 381] SACK option without the ACK flag set

Log Categories
TCP,STATELESS,VALIDATE
Log Message
SACK option without the ACK flag set.
Default Log Severity
Warning
Parameters
tcpopt, flow, pkt, user, userid
Explanation
The packet contained a SACK option without having the ACK flag set.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.50.80. [ID: 1011] New TCP flow denied

Log Categories
TCP,STATELESS,FLOW
Log Message
New TCP flow denied.
Default Log Severity
Notice
Parameters
pkt
Explanation
The configured stateless IP rule only allows existing TCP streams to set up new flows.
Gateway Action
Drop
Action Description
None
Proposed Action
To allow new TCP streams, the IP rule's StatelessAllowNewTCP setting must be changed.

2.50.81. [ID: 208] Disallowed flag set

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Disallowed flag set.
Default Log Severity
Notice
Parameters
flag, setting, flow, pkt, user, userid
Explanation
The TCP packet had an uncommon, unusual or poorly standardized flag set.
Gateway Action
Strip
Action Description
The flag indicated by the parameter flag was stripped from the packet
Proposed Action
Investigate the source of this strange packet. If the problem can't be fixed at the source then the gateway can be configured to either silently take action on such packets or just ignore them altogether by modifying one of the settings TCPSettings:TCPUrg, TCPSettings:TCPECN or TCPSettings:TCPRF, depending on the flag in question. The parameter setting shows which of the settings was applied to the packet.

2.50.82. [ID: 491] Bad TCP option length

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Bad TCP option length.
Default Log Severity
Notice
Parameters
tcpopt, len, expectlen, setting, flow, pkt, user, userid
Explanation
While parsing the TCP header an option with an invalid length, for that specific option type, was found.
Gateway Action
Strip
Action Description
The broken option and any other options following the broken option were removed from the packet
Proposed Action
Investigate the source of this erroneous packet. If the problem can't be fixed at the source then the gateway's response to this event can be changed through the setting TCPSettings:TCPBadOptionLengths.

2.50.83. [ID: 322] Disallowed flag combination

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Disallowed flag combination.
Default Log Severity
Notice
Parameters
goodflag, badflag, setting, flow, pkt, user, userid
Explanation
The TCP packet had an unusual, and normally invalid, flag combination set.
Gateway Action
Strip
Action Description
The flag indicated by badflag was stripped from the packet
Proposed Action
Investigate the source of this erroneous packet. If the problem can't be fixed at the source then the gateway can be configured to either silently take action on such packets or just ignore them altogether by modifying one of the settings TCPSettings:TCPSynUrg, TCPSettings:TCPSynPsh, TCPSettings:TCPSynRst, TCPSettings:TCPSynFin, TCPSettings:TCPRstFin or TCPSettings:TCPFinUrg, depending on which flag combination the packet had. The parameter setting shows which of the settings was applied to the packet.

2.50.84. [ID: 329] Invalid TCP option length

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Invalid TCP option length.
Default Log Severity
Notice
Parameters
tcpopt, len, setting, flow, pkt, user, userid
Explanation
A TCP option with explicit length had an invalid length. No option with explicit length can be shorter than two bytes (one byte to indicate the kind of option and one byte to indicate the length).
Gateway Action
Strip
Action Description
None
Proposed Action
Investigate the source of this erroneous packet. If the problem can't be fixed at the source then the gateway's response to this event can be changed through the setting TCPSettings:TCPBadOptionLengths.

2.50.85. [ID: 241] Non-zero header padding

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Non-zero header padding.
Default Log Severity
Notice
Parameters
setting, flow, pkt, user, userid
Explanation
The padding between the option field and the end of the header was found to be non-zero. It is recommended to at least strip this information from the packet to prevent unfiltered data from being tunneled within the padding.
Gateway Action
Strip
Action Description
None
Proposed Action
The setting TCPSettings:TCPNonZeroHeaderPadding controls the gateway's behavior when non-zero header padding is found.

2.50.86. [ID: 352] SACK block announced data not sent

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
SACK block announced data not sent.
Default Log Severity
Notice
Parameters
sackblock, max, tcpopt, setting, flow, pkt, user, userid
Explanation
The SACK option in the packet announced that data not yet sent by the peer already had been received.
Gateway Action
Strip
Action Description
The whole SACK option is removed from the packet
Proposed Action
The gateway's reaction to this event is controlled by the setting TCPSettings:TCPInconsistentSACK.

2.50.87. [ID: 581] Non-first SACK block announced acknowledged[...]

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Non-first SACK block announced acknowledged data.
Default Log Severity
Notice
Parameters
sackblock, ackseqno, tcpopt, setting, flow, pkt, user, userid
Explanation
A non-first SACK block acknowledged data already acknowledged by the standard acknowledgment field in the header. Only the first SACK block is allowed to do that.
Gateway Action
Strip
Action Description
The whole SACK option is removed from the packet
Proposed Action
The gateway's reaction to this event is controlled by the setting TCPSettings:TCPInconsistentSACK.

2.50.88. [ID: 253] Disallowed TCP option

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Disallowed TCP option.
Default Log Severity
Notice
Parameters
tcpopt, setting, flow, pkt, user, userid
Explanation
The packet contained an option of the kind indicated by the parameter tcpopt.
Gateway Action
Strip
Action Description
None
Proposed Action
The gateway's action when it finds an option of this type is controlled by the setting indicated by the parameter setting.

2.50.89. [ID: 391] SYN only option in non-SYN segment

Log Categories
TCP,STATELESS,VALIDATE
Log Message
SYN only option in non-SYN segment.
Default Log Severity
Notice
Parameters
tcpopt, setting, flow, pkt, user, userid
Explanation
A TCP option that should only occur in packets with the SYN flag set was found in a packet with the SYN flag cleared.
Gateway Action
Strip
Action Description
None
Proposed Action
Investigate the source of the packet and try to fix the problem there. If that is not possible then the gateway's behavior can be adjusted through the setting TCPSettings:TCPSynOptInNonSyn.

2.50.90. [ID: 194] TCP option length missing

Log Categories
TCP,STATELESS,VALIDATE
Log Message
TCP option length missing.
Default Log Severity
Notice
Parameters
tcpopt, setting, flow, pkt, user, userid
Explanation
A TCP option with explicit length was found at a position in the header such that the length information fell outside of the header.
Gateway Action
Strip
Action Description
The broken option was removed from the packet
Proposed Action
Investigate the source of this erroneous packet. If the problem can't be fixed at the source then the gateway's response to this event can be changed through the setting TCPSettings:TCPBadOptionLengths.

2.50.91. [ID: 351] TCP option does not fit in the header

Log Categories
TCP,STATELESS,VALIDATE
Log Message
TCP option does not fit in the header.
Default Log Severity
Notice
Parameters
tcpopt, len, avail, setting, flow, pkt, user, userid
Explanation
A TCP option with a length that exceeded the remaining part of the header was found in the packet.
Gateway Action
Strip
Action Description
The broken option was removed from the packet.
Proposed Action
Investigate the source of this erroneous packet. If the problem can't be fixed at the source then the gateway's response to this event can be changed through the setting TCPSettings:TCPBadOptionLengths.
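The option-structure events above (IDs 491, 329, 194, 351 and 241) can be reproduced with a small option walker. This is an added example, not the gateway's own code: the function names, the sample headers and the reading of avail as "bytes left from the start of the option" are assumptions made for illustration.

```python
import struct

KIND_EOL, KIND_NOP = 0, 1   # the only option kinds without a length byte
# Fixed lengths of common options (RFC 9293, RFC 7323, RFC 2018):
# MSS, window scale, SACK permitted, timestamps.
EXPECTED_LEN = {2: 4, 3: 3, 4: 2, 8: 10}

# (log ID, log message) pairs as listed in this section of the guide.
BAD_LENGTH = (491, "Bad TCP option length")
INVALID_LENGTH = (329, "Invalid TCP option length")
LENGTH_MISSING = (194, "TCP option length missing")
DOES_NOT_FIT = (351, "TCP option does not fit in the header")
NONZERO_PADDING = (241, "Non-zero header padding")


def options_area(tcp_header: bytes) -> bytes:
    """Return the bytes between the fixed 20-byte header and the data offset."""
    if len(tcp_header) < 20:
        raise ValueError("shorter than the fixed TCP header")
    hdrlen = (tcp_header[12] >> 4) * 4   # data offset counts 32-bit words
    if hdrlen < 20 or hdrlen > len(tcp_header):
        raise ValueError("data offset outside the captured header")
    return tcp_header[20:hdrlen]


def walk_options(opts: bytes):
    """Return (parsed, finding).

    parsed  -- list of (kind, value_bytes) for each well-formed option
    finding -- None, or (log_id, message, params) for the first problem
    """
    parsed = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == KIND_EOL:
            # Bytes after End of Option List are padding and must be zero.
            if any(opts[i + 1:]):
                return parsed, (*NONZERO_PADDING, {"offset": i + 1})
            return parsed, None
        if kind == KIND_NOP:
            i += 1
            continue
        # Every other kind has an explicit length byte after the kind byte.
        if i + 1 >= len(opts):
            return parsed, (*LENGTH_MISSING, {"tcpopt": kind})
        length = opts[i + 1]
        if length < 2:   # kind byte + length byte is the minimum
            return parsed, (*INVALID_LENGTH, {"tcpopt": kind, "len": length})
        avail = len(opts) - i   # assumption: measured from the option start
        if length > avail:
            return parsed, (*DOES_NOT_FIT,
                            {"tcpopt": kind, "len": length, "avail": avail})
        expect = EXPECTED_LEN.get(kind)
        if expect is not None and length != expect:
            return parsed, (*BAD_LENGTH,
                            {"tcpopt": kind, "len": length, "expectlen": expect})
        parsed.append((kind, opts[i + 2:i + length]))
        i += length
    return parsed, None


def build_header(opts: bytes) -> bytes:
    """Constructed sample: a SYN header carrying the given options area."""
    if len(opts) % 4:
        raise ValueError("options area must be a multiple of 4 bytes")
    offset_words = (20 + len(opts)) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                        offset_words << 4, 0x02, 65535, 0, 0)
    return fixed + opts


def check_header(tcp_header: bytes):
    """Parse the options of one header and return (parsed, finding)."""
    return walk_options(options_area(tcp_header))


# Constructed option areas, one per event.
SAMPLES = {
    "well-formed": b"\x02\x04\x05\xb4\x01\x01\x04\x02",
    "length below two": b"\x02\x01\x05\xb4",
    "length byte outside header": b"\x01\x01\x01\x02",
    "option runs past header": b"\x01\x01\x03\x08",
    "wrong length for kind": b"\x02\x03\x05\x00",
    "data hidden in padding": b"\x04\x02\x00\x41",
}

if __name__ == "__main__":
    for name, opts in SAMPLES.items():
        print(name, "->", check_header(build_header(opts))[1])
```

The walker stops at the first finding because the option boundaries after a broken length byte can no longer be trusted.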

2.50.92. [ID: 429] Unused non-zero ACK

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Unused non-zero ACK.
Default Log Severity
Notice
Parameters
setting, flow, pkt, user, userid
Explanation
The acknowledgment field in the packet was set even though the ACK flag was cleared. It is recommended to at least strip this information from the packet to prevent unfiltered data from being tunneled within the acknowledgment field. Also, some operating systems reveal sequence number information this way, which can make it easier for intruders wanting to hijack established connections.
Gateway Action
Strip
Action Description
The acknowledgment field was set to zero
Proposed Action
The setting TCPSettings:TCPUnusedNonZeroAckField controls the gateway's behavior when an unused non-zero acknowledgment field is found.

2.50.93. [ID: 245] Unused non-zero urgent pointer

Log Categories
TCP,STATELESS,VALIDATE
Log Message
Unused non-zero urgent pointer.
Default Log Severity
Notice
Parameters
setting, flow, pkt, user, userid
Explanation
The urgent pointer field in the packet was set even though the URG flag was cleared. It is recommended to at least strip this information from the packet to prevent unfiltered data from being tunneled within the urgent pointer field.
Gateway Action
Strip
Action Description
The urgent pointer field was set to zero
Proposed Action
The setting TCPSettings:TCPUnusedNonZeroUrgField controls the gateway's behavior when an unused non-zero urgent pointer field is found.

2.50.94. [ID: 188] Unexpected TCP flags

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Unexpected TCP flags.
Default Log Severity
Warning
Parameters
flags, state, flow, pkt, user, userid
Explanation
The TCP packet had a TCP flag set that is not expected to be set in the current state of the TCP connection.
Gateway Action
Drop
Action Description
None
Proposed Action
This log message can be turned off by the setting TCPSettings:TCPLogStateViolations.

2.50.95. [ID: 433] Unexpected SYN packet

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
Unexpected SYN packet.
Default Log Severity
Warning
Parameters
seqno, origseqno, flags, offset, state, flow, pkt, user, userid
Explanation
The TCP packet's combination of sequence number and SYN flag or the mere existence of the SYN flag was unexpected in the current state of the TCP connection. There are several reasons why this event can occur. The first is that a handshake packet has been retransmitted even though it was not necessary to establish the connection and then been delayed more than most other packets on the connection. In this case the parameters seqno and origseqno should match. If the ACK flag is not set, according to the flags parameter, then it could be an attempt to set up a new connection before the flow state belonging to a previous connection has timed out. Such an attempt is only valid if either the old connection has been torn down or if it never was properly established. The parameter state should give an indication of the state of the old connection. SYN_RECVD, FIN_RCVD and TIME_WAIT are valid connection states for reopening the flow state. The packet could also be an indication of a broken device or be a part of some network scan or some other malicious activity.
Gateway Action
Drop
Action Description
None
Proposed Action
If this appears to be an attempt to set up a new connection while the flow state of a previous connection still exists then consider changing the setting TCPSettings:TCPAllowReopen to allow the flow state to be reopened/reused. The parameter offset is intended as an aid in deciding whether to allow any sequence number to reopen the flow state or just those that are higher than the sequence numbers used on the old connection. If the offset is greater than zero then it should be sufficient to only allow higher sequence numbers; otherwise any sequence number must be allowed to have the intended effect. If allowing flow states to be reopened is not an option then an alternative solution is to reduce the idle lifetime for TCP flow states during setup and/or tear-down to make it less likely that the same connection will be reused before the flow state has timed out. However, reducing the idle lifetimes too much can cause other problems, for instance, with connection establishment. This log message can be turned off by the setting TCPSettings:TCPLogStateViolations.

2.50.96. [ID: 510] TCP state tracking requires stricter[...]

Log Categories
TCP,STATEFUL
Log Message
TCP state tracking requires stricter validation.
Default Log Severity
Error
Parameters
setting, min
Explanation
The implementation of the TCP state tracking assumes that certain strange packets are handled during validation. The current configuration breaks that assumption and is therefore not supported.
Gateway Action
None
Action Description
None
Proposed Action
Change the configuration to comply and report this error to the vendor's support organization. If you need to use the current settings then TCP state tracking must be disabled and the traffic forwarded using only some lighter validation.

2.50.97. [ID: 293] TCP window shrinking

Log Categories
TCP,STATEFUL,VALIDATE
Log Message
TCP window shrinking.
Default Log Severity
Information
Parameters
old, new, gap, flags, ackseqno, state, flow, pkt, user, userid
Explanation
A new receive window was announced on the flow. However, the previous receive window announcement accepted higher sequence numbers than the new one. This means that the sender of this segment has revoked previous claims that it is willing to accept a certain range of sequence numbers. This is discouraged behavior and could be causing packet drops due to too high sequence number. The parameter gap contains the size of the sequence number range which is no longer announced as part of the receive window.
Gateway Action
None
Action Description
None
Proposed Action
None

2.51. THRESHOLD

These log messages refer to the THRESHOLD category.

2.51.1. [ID: 1115] Threshold notice

Log Categories
THRESHOLD,FLOW
Log Message
Threshold notice.
Default Log Severity
Dynamic
Parameters
name, matchkey, rule
Explanation
A flow setup attempt triggered a threshold set: The flow setup was allowed to continue.
Gateway Action
Allow
Action Description
None
Proposed Action
None

2.51.2. [ID: 1085] Threshold blacklist

Log Categories
THRESHOLD,FLOW,BLACKLIST
Log Message
Threshold blacklist.
Default Log Severity
Dynamic
Parameters
name, matchkey, rule
Explanation
A flow setup attempt triggered a threshold set: The attempt has been blocked and the source is now blacklisted.
Gateway Action
Drop
Action Description
None
Proposed Action
Contact the owner of the blacklisted source.

2.51.3. [ID: 1128] Threshold block flow

Log Categories
THRESHOLD,FLOW
Log Message
Threshold block flow.
Default Log Severity
Dynamic
Parameters
name, matchkey, rule
Explanation
A flow setup attempt triggered a threshold set: This particular attempt was blocked.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.51.4. [ID: 1147] Threshold reject flow

Log Categories
THRESHOLD,FLOW
Log Message
Threshold reject flow.
Default Log Severity
Dynamic
Parameters
name, matchkey, rule
Explanation
A flow setup attempt triggered a threshold set: This particular attempt was rejected.
Gateway Action
Reject
Action Description
Reject is a polite way of denying access to a protected service, by sending an error message back to the source
Proposed Action
Carefully consider the security implications created by using the reject action.

2.51.5. [ID: 1123] Threshold tag flow

Log Categories
THRESHOLD,FLOW
Log Message
Threshold tag flow.
Default Log Severity
Dynamic
Parameters
name, matchkey, rule
Explanation
A flow setup attempt triggered a threshold set: The flow setup was allowed to continue, but the flow has been tagged for later analysis.
Gateway Action
Allow
Action Description
None
Proposed Action
Review the tagged flows. The tag will not affect the functionality of the forwarded traffic in any way, but some functionality can apply the tag as a filter (notably CLI commands and log messages).

2.51.6. [ID: 1126] Threshold is no longer exceeded

Log Categories
THRESHOLD
Log Message
Threshold is no longer exceeded.
Default Log Severity
Information
Parameters
name, group, threshold, interval, value, time, lifetime
Explanation
The specific threshold group group no longer exceeds the threshold definition name (with the configured threshold threshold over the configured interval interval seconds): The group measurement is currently value over a period of time seconds. Before this event happened, the group did exceed the threshold for lifetime seconds.
Gateway Action
Ignore
Action Description
None
Proposed Action
None

2.51.7. [ID: 1107] Threshold is exceeded

Log Categories
THRESHOLD
Log Message
Threshold is exceeded.
Default Log Severity
Dynamic
Parameters
name, group, threshold, interval, value, time, lifetime
Explanation
The specific threshold group group now exceeds the threshold definition name (with the configured threshold threshold over the configured interval interval seconds): The group measurement is currently value over a period of time seconds. Before this event happened, the group did spend lifetime seconds without being exceeded.
Gateway Action
Ignore
Action Description
None
Proposed Action
None

2.51.8. [ID: 1130] Random group replacement

Log Categories
THRESHOLD
Log Message
Random group replacement.
Default Log Severity
Warning
Parameters
group
Explanation
There was a shortage of free threshold group instances and therefore, one randomly selected active threshold group instance was removed. This only happens when there are excessive flow open requests coming from many different sources (assuming the grouping is per source). Threshold rules that contain rate-based thresholds with a long configured interval are prone to this during distributed denial-of-service attacks since old group instances cannot be sensibly discarded until activity has ceased for a whole configured interval. The impact of losing an active group instance is that the system will forget information that could have been used to identify traffic that should have triggered a threshold action. This can potentially be used as an attempt to mask another more "stealthy" attack.
Gateway Action
Ignore
Action Description
None
Proposed Action
Review the threshold rules: length of intervals, grouping parameters and actions. Consider grouping by network segments rather than individual IP addresses, as this will decrease the maximum possible number of groups that an attack can cause to be set up. As a last resort, the setting TrafficMgmtSettings:MaxThresholdMemUsage can be adjusted to support more simultaneous threshold groups.

2.52. TIMESYNC

These log messages refer to the TIMESYNC category.

2.52.1. [ID: 772] An internal error has occurred

Log Categories
TIMESYNC
Log Message
An internal error has occurred.
Default Log Severity
Alert
Parameters
value
Explanation
An internal error has occurred and the NTP daemon will be restarted.
Gateway Action
None
Action Description
None
Proposed Action
None

2.52.2. [ID: 634] Time synchronization prevented due to[...]

Log Categories
TIMESYNC
Log Message
Time synchronization prevented due to negative delay in received packet.
Default Log Severity
Notice
Parameters
 
Explanation
A received time from a timeserver has a negative delay.
Gateway Action
None
Action Description
The received time is discarded
Proposed Action
None

2.52.3. [ID: 635] Time synchronization prevented due to[...]

Log Categories
TIMESYNC
Log Message
Time synchronization prevented due to security validation.
Default Log Severity
Warning
Parameters
 
Explanation
A received packet from a timeserver did not pass security validation.
Gateway Action
None
Action Description
The received time is discarded
Proposed Action
None

2.52.4. [ID: 386] Communication with server has failed

Log Categories
TIMESYNC
Log Message
Communication with server has failed.
Default Log Severity
Warning
Parameters
serverip, reason
Explanation
Communication with a server has failed and the server cannot be used for time synchronization.
Gateway Action
None
Action Description
None
Proposed Action
Check configuration settings for time synchronization.

2.52.5. [ID: 524] Time synchronization is currently impossible

Log Categories
TIMESYNC
Log Message
Time synchronization is currently impossible.
Default Log Severity
Error
Parameters
 
Explanation
No communication can be established with any timeservers, making time synchronization impossible.
Gateway Action
None
Action Description
None
Proposed Action
Check configuration settings for time synchronization.

2.52.6. [ID: 385] The clock has drifted so much that it is not[...]

Log Categories
TIMESYNC
Log Message
The clock has drifted so much that it is not within the maximum allowed correction interval. The clock will not be updated.
Default Log Severity
Notice
Parameters
offset, max
Explanation
A received time from a timeserver was outside of the maximum allowed time adjustment setting.
Gateway Action
Discard
Action Description
The received time is discarded
Proposed Action
None

2.52.7. [ID: 529] Time has been synchronized

Log Categories
TIMESYNC
Log Message
Time has been synchronized.
Default Log Severity
Notice
Parameters
time, old, serverip, name
Explanation
Time has been synchronized.
Gateway Action
None
Action Description
None
Proposed Action
None

2.53. UDP

These log messages refer to the UDP category.

2.53.1. [ID: 482] Mismatching UDP IP payload length

Log Categories
UDP,STATELESS,VALIDATE
Log Message
Mismatching UDP IP payload length.
Default Log Severity
Warning
Parameters
len, iplen, flow, pkt, user, userid
Explanation
The length field in the UDP header does not match the payload length specified by the IP header.
Gateway Action
Drop
Action Description
None
Proposed Action
If the packet sender is one of your network devices, investigate why the unit is sending malformed UDP packets. This log event can be disabled by the IPSettings:LayerSizeConsistency setting.

2.53.2. [ID: 573] Bad UDP checksum

Log Categories
UDP,STATELESS,VALIDATE
Log Message
Bad UDP checksum.
Default Log Severity
Notice
Parameters
chksum, calcchksum, flow, pkt, user, userid
Explanation
The packet's UDP checksum was incorrect. A bad checksum is normally an indication that the packet data has been corrupted, something that will happen spontaneously when transferred over a physical network medium. This is only a concern when it happens in excess; in this case it may be a sign of broken hardware inside the network.
Gateway Action
Allow
Action Description
None
Proposed Action
The settings UDPSettings:UDP4ChecksumVerification and UDPSettings:UDP6ChecksumVerification can be changed to control the gateway's behavior for analyzing the checksum of UDP packets.

2.53.3. [ID: 119] Bad UDP checksum

Log Categories
UDP,STATELESS,VALIDATE
Log Message
Bad UDP checksum.
Default Log Severity
Warning
Parameters
chksum, calcchksum, flow, pkt, user, userid
Explanation
The packet's UDP checksum was incorrect. A bad checksum is normally an indication that the packet data has been corrupted, something that will happen spontaneously when transferred over a physical network medium. This is only a concern when it happens in excess; in this case it may be a sign of broken hardware inside the network.
Gateway Action
Drop
Action Description
None
Proposed Action
The settings UDPSettings:UDP4ChecksumVerification and UDPSettings:UDP6ChecksumVerification can be changed to control the gateway's behavior for analyzing the checksum of UDP packets.

2.53.4. [ID: 602] Bad UDP checksum

Log Categories
UDP,STATELESS,VALIDATE
Log Message
Bad UDP checksum.
Default Log Severity
Warning
Parameters
chksum, calcchksum, pkt
Explanation
The packet's UDP checksum was found to be incorrect while performing an important operation, e.g. updating a flow state. A bad checksum is normally an indication that the packet data has been corrupted, something that will happen spontaneously when transferred over a physical network medium. This is only a concern when it happens in excess; in this case it may be a sign of broken hardware inside the network.
Gateway Action
Allow
Action Description
None
Proposed Action
Some packets are considered important and must be verified to be valid before they are allowed to pass through the system. Thus, UDP checksum verification cannot be disabled for these key packets.

2.53.5. [ID: 1076] Bad UDP checksum

Log Categories
UDP,STATELESS,VALIDATE
Log Message
Bad UDP checksum.
Default Log Severity
Warning
Parameters
chksum, calcchksum, pkt
Explanation
The packet's UDP checksum was found to be incorrect while performing an important operation, e.g. updating a flow state. A bad checksum is normally an indication that the packet data has been corrupted, something that will happen spontaneously when transferred over a physical network medium. This is only a concern when it happens in excess; in this case it may be a sign of broken hardware inside the network.
Gateway Action
Drop
Action Description
None
Proposed Action
Some packets are considered important and must be verified to be valid before they are allowed to pass through the system. Thus, UDP checksum verification cannot be disabled for these key packets.

2.53.6. [ID: 374] Invalid jumbogram UDP header length

Log Categories
UDP,STATELESS,VALIDATE
Log Message
Invalid jumbogram UDP header length.
Default Log Severity
Warning
Parameters
len, expectlen, flow, pkt, user, userid
Explanation
The length field in the UDP header must be zero for IPv6 jumbograms.
Gateway Action
Drop
Action Description
None
Proposed Action
If the packet sender is one of your network devices, investigate why the unit is sending malformed UDP packets. This log event can be disabled by the IPSettings:LayerSizeConsistency setting.

2.53.7. [ID: 292] Truncated UDP header

Log Categories
UDP,STATELESS,VALIDATE
Log Message
Truncated UDP header.
Default Log Severity
Warning
Parameters
len, minlen, flow, pkt, user, userid
Explanation
The length field in the UDP header was smaller than the minimum allowed length of 8 bytes.
Gateway Action
Drop
Action Description
None
Proposed Action
If the packet sender is one of your network devices, investigate why the unit is sending malformed UDP packets. This log event can be disabled by the IPSettings:LayerSizeConsistency setting.
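
The UDP checks behind the events in this section (bad checksum, jumbogram length field not zero, length field below 8 bytes) can be reproduced offline against a captured datagram. The following is an added example, not code from cOS Stream; the function names, event labels, check order and sample addresses are assumptions, and only the params keys chksum, calcchksum, len, expectlen and minlen mirror the parameter names listed above.

```python
import struct

UDP_HDR_LEN = 8  # minimum allowed length named in the "Truncated UDP header" entry

def _fold(data: bytes) -> int:
    """16-bit ones' complement sum used by the UDP checksum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over pseudo-header + segment; src/dst are packed 4- or 16-byte addresses."""
    if len(src) == 4:  # IPv4 pseudo-header (RFC 768)
        pseudo = src + dst + struct.pack("!BBH", 0, 17, len(segment))
    else:              # IPv6 pseudo-header (RFC 8200) with 32-bit length
        pseudo = src + dst + struct.pack("!I3xB", len(segment), 17)
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    return (~_fold(pseudo + zeroed) & 0xFFFF) or 0xFFFF

def validate_udp(src, dst, segment, jumbogram=False):
    """Return (event, params). Event labels are hypothetical, not gateway output."""
    if len(segment) < UDP_HDR_LEN:
        return "insufficient_data", {"len": len(segment)}  # not an entry in this section
    length, chksum = struct.unpack("!HH", segment[4:8])
    if jumbogram:  # caller saw the IPv6 jumbo payload option
        if length != 0:
            return "invalid_jumbogram_length", {"len": length, "expectlen": 0}
        length = len(segment)
    elif length < UDP_HDR_LEN:
        return "truncated_header", {"len": length, "minlen": UDP_HDR_LEN}
    elif length > len(segment):
        return "insufficient_data", {"len": length}  # not an entry in this section
    if chksum == 0 and len(src) == 4:
        return "ok", {}  # IPv4 sender chose not to compute a checksum
    calc = udp_checksum(src, dst, segment[:length])
    if calc != chksum:
        return "bad_checksum", {"chksum": chksum, "calcchksum": calc}
    return "ok", {}

def make_datagram(src, dst, payload, length=None):
    """Constructed sample: UDP segment with a correct checksum and a chosen length field."""
    field = UDP_HDR_LEN + len(payload) if length is None else length
    seg = struct.pack("!HHHH", 40000, 53, field, 0) + payload
    return seg[:6] + struct.pack("!H", udp_checksum(src, dst, seg)) + seg[8:]

if __name__ == "__main__":
    a, b = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])  # constructed addresses
    print(validate_udp(a, b, make_datagram(a, b, b"hello", length=4)))
```
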

2.54. VLAN

These log messages refer to the VLAN category.

2.54.1. [ID: 879] VLAN packet with CFI set

Log Categories
VLAN,STATELESS,VALIDATE
Log Message
VLAN packet with CFI set.
Default Log Severity
Notice
Parameters
pkt
Explanation
A VLAN packet with the CFI (Canonical Format Indicator) set was received. Such packets should not occur on an Ethernet network. The packet was dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.54.2. [ID: 880] Packet is too small to contain VLAN header

Log Categories
VLAN,STATELESS,VALIDATE
Log Message
Packet is too small to contain VLAN header.
Default Log Severity
Warning
Parameters
pkt
Explanation
The end of packet data was encountered while parsing VLAN headers. The packet must have been truncated and was dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.54.3. [ID: 878] VLAN packet with unknown VLAN id

Log Categories
VLAN,STATELESS,VALIDATE
Log Message
VLAN packet with unknown VLAN id.
Default Log Severity
Notice
Parameters
vlanid, vlantype, iface, pkt
Explanation
The VLAN id of a received packet has not been configured on any interface. There is therefore no interface to receive the packet on, so the packet was dropped.
Gateway Action
Drop
Action Description
None
Proposed Action
None
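
The three VLAN checks above (CFI set, packet too small for the VLAN header, VLAN id not configured) can be reproduced against a captured Ethernet frame. The following is an added example, not code from cOS Stream; the function names, event labels, the set of tag types, the order of the checks and the choice to look up the outermost tag's id are assumptions, and only the params keys vlanid and vlantype mirror the parameter names listed above.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # assumption: tag types treated as VLAN headers

def check_vlan(frame: bytes, configured_ids: set):
    """Return (event, params). Event labels are hypothetical, not gateway output."""
    if len(frame) < 14:
        raise ValueError("not a complete Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    (etype,) = struct.unpack_from("!H", frame, offset)
    outer = None
    while etype in TPIDS:
        # A tag needs 2 bytes of TCI plus the 2-byte type field that follows it.
        if len(frame) < offset + 6:
            return "too_small_for_vlan_header", {}
        tci, next_type = struct.unpack_from("!HH", frame, offset + 2)
        if tci & 0x1000:  # bit 12 of the TCI is the CFI
            return "cfi_set", {}
        if outer is None:  # assumption: the outermost tag selects the interface
            outer = {"vlanid": tci & 0x0FFF, "vlantype": etype}
        etype, offset = next_type, offset + 4
    if outer and outer["vlanid"] not in configured_ids:
        return "unknown_vlan_id", outer
    return "ok", {"vlanid": outer["vlanid"] if outer else None, "ethertype": etype}

def tagged_frame(vlanid: int, cfi: int = 0, tpid: int = 0x8100) -> bytes:
    """Constructed sample: zeroed MAC addresses, one VLAN tag, IPv4 type, dummy payload."""
    tci = (cfi << 12) | (vlanid & 0x0FFF)
    return bytes(12) + struct.pack("!HHH", tpid, tci, 0x0800) + b"payload"

if __name__ == "__main__":
    configured = {10, 20}  # constructed interface configuration
    for frame in (tagged_frame(10), tagged_frame(10, cfi=1),
                  tagged_frame(30), tagged_frame(10)[:15]):
        print(check_vlan(frame, configured))
```
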