Login
- Released At: 03-03-2023
- Page Views:
- Downloads:
- Table of Contents
- Related Documents
-
|
|
|
H3C Access Controllers System Log Messages Reference |
|
|
|
|
Software version: Release 5456,ESS 5457
Document version: 6W100-20230228
Copyright © 2023 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice
Contents
Managing and obtaining system log messages
Obtaining log messages from the console terminal
Obtaining log messages from a monitor terminal
Obtaining log messages from the log buffer
Obtaining log messages from the log file
Obtaining log messages from a log host
ACL_ACCELERATE_NONCONTIGUOUSMASK
ACL_ACCELERATE_NOT_SUPPORTHOPBYHOP
ACL_ACCELERATE_NOT_SUPPORTMULTITCPFLAG
APMGR_DETECT_IDLE_RADAR_FAILED
APMGR_LOG_VIRTUAL_5G_RADIO (on fat APs)
RADIO_GROUP_FREQUENCY_CONFLICT
ARP_ACTIVE_ACK_NOREQUESTED_REPLY
ATK_ICMPV6_DEST_UNREACH_RAW_SZ
ATK_ICMPV6_GROUPREDUCTION_RAW_SZ
ATK_ICMPV6_PACKETTOOBIG_RAW_SZ
ATK_IP4_TCP_INVALIDFLAGS_RAW_SZ
ATK_IP6_TCP_INVALIDFLAGS_RAW_SZ
ATK_IPOPT_LOOSESRCROUTE_RAW_SZ
ATK_IPOPT_STRICTSRCROUTE_RAW_SZ
AVC_THRESHOLDWARNING_FASTLOGGING_FMT
AVC_THRESHOLDWARNING_FASTLOGGING_IPV6FMT
DOT1X_NOTENOUGH_EADFREERULE_RES
DOT1X_NOTENOUGH_EADPORTREDIR_RES
DOT1X_NOTENOUGH_EADMACREDIR_RES
DOT1X_NOTENOUGH_ENABLEDOT1X_RES
DOT1X_NOTSUPPORT_EADFREEIP_RES
DOT1X_NOTSUPPORT_EADFREERULE_RES
DOT1X_NOTSUPPORT_EADMACREDIR_RES
DOT1X_NOTSUPPORT_EADPORTREDIR_RES
EDEV_FAILOVER_GROUP_STATE_CHANGE
IDENTITY_IMC_IMPORT_FAILED_NO_MEMORY
IDENTITY_LDAP_IMPORT_FAILED_NO_MEMORY
IDENTITY_LDAP_IMPORT_GROUP_FAILED
IDENTITY_LDAP_IMPORT_USER_FAILED
IPSEC_ANTI-REPLAY_WINDOWS_ERROR
LAGG_INACTIVE_RESOURCE_INSUFICIE
LB_CHANGE_LINK_CONNNUM_RECOVERY
LB_CHANGE_LINK_CONNRATE_RECOVERY
LB_CHANGE_RS_CONNRATE_RECOVERY
LB_CHANGE_VS_CONNRATE_RECOVERY
NAT_INTERFACE_RESOURCE_EXHAUST
NAT_SERVICE_CARD_RECOVER_FAILURE
ND_SET_VLAN_REDIRECT_NORESOURCE
PORTSEC_PORTMODE_NOT_EFFECTIVE
QOS_QMPROFILE_MODIFYQUEUE_FAIL
MONITOR_BLADE_THROUGHPUT_EXCEED
MONITOR_BLADE_THROUGHPUT_BELOW
SSLVPN_ADD_CONTENT_TYPE_FAILED
SSLVPN_ADD_EXCROUTEITEM_FAILED
SSLVPN_ADD_INCROUTEITEM_FAILED
SSLVPN_ADD_IPADDRESSPOOL_FAILED
SSLVPN_ADD_IPTUNNELACIF_FAILED
SSLVPN_ADD_PORTFWD_ITEM_FAILED
SSLVPN_ADD_REFER_PFWDITEM_FAILED
SSLVPN_ADD_REFERPORTFWD_FAILED
SSLVPN_ADD_REFERSCUTLIST_FAILED
SSLVPN_ADD_REFERSHORTCUT_FAILED
SSLVPN_ADD_REFERSNATPOOL_FAILED
SSLVPN_ADD_REFERURLLIST_FAILED
SSLVPN_ADD_REWRITE_RULE_FAILED
SSLVPN_ADD_SHORTCUTLIST_FAILED
SSLVPN_ADD_URLITEM_REFERURIACL
SSLVPN_ADD_URLITEM_REFERURIACL_FAILED
SSLVPN_ADD_URLMAPPING_DOMAIN_FAILED
SSLVPN_ADD_URLMAPPING_VPNPORT_FAILED
SSLVPN_CFG_AUTHENTICATIONUSE_FAILED
SSLVPN_CFG_BINDIPAUTOALLOC_FAILED
SSLVPN_CFG_CONTEXT_USERMAXIMUM
SSLVPN_CFG_CONTEXT_USERMAXIMUM_FAILED
SSLVPN_CFG_DEFAULTPGROUP_FAILED
SSLVPN_CFG_GWIPV6ADDRESS_FAILED
SSLVPN_CFG_HTTPREDIRECT_FAILED
SSLVPN_CFG_IPTUNNEL_WEBRESOURCE_AUTOPUSH
SSLVPN_CFG_IPTUNNEL_WEBRESOURCE_AUTOPUSH_FAILED
SSLVPN_CFG_IPTUNNELPOOL_FAILED
SSLVPN_CFG_LOGINMESSAGE_FAILED
SSLVPN_CFG_PFWDEXECUTION_FAILED
SSLVPN_CFG_SCUTDESCRIPTION_FAILED
SSLVPN_CFG_SCUTEXECUTION_FAILED
SSLVPN_CFG_TRAFFICTHRESHOLD_FAILED
SSLVPN_CFG_WEBACCESS_IPCLIENT_AUTOACTIVE
SSLVPN_CFG_WEBACCESS_IPCLIENT_AUTOACTIVE_FAILED
SSLVPN_CLR_AUTHENTICATIONUSE_FAILED
SSLVPN_CLR_CONTEXT_USERMAXIMUM
SSLVPN_CLR_CONTEXT_USERMAXIMUM_FAILED
SSLVPN_CLR_DEFAULT_PGROUP_FAILED
SSLVPN_CLR_GWIPV6ADDRESS_FAILED
SSLVPN_CLR_HTTPREDIRECT_FAILED
SSLVPN_CLR_IPTUNNEL_WEBRESOURCE_AUTOPUSH
SSLVPN_CLR_IPTUNNEL_WEBRESOURCE_AUTOPUSH_FAILED
SSLVPN_CLR_IPTUNNELPOOL_FAILED
SSLVPN_CLR_PFWDEXECUTION_FAILED
SSLVPN_CLR_SCUTDESCRIPTION_FAILED
SSLVPN_CLR_SCUTEXECUTION_FAILED
SSLVPN_CLR_TRAFFICTHRESHOLD_FAILED
SSLVPN_CLR_WEBACCESS_IPCLIENT_AUTOACTIVE
SSLVPN_CLR_WEBACCESS_IPCLIENT_AUTOACTIVE_FAILED
SSLVPN_DEL_CONTENT_TYPE_FAILED
SSLVPN_DEL_EXCROUTEITEM_FAILED
SSLVPN_DEL_INCROUTEITEM_FAILED
SSLVPN_DEL_IPADDRESSPOOL_FAILED
SSLVPN_DEL_IPTUNNELACIF_FAILED
SSLVPN_DEL_PORTFWD_ITEM_FAILED
SSLVPN_DEL_REFERPFWDITEM_FAILED
SSLVPN_DEL_REFERPORTFWD_FAILED
SSLVPN_DEL_REFERSCUTLIST_FAILED
SSLVPN_DEL_REFERSHORTCUT_FAILED
SSLVPN_DEL_REFERSNATPOOL_FAILED
SSLVPN_DEL_REFERURLITEM_FAILED
SSLVPN_DEL_REFERURLLIST_FAILED
SSLVPN_DEL_REWRITE_RULE_FAILED
SSLVPN_DEL_SHORTCUTLIST_FAILED
SSLVPN_DEL_URLITEM_REFERURIACL
SSLVPN_DEL_URLITEM_REFERURIACL_FAILED
SSLVPN_DISABLE_DYNAMICPWD_FAILED
SSLVPN_DISABLE_GLOBAL_LOG_FAILED
SSLVPN_DISABLE_IPTUNNEL_LOG_FAILED
SSLVPN_DISABLE_PASSWORDAUTH_FAILED
SSLVPN_DISABLE_VERIFYCODE_FAILED
SSLVPN_ENABLE_DYNAMICPWD_FAILED
SSLVPN_ENABLE_FORCELOGOUT_FAILED
SSLVPN_ENABLE_GLOBAL_LOG_FAILED
SSLVPN_ENABLE_IPTUNNEL_LOG_FAILED
SSLVPN_ENABLE_PASSWORDAUTH_FAILED
SSLVPN_ENABLE_VERIFYCODE_FAILED
SSLVPN_UNDO_FORCELOGOUT_FAILED
STAMGR_AUTHORUSERPROFILE_FAILURE
STAMGR_STA_ADDMOB_LKUP_ENDOFIOCTL
UFLT_NOT MATCH_IPV4_LOG (syslog)
UFLT_NOT MATCH_IPV6_LOG (syslog)
UFLT_MATCH_IPv4_LOG (fast log)
UFLT_MATCH_IPv6_LOG (fast log)
UFLT_NOT_MATCH_IPv4_LOG (fast log)
UFLT_NOT_MATCH_IPv6_LOG (fast log)
VLAN_VLANSTRIP_REG_DIFF_CONFIG
Introduction
This document includes the following system messages:
· Messages specific to the access controller.
· Messages for the Comware 7 software platform. Some platform system messages might not be available on the access controller.
This document is intended only for managing H3C access controllers. Do not use this document for any other device models.
This document assumes that the readers are familiar with data communications technologies and H3C networking products.
System log message format
By default, the system log messages use one of the following formats depending on the output destination:
· Log host:
<PRI>TIMESTAMP Sysname %%vendorMODULE/severity/MNEMONIC: location; CONTENT
· Destinations except for the log host:
Prefix TIMESTAMP Sysname MODULE/severity/MNEMONIC: CONTENT
Table 1 System log message elements
|
Element |
Description |
|
<PRI> |
Priority identifier. It is calculated by using the following formula: Priority identifier=facilityx8+severity Where: · Facility is specified by using the info-center loghost command. A log host uses this parameter to identify log sources and filter log messages. · Severity represents the importance of the message. For more information about severity levels, see Table 2. |
|
Prefix |
Message type identifier. This element is contained in the system log messages sent to non-log-host destinations. The element uses the following symbols to indicate message severity: · Percentage sign (%)—Informational and higher levels. · Asterisk (*)—Debug level. |
|
TIMESTAMP |
Date and time when the event occurred. The following are commands for configuring the timestamp format: · Log host—Use the info-center timestamp loghost command. · Non-log-host destinations—Use the info-center timestamp command. |
|
Sysname |
Name or IP address of the device that generated the message. |
|
%%vendor |
Manufacturer flag. This element is %%10 for H3C. |
|
MODULE |
Name of the module that produced the message. |
|
severity |
Severity level of the message. (For more information about severity levels, see Table 2.) |
|
MNEMONIC |
Text string that uniquely identifies the system message. The maximum length is 32 characters. |
|
location |
Optional. This element presents location information for the message in the following format: -attribute1=x-attribute2=y…-attributeN=z This element is separated from the message description by using a semicolon (;). |
|
CONTENT |
Text string that contains detailed information about the event or error. For variable fields in this element, this document uses the representations in Table 3. |
System log messages are classified into eight severity levels from 0 to 7. The lower the number, the higher the severity.
Table 2 System log message severity levels
|
Level |
Severity |
Description |
|
0 |
Emergency |
The system is unusable. For example, the system authorization has expired. |
|
1 |
Alert |
Action must be taken immediately. For example, traffic on an interface exceeds the upper limit. |
|
2 |
Critical |
Critical condition. For example, the device temperature exceeds the upper limit, the power module fails, or the fan tray fails. |
|
3 |
Error |
Error condition. For example, the link state changes or a storage card is unplugged. |
|
4 |
Warning |
Warning condition. For example, an interface is disconnected, or the memory resources are used up. |
|
5 |
Notification |
Normal but significant condition. For example, a terminal logs in to the device, or the device reboots. |
|
6 |
Informational |
Informational message. For example, a command or a ping operation is executed. |
|
7 |
Debug |
Debugging message. |
For variable fields in the message text, this document uses the representations in Table 3. The values are case insensitive, even though the representations are uppercase letters.
Table 3 Variable field representations
|
Representation |
Information type |
|
INT16 |
Signed 16-bit decimal number. |
|
UINT16 |
Unsigned 16-bit decimal number. |
|
INT32 |
Signed 32-bit decimal number. |
|
UINT32 |
Unsigned 32-bit decimal number. |
|
INT64 |
Signed 64-bit decimal number. |
|
UINT64 |
Unsigned 64-bit decimal number. |
|
DOUBLE |
Two dot-separated signed 32-bit decimal numbers. The format is [INTEGER].[INTEGER]. |
|
HEX |
Hexadecimal number. |
|
CHAR |
Single character. |
|
STRING |
Character string. |
|
IPADDR |
IP address. |
|
MAC |
MAC address. |
|
DATE |
Date. |
|
TIME |
Time. |
Managing and obtaining system log messages
You can manage system log messages by using the information center.
By default, the information center is enabled. Log messages can be output to the console, monitor terminal, log buffer, log host, and log file.
To filter log messages, use the info-center source command to specify log output rules. A log output rule specifies the source modules and the lowest severity level of log messages that can be output to a destination. A log message is output if its severity level is higher than or equal to the specified level. For example, if you specify a severity level of 6 (informational), log messages that have a severity level from 0 to 6 are output.
For more information about using the information center, see the System Management Configuration Guide for the product.
Obtaining log messages from the console terminal
Access the device through the console port. Real-time log messages are displayed on the console terminal.
Obtaining log messages from a monitor terminal
Monitor terminals refer to terminals that access the device through the VTY lines (for example, Telnet). To obtain log messages from a monitor terminal, use the following guidelines:
· To display log messages on the monitor terminal, you must configure the terminal monitor command.
· For monitor terminals, the lowest level of log messages that can be displayed is determined by both the terminal logging level and info-center source commands.
|
|
NOTE: Settings for the terminal monitor and terminal logging level commands take effect only on the current login session. The default settings for the commands restore at a relogin. |
Obtaining log messages from the log buffer
Use the display logbuffer command to display history log messages in the log buffer.
Obtaining log messages from the log file
By default, the log file feature automatically saves logs from the log file buffer to the log file every 24 hours. You can use the info-center logfile frequency command to change the automatic saving internal.
To manually save logs to the log file, use the logfile save command. The log file buffer is cleared each time a save operation is performed.
By default, you can obtain the log file from the flash:/logfile path if the device only supports the fixed storage medium flash. If the device supports the fixed storage medium CF card, the file path is cfa0:/logfile/.
To view the contents of the log file on the device, use the more command.
Obtaining log messages from a log host
Use the info-center loghost command to specify the service port number and IP address of a log host. To specify multiple log hosts, repeat the command.
For a successful log message transmission, make sure the specified port number is the same as the port number used on the log host. The default service port number is 514.
Software module list
Table 4 lists all software modules that might produce system log messages. This document uses "OPENSRC" to represent all open source modules.
|
Module name representation |
Module name expansion |
|
AAA |
Authentication, Authorization and Accounting |
|
ACL |
Access Control List |
|
ADVPN |
Auto Discovery Virtual Private Network |
|
APMGR |
Access Point Management |
|
APR |
Application Recognition |
|
ARP |
Address Resolution Protocol |
|
ASPF |
Advanced Stateful Packet Filter |
|
ATK |
Attack Detection and Prevention |
|
AVC |
Application Visible Control |
|
CFGLOG |
Configuration log |
|
CFGMAN |
Configuration Management |
|
CONNLMT |
Connection Limit |
|
DEV |
Device Management |
|
DHCP |
Dynamic Host Configuration Protocol |
|
DHCPS |
DHCP Server |
|
DHCPS6 |
DHCPv6 Server |
|
DHCPSP4 |
DHCP Snooping |
|
DHCPSP6 |
DHCPv6 Snooping |
|
DIAG |
Diagnosis |
|
DIM |
DPI Engine |
|
DOT1X |
802.1X |
|
EDEV |
Extended-Device Management |
|
FILTER |
Filter |
|
FS |
File System |
|
FTP |
File Transfer Protocol |
|
HA |
High Availability |
|
HTTPD |
Hypertext Transfer Protocol Daemon |
|
IDENTITY |
IDENTITY |
|
IFNET |
Interface Net Management |
|
IKE |
Internet Key Exchange |
|
IPSEC |
IP Security |
|
IPSG |
IP Source Guard |
|
IRF (cluster) |
Intelligent Resilient Framework (cluster) |
|
KDNS |
Kernel Domain Name System |
|
KHTTP |
Kernel Hypertext Transfer Protocol |
|
L2TP |
Layer 2 Tunneling Protocol |
|
LAGG |
Link Aggregation |
|
LB |
Load Balancing |
|
LIPC |
Leopard Inter-process Communication |
|
LLDP |
Link Layer Discovery Protocol |
|
LOAD |
Load Management |
|
LOGIN |
Login |
|
LPDT |
Loopback Detection |
|
LS |
Local Server |
|
MAC |
Media Access Control |
|
MACA |
MAC Authentication |
|
MACSEC |
MAC Security |
|
MBUF |
Memory buffer |
|
MFIB |
Multicast Forwarding Information Base |
|
MGROUP |
Mirroring group |
|
NAT |
Network Address Translation |
|
ND |
Neighbor Discovery |
|
NETCONF |
Network Configuration Protocol |
|
NQA |
Network Quality Analyzer |
|
NTP |
Network Time Protocol |
|
OBJP |
Object Policy |
|
OPENSRC(RSYNC) |
Open Source(Remote Synchronize) |
|
OPTMOD |
Optical Module |
|
PBR |
Policy-Based Routing |
|
PCAPWARE |
Packet Capture Wireshark |
|
PING |
Packet Internet Groper |
|
PKI |
Public Key Infrastructure |
|
PKT2CPU |
Packet to CPU |
|
PKTCPT |
Packet Capture |
|
PORTAL |
Portal |
|
PORTSEC |
Port Security |
|
PPP |
Point to Point Protocol |
|
PWDCTL |
Password Control |
|
QOS |
Quality of Service |
|
RADIUS |
Remote Authentication Dial In User Service |
|
RIP |
Routing Information Protocol |
|
RIPNG |
Routing Information Protocol Next Generation |
|
RM |
Routing Management |
|
RRM |
Radio Resource Management |
|
RTM |
Real-Time Event Manager |
|
SCM |
Service Control Manager |
|
SECDIAG |
Security Diagnose |
|
SESSION |
Session |
|
SHELL |
Shell |
|
SNMP |
Simple Network Management Protocol |
|
SSHC |
Secure Shell Client |
|
SSHS |
Secure Shell Server |
|
SSL VPN |
Secure Sockets Layer Virtual Private Network |
|
STAMGR |
Station Management |
|
STM |
Stack Topology Management |
|
STP |
Spanning Tree Protocol |
|
SYSEVENT |
System Event |
|
SYSLOG |
System Log |
|
TELNETD |
Telnet Daemon |
|
UFLT |
URL Filter |
|
VLAN |
Virtual Local Area Network |
|
WCLT |
WLAN Client |
|
WEB |
Web |
|
WFF |
WLAN Fast Forwarding |
|
WIPS |
Wireless Intrusion Prevention System |
|
WLANAUD |
WLAN Audit |
|
WMESH |
WLAN Mesh |
|
WRDC |
Wireless Roaming Data Centerr |
|
WSA |
Wireless Spectrum Analysis |
Using this document
This document categorizes system log messages by software module. The modules are ordered alphabetically. Except for OPENSRC, the system log messages for each module are listed in alphabetic order of their mnemonic names. The OPENSRC messages are unordered because they use the same mnemonic name (SYSLOG). For each OPENSRC message, the section title uses a short description instead of the mnemonic name.
This document explains messages in tables. Table 5 describes information provided in these tables.
Table 5 Message explanation table contents
|
Item |
Content |
Example |
|
Message text |
Presents the message description. |
ACL [UINT32] [STRING] [UINT64] packet(s). |
|
Variable fields |
Briefly describes the variable fields in the order that they appear in the message text. The variable fields are numbered in the "$Number" form to help you identify their location in the message text. |
$1: ACL number. $2: ID and content of an ACL rule. $3: Number of packets that matched the rule. |
|
Severity level |
Provides the severity level of the message. |
6 |
|
Example |
Provides a real message example. The examples do not include the "<PRI>TIMESTAMP Sysname %%vendor" part or the "Prefix TIMESTAMP Sysname" part, because information in this part varies with system settings. |
ACL/6/ACL_STATIS_INFO: ACL 2000 rule 0 permit source 1.1.1.1 0 logging 10000 packet(s). |
|
Explanation |
Explains the message, including the event or error cause. |
Number of packets that matched an ACL rule. This message is sent when the packet counter changes. |
|
Recommended action |
Provides recommended actions. For informational messages, no action is required. |
No action is required. |
AAA messages
This section contains AAA messages.
AAA_FAILURE
|
Message text |
-AAAType=[STRING]-AAADomain=[STRING]-Service=[STRING]-UserName=[STRING]; AAA failed. |
|
Variable fields |
$1: AAA type. $2: AAA scheme. $3: Service. $4: Username. |
|
Severity level |
5 |
|
Example |
AAA/5/AAA_FAILURE: -AAAType=AUTHOR-AAADomain=domain1-Service=login-UserName=cwf@system; AAA failed. |
|
Explanation |
An AAA request was rejected. The following are the common reasons: · No response was received from the server. · The username or password was incorrect. · The service type that the user applied for was incorrect. |
|
Recommended action |
1. Verify that the device is correctly connected to the server. 2. Enter the correct username and password. 3. Verify that the server settings are the same as the settings on the device. 4. If the problem persists, contact H3C Support. |
AAA_LAUNCH
|
Message text |
-AAAType=[STRING]-AAADomain=[STRING]-Service=[STRING]-UserName=[STRING]; AAA launched. |
|
Variable fields |
$1: AAA type. $2: AAA scheme. $3: Service. $4: Username. |
|
Severity level |
6 |
|
Example |
AAA/6/AAA_LAUNCH: -AAAType=AUTHEN-AAADomain=domain1-Service=login-UserName=cwf@system; AAA launched. |
|
Explanation |
An AAA request was received. |
|
Recommended action |
No action is required. |
AAA_SUCCESS
|
Message text |
-AAAType=[STRING]-AAADomain=[STRING]-Service=[STRING]-UserName=[STRING]; AAA succeeded. |
|
Variable fields |
$1: AAA type. $2: AAA scheme. $3: Service. $4: Username. |
|
Severity level |
6 |
|
Example |
AAA/6/AAA_SUCCESS: -AAAType=AUTHOR-AAADomain=domain1-Service=login-UserName=cwf@system; AAA succeeded. |
|
Explanation |
An AAA request was accepted. |
|
Recommended action |
No action is required. |
ACL messages
This section contains ACL messages.
ACL_ACCELERATE_NO_RES
|
Message text |
Failed to accelerate [STRING] ACL [UINT32]. The resources are insufficient. |
|
Variable fields |
$1: ACL type. $2: ACL number. |
|
Severity level |
4 |
|
Example |
ACL/4/ACL_ACCELERATE_NO_RES: Failed to accelerate IPv6 ACL 2001. The resources are insufficient. |
|
Explanation |
Hardware resources were insufficient for accelerating an ACL. |
|
Recommended action |
Delete some rules or disabled ACL acceleration for other ACLs to release hardware resources. |
ACL_ACCELERATE_NONCONTIGUOUSMASK
|
Message text |
Failed to accelerate ACL [UINT32]. ACL acceleration supports only contiguous wildcard masks. |
|
Variable fields |
$1: ACL number. |
|
Severity level |
4 |
|
Example |
ACL/4/ACL_ACCELERATE_NONCONTIGUOUSMASK: Failed to accelerate ACL 2001. ACL acceleration supports only contiguous wildcard masks. |
|
Explanation |
ACL acceleration failed because rules containing noncontiguous wildcard masks exist in the ACL. |
|
Recommended action |
Check the ACL rules and delete the unsupported configuration. |
ACL_ACCELERATE_NOT_SUPPORT
|
Message text |
Failed to accelerate [STRING] ACL [UINT32]. The operation is not supported. |
|
Variable fields |
$1: ACL type. $2: ACL number. |
|
Severity level |
4 |
|
Example |
ACL/4/ACL_ACCELERATE_NOT_SUPPORT: Failed to accelerate IPv6 ACL 2001. The operation is not supported. |
|
Explanation |
ACL acceleration failed because the system does not support ACL acceleration. |
|
Recommended action |
No action is required. |
ACL_ACCELERATE_NOT_SUPPORTHOPBYHOP
|
Message text |
Failed to accelerate IPv6 ACL [UINT32]. ACL acceleration does not support the rules that contain the hop-by-hop keywords. |
|
Variable fields |
$1: ACL number. |
|
Severity level |
4 |
|
Example |
ACL/4/ACL_ACCELERATE_NOT_SUPPORTHOPBYHOP: Failed to accelerate IPv6 ACL 2001. ACL acceleration does not support the rules that contain the hop-by-hop keywords. |
|
Explanation |
ACL acceleration failed for the IPv6 ACL because rules containing the hop-by-hop keyword exist in the ACL. |
|
Recommended action |
Check the ACL rules and delete the unsupported configuration. |
ACL_ACCELERATE_NOT_SUPPORTMULTITCPFLAG
|
Message text |
Failed to accelerate IPv6 ACL [UINT32]. ACL acceleration does not support specifying multiple TCP flags in one rule. |
|
Variable fields |
$1: ACL number. |
|
Severity level |
4 |
|
Example |
ACL/4/ACL_ACCELERATE_NOT_SUPPORTMULTITCPFLAG: Failed to accelerate IPv6 ACL 2001. ACL acceleration does not support specifying multiple TCP flags in one rule. |
|
Explanation |
ACL acceleration failed for the IPv6 ACL because rules containing multiple TCP flags exist in the ACL. |
|
Recommended action |
Check the ACL rules and delete the unsupported configuration. |
ACL_ACCELERATE_UNK_ERR
|
Message text |
Failed to accelerate [STRING] ACL [UINT32]. |
|
Variable fields |
$1: ACL type. $2: ACL number. |
|
Severity level |
4 |
|
Example |
ACL/4/ACL_ACCELERATE_UNK_ERR: Failed to accelerate IPv6 ACL 2001. |
|
Explanation |
ACL acceleration failed because of an unknown error. |
|
Recommended action |
No action is required. |
ACL_DYNRULE_COMMENT
|
Message text |
The comment of [STRING], which was generated dynamically, can't be added or deleted manually. |
|
Variable fields |
$1: Dynamic ACL rule information. |
|
Severity level |
6 |
|
Example |
ACL/6/ACL_DYNRULE_COMMENT: The comment of IPv4 ACL 3000 rule 1, which was generated dynamically, can't be added or deleted manually. |
|
Explanation |
The comment of a dynamic ACL rule can't be added or deleted manually. |
|
Recommended action |
No action is required. |
ACL_DYNRULE_MDF
|
Message text |
[STRING], which was generated dynamically, was deleted or modified manually. |
|
Variable fields |
$1: Dynamic ACL rule information. |
|
Severity level |
5 |
|
Example |
ACL/5/ACL_DYNRULE_MDF: IPv4 ACL 3000 rule 1, which was generated dynamically, was deleted or modified manually. |
|
Explanation |
A dynamic ACL rule was deleted or modified manually. |
|
Recommended action |
Make sure deleting or modifying the dynamic ACL rule does not affect ongoing services on the network. |
ACL_IPV6_STATIS_INFO
|
Message text |
IPv6 ACL [UINT32] [STRING] [UINT64] packet(s). |
|
Variable fields |
$1: ACL number. $2: ID and content of an IPv6 ACL rule. $3: Number of packets that matched the rule. |
|
Severity level |
6 |
|
Example |
ACL/6/ACL_IPV6_STATIS_INFO: IPv6 ACL 2000 rule 0 permit source 1:1::/64 logging 1000 packet(s). |
|
Explanation |
The number of packets matching the IPv6 ACL rule changed. |
|
Recommended action |
No action is required. |
ACL_NO_MEM
|
Message text |
Failed to configure [STRING] ACL [UINT] due to lack of memory. |
|
Variable fields |
$1: ACL type. $2: ACL number. |
|
Severity level |
3 |
|
Example |
ACL/3/ACL_NO_MEM: Failed to configure ACL 2001 due to lack of memory. |
|
Explanation |
Configuring the ACL failed because memory is insufficient. |
|
Recommended action |
Use the display memory-threshold command to check the memory usage. |
ACL_RULE_REACH_MAXNUM
|
Message text |
The maximum number of rules in [STRING] ACL [UNIT32] already reached. |
|
Variable fields |
$1: ACL type. $2: ACL number. |
|
Severity level |
5 |
|
Example |
ACL/5/ACL_RULE_REACH_MAXNUM:The maximum number of rules in IPv4 ACL 3000 already reached. |
|
Explanation |
A dynamic ACL rule failed to be added because the maximum number of rules in the ACL already reached. |
|
Recommended action |
Delete unused ACL rules. |
ACL_RULE_SUBID_EXCEED
|
Message text |
The rule ID in [STRING] ACL [UNIT32] is out of range. |
|
Variable fields |
$1: ACL type. $2: ACL number. |
|
Severity level |
5 |
|
Example |
ACL/5/ ACL_RULE_SUBID_EXCEED: The rule ID in IPv4 ACL 3000 is out of range. |
|
Explanation |
A dynamic ACL rule failed to be added because the rule ID is out of range. |
|
Recommended action |
Modify the rule numbering step for the ACL. |
ACL_STATIS_INFO
|
Message text |
ACL [UINT32] [STRING] [UINT64] packet(s). |
|
Variable fields |
$1: ACL number. $2: ID and content of an IPv4 ACL rule. $3: Number of packets that matched the rule. |
|
Severity level |
6 |
|
Example |
ACL/6/ACL_STATIS_INFO: ACL 2000 rule 0 permit source 1.1.1.1 0 logging 10000 packet(s). |
|
Explanation |
The number of packets matching the IPv4 ACL rule changed. |
|
Recommended action |
No action is required. |
ADVPN messages
This section contains ADVPN messages.
ADVPN_SESSION_DELETED
|
Message text |
An ADVPN tunnel was deleted: tunnel interface=[STRING], private addr=[STRING], public addr=[STRING], peer private addr=[STRING], peer public addr=[STRING], type=[STRING], last state=[STRING], last state duration=[STRING], domain name=[STRING], ADVPN group name=[STRING]. |
|
Variable fields |
$1: Tunnel interface name. $2: Private address of the ADVPN tunnel. $3: Public address of the ADVPN tunnel. $4: Peer private address of the ADVPN tunnel. $5: Peer public address of the ADVPN tunnel. $6: ADVPN tunnel type. $7: Last state of the ADVPN tunnel. $8: Duration for the last state of the ADVPN tunnel, in the format of xH yM zS. $9: ADVPN domain name. $10: ADVPN group name. |
|
Severity level |
4 |
|
Example |
ADVPN/4/ADVPN_SESSION_DELETED: An ADVPN tunnel was deleted: tunnel interface=888, private addr=112.168.60.56, public addr=192.168.60.137,peer private addr=112.168.60.18, peer public addr=192.168.60.11,type=Spoke-Hub, last state=Success, last state duration=0H 8M 8S,domain name=abc, ADVPN group name= |
|
Explanation |
An ADVPN tunnel was deleted. |
|
Recommended action |
Check the network connectivity and configuration. |
ADVPN_SESSION_STATE_CHANGED
|
Message text |
ADVPN tunnel state changed from [STRING] to [STRING]: tunnel interface=[STRING], private addr=[STRING], public addr=[STRING], peer private addr=[STRING], peer public addr=[STRING], type=[STRING], last state=[STRING], last state duration=[STRING], domain name=[STRING], ADVPN group name=[STRING]. |
|
Variable fields |
$1: Original state of the ADVPN tunnel. $2: New state of the ADVPN tunnel. $3: Tunnel interface name. $4: Private address of the ADVPN tunnel. $5: Public address of the ADVPN tunnel. $6: Peer private address of the ADVPN tunnel. $7: Peer public address of the ADVPN tunnel. $8: ADVPN tunnel type. $9: Last state of the ADVPN tunnel. $10: Duration for the last state of the ADVPN tunnel, in the format of xH yM zS. $11: ADVPN domain name. $12: ADVPN group name. |
|
Severity level |
4 |
|
Example |
ADVPN/4/ADVPN_SESSION_STATE_CHANGED: ADVPN tunnel state changed from Establishing to Success: tunnel interface=888, private addr=112.168.60.56, public addr=192.168.60.137,peer private addr=112.168.60.18, peer public addr=192.168.60.11,type=Spoke-Hub, last state=Establishing, last state duration=0H 0M 5S,domain name=abc, ADVPN group name= |
|
Explanation |
The state of an ADVPN tunnel was changed. |
|
Recommended action |
Check the network connectivity and configuration. |
APMGR messages
This section contains access point management messages.
AP_CREATE_FAILURE
|
Message text |
Failed to create an AP with entity ID [UINT32] and model [STRING]. Reason: Region code is not available. |
|
Variable fields |
$1: AP ID. $2: AP model. |
|
Severity level |
6 |
|
Example |
APMGR/6/AP_CREATE_FAILURE: Failed to create an AP with entity ID 1 and model WA2620i-AGN. Reason: Region code is not available. |
|
Explanation |
The system fails to create an AP because the AP is not specified with a region code. |
|
Recommended action |
Specify a region code in global configuration view. |
AP_REBOOT_REASON
|
Message text |
AP in Run state is rebooting. Reason: The physical status of the radio is down. |
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
APMGR/6/AP_REBOOT_REASON: AP in Run state is rebooting. Reason: The physical status of the radio is down. |
|
Explanation |
The AP is rebooting because a physical radio interface of the AP is in down state. |
|
Recommended action |
Verify that radio settings on the AP are correct after the reboot. |
APMGR_ADDBAC_INFO
|
Message text |
Add BAS AC [STRING]. |
|
Variable fields |
$1: MAC address of the BAS AC. |
|
Severity level |
6 |
|
Example |
APMGR/6/APMGR_ADDBAC_INFO: Add BAS AC 3ce5-a616-28cd. |
|
Explanation |
The BAS AC was connected to the master AC. |
|
Recommended action |
No action is required. |
APMGR_AP_CFG_FAILED
|
Message text |
Failed to reset AP [STRING]. Reason: The AP is writing an image file into the flash. |
|
Variable fields |
$1: AP name. |
|
Severity level |
4 |
|
Example |
APMGR/4/APMGR_CFG_FAILD: Failed to reset AP ap2. Reason: The AP is writing an image file into the flash. |
|
Explanation |
AP reset failed because the AP is writing an image file into the flash. |
|
Recommended action |
Restart the AP after the AP finishes writing an image file into the flash. |
APMGR_AP_ONLINE
|
Message text |
The AP failed to come online in discovery stage. Reason: AP model [$1] is not supported. |
|
Variable fields |
$1: AP model. |
|
Severity level |
6 |
|
Example |
APMGR/6/APMGR_AP_ONLINE: The AP failed to come online in discovery stage. Reason: AP model wa2620i-AGN is not supported. |
|
Explanation |
The AP fails to come online because its model is not supported by the AC and the AC cannot receive discovery requests from the AP. |
|
Recommended action |
No action is required. |
APMGR_DELBAC_INFO
|
Message text |
Delete BAS AC [STRING]. |
|
Variable fields |
$1: MAC address of the BAS AC. |
|
Severity level |
6 |
|
Example |
APMGR/6/APMGR_DELBAC_INFO: Delete BAS AC 3ce5-a616-28cd. |
|
Explanation |
The BAS AC was disconnected from the master AC. |
|
Recommended action |
No action is required. |
APMGR_DETECT_IDLE_RADAR_FAILED
|
Message text |
Radio [UINT32] on AP [STRING] does not have available wireless service resources when the detect-idle-radar feature is configured. |
|
Variable fields |
$1: Radio ID. $2: AP name. |
|
Severity level |
6 |
|
Example |
APMGR/6/APMGR_DETECT_IDLE_RADAR_FAILED: Radio 3 on AP ap1 does not have available wireless service resources when the detect-idle-radar feature is configured. |
|
Explanation |
No wireless service resource is available for idle radar channel detection. |
|
Recommended action |
Unbind some service templates from the radio and then configure idle radar channel detection. |
APMGR_LOG_ADD_AP_FAIL
|
Message text |
AP [STRING] failed to come online using serial ID [STRING]: MAC address [STRING] is being used by AP [STRING]. |
|
Variable fields |
$1: AP name. $2: Serial ID. $3: MAC address. $4: AP name. |
|
Severity level |
4 |
|
Example |
APMGR/4/APMGR_LOG_ADD_AP_FAIL: AP ap1 failed to come online using serial ID 01247ef96: MAC address 0023-7961-5201 is being used by AP ap2. |
|
Explanation |
The AP failed to come online because a manual AP that has the same MAC address already exists on the AC. |
|
Recommended action |
Delete either the manual AP that has the MAC address or the serial ID. |
APMGR_LOG_CHANNELCHANGE
|
Message text |
APMGR/6/APMGR_LOG_CHANNELCHANGE: Channel of radio [UINT32] on AP [STRING] changed from [SHORT16] to [SHORT16]. Reason: [STRING] |
|
Variable fields |
$1: Radio ID. $2: AP name. $3: Old channel ID. $4: New channel ID. $5: Channel change reason: · Avoid radar channel. · Radar channel recover. |
|
Severity level |
6 |
|
Example |
APMGR/6/APMGR_LOG_CHANNELCHANGE: Channel of radio 1 on AP ap1 changed from 64 to 149. Reason: Avoid radar channel. |
|
Explanation |
The working channel of the radio changed because radar signals were detected or radar avoidance timed out. |
|
Recommended action |
No action is required. |
APMGR_LOG_LACOFFLINE
|
Message text |
Local AC [STRING] went offline. State changed to Idle. |
|
Variable fields |
$1: Name of the local AC. |
|
Severity level |
6 |
|
Example |
APMGR/6/APMGR_LOG_LACOFFLINE: Local AC ac1 went offline. State changed to Idle. |
|
Explanation |
The local AC went offline. The state of the local AC changed to Idle. |
|
Recommended action |
5. If the local AC went offline abnormally, check the debugging information to locate the problem and resolve it. 6. If the problem persists, contact H3C Support. |
APMGR_LOG_LACONLINE
|
Message text |
Local AC [STRING] went online. State changed to Run. |
|
Variable fields |
$1: Name of the local AC. |
|
Severity level |
6 |
|
Example |
APMGR/6/APMGR_LOG_LACONLINE: Local AC ac1 went online. State changed to Run. |
|
Explanation |
The local AC came online. The state of the local AC changed to Run. |
|
Recommended action |
No action is required. |
APMGR_LOG_MEMALERT
|
Message text |
The memory usage of the AC has reached the threshold. |
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
APMGR/4/APMGR_LOG_MEMALERT: The memory usage of the AC has reached the threshold. |
|
Explanation |
The AP failed to come online because the memory utilization exceeded the limit. |
|
Recommended action |
Stop creating manual APs and prevent APs from coming online. |
APMGR_LOG_NOLICENSE
|
Message text |
AP failed to come online in [STRING]. Reason: No license for the [STRING]. |
|
Variable fields |
$1: AP state: · discover. · join. $2: AP type: · common AP. · WTU AP. |
|
Severity level |
6 |
|
Example |
APMGR/6/APMGR_LOG_NOLICENSE: AP failed to come online in discover. Reason: No license for the common AP. |
|
Explanation |
The AP failed to come online because the number of APs allowed by the license on the AC has reached the upper limit. |
|
Recommended action |
Purchase an upgrade license for AP number extension. |
APMGR_LOG_OFFLINE
|
Message text |
AP [STRING] went offline. State changed to Idle. |
|
Variable fields |
$1: AP name. |
|
Severity level |
6 |
|
Example |
APMGR/6/APMGR_LOG_OFFLINE: AP ap1 went offline. State changed to Idle. |
|
Explanation |
The AP went offline. The state of the AP changed to Idle. |
|
Recommended action |
If the AP went offline abnormally, check the debugging information to locate the problem and resolve it. |
APMGR_LOG_ONLINE
|
Message text |
AP [STRING] came online. State changed to Run. |
|
Variable fields |
$1: AP name. |
|
Severity level |
6 |
|
Example |
APMGR/6/APMGR_LOG_ONLINE: AP ap1 came online. State changed to Run. |
|
Explanation |
The AP came online. The state of the AP changed to Run. |
|
Recommended action |
No action is required. |
APMGR_LOG_ONLINE_FAILED
|
Message text |
[STRING] ([STRING]) failed to come online in join state. Reason: [STRING] ([STRING]) was offline. |
|
Variable fields |
$1: Name of a WTU or WAP. $2: Serial ID of a WTU or WAP. $3: Name of the connected WT or SPM. $4: Serial ID of the connected WT or SPM. |
|
Severity level |
6 |
|
Example |
· APMGR/6/APMGR_AP_ONLINE_FAILED: WTU (219801A0WA916BQ12535) failed to come online in join state. Reason: WT (219801A11UC173000153) was offline. · APMGR/6/APMGR_AP_ONLINE_FAILED: WAP (219801A0VW916AG00254) failed to come online in join state. Reason: SPM (219801A13DB05B0004350) was offline. |
|
Explanation |
· The WTU cannot come online because its connected WT is offline. · The WAP cannot come online because its connected SPM is offline. |
|
Recommended action |
Make the WT or SPM come online. |
APMGR_LOG_VIRTUAL_5G_RADIO (on fat APs)
|
Message text |
[STRING] virtual 5 GHz radio for the AP. Result: [UINT32]. |
|
Variable fields |
$1: Action. · Enabled · Disabled $2: Result code. 0X0 indicates that the configuration was deployed to the kernel successfully. Any other value indicates operation failure. |
|
Severity level |
5 |
|
Example |
APMGR/6/APMGR_LOG_VIRTUAL_5G_RADIO: Enabled virtual 5 GHz radio for the AP. Result: 0x0. |
|
Explanation |
The virtual 5 GHz radio of the AP was enabled or disabled. |
|
Recommended action |
If the result code indicates that the operation failed, contact Technical Support. |
APMGR_REACH_MAX_APNUMBER
|
Message text |
An AP failed to come online: Maximum number of APs already reached. |
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
APMGR/4/APMGR_REACH_MAX_APNEMBER: An AP failed to come online: Maximum number of APs already reached. |
|
Explanation |
An AP failed to come online because the number of APs on the AC already reached the upper limit. |
|
Recommended action |
No action is required. |
APMGR_SWAC_DRV_FAILED
|
Message text |
Failed to install WLAN feature package. Reason: Insufficient hardware resources. |
|
Variable fields |
N/A |
|
Severity level |
3 |
|
Example |
APMGR/3/SWAC_DRV_FAILED: Failed to install WLAN feature package. Reason: Insufficient hardware resources. |
|
Explanation |
The system failed to install the WLAN feature package because of insufficient hardware resources. |
|
Recommended action |
To resolve the problem: 7. Uninstall the WLAN feature package. 8. Locate the reason that causes hardware resource exhaustion and remove the issue. 9. Reinstall the WLAN feature package. 10. If the problem persists, contact H3C Support. |
APMGR_TRAFFIC_ALARM
|
Message text |
The traffic on interface [STRING] of AP [STRING] exceeded the threshold. |
|
Variable fields |
$1: AP interface name. $2: AP name. |
|
Severity level |
4 |
|
Example |
APMGR/4/APMGR_TRAFFIC_ALARM: The traffic on interface GE1/0/1 of AP ap1 exceeded the threshold. |
|
Explanation |
The bandwidth usage on the interface exceeded the alarm threshold. |
|
Recommended action |
To resolve the problem: 11. Use display current-configuration | include "wlan ap interface-traffic-log to view the alarm threshold and verify that the threshold is reasonable. 12. Use packet capture software to capture packets to examine if a large number of broadcast packets exist. If yes, optimize networking and configuration. 13. Enable client rate limit. 14. If the problem persists, contact H3C Support. |
APMGR_TRAFFIC_NORMAL
|
Message text |
The traffic on interface [STRING] of AP [STRING] dropped below the threshold. |
|
Variable fields |
$1: AP interface name. $2: AP name. |
|
Severity level |
6 |
|
Example |
APMGR/6/APMGR_TRAFFIC_NORMAL: The traffic on interface GE1/0/1 of AP ap1 dropped below the threshold. |
|
Explanation |
The bandwidth usage on the interface dropped below the alarm threshold. |
|
Recommended action |
No action is required. |
CWC_AP_DOWN
|
Message text |
CAPWAP tunnel to AC [STRING] went down. Reason: [STRING]. |
|
Variable fields |
$1: AC IP address. $2: Reason: · Added AP IP address. · Deleted AP IP address. · AP interface used for CAPWAP tunnel went down. · AP config changed. · AP was reset. · Number of echo retransmission attempts exceeded the limit. · No license for the AP. · Full retransmission queue. · Data channel timer expired. · Backup AC IP address changed. · Backup tunnel changed to master tunnel. · Failed to change backup tunnel to master tunnel. · Backup method changed. · The AP mode will change from fat or cloud-managed AP to fit AP. · N/A. |
|
Severity level |
6 |
|
Example |
CWC/6/CWC_AP_DOWN: CAPWAP tunnel to AC 192.168.10.1 went down. Reason: AP was reset. |
|
Explanation |
The CAPWAP tunnel between the AP and the AC was terminated for a specific reason. |
|
Recommended action |
Examine the network connection between the AP and the AC. |
CWC_AP_UP
|
Message text |
[STRING] CAPWAP tunnel to AC [STRING] went up. |
|
Variable fields |
$1: Tunnel type: · Master. · Backup. $2: AC IP address. |
|
Severity level |
6 |
|
Example |
CWC/6/CWC_AP_UP: Master CAPWAP tunnel to AC 192.168.10.1 went up. |
|
Explanation |
The AP was connected to the AC successfully and entered Run state. |
|
Recommended action |
No action is required. |
CWC_AP_REBOOT
|
Message text |
AP in state [STRING] is rebooting. Reason: [STRING] |
|
Variable fields |
$1: AP state. $2: Reason: · Image was downloaded successfully. · Reset by admin. · Reset by CloudTunnel. · Reset on cloud. · The radio status was incorrect. · WT was offline. · Stayed in idle state for a long time. |
|
Severity level |
6 |
|
Example |
CWC/6/CWC_AP_REBOOT: AP in State Run is rebooting. Reason: Reset by admin. |
|
Explanation |
The AP rebooted for a specific reason. |
|
Recommended action |
No action is required. |
CWC_IMG_DOWNLOAD_COMPLETE
|
Message text |
System software image file [STRING] downloading through the CAPWAP tunnel to AC [STRING] completed. |
|
Variable fields |
$1: Image file name. $2: AC IP address. |
|
Severity level |
6 |
|
Example |
CWC/6/CWC_IMG_DOWNLOAD_COMPLETE: System software image file 5800.ipe downloading through the CAPWAP tunnel to AC 192.168.10.1 completed. |
|
Explanation |
The AP downloaded the image file from the AC successfully. |
|
Recommended action |
No action is required. |
CWS_IMG_DOWNLOAD_FAILED
|
Message text |
Failed to download image file [STRING1] for [STRING2] [STRING3]. |
|
Variable fields |
$1: Image file name. $2: AP or local AC. $3: Name of the AP or local AC. |
|
Severity level |
6 |
|
Example |
CWS/6/CWS_IMG_DOWNLOAD_FAILED: Failed to download image file wa6300.ipe for AP ap1. |
|
Explanation |
The AP or the local AC failed to download the image file from the AC. |
|
Recommended action |
No action is required. |
CWC_IMG_DOWNLOAD_START
|
Message text |
Started to download the system software image file [STRING] through the CAPWAP tunnel to AC [STRING]. |
|
Variable fields |
$1: Image file name. $2: AC IP address. |
|
Severity level |
6 |
|
Example |
CWC/6/CWC_IMG_DOWNLOAD_START: Started to download the system software image file 5800.ipe through the CAPWAP tunnel to AC 192.168.10.1. |
|
Explanation |
The AP started to download the image file from the AC. |
|
Recommended action |
Make sure the AP is correctly connected to the AC. |
CWC_IMG_NO_ENOUGH_SPACE
|
Message text |
Insufficient flash memory space for downloading system software image file [STRING]. |
|
Variable fields |
$1: Image file name. |
|
Severity level |
6 |
|
Example |
CWC/6/CWC_IMG_NO_ENOUGH_SPACE: Insufficient flash memory space for downloading system software image file 5800.ipe. |
|
Explanation |
The AP failed to download the image file from the AC because of insufficient flash memory. |
|
Recommended action |
Delete files not in use from the AP. |
CWC_LOCALAC_DOWN
|
Message text |
CAPWAP tunnel to Central AC [STRING] went down. Reason: [STRING]. |
|
Variable fields |
$1: IP address of the central AC. $2: Reason: · Added local AC IP address. · Deleted local AC IP address. · Local AC interface used for CAPWAP tunnel went down. · Local AC config changed. · Local AC was reset by admin. · N/A |
|
Severity level |
4 |
|
Example |
CWC/4/CWC_LOCALAC_DOWN: CAPWAP tunnel to Central AC 2.2.2.1 went down. Reason: Local AC config changed. |
|
Explanation |
The CAPWAP tunnel between the central AC and the local AC was terminated for a specific reason. |
|
Recommended action |
To resolve the problem: 15. Examine the network connection between the central AC and the local AC. 16. Verify that the central AC is correctly configured. 17. Verify that the local AC is correctly configured. 18. If the problem persists, contact H3C Support. |
CWC_LOCALAC_UP
|
Message text |
CAPWAP tunnel to Central AC [STRING] went up. |
|
Variable fields |
$1: IP address of the central AC. |
|
Severity level |
6 |
|
Example |
CWC/6/CWC_LOCALAC_UP: CAPWAP tunnel to Central AC 2.2.2.1 went up. |
|
Explanation |
The central AC has established a CAPWAP tunnel with the local AC. |
|
Recommended action |
No action is required. |
CWC_RUN_DOWNLOAD_COMPLETE
|
Message text |
File [STRING] successfully downloaded through the CAPWAP tunnel to AC [STRING]. |
|
Variable fields |
$1: File name. $2: AC IP address. |
|
Severity level |
6 |
|
Example |
CWC/6/CWC_RUN_DOWNLOAD_COMPLETE: File ac.cfg successfully downloaded through the CAPWAP tunnel to AC 192.168.10.1. |
|
Explanation |
The AP downloaded the file from the AC successfully. |
|
Recommended action |
No action is required. |
CWC_RUN_DOWNLOAD_START
|
Message text |
Started to download the file [STRING] through the CAPWAP tunnel to AC [STRING]. |
|
Variable fields |
$1: File name. $2: AC IP address. |
|
Severity level |
6 |
|
Example |
CWC/6/CWC_RUN_DOWNLOAD_START: Started to download the file ac.cfg through the CAPWAP tunnel to AC 192.168.10.1. |
|
Explanation |
The AP started to download the file from the AC. |
|
Recommended action |
Make sure the AP is correctly connected to the AC. |
CWC_RUN_NO_ENOUGH_SPACE
|
Message text |
Insufficient flash memory space for downloading file [STRING]. |
|
Variable fields |
$1: File name. |
|
Severity level |
6 |
|
Example |
CWC/6/CWC_RUN_NO_ENOUGH_SPACE: Insufficient flash memory space for downloading file ac.cfg. |
|
Explanation |
The AP failed to download the file from the AC because of insufficient flash memory. |
|
Recommended action |
Delete files not in use from the AP. |
CWS_AP_DOWN
|
Message text |
CAPWAP tunnel to AP [STRING] went down. Reason: [STRING]. |
|
Variable fields |
$1: AP name. $2: Reason: · Neighbor dead timer expired. · AP was reset by admin. · AP was reset by CloudTunnel. · AP was reset on cloud. · WT was offline. · AP was deleted. · Serial number changed. · Processed join request in Run state. · Failed to retransmit message. · Received WTP tunnel down event from AP. · Backup AC closed the backup tunnel. · Backup AP upgrade failed. · AC is inactive. · Tunnel switched. · N/A. |
|
Severity level |
6 |
|
Example |
CWS/6/CWS_AP_DOWN: CAPWAP tunnel to AP ap1 went down. Reason: AP was reset by admin. |
|
Explanation |
The AP went offline for a specific reason. |
|
Recommended action |
To resolve the problem: 19. Examine the network connection between the AP and the AC. 20. Verify that the AP is correctly configured. 21. Verify that the AC is correctly configured. 22. If the problem persists, contact H3C Support. |
CWS_AP_UP
|
Message text |
[STRING] CAPWAP tunnel to AP [STRING] went up. |
|
Variable fields |
$1: Tunnel type: · Master. · Backup. $2: AP name or serial ID. |
|
Severity level |
6 |
|
Example |
CWS/6/CWS_AP_UP: Backup CAPWAP tunnel to AP ap1 went up. |
|
Explanation |
The AP came online and entered Run state. |
|
Recommended action |
No action is required. |
CWS_IMG_DOWNLOAD_COMPLETE
|
Message text |
System software image file [STRING] downloading through the CAPWAP tunnel for AP [STRING] completed. |
|
Variable fields |
$1: Image file name. $2: AP name. |
|
Severity level |
6 |
|
Example |
CWS/6/CWS_IMG_DOWNLOAD_COMPLETE: System software image file 5800.ipe downloading through the CAPWAP tunnel for AP ap2 completed. |
|
Explanation |
The AP downloaded the image file from the AC successfully. |
|
Recommended action |
No action is required. |
CWS_IMG_DOWNLOAD_FAILED
|
Message text |
Failed to download image file [STRING] for the AP. AC memory is not enough. |
|
Variable fields |
$1: Name of an image file. |
|
Severity level |
6 |
|
Example |
CWS/6/CWS_IMG_DOWNLOAD_FAILED: Failed to download image file wa6300anchor.ipe for the AP. AC memory is not enough. |
|
Explanation |
The AP failed to download an image file from the AC because of insufficient AC memory. |
|
Recommended action |
No action is required. |
CWS_IMG_DOWNLOAD_START
|
Message text |
AP [STRING] started to download the system software image file [STRING]. |
|
Variable fields |
$1: AP name. $2: Image file name. |
|
Severity level |
6 |
|
Example |
CWS/6/CWS_IMG_DOWNLOAD_START: AP ap1 started to download the system software image file 5800.ipe. |
|
Explanation |
The AP started to download the image file from the AC. |
|
Recommended action |
No action is required. |
CWS_IMG_OPENFILE_FAILED
|
Message text |
Failed to open the image file [STRING]. |
|
Variable fields |
$1: Path of the image file to be downloaded to the AP. |
|
Severity level |
3 |
|
Example |
CWS/3/CWS_IMG_OPENFILE_FAILED: Failed to open the image file slot1#cfa0:/wa6300.ipe. |
|
Explanation |
The AP failed to open the image file downloaded from the AC. |
|
Recommended action |
No action is required. |
CWS_LOCALAC_DOWN
|
Message text |
CAPWAP tunnel to local AC [STRING] went down. Reason: [STRING]. |
|
Variable fields |
$1: IP address of the local AC. $2: Reason: · Neighbor dead timer expired. · Local AC was deleted. · Serial number changed. · Processed join request in Run state. · Failed to retransmit message. · N/A |
|
Severity level |
4 |
|
Example |
CWS/4/CWS_LOCALAC_DOWN: CAPWAP tunnel to local AC 1.1.1.1 went down. Reason: Local AC was deleted. |
|
Explanation |
The CAPWAP tunnel between the central AC and the local AC was terminated for a specific reason. |
|
Recommended action |
To resolve the problem: 23. Examine the network connection between the central AC and the local AC. 24. Verify that the central AC is correctly configured. 25. Verify that the local AC is correctly configured. 26. If the problem persists, contact H3C Support. |
CWS_LOCALAC_UP
|
Message text |
CAPWAP tunnel to local AC [STRING] went up. |
|
Variable fields |
$1: IP address of the local AC. |
|
Severity level |
6 |
|
Example |
CWS/6/CWS_LOCALAC_UP: CAPWAP tunnel to local AC 1.1.1.1 went up. |
|
Explanation |
The central AC has established a CAPWAP tunnel with the local AC. |
|
Recommended action |
No action is required. |
CWS_RUN_DOWNLOAD_COMPLETE
|
Message text |
File [STRING] successfully downloaded through the CAPWAP tunnel for AP [STRING]. |
|
Variable fields |
$1: File name. $2: AP name. |
|
Severity level |
6 |
|
Example |
CWS/6/CWS_RUN_DOWNLOAD_COMPLETE: File ac.cfg successfully downloaded through the CAPWAP tunnel for AP ap2. |
|
Explanation |
The AP downloaded the file from the AC successfully. |
|
Recommended action |
No action is required. |
CWS_RUN_DOWNLOAD_START
|
Message text |
AP [STRING] started to download the file [STRING]. |
|
Variable fields |
$1: AP name. $2: File name. |
|
Severity level |
6 |
|
Example |
CWS/6/CWS_RUN_DOWNLOAD_START: AP ap1 started to download the file ac.cfg. |
|
Explanation |
The AP started to download the file from the AC. |
|
Recommended action |
No action is required. |
RADIO
|
Message text |
APMGR/6/RADIO: Current channel usage [UINT32] of radio [CHAR] on AP [STRING] exceeded the threshold. |
|
Variable fields |
$1: Current channel usage. $2: Radio ID. $3: AP name. |
|
Severity level |
6 |
|
Example |
APMGR/6/RADIO: Current channel usage 63% of radio 2 on AP ap1 exceeded the threshold. |
|
Explanation |
The current channel usage on a radio has exceeded the channel usage threshold. |
|
Recommended action |
Execute the channel command to switch the working channel to a channel with low usage. |
RADIO_FREQUENCYBAND_CONFLICT
|
Message text |
Radio [UINT32] on AP [STRING] cannot be configured to operate at the 2.4GHz frequency band, because the other radio is already operating at this band. |
|
Variable fields |
$1: Radio ID. $2: AP name. |
|
Severity level |
6 |
|
Example |
APMGR/6/RADIO_FREQUENCYBAND_CONFLICT: Radio 2 on AP ap1 cannot be configured to operate at the 2.4GHz frequency band, because the other radio is already operating at this band. |
|
Explanation |
Some AP models do not support configuring two radios to operate at the 2.4 GHz frequency band. |
|
Recommended action |
For some AP models, only one radio can operate at the 2.4 GHz frequency band. To change the frequency band for a radio on an AP with two radios for which the frequency band can be changed to 2.4 GHz, make sure the other radio is operating at the 5 GHz band. |
RADIO_GROUP_FREQUENCY_CONFLICT
|
Message text |
Radio [UINT32] on AP [STRING] and radio [UINT32] on group [STRING] were configured to operate at the 2.4GHz frequency band. |
|
Variable fields |
$1: Radio ID. $2: AP name. $ 3: Radio ID in an AP group. $ 4: AP group name. |
|
Severity level |
6 |
|
Example |
APMGR/6/RADIO_GROUP_FREQUENCY_CONFLICT: Radio 2 on AP AP1 and radio 3 on group GROUP1 were configured to operate at the 2.4GHz frequency band. |
|
Explanation |
An AP of a specific model has two 2.4 GHz radios after that AP is added to another AP group. |
|
Recommended action |
Change the frequency band for one radio to 5 GHz, and then add the AP to the specified AP group. |
APR messages
This section contains APR messages.
NBAR_WARNING
|
Message text |
Updated the APR signature library successfully. |
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
NBAR/4/NBAR_WARNING: -Context=1; Updated the APR signature library successfully. |
|
Explanation |
The APR signature library was updated successfully. The device outputs this log message for one of the following conditions: · The triggered update operation succeeds. · The local update operation succeeds. |
|
Recommended action |
No action is required. |
NBAR_WARNING
|
Message text |
Rolled back the APR signature library successfully. |
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
NBAR/4/NBAR_WARNING: -Context=1; Rolled back the APR signature library successfully. |
|
Explanation |
The APR signature library was rolled back successfully to the last version or the factory version. |
|
Recommended action |
No action is required. |
NBAR_WARNING
|
Message text |
Failed to update the APR signature library because no valid license was found for the NBAR feature. |
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
NBAR/4/NBAR_WARNING: -Context=1; Failed to update the APR signature library because no valid license was found for the NBAR feature. |
|
Explanation |
The APR signature library update failed because no valid license was found for updating the APR signature library. The device outputs this log message for one of the following conditions: · Failed to perform a triggered update operation. · Failed to perform a local update operation through the Web interface. |
|
Recommended action |
ARP messages
This section contains ARP messages.
ARP_ACTIVE_ACK_NO_REPLY
|
Message text |
No ARP reply from IP [STRING] was received on interface [STRING]. |
|
Variable fields |
$1: IP address. $2: Interface name. |
|
Severity level |
6 |
|
Example |
ARP/6/ARP_ACTIVE_ACK_NO_REPLY: No ARP reply from IP 192.168.10.1 was received on interface Ethernet0/1/0. |
|
Explanation |
The ARP active acknowledgement feature did not receive an ARP reply after it sent an ARP request to the sender IP of an ARP message. This message indicates the risk of attacks. |
|
Recommended action |
27. Verify that the learned ARP entries on the device are consistent with the existing legal devices. When gateways and servers are on the network, check the ARP entries for these devices first. 28. If the ARP entries are correct and the attack continues, contact H3C Support. |
ARP_ACTIVE_ACK_NOREQUESTED_REPLY
|
Message text |
Interface [STRING] received from IP [STRING] an ARP reply that was not requested by the device. |
|
Variable fields |
$1: Interface name. $2: IP address. |
|
Severity level |
6 |
|
Example |
ARP/6/ARP_ACTIVE_ACK_NOREQUESTED_REPLY: Interface Ethernet0/1/0 received from IP 192.168.10.1 an ARP reply that was not requested by the device. |
|
Explanation |
The ARP active acknowledgement feature received an unsolicited ARP reply from a sender IP. This message indicates the risk of attacks. |
|
Recommended action |
No action is required. The device discards the ARP reply automatically. |
ARP_BINDRULETOHW_FAILED
|
Message text |
Failed to download binding rule to hardware on the interface [STRING], SrcIP [IPADDR], SrcMAC [MAC], VLAN [UINT16], Gateway MAC [MAC]. |
|
Variable fields |
$1: Interface name. $2: Source IP address. $3: Source MAC address. $4: VLAN ID. $5: Gateway MAC address. |
|
Severity level |
5 |
|
Example |
ARP/5/ARP_BINDRULETOHW_FAILED: Failed to download binding rule to hardware on the interface Ethernet1/0/1, SrcIP 1.1.1.132, SrcMAC 0015-E944-A947, VLAN 1, Gateway MAC 00A1-B812-1108. |
|
Explanation |
The system failed to set a binding rule to the hardware on an interface. The message is sent in any of the following situations: · The resources are not sufficient for the operation. · The memory is not sufficient for the operation. · A hardware error occurs. |
|
Recommended action |
To resolve the problem: 29. Execute the display qos-acl resource command to check if the ACL resources for the operation are sufficient. ¡ If yes, proceed to step 2. ¡ If no, delete unnecessary configuration to release ACL resources. If no configuration can be deleted, proceed to step 2. 30. Execute the display memory command to check if the memory for the operation is sufficient. ¡ If yes, proceed to step 3. ¡ If no, delete unnecessary configuration to release memory. If no configuration can be deleted, proceed to step 3. 31. Delete the configuration and perform the operation again. |
ARP_DYNAMIC
|
Message text |
The maximum number of dynamic ARP entries for the device reached. |
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
The maximum number of dynamic ARP entries for the device reached. |
|
Explanation |
This message is displayed when the maximum number of dynamic ARP entries on the device is reached. |
|
Recommended action |
No action is required. |
ARP_DYNAMIC_IF
|
Message text |
The maximum number of dynamic ARP entries for interface [STRING] reached. |
|
Variable fields |
$1: Interface name. |
|
Severity level |
6 |
|
Example |
The maximum number of dynamic ARP entries for interface GigabitEthernet3/0/1 reached. |
|
Explanation |
This message is displayed when maximum number of dynamic ARP entries on an interface is reached. |
|
Recommended action |
No action is required. |
ARP_DYNAMIC_SLOT
|
Message text |
The maximum number of dynamic ARP entries for [STRING] reached. |
|
Variable fields |
$1: Slot number (in standalone mode) or chassis number and slot number (in IRF mode). |
|
Severity level |
6 |
|
Example |
The maximum number of dynamic ARP entries for slot 2 reached. The maximum number of dynamic ARP entries for chassis 1 slot 2 reached. |
|
Explanation |
This message is displayed when the maximum number of dynamic ARP entries on a slot is reached. |
|
Recommended action |
No action is required. |
ARP_HOST_IP_CONFLICT
|
Message text |
|
|
Variable fields |
$1: IP address. $2: Interface name. $3: Interface name. |
|
Severity level |
4 |
|
Example |
|
|
Explanation |
The sender IP address in a received ARP message conflicted with the IP address of a host connected to another interface. |
|
Recommended action |
Check whether the hosts that send the ARP messages are legitimate. Disconnect the illegal host from the network. |
ARP_RATE_EXCEEDED
|
Message text |
The ARP packet rate ([UINT32] pps) exceeded the rate limit ([UINT32] pps) on interface [STRING] in the last [UINT32] seconds. |
|
Variable fields |
$1: ARP packet rate. $2: ARP limit rate. $3: Interface name. $4: Interval time. |
|
Severity level |
4 |
|
Example |
ARP/4/ARP_RATE_EXCEEDED: The ARP packet rate (100 pps) exceeded the rate limit (80 pps) on interface Ethernet0/1/0 in the last 10 seconds. |
|
Explanation |
An interface received ARP messages at a higher rate than the rate limit. |
|
Recommended action |
Verify that the hosts at the sender IP addresses are legitimate. |
ARP_SENDER_IP_INVALID
|
Message text |
Sender IP [STRING] was not on the same network as the receiving interface [STRING]. |
|
Variable fields |
$1: IP address. $2: Interface name. |
|
Severity level |
6 |
|
Example |
ARP/6/ARP_SENDER_IP_INVALID: Sender IP 192.168.10.2 was not on the same network as the receiving interface Ethernet0/1/0. |
|
Explanation |
The sender IP of a received ARP message was not on the same network as the receiving interface. |
|
Recommended action |
Verify that the host at the sender IP address is legitimate. |
ARP_SENDER_MAC_INVALID
|
Message text |
Sender MAC [STRING] was not identical to Ethernet source MAC [STRING] on interface [STRING]. |
|
Variable fields |
$1: MAC address. $2: MAC address. $3: Interface name. |
|
Severity level |
6 |
|
Example |
ARP/6/ARP_SENDER_MAC_INVALID: Sender MAC 0000-5E14-0E00 was not identical to Ethernet source MAC 0000-5C14-0E00 on interface Ethernet0/1/0. |
|
Explanation |
An interface received an ARP message. The sender MAC address in the message body was not identical to the source MAC address in the Ethernet header. |
|
Recommended action |
Verify that the host at the sender MAC address is legitimate. |
ARP_SRC_MAC_FOUND_ATTACK
|
Message text |
An attack from MAC [STRING] was detected on interface [STRING]. |
|
Variable fields |
$1: MAC address. $2: Interface name. |
|
Severity level |
6 |
|
Example |
ARP/6/ARP_SRC_MAC_FOUND_ATTACK: An attack from MAC 0000-5E14-0E00 was detected on interface Ethernet0/1/0. |
|
Explanation |
The source MAC-based ARP attack detection feature received more ARP packets from the same MAC address within 5 seconds than the specified threshold. This message indicates the risk of attacks. |
|
Recommended action |
Verify that the host at the source MAC address is legitimate. |
ARP_TARGET_IP_INVALID
|
Message text |
Target IP [STRING] was not the IP of the receiving interface [STRING]. |
|
Variable fields |
$1: IP address. $2: Interface name. |
|
Severity level |
6 |
|
Example |
ARP/6/ARP_TARGET_IP_INVALID: Target IP 192.168.10.2 was not the IP of the receiving interface Ethernet0/1/0. |
|
Explanation |
The target IP address of a received ARP message was not the IP address of the receiving interface. |
|
Recommended action |
Verify that the host at the sender IP address is legitimate. |
DUPIFIP
|
Message text |
Duplicate address [STRING] on interface [STRING], sourced from [STRING]. |
|
Variable fields |
$1: IP address. $2: Interface name. $3: MAC Address. |
|
Severity level |
6 |
|
Example |
ARP/6/DUPIFIP: Duplicate address 1.1.1.1 on interface Ethernet1/1/1, sourced from 0015-E944-A947. |
|
Explanation |
ARP detected a duplicate address. The sender IP in the received ARP packet was being used by the receiving interface. |
|
Recommended action |
Modify the IP address configuration. |
DUPIP
|
Message text |
IP address [STRING] conflicted with global or imported IP address, sourced from [STRING]. |
|
Variable fields |
$1: IP address. $2: MAC Address. |
|
Severity level |
6 |
|
Example |
ARP/6/DUPIP: IP address 30.1.1.1 conflicted with global or imported IP address, sourced from 0000-0000-0001. |
|
Explanation |
The sender IP address of the received ARP packet conflicted with the global or imported IP address. |
|
Recommended action |
Modify the IP address configuration. |
DUPVRRPIP
|
Message text |
IP address [STRING] conflicted with VRRP virtual IP address on interface [STRING], sourced from [STRING]. |
|
Variable fields |
$1: IP address. $2: Interface name. $3: MAC address. |
|
Severity level |
6 |
|
Example |
ARP/6/DUPVRRPIP: IP address 1.1.1.1 conflicted with VRRP virtual IP address on interface Ethernet1/1/1, sourced from 0015-E944-A947. |
|
Explanation |
The sender IP address of the received ARP packet conflicted with the VRRP virtual IP address. |
|
Recommended action |
Modify the IP address configuration. |
ASPF messages
This section contains ASPF messages.
ASPF_IPV4_DNS
|
Message text |
SrcIPAddr(1003)=[IPADDR];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];RcvDSLiteTunnelPeer(1040)=[STRING];DomainName(1099)=[STRING];Action(1053)=[STRING];Reason(1056)=[STRING]. |
|
Variable fields |
$1: Source IPv4 address. $2: Destination IPv4 address. $3: VPN instance name. $4: Local address of a DS-Lite tunnel. $5: Domain name. $6: Action on the detected illegal packets: · drop—Drops illegal packets. · logging—Generates log messages. · none—Does not process the packets and allows illegal packets to pass. $7: Reason why the message was generated: · Invalid DNS RR. · Failed to check DNS header flag. · Failed to check DNS header ID. |
|
Severity level |
6 |
|
Example |
ASPF/6/ASPF_IPV4_DNS:SrcIPAddr(1003)=1.1.1.3;DstIPAddr(1007)=2.1.1.2;RcvVPNInstance(1042)=vpn;RcvDSLiteTunnelPeer(1040)=dstunnel1;DomainName(1099)=www.h3c.com;Action(1053)=drop,logging;Reason(1056)=Check DNS RR invalid. |
|
Explanation |
ASPF inspection for DNS is configured. The device takes a specific action on IPv4 packets that are determined to be illegal for a reason. |
|
Recommended action |
No action is required. |
ASPF_IPV6_DNS
|
Message text |
SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];DomainName(1099)=[STRING];Action(1053)=[STRING];Reason(1056)=[STRING]. |
|
Variable fields |
$1: Source IPv6 address. $2: Destination IPv6 address. $3: VPN instance name. $4: Domain name. $5: Action on the detected illegal packets: · drop—Drops illegal packets. · logging—Generates log messages. · none—Does not process the packet and allows illegal packets to pass. $6: Reason why the message was generated: · Invalid DNS RR. · Failed to check DNS header flag. · Failed to check DNS header ID. |
|
Severity level |
6 |
|
Example |
ASPF/6/ASPF_IPV6_DNS:SrcIPv6Addr(1036)=2001::1;DstIPv6Addr(1037)=3001::1;RcvVPNInstance(1042)=vpn;DomainName(1099)=www.h3c.com;Action(1053)=drop,logging;Reason(1056)=Check DNS RR invalid. |
|
Explanation |
ASPF inspection for DNS is configured. The device takes a specific action on IPv6 packets that are determined to be illegal for a reason. |
|
Recommended action |
No action is required. |
ATK messages
This section contains attack detection and prevention messages.
ATK_ICMP_ADDRMASK_REQ
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_ADDRMASK_REQ:IcmpType(1062)=17;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP address mask request logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_ADDRMASK_REQ_RAW
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_ADDRMASK_REQ_RAW:IcmpType(1062)=17;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP address mask requests of the same attributes, this message is sent only when the first request is received. If log aggregation is disabled, this message is sent every time an ICMP address mask request is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_ADDRMASK_RPL
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_ADDRMASK_RPL:IcmpType(1062)=18;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP address mask reply logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_ADDRMASK_RPL_RAW
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_ADDRMASK_RPL_RAW:IcmpType(1062)=18;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP address mask replies of the same attributes, this message is sent only when the first reply is received. If log aggregation is disabled, this message is sent every time an ICMP address mask reply is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_ECHO_RPL
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_ECHO_RPL:IcmpType(1062)=0;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP echo reply logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_ECHO_RPL_RAW
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_ECHO_RPL_RAW:IcmpType(1062)=0;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP echo replies of the same attributes, this message is sent only when the first reply is received. If log aggregation is disabled, this message is sent every time an ICMP echo reply is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_ECHO_REQ
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_ECHO_REQ:IcmpType(1062)=8;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP echo request logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_ECHO_REQ_RAW
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];DstPort(1004)=[UINT16];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Destination port number. $7: Name of the receiving VPN instance. $8: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_ECHO_REQ_RAW:IcmpType(1062)=8;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;DstPort(1004)=22;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP echo requests of the same attributes, this message is sent only when the first request is received. If log aggregation is disabled, this message is sent every time an ICMP echo request is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_FLOOD
|
Message text |
RcvIfName(1023)=[STRING];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Destination IP address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMP_FLOOD:RcvIfName(1023)=Ethernet0/0/2;DstIPAddr(1007)=6.1.1.5;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009093351. |
|
Explanation |
This message is sent when the number of ICMP packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_ICMP_INFO_REQ
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_INFO_REQ:IcmpType(1062)=15;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP information request logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_INFO_REQ_RAW
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_INFO_REQ_RAW:IcmpType(1062)=15;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP information requests of the same attributes, this message is sent only when the first request is received. If log aggregation is disabled, this message is sent every time an ICMP information request is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_INFO_RPL
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_INFO_RPL:IcmpType(1062)=16;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP information reply logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_INFO_RPL_RAW
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_INFO_RPL_RAW:IcmpType(1062)=16;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP information replies of the same attributes, this message is sent only when the first reply is received. If log aggregation is disabled, this message is sent every time an ICMP information reply is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_LARGE
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMP_LARGE:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when large ICMP packet logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_LARGE_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMP_LARGE_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for large ICMP packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a large ICMP packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_PARAPROBLEM
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_PARAPROBLEM:IcmpType(1062)=12;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP parameter problem logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_PARAPROBLEM_RAW
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_PARAPROBLEM_RAW:IcmpType(1062)=12;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP parameter problem packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMP parameter problem packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_PINGOFDEATH
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMP_PINGOFDEATH:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for ICMP packets larger than 65535 bytes with the MF flag set to 0. |
|
Recommended action |
No action is required. |
ATK_ICMP_PINGOFDEATH_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMP_PINGOFDEATH_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for the ping of death attack. The attack uses ICMP packets larger than 65535 bytes with the MF flag set to 0. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_REDIRECT
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_REDIRECT:IcmpType(1062)=5;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP redirect logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_REDIRECT_RAW
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_REDIRECT_RAW:IcmpType(1062)=5;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP redirect packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMP redirect packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_SMURF
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMP_SMURF:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for ICMP echo requests whose destination IP address is one of the following addresses: · A broadcast or network address of A, B, or C class. · An IP address of D or E class. · The broadcast or network address of the network where the receiving interface resides. |
|
Recommended action |
No action is required. |
ATK_ICMP_SMURF_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMP_SMURF_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for the smurf attack. The attack uses ICMP echo requests with the destination IP address being one of the following addresses: · A broadcast or network address of A, B, or C class. · An IP address of D or E class. · The broadcast or network address of the network where the receiving interface resides. If log aggregation is enabled, for requests of the same attributes, this message is sent only when the first request is received. If log aggregation is disabled, this message is sent every time a request is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_SOURCEQUENCH
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_SOURCEQUENCH:IcmpType(1062)=4;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP source quench logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_SOURCEQUENCH_RAW
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_SOURCEQUENCH_RAW:IcmpType(1062)=4;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP source quench packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMP source quench packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_TIMEEXCEED
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_TIMEEXCEED:IcmpType(1062)=11;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP time exceeded logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_TIMEEXCEED_RAW
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_TIMEEXCEED_RAW:IcmpType(1062)=11;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP time exceeded packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMP time exceeded packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_TRACEROUTE
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMP_TRACEROUTE:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for ICMP time exceeded packets of code 0. |
|
Recommended action |
No action is required. |
ATK_ICMP_TRACEROUTE_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMP_TRACEROUTE_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP time exceeded packets of code 0 of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMP time exceeded packet of code 0 is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_TSTAMP_REQ
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_TSTAMP_REQ:IcmpType(1062)=13;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP timestamp logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_TSTAMP_REQ_RAW
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_TSTAMP_REQ_RAW:IcmpType(1062)=13;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP timestamp packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMP timestamp packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_TSTAMP_RPL
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_TSTAMP_RPL:IcmpType(1062)=14;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP timestamp reply logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_TSTAMP_RPL_RAW
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_TSTAMP_RPL_RAW:IcmpType(1062)=14;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP timestamp replies of the same attributes, this message is sent only when the first reply is received. If log aggregation is disabled, this message is sent every time an ICMP timestamp reply is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_TYPE
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_TYPE:IcmpType(1062)=38;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for user-defined ICMP packets. |
|
Recommended action |
No action is required. |
ATK_ICMP_TYPE_RAW
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_TYPE_RAW:IcmpType(1062)=38;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for user-defined ICMP packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a user-defined ICMP packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_UNREACHABLE
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_UNREACHABLE:IcmpType(1062)=3;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP destination unreachable logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_UNREACHABLE_RAW
|
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_UNREACHABLE_RAW:IcmpType(1062)=3;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP destination unreachable packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMP destination unreachable packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_DEST_UNREACH
|
Message text |
Icmpv6Type(1064)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_DEST_UNREACH:Icmpv6Type(1064)=133;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMPv6 destination unreachable logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_DEST_UNREACH_RAW
|
Message text |
Icmpv6Type(1064)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_DEST_UNREACH_RAW:Icmpv6Type(1064)=133;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMPv6 destination unreachable packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMPv6 destination unreachable packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_ECHO_REQ
|
Message text |
Icmpv6Type(1064)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_ECHO_REQ:Icmpv6Type(1064)=128;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMPv6 echo request logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_ECHO_REQ_RAW
|
Message text |
Icmpv6Type(1064)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_ECHO_REQ_RAW:Icmpv6Type(1064)=128;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMPv6 echo requests of the same attributes, this message is sent only when the first request is received. If log aggregation is disabled, this message is sent every time an ICMPv6 echo request is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_ECHO_RPL
|
Message text |
Icmpv6Type(1064)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_ECHO_RPL:Icmpv6Type(1064)=129;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMPv6 echo reply logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_ECHO_RPL_RAW
|
Message text |
Icmpv6Type(1064)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_ECHO_RPL_RAW:Icmpv6Type(1064)=129;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMPv6 echo replies of the same attributes, this message is sent only when the first reply is received. If log aggregation is disabled, this message is sent every time an ICMPv6 echo reply is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_FLOOD
|
Message text |
RcvIfName(1023)=[STRING];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Destination IPv6 address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMPV6_FLOOD:RcvIfName(1023)=Ethernet0/0/2;DstIPv6Addr(1007)=2002::2;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009093351. |
|
Explanation |
This message is sent when the number of ICMPv6 packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_GROUPQUERY
|
Message text |
Icmpv6Type(1064)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_GROUPQUERY:Icmpv6Type(1064)=130;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMPv6 multicast listener query logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_GROUPQUERY_RAW
|
Message text |
Icmpv6Type(1064)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_GROUPQUERY_RAW:Icmpv6Type(1064)=130;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMPv6 multicast listener queries of the same attributes, this message is sent only when the first query is received. If log aggregation is disabled, this message is sent every time an ICMPv6 multicast listener query is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_GROUPREDUCTION
|
Message text |
Icmpv6Type(1064)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_GROUPREDUCTION:Icmpv6Type(1064)=132;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMPv6 multicast listener done logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_GROUPREDUCTION_RAW
|
Message text |
Icmpv6Type(1064)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_GROUPREDUCTION_RAW:Icmpv6Type(1064)=132;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMPv6 multicast listener done packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMPv6 multicast listener done packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_GROUPREPORT
|
Message text |
Icmpv6Type(1064)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_GROUPREPORT:Icmpv6Type(1064)=131;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMPv6 multicast listener report logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_GROUPREPORT_RAW
|
Message text |
Icmpv6Type(1064)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_GROUPREPORT_RAW:Icmpv6Type(1064)=131;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMPv6 multicast listener reports of the same attributes, this message is sent only when the first report is received. If log aggregation is disabled, this message is sent every time an ICMPv6 multicast listener report is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_LARGE
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMPV6_LARGE:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when large ICMPv6 packet logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_LARGE_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMPV6_LARGE_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for large ICMPv6 packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a large ICMPv6 packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_PACKETTOOBIG
|
Message text |
Icmpv6Type(1064)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_PACKETTOOBIG:Icmpv6Type(1064)=136;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMPv6 packet too big logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_PACKETTOOBIG_RAW
|
Message text |
Icmpv6Type(1064)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_PACKETTOOBIG_RAW:Icmpv6Type(1064)=136;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMPv6 packet too big packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMPv6 packet too big packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_PARAPROBLEM
|
Message text |
Icmpv6Type(1064)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_PARAPROBLEM:Icmpv6Type(1064)=135;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMPv6 parameter problem logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_PARAPROBLEM_RAW
|
Message text |
Icmpv6Type(1064)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_PARAPROBLEM_RAW:Icmpv6Type(1064)=135;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMPv6 parameter problem packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMPv6 parameter problem packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_TIMEEXCEED
|
Message text |
Icmpv6Type(1064)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_TIMEEXCEED:Icmpv6Type(1064)=134;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMPv6 time exceeded logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_TIMEEXCEED_RAW
|
Message text |
Icmpv6Type(1064)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_TIMEEXCEED_RAW:Icmpv6Type(1064)=134;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMPv6 time exceeded packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMPv6 time exceeded packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_TRACEROUTE
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMPV6_TRACEROUTE:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for ICMPv6 time exceeded packets of code 0. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_TRACEROUTE_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMPV6_TRACEROUTE_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435. |
|
Explanation |
If log aggregation is enabled, for ICMPv6 time exceeded packets of code 0 of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMPv6 time exceeded packet of code 0 is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_TYPE
|
Message text |
Icmpv6Type(1064)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_TYPE:Icmpv6Type(1064)=38;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for user-defined ICMPv6 packets. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_TYPE_RAW
|
Message text |
Icmpv6Type(1064)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_TYPE_RAW:Icmpv6Type(1064)=38;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for user-defined ICMPv6 packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a user-defined ICMPv6 packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_ACK_FLOOD
|
Message text |
RcvIfName(1023)=[STRING];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Destination IP address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_ACK_FLOOD:RcvIfName(1023)=Ethernet0/0/2;DstIPAddr(1007)=6.1.1.5;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009093351. |
|
Explanation |
This message is sent when the number of IPv4 ACK packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP4_DIS_PORTSCAN
|
Message text |
RcvIfName(1023)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Destination IP address. $3: Name of the receiving VPN instance. $4: Actions against the attack. $5: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_DIS_PORTSCAN:RcvIfName(1023)=Ethernet0/0/2;DstIPAddr(1007)=6.1.1.5;RcvVPNInstance(1042)=vpn1;Action(1053)=logging,block-source;BeginTime_c(1011)=20131009052955. |
|
Explanation |
This message is sent when an IPv4 distributed port scan attack is detected. |
|
Recommended action |
No action is required. |
ATK_IP4_DNS_FLOOD
|
Message text |
RcvIfName(1023)=[STRING];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Destination IP address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_DNS_FLOOD:RcvIfName(1023)=Ethernet0/0/2;DstIPAddr(1007)=6.1.1.5;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009093351. |
|
Explanation |
This message is sent when the number of IPv4 DNS queries sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP4_FIN_FLOOD
|
Message text |
RcvIfName(1023)=[STRING];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Destination IP address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_FIN_FLOOD:RcvIfName(1023)=Ethernet0/0/2;DstIPAddr(1007)=6.1.1.5;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009093351. |
|
Explanation |
This message is sent when the number of IPv4 FIN packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP4_FRAGMENT
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_FRAGMENT:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=TCP;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 packets with an offset smaller than 5 but bigger than 0. |
|
Recommended action |
No action is required. |
ATK_IP4_FRAGMENT_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_FRAGMENT_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=TCP;Action(1053)=logging. |
|
Explanation |
This message is for the IPv4 fragment attack. The attack uses IPv4 packets with an offset smaller than 5 but bigger than 0. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_HTTP_FLOOD
|
Message text |
RcvIfName(1023)=[STRING];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Destination IP address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_HTTP_FLOOD:RcvIfName(1023)=Ethernet0/0/2;DstIPAddr(1007)=6.1.1.5;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009093351. |
|
Explanation |
This message is sent when the number of IPv4 HTTP Get packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP4_IMPOSSIBLE
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_IMPOSSIBLE:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=TCP;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 packets whose source IPv4 address is the same as the destination IPv4 address. |
|
Recommended action |
No action is required. |
ATK_IP4_IMPOSSIBLE_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_IMPOSSIBLE_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=TCP;Action(1053)=logging. |
|
Explanation |
This message is for the IPv4 impossible packet attack. The attack uses IPv4 packets whose source IPv4 address is the same as the destination IPv4 address. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_IPSWEEP
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_IPSWEEP:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.5;SndDSLiteTunnelPeer(1041)=--;RcvVPNInstance(1042)=vpn1;Action(1053)=logging,block-source;BeginTime_c(1011)=20131009060657. |
|
Explanation |
This message is sent when an IPv4 sweep attack is detected. |
|
Recommended action |
No action is required. |
ATK_IP4_PORTSCAN
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];RcvVPNInstance(1042)=[STRING];DstIPAddr(1007)=[IPADDR];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Name of the receiving VPN instance. $5: Destination IP address. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_PORTSCAN:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.5;SndDSLiteTunnelPeer(1041)=--;RcvVPNInstance(1042)=vpn1;DstIPAddr(1007)=6.1.1.5;Action(1053)=logging,block-source;BeginTime_c(1011)=20131009052955. |
|
Explanation |
This message is sent when an IPv4 port scan attack is detected. |
|
Recommended action |
No action is required. |
ATK_IP4_RST_FLOOD
|
Message text |
RcvIfName(1023)=[STRING];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Destination IP address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_RST_FLOOD:RcvIfName(1023)=Ethernet0/0/2;DstIPAddr(1007)=6.1.1.5;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009093351. |
|
Explanation |
This message is sent when the number of IPv4 RST packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP4_SYN_FLOOD
|
Message text |
RcvIfName(1023)=[STRING];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Destination IP address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_SYN_FLOOD:RcvIfName(1023)=Ethernet0/0/2;DstIPAddr(1007)=6.1.1.5;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009093351. |
|
Explanation |
This message is sent when the number of IPv4 SYN packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP4_SYNACK_FLOOD
|
Message text |
RcvIfName(1023)=[STRING];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Destination IP address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_SYNACK_FLOOD:RcvIfName(1023)=Ethernet0/0/2;DstIPAddr(1007)=6.1.1.5;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009093351. |
|
Explanation |
This message is sent when the number of IPv4 SYN-ACK packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_ALLFLAGS
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_ALLFLAGS:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 TCP packets that have all flags set. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_ALLFLAGS_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_ALLFLAGS_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv4 TCP packets that have all flags set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_FINONLY
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_FINONLY:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 TCP packets that have only the FIN flag set. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_FINONLY_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_FINONLY_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv4 TCP packets that have only the FIN flag set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_INVALIDFLAGS
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_INVALIDFLAGS:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 TCP packets that have invalid flag settings. Invalid flag settings include: · The RST and FIN flags are both set. · The RST and SYN flags are both set. · The RST, FIN, and SYN flags are all set. · The PSH, RST, and FIN flags are all set. · The PSH, RST, and SYN flags are all set. · The PSH, RST, SYN, and FIN flags are all set. · The ACK, RST, and FIN flags are all set. · The ACK, RST, and SYN flags are all set. · The ACK, RST, SYN, and FIN flags are all set. · The ACK, PSH, SYN, and FIN flags are all set. · The ACK, PSH, RST, and FIN flags are all set. · The ACK, PSH, RST, and SYN flags are all set. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_INVALIDFLAGS_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_INVALIDFLAGS_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv4 TCP packets that have invalid flag settings. Invalid flag settings include: · The RST and FIN flags are both set. · The RST and SYN flags are both set. · The RST, FIN, and SYN flags are all set. · The PSH, RST, and FIN flags are all set. · The PSH, RST, and SYN flags are all set. · The PSH, RST, SYN, and FIN flags are all set. · The ACK, RST, and FIN flags are all set. · The ACK, RST, and SYN flags are all set. · The ACK, RST, SYN, and FIN flags are all set. · The ACK, PSH, SYN, and FIN flags are all set. · The ACK, PSH, RST, and FIN flags are all set. · The ACK, PSH, RST, and SYN flags are all set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_LAND
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_LAND:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 TCP packets whose source IP address is the same as the destination IP address. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_LAND_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_LAND_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for the IPv4 land attack. The attack uses IPv4 TCP packets whose source IP address is the same as the destination IP address. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_NULLFLAG
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_NULLFLAG:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=4. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 TCP packets that have no flag set. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_NULLFLAG_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_NULLFLAG_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv4 TCP packets that have no flag set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_SYNFIN
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_SYNFIN:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 TCP packets that have SYN and FIN flags set. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_SYNFIN_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_SYNFIN_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv4 TCP packets that have SYN and FIN flags set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_WINNUKE
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_WINNUKE:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=5. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 TCP packets with destination port 139, the URG flag set, and a nonzero Urgent Pointer. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_WINNUKE_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_WINNUKE_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for the IPv4 WinNuke attack. The attack uses IPv4 TCP packets with destination port 139, the URG flag set, and a nonzero Urgent Pointer. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_TEARDROP
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TEARDROP:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=TCP;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 overlapping fragments. |
|
Recommended action |
No action is required. |
ATK_IP4_TEARDROP_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TEARDROP_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=TCP;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for IPv4 overlapping fragments of the same attributes, this message is sent only when the first overlapping fragment is received. If log aggregation is disabled, this message is sent every time an IPv4 overlapping fragment is received. |
|
Recommended action |
No action is required. |
ATK_IP4_TINY_FRAGMENT
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TINY_FRAGMENT:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=TCP;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=6. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 packets with a datagram smaller than 68 bytes and the MF flag set. |
|
Recommended action |
No action is required. |
ATK_IP4_TINY_FRAGMENT_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TINY_FRAGMENT_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=TCP;Action(1053)=logging. |
|
Explanation |
This message is for the IPv4 tiny fragment attack. The attack uses IPv4 packets with a datagram smaller than 68 bytes and the MF flag set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_UDP_BOMB
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_UDP_BOMB:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 UDP packets in which the length value in the IP header is larger than the IP header length plus the length in the UDP header. |
|
Recommended action |
No action is required. |
ATK_IP4_UDP_BOMB_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_UDP_BOMB_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv4 UDP bomb attack. The attack uses IPv4 UDP packets in which the length value in the IP header is larger than the IP header length plus the length in the UDP header. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_UDP_FLOOD
|
Message text |
RcvIfName(1023)=[STRING];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Destination IP address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_UDP_FLOOD:RcvIfName(1023)=Ethernet0/0/2;DstIPAddr(1007)=6.1.1.5;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009093351. |
|
Explanation |
This message is sent when the number of IPv4 UDP packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP4_UDP_FRAGGLE
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_UDP_FRAGGLE:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=11. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 UDP packets with source port 7 and destination port 19. |
|
Recommended action |
No action is required. |
ATK_IP4_UDP_FRAGGLE_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_UDP_FRAGGLE_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv4 UDP fraggle attack. The attack uses IPv4 UDP packets with source port 7 and destination port 19. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_UDP_SNORK
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_UDP_SNORK:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 UDP packets with source port 7, 19, or 135, and destination port 135. |
|
Recommended action |
No action is required. |
ATK_IP4_UDP_SNORK_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_UDP_SNORK_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv4 UDP snork attack. The attack uses IPv4 UDP packets with source port 7, 19, or 135, and destination port 135. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_ACK_FLOOD
|
Message text |
RcvIfName(1023)=[STRING];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Destination IPv6 address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_ACK_FLOOD:RcvIfName(1023)=Ethernet0/0/2;DstIPv6Addr(1037)=2::2;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009100434. |
|
Explanation |
This message is sent when the number of IPv6 ACK packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP6_DIS_PORTSCAN
|
Message text |
RcvIfName(1023)=[STRING];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Destination IPv6 address. $3: Name of the receiving VPN instance. $4: Actions against the attack. $5: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_DIS_PORTSCAN:RcvIfName(1023)=Ethernet0/0/2;DstIPv6Addr(1037)=2::2;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009100928. |
|
Explanation |
This message is sent when an IPv6 distributed port scan attack is detected. |
|
Recommended action |
No action is required. |
ATK_IP6_DNS_FLOOD
|
Message text |
RcvIfName(1023)=[STRING];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Destination IPv6 address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_DNS_FLOOD:RcvIfName(1023)=Ethernet0/0/2;DstIPv6Addr(1037)=2::2;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009100434. |
|
Explanation |
This message is sent when the number of IPv6 DNS queries sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP6_FIN_FLOOD
|
Message text |
RcvIfName(1023)=[STRING];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Destination IPv6 address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_FIN_FLOOD:RcvIfName(1023)=Ethernet0/0/2;DstIPv6Addr(1037)=2::2;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009100434. |
|
Explanation |
This message is sent when the number of IPv6 FIN packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP6_FRAGMENT
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Protocol type. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_FRAGMENT:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=1::1;RcvVPNInstance(1042)=;Protocol(1001)=IPv6-ICMP;Action(1053)=logging;BeginTime_c(1011)=20131011103335;EndTime_c(1012)=20131011103835;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 packets with an offset smaller than 5 but bigger than 0. |
|
Recommended action |
No action is required. |
ATK_IP6_FRAGMENT_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Protocol type. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_FRAGMENT_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=1::1;RcvVPNInstance(1042)=;Protocol(1001)=IPv6-ICMP;Action(1053)=logging. |
|
Explanation |
This message is for the IPv6 fragment attack. The attack uses IPv6 packets with an offset smaller than 5 but bigger than 0. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_HTTP_FLOOD
|
Message text |
RcvIfName(1023)=[STRING];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Destination IPv6 address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_HTTP_FLOOD:RcvIfName(1023)=Ethernet0/0/2;DstIPv6Addr(1037)=2::2;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009100434. |
|
Explanation |
This message is sent when the number of IPv6 HTTP Get packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP6_IMPOSSIBLE
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Protocol type. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_IMPOSSIBLE:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=1::1;RcvVPNInstance(1042)=;Protocol(1001)=IPv6-ICMP;Action(1053)=logging;BeginTime_c(1011)=20131011103335;EndTime_c(1012)=20131011103835;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 packets whose source IPv6 address is the same as the destination IPv6 address. |
|
Recommended action |
No action is required. |
ATK_IP6_IMPOSSIBLE_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Protocol type. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_IMPOSSIBLE_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=1::1;RcvVPNInstance(1042)=;Protocol(1001)=IPv6-ICMP;Action(1053)=logging. |
|
Explanation |
This message is for the IPv6 impossible packet attack. The attack uses IPv6 packets whose source IPv6 address is the same as the destination IPv6 address. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_IPSWEEP
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Name of the receiving VPN instance. $4: Actions against the attack. $5: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_IPSWEEP:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=1::5;RcvVPNInstance(1042)=;Action(1053)=logging,block-source;BeginTime_c(1011)=20131009100639. |
|
Explanation |
This message is sent when an IPv6 sweep attack is detected. |
|
Recommended action |
No action is required. |
ATK_IP6_PORTSCAN
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];RcvVPNInstance(1042)=[STRING];DstIPv6Addr(1037)=[IPADDR];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Name of the receiving VPN instance. $4: Destination IPv6 address. $5: Actions against the attack. $6: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_PORTSCAN:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=1::5;RcvVPNInstance(1042)=;DstIPv6Addr(1037)=2::2;Action(1053)=logging,block-source;BeginTime_c(1011)=20131009100455. |
|
Explanation |
This message is sent when an IPv6 port scan attack is detected. |
|
Recommended action |
No action is required. |
ATK_IP6_RST_FLOOD
|
Message text |
RcvIfName(1023)=[STRING];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Destination IPv6 address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_RST_FLOOD:RcvIfName(1023)=Ethernet0/0/2;DstIPv6Addr(1037)=2::2;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009100434. |
|
Explanation |
This message is sent when the number of IPv6 RST packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP6_SYN_FLOOD
|
Message text |
RcvIfName(1023)=[STRING];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Destination IPv6 address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_SYN_FLOOD:RcvIfName(1023)=Ethernet0/0/2;DstIPv6Addr(1037)=2::2;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009100434. |
|
Explanation |
This message is sent when the number of IPv6 SYN packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP6_SYNACK_FLOOD
|
Message text |
RcvIfName(1023)=[STRING];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Destination IPv6 address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_SYNACK_FLOOD:RcvIfName(1023)=Ethernet0/0/2;DstIPv6Addr(1037)=2::2;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009100434. |
|
Explanation |
This message is sent when the number of IPv6 SYN-ACK packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_ALLFLAGS
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_ALLFLAGS:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009103631;EndTime_c(1012)=20131009104131;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 TCP packets that have all flags set. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_ALLFLAGS_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_ALLFLAGS_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=2000::1;DstIPv6Addr(1037)=2003::200;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv6 TCP packets that have all flags set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_FINONLY
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_FINONLY:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009103631;EndTime_c(1012)=20131009104131;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 TCP packets that have only the FIN flag set. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_FINONLY_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_FINONLY_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=2000::1;DstIPv6Addr(1037)=2003::200;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv6 TCP packets that have only the FIN flag set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_INVALIDFLAGS
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_INVALIDFLAGS:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009103631;EndTime_c(1012)=20131009104131;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 TCP packets that have invalid flag settings. Invalid flag settings include: · The RST and FIN flags are both set. · The RST and SYN flags are both set. · The RST, FIN, and SYN flags are all set. · The PSH, RST, and FIN flags are all set. · The PSH, RST, and SYN flags are all set. · The PSH, RST, SYN, and FIN flags are all set. · The ACK, RST, and FIN flags are all set. · The ACK, RST, and SYN flags are all set. · The ACK, RST, SYN, and FIN flags are all set. · The ACK, PSH, SYN, and FIN flags are all set. · The ACK, PSH, RST, and FIN flags are all set. · The ACK, PSH, RST, and SYN flags are all set. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_INVALIDFLAGS_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_INVALIDFLAGS_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=2000::1;DstIPv6Addr(1037)=2003::200;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv6 TCP packets that have invalid flag settings. Invalid flag settings include: · The RST and FIN flags are both set. · The RST and SYN flags are both set. · The RST, FIN, and SYN flags are all set. · The PSH, RST, and FIN flags are all set. · The PSH, RST, and SYN flags are all set. · The PSH, RST, SYN, and FIN flags are all set. · The ACK, RST, and FIN flags are all set. · The ACK, RST, and SYN flags are all set. · The ACK, RST, SYN, and FIN flags are all set. · The ACK, PSH, SYN, and FIN flags are all set. · The ACK, PSH, RST, and FIN flags are all set. · The ACK, PSH, RST, and SYN flags are all set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_LAND
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_LAND:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009103631;EndTime_c(1012)=20131009104131;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 TCP packets whose source IPv6 address is the same as the destination IPv6 address. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_LAND_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_LAND_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=2000::1;DstIPv6Addr(1037)=2003::200;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for the IPv6 land attack. The attack uses IPv6 TCP packets whose source IPv6 address is the same as the destination IPv6 address. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_NULLFLAG
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_NULLFLAG:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009103631;EndTime_c(1012)=20131009104131;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 TCP packets that have no flag set. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_NULLFLAG_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_NULLFLAG_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=2000::1;DstIPv6Addr(1037)=2003::200;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv6 TCP packets that have no flag set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_SYNFIN
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_SYNFIN:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009103631;EndTime_c(1012)=20131009104131;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 TCP packets that have SYN and FIN flags set. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_SYNFIN_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_SYNFIN_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=2000::1;DstIPv6Addr(1037)=2003::200;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv6 TCP packets that have SYN and FIN flags set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_WINNUKE
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_WINNUKE:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009103631;EndTime_c(1012)=20131009104131;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 TCP packets with destination port 139, the URG flag set, and a nonzero Urgent Pointer. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_WINNUKE_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_WINNUKE_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for the IPv6 WinNuke attack. The attack uses IPv6 TCP packets with destination port 139, the URG flag set, and a nonzero Urgent Pointer. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_UDP_FLOOD
|
Message text |
RcvIfName(1023)=[STRING];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Destination IPv6 address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_UDP_FLOOD:RcvIfName(1023)=Ethernet0/0/2;DstIPv6Addr(1037)=2::2;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009100434. |
|
Explanation |
This message is sent when the number of IPv6 UDP packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP6_UDP_FRAGGLE
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_UDP_FRAGGLE:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009103631;EndTime_c(1012)=20131009104131;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 UDP packets with source port 7 and destination port 19. |
|
Recommended action |
No action is required. |
ATK_IP6_UDP_FRAGGLE_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_UDP_FRAGGLE_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv6 UDP fraggle attack. The attack uses IPv6 UDP packets with source port 7 and destination port 19. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_UDP_SNORK
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_UDP_SNORK:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009103631;EndTime_c(1012)=20131009104131;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 UDP packets with source port 7, 19, or 135, and destination port 135. |
|
Recommended action |
No action is required. |
ATK_IP6_UDP_SNORK_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_UDP_SNORK_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv6 UDP snork attack. The attack uses IPv6 UDP packets with source port 7, 19, or 135, and port 135. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP_OPTION
|
Message text |
IPOptValue(1061)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IP_OPTION:IPOptValue(1061)=38;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging;BeginTime_c(1011)=20131011063123;EndTime_c(1012)=20131011063623;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for packets with a user-defined IP option. |
|
Recommended action |
No action is required. |
ATK_IP_OPTION_RAW
|
Message text |
IPOptValue(1061)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IP_OPTION_RAW:IPOptValue(1061)=38;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for packets with a user-defined IP option and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with a user-defined IP option is received. |
|
Recommended action |
No action is required. |
ATK_IPOPT_ABNORMAL
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IPOPT_ABNORMAL:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging;BeginTime_c(1011)=20131011072002;EndTime_c(1012)=20131011072502;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for packets with more than two IP options. |
|
Recommended action |
No action is required. |
ATK_IPOPT_ABNORMAL_RAW
|
Message text |
RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IPOPT_ABNORMAL_RAW:RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging. |
|
Explanation |
This message is for packets that each has more than two IP options. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with more than two IP options is received. |
|
Recommended action |
No action is required. |
ATK_IPOPT_LOOSESRCROUTE
|
Message text |
IPOptValue(1061)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)= [UINT32]. |
|
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_LOOSESRCROUTE:IPOptValue(1061)=131;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging;BeginTime_c(1011)=20131011063123;EndTime_c(1012)=20131011063623;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for packets with IP option 131. |
|
Recommended action |
No action is required. |
ATK_IPOPT_LOOSESRCROUTE_RAW
|
Message text |
IPOptValue(1061)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_LOOSESRCROUTE_RAW:IPOptValue(1061)=131;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for packets with IP option 131 and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with IP option 131 is received. |
|
Recommended action |
No action is required. |
ATK_IPOPT_RECORDROUTE
|
Message text |
IPOptValue(1061)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_RECORDROUTE:IPOptValue(1061)=7;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging;BeginTime_c(1011)=20131011063123;EndTime_c(1012)=20131011063623;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for packets with IP option 7. |
|
Recommended action |
No action is required. |
ATK_IPOPT_RECORDROUTE_RAW
|
Message text |
IPOptValue(1061)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_RECORDROUTE_RAW:IPOptValue(1061)=7;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for packets with IP option 7 and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with IP option 7 is received. |
|
Recommended action |
No action is required. |
ATK_IPOPT_ROUTEALERT
|
Message text |
IPOptValue(1061)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_ROUTEALERT:IPOptValue(1061)=148;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging;BeginTime_c(1011)=20131011063123;EndTime_c(1012)=20131011063623;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for packets with IP option 148. |
|
Recommended action |
No action is required. |
ATK_IPOPT_ROUTEALERT_RAW
|
Message text |
IPOptValue(1061)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_ROUTEALERT_RAW:IPOptValue(1061)=148;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for packets with IP option 148 and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with IP option 148 is received. |
|
Recommended action |
No action is required. |
ATK_IPOPT_SECURITY
|
Message text |
IPOptValue(1061)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_SECURITY:IPOptValue(1061)=130;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging;BeginTime_c(1011)=20131009091022;EndTime_c(1012)=20131009091522;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for packets with IP option 130. |
|
Recommended action |
No action is required. |
ATK_IPOPT_SECURITY_RAW
|
Message text |
IPOptValue(1061)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_SECURITY_RAW:IPOptValue(1061)=130;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for packets with IP option 130 and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with IP option 130 is received. |
|
Recommended action |
No action is required. |
ATK_IPOPT_STREAMID
|
Message text |
IPOptValue(1061)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_STREAMID:IPOptValue(1061)=136;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging;BeginTime_c(1011)=20131011063123;EndTime_c(1012)=20131011063623;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for packets with IP option 136. |
|
Recommended action |
No action is required. |
ATK_IPOPT_STREAMID_RAW
|
Message text |
IPOptValue(1061)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_STREAMID_RAW:IPOptValue(1061)=136;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for packets with IP option 136 and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with IP option 136 is received. |
|
Recommended action |
No action is required. |
ATK_IPOPT_STRICTSRCROUTE
|
Message text |
IPOptValue(1061)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_STRICTSRCROUTE:IPOptValue(1061)=137;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging;BeginTime_c(1011)=20131011063123;EndTime_c(1012)=20131011063623;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for packets with IP option 137. |
|
Recommended action |
No action is required. |
ATK_IPOPT_STRICTSRCROUTE_RAW
|
Message text |
IPOptValue(1061)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_STRICTSRCROUTE_RAW:IPOptValue(1061)=137;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for packets with IP option 137 and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with IP option 137 is received. |
|
Recommended action |
No action is required. |
ATK_IPOPT_TIMESTAMP
|
Message text |
IPOptValue(1061)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_TIMESTAMP:IPOptValue(1061)=68;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging;BeginTime_c(1011)=20131011063123;EndTime_c(1012)=20131011063623;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for packets with IP option 68. |
|
Recommended action |
No action is required. |
ATK_IPOPT_TIMESTAMP_RAW
|
Message text |
IPOptValue(1061)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_TIMESTAMP_RAW:IPOptValue(1061)=68;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for packets with IP option 68 and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with IP option 68 is received. |
|
Recommended action |
No action is required. |
ATK_IPV6_EXT_HEADER
|
Message text |
IPv6ExtHeader(1060)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: IPv6 extension header value. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPV6_EXT_HEADER:IPv6ExtHeader(1060)=43;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009103631;EndTime_c(1012)=20131009104131;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 packets with a user-defined extension header. |
|
Recommended action |
No action is required. |
ATK_IPV6_EXT_HEADER _RAW
|
Message text |
IPv6ExtHeader(1060)=[UINT32];RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: IPv6 extension header value. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPV6_EXT_HEADER_RAW:IPv6ExtHeader(1060)=43;RcvIfName(1023)=Ethernet0/0/2;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for IPv6 packets with a user-defined extension header and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an IPv6 packet with a user-defined extension header is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_ADDRMASK_REQ_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_ADDRMASK_REQ_SZ:IcmpType(1062)=17;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP address mask request logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_ADDRMASK_REQ_RAW_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_ADDRMASK_REQ_RAW_SZ:IcmpType(1062)=17;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP address mask requests of the same attributes, this message is sent only when the first request is received. If log aggregation is disabled, this message is sent every time an ICMP address mask request is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_ADDRMASK_RPL_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_ADDRMASK_RPL_SZ:IcmpType(1062)=18;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP address mask reply logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_ADDRMASK_RPL_RAW_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_ADDRMASK_RPL_RAW_SZ:IcmpType(1062)=18;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP address mask replies of the same attributes, this message is sent only when the first reply is received. If log aggregation is disabled, this message is sent every time an ICMP address mask reply is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_ECHO_RPL_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_ECHO_RPL_SZ:IcmpType(1062)=0;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP echo reply logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_ECHO_RPL_RAW_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_ECHO_RPL_RAW_SZ:IcmpType(1062)=0;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP echo replies of the same attributes, this message is sent only when the first reply is received. If log aggregation is disabled, this message is sent every time an ICMP echo reply is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_ECHO_REQ_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_ECHO_REQ_SZ:IcmpType(1062)=8;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP echo request logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_ECHO_REQ_RAW_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];DstPort(1004)=[UINT16];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Destination port number. $7: Name of the receiving VPN instance. $8: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_ECHO_REQ_RAW_SZ:IcmpType(1062)=8;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;DstPort(1004)=22;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP echo requests of the same attributes, this message is sent only when the first request is received. If log aggregation is disabled, this message is sent every time an ICMP echo request is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_FLOOD_SZ
|
Message text |
SrcZoneName(1025)=[STRING];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Destination IP address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMP_FLOOD_SZ:SrcZoneName(1025)=Trust;DstIPAddr(1007)=6.1.1.5;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009093351. |
|
Explanation |
This message is sent when the number of ICMP packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_ICMP_INFO_REQ_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_INFO_REQ_SZ:IcmpType(1062)=15;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP information request logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_INFO_REQ_RAW_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_INFO_REQ_RAW_SZ:IcmpType(1062)=15;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP information requests of the same attributes, this message is sent only when the first request is received. If log aggregation is disabled, this message is sent every time an ICMP information request is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_INFO_RPL_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_INFO_RPL_SZ:IcmpType(1062)=16;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP information reply logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_INFO_RPL_RAW_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_INFO_RPL_RAW_SZ:IcmpType(1062)=16;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP information replies of the same attributes, this message is sent only when the first reply is received. If log aggregation is disabled, this message is sent every time an ICMP information reply is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_LARGE_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMP_LARGE_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when large ICMP packet logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_LARGE_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_LARGE_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for large ICMP packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a large ICMP packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_PARAPROBLEM_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_PARAPROBLEM_SZ:IcmpType(1062)=12;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP parameter problem logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_PARAPROBLEM_RAW_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_PARAPROBLEM_RAW_SZ:IcmpType(1062)=12;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP parameter problem packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMP parameter problem packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_PINGOFDEATH_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMP_PINGOFDEATH_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for ICMP packets larger than 65535 bytes with the MF flag set to 0. |
|
Recommended action |
No action is required. |
ATK_ICMP_PINGOFDEATH_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMP_PINGOFDEATH_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for the ping of death attack. The attack uses ICMP packets larger than 65535 bytes with the MF flag set to 0. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_REDIRECT_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_REDIRECT_SZ:IcmpType(1062)=5;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP redirect logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_REDIRECT_RAW_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_REDIRECT_RAW_SZ:IcmpType(1062)=5;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP redirect packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMP redirect packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_SMURF_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMP_SMURF_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for ICMP echo requests whose destination IP address is one of the following addresses: · A broadcast or network address of A, B, or C class. · An IP address of D or E class. · The broadcast or network address of the network where the receiving interface resides. |
|
Recommended action |
No action is required. |
ATK_ICMP_SMURF_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMP_SMURF_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for the smurf attack. The attack uses ICMP echo requests with the destination IP address being one of the following addresses: · A broadcast or network address of A, B, or C class. · An IP address of D or E class. · The broadcast or network address of the network where the receiving interface resides. If log aggregation is enabled, for requests of the same attributes, this message is sent only when the first request is received. If log aggregation is disabled, this message is sent every time a request is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_SOURCEQUENCH_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_SOURCEQUENCH_SZ:IcmpType(1062)=4;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP source quench logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_SOURCEQUENCH_RAW_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_SOURCEQUENCH_RAW_SZ:IcmpType(1062)=4;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP source quench packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMP source quench packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_TIMEEXCEED_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_TIMEEXCEED_SZ:IcmpType(1062)=11;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP time exceeded logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_TIMEEXCEED_RAW_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_TIMEEXCEED_RAW_SZ:IcmpType(1062)=11;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP time exceeded packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMP time exceeded packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_TRACEROUTE_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMP_TRACEROUTE_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for ICMP time exceeded packets of code 0. |
|
Recommended action |
No action is required. |
ATK_ICMP_TRACEROUTE_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMP_TRACEROUTE_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP time exceeded packets of code 0 of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMP time exceeded packet of code 0 is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_TSTAMP_REQ_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_TSTAMP_REQ_SZ:IcmpType(1062)=13;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP timestamp logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_TSTAMP_REQ_RAW_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_TSTAMP_REQ_RAW_SZ:IcmpType(1062)=13;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP timestamp packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMP timestamp packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_TSTAMP_RPL_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_TSTAMP_RPL_SZ:IcmpType(1062)=14;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP timestamp reply logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_TSTAMP_RPL_RAW_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_TSTAMP_RPL_RAW_SZ:IcmpType(1062)=14;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP timestamp replies of the same attributes, this message is sent only when the first reply is received. If log aggregation is disabled, this message is sent every time an ICMP timestamp reply is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_TYPE_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_TYPE_SZ:IcmpType(1062)=38;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for user-defined ICMP packets. |
|
Recommended action |
No action is required. |
ATK_ICMP_TYPE_RAW_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_TYPE_RAW_SZ:IcmpType(1062)=38;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for user-defined ICMP packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a user-defined ICMP packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMP_UNREACHABLE_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_UNREACHABLE_SZ:IcmpType(1062)=3;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMP destination unreachable logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMP_UNREACHABLE_RAW_SZ
|
Message text |
IcmpType(1062)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMP message type. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMP_UNREACHABLE_RAW_SZ:IcmpType(1062)=3;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMP destination unreachable packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMP destination unreachable packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_DEST_UNREACH_SZ
|
Message text |
Icmpv6Type(1064)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_DEST_UNREACH_SZ:Icmpv6Type(1064)=133;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMPv6 destination unreachable logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_DEST_UNREACH_RAW_SZ
|
Message text |
Icmpv6Type(1064)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_DEST_UNREACH_RAW_SZ:Icmpv6Type(1064)=133;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMPv6 destination unreachable packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMPv6 destination unreachable packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_ECHO_REQ_SZ
|
Message text |
Icmpv6Type(1064)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_ECHO_REQ_SZ:Icmpv6Type(1064)=128;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMPv6 echo request logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_ECHO_REQ_RAW_SZ
|
Message text |
Icmpv6Type(1064)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_ECHO_REQ_RAW_SZ:Icmpv6Type(1064)=128;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMPv6 echo requests of the same attributes, this message is sent only when the first request is received. If log aggregation is disabled, this message is sent every time an ICMPv6 echo request is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_ECHO_RPL_SZ
|
Message text |
Icmpv6Type(1064)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_ECHO_RPL_SZ:Icmpv6Type(1064)=129;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMPv6 echo reply logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_ECHO_RPL_RAW_SZ
|
Message text |
Icmpv6Type(1064)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_ECHO_RPL_RAW_SZ:Icmpv6Type(1064)=129;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMPv6 echo replies of the same attributes, this message is sent only when the first reply is received. If log aggregation is disabled, this message is sent every time an ICMPv6 echo reply is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_FLOOD_SZ
|
Message text |
SrcZoneName(1025)=[STRING];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Destination IPv6 address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMPV6_FLOOD_SZ:SrcZoneName(1025)=Trust;DstIPv6Addr(1007)=2002::2;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009093351. |
|
Explanation |
This message is sent when the number of ICMPv6 packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_GROUPQUERY_SZ
|
Message text |
Icmpv6Type(1064)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_GROUPQUERY_SZ:Icmpv6Type(1064)=130;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMPv6 multicast listener query logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_GROUPQUERY_RAW_SZ
|
Message text |
Icmpv6Type(1064)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_GROUPQUERY_RAW_SZ:Icmpv6Type(1064)=130;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMPv6 multicast listener queries of the same attributes, this message is sent only when the first query is received. If log aggregation is disabled, this message is sent every time an ICMPv6 multicast listener query is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_GROUPREDUCTION_SZ
|
Message text |
Icmpv6Type(1064)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_GROUPREDUCTION_SZ:Icmpv6Type(1064)=132;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMPv6 multicast listener done logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_GROUPREDUCTION_RAW_SZ
|
Message text |
Icmpv6Type(1064)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_GROUPREDUCTION_RAW_SZ:Icmpv6Type(1064)=132;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMPv6 multicast listener done packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMPv6 multicast listener done packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_GROUPREPORT_SZ
|
Message text |
Icmpv6Type(1064)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_GROUPREPORT_SZ:Icmpv6Type(1064)=131;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMPv6 multicast listener report logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_GROUPREPORT_RAW_SZ
|
Message text |
Icmpv6Type(1064)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_GROUPREPORT_RAW_SZ:Icmpv6Type(1064)=131;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMPv6 multicast listener reports of the same attributes, this message is sent only when the first report is received. If log aggregation is disabled, this message is sent every time an ICMPv6 multicast listener report is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_LARGE_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMPV6_LARGE_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when large ICMPv6 packet logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_LARGE_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMPV6_LARGE_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for large ICMPv6 packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a large ICMPv6 packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_PACKETTOOBIG_SZ
|
Message text |
Icmpv6Type(1064)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_PACKETTOOBIG_SZ:Icmpv6Type(1064)=136;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMPv6 packet too big logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_PACKETTOOBIG_RAW_SZ
|
Message text |
Icmpv6Type(1064)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_PACKETTOOBIG_RAW_SZ:Icmpv6Type(1064)=136;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMPv6 packet too big packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMPv6 packet too big packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_PARAPROBLEM_SZ
|
Message text |
Icmpv6Type(1064)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_PARAPROBLEM_SZ:Icmpv6Type(1064)=135;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMPv6 parameter problem logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_PARAPROBLEM_RAW_SZ
|
Message text |
Icmpv6Type(1064)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_PARAPROBLEM_RAW_SZ:Icmpv6Type(1064)=135;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMPv6 parameter problem packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMPv6 parameter problem packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_TIMEEXCEED_SZ
|
Message text |
Icmpv6Type(1064)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_TIMEEXCEED_SZ:Icmpv6Type(1064)=134;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when ICMPv6 time exceeded logs are aggregated. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_TIMEEXCEED_RAW_SZ
|
Message text |
Icmpv6Type(1064)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_TIMEEXCEED_RAW_SZ:Icmpv6Type(1064)=134;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for ICMPv6 time exceeded packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMPv6 time exceeded packet is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_TRACEROUTE_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMPV6_TRACEROUTE_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for ICMPv6 time exceeded packets of code 0. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_TRACEROUTE_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_ICMPV6_TRACEROUTE_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435. |
|
Explanation |
If log aggregation is enabled, for ICMPv6 time exceeded packets of code 0 of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMPv6 time exceeded packet of code 0 is received. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_TYPE_SZ
|
Message text |
Icmpv6Type(1064)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_TYPE_SZ:Icmpv6Type(1064)=38;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011100935;EndTime_c(1012)=20131011101435;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for user-defined ICMPv6 packets. |
|
Recommended action |
No action is required. |
ATK_ICMPV6_TYPE _RAW_SZ
|
Message text |
Icmpv6Type(1064)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: ICMPv6 message type. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_ICMPV6_TYPE_RAW_SZ:Icmpv6Type(1064)=38;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=5600::12;DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for user-defined ICMPv6 packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a user-defined ICMPv6 packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_ACK_FLOOD_SZ
|
Message text |
SrcZoneName(1025)=[STRING];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Destination IP address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_ACK_FLOOD_SZ:SrcZoneName(1025)=Trust;DstIPAddr(1007)=6.1.1.5;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009093351. |
|
Explanation |
This message is sent when the number of IPv4 ACK packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP4_DIS_PORTSCAN_SZ
|
Message text |
SrcZoneName(1025)=[STRING];Protocol(1001)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Destination IP address. $3: Name of the receiving VPN instance. $4: Actions against the attack. $5: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_DIS_PORTSCAN_SZ:SrcZoneName(1025)=Trust;Protocol(1001)=TCP;DstIPAddr(1007)=6.1.1.5;RcvVPNInstance(1042)=vpn1;Action(1053)=logging,block-source;BeginTime_c(1011)=20131009052955. |
|
Explanation |
This message is sent when an IPv4 distributed port scan attack is detected. |
|
Recommended action |
No action is required. |
ATK_IP4_DNS_FLOOD_SZ
|
Message text |
SrcZoneName(1025)=[STRING];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Destination IP address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_DNS_FLOOD_SZ:SrcZoneName(1025)=Trust;DstIPAddr(1007)=6.1.1.5;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009093351. |
|
Explanation |
This message is sent when the number of IPv4 DNS queries sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP4_FIN_FLOOD_SZ
|
Message text |
SrcZoneName(1025)=[STRING];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Destination IP address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_FIN_FLOOD_SZ:SrcZoneName(1025)=Trust;DstIPAddr(1007)=6.1.1.5;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009093351. |
|
Explanation |
This message is sent when the number of IPv4 FIN packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP4_FRAGMENT_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_FRAGMENT_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=TCP;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 packets with an offset smaller than 5 but bigger than 0. |
|
Recommended action |
No action is required. |
ATK_IP4_FRAGMENT_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_FRAGMENT_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=TCP;Action(1053)=logging. |
|
Explanation |
This message is for the IPv4 fragment attack. The attack uses IPv4 packets with an offset smaller than 5 but bigger than 0. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_HTTP_FLOOD_SZ
|
Message text |
SrcZoneName(1025)=[STRING];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Destination IP address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_HTTP_FLOOD_SZ:SrcZoneName(1025)=Trust;DstIPAddr(1007)=6.1.1.5;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009093351. |
|
Explanation |
This message is sent when the number of IPv4 HTTP Get packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP4_IMPOSSIBLE_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_IMPOSSIBLE_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=TCP;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 packets whose source IPv4 address is the same as the destination IPv4 address. |
|
Recommended action |
No action is required. |
ATK_IP4_IMPOSSIBLE_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_IMPOSSIBLE_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=TCP;Action(1053)=logging. |
|
Explanation |
This message is for the IPv4 impossible packet attack. The attack uses IPv4 packets whose source IPv4 address is the same as the destination IPv4 address. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_IPSWEEP_SZ
|
Message text |
SrcZoneName(1025)=[STRING];Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_IPSWEEP_SZ:SrcZoneName(1025)=Trust;Protocol(1001)=TCP;SrcIPAddr(1003)=9.1.1.5;SndDSLiteTunnelPeer(1041)=--;RcvVPNInstance(1042)=vpn1;Action(1053)=logging,block-source;BeginTime_c(1011)=20131009060657. |
|
Explanation |
This message is sent when an IPv4 sweep attack is detected. |
|
Recommended action |
No action is required. |
ATK_IP4_PORTSCAN_SZ
|
Message text |
SrcZoneName(1025)=[STRING];Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];RcvVPNInstance(1042)=[STRING];DstIPAddr(1007)=[IPADDR];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Name of the receiving VPN instance. $5: Destination IP address. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_PORTSCAN_SZ:SrcZoneName(1025)=Trust;Protocol(1001)=TCP;SrcIPAddr(1003)=9.1.1.5;SndDSLiteTunnelPeer(1041)=--;RcvVPNInstance(1042)=vpn1;DstIPAddr(1007)=6.1.1.5;Action(1053)=logging,block-source;BeginTime_c(1011)=20131009052955. |
|
Explanation |
This message is sent when an IPv4 port scan attack is detected. |
|
Recommended action |
No action is required. |
ATK_IP4_RST_FLOOD_SZ
|
Message text |
SrcZoneName(1025)=[STRING];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Destination IP address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_RST_FLOOD_SZ:SrcZoneName(1025)=Trust;DstIPAddr(1007)=6.1.1.5;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009093351. |
|
Explanation |
This message is sent when the number of IPv4 RST packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP4_SYN_FLOOD_SZ
|
Message text |
SrcZoneName(1025)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Destination IP address. $3: Name of the receiving VPN instance. $4: Rate limit. $5: Actions against the attack. $6: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_SYN_FLOOD_SZ:SrcZoneName(1025)=Trust;DstIPAddr(1007)=6.1.1.5;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009093351. |
|
Explanation |
This message is sent when the number of IPv4 SYN packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP4_SYNACK_FLOOD_SZ
|
Message text |
SrcZoneName(1025)=[STRING];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Destination IP address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_SYNACK_FLOOD_SZ:SrcZoneName(1025)=Trust;DstIPAddr(1007)=6.1.1.5;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009093351. |
|
Explanation |
This message is sent when the number of IPv4 SYN-ACK packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_ALLFLAGS_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_ALLFLAGS_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 TCP packets that have all flags set. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_ALLFLAGS_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_ALLFLAGS_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv4 TCP packets that have all flags set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_FINONLY_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_FINONLY_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 TCP packets that have only the FIN flag set. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_FINONLY_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_FINONLY_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv4 TCP packets that have only the FIN flag set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_INVALIDFLAGS_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_INVALIDFLAGS_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 TCP packets that have invalid flag settings. Invalid flag settings include: · The RST and FIN flags are both set. · The RST and SYN flags are both set. · The RST, FIN, and SYN flags are all set. · The PSH, RST, and FIN flags are all set. · The PSH, RST, and SYN flags are all set. · The PSH, RST, SYN, and FIN flags are all set. · The ACK, RST, and FIN flags are all set. · The ACK, RST, and SYN flags are all set. · The ACK, RST, SYN, and FIN flags are all set. · The ACK, PSH, SYN, and FIN flags are all set. · The ACK, PSH, RST, and FIN flags are all set. · The ACK, PSH, RST, and SYN flags are all set. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_INVALIDFLAGS_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_INVALIDFLAGS_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv4 TCP packets that have invalid flag settings. Invalid flag settings include: · The RST and FIN flags are both set. · The RST and SYN flags are both set. · The RST, FIN, and SYN flags are all set. · The PSH, RST, and FIN flags are all set. · The PSH, RST, and SYN flags are all set. · The PSH, RST, SYN, and FIN flags are all set. · The ACK, RST, and FIN flags are all set. · The ACK, RST, and SYN flags are all set. · The ACK, RST, SYN, and FIN flags are all set. · The ACK, PSH, SYN, and FIN flags are all set. · The ACK, PSH, RST, and FIN flags are all set. · The ACK, PSH, RST, and SYN flags are all set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_LAND_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_LAND_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 TCP packets whose source IP address is the same as the destination IP address. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_LAND_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_LAND_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for the IPv4 land attack. The attack uses IPv4 TCP packets whose source IP address is the same as the destination IP address. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_NULLFLAG_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_NULLFLAG_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=4. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 TCP packets that have no flag set. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_NULLFLAG_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_NULLFLAG_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv4 TCP packets that have no flag set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_SYNFIN_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_SYNFIN_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 TCP packets that have SYN and FIN flags set. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_SYNFIN_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_SYNFIN_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv4 TCP packets that have SYN and FIN flags set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_WINNUKE_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_WINNUKE_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=5. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 TCP packets with destination port 139, the URG flag set, and a nonzero Urgent Pointer. |
|
Recommended action |
No action is required. |
ATK_IP4_TCP_WINNUKE_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TCP_WINNUKE_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for the IPv4 WinNuke attack. The attack uses IPv4 TCP packets with destination port 139, the URG flag set, and a nonzero Urgent Pointer. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_TEARDROP_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TEARDROP_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=TCP;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 overlapping fragments. |
|
Recommended action |
No action is required. |
ATK_IP4_TEARDROP_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TEARDROP_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=TCP;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for IPv4 overlapping fragments of the same attributes, this message is sent only when the first overlapping fragment is received. If log aggregation is disabled, this message is sent every time an IPv4 overlapping fragment is received. |
|
Recommended action |
No action is required. |
ATK_IP4_TINY_FRAGMENT_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TINY_FRAGMENT_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=TCP;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=6. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 packets with a datagram smaller than 68 bytes and the MF flag set. |
|
Recommended action |
No action is required. |
ATK_IP4_TINY_FRAGMENT_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_TINY_FRAGMENT_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=TCP;Action(1053)=logging. |
|
Explanation |
This message is for the IPv4 tiny fragment attack. The attack uses IPv4 packets with a datagram smaller than 68 bytes and the MF flag set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_UDP_BOMB_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_UDP_BOMB_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 UDP packets in which the length value in the IP header is larger than the IP header length plus the length in the UDP header. |
|
Recommended action |
No action is required. |
ATK_IP4_UDP_BOMB_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_UDP_BOMB_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv4 UDP bomb attack. The attack uses IPv4 UDP packets in which the length value in the IP header is larger than the IP header length plus the length in the UDP header. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_UDP_FLOOD_SZ
|
Message text |
SrcZoneName(1025)=[STRING];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Destination IP address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_UDP_FLOOD_SZ:SrcZoneName(1025)=Trust;DstIPAddr(1007)=6.1.1.5;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009093351. |
|
Explanation |
This message is sent when the number of IPv4 UDP packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP4_UDP_FRAGGLE_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_UDP_FRAGGLE_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=11. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 UDP packets with source port 7 and destination port 19. |
|
Recommended action |
No action is required. |
ATK_IP4_UDP_FRAGGLE_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_UDP_FRAGGLE_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv4 UDP fraggle attack. The attack uses IPv4 UDP packets with source port 7 and destination port 19. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP4_UDP_SNORK_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_UDP_SNORK_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011074913;EndTime_c(1012)=20131011075413;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv4 UDP packets with source port 7, 19, or 135, and destination port 135. |
|
Recommended action |
No action is required. |
ATK_IP4_UDP_SNORK_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP4_UDP_SNORK_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv4 UDP snork attack. The attack uses IPv4 UDP packets with source port 7, 19, or 135, and destination port 135. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_ACK_FLOOD_SZ
|
Message text |
SrcZoneName(1025)=[STRING];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Destination IPv6 address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_ACK_FLOOD_SZ:SrcZoneName(1025)=Trust;DstIPv6Addr(1037)=2::2;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009100434. |
|
Explanation |
This message is sent when the number of IPv6 ACK packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP6_DIS_PORTSCAN_SZ
|
Message text |
SrcZoneName(1025)=[STRING];Protocol(1001)=[STRING];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Destination IPv6 address. $3: Name of the receiving VPN instance. $4: Actions against the attack. $5: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_DIS_PORTSCAN_SZ:SrcZoneName(1025)=Trust;Protocol(1001)=TCP;DstIPv6Addr(1037)=2::2;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009100928. |
|
Explanation |
This message is sent when an IPv6 distributed port scan attack is detected. |
|
Recommended action |
No action is required. |
ATK_IP6_DNS_FLOOD_SZ
|
Message text |
SrcZoneName(1025)=[STRING];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Destination IPv6 address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_DNS_FLOOD_SZ:SrcZoneName(1025)=Trust;DstIPv6Addr(1037)=2::2;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009100434. |
|
Explanation |
This message is sent when the number of IPv6 DNS queries sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP6_FIN_FLOOD_SZ
|
Message text |
SrcZoneName(1025)=[STRING];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Destination IPv6 address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_FIN_FLOOD_SZ:SrcZoneName(1025)=Trust;DstIPv6Addr(1037)=2::2;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009100434. |
|
Explanation |
This message is sent when the number of IPv6 FIN packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP6_FRAGMENT_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Protocol type. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_FRAGMENT_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=1::1;RcvVPNInstance(1042)=;Protocol(1001)=IPv6-ICMP;Action(1053)=logging;BeginTime_c(1011)=20131011103335;EndTime_c(1012)=20131011103835;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 packets with an offset smaller than 5 but bigger than 0. |
|
Recommended action |
No action is required. |
ATK_IP6_FRAGMENT_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Protocol type. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_FRAGMENT_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=1::1;RcvVPNInstance(1042)=;Protocol(1001)=IPv6-ICMP;Action(1053)=logging. |
|
Explanation |
This message is for the IPv6 fragment attack. The attack uses IPv6 packets with an offset smaller than 5 but bigger than 0. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_HTTP_FLOOD_SZ
|
Message text |
SrcZoneName(1025)=[STRING];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Destination IPv6 address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_HTTP_FLOOD_SZ:SrcZoneName(1025)=Trust;DstIPv6Addr(1037)=2::2;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009100434. |
|
Explanation |
This message is sent when the number of IPv6 HTTP Get packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP6_IMPOSSIBLE_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Protocol type. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_IMPOSSIBLE_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=1::1;RcvVPNInstance(1042)=;Protocol(1001)=IPv6-ICMP;Action(1053)=logging;BeginTime_c(1011)=20131011103335;EndTime_c(1012)=20131011103835;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 packets whose source IPv6 address is the same as the destination IPv6 address. |
|
Recommended action |
No action is required. |
ATK_IP6_IMPOSSIBLE_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Protocol type. $6: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_IMPOSSIBLE_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=1::1;RcvVPNInstance(1042)=;Protocol(1001)=IPv6-ICMP;Action(1053)=logging. |
|
Explanation |
This message is for the IPv6 impossible packet attack. The attack uses IPv6 packets whose source IPv6 address is the same as the destination IPv6 address. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_IPSWEEP_SZ
|
Message text |
SrcZoneName(1025)=[STRING];Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Name of the receiving VPN instance. $4: Actions against the attack. $5: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_IPSWEEP_SZ:SrcZoneName(1025)=Trust;Protocol(1001)=TCP;SrcIPv6Addr(1036)=1::5;RcvVPNInstance(1042)=;Action(1053)=logging,block-source;BeginTime_c(1011)=20131009100639. |
|
Explanation |
This message is sent when an IPv6 sweep attack is detected. |
|
Recommended action |
No action is required. |
ATK_IP6_PORTSCAN_SZ
|
Message text |
SrcZoneName(1025)=[STRING];Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[IPADDR];RcvVPNInstance(1042)=[STRING];DstIPv6Addr(1037)=[IPADDR];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Name of the receiving VPN instance. $4: Destination IPv6 address. $5: Actions against the attack. $6: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_PORTSCAN_SZ:SrcZoneName(1025)=Trust;Protocol(1001)=TCP;SrcIPv6Addr(1036)=1::5;RcvVPNInstance(1042)=;DstIPv6Addr(1037)=2::2;Action(1053)=logging,block-source;BeginTime_c(1011)=20131009100455. |
|
Explanation |
This message is sent when an IPv6 port scan attack is detected. |
|
Recommended action |
No action is required. |
ATK_IP6_RST_FLOOD_SZ
|
Message text |
SrcZoneName(1025)=[STRING];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Destination IPv6 address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_RST_FLOOD_SZ:SrcZoneName(1025)=Trust;DstIPv6Addr(1037)=2::2;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009100434. |
|
Explanation |
This message is sent when the number of IPv6 RST packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP6_SYN_FLOOD_SZ
|
Message text |
SrcZoneName(1025)=[STRING];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Destination IPv6 address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_SYN_FLOOD_SZ:SrcZoneName(1025)=Trust;DstIPv6Addr(1037)=2::2;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009100434. |
|
Explanation |
This message is sent when the number of IPv6 SYN packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP6_SYNACK_FLOOD_SZ
|
Message text |
SrcZoneName(1025)=[STRING];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Destination IPv6 address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_SYNACK_FLOOD_SZ:SrcZoneName(1025)=Trust;DstIPv6Addr(1037)=2::2;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009100434. |
|
Explanation |
This message is sent when the number of IPv6 SYN-ACK packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_ALLFLAGS_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_ALLFLAGS_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009103631;EndTime_c(1012)=20131009104131;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 TCP packets that have all flags set. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_ALLFLAGS_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_ALLFLAGS_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=2000::1;DstIPv6Addr(1037)=2003::200;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv6 TCP packets that have all flags set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_FINONLY_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_FINONLY_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009103631;EndTime_c(1012)=20131009104131;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 TCP packets that have only the FIN flag set. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_FINONLY_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_FINONLY_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=2000::1;DstIPv6Addr(1037)=2003::200;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv6 TCP packets that have only the FIN flag set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_INVALIDFLAGS_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_INVALIDFLAGS_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009103631;EndTime_c(1012)=20131009104131;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 TCP packets that have invalid flag settings. Invalid flag settings include: · The RST and FIN flags are both set. · The RST and SYN flags are both set. · The RST, FIN, and SYN flags are all set. · The PSH, RST, and FIN flags are all set. · The PSH, RST, and SYN flags are all set. · The PSH, RST, SYN, and FIN flags are all set. · The ACK, RST, and FIN flags are all set. · The ACK, RST, and SYN flags are all set. · The ACK, RST, SYN, and FIN flags are all set. · The ACK, PSH, SYN, and FIN flags are all set. · The ACK, PSH, RST, and FIN flags are all set. · The ACK, PSH, RST, and SYN flags are all set. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_INVALIDFLAGS_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_INVALIDFLAGS_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=2000::1;DstIPv6Addr(1037)=2003::200;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv6 TCP packets that have invalid flag settings. Invalid flag settings include: · The RST and FIN flags are both set. · The RST and SYN flags are both set. · The RST, FIN, and SYN flags are all set. · The PSH, RST, and FIN flags are all set. · The PSH, RST, and SYN flags are all set. · The PSH, RST, SYN, and FIN flags are all set. · The ACK, RST, and FIN flags are all set. · The ACK, RST, and SYN flags are all set. · The ACK, RST, SYN, and FIN flags are all set. · The ACK, PSH, SYN, and FIN flags are all set. · The ACK, PSH, RST, and FIN flags are all set. · The ACK, PSH, RST, and SYN flags are all set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_LAND_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_LAND_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009103631;EndTime_c(1012)=20131009104131;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 TCP packets whose source IPv6 address is the same as the destination IPv6 address. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_LAND_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_LAND_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=2000::1;DstIPv6Addr(1037)=2003::200;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for the IPv6 land attack. The attack uses IPv6 TCP packets whose source IPv6 address is the same as the destination IPv6 address. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_NULLFLAG_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_NULLFLAG_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009103631;EndTime_c(1012)=20131009104131;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 TCP packets that have no flag set. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_NULLFLAG_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_NULLFLAG_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=2000::1;DstIPv6Addr(1037)=2003::200;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv6 TCP packets that have no flag set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_SYNFIN_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_SYNFIN_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009103631;EndTime_c(1012)=20131009104131;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 TCP packets that have SYN and FIN flags set. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_SYNFIN_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_SYNFIN_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=2000::1;DstIPv6Addr(1037)=2003::200;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv6 TCP packets that have SYN and FIN flags set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_WINNUKE_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_WINNUKE_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009103631;EndTime_c(1012)=20131009104131;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 TCP packets with destination port 139, the URG flag set, and a nonzero Urgent Pointer. |
|
Recommended action |
No action is required. |
ATK_IP6_TCP_WINNUKE_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_TCP_WINNUKE_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for the IPv6 WinNuke attack. The attack uses IPv6 TCP packets with destination port 139, the URG flag set, and a nonzero Urgent Pointer. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_UDP_FLOOD_SZ
|
Message text |
SrcZoneName(1025)=[STRING];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];UpperLimit(1049)=[UINT32];Action(1053)=[STRING];BeginTime_c(1011)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Destination IPv6 address. $3: Destination port number. $4: Name of the receiving VPN instance. $5: Rate limit. $6: Actions against the attack. $7: Start time of the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_UDP_FLOOD_SZ:SrcZoneName(1025)=Trust;DstIPv6Addr(1037)=2::2;DstPort(1008)=22;RcvVPNInstance(1042)=;UpperLimit(1049)=10;Action(1053)=logging;BeginTime_c(1011)=20131009100434. |
|
Explanation |
This message is sent when the number of IPv6 UDP packets sent to a destination per second exceeds the rate limit. |
|
Recommended action |
No action is required. |
ATK_IP6_UDP_FRAGGLE_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_UDP_FRAGGLE_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009103631;EndTime_c(1012)=20131009104131;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 UDP packets with source port 7 and destination port 19. |
|
Recommended action |
No action is required. |
ATK_IP6_UDP_FRAGGLE_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_UDP_FRAGGLE_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv6 UDP fraggle attack. The attack uses IPv6 UDP packets with source port 7 and destination port 19. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP6_UDP_SNORK_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_UDP_SNORK_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009103631;EndTime_c(1012)=20131009104131;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 UDP packets with source port 7, 19, or 135, and destination port 135. |
|
Recommended action |
No action is required. |
ATK_IP6_UDP_SNORK_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IP6_UDP_SNORK_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
This message is for IPv6 UDP snork attack. The attack uses IPv6 UDP packets with source port 7, 19, or 135, and port 135. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
|
Recommended action |
No action is required. |
ATK_IP_OPTION_SZ
|
Message text |
IPOptValue(1061)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: IP option value. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IP_OPTION_SZ:IPOptValue(1061)=38;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging;BeginTime_c(1011)=20131011063123;EndTime_c(1012)=20131011063623;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for packets with a user-defined IP option. |
|
Recommended action |
No action is required. |
ATK_IP_OPTION_RAW_SZ
|
Message text |
IPOptValue(1061)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: IP option value. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IP_OPTION_RAW_SZ:IPOptValue(1061)=38;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for packets with a user-defined IP option and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with a user-defined IP option is received. |
|
Recommended action |
No action is required. |
ATK_IPOPT_ABNORMAL_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IPOPT_ABNORMAL_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging;BeginTime_c(1011)=20131011072002;EndTime_c(1012)=20131011072502;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for packets with more than two IP options. |
|
Recommended action |
No action is required. |
ATK_IPOPT_ABNORMAL_RAW_SZ
|
Message text |
SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: Source security zone name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. |
|
Severity level |
3 |
|
Example |
ATK/3/ATK_IPOPT_ABNORMAL_RAW_SZ:SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging. |
|
Explanation |
This message is for packets that each has more than two IP options. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with more than two IP options is received. |
|
Recommended action |
No action is required. |
ATK_IPOPT_LOOSESRCROUTE_SZ
|
Message text |
IPOptValue(1061)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)= [UINT32]. |
|
Variable fields |
$1: IP option value. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_LOOSESRCROUTE_SZ:IPOptValue(1061)=131;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging;BeginTime_c(1011)=20131011063123;EndTime_c(1012)=20131011063623;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for packets with IP option 131. |
|
Recommended action |
No action is required. |
ATK_IPOPT_LOOSESRCROUTE_RAW_SZ
|
Message text |
IPOptValue(1061)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: IP option value. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_LOOSESRCROUTE_RAW_SZ:IPOptValue(1061)=131;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for packets with IP option 131 and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with IP option 131 is received. |
|
Recommended action |
No action is required. |
ATK_IPOPT_RECORDROUTE_SZ
|
Message text |
IPOptValue(1061)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: IP option value. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_RECORDROUTE_SZ:IPOptValue(1061)=7;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging;BeginTime_c(1011)=20131011063123;EndTime_c(1012)=20131011063623;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for packets with IP option 7. |
|
Recommended action |
No action is required. |
ATK_IPOPT_RECORDROUTE_RAW_SZ
|
Message text |
IPOptValue(1061)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: IP option value. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_RECORDROUTE_RAW_SZ:IPOptValue(1061)=7;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for packets with IP option 7 and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with IP option 7 is received. |
|
Recommended action |
No action is required. |
ATK_IPOPT_ROUTEALERT_SZ
|
Message text |
IPOptValue(1061)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: IP option value. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_ROUTEALERT_SZ:IPOptValue(1061)=148;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging;BeginTime_c(1011)=20131011063123;EndTime_c(1012)=20131011063623;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for packets with IP option 148. |
|
Recommended action |
No action is required. |
ATK_IPOPT_ROUTEALERT_RAW_SZ
|
Message text |
IPOptValue(1061)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: IP option value. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_ROUTEALERT_RAW_SZ:IPOptValue(1061)=148;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for packets with IP option 148 and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with IP option 148 is received. |
|
Recommended action |
No action is required. |
ATK_IPOPT_SECURITY_SZ
|
Message text |
IPOptValue(1061)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: IP option value. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_SECURITY_SZ:IPOptValue(1061)=130;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging;BeginTime_c(1011)=20131009091022;EndTime_c(1012)=20131009091522;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for packets with IP option 130. |
|
Recommended action |
No action is required. |
ATK_IPOPT_SECURITY_RAW_SZ
|
Message text |
IPOptValue(1061)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: IP option value. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_SECURITY_RAW_SZ:IPOptValue(1061)=130;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for packets with IP option 130 and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with IP option 130 is received. |
|
Recommended action |
No action is required. |
ATK_IPOPT_STREAMID_SZ
|
Message text |
IPOptValue(1061)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: IP option value. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_STREAMID_SZ:IPOptValue(1061)=136;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging;BeginTime_c(1011)=20131011063123;EndTime_c(1012)=20131011063623;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for packets with IP option 136. |
|
Recommended action |
No action is required. |
ATK_IPOPT_STREAMID_RAW_SZ
|
Message text |
IPOptValue(1061)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: IP option value. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_STREAMID_RAW_SZ:IPOptValue(1061)=136;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for packets with IP option 136 and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with IP option 136 is received. |
|
Recommended action |
No action is required. |
ATK_IPOPT_STRICTSRCROUTE_SZ
|
Message text |
IPOptValue(1061)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: IP option value. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_STRICTSRCROUTE_SZ:IPOptValue(1061)=137;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging;BeginTime_c(1011)=20131011063123;EndTime_c(1012)=20131011063623;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for packets with IP option 137. |
|
Recommended action |
No action is required. |
ATK_IPOPT_STRICTSRCROUTE_RAW_SZ
|
Message text |
IPOptValue(1061)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: IP option value. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_STRICTSRCROUTE_RAW_SZ:IPOptValue(1061)=137;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for packets with IP option 137 and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with IP option 137 is received. |
|
Recommended action |
No action is required. |
ATK_IPOPT_TIMESTAMP_SZ
|
Message text |
IPOptValue(1061)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: IP option value. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_TIMESTAMP_SZ:IPOptValue(1061)=68;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging;BeginTime_c(1011)=20131011063123;EndTime_c(1012)=20131011063623;AtkTimes(1054)=3. |
|
Explanation |
This message is sent when logs are aggregated for packets with IP option 68. |
|
Recommended action |
No action is required. |
ATK_IPOPT_TIMESTAMP_RAW_SZ
|
Message text |
IPOptValue(1061)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Protocol(1001)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: IP option value. $2: Source security zone name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPOPT_TIMESTAMP_RAW_SZ:IPOptValue(1061)=68;SrcZoneName(1025)=Trust;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Protocol(1001)=RAWIP;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for packets with IP option 68 and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with IP option 68 is received. |
|
Recommended action |
No action is required. |
ATK_IPV6_EXT_HEADER_SZ
|
Message text |
IPv6ExtHeader(1066)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
|
Variable fields |
$1: IPv6 extension header value. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPV6_EXT_HEADER_SZ:IPv6ExtHeader(1060)=43;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131009103631;EndTime_c(1012)=20131009104131;AtkTimes(1054)=2. |
|
Explanation |
This message is sent when logs are aggregated for IPv6 packets with a user-defined extension header. |
|
Recommended action |
No action is required. |
ATK_IPV6_EXT_HEADER_RAW_SZ
|
Message text |
IPv6ExtHeader(1066)=[UINT32];SrcZoneName(1025)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING]. |
|
Variable fields |
$1: IPv6 extension header value. $2: Source security zone name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
|
Severity level |
5 |
|
Example |
ATK/5/ATK_IPV6_EXT_HEADER_RAW_SZ:IPv6ExtHeader(1060)=43;SrcZoneName(1025)=Trust;SrcIPv6Addr(1036)=1::1;DstIPv6Addr(1037)=2::11;RcvVPNInstance(1042)=;Action(1053)=logging. |
|
Explanation |
If log aggregation is enabled, for IPv6 packets with a user-defined extension header and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an IPv6 packet with a user-defined extension header is received. |
|
Recommended action |
No action is required. |
AVC messages
This section contains bandwidth management messages.
AVC_MATCH_IPV4_LOG
|
Message text |
Application(1002)=[STRING];UserName(1113)=[STRING];SrcIPAddr(1003)=[IPADDR];SrcPort(1004)=[USHORT];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[USHORT];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];PolicyName(1079)=[STRING];VistTime(1114)=[STRING];Action(1053)= [STRING]; |
|
Variable fields |
$1: Application name. $2: User name. $3: Source IPv4 address. $4: Source port number. $5: Destination IPv4 address. $6: Destination port number. $7: Source security zone. $8: Destination security zone. $9: Policy name. $10: Hit time. $11: Rule action. |
|
Severity level |
6 |
|
Example |
AVC/6/AVC_MATCH_IPV4_LOG:Application(1002)=App;UserName(1113)=User1;SrcIPAddr(1003)=12.2.2.2;SrcPort(1004)=5141;DstIPAddr(1007)=13.1.1.14;DstPort(1008)=5784;SrcZoneName(1025)=whx;DstZoneName(1035)=hea;PolicyName(1079)=aaa;VistTime(1114)=Wed, 22 May 2019 16:43:47;Action(1053)=drop; |
|
Explanation |
This message is generated and sent to the log host as a fast output log when a packet matches a traffic rule. |
|
Recommended action |
None. |
AVC_MATCH_IPV6_LOG
|
Message text |
Application(1002)=[STRING];UserName(1113)=[STRING];SrcIPv6Addr(1036)=[IPADDR];SrcPort(1004)=[USHORT];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[USHORT];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];PolicyName(1079)=[STRING];VistTime(1114)=[STRING];Action(1053)= [STRING]; |
|
Variable fields |
$1: Application name. $2: User name. $3: Source IPv6 address. $4: Source port number. $5: Destination IPv6 address. $6: Destination port number. $7: Source security zone. $8: Destination security zone. $9: Policy name. $10: Hit time. $11: Rule action. |
|
Severity level |
6 |
|
Example |
AVC/6/AVC_MATCH_IPV6_LOG:Application(1002)=App;UserName(1113)=User1;SrcIPv6Addr(1036)=12::2;SrcPort(1004)=5141;DstIPv6Addr(1037)=13::4;DstPort(1008)=5784; SrcZoneName(1025)=whx;DstZoneName(1035)=hea;PolicyName(1079)=aaa;VistTime(1114)= Wed, 22 May 2019 16:52:08; Action(1053)=drop; |
|
Explanation |
This message is generated and sent to the log host as a fast output log when a packet matches a traffic rule. |
|
Recommended action |
None. |
AVC_THRESHOLDWARNING_FASTLOGGING_FMT
|
Message text |
SrcIPAddr(1003)=[IPADDR];PolicyName(1079)=[STRING];ProfileName(1158)=[STRING];DeviceInfo(1159)=[STRING];BandwidthUpperLimit(1160)=[UINT32];BandwidthLowerLimit(1161)=[UINT32];UpperWarningValue(1162)=[UINT32];LowerWarningValue(1163)=[UINT32];CurRateValue(1164)=[UINT32];WarningTime(1165)=[STRING];WarningDuration(1166)=[UINT32]; |
|
Variable fields |
$1: Source IPv4 address. $2: Traffic policy name. $3: Traffic profile name. $4: Device information. $5: Maximum bandwidth threshold in kbps. $6: Minimum bandwidth threshold in kbps. $7: Actual rate in kbps that exceeds the maximum bandwidth threshold. $8: Actual rate in kbps that falls below the minimum bandwidth threshold. $9: Current traffic rate in kbps. $10: Warning time when the device detected a threshold violation. $11: Warning duration. (length of time the threshold violation lasted). |
|
Severity level |
6 |
|
Example |
AVC/6/AVC_THRESHOLDWARNING_FASTLOGGING_FMT:SrcIPAddr(1003)=192.168.1.8;PolicyName(1079)=a;ProfileName(1158)=p;DeviceInfo(1159)=YuShi;BandwidthUpperLimit(1160)=8366;BandwidthLowerLimit(1161)=2091;UpperWarningValue(1162)=6;LowerWarningValue(1163)=6;CurRateValue(1164)=6;WarningTime(1165)=Fri, 8 Oct 2019 17:38:32;WarningDuration(1166)=7; |
|
Explanation |
This message is generated and sent to the log host as a fast output log if a threshold violation occurs one minute or more after the previous threshold violation. |
|
Recommended action |
None. |
AVC_THRESHOLDWARNING_FASTLOGGING_IPV6FMT
|
Message text |
SrcIPv6Addr(1036)=[IPADDR];PolicyName(1079)=[STRING];ProfileName(1158)=[STRING];DeviceInfo(1159)=[STRING];BandwidthUpperLimit(1160)=[UINT32];BandwidthLowerLimit(1161)=[UINT32];UpperWarningValue(1162)=[UINT32];LowerWarningValue(1163)=[UINT32];CurRateValue(1164)=[UINT32];WarningTime(1165)=[STRING];WarningDuration(1166)=[UINT32]; |
|
Variable fields |
$1: Source IPv6 address. $2: Traffic policy name. $3: Traffic profile name. $4: Device information. $5: Maximum bandwidth threshold in kbps. $6: Minimum bandwidth threshold in kbps. $7: Actual rate in kbps that exceeds the maximum bandwidth threshold. $8: Actual rate in kbps that falls below the minimum bandwidth threshold. $9: Current traffic rate in kbps. $10: Warning time (time when the device detected a threshold violation). $11: Warning duration (length of time the threshold violation lasted). |
|
Severity level |
6 |
|
Example |
AVC/6/AVC_THRESHOLDWARNING_FASTLOGGING_IPV6FMT:SrcIPv6Addr(1036)=2001::1;PolicyName(1079)=a;ProfileName(1158)=p;DeviceInfo(1159)=YuShi;BandwidthUpperLimit(1160)=8366;BandwidthLowerLimit(1161)=2091;UpperWarningValue(1162)=6;LowerWarningValue(1163)=6;CurRateValue(1164)=6;WarningTime(1165)=Fri, 8 Oct 2019 17:38:32;WarningDuration(1166)=7; |
|
Explanation |
This message is generated and sent to the log host as a fast output log if a threshold violation occurs more than one minute after the previous threshold violation occurred. |
|
Recommended action |
None. |
CFGLOG messages
This section contains configuration log messages.
CFGLOG_CFGOPERATE
|
Message text |
-Client=[STRING]-User=[STRING]-IPAddr=[STRING]-Role=[STRING];Config in [STRING] changed: -Old setting=[STRING]; -New setting=[STRING]; |
|
Variable fields |
$1: Configuration method. The supported configuration methods include CLI, NETCONF, SNMP, CWMP, and Web. $2: Name of the user that changed the configuration. This field displays two asterisks (**) if the user does not use scheme authentication, which requires a username for login. $3: IP address of the user that changed the configuration. This field displays two asterisks (**) if the user logged in to the device through the console port. $4: User role of the user that changed the configuration. $5: Configuration change location. $6: Old setting. $7: New setting. If one operation causes multiple settings to change, the $5, $6, and $7 fields might be displayed one time for each setting change. |
|
Severity level |
6 |
|
Example |
CFGLOG/6/CFGLOG_CFGOPERATE: -Client=CLI-User=**-IPAddr=**-Role=network-admin; Config in system changed: -Old setting=sysname Device -New setting=sysname Test. |
|
Explanation |
A user changed the configuration on the device. |
|
Recommended action |
No action is required. |
CFGMAN messages
This section contains configuration management messages.
CFGMAN_CFGCHANGED
|
Message text |
-EventIndex=[INT32]-CommandSource=[INT32]-ConfigSource=[INT32]-ConfigDestination=[INT32]; Configuration changed. |
|
Variable fields |
$1: Event index in the range of 1 to 2147483647. $2: Configuration change source: ¡ cli—The configuration change came from the CLI. ¡ snmp—The configuration change came from SNMP or was a configuration database change detected by SNMP. ¡ other—The configuration change came from other sources. $3: Source configuration: ¡ erase—Deleting or renaming a configuration file. ¡ running—Saving the running configuration. ¡ commandSource—Copying a configuration file. ¡ startup—Saving the running configuration to the next-startup configuration file. ¡ local—Saving the running configuration to a local file. ¡ networkFtp—Using FTP to transfer and save a configuration file to the device as the running configuration or next-startup configuration file. ¡ hotPlugging—A card hot swapping caused the configuration to be deleted or become ineffective. $4: Destination configuration: ¡ erase—Deleting or renaming a configuration file. ¡ running—Saving the running configuration. ¡ commandSource—Copying a configuration file. ¡ startup—Saving the running configuration to the next-startup configuration file. ¡ local—Saving the running configuration to a local file. ¡ networkFtp—Using FTP to transfer and save a configuration file to the device as the running configuration or next-startup configuration file. ¡ hotPlugging—A card hot swapping caused the configuration to be deleted or become ineffective. |
|
Severity level |
5 |
|
Example |
CFGMAN/5/CFGMAN_CFGCHANGED: -EventIndex=[6]-CommandSource=[snmp]-ConfigSource=[startup]-ConfigDestination=[running]; Configuration changed. |
|
Explanation |
The running configuration changed in the past 10 minutes. |
|
Recommended action |
No action is required. |
CFGMAN_OPTCOMPLETION
|
Message text |
-OperateType=[INT32]-OperateTime=[INT32]-OperateState=[INT32]-OperateEndTime=[INT32]; Operation completed. |
|
Variable fields |
$1: Operation type: ¡ running2startup—Saves the running configuration to the next-startup configuration file. ¡ startup2running—Loads the configuration in the next-startup configuration file. ¡ running2net—Saves the running configuration to a host on the network. ¡ net2running—Transfers a configuration file from a host on the network and loads the configuration. ¡ net2startup—Transfers a configuration file from a host on the network and specifies the file as the next-startup configuration file. ¡ startup2net—Copies the next-startup configuration file to a host on the network. $2: Operation start time. $3: Operation status: ¡ InProcess—Operation is in progress. ¡ success—Operation succeeded. ¡ InvalidOperation—Invalid operation. ¡ InvalidProtocol—Invalid protocol. ¡ InvalidSource—Invalid source file name. ¡ InvalidDestination—Invalid destination file name. ¡ InvalidServer—Invalid server address. ¡ DeviceBusy—The device is busy. ¡ InvalidDevice—Invalid device address. ¡ DeviceError—An error occurred on the device. ¡ DeviceNotWritable—The storage medium on the device is write protected. ¡ DeviceFull—The device does not have enough free storage space for the file. ¡ FileOpenError—Failed to open the file. ¡ FileTransferError—Failed to transfer the file. ¡ ChecksumError—File checksum error. ¡ LowMemory—The memory space is not sufficient. ¡ AuthFailed—User authentication failed. ¡ TransferTimeout—Transfer timed out. ¡ UnknownError—An unknown error occurred. ¡ invalidConfig—Invalid configuration. $4: Operation end time. |
|
Severity level |
5 |
|
Example |
CFGMAN/5/CFGMAN_OPTCOMPLETION: -OperateType=[running2startup]-OperateTime=[248]-OperateState=[success]-OperateEndTime=[959983]; Operation completed. |
|
Explanation |
The device is performing or has completed an operation. |
|
Recommended action |
If the operation is not successful, locate and resolve the problem. |
CONNLMT messages
This section contains connection limit messages.
CONNLMT_IPV4_OVERLOAD
|
Message text |
RcvIfName(1023)=[STRING];Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPADDR];DstIPAddr(1007)=[IPADDR];ServicePort(1071)=[UINT16];RcvVPNInstance(1042)=[STRING];SndVPNInstance(1043)=[STRING];SndDSLiteTunnelPeer(1041)=[STRING];UpperLimit(1049)=[UINT32];LimitRuleNum(1051)=[UINT16];Event(1048)=[STRING]; |
|
Variable fields |
$1: Global, or interface name. $2: Transport layer protocol type. $3: Source IP address. $4: Destination IP address. $5: Service port number. $6: Source VPN instance name. $7: Destination VPN instance name. $8: Peer tunnel ID. $9: Upper threshold. $10: Rule ID. $11: Event message. |
|
Severity level |
6 |
|
Example |
CONNLMT/6/CONNLMT_IPV4_OVERLOAD: RcvIfName(1023)=Global;Protocol(1001)=;SrcIPAddr(1003)=10.10.10.1;DstIPAddr(1007)=;ServicePort(1071)=;RcvVPNInstance(1042)=;SndVPNInstance(1043)=;SndDSLiteTunnelPeer(1041)=;UpperLimit(1049)=1000;LimitRuleNum(1051)=1;Event(1048)=Exceeded upper threshold; |
|
Explanation |
The number of concurrent connections exceeded the upper threshold. |
|
Recommended action |
No action is required. |
CONNLMT_IPV4_RECOVER
|
Message text |
RcvIfName(1023)=[STRING];Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPADDR];DstIPAddr(1007)=[IPADDR];ServicePort(1071)=[UINT16];RcvVPNInstance(1042)=[STRING];SndVPNInstance(1043)=[STRING];SndDSLiteTunnelPeer(1041)=[STRING];DropPktCount(1052)=[UINT32];LowerLimit(1050)=[UINT32];LimitRuleNum(1051)=[UINT16];Event(1048)=[STRING]; |
|
Variable fields |
$1: Global, or interface name. $2: Transport layer protocol type. $3: Source IP address. $4: Destination IP address. $5: Service port number. $6: Source VPN instance name. $7: Destination VPN instance name. $8: Peer tunnel ID. $9: Number of dropped packets. $10: Lower threshold. $11: Rule ID. $12: Event message. |
|
Severity level |
6 |
|
Example |
CONNLMT/6/CONNLMT_IPV4_RECOVER: RcvIfName(1023)=Global;Protocol(1001)=;SrcIPAddr(1003)=10.10.10.1;DstIPAddr(1007)=;ServicePort(1071)=;RcvVPNInstance(1042)=;SndVPNInstance(1043)=;SndDSLiteTunnelPeer(1041)=;DropPktCount(1052)=306004;LowerLimit(1050)=10;LimitRuleNum(1051)=1;Event(1048)=Dropped below lower threshold; |
|
Explanation |
The number of concurrent connections dropped below the lower threshold from the upper threshold. |
|
Recommended action |
No action is required. |
CONNLMT_IPV6_OVERLOAD
|
Message text |
RcvIfName(1023)=[STRING];Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];ServicePort(1071)=[UINT16];RcvVPNInstance(1042)=[STRING];SndVPNInstance(1043)=[STRING];SndDSLiteTunnelPeer(1041)=[STRING];UpperLimit(1049)=[UINT32];LimitRuleNum(1051)=[UINT16];Event(1048)=[STRING]; |
|
Variable fields |
$1: Global, or interface name. $2: Transport layer protocol type. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Service port number. $6: Source VPN instance name. $7: Destination VPN instance name. $8: Peer tunnel ID. $9: Upper threshold. $10: Rule ID. $11: Event message. |
|
Severity level |
6 |
|
Example |
CONNLMT/6/CONNLMT_IPV6_OVERLOAD: RcvIfName(1023)=Global;Protocol(1001)=;SrcIPv6Addr(1036)=2001::1;DstIPv6Addr(1037)=;ServicePort(1071)=;RcvVPNInstance(1042)=;SndVPNInstance(1043)=;SndDSLiteTunnelPeer(1041)=;UpperLimit(1049)=1000;LimitRuleNum(1051)=1;Event(1048)=Exceeded upper threshold; |
|
Explanation |
The number of concurrent connections exceeded the upper threshold. |
|
Recommended action |
No action is required. |
CONNLMT_IPV6_RECOVER
|
Message text |
RcvIfName(1023)=[STRING];Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];ServicePort(1071)=[UINT16];RcvVPNInstance(1042)=[STRING];SndVPNInstance(1043)=[STRING];SndDSLiteTunnelPeer(1041)=[STRING];DropPktCount(1052)=[UINT32];LowerLimit(1050)=[UINT32];LimitRuleNum(1051)=[UINT16];Event(1048)=[STRING]; |
|
Variable fields |
$1: Global, or interface name. $2: Transport layer protocol type. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Service port number. $6: Source VPN instance name. $7: Destination VPN instance name. $8: Peer tunnel ID. $9: Number of dropped packets. $10: Lower threshold. $11: Rule ID. $12: Event message. |
|
Severity level |
6 |
|
Example |
CONNLMT/6/CONNLMT_IPV6_RECOVER: RcvIfName(1023)=Global;Protocol(1001)=;SrcIPAddr(1003)=2001::1;DstIPAddr(1007)=;ServicePort(1071)=;RcvVPNInstance(1042)=;SndVPNInstance(1043)=;SndDSLiteTunnelPeer(1041)=;DropPktCount(1052)=306004;LowerLimit(1050)=10;LimitRuleNum(1051)=1;Event(1048)=Dropped below lower threshold; |
|
Explanation |
The number of concurrent connections dropped below the lower threshold from the upper threshold. |
|
Recommended action |
No action is required. |
CONNLMT_IPV4_RATELIMIT
|
Message text |
RcvIfName(1023)=[STRING];Protocol(1001)=[STRING];SrcIPAddr(1036)=[IPADDR];DstIPAddr(1037)=[IPADDR];ServicePort(1071)=[UINT16];RcvVPNInstance(1042)=[STRING];SndVPNInstance(1043)=[STRING];SndDSLiteTunnelPeer(1041)=[STRING];LimitRate(1073)=[UINT32];LimitRuleNum(1051)=[UINT16];Event(1048)=[STRING]; |
|
Variable fields |
$1: Global, or interface name. $2: Transport layer protocol type. $3: Source IPv4 address. $4: Destination IPv4 address. $5: Service port number. $6: Source VPN instance name. $7: Destination VPN instance name. $8: Peer tunnel ID. $9: Upper rate limit. $10: Rule ID. $11: Event message. |
|
Severity level |
6 |
|
Example |
CONNLMT/6/CONNLMT_IPV4_RATELIMIT: -MDC=1; RcvIfName(1023)=M-GigabitEthernet0/0/0;Protocol(1001)=;SrcIPAddr(1003)=;DstIPAddr(1007)=;ServicePort(1071)=; RcvVPNInstance(1042)=;SndVPNInstance(1043)=;SndDSLiteTunnelPeer(1041)=;LimitRate(1073)=10;LimitRuleNum(1051)=1;Event(1048)=Exceeded rate limit; |
|
Explanation |
Connections are established at a rate higher than the rate limit. The message is output only at the first time if the event takes place consecutively. |
|
Recommended action |
No action is required. |
CONNLMT_IPV6_RATELIMIT
|
Message text |
RcvIfName(1023)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];ServicePort(1071)=[UINT16];RcvVPNInstance(1042)=[STRING];SndVPNInstance(1043)=[STRING];SndDSLiteTunnelPeer(1041)=[STRING];LimitRate(1073)=[UINT32];LimitRuleNum(1051)=[UINT16];Event(1048)=[STRING]; |
|
Variable fields |
$1: Global, or interface name. $2: Transport layer protocol type. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Service port number. $6: Source VPN instance name. $7: Destination VPN instance name. $8: Peer tunnel ID. $9: Upper rate limit. $10: Rule ID. $11: Event message. |
|
Severity level |
6 |
|
Example |
CONNLMT/6/CONNLMT_IPV6_RATELIMIT: -MDC=1; RcvIfName(1023)=M-GigabitEthernet0/0/0;Protocol(1001)=;SrcIPAddr(1003)=;DstIPAddr(1007)=;ServicePort(1071)=; RcvVPNInstance(1042)=;SndVPNInstance(1043)=;SndDSLiteTunnelPeer(1041)=;LimitRate(1073)=10;LimitRuleNum(1051)=1;Event(1048)=Exceeded rate limit; |
|
Explanation |
Connections are established at a rate higher than the rate limit. The message is output only at the first time if the event takes place consecutively. |
|
Recommended action |
No action is required. |
DEV messages
This section contains device management messages.
BOARD_REBOOT
|
Message text |
Board is rebooting on chassis [INT32] slot [INT32]. |
|
Variable fields |
$1: Chassis ID. $2: Slot ID. |
|
Severity level |
5 |
|
Example |
DEV/5/BOARD_REBOOT: Board is rebooting on chassis 1 slot 5. |
|
Explanation |
A card was manually or automatically rebooted. |
|
Recommended action |
If an unexpected automatic reboot occurred, perform the following tasks: 32. Execute the display version command after the card starts up. 33. Check the Last reboot reason field for the reboot reason. 34. If an exception caused the reboot, contact HP Support. |
BOARD_REMOVED
|
Message text |
Board was removed from chassis [INT32] slot [INT32], type is [STRING]. |
|
Variable fields |
$1: Chassis ID. $2: Slot ID. $3: Card type. |
|
Severity level |
3 |
|
Example |
DEV/3/BOARD_REMOVED: Board was removed from chassis 1 slot 5, type is LSQ1FV48SA. |
|
Explanation |
An LPU or a standby MPU was removed from a member device, causing the device to leave the IRF fabric. |
|
Recommended action |
If the LPU or MPU was not manually removed, perform the following tasks: 35. Verify that the card is securely seated. 36. Replace the card if the message persists. 37. Reboot the device to make it join the IRF fabric. 38. If the problem persists, contact HP Support. |
BOARD_STATE_NORMAL
|
Message text |
Board state changed to Normal on [STRING], type is [STRING]. |
|
Variable fields |
$1: Slot ID in the slot xx format. (Distributed devices in standalone mode.) $1: Member ID in the slot xx format. (Centralized IRF devices.) $1: Slot ID and chassis ID in the chassis xx slot xx format. (Distributed devices in IRF mode.) $2: Card type. |
|
Severity level |
5 |
|
Example |
DEV/5/BOARD_STATE_NORMAL: Board state changed to Normal on slot 1, type is LSQ1FV48SA. (Distributed devices in standalone mode.) (Centralized IRF devices.) DEV/5/BOARD_STATE_NORMAL: Board state changed to Normal on chassis 1 slot 5, type is LSQ1FV48SA. (Distributed devices in IRF mode.) |
|
Explanation |
A newly installed LPU or standby MPU completed initialization (on a single-CPU card) or the main CPU completed initialization (on a multi-CPU card). |
|
Recommended action |
No action is required. |
BOARD_STATE_FAULT
|
Message text |
Board state changed to Fault on chassis [INT32] slot [INT32], type is [STRING]. |
|
Variable fields |
$1: Chassis ID. $2: Slot ID. $3: Card type. |
|
Severity level |
2 |
|
Example |
DEV/2/BOARD_STATE_FAULT: Board state changed to Fault on chassis 1 slot 5, type is LSQ1FV48SA. |
|
Explanation |
The card was starting up (initializing or loading software) or was not operating correctly. |
|
Recommended action |
· If the card was newly installed, wait for the card to start up. The required startup time varies by card model and software version and is typically less than 10 minutes. · If the card was not newly installed, contact HP Support. |
CFCARD_INSERTED
|
Message text |
CF card was inserted in chassis [INT32] slot [INT32] CF card slot [INT32]. |
|
Variable fields |
$1: Chassis ID. $2: Slot ID. $3: Flash slot ID. |
|
Severity level |
4 |
|
Example |
DEV/4/CFCARD_INSERTED: CF card was inserted in chassis 1 slot 5 CF card slot 1. |
|
Explanation |
A CF card was installed. |
|
Recommended action |
No action is required. |
CFCARD_REMOVED
|
Message text |
CF card was removed from chassis [INT32] slot [INT32] CF card slot [INT32]. |
|
Variable fields |
$1: Chassis ID. $2: Slot ID. $3: CF card slot ID. |
|
Severity level |
3 |
|
Example |
DEV/3/CFCARD_REMOVED: CF card was removed from chassis 1 slot 5 CF card slot 1. |
|
Explanation |
A CF card was removed. |
|
Recommended action |
If the CF card was not manually removed, perform the following tasks: 39. Verify that the card is securely seated. 40. Replace the card if the message persists. 41. If the problem persists, contact HP Support. |
CHASSIS_REBOOT
|
Message text |
Chassis [INT32] is rebooting now. |
|
Variable fields |
$1: Chassis ID. |
|
Severity level |
5 |
|
Example |
DEV/5/CHASSIS_REBOOT: Chassis 1 is rebooting now. |
|
Explanation |
The chassis was manually or automatically rebooted. |
|
Recommended action |
If an unexpected automatic reboot occurs, perform the following tasks: 42. Execute the display version command after the chassis starts up. 43. Check the Last reboot reason field for the reboot reason. 44. If an exception caused the reboot, contact HP Support. |
DEV_CLOCK_CHANGE
|
Message text |
-User=[STRING]-IPAddr=[IPADDR]; System clock changed from [STRING] to [STRING]. |
|
Variable fields |
$1: Username of the login user. $2: IP address of the login user. $3: Old time. $4: New time. |
|
Severity level |
5 |
|
Example |
DEV/5/DEV_CLOCK_CHANGE: -User=admin-IPAddr=192.168.1.2; System clock changed from 15:49:52 01/02/2013 to 15:50:00 01/02/2013. |
|
Explanation |
The system time changed. |
|
Recommended action |
No action is required. |
DEV_FAULT_TOOLONG
|
Message text |
Card in [STRING] is still in Fault state for [UINT32] minutes. |
|
Variable fields |
$1: Slot ID in the slot xx format. (Distributed devices in standalone mode.) $1: Member ID in the slot xx format. (Centralized IRF devices.) $1: Slot ID and chassis ID in the chassis xx slot xx format. (Distributed devices in IRF mode.) $2: Time duration during which the card stayed in Fault state. |
|
Severity level |
4 |
|
Example |
DEV/4/DEV_FAULT_TOOLONG: Card in slot 2 is still in Fault state for 60 minutes. (Distributed devices in standalone mode.) (Centralized IRF devices.) |
|
Explanation |
A card stayed in Fault state for a long period of time. |
|
Recommended action |
45. Reboot the card. 46. If the problem persists, contact HP Support. |
FAN_ABSENT
|
Message text |
Chassis [INT32] fan [INT32] is absent. |
|
Variable fields |
$1: Chassis ID. $2: Fan tray ID. |
|
Severity level |
3 |
|
Example |
DEV/3/FAN_ABSENT: Chassis 1 fan 2 is absent. |
|
Explanation |
A fan tray was not in place. |
|
Recommended action |
47. Check the fan tray slot: ¡ If the fan tray slot is empty, the temperature might have increased and the system recommends that you install a fan tray. ¡ If a fan tray is present, verify that the fan tray is securely seated. 48. Replace the fan tray if the message persists. 49. If the problem persists, contact HP Support. |
FAN_ABSENT
|
Message text |
Fan [INT32] is absent. |
|
Variable fields |
$1: Fan tray ID. |
|
Severity level |
3 |
|
Example |
DEV/3/FAN_ABSENT: Fan 2 is absent. |
|
Explanation |
A fan tray was not in place. |
|
Recommended action |
50. Check the fan tray slot: ¡ If the fan tray slot is empty, the temperature might have increased and the system recommends that you install a fan tray. ¡ If a fan tray is present, verify that the fan tray is securely seated. 51. Replace the fan tray if the message persists. 52. If the problem persists, contact HP Support. |
FAN_DIRECTION_NOT_PREFERRED
|
Message text |
Fan [INT32] airflow direction is not preferred on slot [INT32], please check it. |
|
Variable fields |
$1: Fan tray ID. $2: Slot ID. |
|
Severity level |
1 |
|
Example |
DEV/1/FAN_DIRECTION_NOT_PREFERRED: Fan 1 airflow direction is not preferred on slot 3, please check it. |
|
Explanation |
The airflow direction of the fan tray is different from the airflow direction setting. |
|
Recommended action |
53. Verify that the airflow direction setting is correct. 54. Verify that the fan tray model provides the same airflow direction as the configured setting. 55. If the problem persists, contact HP Support. |
FAN_FAILED
|
Message text |
Chassis [INT32] fan [INT32] failed. |
|
Variable fields |
$1: Chassis ID. $2: Fan tray ID. |
|
Severity level |
2 |
|
Example |
DEV/2/FAN_FAILED: Chassis 1 fan 2 failed. |
|
Explanation |
The fan tray stopped because of an exception. |
|
Recommended action |
Replace the fan tray. |
FAN_FAILED
|
Message text |
Fan [INT32] failed. |
|
Variable fields |
$1: Fan tray ID. |
|
Severity level |
2 |
|
Example |
DEV/2/FAN_FAILED: Fan 2 failed. |
|
Explanation |
The fan tray stopped because of an exception. |
|
Recommended action |
Replace the fan tray. |
FAN_RECOVERED
|
Message text |
Chassis [INT32] fan [INT32] recovered. |
|
Variable fields |
$1: Chassis ID. $2: Fan tray ID. |
|
Severity level |
5 |
|
Example |
DEV/5/FAN_RECOVERED: Chassis 1 fan 2 recovered. |
|
Explanation |
The fan tray started to operate correctly after it was installed. |
|
Recommended action |
No action is required. |
FAN_RECOVERED
|
Message text |
Fan [INT32] recovered. |
|
Variable fields |
$1: Fan tray ID. |
|
Severity level |
5 |
|
Example |
DEV/5/FAN_RECOVERED: Fan 2 recovered. |
|
Explanation |
The fan tray started to operate correctly after it was installed. |
|
Recommended action |
No action is required. |
MAD_ DETECT
|
Message text |
Multi-active devices detected, please fix it. |
|
Variable fields |
N/A |
|
Severity level |
1 |
|
Example |
DEV/1/MAD_DETECT: Multi-active devices detected, please fix it. |
|
Explanation |
Multiple member devices were found active. |
|
Recommended action |
56. Use the display irf command to view which member devices have left the original IRF fabric. 57. Use the display irf link command to locate the IRF link with problems. 58. Fix the IRF link in DOWN state. |
POWER_ABSENT
|
Message text |
Power [INT32] is absent. |
|
Variable fields |
$1: Power supply ID. |
|
Severity level |
3 |
|
Example |
DEV/3/POWER_ABSENT: Power 1 is absent. |
|
Explanation |
A power supply was removed. |
|
Recommended action |
59. Check the power supply slot. ¡ If the power supply slot is empty, install a power supply. ¡ If a power supply is present, verify that the power supply is securely seated. 60. If the problem persists, replace the power supply. 61. If the problem persists, contact HP Support. |
POWER_ABSENT
|
Message text |
Chassis [INT32] power [INT32] is absent. |
|
Variable fields |
$1: Chassis ID. $2: Power supply ID. |
|
Severity level |
3 |
|
Example |
DEV/3/POWER_ABSENT: Chassis 1 power 1 is absent. |
|
Explanation |
A power supply was removed. |
|
Recommended action |
62. Check the power supply slot. ¡ If the power supply slot is empty, install a power supply. ¡ If a power supply is present, verify that the power supply is securely seated. 63. If the problem persists, replace the power supply. 64. If the problem persists, contact HP Support. |
POWER_FAILED
|
Message text |
Power [INT32] failed. |
|
Variable fields |
$1: Power supply ID. |
|
Severity level |
2 |
|
Example |
DEV/2/POWER_FAILED: Power 1 failed. |
|
Explanation |
A power supply failed. |
|
Recommended action |
Replace the power supply. |
POWER_FAILED
|
Message text |
Chassis [INT32] power [INT32] failed. |
|
Variable fields |
$1: Chassis ID. $2: Power supply ID. |
|
Severity level |
2 |
|
Example |
DEV/2/POWER_FAILED: Chassis 1 power 1 failed. |
|
Explanation |
A power supply failed. |
|
Recommended action |
Replace the power supply. |
POWER_MONITOR_ABSENT
|
Message text |
Power monitor unit [INT32] is absent. |
|
Variable fields |
$1: Power monitoring module ID. |
|
Severity level |
3 |
|
Example |
DEV/3/POWER_MONITOR_ABSENT: Power monitor unit 1 is absent. |
|
Explanation |
A power monitoring module was removed. |
|
Recommended action |
65. Check the power monitoring module slot. ¡ If the power monitoring module slot is empty, install a power monitoring module. ¡ If a power monitoring module is present, verify that the power monitoring module is securely seated. 66. If the problem persists, replace the power monitoring module. 67. If the problem persists, contact HP Support. |
POWER_MONITOR_ABSENT
|
Message text |
Chassis [INT32] power monitor unit [INT32] is absent. |
|
Variable fields |
$1: Chassis ID. $2: Power monitoring module ID. |
|
Severity level |
3 |
|
Example |
DEV/3/POWER_MONITOR_ABSENT: Chassis 2 power monitor unit 1 is absent. |
|
Explanation |
A power monitoring module was removed. |
|
Recommended action |
68. Check the power monitoring module slot. ¡ If the power monitoring module slot is empty, install a power monitoring module. ¡ If a power monitoring module is present, verify that the power monitoring module is securely seated. 69. If the problem persists, replace the power monitoring module. 70. If the problem persists, contact HP Support. |
POWER_MONITOR_FAILED
|
Message text |
Power monitor unit [INT32] failed. |
|
Variable fields |
$1: Power monitoring module ID. |
|
Severity level |
2 |
|
Example |
DEV/2/POWER_MONITOR_FAILED: Power monitor unit 1 failed. |
|
Explanation |
A power monitoring module failed. |
|
Recommended action |
Replace the power monitoring module. |
POWER_MONITOR_FAILED
|
Message text |
Chassis [INT32] power monitor unit [INT32] failed. |
|
Variable fields |
$1: Chassis ID. $2: Power monitoring module ID. |
|
Severity level |
2 |
|
Example |
DEV/2/POWER_MONITOR_FAILED: Chassis 2 power monitor unit 1 failed. |
|
Explanation |
A power monitoring module failed. |
|
Recommended action |
Replace the power monitoring module. |
POWER_MONITOR_RECOVERED
|
Message text |
Power monitor unit [INT32] recovered. |
|
Variable fields |
$1: Power monitoring module ID. |
|
Severity level |
5 |
|
Example |
DEV/5/POWER_MONITOR_RECOVERED: Power monitor unit 1 recovered. |
|
Explanation |
The power monitoring module started to operate correctly after it was installed. |
|
Recommended action |
No action is required. |
POWER_MONITOR_RECOVERED
|
Message text |
Chassis [INT32] power monitor unit [INT32] recovered. |
|
Variable fields |
$1: Chassis ID. $2: Power monitoring module ID. |
|
Severity level |
5 |
|
Example |
DEV/5/POWER_MONITOR_RECOVERED: Chassis 2 power monitor unit 1 recovered. |
|
Explanation |
The power monitoring module started to operate correctly after it was installed. |
|
Recommended action |
No action is required. |
POWER_RECOVERED
|
Message text |
Power [INT32] recovered. |
|
Variable fields |
$1: Power supply ID. |
|
Severity level |
5 |
|
Example |
DEV/5/POWER_RECOVERED: Power 1 recovered. |
|
Explanation |
The power supply started to operate correctly after it was installed. |
|
Recommended action |
No action is required. |
POWER_RECOVERED
|
Message text |
Chassis [INT32] power [INT32] recovered. |
|
Variable fields |
$1: Chassis ID. $2: Power supply ID. |
|
Severity level |
5 |
|
Example |
DEV/5/POWER_RECOVERED: Chassis 1 power 1 recovered. |
|
Explanation |
The power supply started to operate correctly after it was installed. |
|
Recommended action |
No action is required. |
RPS_ABSENT
|
Message text |
RPS [INT32] is absent. |
|
Variable fields |
$1: RPS ID. |
|
Severity level |
3 |
|
Example |
DEV/3/RPS_ABSENT: RPS 1 is absent. |
|
Explanation |
An RPS was removed. |
|
Recommended action |
71. Check the RPS slot. ¡ If the RPS slot is empty, install an RPS. ¡ If an RPS is present, verify that the RPS is securely seated. 72. If the problem persists, replace the RPS. 73. If the problem persists, contact HP Support. |
RPS_ABSENT
|
Message text |
Chassis [INT32] RPS [INT32] is absent. |
|
Variable fields |
$1: Chassis ID. $2: RPS ID. |
|
Severity level |
3 |
|
Example |
DEV/3/RPS_ABSENT: Chassis 1 RPS 1 is absent. |
|
Explanation |
An RPS was removed. |
|
Recommended action |
74. Check the RPS slot. ¡ If the RPS slot is empty, install an RPS. ¡ If an RPS is present, verify that the RPS is securely seated. 75. If the problem persists, replace the RPS. 76. If the problem persists, contact HP Support. |
RPS_NORMAL
|
Message text |
RPS [INT32] is normal. |
|
Variable fields |
$1: RPS ID. |
|
Severity level |
5 |
|
Example |
DEV/5/RPS_NORMAL: RPS 1 is normal. |
|
Explanation |
The RPS started to operate correctly after it was installed. |
|
Recommended action |
No action is required. |
RPS_NORMAL
|
Message text |
Chassis [INT32] RPS [INT32] is normal. |
|
Variable fields |
$1: Chassis ID. $2: RPS ID. |
|
Severity level |
5 |
|
Example |
DEV/5/RPS_NORMAL: Chassis 1 RPS 1 is normal. |
|
Explanation |
The RPS started to operate correctly after it was installed. |
|
Recommended action |
No action is required. |
SUBCARD_FAULT
|
Message text |
Subcard state changed to Fault on chassis [INT32] slot [INT32] subslot [INT32], type is [STRING]. |
|
Variable fields |
$1: Chassis ID. $2: Slot ID. $3: Subslot ID. $4: Subcard type. |
|
Severity level |
2 |
|
Example |
DEV/2/SUBCARD_FAULT: Subcard state changed to Fault on chassis 1 slot 5 subslot 1, type is MIM-1ATM-OC3SML. |
|
Explanation |
The subcard failed, or its status changed to Fault after it was rebooted. |
|
Recommended action |
Track the status of the subcard. · If the status of the subcard changes to Normal later, no action is required. · If the status is always Fault, replace the subcard. |
SUBCARD_INSERTED
|
Message text |
Subcard was inserted in chassis [INT32] slot [INT32] subslot [INT32], type is [STRING]. |
|
Variable fields |
$1: Chassis ID. $2: Slot ID. $3: Subslot ID. $4: Subcard type. |
|
Severity level |
4 |
|
Example |
DEV/4/SUBCARD_INSERTED: Subcard was inserted in chassis 1 slot 5 subslot 1, type is MIM-1ATM-OC3SML. |
|
Explanation |
A subcard was installed. |
|
Recommended action |
No action is required. |
SUBCARD_REBOOT
|
Message text |
Subcard is rebooting on chassis [INT32] slot [INT32] subslot [INT32]. |
|
Variable fields |
$1: Chassis ID. $2: Slot ID. $3: Subslot ID. |
|
Severity level |
5 |
|
Example |
DEV/5/SUBCARD_REBOOT: Subcard is rebooting on chassis 1 slot 5 subslot 1. |
|
Explanation |
The subcard was manually or automatically rebooted. |
|
Recommended action |
· If the subcard operates correctly after it starts up, no action is required. · If you want to know the reboot reason or the subcard keeps rebooting, contact HP Support. |
SUBCARD_REMOVED
|
Message text |
Subcard was removed from chassis [INT32] slot [INT32] subslot [INT32], type is [STRING]. |
|
Variable fields |
$1: Chassis ID. $2: Slot ID. $3: Subslot ID. $4: Subcard type. |
|
Severity level |
3 |
|
Example |
DEV/3/SUBCARD_REMOVED: Subcard was removed from chassis 1 slot 5 subslot 1, type is MIM-1ATM-OC3SML. |
|
Explanation |
A subcard was removed. |
|
Recommended action |
If the subcard was not manually removed, perform the following tasks: 77. Verify that the subcard is securely seated. 78. Replace the subcard if the message persists. 79. If the problem persists, contact HP Support. |
SYSTEM_REBOOT
|
Message text |
System is rebooting now. |
|
Variable fields |
N/A |
|
Severity level |
5 |
|
Example |
DEV/5/SYSTEM_REBOOT: System is rebooting now. |
|
Explanation |
The system was manually or automatically rebooted. |
|
Recommended action |
If an unexpected automatic reboot occurred, perform the following tasks: 80. Execute the display version command after the system starts up. 81. Check the Last reboot reason field for the reboot reason. 82. If an exception caused the reboot, contact HP Support. |
TEMPERATURE_ALARM
|
Message text |
Temperature is greater than the high-temperature alarming threshold on chassis [INT32] slot [INT32] sensor [STRING] [INT32]. Current temperature is [INT32] degrees centigrade. |
|
Variable fields |
$1: Chassis ID. $2: Slot ID. $3: Sensor type. $4: Sensor ID. $5: Current temperature. |
|
Severity level |
4 |
|
Example |
DEV/4/TEMPERATURE_ALARM: Temperature is greater than the high-temperature alarming threshold on chassis 1 slot 5 sensor inflow 1. Current temperature is 80 degrees centigrade |
|
Explanation |
A sensor's temperature exceeded the high-temperature alarming threshold. The ambient temperature was too high or the fan tray was not operating correctly. |
|
Recommended action |
83. Verify that the ambient temperature is normal and the ventilation system is operating correctly. 84. Use the display fan command to verify that the fan trays are in position and operating correctly. If a fan tray is missing, install the fan tray. If a fan tray does not operate correctly, replace it. |
TEMPERATURE_LOW
|
Message text |
Temperature is less than the low-temperature threshold on chassis [INT32] slot [INT32] sensor [STRING] [INT32]. Current temperature is [INT32] degrees centigrade. |
|
Variable fields |
$1: Chassis ID. $2: Slot ID. $3: Sensor type. $4: Sensor ID. $5: Current temperature. |
|
Severity level |
4 |
|
Example |
DEV/4/TEMPERATURE_LOW: Temperature is less than the low-temperature threshold on chassis 1 slot 5 sensor inflow 1. Current temperature is -10 degrees centigrade. |
|
Explanation |
A sensor's temperature fell below the low-temperature threshold. |
|
Recommended action |
Adjust the ambient temperature higher. |
TEMPERATURE_NORMAL
|
Message text |
Temperature changed to normal on chassis [INT32] slot [INT32] sensor [STRING] [INT32]. |
|
Variable fields |
$1: Chassis ID. $2: Slot ID. $3: Sensor type. $4: Sensor ID. |
|
Severity level |
5 |
|
Example |
DEV/5/TEMPERATURE_NORMAL: Temperature changed to normal on chassis 1 slot 5 sensor inflow 1. |
|
Explanation |
A sensor's temperature was normal (between the low-temperature threshold and the high-temperature warning threshold). |
|
Recommended action |
No action is required. |
TEMPERATURE_SHUTDOWN
|
Message text |
Temperature is greater than the high-temperature shutdown threshold on chassis [INT32] slot [INT32] sensor [STRING] [INT32]. The slot will be powered off automatically. Current temperature is [INT32] degrees centigrade. |
|
Variable fields |
$1: Chassis ID. $2: Slot ID. $3: Sensor type. $4: Sensor ID. $5: Current temperature. |
|
Severity level |
2 |
|
Example |
DEV/2/TEMPERATURE_SHUTDOWN: Temperature is greater than the high-temperature shutdown threshold on chassis 1 slot 5 sensor inflow 1. The slot will be powered off automatically. Current temperature is 60 degrees centigrade. |
|
Explanation |
A sensor's temperature exceeded the high-temperature shutdown threshold. The ambient temperature was too high or the fan tray was not operating correctly. |
|
Recommended action |
85. Verify that the ambient temperature is normal and the ventilation system is operating correctly. 86. Use the display fan command to verify that the fan trays are in position and operating correctly. If a fan tray is missing, install the fan tray. If a fan tray does not operate correctly, replace it. |
TEMPERATURE_WARNING
|
Message text |
Temperature is greater than the high-temperature warning threshold on chassis [INT32] slot [INT32] sensor [STRING] [INT32]. Current temperature is [INT32] degrees centigrade. |
|
Variable fields |
$1: Chassis ID. $2: Slot ID. $3: Sensor type. $4: Sensor ID. $5: Current temperature. |
|
Severity level |
4 |
|
Example |
DEV/4/TEMPERATURE_WARNING: Temperature is greater than the high-temperature warning threshold on chassis 1 slot 2 sensor inflow 1. Current temperature is 50 degrees centigrade. |
|
Explanation |
A sensor's temperature exceeded the high-temperature warning threshold. The ambient temperature was too high or the fan tray was not operating correctly. |
|
Recommended action |
87. Verify that the ambient temperature is normal and the ventilation system is operating correctly. 88. Use the display fan command to verify that the fan trays are in position and operating correctly. If a fan tray is missing, install the fan tray. If a fan tray does not operate correctly, replace it. |
VCHK_VERSION_INCOMPATIBLE
|
Message text |
Software version of [STRING] is incompatible with that of the MPU. |
|
Variable fields |
$1: Slot ID in the slot xx format. (Distributed devices in standalone mode.) $1: Member ID in the slot xx format. (Centralized IRF devices.) $1: Slot ID and chassis ID in the chassis xx slot xx format. (Distributed devices in IRF mode.) |
|
Severity level |
1 |
|
Example |
|
|
Explanation |
A PEX that was starting up detected that its software version is incompatible with the parent device's software version. |
|
Recommended action |
Specify a set of startup software images for the PEX. Make sure the images are compatible with the parent device's software images. |
DHCP
This section contains DHCP messages.
DHCP_NOTSUPPORTED
|
Message text |
Failed to apply filtering rules for DHCP packets because some rules are not supported. |
|
Variable fields |
N/A |
|
Severity level |
3 |
|
Example |
DHCP/3/DHCP_NOTSUPPORTED: Failed to apply filtering rules for DHCP packets because some rules are not supported. |
|
Explanation |
The system failed to apply filtering rules for DHCP packets because some rules are not supported on the device. |
|
Recommended action |
No action is required. |
DHCP_NORESOURCES
|
Message text |
Failed to apply filtering rules for DHCP packets because hardware resources are insufficient. |
|
Variable fields |
N/A |
|
Severity level |
3 |
|
Example |
DHCP/3/DHCP_NORESOURCES: Failed to apply filtering rules for DHCP packets because hardware resources are insufficient. |
|
Explanation |
The system failed to apply filtering rules for DHCP packets because the hardware resources are insufficient. |
|
Recommended action |
Release hardware resources and then apply the rules again. |
DHCPS messages
This section contains DHCP server messages.
DHCPS_ALLOCATE_IP
|
Message text |
DHCP server received a DHCP client's request packet on interface [STRING], and allocated an IP address [IPADDR](lease [UINT32] seconds) for the DHCP client(MAC [MAC]) from [STRING] pool. |
|
Variable fields |
$1: Name of the interface on which DHCP server is configured. $2: IPv4 address assigned to the DHCP client. $3: Lease duration of the assigned IPv4 address. $4: MAC address of the DHCP client. $5: Name of the address pool to which the assigned IPv4 address belongs. |
|
Severity level |
5 |
|
Example |
DHCPS/5/DHCPS_ALLOCATE_IP: DHCP server received a DHCP client’s request packet on interface Ethernet0/2, and allocated an IP address 1.0.0.91(lease 86400 seconds) for the DHCP client(MAC 0000-0000-905a) from p1 pool. |
|
Explanation |
The DHCP server assigned an IPv4 address with a lease to a DHCP client. |
|
Recommended action |
No action is required. |
DHCPS_CONFLICT_IP
|
Message text |
A conflict IP [IPADDR] from [STRING] pool was detected by DHCP server on interface [STRING]. |
|
Variable fields |
$1: IPv4 address that is in conflict. $2: Name of the address pool to which the conflicting IPv4 address belongs. $3: Name of the interface on which DHCP server is configured. |
|
Severity level |
5 |
|
Example |
DHCPS/5/DHCPS_CONFLICT_IP: A conflict IP 100.1.1.1 from p1 pool was detected by DHCP server on interface Ethernet0/2. |
|
Explanation |
The DHCP server deleted a conflicting IPv4 address from an address pool. |
|
Recommended action |
No action is required. |
DHCPS_EXTEND_IP
|
Message text |
DHCP server received a DHCP client's request packet on interface [STRING], and extended lease from [STRING] pool for the DHCP client (IP [IPADDR], MAC [MAC]). |
|
Variable fields |
$1: Name of the interface on which DHCP server is configured. $2: Name of the address pool to which the client's IPv4 address belongs. $3: IPv4 address of the DHCP client. $4: MAC address of the DHCP client. |
|
Severity level |
5 |
|
Example |
DHCPS/5/DHCPS_EXTEND_IP: DHCP server received a DHCP client’s request packet on interface Ethernet0/2, and extended lease from p1 pool for the DHCP client (IP 1.0.0.91, MAC 0000-0000-905a). |
|
Explanation |
The DHCP server extended the lease for a DHCP client. |
|
Recommended action |
No action is required. |
DHCPS_FILE
|
Message text |
Failed to save DHCP client information due to lack of storage resources. |
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
DHCPS/4/DHCPS_FILE: Failed to save DHCP client information due to lack of storage resources. |
|
Explanation |
The DHCP server failed to back up DHCP bindings to the backup file due to lack of storage resources. |
|
Recommended action |
Delete unnecessary files to release resources. |
DHCPS_RECLAIM_IP
|
Message text |
DHCP server reclaimed a [STRING] pool’s lease(IP [IPADDR], lease [UINT32] seconds), which is allocated for the DHCP client (MAC [MAC]). |
|
Variable fields |
$1: Name of the address pool to which the assigned IPv4 address belongs. $2: IPv4 address assigned to the DHCP client. $3: Lease duration of the assigned IPv4 address. $4: MAC address of the DHCP client. |
|
Severity level |
5 |
|
Example |
DHCPS/5/DHCPS_RECLAIM_IP: DHCP server reclaimed a p1 pool’s lease(IP 1.0.0.91, lease 86400 seconds), which is allocated for the DHCP client (MAC 0000-0000-905a). |
|
Explanation |
The DHCP server reclaimed the IPv4 address assigned to a DHCP client. |
|
Recommended action |
No action is required. |
DHCPS_VERIFY_CLASS
|
Message text |
Illegal DHCP client-PacketType=[STRING]-ClientAddress=[MAC]; |
|
Variable fields |
$1: Type of the packet. $2: Hardware address of the DHCP client. |
|
Severity level |
5 |
|
Example |
|
|
Explanation |
The DHCP server verified that the DHCP client was not on the user class whitelist. |
|
Recommended action |
Check the validity of the DHCP client. |
DHCPS6 messages
This section contains DHCPv6 server messages.
DHCPS6_ALLOCATE_ADDRESS
|
Message text |
DHCPv6 server received a DHCPv6 client’s request packet on interface [STRING], and allocated an IPv6 address [IPADDR] (lease [UINT32] seconds) for the DHCP client(DUID [HEX], IAID [HEX]) from [STRING] pool. |
|
Variable fields |
$1: Name of the interface on which DHCPv6 server is configured. $2: IPv6 address assigned to the DHCPv6 client. $3: Lease duration of the assigned IPv6 address. $4: DUID of the DHCPv6 client. $5: IAID of the DHCPv6 client. $6: Name of the address pool to which the assigned IPv6 address belongs. |
|
Severity level |
5 |
|
Example |
DHCPS6/5/DHCPS6_ALLOCATE_ADDRESS: DHCPv6 server received a DHCPv6 client’s request packet on interface Ethernet0/2, and allocated an IPv6 address 2000::3(lease 60 seconds) for the DHCP client(DUID 0001000118137c37b4b52facab5a, IAID 10b4b52f) from p1 pool. |
|
Explanation |
The DHCPv6 server assigned an IPv6 address with a lease to a DHCPv6 client. |
|
Recommended action |
No action is required. |
DHCPS6_ALLOCATE_PREFIX
|
Message text |
DHCPv6 server received a DHCPv6 client’s request packet on interface [STRING], and allocated an IPv6 prefix [IPADDR] (lease [UINT32] seconds) for the DHCP client(DUID [HEX], IAID [HEX]) from [STRING] pool. |
|
Variable fields |
$1: Name of the interface on which DHCPv6 server is configured. $2: IPv6 prefix assigned to the DHCPv6 client. $3: Lease duration of the assigned IPv6 prefix. $4: DUID of the DHCPv6 client. $5: IAID of the DHCPv6 client. $6: Name of the address pool to which the assigned IPv6 prefix belongs. |
|
Severity level |
5 |
|
Example |
DHCPS6/5/DHCPS6_ALLOCATE_PREFIX: DHCPv6 server received a DHCPv6 client’s request packet on interface Ethernet0/2, and allocated an IPv6 prefix 2000::(lease 60 seconds) for the DHCP client(DUID 0001000118137c37b4b52facab5a, IAID 10b4b52f) from p1 pool. |
|
Explanation |
The DHCPv6 server assigned an IPv6 prefix with a lease to a DHCPv6 client. |
|
Recommended action |
No action is required. |
DHCPS6_CONFLICT_ADDRESS
|
A conflict IPv6 address [IPADDR] from [STRING] pool was detected by DHCPv6 server on interface [STRING]. |
|
|
Variable fields |
$1: IPv6 address that is in conflict. $2: Name of the address pool to which the conflicting IPv6 address belongs. $3: Name of the interface on which DHCPv6 server is configured. |
|
Severity level |
5 |
|
Example |
DHCPS6/5/DHCPS6_CONFLICT_ADDRESS: A conflict IPv6 address 33::1 from p1 pool was detected by DHCPv6 server on interface Ethernet0/2. |
|
Explanation |
The DHCPv6 server deleted a conflicting IPv6 address from an address pool. |
|
Recommended action |
No action is required. |
DHCPS6_EXTEND_ADDRESS
|
Message text |
DHCPv6 server received a DHCP client’s request packet on interface [STRING], and extended lease from [STRING] pool for the DHCP client (IPv6 address [IPADDR], DUID [HEX], IAID [HEX]). |
|
Variable fields |
$1: Name of the interface on which DHCPv6 server is configured. $2: Name of the address pool to which the client's IPv6 address belongs. $3: IPv6 address of the DHCPv6 client. $4: DUID of the DHCPv6 client. $5: IAID of the DHCPv6 client. |
|
Severity level |
5 |
|
Example |
DHCPS6/5/DHCPS6_EXTEND_ADDRESS: DHCPv6 server received a DHCP client’s request packet on interface Ethernet0/2, and extended lease from p1 pool for the DHCP client (IPv6 address 2000::3, DUID 0001000118137c37b4b52facab5a, IAID 10b4b52f). |
|
Explanation |
The DHCPv6 server extended the address lease for a DHCPv6 client. |
|
Recommended action |
No action is required. |
DHCPS6_EXTEND_PREFIX
|
Message text |
DHCPv6 server received a DHCP client’s request packet on interface [STRING], and extended lease from [STRING] pool for the DHCP client (IPv6 prefix [IPADDR], DUID [HEX], IAID [HEX]). |
|
Variable fields |
$1: Name of the interface on which DHCPv6 server is configured. $2: Name of the address pool to which the client's IPv6 prefix belongs. $3: IPv6 prefix of the DHCPv6 client. $4: DUID of the DHCPv6 client. $5: IAID of the DHCPv6 client. |
|
Severity level |
5 |
|
Example |
DHCPS6/5/DHCPS6_EXTEND_PREFIX: DHCPv6 server received a DHCP client’s request packet on interface Ethernet0/2, and extended lease from p1 pool for the DHCP client (IPv6 prefix 2000::, DUID 0001000118137c37b4b52facab5a, IAID 10b4b52f). |
|
Explanation |
The DHCPv6 server extended the prefix lease for a DHCPv6 client. |
|
Recommended action |
No action is required. |
DHCPS6_FILE
|
Message text |
Failed to save DHCP client information due to lack of storage resources. |
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
DHCPS6/4/DHCPS6_FILE: Failed to save DHCP client information due to lack of storage resources. |
|
Explanation |
The DHCPv6 server failed to back up DHCPv6 bindings to the backup file due to lack of storage resources. |
|
Recommended action |
Delete unnecessary files to release resources. |
DHCPS6_RECLAIM_ADDRESS
|
Message text |
DHCPv6 server reclaimed a [STRING] pool's lease(IPv6 address [IPADDR], lease [UINT32] seconds), which is allocated for the DHCPv6 client (DUID [HEX], IAID [HEX]). |
|
Variable fields |
$1: Name of the address pool to which the assigned IPv6 address belongs. $2: IPv6 address assigned to the DHCPv6 client. $3: Lease duration of the assigned IPv6 address. $4: DUID of the DHCPv6 client. $5: IAID of the DHCPv6 client. |
|
Severity level |
5 |
|
Example |
DHCPS6/5/DHCPS6_RECLAIM_ADDRESS: DHCPv6 server reclaimed a p1 pool’s lease(IPv6 address 2000::3, lease 60 seconds), which is allocated for the DHCPv6 client (DUID 0001000118137c37b4b52facab5a, IAID 10b4b52f). |
|
Explanation |
The DHCPv6 server reclaimed the IPv6 address assigned to a DHCPv6 client. |
|
Recommended action |
No action is required. |
DHCPS6_RECLAIM_PREFIX
|
Message text |
DHCPv6 server reclaimed a [STRING] pool’s lease(IPv6 prefix [IPADDR], lease [INTEGER] seconds), which is allocated for the DHCPv6 client (DUID [HEX], IAID [HEX]). |
|
Variable fields |
$1: Name of the address pool to which the assigned IPv6 prefix belongs. $2: IPv6 prefix assigned to the DHCPv6 client. $3: Lease duration of the assigned IPv6 prefix. $4: DUID of the DHCPv6 client. $5: IAID of the DHCPv6 client. |
|
Severity level |
5 |
|
Example |
DHCPS6/5/DHCPS6_RECLAIM_PREFIX: DHCPv6 server reclaimed a p1 pool’s lease(IPv6 prefix 2000::, lease 60 seconds), which is allocated for the DHCPv6 client (DUID 0001000118137c37b4b52facab5a, IAID 10b4b52f). |
|
Explanation |
The DHCPv6 server reclaimed the IPv6 prefix assigned to a DHCPv6 client. |
|
Recommended action |
No action is required. |
DHCPSP4
This section contains DHCP snooping messages.
DHCPSP4_FILE
|
Message text |
Failed to save DHCP client information due to lack of storage resources. |
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
DHCPSP4/4/DHCPSP4_FILE: Failed to save DHCP client information due to lack of storage resources. |
|
Explanation |
The DHCP snooping device failed to back up DHCP snooping entries to the backup file due to lack of storage resources. |
|
Recommended action |
Delete unnecessary files to release resources. |
DHCPSP6
This section contains DHCPv6 snooping messages.
DHCPSP6_FILE
|
Message text |
Failed to save DHCP client information due to lack of storage resources. |
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
DHCPSP6/4/DHCPSP6_FILE: Failed to save DHCP client information due to lack of storage resources. |
|
Explanation |
The DHCPv6 snooping device failed to back up DHCPv6 snooping entries to the backup file due to lack of storage resources. |
|
Recommended action |
Delete unnecessary files to release resources. |
DIAG messages
This section contains diagnostic messages.
CORE_EXCEED_THRESHOLD
|
Message text |
Usage threshold [STRING] exceeded on [STRING]. |
|
Variable fields |
$1: Number of the CPU and number of the CPU core. $2: Usage threshold in percentage. |
|
Severity level |
1 |
|
Example |
DIAG/1/CORE_EXCEED_THRESHOLD: Usage threshold CPU 0 core 2 exceeded on 80%. |
|
Explanation |
The system samples CPU core usage at an interval of 1 minute and generates this message if the sample is greater than the CPU core usage threshold. |
|
Recommended action |
If this message appears frequently, perform the tasks: 89. Execute the display cpu-usage configuration command to display the CPU core usage threshold settings. 90. Use the monitor cpu-usage threshold command to adjust the CPU core usage threshold settings as required. |
CPU_USAGE_LASTMINUTE
|
Message text |
CPU usage was [STRING] in last minute. |
|
Variable fields |
$1: CPU usage in percentage. |
|
Severity level |
5 |
|
Example |
DIAG/5/CPU_USAGE_LASTMINUTE: CPU usage was 10% in last minute. |
|
Explanation |
Average CPU usage in last minute. |
|
Recommended action |
No action is required. |
DIAG_STORAGE_BELOW_THRESHOLD
|
Message text |
The usage of [STRING] ([UINT32]%) has dropped below the threshold of [UINT32]%. |
|
Variable fields |
$1: Name of the storage medium, for example, flash. $2: Usage of the storage medium. $3: Usage threshold of the storage medium. |
|
Severity level |
1 |
|
Example |
DIAG/1/DIAG_STORAGE_BELOW_THRESHOLD: The usage of flash (90%) has dropped below the threshold of 95%. |
|
Explanation |
The usage of the storage medium was below or equal to the threshold. |
|
Recommended action |
No action is required. |
DIAG_STORAGE_EXCEED_THRESHOLD
|
Message text |
The usage of [STRING] ([UINT32]%) exceeded the threshold of [UINT32]%. |
|
Variable fields |
$1: Name of the storage medium, for example, flash. $2: Usage of the storage medium. $3: Usage threshold of the storage medium. |
|
Severity level |
1 |
|
Example |
DIAG/1/DIAG_STORAGE_EXCEED_THRESHOLD: The usage of flash (96%) exceeded the threshold of 95%. |
|
Explanation |
The usage of the storage medium exceeded the threshold. |
|
Recommended action |
Back up the files that are not used for a long time to the PC and then delete the files, or delete the files directly. The files include logs and software packages for earlier versions. |
MEM_ALERT
|
Message text |
system memory info: total used free shared buffers cached Mem: [ULONG] [ULONG] [ULONG] [ULONG] [ULONG] [ULONG] -/+ buffers/cache: [ULONG] [ULONG] Swap: [ULONG] [ULONG] [ULONG] Lowmem: [ULONG] [ULONG] [ULONG] |
|
Variable fields |
· Mem—Memory information of the whole system: ¡ $1: Total size of allocatable physical memory. The system physical memory contains allocatable physical memory and unallocatable physical memory. Unallocatable physical memory is mainly used for kernel code storage, kernel management, and running of basic functions. Allocatable physical memory is used for such tasks as running service modules and storing files. The size of unallocatable physical memory is automatically calculated based on the system operation requirements. The size of allocatable physical memory is the total physical memory size minus the unallocatable physical memory size. ¡ $2: Size of the physical memory used by the system. ¡ $3: Size of free physical memory of the system. ¡ $4: Total size of physical memory shared by processes. ¡ $5: Size of physical memory used for buffers. ¡ $6: Size of physical memory used for caches. · -/+ buffers/cache—Memory usage information of applications: ¡ $7: -/+ Buffers/Cache:used = Mem:Used – Mem:Buffers – Mem:Cached, which indicates the size of physical memory used by applications. ¡ $8: -/+ Buffers/Cache:free = Mem:Free + Mem:Buffers + Mem:Cached, which indicates the size of physical memory available for applications. · Swap—Swap memory usage information: ¡ $9: Total size of swap memory. ¡ $10: Size of used swap memory. ¡ $11: Size of free swap memory. · Lowmem—Low memory usage information: ¡ $12: Total size of low memory. ¡ $13: Size of used low memory. ¡ $14: Size of free low memory. |
|
Severity level |
4 |
|
Example |
DIAG/4/MEM_ALERT: system memory info: total used free shared buffers cached Mem: 1784424 920896 863528 0 0 35400 -/+ buffers/cache: 885496 898928 Swap: 0 0 0 Lowmem: 735848 637896 97952 |
|
Explanation |
A memory alarm was generated, displaying memory usage information. The system generates this message when the used memory is greater than or equal to the minor, severe, or critical threshold of memory usage. |
|
Recommended action |
You can perform the following tasks to help remove the alarm: · Verify that appropriate alarm thresholds are set. To view the alarm thresholds, use the display memory-threshold command. Then you can use the memory-threshold command to modify the alarm thresholds if required. · Verify that the device is not under attack by checking the ARP table and routing table. · Examine and optimize the network, for example, reduce the number of routes, or replace the device with a higher-performance device. |
MEM_BELOW_THRESHOLD
|
Message text |
Memory usage has dropped below [STRING] threshold. |
|
Variable fields |
$1: Memory usage threshold name: minor, severe, or critical. |
|
Severity level |
1 |
|
Example |
DIAG/1/MEM_BELOW_THRESHOLD: Memory usage has dropped below critical threshold. |
|
Explanation |
A memory alarm was removed. The message is sent when the system free memory is greater than a memory alarm recovery threshold. |
|
Recommended action |
No action is required. |
MEM_EXCEED_THRESHOLD
|
Message text |
Memory [STRING] threshold has been exceeded. |
|
Variable fields |
$1: Memory usage threshold name: minor, severe, or critical. |
|
Severity level |
1 |
|
Example |
DIAG/1/MEM_EXCEED_THRESHOLD: Memory minor threshold has been exceeded. |
|
Explanation |
A memory alarm was notified. When the used memory size is greater than or equal to the minor, severe, or critical threshold of memory usage, the system generates this message and notifies services modules to perform auto repair, such as releasing memory and stopping requesting memory. |
|
Recommended action |
You can perform the following tasks to help remove the alarm: · Verify that appropriate alarm thresholds are set. To view the alarm thresholds, use the display memory-threshold command. Then you can use the memory-threshold command to modify the alarm thresholds if required. · Verify that the device is not under attack by checking the ARP table and routing table. · Examine and optimize the network, for example, reduce the number of routes or replace the device with a higher-performance device. |
MEM_USAGE
|
Message text |
Current memory usage is [STRING]. |
|
Variable fields |
$1: Memory usage in percentage. |
|
Severity level |
5 |
|
Example |
DIAG/5/MEM_USAGE: Current memory usage is 10%. |
|
Explanation |
Current memory usage of the device. |
|
Recommended action |
No action is required. |
DIM engine messages
This section contains DPI engine messages.
DIM_SIGNATURE_WARNING
|
Message text |
DIM/4/DIM_SIGNATURE_WARNING: Failed to write a signature file to the flash memory due to insufficient storage space. |
|
Severity level |
4 |
|
Example |
DPI/4/DIM_SIGNATURE_WARNING: Failed to write a signature file to the flash memory due to insufficient storage space. |
|
Explanation |
This message is generated when a signature library fails to be updated or rolled back due to insufficient storage space in the flash memory. |
|
Recommended action |
Release some storage space in the flash memory before updating or rolling back a signature library. |
DIM_ACTIVE_WARNING
|
Message text |
DIM/4/DIM_ACTIVE_WARNING: The device fails to activate the DPI engine due to insufficient memory space after the free-memory normal state threshold is reached. DPI services were no longer in effect. |
|
Severity level |
4 |
|
Example |
DPI/4/DIM_ACTIVE_WARNING: The device fails to activate the DPI engine due to insufficient memory space after the free-memory normal state threshold is reached. DPI services were no longer in effect. |
|
Explanation |
This message is generated when the device fails to activate the DPI engine due to insufficient memory space. |
|
Recommended action |
Release some storage space and then execute the inspect activate command. |
DOT1X messages
This section contains 802.1X messages.
DOT1X_NOTENOUGH_EADFREEIP_RES
|
Message text |
Failed to assign a rule for Free IP [IPADDR] on interface [STRING] due to lack of ACL resources. |
|
Variable fields |
$1: Free IP. $2: Interface type and number. |
|
Severity level |
3 |
|
Example |
DOT1X/3/DOT1X_NOTENOUGH_EADFREEIP_RES: Failed to assign a rule for Free IP 1.1.1.0 on interface Ethernet3/1/2 due to lack of ACL resources. |
|
Explanation |
The device failed to assign an ACL rule to permit a free IP on an interface because of ACL resource shortage. |
|
Recommended action |
No action is required. |
DOT1X_NOTENOUGH_EADFREERULE_RES
|
Message text |
Failed to assign a rule for permitting DHCP and DNS packets on interface [STRING] due to lack of ACL resources. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
3 |
|
Example |
DOT1X/3/DOT1X_NOTENOUGH_EADFREERULE_RES: Failed to assign a rule for permitting DHCP and DNS packets on interface Ethernet3/1/2 due to lack of ACL resources. |
|
Explanation |
The device failed to assign an ACL rule to permit DHCP and DNS packets on an interface because of ACL resource shortage. |
|
Recommended action |
No action is required. |
DOT1X_NOTENOUGH_EADPORTREDIR_RES
|
Message text |
Failed to assign a rule for redirecting HTTP packets on interface [STRING] due to lack of ACL resources. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
3 |
|
Example |
DOT1X/3/DOT1X_NOTENOUGH_EADPORTREDIR_RES: Failed to assign a rule for redirecting HTTP packets on interface Ethernet3/1/2 due to lack of ACL resources. |
|
Explanation |
The device failed to assign an ACL rule to redirect HTTP packets on an interface because of ACL resource shortage. |
|
Recommended action |
No action is required. |
DOT1X_NOTENOUGH_EADMACREDIR_RES
|
Message text |
Failed to issue a rule for redirecting HTTP packets with source MAC address [MAC] on interface [STRING]. |
|
Variable fields |
$1: Source MAC address of HTTP packets. $2: Interface type and number. |
|
Severity level |
3 |
|
Example |
DOT1X/3/DOT1X_NOTENOUGH_EADMACREDIR_RES: Failed to issue a rule for redirecting HTTP packets with source MAC address 00e0-fc00-5915 on interface Ethernet3/1/2. |
|
Explanation |
The device failed to redirect HTTP packet with the designated source MAC on an interface because of ACL resource shortage. |
|
Recommended action |
No action is required. |
DOT1X_NOTENOUGH_ENABLEDOT1X_RES
|
Message text |
Failed to enable 802.1X feature on interface [STRING] due to lack of ACL resources. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
3 |
|
Example |
DOT1X/3/DOT1X_NOTENOUGH_ENABLEDOT1X_RES: Failed to enable 802.1X feature on interface Ethernet3/1/2 due to lack of ACL resources. |
|
Explanation |
Failed to enable 802.1X on an interface because of ACL resource shortage. |
|
Recommended action |
Disable 802.1X on the interface, and then re-enable 802.1X. |
DOT1X_NOTSUPPORT_EADFREEIP_RES
|
Message text |
Failed to assign a rule for free IP [IPADDR] on interface [STRING]: EAD assistant was not supported. |
|
Variable fields |
$1: IP address. $2: Interface type and number. |
|
Severity level |
3 |
|
Example |
DOT1X/3/DOT1X_NOTSUPPORT_EADFREEIP_RES: Failed to assign a rule for free IP 1.1.1.0 on interface Ethernet3/1/2: EAD assistant was not supported. |
|
Explanation |
The device failed to assign an ACL rule to permit a free IP on an 802.1X-enabled interface because EAD assistant was not supported. |
|
Recommended action |
No action is required. |
DOT1X_NOTSUPPORT_EADFREERULE_RES
|
Message text |
Failed to assign a rule for permitting DHCP and DNS packets on interface [STRING]: EAD assistant was not supported. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
3 |
|
Example |
DOT1X/3/DOT1X_NOTSUPPORT_EADFREERULE_RES: Failed to assign a rule for permitting DHCP and DNS packets on interface Ethernet3/1/2: EAD assistant was not supported. |
|
Explanation |
The device failed to assign an ACL rule to permit DHCP and DNS packets on an 802.1X-enabled interface because EAD assistant was not supported. |
|
Recommended action |
No action is required. |
DOT1X_NOTSUPPORT_EADMACREDIR_RES
|
Message text |
Failed to assign a rule for redirecting HTTP packets with source MAC address [MAC] on interface [STRING]: EAD assistant was not supported. |
|
Variable fields |
$1: Source MAC address of HTTP packets. $2: Interface type and number. |
|
Severity level |
3 |
|
Example |
DOT1X/3/DOT1X_NOTSUPPORT_EADMACREDIR_RES: Failed to assign a rule for redirecting HTTP packets with source MAC address 00e0-fc00-5915 on interface Ethernet3/1/2: EAD assistant was not supported. |
|
Explanation |
The device failed to assign an ACL rule to redirect HTTP packets with a specific source MAC address on an 802.1X-enabled interface because EAD assistant was not supported. |
|
Recommended action |
No action is required. |
DOT1X_NOTSUPPORT_EADPORTREDIR_RES
|
Message text |
Failed to assign a rule for redirecting HTTP packets on interface [STRING]: EAD assistant was not supported. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
3 |
|
Example |
DOT1X/3/DOT1X_NOTSUPPORT_EADPORTREDIR_RES: Failed to assign a rule for redirecting HTTP packets on interface Ethernet3/1/2: EAD assistant was not supported. |
|
Explanation |
The device failed to assign an ACL rule to redirect HTTP packets on an 802.1X-enabled interface because EAD assistant was not supported. |
|
Recommended action |
No action is required. |
DOT1X_UNICAST_NOT_EFFECTIVE
|
Message text |
The unicast trigger feature is enabled but is not effective on interface [STRING]. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
3 |
|
Example |
DOT1X/3/DOT1X_UNICAST_NOT_EFFECTIVE: The unicast trigger feature is enabled but is not effective on interface Ethernet3/1/2. |
|
Explanation |
The unicast trigger setting does not take effect on an interface, because the interface does not support unicast trigger. |
|
Recommended action |
91. Reconnect the 802.1X clients to another interface that supports the unicast trigger feature. 92. Enable the unicast trigger feature on the new interface. |
DOT1X_WLAN_LOGIN_FAILURE
|
Message text |
|
|
Variable fields |
$1: Username. $2: MAC address of the client. $3: SSID. $4: Name of the AP with which the client is associated. $5: ID of the radio with which the client is associated. $6: VLAN ID. $7: Reason that causes the authentication failure: · AAA processed authentication request and returned error code code. The values for code include: ¡ 4—Represents the error of nonexistent authentication domain. ¡ 8—Represents one of the following errors: Configuration error exists in the authentication domain, the preshared key configured on the authentication server is different from the preshared key configured on the device, authentication port 1812 is unavailable, or the authentication server and the device cannot reach each other. ¡ 26—Represents one of the following errors: The username or password is incorrect, the authentication type is incorrect, the device IP address is not added to the authentication server, or the authentication domain is not correctly configured on the service template. · AAA processed authorization request and returned error code code. The value for code is 8, which indicates that the server and the device cannot reach each other. · Received logoff request from the client. · Client timeout timer expired. · Server timeout timer expired. · Received logoff request while authenticating the client. · Received user security information and kicked off the client. · Accounting-update timer expired, and no responses were received from the server. · Kicked off the client when the idle timeout timer expired. · Authentication method error. · Kicked off the client because the server-assigned session timeout timer is 0. · Received session disconnection event. · Unknown reason. |
|
Severity level |
5 |
|
Example |
DOT1X/5/DOT1X_WLAN_LOGIN_FAILURE:-Username=Dot1X-UserMAC=3ce5-a616-28cd-SSID=text-wifi-APName=ap1-RadioID=2-VLANID=11; A user failed 802.1X authentication. Reason: AAA processed authentication request and returned error code 26. |
|
Explanation |
The client failed to pass 802.1X authentication for a specific reason. |
|
Recommended action |
To resolve the problem: 93. Troubleshoot errors according to the returned failure reason. 94. If the problem persists, contact H3C Support. |
DOT1X_WLAN_LOGIN_SUCC
|
Message text |
|
|
Variable fields |
$1: Username. $2: MAC address of the client. $3: SSID. $4: Name of the AP with which the client is associated. $5: ID of the radio with which the client is associated. $6: VLAN ID. |
|
Severity level |
6 |
|
Example |
DOT1X/6/DOT1X_WLAN_LOGIN_SUCC:-Username=Dot1X-UserMAC=3ce5-a616-28cd-SSID=text-wifi-APName=ap1-RadioID=2-VLANID=11; A user passed 802.1X authentication and came online. |
|
Explanation |
The client came online after passing 802.1X authentication. |
|
Recommended action |
No action is required. |
DOT1X_WLAN_LOGOFF
|
Message text |
|
|
Variable fields |
$1: Username. $2: MAC address of the client. $3: SSID. $4: Name of the AP with which the client is associated. $5: ID of the radio with which the client is associated. $6: VLAN ID. $7: Reason that causes the client logoff. · AAA processed authentication request and returned error code code. Server reason: reason. If the server does not return the failure cause, the Server reason variable is not available. The values for code include: ¡ 4—Represents the error of nonexistent authentication domain. ¡ 8—Represents one of the following errors: Configuration error exists in the authentication domain, the preshared key configured on the authentication server is different from the preshared key configured on the device, authentication port 1812 is unavailable, or the authentication server and the device cannot reach each other. ¡ 26—Represents one of the following errors: The username or password is incorrect, the authentication type is incorrect, the device IP address is not added to the authentication server, or the authentication domain is not correctly configured on the service template. · AAA processed authorization request and returned error code code. Server reason: reason. If the server does not return the failure cause, the Server reason variable is not available. The value for code is 8, which indicates that the server and the device cannot reach each other. · AAA processed accounting-start request and returned error code code. Server reason: reason. If the server does not return the failure cause, the Server reason variable is not available. The value for code is 8, which indicates that the server and the device cannot reach each other. · AAA processed accounting-update request and returned error code code. Server reason: reason. If the server does not return the failure cause, the Server reason variable is not available. The value for code is 8, which indicates that the server and the device cannot reach each other. · Received logoff request from the client. · User timer expired. · Server timer expired. · Received logoff request while authenticating the client. · Received user security information and kicked off the client. · Lost in shaking hands. · Accounting-update timer expired, and no responses were received from the server. · Kicked off the client when the idle timeout timer expired. · Authentication method error. · Kicked off the client because the server-assigned session timeout timer is 0. · Received session disconnection event. · Received disassociation frame in Run state: reason code=code. · Received deauthentication frame in Run state: reason code=code. · Received disassociation packet in Userauth state. · Received deauthentication packet in Userauth state. · Received client failure message with reason code=code. · Received client offline message with reason code=code. · Unknown reason. |
|
Severity level |
6 |
|
Example |
DOT1X/6/DOT1X_WLAN_LOGOFF:-Username=Dot1X-UserMAC=3ce5-a616-28cd-SSID=text-wifi-APName=ap1-RadioID=2-VLANID=11; Session for an 802.1X user was terminated. Reason: Received logoff request from the client. |
|
Explanation |
The 802.1X authenticated client was logged off for a specific reason. |
|
Recommended action |
95. Check the debugging information to locate the logoff cause and remove the problem. If the logoff was requested by the client, no action is required. 96. If the problem persists, contact H3C Support. |
EDEV messages
This section contains messages for extended-device management.
EDEV_FAILOVER_GROUP_STATE_CHANGE
|
Message text |
Status of stateful failover group [STRING] with ID [UINT32] changed to [STRING]. |
|
Variable fields |
$1: Failover group name. $2: Failover group ID. $3: Failover group state. |
|
Severity level |
5 |
|
Example |
|
|
Explanation |
The status of a failover group changed. |
|
Recommended action |
No action is required. |
FILTER messages
This section contains filter messages.
FILTER_EXECUTION_ICMP
|
Message text |
RcvIfName(1023)=[STRING];Direction(1070)=[STRING];Type(1067)=[STRING];Acl(1068)=[STRING];RuleID(1078)=[UINT32];Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPADDR];DstIPAddr(1007)=[IPADDR];IcmpType(1062)=[STRING]([UINT16]);IcmpCode(1063)=[UINT16];MatchCount(1069)=[UINT32];Event(1048)=[STRING]; |
|
Variable fields |
$1: Receiving interface name. $2: Direction. $3: ACL type. $4: ACL number or name. $5: ACL rule ID. $6: Layer 4 protocol name. $7: Source IP address. $8: Destination IP address. $9: ICMP message type. $10: ICMP message code. $11: Match count. $12: Event information. |
|
Severity level |
6 |
|
Example |
FILTER/6/FILTER_EXECUTION_ICMP: RcvIfName(1023)=GigabitEthernet2/0/2;Direction(1070)=inbound;Type(1067)=IPv4;Acl(1068)=3000;RuleID(1078)=0;Protocol(1001)=ICMP;SrcIPAddr(1003)=100.1.1.1;DstIPAddr(1007)=200.1.1.1;IcmpType(1062)=Echo(8);IcmpCode(1063)=0;MatchCount(1069)=1000;Event(1048)=Permit; |
|
Explanation |
ICMP packets matched the packet filter. This message is sent when the first ICMP packet of a flow matches the packet filter, and it will be sent regularly for the flow. |
|
Recommended action |
No action is required. |
FILTER_EXECUTION_ICMPV6
|
Message text |
RcvIfName(1023)=[STRING];Direction(1070)=[STRING];Type(1067)=[STRING];Acl(1068)=[STRING];RuleID(1078)=[UINT32];Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];Icmpv6Type(1064)=[STRING]([UINT16]);Icmpv6Code(1065)=[UINT16];MatchCount(1069)=[UINT32];Event(1048)=[STRING]; |
|
Variable fields |
$1: Receiving interface name. $2: Direction. $3: ACL type. $4: ACL number or name. $5: ACL rule ID. $6: Layer 4 protocol name. $7: Source IPv6 address. $8: Destination IPv6 address. $9: ICMPv6 message type. $10: ICMPv6 message code. $11: Match count. $12: Event information. |
|
Severity level |
6 |
|
Example |
FILTER/6/FILTER_EXECUTION_ICMP: RcvIfName(1023)=GigabitEthernet2/0/2;Direction(1070)=inbound;Type(1067)=IPv4;Acl(1068)=3000;RuleID(1078)=0;Protocol(1001)=ICMP;SrcIPAddr(1003)=100.1.1.1;DstIPAddr(1007)=200.1.1.1;IcmpType(1062)=Echo(8);IcmpCode(1063)=0;MatchCount(1069)=1000;Event(1048)=Permit; |
|
Explanation |
ICMPv6 packets matched the packet filter. This message is sent when the first ICMPv6 packet of a flow matches the packet filter, and it will be sent regularly for the flow. |
|
Recommended action |
No action is required. |
FILTER_IPV4_EXECUTION
|
Message text |
RcvIfName(1023)=[STRING];Direction(1070)=[STRING];Type(1067)=[STRING];Acl(1068)=[STRING];RuleID(1078)=[UINT32];Protocol(1001)=[STRING];Application(1002)=[STRING];SrcIPAddr(1003)=[IPADDR];SrcPort(1004)=[UINT16];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];MatchCount(1069)=[UINT32];Event(1048)=[STRING]; |
|
Variable fields |
$1: Receiving interface name. $2: Direction. $3: ACL type. $4: ACL number or name. $5: ACL rule ID. $6: Layer 4 protocol name. $7: Application name. $8: Source IP address. $9: Source port. $10: Destination IP address. $11: Destination port number. $12: Match count. $13: Event information. |
|
Severity level |
6 |
|
Example |
FILTER/6/FILTER_IPV4_EXECUTION: RcvIfName(1023)=GigabitEthernet2/0/2;Direction(1070)=inbound;Type(1067)=IPv4;Acl(1068)=3000;RuleID(1078)=0;Protocol(1001)=TCP;Application(1002)=ftp;SrcIPAddr(1003)=100.1.1.1;SrcPort(1004)=1025;DstIPAddr(1007)=200.1.1.1;DstPort(1008)=1026;MatchCount(1069)=1000;Event(1048)=Permit; |
|
Explanation |
Packets other than ICMP packets matched the packet filter. This message is sent when the first packet of a flow matches the packet filter, and it will be sent regularly for the flow. |
|
Recommended action |
No action is required. |
FILTER_IPV6_EXECUTION
|
Message text |
RcvIfName(1023)=[STRING];Direction(1070)=[STRING];Type(1067)=[STRING];Acl(1068)=[STRING];RuleID(1078)=[UINT32];Protocol(1001)=[STRING];Application(1002)=[STRING];SrcIPv6Addr(1036)=[IPADDR];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];MatchCount(1069)=[UINT32];Event(1048)=[STRING]; |
|
Variable fields |
$1: Receiving interface name. $2: Direction. $3: ACL type. $4: ACL number or name. $5: ACL rule ID. $6: Layer 4 protocol name. $7: Application name. $8: Source IPv6 address. $9: Source port number. $10: Destination IPv6 address. $11: Destination port number. $12: Match count. $13: Event information. |
|
Severity level |
6 |
|
Example |
FILTER/6/FILTER_IPV6_EXECUTION: RcvIfName(1023)=GigabitEthernet2/0/2;Direction(1070)=inbound;Type(1067)=IPv6;Acl(1068)=3000;RuleID(1078)=0;Protocol(1001)=TCP;Application(1002)=ftp;SrcIPv6Addr(1036)=2001::1;SrcPort(1004)=1025;DstIPv6Addr(1037)=3001::1;DstPort(1008)=1026;MatchCount(1069)=1000;Event(1048)=Permit; |
|
Explanation |
Packets other than ICMPv6 packets matched the packet filter. This message is sent when the first packet of a flow matches the packet filter, and it will be sent regularly for the flow. |
|
Recommended action |
No action is required. |
FILTER_ZONE_IPV4_EXECUTION
|
Message text |
SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];Type(1067)=[STRING];ObjectPolicy(1072)=[STRING];RuleID(1078)=[UINT32];Protocol(1001)=[STRING];Application(1002)=[STRING];SrcIPAddr(1003)=[STRING];SrcPort(1004)=[UINT16];DstIPAddr(1007)=[STRING];DstPort(1008)=[UINT16];MatchCount(1069)=[UINT32];Event(1048)=[STRING]; |
|
Variable fields |
$1: Source security zone. $2: Destination security zone. $3: Type of the object policy. $4: Name of the object policy. $5: ID of the object policy rule. $6: Layer 4 protocol name. $7: Application name. $8: Source IP address. $9: Source port number. $10: Destination IP address. $11: Destination port number. $12: Match count. $13: Event information. |
|
Severity level |
6 |
|
Example |
FILTER/6/FILTER_ZONE_IPV4_EXECUTION: SrcZoneName(1025)=zone1;DstZoneName(1035)=zone2;Type(1067)=IPv4;ObjectPolicy(1072)=policy1;RuleID(1078)=0;Protocol(1001)=TCP;Application(1002)=ftp;SrcIPAddr(1003)=100.1.1.1;SrcPort(1004)=1025;DstIPAddr(1007)=200.1.1.1;DstPort(1008)=1026;MatchCount(1069)=1000;Event(1048)=permit; |
|
Explanation |
A flow matched an object policy. This message is sent when the first packet of a flow matches the object policy, and the message will be sent regularly for the flow. |
|
Recommended action |
No action is required. |
FILTER_ZONE_IPV4_EXECUTION
|
Message text |
SrcZoneName(1025)=zone1;DstZoneName(1035)=[STRING];Type(1067)=[STRING];Acl(1068)=[UINT16];RuleID(1078)=[UINT32];Protocol(1001)=[STRING];Application(1002)=[STRING];SrcIPAddr(1003)=[STRING];SrcPort(1004)=[UINT16];DstIPAddr(1007)=[STRING];DstPort(1008)=[UINT16];MatchCount(1069)=[UINT32];Event(1048)=[STRING]; |
|
Variable fields |
$1: Source security zone. $2: Destination security zone. $3: ACL type. $4: ACL number or name. $5: ACL rule ID. $6: Layer 4 protocol name. $7: Application name. $8: Source IP address. $9: Source port number. $10: Destination IP address. $11: Destination port number. $12: Match count. $13: Event information. |
|
Severity level |
6 |
|
Example |
FILTER/6/FILTER_ZONE_IPV4_EXECUTION: SrcZoneName(1025)=zone1;DstZoneName(1035)=zone2;Type(1067)=IPv4;Acl(1068)=3000;RuleID(1078)=0;Protocol(1001)=TCP;Application(1002)=ftp;SrcIPAddr(1003)=100.1.1.1;SrcPort(1004)=1025;DstIPAddr(1007)=200.1.1.1;DstPort(1008)=1026;MatchCount(1069)=1000;Event(1048)=permit; |
|
Explanation |
A flow matched the packet filter. This message is sent when the first packet of a flow matches the packet filter, and the message will be sent regularly for the flow. |
|
Recommended action |
No action is required. |
FILTER_ZONE_IPV4_EXECUTION
|
Message text |
SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];Type(1067)=[STRING];SecurityPolicy(1072)=[STRING];RuleID(1078)=[UINT32];Protocol(1001)=[STRING];Application(1002)=[STRING];SrcIPAddr(1003)=[STRING];SrcPort(1004)=[UINT16];SrcMacAddr(1021)=[STRING];DstIPAddr(1007)=[STRING];DstPort(1008)=[UINT16];MatchCount(1069)=[UINT32];Event(1048)=[STRING]; |
|
Variable fields |
$1: Source security zone. $2: Destination security zone. $3: Security policy type. $4: Security policy name. $5: Security policy rule ID. $6: Layer 4 protocol name. $7: Application name. $8: Source IP address. $9: Source port number. $10: Source MAC address. $11: Destination IP address. $12: Destination port number. $13: Match count. $14: Event information. |
|
Severity level |
6 |
|
Example |
FILTER/6/FILTER_ZONE_IPV4_EXECUTION: SrcZoneName(1025)=zone1;DstZoneName(1035)=zone2;Type(1067)=IPv4;SecurityPolicy(1072)=policy1;RuleID(1078)=0;Protocol(1001)=TCP;Application(1002)=ftp;SrcIPAddr(1003)=100.1.1.1;SrcPort(1004)=1025;SrcMacAddr(1021)=000f-e267-76eb;DstIPAddr(1007)=200.1.1.1;DstPort(1008)=1026;MatchCount(1069)=1000;Event(1048)=permit; |
|
Explanation |
A flow matched the security policy. This message is sent when the first packet of a flow matches the security policy, and the message will be sent regularly for the flow. |
|
Recommended action |
No action is required. |
FILTER_ZONE_IPV6_EXECUTION
|
Message text |
SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];Type(1067)=[STRING];ObjectPolicy(1072)=[STRING];RuleID(1078)=[UINT32];Protocol(1001)=[STRING];Application(1002)=[STRING];SrcIPv6Addr(1036)=[STRING];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[STRING];DstPort(1008)=[UINT16];MatchCount(1069)=[UINT32];Event(1048)=[STRING]; |
|
Variable fields |
$1: Source security zone. $2: Destination security zone. $3: Type of the object policy. $4: Name of the object policy. $5: ID of the object policy rule. $6: Layer 4 protocol name. $7: Application name. $8: Source IPv6 address. $9: Source port number. $10: Destination IPv6 address. $11: Destination port number. $12: Match count. $13: Event information. |
|
Severity level |
6 |
|
Example |
FILTER/6/FILTER_ZONE_IPV6_EXECUTION: SrcZoneName(1025)=zone1;DstZoneName(1035)=zone2;Type(1067)=IPv6;ObjectPolicy(1072)=policy1;RuleID(1078)=0;Protocol(1001)=TCP;Application(1002)=ftp;SrcIPv6Addr(1036)=2001::1;SrcPort(1004)=1025;DstIPv6Addr(1037)=3000::1;DstPort(1008)=1026;MatchCount(1069)=1000;Event(1048)=permit; |
|
Explanation |
A flow matched an object policy. This message is sent when the first packet of a flow matches the object policy, and the message will be sent regularly for the flow. |
|
Recommended action |
No action is required. |
FILTER_ZONE_IPV6_EXECUTION
|
Message text |
SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];Type(1067)=[STRING];Acl(1068)=[UINT16];RuleID(1078)=[UINT32];Protocol(1001)=[STRING];Application(1002)=[STRING];SrcIPv6Addr(1036)=[STRING];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[STRING];DstPort(1008)=[UINT16];MatchCount(1069)=[UINT32];Event(1048)=[STRING]; |
|
Variable fields |
$1: Source security zone. $2: Destination security zone. $3: ACL type. $4: ACL number or name. $5: ACL rule ID. $6: Layer 4 protocol name. $7: Application name. $8: Source IPv6 address. $9: Source port number. $10: Destination IPv6 address. $11: Destination port number. $12: Match count. $13: Event information. |
|
Severity level |
6 |
|
Example |
FILTER/6/FILTER_ZONE_IPV6_EXECUTION: SrcZoneName(1025)=zone1;DstZoneName(1035)=zone2;Type(1067)=IPv6;Acl(1068)=3000;RuleID(1078)=0;Protocol(1001)=TCP;Application(1002)=ftp;SrcIPv6Addr(1036)=2001::1;SrcPort(1004)=1025;DstIPv6Addr(1037)=3000::1;DstPort(1008)=1026;MatchCount(1069)=1000;Event(1048)=permit; |
|
Explanation |
A flow matched the packet filter. This message is sent when the first packet of a flow matches the packet filter, and the message will be sent regularly for the flow. |
|
Recommended action |
No action is required. |
FILTER_ZONE_IPV6_EXECUTION
|
Message text |
SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];Type(1067)=[STRING];SecurityPolicy(1072)=[STRING];RuleID(1078)=[UINT32];Protocol(1001)=[STRING];Application(1002)=[STRING];SrcIPv6Addr(1036)=[STRING];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[STRING];DstPort(1008)=[UINT16];MatchCount(1069)=[UINT32];Event(1048)=[STRING]; |
|
Variable fields |
$1: Source security zone. $2: Destination security zone. $3: Security policy type. $4: Security policy name. $5: Security policy rule ID. $6: Layer 4 protocol name. $7: Application name. $8: Source IPv6 address. $9: Source port number. $10: Destination IPv6 address. $11: Destination port number. $12: Match count. $13: Event information. |
|
Severity level |
6 |
|
Example |
FILTER/6/FILTER_ZONE_IPV6_EXECUTION: SrcZoneName(1025)=zone1;DstZoneName(1035)=zone2;Type(1067)=IPv6;Acl(1068)=3000;RuleID(1078)=0;Protocol(1001)=TCP;Application(1002)=ftp;SrcIPv6Addr(1036)=2001::1;SrcPort(1004)=1025;DstIPv6Addr(1037)=3000::1;DstPort(1008)=1026;MatchCount(1069)=1000;Event(1048)=permit; |
|
Explanation |
A flow matched the security policy. This message is sent when the first packet of a flow matches the security policy, and the message will be sent regularly for the flow. |
|
Recommended action |
No action is required. |
FILTER_ZONE_EXECUTION_ICMP
|
Message text |
SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];Type(1067)=[STRING];ObjectPolicy(1072)=[STRING];RuleID(1078)=[UINT32];Protocol(1001)=[STRING];SrcIPAddr(1003)=[STRING];SrcPort(1004)=[UINT16];DstIPAddr(1007)=[STRING];DstPort(1008)=[UINT16];MatchCount(1069)=[UINT32];Event(1048)=[STRING]; |
|
Variable fields |
$1: Source security zone. $2: Destination security zone. $3: Type of the object policy. $4: Name of the object policy. $5: ID of the object policy rule. $6: Layer 4 protocol name. $7: Source IP address. $8: Source port number. $9: Destination IP address. $10: Destination port number. $11: Match count. $12: Event information. |
|
Severity level |
6 |
|
Example |
FILTER/6/FILTER_ZONE_EXECUTION_ICMP: SrcZoneName(1025)=zone1;DstZoneName(1035)=zone2;Type(1067)=IPv4;ObjectPolicy(1072)=policy1;RuleID(1078)=0;Protocol(1001)=ICMP;SrcIPAddr(1003)=100.1.1.1;SrcPort(1004)=1025;DstIPAddr(1007)=200.1.1.1;DstPort(1008)=1026;MatchCount(1069)=1000;Event(1048)=permit; |
|
Explanation |
ICMP packets matched an object policy. This message is sent when the first ICMP packet of a flow matches the object policy, and the message will be sent regularly for the flow. |
|
Recommended action |
No action is required. |
FILTER_ZONE_EXECUTION_ICMP
|
Message text |
SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];Type(1067)=[STRING];Acl(1068)=[UINT16];RuleID(1078)=[UINT32];Protocol(1001)=[STRING];SrcIPAddr(1003)=[STRING];SrcPort(1004)=[UINT16];DstIPAddr(1007)=[STRING];DstPort(1008)=[UINT16];MatchCount(1069)=[UINT32];Event(1048)=[STRING]; |
|
Variable fields |
$1: Source security zone. $2: Destination security zone. $3: ACL type. $4: ACL number or name. $5: ACL rule ID. $6: Layer 4 protocol name. $7: Source IP address. $8: Source port number. $9: Destination IP address. $10: Destination port number. $11: Match count. $12: Event information. |
|
Severity level |
6 |
|
Example |
FILTER/6/FILTER_ZONE_EXECUTION_ICMP: SrcZoneName(1025)=zone1;DstZoneName(1035)=zone2;Type(1067)=IPv4;Acl(1068)=3000;RuleID(1078)=0;Protocol(1001)=ICMP;SrcIPAddr(1003)=100.1.1.1;SrcPort(1004)=1025;DstIPAddr(1007)=200.1.1.1;DstPort(1008)=1026;MatchCount(1069)=1000;Event(1048)=permit; |
|
Explanation |
ICMP packets matched the packet filter. This message is sent when the first ICMP packet of a flow matches the packet filter, and the message will be sent regularly for the flow. |
|
Recommended action |
No action is required. |
FILTER_ZONE_EXECUTION_ICMP
|
Message text |
SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];Type(1067)=[STRING];SecurityPolicy(1072)=[STRING];RuleID(1078)=[UINT32];Protocol(1001)=[STRING];SrcIPAddr(1003)=[STRING];SrcPort(1004)=[UINT16];SrcMacAddr(1021)=[STRING];DstIPAddr(1007)=[STRING];DstPort(1008)=[UINT16];MatchCount(1069)=[UINT32];Event(1048)=[STRING]; |
|
Variable fields |
$1: Source security zone. $2: Destination security zone. $3: Security policy type. $4: Security policy name. $5: Security policy rule ID. $6: Layer 4 protocol name. $7: Source IP address. $8: Source port number. $9: Source MAC address. 10: Destination IP address. $11: Destination port number. $12: Match count. $13: Event information. |
|
Severity level |
6 |
|
Example |
FILTER/6/FILTER_ZONE_EXECUTION_ICMP: SrcZoneName(1025)=zone1;DstZoneName(1035)=zone2;Type(1067)=IPv4;SecurityPolicy(1072)=policy1;RuleID(1078)=0;Protocol(1001)=ICMP;SrcIPAddr(1003)=100.1.1.1;SrcPort(1004)=1025;SrcMacAddr(1021)=dc4a-3e7d-91b1;DstIPAddr(1007)=200.1.1.1;DstPort(1008)=1026;MatchCount(1069)=1000;Event(1048)=permit; |
|
Explanation |
ICMP packets matched the security policy. This message is sent when the first ICMP packet of a flow matches the security policy, and the message will be sent regularly for the flow. |
|
Recommended action |
No action is required. |
FILTER_ZONE_EXECUTION_ICMPV6
|
Message text |
SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];Type(1067)=[STRING];ObjectPolicy(1072)=[STRING];RuleID(1078)=[UINT32];Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[STRING];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[STRING];DstPort(1008)=[UINT16];MatchCount(1069)=[UINT32];Event(1048)=[STRING]; |
|
Variable fields |
$1: Source security zone. $2: Destination security zone. $3: Type of the object policy. $4: Name of the object policy. $5: ID of the object policy rule. $6: Layer 4 protocol name. $7: Source IPv6 address. $8: Source port number. $9: Destination IPv6 address. $10: Destination port number. $11: Match count. $12: Event information. |
|
Severity level |
6 |
|
Example |
FILTER/6/FILTER_ZONE_EXECUTION_ICMPV6: SrcZoneName(1025)=zone1;DstZoneName(1035)=zone2;Type(1067)=IPv6;ObjectPolicy(1072)=policy1;RuleID(1078)=0;Protocol(1001)=ICMPV6;SrcIPv6Addr(1036)=2001::1;SrcPort(1004)=1025;DstIPv6Addr(1037)=3000::1;DstPort(1008)=1026; MatchCount(1069)=1000;Event(1048)=permit; |
|
Explanation |
ICMPv6 packets matched an object policy. This message is sent when the first ICMPv6 packet of a flow matches the object policy, and the message will be sent regularly for the flow. |
|
Recommended action |
No action is required. |
FILTER_ZONE_EXECUTION_ICMPV6
|
Message text |
SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];Type(1067)=[STRING];Acl(1068)=[UINT16];RuleID(1078)=[UINT32];Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[STRING];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[STRING];DstPort(1008)=[UINT16];MatchCount(1069)=[UINT32];Event(1048)=[STRING]; |
|
Variable fields |
$1: Source security zone. $2: Destination security zone. $3: ACL type. $4: ACL number or name. $5: ACL rule ID. $6: Layer 4 protocol name. $7: Source IPv6 address. $8: Source port number. $9: Destination IPv6 address. $10: Destination port number. $11: Match count. $12: Event information. |
|
Severity level |
6 |
|
Example |
FILTER/6/FILTER_ZONE_EXECUTION_ICMPV6: SrcZoneName(1025)=zone1;DstZoneName(1035)=zone2;Type(1067)=IPv6;Acl(1068)=3000;RuleID(1078)=0;Protocol(1001)=ICMPV6;SrcIPv6Addr(1036)=2001::1;SrcPort(1004)=1025;DstIPv6Addr(1037)=3000::1;DstPort(1008)=1026; MatchCount(1069)=1000;Event(1048)=permit; |
|
Explanation |
ICMPv6 packets matched the packet filter. This message is sent when the first ICMPv6 packet of a flow matches the packet filter, and the message will be sent regularly for the flow. |
|
Recommended action |
No action is required. |
FILTER_ZONE_EXECUTION_ICMPV6
|
Message text |
SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];Type(1067)=[STRING];SecurityPolicy(1072)=[STRING];RuleID(1078)=[UINT32];Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[STRING];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[STRING];DstPort(1008)=[UINT16];MatchCount(1069)=[UINT32];Event(1048)=[STRING]; |
|
Variable fields |
$1: Source security zone. $2: Destination security zone. $3: Security policy type. $4: Security policy name. $5: Security policy rule ID. $6: Layer 4 protocol name. $7: Source IPv6 address. $8: Source port number. $9: Destination IPv6 address. $10: Destination port number. $11: Match count. $12: Event information. |
|
Severity level |
6 |
|
Example |
FILTER/6/FILTER_ZONE_EXECUTION_ICMPV6: SrcZoneName(1025)=zone1;DstZoneName(1035)=zone2;Type(1067)=IPv6;SecurityPolicy(1072)=policy1;RuleID(1078)=0;Protocol(1001)=ICMPV6;SrcIPv6Addr(1036)=2001::1;SrcPort(1004)=1025;DstIPv6Addr(1037)=3000::1;DstPort(1008)=1026; MatchCount(1069)=1000;Event(1048)=permit; |
|
Explanation |
ICMPv6 packets matched the security policy. This message is sent when the first ICMPv6 packet of a flow matches the security policy, and the message will be sent regularly for the flow. |
|
Recommended action |
No action is required. |
FS messages
This section contains file system messages.
FS_UNFORMATTED_PARTITION
|
Message text |
Partition [%s] is not formatted yet. Please format the partition first. |
|
Variable fields |
$1: Partition name. |
|
Severity level |
4 |
|
Example |
FS/4/FS_UNFORMATED_PARTITION: Partition usba0: is not formatted yet. Please format the partition first. |
|
Explanation |
The partition is not formatted. You must format a partition before you can perform other operations on the partition. |
|
Recommended action |
Format the specified partition. |
FTP messages
This section contains File Transfer Protocol messages.
FTP_ACL_DENY
|
Message text |
The FTP Connection request from [IPADDR]([STRING]) was denied by ACL rule (rule ID=[INT32]) |
|
Variable fields |
$1: IP address of the FTP client. $2: VPN instance to which the FTP client belongs. $3: ID of the rule that denied the FTP client. If an FTP client does not match created ACL rules, the device denies the client based on the default ACL rule. |
|
Severity level |
5 |
|
Example |
FTP/5/FTP_ACL_DENY: The FTP connection request from 181.1.1.10 was denied by ACL rule (rule ID=20). FTP/5/FTP_ACL_DENY: The FTP connection request from 181.1.1.10 was denied by ACL rule (default rule). |
|
Explanation |
FTP access control ACLs control which FTP clients can access the FTP service on the device. The device sends this log message when it denies an FTP client. |
|
Recommended action |
No action is required. |
FTP_REACH_SESSION_LIMIT
|
Message text |
FTP client $1 failed to log in. The current number of FTP sessions is [NUMBER]. The maximum number allowed is ([NUMBER]). |
|
Variable fields |
$1: IP address of the FTP client. $2: Current number of FTP sessions. $3: Maximum number of FTP sessions allowed by the device. |
|
Severity level |
|
|
Example |
|
|
Explanation |
The number of FTP connections reached the limit. |
|
Recommended action |
97. Use the display current-configuration | include session-limit command to view the current limit for FTP connections. If the command does not display the limit, the device is using the default setting. 98. If you want to set a greater limit, execute the aaa session-limit command. If you think the limit is proper, no action is required. |
HA messages
This section contains HA messages.
HA_BATCHBACKUP_FINISHED
|
Message text |
Batch backup of standby board in [STRING] has finished. |
|
Variable fields |
$1: MPU location. |
|
Severity level |
5 |
|
Example |
HA/5/HA_BATCHBACKUP_FINISHED: Batch backup of standby board in chassis 0 slot 1 has finished. |
|
Explanation |
Batch backup from the active MPU to the standby MPU has finished. |
|
Recommended action |
No action is required. |
HA_BATCHBACKUP_STARTED
|
Message text |
Batch backup of standby board in [STRING] started. |
|
Variable fields |
$1: MPU location. |
|
Severity level |
5 |
|
Example |
HA/5/HA_BATCHBACKUP_STARTED: Batch backup of standby board in chassis 0 slot 1 started. |
|
Explanation |
Batch backup from the active MPU to the standby MPU has started. |
|
Recommended action |
No action is required. |
HA_STANDBY_NOT_READY
|
Message text |
Standby board in [STRING] is not ready, reboot ... |
|
Variable fields |
$1: MPU location. |
|
Severity level |
4 |
|
Example |
HA/4/HA_STANDBY_NOT_READY: Standby board in chassis 0 slot 1 is not ready, reboot ... |
|
Explanation |
This message appears on the standby MPU. When batch backup is not complete on the standby MPU, performing active and standby MPU switchover results in restart of the active and standby MPUs. |
|
Recommended action |
Do not perform active and standby MPU switchover before batch backup is complete on the standby MPU. |
HA_STANDBY_TO_MASTER
|
Message text |
Standby board in [STRING] changed to the master. |
|
Variable fields |
$1: MPU location. |
|
Severity level |
5 |
|
Example |
HA/5/HA_STANDBY_TO_MASTER: Standby board in chassis 0 slot 1 changed to the master. |
|
Explanation |
An active and standby MPU switchover occurs. The standby MPU changed to active. |
|
Recommended action |
No action is required. |
HTTPD messages
This section contains HTTP daemon messages.
HTTPD_CONNECT
|
Message text |
[STRING] client [STRING] connected to the server successfully. |
|
Variable fields |
$1: Connection type, HTTP or HTTPS. $2: Client IP address. |
|
Severity level |
6 |
|
Example |
HTTPD/6/HTTPD_CONNECT: HTTP client 192.168.30.117 connected to the server successfully. |
|
Explanation |
The HTTP or HTTPS server accepted the request from a client. An HTTP or HTTPS connection was set up. |
|
Recommended action |
No action is required. |
HTTPD_CONNECT_TIMEOUT
|
Message text |
[STRING] client [STRING] connection idle timeout. |
|
Variable fields |
$1: Connection type, HTTP or HTTPS. $2: Client IP address. |
|
Severity level |
6 |
|
Example |
HTTPD/6/HTTPD_CONNECT_TIMEOUT: HTTP client 192.168.30.117 connection to server idle timeout. |
|
Explanation |
An HTTP or HTTPS connection was disconnected because the idle timeout timer expires. |
|
Recommended action |
No action is required. |
HTTPD_DISCONNECT
|
Message text |
[STRING] client [STRING] disconnected from the server. |
|
Variable fields |
$1: Connection type, HTTP or HTTPS. $2: Client IP address. |
|
Severity level |
6 |
|
Example |
HTTPD/6/HTTPD_DISCONNECT: HTTP client 192.168.30.117 disconnected from the server. |
|
Explanation |
An HTTP or HTTPS client was disconnected from the server. |
|
Recommended action |
No action is required. |
HTTPD_FAIL_FOR_ACL
|
Message text |
[STRING] client [STRING] failed the ACL check and could not connect to the server. |
|
Variable fields |
$1: Connection type, HTTP or HTTPS. $2: Client IP address. |
|
Severity level |
6 |
|
Example |
HTTPD/6/HTTPD_FAIL_FOR_ACL: HTTP client 192.168.30.117 failed the ACL check and cannot connect to the server. |
|
Explanation |
An HTTP or HTTPS client was filtered by the ACL. |
|
Recommended action |
No action is required. |
HTTPD_FAIL_FOR_ACP
|
Message text |
[STRING] client [STRING] was denied by the certificate access control policy and could not connect to the server. |
|
Variable fields |
$1: Connection type, HTTP or HTTPS. $2: Client IP address. |
|
Severity level |
6 |
|
Example |
HTTPD/6/HTTPD_FAIL_FOR_ACP: HTTP client 192.168.30.117 was denied by the certificate attribute access control policy and could not connect to the server. |
|
Explanation |
An HTTP or HTTPS client was denied by the certificate access control policy. |
|
Recommended action |
No action is required. |
HTTPD_REACH_CONNECT_LIMIT
|
Message text |
[STRING] client [STRING] failed to connect to the server, because the number of connections reached the upper limit. |
|
Variable fields |
$1: Connection type, HTTP or HTTPS. $2: Client IP address. |
|
Severity level |
6 |
|
Example |
HTTPD/6/HTTPD_REACH_CONNECT_LIMIT: HTTP client 192.168.30.117 failed to connect to the server, because the number of connections reached the upper limit. |
|
Explanation |
The number of connections reached the limit. |
|
Recommended action |
99. Use the display current-configuration | include session-limit command to view the current limit for connections of the specified type. If the command does not display the limit, the device is using the default setting. 100. If you want to specify a greater limit, execute the aaa session-limit command. If you think the limit is proper, no action is required. |
Identity messages
This section contains user identification messages.
IDENTITY_CSV_IMPORT_FAILED
|
Message text |
Failed to import identity user [STRING] to domain [STRING] from the .csv file. |
|
Variable fields |
$1: Identity username. $2: Identity domain name. |
|
Severity level |
5 |
|
Example |
IDENTITY/5/IDENTITY_CSV_IMPORT_FAILED: Failed to import identity user network-us?er1 to domain system-domain from the .csv file. |
|
Explanation |
Failed to import an identity user account from a .csv file and stopped importing remaining identity user accounts. |
|
Recommended action |
101. Make sure no identity user account with the same name exists on the device. 102. Make sure the identity domain name or the identity username does not contain invalid characters. |
IDENTITY_IMC_IMPORT_FAILED_NO_MEMORY
|
Message text |
Failed to obtain data from IMC. Reason: Not enough memory. |
|
Variable fields |
N/A |
|
Severity level |
5 |
|
Example |
IDENTITY/5/IDENTITY_IMC_IMPORT_FAILED_NO_MEMORY: Failed to obtain data from IMC. Reason: Not enough memory. |
|
Explanation |
Failed to import identity user accounts and online identity user information from the IMC server because of insufficient memory. |
|
Recommended action |
No action is required. |
IDENTITY_LDAP_IMPORT_FAILED_NO_MEMORY
|
Message text |
Failed to obtain data from the LDAP server specified in scheme [STRING]. Reason: Not enough memory. |
|
Variable fields |
$1: LADP scheme name. |
|
Severity level |
5 |
|
Example |
IDENTITY/5/IDENTITY_LDAP_IMPORT_FAILED_NO_MEMORY: Failed to obtain data from the LDAP server specified in scheme test. Reason: Not enough memory. |
|
Explanation |
Failed to import identity users and identity groups from an LDAP server because of insufficient memory. |
|
Recommended action |
No action is required. |
IDENTITY_LDAP_IMPORT_GROUP_FAILED
|
Message text |
Failed to import identity group [STRING] to domain [STRING] from the LDAP server specified in scheme [STRING]. |
|
Variable fields |
$1: Identity group name. $2: Identity domain name. $3: LADP scheme name. |
|
Severity level |
5 |
|
Example |
IDENTITY/5/IDENTITY_LDAP_IMPORT_GROUP_FAILED: Failed to import identity group group-na?me1 to domain system-domain from the LDAP server specified in scheme ldap-scheme1. |
|
Explanation |
Failed to import an identity group from the LDAP server specified in an LDAP scheme. |
|
Recommended action |
103. Make sure no identity group with the same group name exists on the device. 104. Make sure the identity domain name or the identity group name does not contain invalid characters. |
IDENTITY_LDAP_IMPORT_USER_FAILED
|
Message text |
Failed to import identity user [STRING] to domain [STRING] from the LDAP server specified in scheme [STRING]. |
|
Variable fields |
$1: Identity username. $2: Identity domain name. $3: LADP scheme name. |
|
Severity level |
5 |
|
Example |
IDENTITY/5/IDENTITY_LDAP_IMPORT_USER_FAILED: Failed to import identity user user-na?me1 to domain system-domain from the LDAP server specified in scheme ldap-scheme1. |
|
Explanation |
Failed to import an identity user from the LDAP server specified in an LDAP scheme. |
|
Recommended action |
105. Make sure no identity user with the same name exists on the device. 106. Make sure the identity domain name or the identity username does not contain invalid characters. |
IFNET messages
This section contains interface management messages.
IF_JUMBOFRAME_WARN
|
Message text |
The specified size of jumbo frames on the aggregate interface [STRING] is not supported on the member port [STRING]. |
|
Variable fields |
$1: Aggregate interface name. $2: Member port name. |
|
Severity level |
3 |
|
Example |
IFNET/3/IF_JUMBOFRAME_WARN: -MDC=1-Slot=3; The specified size of jumbo frames on the aggregate interface Bridge-Aggregation1 is not supported on the member port GigabitEthernet1/0/1. |
|
Explanation |
Some member ports do not support the jumbo frame size configured on the aggregate interface. |
|
Recommended action |
107. Identity the value range for the jumbo frame size supported on member ports. 108. Specify a jumbo frame size supported by member ports for the aggregate interface. |
INTERFACE_NOTSUPPRESSED
|
Message text |
Interface [STRING] is not suppressed. |
|
Variable fields |
$1: Interface name. |
|
Severity level |
6 |
|
Example |
IFNET/6/INTERFACE_NOTSUPPRESSED: Interface GigabitEthernet1/0/1 is not suppressed. |
|
Explanation |
The interface changed from suppressed state to unsuppressed state. When the interface is unsuppressed, the upper-layer services can detect the physical state changes of the interface. |
|
Recommended action |
No action is required. |
INTERFACE_SUPPRESSED
|
Message text |
Interface [STRING] was suppressed. |
|
Variable fields |
$1: Interface name. |
|
Severity level |
5 |
|
Example |
IFNET/5/INTERFACE_SUPPRESSED: Interface GigabitEthernet1/0/1 was suppressed. |
|
Explanation |
The interface was suppressed because its state frequently changed. When the interface is suppressed, the upper-layer services cannot detect the physical state changes of the interface. |
|
Recommended action |
109. Check whether the network cable of the interface or peer interface is frequently plugged and unplugged. 110. Configure physical state change suppression to adjust the suppression parameters. |
LINK_UPDOWN
|
Message text |
Line protocol state on the interface [STRING] changed to [STRING]. |
|
Variable fields |
$1: Interface name. $2: State of link layer protocol, which can be up or down. |
|
Severity level |
5 |
|
Example |
IFNET/5/LINK_UPDOWN: Line protocol state on the interface GigabitEthernet1/0/1 changed to down. |
|
Explanation |
The link layer protocol state changed on an interface. |
|
Recommended action |
When the link layer protocol state of an interface is down, use the display interface command to display the link layer protocol state and locate the reason for which the link layer protocol state changed to down on the interface. |
PHY_UPDOWN
|
Message text |
Physical state on the interface [STRING] changed to [STRING]. |
|
Variable fields |
$1: Interface name. $2: Link state, which can be up or down. |
|
Severity level |
3 |
|
Example |
IFNET/3/PHY_UPDOWN: Physical state on the interface GigabitEthernet1/0/1 changed to down. |
|
Explanation |
The physical state changed on an interface. |
|
Recommended action |
When the interface is physically down, check whether a physical link is present or whether the link fails. |
PROTOCOL_UPDOWN
|
Message text |
Protocol [STRING] state on the interface [STRING] changed to [STRING]. |
|
Variable fields |
$1: Protocol name. $2: Interface name. $3: Protocol state, which can be up or down. |
|
Severity level |
5 |
|
Example |
IFNET/5/PROTOCOL_UPDOWN: Protocol IPX state on the interface GigabitEthernet1/0/1 changed to up. |
|
Explanation |
The state of a protocol has been changed on an interface. |
|
Recommended action |
When the state of a network layer protocol is down, check the network layer protocol configuration. |
TUNNEL_LINK_UPDOWN
|
Message text |
Line protocol state on the interface [STRING] changed to [STRING]. |
|
Variable fields |
$1: Interface name. $2: Protocol state, which can be up or down. |
|
Severity level |
5 |
|
Example |
IFNET/5/TUNNEL_LINK_UPDOWN: Line protocol state on the interface Tunnel1 changed to down. |
|
Explanation |
The link layer protocol state changed on a tunnel interface. |
|
Recommended action |
When the link layer protocol state of a tunnel interface is down, use the display interface command to display the link layer protocol state and locate the reason for which the link layer protocol state changed to down on the tunnel interface. |
TUNNEL_PHY_UPDOWN
|
Message text |
Physical state on the interface [STRING] changed to [STRING]. |
|
Variable fields |
$1: Interface name. $2: Protocol state, which can be up or down. |
|
Severity level |
3 |
|
Example |
IFNET/3/TUNNEL_PHY_UPDOWN: Physical state on the interface Tunnel1 changed to down. |
|
Explanation |
The link layer state changed on a tunnel interface. |
|
Recommended action |
When the interface is physically down, check whether a physical link is present or whether the link fails. |
VLAN_MODE_CHANGE
|
Message text |
Dynamic VLAN [INT32] has changed to a static VLAN. |
|
Variable fields |
$1: VLAN ID. |
|
Severity level |
5 |
|
Example |
IFNET/5/VLAN_MODE_CHANGE: Dynamic VLAN 20 has changed to a static VLAN. |
|
Explanation |
Creating a VLAN interface for a VLAN cause the dynamic VLAN to become a static VLAN. |
|
Recommended action |
No action is required. |
IKE messages
This section contains IKE messages.
IKE_P1_SA_ESTABLISH_FAIL
|
Message text |
Failed to establish phase 1 SA in [STRING] mode [STRING] state. Reason: [STRING]. SA information: · Role: [STRING] · Local IP: [STRING] · Local ID type: [STRING] · Local ID: [STRING] · Local port: [UINT32] · Retransmissions: [UINT32] · Remote IP: [STRING] · Remote ID type: [STRING] · Remote ID: [STRING] · Remote port: [UINT32] · Recived retransmissions: [UINT32] · Inside VPN instance: [STRING] · Outside VPN instance: [STRING] · Initiator Cookie: [STRING] · Responder Cookie: [STRING] · Connection ID: [UINT32] · Tunnel ID: [UINT32] · IKE profile name: [STRING] |
|
Variable fields |
$1: Negotiation mode: main or aggressive. $2: State of the negotiation state machine. $3: Failure reason: ¡ Failed to verify the peer signature. ¡ HASH payload is missing. ¡ Failed to verify the peer HASH. Local HASH is %s. Peer HASH is %s. ¡ Signature payload is missing. ¡ Failed to get subject name from certificate. ¡ Failed to get certificate. ¡ Failed to get local certificate. ¡ Failed to get private key. ¡ Failed to verify the peer certificate (%s). ¡ Failed to get ID data for constructing ID payload. ¡ Invalid ID payload length: %d. ¡ Invalid ID payload with protocol %u and port %u. ¡ Invalid ID type (%u). ¡ Unsupported attribute %u. ¡ Attribute %s is repeated. ¡ Unsupported DOI %s. ¡ Unsupported IPsec DOI situation (%u). ¡ KE payload is missing. ¡ Invalid KE payload length (%lu). ¡ Invalid nonce payload length (%lu). ¡ No available proposal. ¡ Failed to parse the Cert Request payload. ¡ The proposal payload must be the last payload in the SA payload, but it is found followed by the %s payload. ¡ Unexpected protocol ID (%u) found in proposal payload. ¡ No transform payload in proposal payload. ¡ Transform number is not monotonically increasing. ¡ Invalid transform ID (%s). ¡ No acceptable transform. ¡ Unexpected %s payload in proposal. ¡ Invalid SPI length (%d) in proposal payload. ¡ Only one transform is permitted in one proposal, but %u transforms are found. ¡ Failed to find matching proposal in profile %s. ¡ Failed to find proposal %u in profile %s. ¡ Failed to find keychain %s in profile %s. ¡ Retransmission timeout. ¡ Incorrect configuration. ¡ Failed to construct certificate request payload. ¡ An error notification is received. ¡ Failed to add tunnel. $4: Role, initiator or responder. $5-$9: Information about the local end. $10-$14: Information about the remote end. $15: Inside VPN instance. $16: Outside VPN instance. $17-$18: Initiator cookie and responder cookie. $19: Connection ID. $20: IKE tunnel ID. The default is 4294967295. $21: IKE profile name. |
|
Severity level |
6 |
|
Example |
IKE/6/IKE_P1_SA_ESTABLISH_FAIL: Failed to establish phase 1 SA in main mode IKE_P1_STATE_SEND1 state. Reason: Failed to get certificate. SA information: · Role: Initiator · Local IP: 4.4.4.4 · Local ID type: IPV4_ADDR · Local ID: 4.4.4.4 · Local port: 500 · Retransmissions: 0 · Remote IP: 4.4.4.5 · Remote ID type: IPV4_ADDR · Remote ID: 4.4.4.5 · Remote port: 500 · Recived retransmissions: 0 · Inside VPN instance: aaa · Outside VPN instance : bbb · Initiator Cookie: 4a42af47dbf0b2b1 · Responder Cookie: 8f8c1ff6645efbaf · Connection ID: 1 · Tunnel ID: 1 · IKE profile name: abc |
|
Explanation |
IKE failed to establish a phase 1 SA. This message also displays the failure reason and information about the SA. |
|
Recommended action |
Verify the IKE configuration on the local and remote ends. |
IKE_P1_SA_TERMINATE
|
Message text |
The IKE phase 1 SA was deleted. Reason: [STRING]. SA information: · Role: [STRING] · Local IP: [STRING] · Local ID type: [STRING] · Local ID: [STRING] · Local port: [UINT32] · Retransmissions: [UINT32] · Remote IP: [STRING] · Remote ID type: [STRING] · Remote ID: [STRING] · Remote port: [UINT32] · Recived retransmissions: [UINT32] · Inside VPN instance: [STRING] · Outside VPN instance: [STRING] · Initiator Cookie: [STRING] · Responder Cookie: [STRING] · Connection ID: [UINT32] · Tunnel ID: [UINT32] · IKE profile name: [STRING] |
|
Variable fields |
$1: Reason for the deletion: ¡ DPD timeout. ¡ New IKE SA had been negotiated, and the old one was deleted. ¡ The IKE SA was redundant. ¡ An IKE SA deletion message was received from peer. ¡ IKE keepalive timed out. ¡ The IKE SA expired. ¡ The reset ike sa connection-id command was executed. ¡ All IKE SAs were deleted. ¡ The IKE SA in the GDOI group was deleted. $2: Role, initiator or responder. $3-$7: Information about the local end. $8-$12: Information about the remote end. $13: Inside VPN instance. $14: Outside VPN instance. $15-$16: Initiator cookie and responder cookie. $17: Connection ID. $18: IKE tunnel ID. The default is 4294967295. $19: IKE profile name. |
|
Severity level |
6 |
|
Example |
IKE/6/IKE_P1_SA_TERMINATE: The IKE phase 1 SA was deleted. Reason: DPD timeout. SA information: · Role: Responder · Local IP: 4.4.4.4 · Local ID type: IPV4_ADDR · Local ID: 4.4.4.4 · Local port: 500 · Retransmissions: 0 · Remote IP: 4.4.4.5 · Remote ID type: IPV4_ADDR · Remote ID: 4.4.4.5 · Remote port: 500 · Recived retransmissions: 0 · Inside VPN instance: aaa · Outside VPN instance: bbb · Initiator Cookie: 4a42af47dbf0b2b1 · Responder Cookie: 8f8c1ff6645efbaf · Connection ID: 1 · Tunnel ID: 1 · IKE profile name: abc |
|
Explanation |
The IKE SA established in phase 1 was deleted. This message also displays the deletion reason and information about the SA. |
|
Recommended action |
No action is required. |
IKE_P2_SA_ESTABLISH_FAIL
|
Message text |
Failed to establish phase 2 SA in [STRING] state. Reason: [STRING]. SA information: · Role: [STRING]. · Local address: [STRING]. · Remote address: [STRING]. · Sour addr: [STRING] Port: [UINT32] Protocol: [STRING] · Dest addr: Protocol:[STRING] Port: [UINT32] Protocol: [STRING] · Inside VPN instance: [STRING]. · Outside VPN instance: [STRING]. · Inbound AH SPI: [STRING] · Outbound AH SPI: [STRING] · Inbound ESP SPI: [STRING] · Outbound ESP SPI: [STRING] · Initiator Cookie: [STRING] · Responder Cookie: [STRING]. · Message ID: [STRING]. · Connection ID: [UINT32]. · Tunnel ID: [UINT32]. |
|
Variable fields |
$1: State of the negotiation state machine. $2: Failure reason: ¡ Failed to construct ID payload. ¡ Failed to calculate %s. ¡ Failed to validate %s. ¡ Failed to compute key material. ¡ Incorrect configuration. ¡ Failed to switch IPsec SA. ¡ The nonce payload doesn't exist. ¡ Invalid nonce payload length (%lu). ¡ No valid DH group description in SA payload. ¡ The KE payload doesn't exist. ¡ Too many KE payloads. ¡ The length of the KE payload doesn't match the DH group description. ¡ Failed to send message to IPsec when getting SP. ¡ Failed to send message to IPsec when getting SPI. ¡ Failed to add phase 2 SA. ¡ Retransmission of phase 2 packet timed out. ¡ Collision detected in phase 2 negotiation. ¡ No matching proposal found between the local and remote ends. ¡ Transform number is not monotonically increasing. ¡ Proposal payload has more transforms than specified in the proposal payload. ¡ Proposal payload has less transforms than specified in the proposal payload. ¡ Attribute %d is repeated in IPsec transform %d. ¡ SA_LIFE_TYPE attribute is repeated in packet. ¡ The SA_LIFE_TYPE attribute must be in front of the SA_LIFE_DURATION attribute. ¡ Unsupported IPsec attribute %s. ¡ The encapsulation mode must be specified in the IPsec transform set. ¡ Invalid SPI length (%u) in IPsec proposal. ¡ Invalid SPI (%u) in IPsec proposal. ¡ The Transform ID (%d) in transform %d doesn't match authentication algorithm %s (%u). ¡ Failed to get SPI from proposal. ¡ No transform in IPsec proposal. ¡ A proposal payload contains more than one AH proposal. ¡ Invalid next payload (%u) in proposal. ¡ No ESP or AH proposal. ¡ Unsupported DOI. ¡ Unsupported IPsec DOI situation (%u). ¡ Invalid IPsec proposal %u. ¡ Failed to get IPsec policy when renegotiating IPsec SA. ¡ Failed to get IPsec policy as phase 2 responder. $3: Role, initiator or responder. $4: Local IP address. $5: Remote IP address. $6-$11: Data flow-related parameters. $12: Inside VPN instance. $13: Outside VPN instance. $14: Inbound AH SPI. $15: Outbound AH SPI. $16: Inbound ESP SPI. $17: Outboundd ESP SPI. $18-$19: Initiator cookie and responder cookie. $20: Message ID. $21: Connection ID. $22: IKE tunnel ID. The default is 4294967295. |
|
Severity level |
6 |
|
Example |
IKE/6/IKE_P2_SA_ESTABLISH_FAIL: Failed to establish phase 2 SA in IKE_P2_STATE_GETSPI state. Reason: Failed to get SPI from proposal. SA information: · Role: Responder · Local address: 2.2.2.2 · Remote address: 1.1.1.1 · Sour addr: 192.168.2.0/255.255.255.0 Port: 0 Protocol: IP · Dest addr: 192.168.1.0/255.255.255.0 Port: 0 Protocol: IP · Inside VPN instance: aaa · Outside VPN instance: bbb · Inbound AH SPI: 192365458 · Outbound AH SPI: 13654581 · Inbound ESP SPI: 292334583 · Outbound ESP SPI: 5923654586 · Initiator Cookie: 4a42af47dbf0b2b1 · Responder Cookie: 8f8c1ff6645efbaf · Message ID: 0xa2b11c8e · Connection ID: 1 · Tunnel ID: 1 |
|
Explanation |
IKE failed to establish a phase 2 SA. This message also displays the failure reason and information about the SA. |
|
Recommended action |
Verify the IKE and IPsec configurations on the local and remote ends. |
IKE_P2_SA_TERMINATE
|
Example |
The IKE phase 2 SA was deleted. Reason: [STRING]. SA information: · Role: [STRING] · Local address: [STRING] · Remote address: [STRING] · Sour addr: [STRING] Port: [UINT32] Protocol: [STRING] · Dest addr: [STRING] Port: [UINT32] Protocol: [STRING] · Inside VPN instance: [STRING] · Outside VPN instance: [STRING] · Inbound AH SPI: [STRING] · Outbound AH SPI: [STRING] · Inbound ESP SPI: [STRING] · Outbound ESP SPI: [STRING] · Initiator Cookie: [STRING] · Responder Cookie: [STRING] · Message ID: [STRING] · Connection ID: [UINT32] · Tunnel ID: [UINT32] |
|
Variable fields |
$1: Reason for the deletion: ¡ The SA expired. ¡ An IPsec SA deletion message was received from peer. ¡ New P2 SA had been negotiated, and the old one was deleted. ¡ All P2 SAs were deleted. ¡ The P2 SA was deleted by SPID. ¡ The P2 SA was deleted by IFIndex. ¡ The P2 SA was deleted by SA index. $2: Role, initiator or responder. $3: Local IP address. $4: Remote IP address. $5-$10: Data flow-related parameters. $11: Inside VPN instance. $12: Outside VPN instance. $13: Inbound AH SPI. $14: Outbound AH SPI. $15: Inbound ESP SPI. $16: Outboundd ESP SPI. $17-$18: Initiator cookie and responder cookie. $19: Message ID. $20: Connection ID. $21: IKE tunnel ID. The default is 4294967295. |
|
Severity level |
6 |
|
Example |
IKE/6/IKE_P2_SA_TERMINATE: The IKE phase 2 SA was deleted. Reason: An IPsec SA deletion message was received. SA information: · Role: Responder · Local address: 2.2.2.2 · Remote address: 1.1.1.1 · Sour addr: 192.168.2.0/255.255.255.0 Port: 0 Protocol: IP · Dest addr: 192.168.1.0/255.255.255.0 Port: 0 Protocol: IP · Inside VPN instance: aaa · Outside VPN instance: bbb · Inbound AH SPI: 192365458 · Outbound AH SPI: 13654581 · Inbound ESP SPI: 292334583 · Outbound ESP SPI: 5923654586 · Initiator Cookie: 4a42af47dbf0b2b1 · Responder Cookie: 8f8c1ff6645efbaf · Message ID: 0xa2b11c8e · Connection ID: 1 · Tunnel ID: 1 |
|
Explanation |
An IKE phase 2 SA was deleted. This message also displays the deletion reason and information about the SA. |
|
Recommended action |
No action is required. |
IKE_XAUTH_FAILE
|
Example |
Failed to pass extended authentication in [STRING] mode [STRING] state. Reason: [STRING]. SA information: · Role: [STRING]. · Local IP: [STRING]. · Local ID type: [STRING]. · Local ID: [STRING]. · Local port: [UINT32]. · Retransmissions: [UINT32] · Remote IP: [STRING]. · Remote ID type: [STRING]. · Remote ID: [STRING]. · Remote port: [UINT32]. · Recived retransmissions: [UINT32] · Inside VPN instance: [STRING]. · Outside VPN instance: [STRING]. · Initiator Cookie: [STRING] · Responder Cookie: [STRING]. · Message ID: [STRING]. · Connection ID: [UINT32] |
|
Variable fields |
$1: Negotiation mode: main or aggressive. $2: State of the negotiation state machine. $3: Failure reason: ¡ Failed to verify the HASH payload. ¡ Failed to parse the attribute payload. $4: Role, initiator or responder. $5-$9: Information about the local end. $10-$14: Information about the remote end. $15: Inside VPN instance. $16: Outside VPN instance. $17-$18: Initiator cookie and responder cookie. $19: Message ID. $20: Connection ID. |
|
Severity level |
6 |
|
Example |
IKE/6/IKE_XAUTU_FAILE: Failed to pass extended authentication, in main mode IKE_XAUTH_STATE_SET state. Reason: Failed to parse the attribute payload. SA information: · Role: Initiator · Local IP: 4.4.4.4 · Local ID type: IPV4_ADDR · Local ID: 4.4.4.4 · Local port: 500 · Retransmissions: 0 · Remote IP: 4.4.4.5 · Remote ID type: IPV4_ADDR · Remote ID: 4.4.4.5 · Remote port: 500 · Recived retransmissions: 0 · Inside VPN instance: aaa · Outside VPN instance: bbb · Initiator Cookie: 4a42af47dbf0b2b1 · Responder Cookie: 8f8c1ff6645efbaf · Message ID: 0xa2b11c8e · Connection ID: 1 |
|
Explanation |
Extended authentication failed. This message also displays the failure reason and information about the SA. |
|
Recommended action |
No action is required. |
IPSEC messages
This section contains IPsec messages.
IPSEC_FAILED_ADD_FLOW_TABLE
|
Message text |
Failed to add flow-table due to [STRING]. |
|
Variable fields |
$1: Reason for the failure. |
|
Severity level |
4 |
|
Example |
IPSEC/4/IPSEC_FAILED_ADD_FLOW_TABLE: Failed to add flow-table due to no enough resource. |
|
Explanation |
Failed to add the flow table. |
|
Recommended action |
If the failure is caused by not enough hardware resources, contact H3C Support. |
IPSEC_PACKET_DISCARDED
|
Message text |
IPsec packet discarded, Src IP:[STRING], Dst IP:[STRING], SPI:[UINT32], SN:[UINT32], Cause:[STRING]. |
|
Variable fields |
$1: Source IP address. $2: Destination IP address. $3: Security parameter index (SPI). $4: Sequence number of the packet. $5: Reason for dropping this packet: · Anti-replay checking failed. · AH authentication failed. · ESP authentication failed. · Invalid SA. · ESP decryption failed. · Source address of packet does not match the SA. · No ACL rule matched. |
|
Severity level |
6 |
|
Example |
IPSEC/6/IPSEC_PACKET_DISCARDED: IPsec packet discarded, Src IP:1.1.1.2, Dest IP:1.1.1.4, SPI:1002, SN:0, Cause:ah authentication failed |
|
Explanation |
An IPsec packet was dropped. |
|
Recommended action |
No action is required. |
IPSEC_SA_ESTABLISH
|
Message text |
IPsec SA was established. · Role: [STRING] · Local address: [STRING] · Remote address: [STRING] · Sour addr: [STRING] Port: [UINT32] Protocol: [STRING] · Dest addr: [STRING] Port: [UINT32] Protocol: [STRING] · Inside VPN instance: [STRING] · Outside VPN instance: [STRING] · Inbound AH SPI: [STRING] · Outbound AH SPI: [STRING] · Inbound ESP SPI: [STRING] · Outbound ESP SPI: [STRING] · ACL number: [UINT32] · ACL name: [STRING] |
|
Variable fields |
$1: Role, initiator or responder. $2: Local IP address. $3: Remote IP address. $4-$9: Data flow related parameters. $10: Inside VPN instance. $11: Outside VPN instance. $12: Inbound AH SPI. $13: Outbound AH SPI. $14: Inbound ESP SPI. $15: Outbound ESP SPI. $16: ACL number. The default is 4294967295. This field is not displayed if the ACL name is displayed. $17: ACL name. This field is not displayed if the ACL number is displayed. |
|
Severity level |
6 |
|
Example |
IPSEC/6/IPSEC_SA_ESTABLISH: IPsec SA was established. Role: Responder Local address: 2.2.2.2 Remote address: 1.1.1.1 Sour addr: 192.168.2.0/255.255.255.0 Port: 0 Protocol: IP Dest addr: 192.168.1.0/255.255.255.0 Port: 0 Protocol: IP Inside VPN instance: aaa Outside VPN instance: bbb Inbound AH SPI: 192365458 Outbound AH SPI: 13654581 Inbound ESP SPI: 292334583 Outbound ESP SPI: 5923654586 ACL number: 3101 |
|
Explanation |
An IPsec SA was established. |
|
Recommended action |
No action is required. |
IPSEC_SA_ESTABLISH_FAIL
|
Message text |
Failed to establish IPsec SA. Reason: [STRING]. SA information: Role: [STRING] Local address: [STRING] Remote address: [STRING] Sour addr: [STRING] Port: [UINT32] Protocol: [STRING] Dest addr: [STRING] Port: [UINT32] Protocol: [STRING] Inside VPN instance: [STRING] Outside VPN instance: [STRING] Inbound AH SPI: [STRING] Outbound AH SPI: [STRING] Inbound ESP SPI: [STRING] Outbound ESP SPI: [STRING] ACL number: [UINT32] ACL name: [STRING] |
|
Variable fields |
$1: Failure reason: · Get SP: Required configuration is missing in the SP. SP ID=%u. · Get SP: The SP's local address doesn't match the local address configured in the IKE profile. SP ID=%u, SP's local address=%s, p2policy's local address=%s. · Get SP: The remote address doesn't exist. SP ID=%u, hostname=%s. · Get SP: The SP's remote address doesn't match the remote address configured in the IKE profile. SP ID=%u, SP's remote address=%s, p2policy's remote address=%s. · Get SP: SP's mode [%d] is not IPSEC_PLCMODE_ISAKMP/ISAKMPTEMPLATE. · Get SP: The SP contains incomplete flow matching configuration. · Get SP: Failed to get the SP. · The policy contains incorrect ACL or IKE profile configuration. PolicyName=%s, Seqnum=%d. · Get SP: The SP doesn't have an IPsec transform set. · Get SP: Failed to create larval SA. · Create SA: Failed to fill the SA. · Create SA: Failed to create SA. · Create SA: Can't find SP. · Failed to create tunnel because a tunnel with the same index and sequence number already exists. Tunnel index=%d, tunnel seq=%d. · Failed to switch SA because the inbound SA can't be found. SPI=%u. · Failed to switch SA because the SA state is incorrect. · Failed to switch SA because the outbound SA can't be found. · Failed to switch SA because the outbound SA using another security protocol can't be found. · Failed to switch SA in kernel. · Failed to notify kernel of the link state change. · Number of IPsec tunnels reached the crypto capacity of the device. · Maximum number of IPsec tunnels already reached. · Failed to add IPsec tunnel. · Failed to add IPsec tunnel to kernel. $2: Role, initiator or responder. $3: Local IP address. $4: Remote IP address. $5-$10: Data flow related parameters. $11: Inside VPN instance. $12: Outside VPN instance. $13: Inbound AH SPI. $14: Outbound AH SPI. $15: Inbound ESP SPI. $16: Outbound ESP SPI. $17: ACL number. The default is 4294967295. This field is not displayed if the ACL name is displayed. $18: ACL name. This field is not displayed if the ACL number is displayed. |
|
Severity level |
6 |
|
Example |
IPSEC/6/IPSEC_SA_ESTABLISH_FAIL: Failed to establish IPsec SA Reason: Failed to add IPsec tunnel. SA information: Role: Responder Local address: 2.2.2.2 Remote address: 1.1.1.1 Sour addr: 192.168.2.0/255.255.255.0 Port: 0 Protocol: IP Dest addr: 192.168.1.0/255.255.255.0 Port: 0 Protocol: IP Inside VPN instance: aaa Outside VPN instance: bbb Inbound AH SPI: 192365458 Outbound AH SPI: 13654581 Inbound ESP SPI: 292334583 Outbound ESP SPI: 5923654586 ACL number: 3101 |
|
Explanation |
Failed to establish an IPsec SA. |
|
Recommended action |
Verify the IPsec configurations on the local and peer devices. |
IPSEC_SA_INITIATION
|
Message text |
Began to establish IPsec SA. Local address: [STRING] Remote address: [STRING] Sour addr: [STRING] Port: [UINT32] Protocol: [STRING] Dest addr: [STRING] Port: [UINT32] Protocol: [STRING] Inside VPN instance: [STRING] Outside VPN instance: [STRING] ACL number: [UINT32] ACL name: [STRING] |
|
Variable fields |
$1: Local IP address. $2: Remote IP address. $3-$8: Data flow related parameters. $9: Inside VPN instance. $10: Outside VPN instance. $11: ACL number. The default is 4294967295. This field is not displayed if the ACL name is displayed. $12: ACL name. This field is not displayed if the ACL number is displayed. |
|
Severity level |
6 |
|
Example |
IPSEC/6/IPSEC_SA_INITIATION: Began to establish IPsec SA. Local address: 2.2.2.2 Remote address: 1.1.1.1 Sour addr: 192.168.2.0/255.255.255.0 Port: 0 Protocol: IP Dest addr: 192.168.1.0/255.255.255.0 Port: 0 Protocol: IP Inside VPN instance: aaa Outside VPN instance: bbb ACL number: 3101 |
|
Explanation |
An IPsec SA was to be established. |
|
Recommended action |
No action is required. |
IPSEC_SA_TERMINATE
|
Message text |
The IPsec SA was deleted. Reason: [STRING] SA information: · Role: [STRING] · Local address: [STRING] · Remote address: [STRING] · Sour addr: [STRING] Port: [UINT32] Protocol: [STRING] · Dest addr: [STRING] Port: [UINT32] Protocol: [STRING] · Inside VPN instance: [STRING] · Outside VPN instance: [STRING] · Inbound AH SPI: [STRING] · Outbound AH SPI: [STRING] · Inbound ESP SPI: [STRING] · Outbound ESP SPI: [STRING] · ACL number: [UINT32] · ACL name: [STRING] |
|
Variable fields |
$1: Reason for the deletion: · SA idle timeout · The reset command was executed · Internal event · Configuration change · An IKE SA deletion message was received $2: Role, initiator or responder. $3: Local IP address. $4: Remote IP address. $5-$10: Data flow related parameters. $11: Inside VPN instance. $12: Outside VPN instance. $13: Inbound AH SPI $14: Outbound AH SPI $15: Inbound ESP SPI $16: Outbound ESP SPI $17: ACL number. The default is 4294967295. This field is not displayed if the ACL name is displayed. $18: ACL name. This field is not displayed if the ACL number is displayed. |
|
Severity level |
6 |
|
Example |
IPSEC/6/IPSEC_SA_TERMINATE: The IPsec SA was deleted. Reason: SA idle timeout. SA information: Role: initiator Local address: 2.2.2.2 Remote address: 1.1.1.1 Sour addr: 192.168.2.0/255.255.255.0 Port: 0 Protocol: IP Dest addr: 192.168.1.0/255.255.255.0 Port: 0 Protocol: IP Inside VPN instance: aaa Outside VPN instance: bbb Inbound AH SPI: 192365458 Outbound AH SPI: 13654581 Inbound ESP SPI: 292334583 Outbound ESP SPI: 5923654586 ACL number: 3101 |
|
Explanation |
An IPsec SA was deleted. |
|
Recommended action |
No action is required. |
IPSEC_ANTI-REPLAY_WINDOWS_ERROR
|
Message text |
Anti-replay dropped a packet: src=[STRING]; time-sent=[STRING], [UINT32] [STRING] [UINT32] [UINT32]:[UINT32]:[UINT32] [UINT32]us; time-received=[STRING], [UINT32] [STRING] [UINT32] [UINT32]:[UINT32]:[UINT32] [UINT32]us; time-diff=[UINT32]us; window-size= +-[FLOAT]ms. |
|
Variable fields |
$1: Source IP address of the packet. $2: Day of the week on which the packet was sent. $3: Day of the month on which the packet was sent. $4: Month in which the packet was sent. $5: Year in which the packet was sent. $6: Hour at which the packet was sent. $7: Minute at which the packet was sent. $8: Second at which the packet was sent. $9: Microsecond at which the packet was sent. $10: Day of the week on which the packet was received. $11: Day of the month on which the packet was received. $12: Month in which the packet was received. $13: Year in which the packet was received. $14: Hour at which the packet was received. $15: Minute at which the packet was received. $16: Second at which the packet was received. $17: Microsecond at which the packet was received. $18: Interval between the time the packet was sent and the time it was received, in microseconds. $19: Half the anti-replay window size, in milliseconds. |
|
Severity level |
6 |
|
Example |
IPSEC/6/IPSEC_ANTI-REPLAY_WINDOWS_ERROR: Anti-replay dropped a packet: src=192.168.58.178;time-sent=Sat, 23 Apr 2016 11:17:29 594565us; time-received =Sat, 23 Apr 2016 11:17:26 707866us; time-diff=2886699us; window-size =+-2500ms. |
|
Explanation |
A packet was dropped. Possible reasons include: · The interval between the time the packet was sent and the time it was received exceeds the anti-replay window size. · Anti-replay is enabled on the receiving IPsec tunnel end but the received packet does not have an anti-replay header. · In tunnel mode, anti-replay is not enabled but the received packet has an anti-replay header. |
|
Recommended action |
No action is required. |
IPSG messages
This section contains IPSG messages.
IPSG_ADDENTRY_ERROR
|
Message text |
|
|
Variable fields |
$1: IP address. If you do not specify an IP address, this field displays N/A. $2: MAC address. If you do not specify a MAC address, this field displays N/A. $3: VLAN ID. If you do not specify a VLAN, this field displays 65535. $4: Interface name. If you do not specify an interface, this field displays N/A. $5: Failure reasons. Available options include: ¡ Unknown error |
|
Severity level |
6 |
|
Example |
|
|
Explanation |
IPSG failed to issue a static or dynamic IPSG binding. The message is sent in any of the following situations: · The IPSG feature is not supported. · The hardware resources are not sufficient for the operation. · An unknown error occurs. |
|
Recommended action |
To resolve the problem, you can perform the following tasks: · Clear the memory to release hardware resources when the failure is caused by insufficient hardware resources. · Add the IPSG binding again if you are adding a static binding. · Contact H3C Support if the failure is caused by an unknown error. |
IPSG_DELENTRY_ERROR
|
Message text |
|
|
Variable fields |
$1: IP address. If you do not specify an IP address, this field displays N/A. $2: MAC address. If you do not specify a MAC address, this field displays N/A. $3: VLAN ID. If you do not specify a VLAN, this field displays 65535. $4: Interface name. If you do not specify an interface, this field displays N/A. $5: Failure reason. Available options include: ¡ Unknown error |
|
Severity level |
6 |
|
Example |
|
|
Explanation |
IPSG failed to delete a global static IPSG binding. The message is sent in any of the following situations: · The IPSG feature is not supported. · An unknown error occurs. |
|
Recommended action |
To resolve the problem, you can perform the following tasks: · Delete the global static IPSG binding again. · Contact H3C Support if the failure is caused by an unknown error. |
IRF
This section contains IRF messages.
IRF_LINK_BLOCK
|
Message text |
IRF port went blocked. |
|
Variable fields |
N/A |
|
Severity level |
2 |
|
Example |
IRF/2/IRF_LINK_BLOCK: IRF port went blocked. |
|
Explanation |
The IRF port was blocked. A blocked IRF port cannot send and receive service packets, but it can send and receive IRF protocol packets. For example, this message appears on the member device that has the lower priority when an IRF member ID conflict is detected for member devices. |
|
Recommended action |
Check the IRF member ID on each member device for any conflict, and change the IRF member IDs of member devices to be unique. |
IRF_LINK_DOWN
|
Message text |
IRF port went down. |
|
Variable fields |
N/A |
|
Severity level |
3 |
|
Example |
IRF/3/IRF_LINK_DOWN: IRF port went down. |
|
Explanation |
The IRF port went down. |
|
Recommended action |
Verify the following items: · Network interfaces have been bound to the IRF port. · The IRF network interfaces and the peer interfaces have Layer 2 connectivity. |
IRF_LINK_UP
|
Message text |
IRF port came up. |
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
IRF/6/IRF_LINK_UP: IRF port came up. |
|
Explanation |
The IRF port came up. |
|
Recommended action |
No action is required. |
IRF_MEMBER_LEFT
|
Message text |
Member [STRING] left the IRF fabric. |
|
Variable fields |
$1: IRF member ID of the device. |
|
Severity level |
4 |
|
Example |
IRF/4/IRF_MEMBER_LEFT: Member 2 left the IRF fabric. |
|
Explanation |
This message occurs when a member device left the IRF fabric. |
|
Recommended action |
No action is required. |
IRF_MEMBERID_CONFLICT
|
Message text |
IRF member ID conflict occurred. The ID [UINT32] has been used for another device with CPU-Mac: [STRING]. |
|
Variable fields |
$1: IRF member ID of the device. $2: CPU MAC address of the device. |
|
Severity level |
4 |
|
Example |
IRF/4/IRF_MEMBERID_CONFLICT:-slot = 5; IRF member ID conflict occurred, The ID 5 has been used for another device with CPU-Mac: 000c-29d7-c1ae. |
|
Explanation |
This message occurs when the device detects that it has the same IRF member ID as another device in the same broadcast domain. |
|
Recommended action |
Check the IRF member IDs and change the IRF member ID of a device. Make sure the member devices use unique member IDs. |
IRF_MEMBERID_CONFLICT_REBOOT
|
Message text |
IRF member ID conflict. For the device to join the IRF fabric,please change the device member ID to a unique one among all the IRF member devices and reboot the device. |
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
IRF/4/IRF_MEMBERID_CONFLICT_REBOOT: IRF member ID conflict. For the device to join the IRF fabric,please change the device member ID to a unique one among all the IRF member devices and reboot the device. |
|
Explanation |
This message occurs if the device fails to join an IRF fabric because it is using the same member ID as another IRF member device. In this situation, the network ports on the device will be blocked until it re-joins the IRF fabric with a unique member ID. |
|
Recommended action |
111. Log in to the device that displayed this message. 112. Change the member ID of the device to a unique one. 113. Reboot the device to re-join the IRF fabric. |
IRF_MERGE
|
Message text |
IRF merge occurred. |
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
IRF/4/IRF_MERGE: IRF merge occurred. |
|
Explanation |
IRF merge occurred. |
|
Recommended action |
No action is required. |
IRF_MERGE_NEED_REBOOT
|
Message text |
IRF merge occurred. This IRF system needs a reboot. |
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
IRF/4/IRF_MERGE_NEED_REBOOT: IRF merge occurred. This IRF system needs a reboot. |
|
Explanation |
IRF merge occurred. This IRF fabric needs a reboot to complete the IRF merge because the master of this IRF fabric failed the master election for IRF merge. |
|
Recommended action |
Reboot the IRF fabric to complete the IRF merge. |
IRF_MERGE_NOT_NEED_REBOOT
|
Message text |
IRF merge occurred. This IRF system does not need to reboot. |
|
Variable fields |
N/A |
|
Severity level |
5 |
|
Example |
IRF/5/IRF_MERGE_NOT_NEED_REBOOT: IRF merge occurred. This IRF system does not need to reboot. |
|
Explanation |
IRF merge occurred. This IRF fabric does not need to reboot because the master of this IRF fabric won the master election for IRF merge. |
|
Recommended action |
No action is required. |
IRF_NEWMEMBER_JOIN
|
Message text |
Member [STRING] joined the IRF fabric. |
|
Variable fields |
$1: IRF member ID of the device. |
|
Severity level |
4 |
|
Example |
IRF/4/IRF_NEWMEMBER_JOIN: Member 2 joined the IRF fabric. |
|
Explanation |
This message occurs when a member device joined the IRF fabric. |
|
Recommended action |
No action is required. |
KDNS messages
This section contains KDNS messages.
KDNS_BIND_PORT_ALLOCETED
|
Message text |
Failed to bind UDP [STRING] connection port [NUMBER] to VPN instance [STRING] for the DNS listener because the port has already been allocated. |
|
Variable fields |
$1: UDP port type: · IPv4 · IPv6 $2: UDP port number. $3: VPN instance name. |
|
Severity level |
3 |
|
Example |
KDNS/3KDNS_BIND_PORT_ALLOCETED: -MDC=1; Failed to bind UDP IPv4 connection port 53 to VPN instance vpn1 for the DNS listener because the port has already been allocated. |
|
Explanation |
The system failed to bind a UDP port to a DNS listener because the port has been used. |
|
Recommended action |
Bind a UDP port that has not been used. |
KHTTP messages
This section contains KHTTP messages.
KHTTP_BIND_PORT_ALLOCETED
|
Message text |
Failed to bind TCP connection [STRING]/[UINT32] to VPN instance [UINT32] because the port was already allocated. |
|
Variable fields |
$1: IP address. $2: Port number. $3: Index of a VPN instance. |
|
Severity level |
3 |
|
Example |
KHTTP/3/KHTTP_BIND_PORT_ALLOCETED: Failed to bind TCP connection 192.168.30.117/10000 to VPN instance 0 because the port was already allocated. |
|
Explanation |
Failed to bind an IP address and a port number to a VPN instance because the port number was already allocated. |
|
Recommended action |
114. Display port information by executing the display tcp-proxy port-info or display ipv6 tcp-proxy port-info command. 115. Rebind the TCP connection to the VPN instance by using an available port number. |
KHTTP_BIND_ADDRESS_INUSED
|
Message text |
Failed to bind TCP connection [STRING]/[UINT32] to VPN instance [UINT32] because the address was already used. |
|
Variable fields |
$1: IP address. $2: Port number. $3: Index of a VPN instance. |
|
Severity level |
3 |
|
Example |
KHTTP/3/KHTTP_BIND_ADDRESS_INUSED: Failed to bind TCP connection 192.168.30.117/10000 to VPN instance 0 because the address was already used. |
|
Explanation |
Failed to bind an IP address and a port number to a VPN instance because the IP address was already used and cannot be reused. |
|
Recommended action |
116. Display IP address information by executing the display tcp-proxy command. 117. Rebind the TCP connection to the VPN instance by using an unused or a reusable IP address. |
L2TP messages
This section contains L2TP messages.
L2TPV2_TUNNEL_EXCEED_LIMIT
|
Message text |
Number of L2TP tunnels exceeded the limit. |
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
L2TPV2/4/L2TPV2_TUNNEL_EXCEED_LIMIT: Number of L2TP tunnels exceeded the limit. |
|
Explanation |
The number of established L2TP tunnels has reached the limit. |
|
Recommended action |
118. Perform one of the following tasks: ¡ Execute the reset l2tp tunnel command to disconnect an idle tunnel. ¡ Wait for the device to automatically disconnect an idle tunnel after the hello interval elapses. 119. If the problem persists, contact H3C for support. |
L2TPV2_SESSION_EXCEED_LIMIT
|
Message text |
Number of L2TP sessions exceeded the limit. |
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
L2TPV2/4/L2TPV2_SESSION_EXCEED_LIMIT: Number of L2TP sessions exceeded the limit. |
|
Explanation |
The number of established L2TP sessions has reached the limit. |
|
Recommended action |
No action is required. |
LAGG messages
This section contains link aggregation messages.
LAGG_ACTIVE
|
Message text |
Member port [STRING] of aggregation group [STRING] changed to the active state. |
|
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
|
Severity level |
6 |
|
Example |
LAGG/6/LAGG_ACTIVE: Member port GE1/0/1 of aggregation group BAGG1 changed to the active state. |
|
Explanation |
A member port in an aggregation group changed to the Selected state. |
|
Recommended action |
No action is required. |
LAGG_INACTIVE_AICFG
|
Message text |
Member port [STRING] of aggregation group [STRING] changed to the inactive state, because the member port and the aggregate interface have different attribute configurations. |
|
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
|
Severity level |
6 |
|
Example |
LAGG/6/LAGG_INACTIVE_AICFG: Member port GE1/0/1 of aggregation group BAGG1 changed to the inactive state, because the member port and the aggregate interface have different attribute configurations. |
|
Explanation |
A member port in an aggregation group changed to the Unselected state because the member port and the aggregate interface had different attribute configurations. |
|
Recommended action |
Modify the attribute configurations of the member port to be consistent with the aggregate interface. |
LAGG_INACTIVE_BFD
|
Message text |
Member port [STRING] of aggregation group [STRING] changed to the inactive state, because the BFD session state of the port was down. |
|
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
|
Severity level |
6 |
|
Example |
LAGG/6/LAGG_INACTIVE_BFD: Member port GE1/0/1 of aggregation group BAGG1 changed to the inactive state, because the BFD session state of the port is down. |
|
Explanation |
A member port in an aggregation group changed to the Unselected state because the BFD session on the port became down. |
|
Recommended action |
To resolve the problem, you can perform the following tasks: · Verify that link failure has occurred and troubleshoot the failure. · Modify the port information and configuration for the port to have the same operational key and attribute configuration as the reference port. |
LAGG_INACTIVE_CONFIGURATION
|
Message text |
Member port [STRING] of aggregation group [STRING] changed to the inactive state, because the aggregation configuration of the port is incorrect. |
|
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
|
Severity level |
6 |
|
Example |
LAGG/6/LAGG_INACTIVE_CONFIGURATION: Member port GE1/0/1 of aggregation group BAGG1 changed to the inactive state, because the aggregation configuration of the port is incorrect. |
|
Explanation |
A member port in an aggregation group changed to the Unselected state because the member port and the aggregate interface had different aggregation configuration. |
|
Recommended action |
No action is required. |
LAGG_INACTIVE_DUPLEX
|
Message text |
Member port [STRING] of aggregation group [STRING] changed to the inactive state, because the duplex mode is different between the member port and the reference port. |
|
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
|
Severity level |
6 |
|
Example |
LAGG/6/LAGG_INACTIVE_DUPLEX: Member port GE1/0/1 of aggregation group BAGG1 changed to the inactive state, because the duplex mode is different between the member port and the reference port. |
|
Explanation |
A member port in an aggregation group changed to the Unselected state because the duplex mode was different between the member port and the reference port. |
|
Recommended action |
Change the duplex mode of the member port to be the same as the reference port. |
LAGG_INACTIVE_HARDWAREVALUE
|
Message text |
Member port [STRING] of aggregation group [STRING] changed to the inactive state, because of the port's hardware restriction. |
|
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
|
Severity level |
6 |
|
Example |
LAGG/6/LAGG_INACTIVE_HARDWAREVALUE: Member port GE1/0/1 of aggregation group BAGG1 changed to the inactive state, because of the port's hardware restriction. |
|
Explanation |
A member port in an aggregation group changed to the Unselected state because of the port's hardware restriction. |
|
Recommended action |
No action is required. |
LAGG_INACTIVE_LOWER_LIMIT
|
Message text |
Member port [STRING] of aggregation group [STRING] changed to the inactive state, because the number of active ports is below the lower limit. |
|
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
|
Severity level |
6 |
|
Example |
LAGG/6/LAGG_INACTIVE_LOWER_LIMIT: Member port GE1/0/1 of aggregation group BAGG1 changed to the inactive state, because the number of active ports is below the lower limit. |
|
Explanation |
A member port in an aggregation group was placed in Unselected state because the required minimum number of Selected ports was not reached. |
|
Recommended action |
Make sure the minimum number of Selected ports is met. |
LAGG_INACTIVE_PARTNER
|
Message text |
Member port [STRING] of aggregation group [STRING] changed to the inactive state, because the aggregation configuration of its peer port is incorrect. |
|
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
|
Severity level |
6 |
|
Example |
LAGG/6/LAGG_INACTIVE_PARTNER: Member port GE1/0/1 of aggregation group BAGG1 changed to the inactive state, because the aggregation configuration of its peer port is incorrect. |
|
Explanation |
A member port in an aggregation group changed to the Unselected state because the port's partner changed to the Unselected state. |
|
Recommended action |
No action is required. |
LAGG_INACTIVE_PHYSTATE
|
Message text |
Member port [STRING] of aggregation group [STRING] changed to the inactive state, because the physical state of the port is down. |
|
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
|
Severity level |
6 |
|
Example |
LAGG/6/LAGG_INACTIVE_PHYSTATE: Member port GE1/0/1 of aggregation group BAGG1 changed to the inactive state, because the physical state of the port is down. |
|
Explanation |
A member port in an aggregation group changed to the Unselected state because the port went down. |
|
Recommended action |
Bring up the member port. |
LAGG_INACTIVE_RESOURCE_INSUFICIE
|
Message text |
Member port [STRING] of aggregation group [STRING] changed to the inactive state, because all aggregate resources are occupied. |
|
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
|
Severity level |
6 |
|
Example |
LAGG/6/LAGG_INACTIVE_RESOURCE_INSUFICIE: Member port GE1/0/1 of aggregation group BAGG1 changed to the inactive state, because all aggregate resources are occupied. |
|
Explanation |
A member port in an aggregation group changed to the Unselected state because all aggregation resources were used. |
|
Recommended action |
No action is required. |
LAGG_INACTIVE_SPEED
|
Message text |
Member port [STRING] of aggregation group [STRING] changed to the inactive state, because the speed configuration of the port is incorrect. |
|
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
|
Severity level |
6 |
|
Example |
LAGG/6/LAGG_INACTIVE_SPEED: Member port GE1/0/1 of aggregation group BAGG1 changed to the inactive state, because the speed configuration of the port is incorrect. |
|
Explanation |
A member port in an aggregation group changed to the Unselected state because the speed was different between the member port and the reference port. |
|
Recommended action |
Change the speed of the member port to be the same as the reference port. |
LAGG_INACTIVE_UPPER_LIMIT
|
Message text |
Member port [STRING] of aggregation group [STRING] changed to the inactive state, because the number of active ports has reached the upper limit. |
|
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
|
Severity level |
6 |
|
Example |
LAGG/6/LAGG_INACTIVE_UPPER_LIMIT: Member port GE1/0/1 of aggregation group BAGG1 changed to the inactive state, because the number of active ports has reached the upper limit. |
|
Explanation |
The number of Selected ports reached the upper limit in a dynamic aggregation group. A member port in the aggregation group changed to the Unselected state because a more eligible port joined the aggregation group. |
|
Recommended action |
No action is required. |
LB messages
This section contains LB messages.
LB_CHANGE_DEFAULTLG_STATE_VS
|
Message text |
The state of link group associated with virtual server [STRING] was changed, primary link group name is [STRING], backup link group name is [STRING], current link group name is [STRING]. |
|
Variable fields |
$1: Virtual server name. $2: Primary link group name. $3: Backup link group name. $4: Current link group name. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_DEFAULTLG_STATE_VS: The state of link group associated with virtual server VS was changed, primary link group name is MF, backup link group name is BF, current link group name is CF. |
|
Explanation |
The state of the link group associated with a virtual server changed. |
|
Recommended action |
Check whether the availability criteria setting for the link group is changed. If the setting is not changed, check the network environment and link state. |
LB_CHANGE_DEFAULTSF_STATE_VS
|
Message text |
The state of server farm associated with virtual server [STRING] was changed, primary server farm name is [STRING], backup server farm name is [STRING], current server farm name is [STRING]. |
|
Variable fields |
$1: Virtual server name. $2: Primary server farm name. $3: Backup server farm name. $4: Current server farm name. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_DEFAULTSF_STATE_VS: The state of server farm associated with virtual server VS was changed, primary server farm name is MF, backup server farm name is BF, current server farm name is CF. |
|
Explanation |
The state of the server farm associated with a virtual server changed. |
|
Recommended action |
Check whether the availability criteria setting for the server farm is changed. If the setting is not changed, check the network environment and real server state. |
LB_CHANGE_LG_STATE_ACTION
|
Message text |
The state of link group associated with action [STRING] was changed, primary link group name is [STRING], backup link group name is [STRING], current link group name is [STRING]. |
|
Variable fields |
$1: LB action name. $2: Primary link group name. $3: Backup link group name. $4: Current link group name. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_LG_STATE_ACTION: The state of link group associated with action ACT was changed, primary link group name is MF, backup link group name is BF, current link group name is CF. |
|
Explanation |
The state of the link group associated with an LB action changed. |
|
Recommended action |
Check whether the availability criteria setting for the link group is changed. If the setting is not changed, check the network environment and link state. |
LB_CHANGE_LG_STATUS
|
Message text |
The state of link group [STRING] was changed to [STRING]. |
|
Variable fields |
$1: Link group name. $2: Link group state: Active or Inactive. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_LG_STATUS: The state of link group LG was changed to Active. |
|
Explanation |
The state of a link group changed. |
|
Recommended action |
Check the network environment and link state when the state of a link group is inactive. |
LB_CHANGE_LINK_BUSYSTATUS
|
Message text |
The busy state of link [STRING] was changed to [STRING]. |
|
Variable fields |
$1: Link name. $2: Link busy state: Busy or Normal. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_LINK_BUSYSTATUS: The busy state of link LINK was changed to Normal. |
|
Explanation |
The busy state of a link changed. |
|
Recommended action |
No action is required. |
LB_CHANGE_LINK_CONNNUM_OVER
|
Message text |
Chassis:[ChassisID],Slot:[SlotID],CPU:[CPUID].The number of connections of link [STRING] was [UINT], which had reached the upper limit. |
|
Variable fields |
$1: IRF member ID. $2: Slot number of the card. $3: CPU number. $4: Link name. $5: Number of connections on the link. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_LINK_CONNNUM_OVER: Chassis:0,Slot:1,CPU:1.The number of connections of link LINK was 100, which had reached the upper limit. |
|
Explanation |
The number of connections on a link reached the upper limit. |
|
Recommended action |
Check whether the maximum number of connections set by using the connection-limit max command is proper if this message is generated frequently. If the set value is proper, expand the link capacity. |
LB_CHANGE_LINK_CONNNUM_RECOVERY
|
Message text |
Chassis:[ChassisID],Slot:[SlotID],CPU:[CPUID].The number of connections of link [STRING] was [UINT], which had recovered to normal state. |
|
Variable fields |
$1: IRF member ID. $2: Slot number of the card. $3: CPU number. $4: Link name. $5: Number of connections on the link. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_LINK_CONNNUM_OVER: Chassis:0,Slot:1,CPU:1.The number of connections of link LINK was 100, which had reached the upper limit. |
|
Explanation |
The number of connections on a link dropped below the upper limit. |
|
Recommended action |
No action is required. |
LB_CHANGE_LINK_CONNRATE_OVER
|
Message text |
Chassis:[ChassisID],Slot:[SlotID],CPU:[CPUID].The connection rate of link [STRING] was [UINT], which had reached the upper limit. |
|
Variable fields |
$1: IRF member ID. $2: Slot number of the card. $3: CPU number. $4: Link name. $5: Connection establishment rate on the link. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_LINK_CONNRATE_OVER: Chassis:0,Slot:1,CPU:1.The connection rate of link LINK was 100, which had reached the upper limit. |
|
Explanation |
The connection establishment rate on a link reached the upper limit. |
|
Recommended action |
Check whether the maximum connection establishment rate set by using the rate-limit connection command is proper if this message is generated frequently. If the set value is proper, expand the link capacity. |
LB_CHANGE_LINK_CONNRATE_RECOVERY
|
Message text |
Chassis:[ChassisID],Slot:[SlotID],CPU:[CPUID].The connection rate of link [STRING] was [UINT], which had recovered to normal state. |
|
Variable fields |
$1: IRF member ID. $2: Slot number of the card. $3: CPU number. $4: Link name. $5: Connection establishment rate on the link. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_LINK_CONNRATE_RECOVERY: Chassis:0,Slot:1,CPU:1.The connection rate of link LINK was 100, which had recovered to normal state. |
|
Explanation |
The connection establishment rate on a link dropped below the upper limit. |
|
Recommended action |
No action is required. |
LB_CHANGE_LINK_HCSTATUS
|
Message text |
The health state of link [STRING] was changed to [STRING]. Last state was kept for [STRING] seconds. |
|
Variable fields |
$1: Link name. $2: Health state of the link: Active or Inactive. $3: Duration for a state in seconds. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_LINK_HCSTATUS: The health state of link LINK was changed to Active. Last state was kept for 100 seconds. |
|
Explanation |
The health state of a link changed, and the link stayed in the previous state for a number of seconds. |
|
Recommended action |
Check the network environment and link state when the health state of a link is inactive. |
LB_CHANGE_LINK_PROBERESULT
|
Message text |
The probe state of link [STRING] template [STRING] was changed to [STRING]. |
|
Variable fields |
$1: Link name. $2: Name of the NQA template used by the health monitoring method. $3: Health monitoring result: Succeeded or Failed. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_LINK_PROBERESULT: The probe state of link CNC template ICMP was changed to Succeeded. |
|
Explanation |
The health monitoring result for a link changed. |
|
Recommended action |
Check the network environment and link state if the health monitoring result for a link is Failed. |
LB_CHANGE_RS_CONNNUM_OVER
|
Message text |
Chassis:[ChassisID],Slot:[SlotID],CPU:[CPUID].The number of connections of real server [STRING] was [UINT], which had reached the upper limit. |
|
Variable fields |
$1: IRF member ID. $2: Slot number of the card. $3: CPU number. $4: Real server name. $5: Number of connections on the real server. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_RS_CONNNUM_OVER: Chassis:0,Slot:1,CPU:1.The number of connections of real server RS was 100, which had reached the upper limit. |
|
Explanation |
The number of connections on a real server reached the upper limit. |
|
Recommended action |
Check whether the maximum number of connections set by using the connection-limit max command is proper if this message is generated frequently. If the set value is proper, expand the real server capacity. |
LB_CHANGE_RS_CONNNUM_RECOVERY
|
Message text |
Chassis:[ChassisID],Slot:[SlotID],CPU:[CPUID].The number of connections of real server [STRING] was [UINT], which had recovered to normal state. |
|
Variable fields |
$1: IRF member ID. $2: Slot number of the card. $3: CPU number. $4: Real server name. $5: Number of connections on the real server. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_RS_CONNNUM_RECOVERY: Chassis:0,Slot:1,CPU:1.The number of connections of real server RS was 100, which had recovered to normal state. |
|
Explanation |
The number of connections on a real server dropped below the upper limit. |
|
Recommended action |
No action is required. |
LB_CHANGE_RS_CONNRATE_OVER
|
Message text |
Chassis:[ChassisID],Slot:[SlotID],CPU:[CPUID].The connection rate of real server [STRING] was [UINT], which had reached the upper limit. |
|
Variable fields |
$1: IRF member ID. $2: Slot number of the card. $3: CPU number. $4: Real server name. $5: Connection establishment rate on the real server. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_RS_CONNRATE_OVER: Chassis:0,Slot:1,CPU:1.The connection rate of real server RS was 100, which had reached the upper limit. |
|
Explanation |
The connection establishment rate on a real server reached the upper limit. |
|
Recommended action |
Check whether the maximum connection establishment rate set by using the rate-limit connection command is proper if this message is generated frequently. If the set value is proper, expand the real server capacity. |
LB_CHANGE_RS_CONNRATE_RECOVERY
|
Message text |
Chassis:[ChassisID],Slot:[SlotID],CPU:[CPUID].The connection rate of real server [STRING] was [UINT], which had recovered to normal state. |
|
Variable fields |
$1: IRF member ID. $2: Slot number of the card. $3: CPU number. $4: Real server name. $5: Connection establishment rate on the real server. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_RS_CONNRATE_RECOVERY: Chassis:0,Slot:1,CPU:1.The connection rate of real server RS was 100, which had recovered to normal state. |
|
Explanation |
The connection establishment rate on a real server dropped below the upper limit. |
|
Recommended action |
No action is required. |
LB_CHANGE_RS_HCSTATUS
|
Message text |
The health state of real server [STRING] was changed to [STRING]. Last state was kept for [STRING] seconds. |
|
Variable fields |
$1: Real server name. $2: Health state of the real server: Active or Inactive. $3: Duration for a state in seconds. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_RS_HCSTATUS: The health state of real server RS was changed to Active. Last state was kept for 100 seconds. |
|
Explanation |
The health state of a real server changed, and the real server stayed in the previous state for a number of seconds. |
|
Recommended action |
Check the network environment and real server state when the health state of a real server is inactive. |
LB_CHANGE_RS_PROBERESULT
|
Message text |
The probe result of real server [STRING] template [STRING] was changed to [STRING]. |
|
Variable fields |
$1: Real server name. $2: Name of the NQA template used by the health monitoring method. $3: Health monitoring result: Succeeded or Failed. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_RS_PROBERESULT: The probe state of real server RS template ICMP was changed to Succeeded. |
|
Explanation |
The health monitoring result for a real server changed. |
|
Recommended action |
Check the network environment and real server state if the health monitoring result for a real server is Failed. |
LB_CHANGE_SF_STATE_ACTION
|
Message text |
The state of link group associated with action [STRING] was changed, primary link group name is [STRING], backup link group name is [STRING], current link group name is [STRING]. |
|
Variable fields |
$1: LB action name. $2: Primary link group name. $3: Backup link group name. $4: Current link group name. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_SF_STATE_ACTION: The state of server farm associated with action ACT was changed, primary server farm name is MF, backup server farm name is BF, current server farm name is CF. |
|
Explanation |
The state of the server farm associated with an LB action changed. |
|
Recommended action |
Check whether the availability criteria setting for the server farm is changed. If the setting is not changed, check the network environment and real server state. |
LB_CHANGE_SF_STATUS
|
Message text |
The state of server farm [STRING] was changed to [STRING]. |
|
Variable fields |
$1: Server farm name. $2: Server farm state: Active or Inactive. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_SF_STATUS: The state of server farm SF was changed to Active. |
|
Explanation |
The state of a server farm changed. |
|
Recommended action |
Check the network environment and server farm state when the state of a server farm is inactive. |
LB_CHANGE_VS_CONNNUM_OVER
|
Message text |
Chassis:[ChassisID],Slot:[SlotID],CPU:[CPUID].The number of connections of virtual server [STRING] was [UINT], which had reached the upper limit. |
|
Variable fields |
$1: IRF member ID. $2: Slot number of the card. $3: CPU number. $4: Virtual server name. $5: Number of connections on the virtual server. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_VS_CONNNUM_OVER: Chassis:0,Slot:1,CPU:1.The number of connections of virtual server RS was 100, which had reached the upper limit. |
|
Explanation |
The number of connections on a virtual server reached the upper limit. |
|
Recommended action |
Check whether the maximum number of connections set by using the connection-limit max command is proper if this message is generated frequently. If the set value is proper, expand the capacity of real servers associated with the virtual server. |
LB_CHANGE_VS_CONNNUM_RECOVERY
|
Message text |
Chassis:[ChassisID],Slot:[SlotID],CPU:[CPUID].The number of connections of virtual server [STRING] was [UINT], which had recovered to normal state. |
|
Variable fields |
$1: IRF member ID. $2: Slot number of the card. $3: CPU number. $4: Virtual server name. $5: Number of connections on the virtual server. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_VS_CONNNUM_RECOVERY: Chassis:0,Slot:1,CPU:1.The number of connections of virtual server RS was 100, which had recovered to normal state. |
|
Explanation |
The number of connections on a virtual server dropped below the upper limit. |
|
Recommended action |
No action is required. |
LB_CHANGE_VS_CONNRATE_OVER
|
Message text |
Chassis:[ChassisID],Slot:[SlotID],CPU:[CPUID].The connection rate of virtual server [STRING] was [UINT], which had reached the upper limit. |
|
Variable fields |
$1: IRF member ID. $2: Slot number of the card. $3: CPU number. $4: Virtual server name. $5: Connection establishment rate on the virtual server. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_VS_CONNRATE_OVER: Chassis:0,Slot:1,CPU:1.The connection rate of virtual server VS was 100, which had reached the upper limit. |
|
Explanation |
The connection establishment rate on a virtual server reached the upper limit. |
|
Recommended action |
Check whether the maximum connection establishment rate set by using the rate-limit connection command is proper if this message is generated frequently. If the set value is proper, expand the capacity of real servers associated with the virtual server. |
LB_CHANGE_VS_CONNRATE_RECOVERY
|
Message text |
Chassis:[ChassisID],Slot:[SlotID],CPU:[CPUID].The connection rate of virtual server [STRING] was [UINT], which had recovered to normal state. |
|
Variable fields |
$1: IRF member ID. $2: Slot number of the card. $3: CPU number. $4: Virtual server name. $5: Connection establishment rate on the virtual server. |
|
Severity level |
5 |
|
Example |
LB/5/LB_CHANGE_VS_CONNRATE_RECOVERY: Chassis:0,Slot:1,CPU:1.The connection rate of virtual service VS was 100, which had recovered to normal state. |
|
Explanation |
The connection establishment rate on a virtual server dropped below the upper limit. |
|
Recommended action |
No action is required. |
LB_LINK_STATE_ACTIVE
|
Message text |
The state of link [STRING] is active. |
|
Variable fields |
$1: Link name. |
|
Severity level |
5 |
|
Example |
LB/5/LB_LINK_STATE_ACTIVE: -MDC=1; The state of link lk is active. |
|
Explanation |
This message is generated after an IP address is configured, the health monitoring succeeds, or the undo shutdown command is executed. |
|
Recommended action |
No action is required. |
LB_LINK_STATE_INACTIVE
|
Message text |
The state of link [STRING] is inactive. |
|
Variable fields |
$1: Link name. |
|
Severity level |
5 |
|
Example |
LB_LINK_STATE_INACTIVE: -MDC=1; The state of link lk is inactive. |
|
Explanation |
This message is generated after an IP address is removed from an interface, the health monitoring result changes, or the shutdown command is executed. |
|
Recommended action |
Check the link configuration and health monitoring configuration. |
LB_NAT44_FLOW
|
Message text |
Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPADDR];SrcPort(1004)=[UINT16];NATSrcIPAddr(1005)=[IPADDR];NATSrcPort(1006)=[UINT16];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];NATDstIPAddr(1009)=[IPADDR];NATDstPort(1010)=[UINT16];RcvVPNInstance(1042)=[STRING];SndVPNInstance(1043)=[STRING]; |
|
Variable fields |
$1: Protocol type. $2: Source IP address. $3: Source port number. $4: Source IP address after translation. $5: Source port number after translation. $6: Destination IP address. $7: Destination port number. $8: Destination IP address after translation. $9: Destination port number after translation. $10: Source VPN instance name. $11: Destination VPN instance name. |
|
Severity level |
6 |
|
Example |
LB/6/LB_NAT44_FLOW: Protocol(1001)=UDP;SrcIPAddr(1003)=10.10.10.1;SrcPort(1004)=1024;NATSrcIPAddr(1005)=20.20.20.20;NATSrcPort(1006)=1024;DstIPAddr(1007)=20.20.20.1;DstPort(1008)=21;NATDstIPAddr(1009)=20.20.20.1;NATDstPort(1010)=21;RcvVPNInstance(1042)=;SndVPNInstance(1043)=; |
|
Explanation |
This message is generated when a source or destination IPv4 address is translated into another IPv4 address. |
|
Recommended action |
No action is required. |
LB_NAT46_FLOW
|
Message text |
Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPADDR];SrcPort(1004)=[UINT16];NATSrcIPv6Addr(1005)=[IPADDR];NATSrcPort(1006)=[UINT16];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];NATDstIPv6Addr(1009)=[IPADDR];NATDstPort(1010)=[UINT16];RcvVPNInstance(1042)=[STRING];SndVPNInstance(1043)=[STRING]; |
|
Variable fields |
$1: Protocol type. $2: Source IP address. $3: Source port number. $4: Source IP address after translation. $5: Source port number after translation. $6: Destination IP address. $7: Destination port number. $8: Destination IP address after translation. $9: Destination port number after translation. $10: Source VPN instance name. $11: Destination VPN instance name. |
|
Severity level |
6 |
|
Example |
LB/6/LB_NAT46_FLOW: Protocol(1001)=UDP;SrcIPAddr(1003)=20.20.20.1;SrcPort(1004)=1024;NATSrcIPv6Addr(1005)=2002::1;NATSrcPort(1006)=1024;DstIPAddr(1007)=30.30.30.1;DstPort(1008)=21;NATDstIPv6Addr(1009)=3002::1;NATDstPort(1010)=21;RcvVPNInstance(1042)=;SndVPNInstance(1043)=; |
|
Explanation |
This message is generated when a source or destination IPv4 address is translated into an IPv6 address. |
|
Recommended action |
No action is required. |
LB_NAT64_FLOW
|
Message text |
Protocol(1001)=[STRING];SrcIPv6Addr(1003)=[IPADDR];SrcPort(1004)=[UINT16];NATSrcIPAddr(1005)=[IPADDR];NATSrcPort(1006)=[UINT16];DstIPv6Addr(1007)=[IPADDR];DstPort(1008)=[UINT16];NATDstIPAddr(1009)=[IPADDR];NATDstPort(1010)=[UINT16];RcvVPNInstance(1042)=[STRING];SndVPNInstance(1043)=[STRING]; |
|
Variable fields |
$1: Protocol type. $2: Source IP address. $3: Source port number. $4: Source IP address after translation. $5: Source port number after translation. $6: Destination IP address. $7: Destination port number. $8: Destination IP address after translation. $9: Destination port number after translation. $10: Source VPN instance name. $11: Destination VPN instance name. |
|
Severity level |
6 |
|
Example |
LB/6/LB_NAT64_FLOW: Protocol(1001)=UDP;SrcIPv6Addr(1003)=1001::1;SrcPort(1004)=1024;NATSrcIPAddr(1005)=20.20.20.1;NATSrcPort(1006)=1024;DstIPv6Addr(1007)=3001::1;DstPort(1008)=21;NATDstIPAddr(1009)=30.30.30.1;NATDstPort(1010)=21;RcvVPNInstance(1042)=;SndVPNInstance(1043)=; |
|
Explanation |
This message is generated when a source or destination IPv6 address is translated into an IPv4 address. |
|
Recommended action |
No action is required. |
LB_NAT66_FLOW
|
Message text |
Protocol(1001)=[STRING];SrcIPv6Addr(1003)=[IPADDR];SrcPort(1004)=[UINT16];NATSrcIPv6Addr(1005)=[IPADDR];NATSrcPort(1006)=[UINT16];DstIPv6Addr(1007)=[IPADDR];DstPort(1008)=[UINT16];NATDstIPv6Addr(1009)=[IPADDR];NATDstPort(1010)=[UINT16];RcvVPNInstance(1042)=[STRING];SndVPNInstance(1043)=[STRING]; |
|
Variable fields |
$1: Protocol type. $2: Source IP address. $3: Source port number. $4: Source IP address after translation. $5: Source port number after translation. $6: Destination IP address. $7: Destination port number. $8: Destination IP address after translation. $9: Destination port number after translation. $10: Source VPN instance name. $11: Destination VPN instance name. |
|
Severity level |
6 |
|
Example |
LB/6/LB_NAT66_FLOW: Protocol(1001)=UDP;SrcIPv6Addr(1003)=1001::1;SrcPort(1004)=1024;NATSrcIPv6Addr(1005)=2002::1;NATSrcPort(1006)=1024;DstIPv6Addr(1007)=3001::1;DstPort(1008)=21;NATDstIPv6Addr(1009)=3002::1;NATDstPort(1010)=21;RcvVPNInstance(1042)=;SndVPNInstance(1043)=; |
|
Explanation |
This message is generated when a source or destination IPv6 address is translated into another IPv6 address. |
|
Recommended action |
No action is required. |
LB_SLB_LICENSE_INSTALLED
|
Message text |
The license for SLB has been installed. Server load balancing is available. |
|
Variable fields |
N/A |
|
Severity level |
5 |
|
Example |
LB/5/LB_SLB_LICENSE_INSTALLED: The license for SLB has been installed. Server load balancing is available. |
|
Explanation |
The license for SLB had been installed. Server load balancing was available. |
|
Recommended action |
No action is required. |
LB_SLB_LICENSE_UNINSTALLED
|
Message text |
The license for SLB has been uninstalled. Server load balancing is not available. |
|
Variable fields |
N/A |
|
Severity level |
5 |
|
Example |
LB/5/LB_SLB_LICENSE_UNINSTALLED: The license for SLB has been uninstalled. Server load balancing is not available. |
|
Explanation |
The license for SLB had been uninstalled. Server load balancing was unavailable. |
|
Recommended action |
Install a license for SLB. |
LB_SLB_LICENSE_EXPIRED
|
Message text |
The license for SLB has expired. Server load balancing is not available. |
|
Variable fields |
N/A |
|
Severity level |
5 |
|
Example |
LB/5/LB_SLB_LICENSE_EXPIRED: The license for SLB has expired. Server load balancing is not available. |
|
Explanation |
The license for SLB had expired. Server load balancing was unavailable. |
|
Recommended action |
Install a license for SLB. |
LIPC messages
This section contains Leopard inter-process communication (LIPC) messages.
LIPC_CHECKDOWN
|
Message text |
The quality of the link is poor. Owner=[STRING], VRF=[INTEGER], local address/port=[INTEGER]/[INTEGER], remote address/port=[INTEGER]/[INTEGER]. |
|
Variable fields |
$1: Name of the process that established the LIPC link. $2: Name of the VRF to which the LIPC link belongs. $3: LIP address of the local node. $4: Port number of the local node. $5: LIP address of the remote node. $6: Port number of the remote node. |
|
Severity level |
4 |
|
Example |
LIPC/4/LIPC_CHECKDOWN: The quality of the link is poor. Owner=1, VRF=0, local address/port=0/20415, remote address/port=8/10515. |
|
Explanation |
Processes will establish an LIPC link during internal communication. LIPC STCP automatically checks the link quality at intervals and outputs this log when the link quality is detected poor. |
|
Recommended action |
No action is required. The system will try to restore the LIPC link of poor quality automatically. If the restoration fails, the system will terminate the LIPC link automatically. |
LIPC_MTCP_CHECK
|
Message text |
Data stays in the receive buffer for an over long time. Owner=[STRING], VRF=[INTEGER], Group=[INTEGER], MID=[INTEGER]. |
|
Variable fields |
$1: Name of the process. $2: Name of the VRF to which the LIPC link belongs to. $3: Multicast group ID of the LIPC link. $4: Multicast group member ID of the LIPC link. |
|
Severity level |
4 |
|
Example |
LIPC/4/LIPC_MTCP_CHECK: Data stays in the receive buffer for an over long time. Owner=fsd, VRF=0, Group=134, MID=10001. |
|
Explanation |
Processes will establish an LIPC link during internal communication. LIPC MTCP assigns a receive buffer to the process and checks at intervals whether data in the buffer is retrieved by the process. If the process has not retrieved data from the receive buffer for a long time and a large amount of data accumulates in the buffer, the process might run abnormally. |
|
Recommended action |
No action is required. |
LIPC_STCP_CHECK
|
Message text |
Data stays in the receive buffer for an over long time. Owner=[STRING], VRF=[INTEGER], local address/port=[INTEGER]/[INTEGER], remote address/port=[INTEGER]/[INTEGER]. |
|
Variable fields |
$1: Name of the process that established the LIPC link. $2: Name of the VRF to which the LIPC link belongs. $3: LIP address of the local node. $4: Port number of the local node. $5: LIP address of the remote node. $6: Port number of the remote node. |
|
Severity level |
4 |
|
Example |
LIPC/4/LIPC_STCP_CHECK: Data stays in the receive buffer for an over long time. Owner=fsd, VRF=0, local address/port=8/10515, remote address/port=0/20415. |
|
Explanation |
Processes will establish an LIPC link during internal communication. LIPC STCP assigns a receive buffer to the process and checks at intervals whether data in the buffer is retrieved by the process. If the process has not retrieved data from the receive buffer for a long time and a large amount of data accumulates in the buffer, the process might run abnormally. |
|
Recommended action |
No action is required. |
LIPC_SUDP_CHECK
|
Message text |
Data stays in the receive buffer for an over long time. Owner=[STRING], VRF=[INTEGER], local address/port=[INTEGER]/[INTEGER], remote address/port=[INTEGER]/[INTEGER]. |
|
Variable fields |
$1: Name of the process that established the LIPC link. $2: Name of the VRF to which the LIPC link belongs. $3: LIP address of the local node. $4: Port number of the local node. $5: LIP address of the remote node. $6: Port number of the remote node. |
|
Severity level |
4 |
|
Example |
LIPC/4/LIPC_SUDP_CHECK: Data stays in the receive buffer for an over long time. Owner=snmpd, VRF=0, local address/port=0/10525, remote address/port=32768/0. |
|
Explanation |
Processes will establish an LIPC link during internal communication. LIPC SUDP assigns a receive buffer to the process and checks at intervals whether data in the buffer is retrieved by the process. If the process has not retrieved data from the receive buffer for a long time and a large amount of data accumulates in the buffer, the process might run abnormally. |
|
Recommended action |
No action is required. |
PORT_CHANGE
|
Message text |
STCP: Node where the listening port number [INT] (MDC: [INT] VRF: [INT]) resides changed from LIP [INT] to LIP [INT]. |
|
Variable fields |
$1: LIPC global port number. $2: Name of the MDC where the LIPC global port resides. $3: Name of the VRF to which the LIPC global port belongs. $4: Name of the old LIPC node where the LIPC global port resides. $5: Name of the new LIPC node where the LIPC global port resides. |
|
Severity level |
5 |
|
Example |
LIPC/5/PORT_CHANGE: Node where the listening port number 620 (MDC: 1 VRF: 1) resides changed from LIP 1 to LIP 3. |
|
Explanation |
STCP assigns an LIPC global port number as a listening port number to each service module as requested. Typically, a service module listens to the port number only on the LIPC node where the port has been requested. This message is generated if the service module listens to the port number on a different LIPC node. STCP will move the port number from the old LIPC node to the new node. |
|
Recommended action |
No action is required. |
LLDP messages
This section contains LLDP messages.
LLDP_CREATE_NEIGHBOR
|
Message text |
[STRING] agent new neighbor created on port [STRING] (IfIndex [UINT32]), neighbor's chassis ID is [STRING], port ID is [STRING]. |
|
Variable fields |
$1: Agent type. $2: Port name. $3: Port ifIndex. $4: Neighbor's chassis ID. $5: Neighbor's port ID. |
|
Severity level |
6 |
|
Example |
LLDP/6/LLDP_CREATE_NEIGHBOR: Nearest bridge agent new neighbor created on port Ten-GigabitEthernet10/0/15 (IfIndex 599), neighbor's chassis ID is 3822-d666-ba00, port ID is GigabitEthernet6/0/5. |
|
Explanation |
The port received an LLDP message from a new neighbor. |
|
Recommended action |
No action is required. |
LLDP_DELETE_NEIGHBOR
|
Message text |
[STRING] agent neighbor deleted on port [STRING] (IfIndex [UINT32]), neighbor's chassis ID is [STRING], port ID is [STRING]. |
|
Variable fields |
$1: Agent type. $2: Port name. $3: Port ifIndex. $4: Neighbor's chassis ID. $5: Neighbor's port ID. |
|
Severity level |
6 |
|
Example |
LLDP/6/LLDP_DELETE_NEIGHBOR: Nearest bridge agent neighbor deleted on port Ten-GigabitEthernet10/0/15 (IfIndex 599), neighbor's chassis ID is 3822-d666-ba00, port ID is GigabitEthernet6/0/5. |
|
Explanation |
The port received a deletion message when a neighbor was deleted. |
|
Recommended action |
No action is required. |
LLDP_LESS_THAN_NEIGHBOR_LIMIT
|
Message text |
The number of [STRING] agent neighbors maintained by port [STRING] (IfIndex [UINT32]) is less than [UINT32], and new neighbors can be added. |
|
Variable fields |
$1: Agent type. $2: Port name. $3: Port ifIndex. $4: Maximum number of neighbors a port can maintain. |
|
Severity level |
6 |
|
Example |
LLDP/6/LLDP_LESS_THAN_NEIGHBOR_LIMIT: The number of nearest bridge agent neighbors maintained by port Ten-GigabitEthernet10/0/15 (IfIndex 599) is less than 5, and new neighbors can be added. |
|
Explanation |
New neighbors can be added for the port because the limit has not been reached. |
|
Recommended action |
No action is required. |
LLDP_NEIGHBOR_AGE_OUT
|
Message text |
[STRING] agent neighbor aged out on port [STRING] (IfIndex [UINT32]), neighbor's chassis ID is [STRING], port ID is [STRING]. |
|
Variable fields |
$1: Agent type. $2: Port name. $3: Port ifIndex. $4: Neighbor's chassis ID. $5: Neighbor's port ID. |
|
Severity level |
5 |
|
Example |
LLDP/5/LLDP_NEIGHBOR_AGE_OUT: Nearest bridge agent neighbor aged out on port Ten-GigabitEthernet10/0/15 (IfIndex599), neighbor's chassis ID is 3822-d666-ba00, port ID is GigabitEthernet6/0/5. |
|
Explanation |
This message is generated when the port failed to receive LLDPDUs from the neighbor within a certain period of time. |
|
Recommended action |
Verify the link status or the receive/transmit status of LLDP on the peer. |
LLDP_NEIGHBOR_AP_RESET
|
Message text |
The neighboring AP of the [STRING] agent on port [STRING] (IfIndex [UINT32]) was restarted due to aging. |
|
Variable fields |
$1: Agent type. $2: Port name. $3: Port ifIndex. |
|
Severity level |
5 |
|
Example |
LLDP/5/LLDP_NEIGHBOR_AP_RESET: The neighboring AP of the nearest bridge agent on port GigabitEthernet1/0/1 (IfIndex 599) was restarted due to aging. |
|
Explanation |
A neighboring AP aged out and was restarted. |
|
Recommended action |
No action is required. |
LLDP_PVID_INCONSISTENT
|
Message text |
PVID mismatch discovered on [STRING] (PVID [UINT32]), with [STRING] [STRING] (PVID [STRING]). |
|
Variable fields |
|
|
Severity level |
|
|
Example |
|
|
Explanation |
|
|
Recommended action |
LLDP_REACH_NEIGHBOR_LIMIT
|
Message text |
The number of [STRING] agent neighbors maintained by the port [STRING] (IfIndex [UINT32]) has reached [UINT32], and no more neighbors can be added. |
|
Variable fields |
$1: Agent type. $2: Port name. $3: Port ifIndex. $4: Maximum number of neighbors a port can maintain. |
|
Severity level |
5 |
|
Example |
LLDP/5/LLDP_REACH_NEIGHBOR_LIMIT: The number of nearest bridge agent neighbors maintained by the port Ten-GigabitEthernet10/0/15 (IfIndex 599) has reached 5, and no more neighbors can be added. |
|
Explanation |
This message is generated when the port with its maximum number of neighbors reached received an LLDP packet. |
|
Recommended action |
No action is required. |
LOAD messages
This section contains load management messages.
BOARD_LOADING
|
Message text |
Board in chassis [INT32] slot [INT32] is loading software images. |
|
Variable fields |
$1: Chassis ID. $2: Slot ID. |
|
Severity level |
4 |
|
Example |
LOAD/4/BOARD_LOADING: Board in chassis 1 slot 5 is loading software images. |
|
Explanation |
The card is loading software images during the boot process. |
|
Recommended action |
No action is required. |
LOAD_FAILED
|
Message text |
Board in chassis [INT32] slot [INT32] failed to load software images. |
|
Variable fields |
$1: Chassis ID. $2: Slot ID. |
|
Severity level |
3 |
|
Example |
LOAD/3/LOAD_FAILED: Board in chassis 1 slot 5 failed to load software images. |
|
Explanation |
The card failed to load software images during the boot process. |
|
Recommended action |
120. Execute the display boot-loader command to identify the startup software images. 121. Execute the dir command to verify that the startup software images exist. If the startup software images do not exist or are damaged, re-upload the software images to the device or set another one as the startup software images. 122. If the problem persists, contract H3C Support. |
LOAD_FINISHED
|
Message text |
Board in chassis [INT32] slot [INT32] has finished loading software images. |
|
Variable fields |
$1: Chassis ID. $2: Slot ID. |
|
Severity level |
5 |
|
Example |
LOAD/5/LOAD_FINISHED: Board in chassis 1 slot 5 has finished loading software images. |
|
Explanation |
The card has finished loading software images. |
|
Recommended action |
No action is required. |
LOGIN messages
This section contains login messages.
LOGIN_FAILED
|
Message text |
[STRING] failed to login from [STRING]. |
|
Variable fields |
$1: Username. $2: Line name or IP address. |
|
Severity level |
5 |
|
Example |
LOGIN/5/LOGIN_FAILED: TTY failed to log in from console0. LOGIN/5/LOGIN_FAILED: usera failed to log in from 192.168.11.22. |
|
Explanation |
A login attempt failed. |
|
Recommended action |
No action is required. |
LOGIN_ INVALID_USERNAME_PWD
|
Message text |
Invalid username or password from [STRING]. |
|
Variable fields |
$1: User line name and user IP address. |
|
Severity level |
5 |
|
Example |
LOGIN/5/LOGIN_INVALID_USERNAME_PWD: Invalid username or password from console0. LOGIN/5/LOGIN_INVALID_USERNAME_PWD: Invalid username or password from 192.168.11.22. |
|
Explanation |
A user entered an invalid username or password. |
|
Recommended action |
No action is required. |
LPDT messages
This section contains loop detection messages.
LPDT_LOOPED
|
Message text |
Loopback exists on [STRING]. |
|
Variable fields |
$1: Port name. |
|
Severity level |
4 |
|
Example |
LPDT/4/LPDT_LOOPED: Loopback exists on Ethernet 6/4/2. |
|
Explanation |
The first intra-VLAN loop was detected on a port. |
|
Recommended action |
Check the links and configuration on the device for the loop, and remove the loop. |
LPDT_RECOVERED
|
Message text |
Loopback on [STRING] recovered. |
|
Variable fields |
$1: Port name. |
|
Severity level |
5 |
|
Example |
LPDT/5/LPDT_RECOVERED: Loopback on Ethernet 6/4/1 recovered. |
|
Explanation |
All intra-VLAN loops on a port were removed. |
|
Recommended action |
No action is required. |
LPDT_VLAN_LOOPED
|
Message text |
Loopback exists on [STRING] in VLAN [UINT16]. |
|
Variable fields |
$1: Port name. $2: VLAN ID. |
|
Severity level |
4 |
|
Example |
LPDT/4/LPDT_VLAN_LOOPED: Loopback exists on Ethernet6/4/1 in VLAN 1. |
|
Explanation |
A loop in a VLAN was detected on a port. |
|
Recommended action |
Check the links and configurations in the VLAN for the loop, and remove the loop. |
LPDT_VLAN_RECOVERED
|
Message text |
Loopback on [STRING] in VLAN [UINT16] recovered. |
|
Variable fields |
$1: Port name. $2: VLAN ID. |
|
Severity level |
5 |
|
Example |
LPDT/5/LPDT_RECOVERED: Loopback on Ethernet6/4/1 in VLAN 1 recovered. |
|
Explanation |
A loop in a VLAN was removed on a port. |
|
Recommended action |
No action is required. |
LS messages
This section contains Local Server messages.
LOCALSVR_PROMPTED_CHANGE_PWD
|
Message text |
Please change the password of [STRING] [STRING], because [STRING]. |
|
Variable fields |
$1: Password type: ¡ device management user. ¡ user line. ¡ user line class. $2: Username, user line name, or user line class name. $3: Reason for password change: ¡ the current password is a weak-password. ¡ the current password is the default password. ¡ it is the first login of the current user or the password had been reset. ¡ the password had expired. |
|
Severity level |
6 |
|
Example |
LOCALSVR/6/LOCALSVR_PROMPTED_CHANGE_PWD: Please change the password of device management user hhh, because the current password is a weak password. |
|
Explanation |
The device generated a log message to prompt a user to change the password of the user, user line, or user line class. The device will generate such a log message every 24 hours after the user logs in to the device if the password does not meet the password control requirements. |
|
Recommended action |
Change the user password as required: · If scheme authentication is used, change the local password of the user. · If password authentication is used, change the authentication password of the user line or user line class for the user. |
LS_ADD_USER_TO_GROUP
|
Message text |
Admin [STRING] added user [STRING] to group [STRING]. |
|
Variable fields |
$1: Admin name. $2: Username. $3: User group name. |
|
Severity level |
4 |
|
Example |
LS/4/LS_ADD_USER_TO_GROUP: Admin admin added user user1 to group group1. |
|
Explanation |
The administrator added a user into a user group. |
|
Recommended action |
No action is required. |
LS_AUTHEN_FAILURE
|
Message text |
User [STRING] from [STRING] failed authentication. [STRING] |
|
Variable fields |
$1: Username. $2: IP address. $3: Failure reason: ¡ User not found. ¡ Password verified failed. ¡ User not active. ¡ Access type mismatch. ¡ Binding attribute is failed. ¡ User in blacklist. |
|
Severity level |
5 |
|
Example |
LS/5/LS_AUTHEN_FAILURE: User cwf@system from 192.168.0.22 failed authentication. "User not found." |
|
Explanation |
The local server rejected a user's authentication request. |
|
Recommended action |
No action is required. |
LS_AUTHEN_SUCCESS
|
Message text |
User [STRING] from [STRING] was authenticated successfully. |
|
Variable fields |
$1: Username. $2: IP address. |
|
Severity level |
6 |
|
Example |
LS/6/LS_AUTHEN_SUCCESS: User cwf@system from 192.168.0.22 was authenticated successfully. |
|
Explanation |
The local server accepted a user's authentication request. |
|
Recommended action |
No action is required. |
LS_DEL_USER_FROM_GROUP
|
Message text |
Admin [STRING] delete user [STRING] from group [STRING]. |
|
Variable fields |
$1: Admin name. $2: Username. $3: User group name. |
|
Severity level |
4 |
|
Example |
LS/4/LS_DEL_USER_FROM_GROUP: Admin admin delete user user1 from group group1. |
|
Explanation |
The administrator deleted a user from a user group. |
|
Recommended action |
No action is required. |
LS_DELETE_PASSWORD_FAIL
|
Message text |
Failed to delete the password for user [STRING]. |
|
Variable fields |
$1: Username. |
|
Severity level |
4 |
|
Example |
LS/4/LS_DELETE_PASSWORD_FAIL: Failed to delete the password for user abcd. |
|
Explanation |
Failed to delete the password for a user. |
|
Recommended action |
Check the file system for errors. |
LS_PWD_ADDBLACKLIST
|
Message text |
User [STRING] was added to the blacklist due to multiple login failures, [STRING]. |
|
Variable fields |
$1: Username. $2: Options include: ¡ but could make other attempts. ¡ and is permanently blocked. ¡ and was temporarily blocked for [UINT32] minutes. |
|
Severity level |
4 |
|
Example |
LS/4/LS_PWD_ADDBLACKLIST: User user1 was added to the blacklist due to multiple login failures, but could make other attempts. |
|
Explanation |
A user was added to the blacklist because of multiple login failures. |
|
Recommended action |
Check the user's password. |
LS_PWD_CHGPWD_FOR_AGEDOUT
|
Message text |
User [STRING] changed the password because it was expired. |
|
Variable fields |
$1: User name. |
|
Severity level |
4 |
|
Example |
LS/4/LS_PWD_CHGPWD_FOR_AGEDOUT: User aaa changed the password because it was expired. |
|
Explanation |
A user changed the password because the password expired. |
|
Recommended action |
No action is required. |
LS_PWD_CHGPWD_FOR_AGEOUT
|
Message text |
User [STRING] changed the password because it was about to expire. |
|
Variable fields |
$1: Username. |
|
Severity level |
4 |
|
Example |
LS/4/LS_PWD_CHGPWD_FOR_AGEOUT: User aaa changed the password because it was about to expire. |
|
Explanation |
A user changed the password because the password is about to expire. |
|
Recommended action |
No action is required. |
LS_PWD_CHGPWD_FOR_COMPOSITION
|
Message text |
User [STRING] changed the password because it had an invalid composition. |
|
Variable fields |
$1: Username. |
|
Severity level |
4 |
|
Example |
LS/4/LS_PWD_CHGPWD_FOR_COMPOSITION: User aaa changed the password because it had an invalid composition. |
|
Explanation |
A user changed the password because it had an invalid composition. |
|
Recommended action |
No action is required. |
LS_PWD_CHGPWD_FOR_FIRSTLOGIN
|
Message text |
User [STRING] changed the password at the first login. |
|
Variable fields |
$1: Username. |
|
Severity level |
4 |
|
Example |
LS/4/LS_PWD_CHGPWD_FOR_FIRSTLOGIN: User aaa changed the password at the first login. |
|
Explanation |
A user changed the password at the first login. |
|
Recommended action |
No action is required. |
LS_PWD_CHGPWD_FOR_LENGTH
|
Message text |
User [STRING] changed the password because it was too short. |
|
Variable fields |
$1: Username. |
|
Severity level |
4 |
|
Example |
LS/4/LS_PWD_CHGPWD_FOR_LENGTH: User aaa changed the password because it was too short. |
|
Explanation |
A user changed the password because it was too short. |
|
Recommended action |
No action is required. |
LS_PWD_FAILED2WRITEPASS2FILE
|
Message text |
Failed to write the password records to file. |
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
LS/4/LS_PWD_FAILED2WRITEPASS2FILE: Failed to write the password records to file. |
|
Explanation |
Failed to write the password records to file. |
|
Recommended action |
No action is required. |
LS_PWD_MODIFY_FAIL
|
Message text |
Admin [STRING] from [STRING] could not modify the password for user [STRING], because [STRING]. |
|
Variable fields |
$1: Admin name. $2: IP address. $3: Username. $4: Failure reason: ¡ passwords do not match. ¡ the password history cannot be written. ¡ the password cannot be verified. |
|
Severity level |
4 |
|
Example |
LS/4/LS_PWD_MODIFY_FAIL: Admin admin from 1.1.1.1 could not modify the password for user user1, because passwords do not match. |
|
Explanation |
An administrator failed to modify a user's password. |
|
Recommended action |
No action is required. |
LS_PWD_MODIFY_SUCCESS
|
Message text |
Admin [STRING] from [STRING] modify the password for user [STRING] successfully. |
|
Variable fields |
$1: Admin name. $2: IP address. $3: Username. |
|
Severity level |
6 |
|
Example |
LS/6/LS_PWD_MODIFY_SUCCESS: Admin admin from 1.1.1.1 modify the password for user abc successfully. |
|
Explanation |
An administrator successfully changed a user's password. |
|
Recommended action |
No action is required. |
LS_REAUTHEN_FAILURE
|
Message text |
User [STRING] from [STRING] failed reauthentication. |
|
Variable fields |
$1: Username. $2: IP address. |
|
Severity level |
5 |
|
Example |
LS/5/LS_REAUTHEN_FAILURE: User abcd from 1.1.1.1 failed reauthentication. |
|
Explanation |
A user failed reauthentication because the old password entered for reauthentication is invalid. |
|
Recommended action |
Check the old password. |
LS_UPDATE_PASSWORD_FAIL
|
Message text |
Failed to update the password for user [STRING]. |
|
Variable fields |
$1: Username. |
|
Severity level |
4 |
|
Example |
LS/4/LS_UPDATE_PASSWORD_FAIL: Failed to update the password for user abc. |
|
Explanation |
Failed to update the password for a user. |
|
Recommended action |
Check the file system for errors. |
LS_USER_CANCEL
|
Message text |
User [STRING] from [STRING] cancelled inputting the password. |
|
Variable fields |
$1: Username. $2: IP address. |
|
Severity level |
5 |
|
Example |
LS/5/LS_USER_CANCEL: User 1 from 1.1.1.1 cancelled inputting the password. |
|
Explanation |
The user cancelled inputting the password or did not input the password in 90 seconds. |
|
Recommended action |
No action is required. |
LS_USER_PASSWORD_EXPIRE
|
Message text |
User [STRING]'s login idle timer timed out. |
|
Variable fields |
$1: Username. |
|
Severity level |
5 |
|
Example |
LS/5/LS_USER_PASSWORD_EXPIRE: User 1's login idle timer timed out. |
|
Explanation |
The login idle time for a user expired. |
|
Recommended action |
No action is required. |
LS_USER_ROLE_CHANGE
|
Message text |
Admin [STRING] [STRING] the user role [STRING] for [STRING]. |
|
Variable fields |
$1: Admin name. $2: Added/Deleted. $3: User role. $4: Username. |
|
Severity level |
4 |
|
Example |
LS/4/LS_USER_ROLE_CHANGE: Admin admin add the user role network-admin for abcd. |
|
Explanation |
The administrator added a user role for a user. |
|
Recommended action |
No action is required. |
MAC messages
This section contains MAC messages.
MAC_TABLE_FULL_GLOBAL
|
Message text |
The number of MAC address entries exceeded the maximum number [UINT32]. |
|
Variable fields |
$1: Maximum number of MAC addresses. |
|
Severity level |
4 |
|
Example |
MAC/4/MAC_TABLE_FULL_GLOBAL: The number of MAC address entries exceeded the maximum number 1024. |
|
Explanation |
The number of entries in the global MAC address table exceeded the maximum number supported by the table. |
|
Recommended action |
No action is required. |
MAC_TABLE_FULL_PORT
|
Message text |
The number of MAC address entries exceeded the maximum number [UINT32] for interface [STRING]. |
|
Variable fields |
$1: Maximum number of MAC addresses. $2: Interface name. |
|
Severity level |
4 |
|
Example |
MAC/4/MAC_TABLE_FULL_PORT: The number of MAC address entries exceeded the maximum number 1024 for interface GigabitEthernet2/0/32. |
|
Explanation |
The number of entries in the MAC address table for an interface exceeded the maximum number supported by the table. |
|
Recommended action |
No action is required. |
MAC_TABLE_FULL_VLAN
|
Message text |
The number of MAC address entries exceeded the maximum number [UINT32] in VLAN [UINT32]. |
|
Variable fields |
$1: Maximum number of MAC addresses. $2: VLAN ID. |
|
Severity level |
4 |
|
Example |
MAC/4/MAC_TABLE_FULL_VLAN: The number of MAC address entries exceeded the maximum number 1024 in VLAN 2. |
|
Explanation |
The number of entries in the MAC address table for a VLAN exceeded the maximum number supported by the table. |
|
Recommended action |
No action is required. |
MACA messages
This section contains MAC authentication messages.
MACA_ENABLE_NOT_EFFECTIVE
|
Message text |
The MAC authentication feature is enabled but is not effective on interface [STRING]. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
3 |
|
Example |
MACA/3/MACA_ENABLE_NOT_EFFECTIVE: The MAC authentication feature is enabled but is not effective on interface Ethernet3/1/2. |
|
Explanation |
MAC authentication configuration does not take effect on an interface, because the interface does not support MAC authentication. |
|
Recommended action |
123. Disable MAC authentication on the interface. 124. Reconnect the connected devices to another interface that supports MAC authentication. 125. Enable MAC authentication on the new interface. |
MACSEC messages
This section contains MACsec messages.
MACSEC_MKA_KEEPALIVE_TIMEOUT
|
Message text |
The live peer with SCI [STRING] and CKN [STRING] aged out on interface [STRING]. |
|
Variable fields |
$1: SCI. $2: CKN. $3: Interface name. |
|
Severity level |
4 |
|
Example |
MACSEC/4/MACSEC_MKA_KEEPALIVE_TIMEOUT: The live peer with SCI 00E00100000A0006 and CKN 80A0EA0CB03D aged out on interface GigabitEthernet1/0/1. |
|
Explanation |
A live peer aged out on an interface, because the local participant had not received any MKA packets from the peer before the keepalive timer expired. The local participant removed the peer information from the port. |
|
Recommended action |
Check the link between the local participant and the live peer for link failure. If the link is down, recover the link. |
MACSEC_MKA_PRINCIPAL_ACTOR
|
Message text |
The actor with CKN [STRING] became principal actor on interface [STRING]. |
|
Variable fields |
$1: CKN. $2: Interface name. |
|
Severity level |
6 |
|
Example |
MACSEC/6/MACSEC_MKA_PRINCIPAL_ACTOR: The actor with CKN 80A0EA0CB03D became principal actor on interface GigabitEthernet1/0/1. |
|
Explanation |
The actor with the highest key server priority became the principal actor. |
|
Recommended action |
No action is required. |
MACSEC_MKA_SAK_REFRESH
|
Message text |
The SAK has been refreshed on interface [STRING]. |
|
Variable fields |
$1: Interface name. |
|
Severity level |
6 |
|
Example |
MACSEC/6/MACSEC_MKA_SAK_REFRESH: The SAK has been refreshed on interface GigabitEthernet1/0/1. |
|
Explanation |
The participant on the interface derived or received a new SAK. |
|
Recommended action |
No action is required. |
MACSEC_MKA_SESSION_REAUTH
|
Message text |
The MKA session with CKN [STRING] was re-authenticated on interface [STRING]. |
|
Variable fields |
$1: CKN. $2: Interface name. |
|
Severity level |
6 |
|
Example |
MACSEC/6/MACSEC_MKA_SESSION_REAUTH: The MKA session with CKN 80A0EA0CB03D was re-authenticated on interface GigabitEthernet1/0/1. |
|
Explanation |
The interface performed 802.1X reauthentication. After the 802.1X reauthentication, the participants received a new CAK, and used it to re-establish the MKA session. |
|
Recommended action |
No action is required. |
MACSEC_MKA_SESSION_SECURED
|
Message text |
The MKA session with CKN [STRING] was secured on interface [STRING]. |
|
Variable fields |
$1: CKN. $2: Interface name. |
|
Severity level |
6 |
|
Example |
MACSEC/6/MACSEC_MKA_SESSION_SECURED: The MKA session with CKN 80A020EA0CB03D was secured on interface GigabitEthernet1/0/1. |
|
Explanation |
The MKA session on the interface was secured. Packets are encrypted and transmitted in cipher text. The event occurs in the following situations: · The MKA session state changes from unsecured to secured. · The local participant and the peer negotiate a new MKA session when the following conditions exist: ¡ Both the key server and the peer support MACsec. ¡ A minimum of one participant is enabled with the MACsec desire feature. |
|
Recommended action |
No action is required. |
MACSEC_MKA_SESSION_START
|
Message text |
The MKA session with CKN [STRING] started on interface [STRING]. |
|
Variable fields |
$1: CKN. $2: Interface name. |
|
Severity level |
6 |
|
Example |
MACSEC/6/MACSEC_MKA_SESSION_START: The MKA session with CKN 80A020EA0CB03D started on interface GigabitEthernet1/0/1. |
|
Explanation |
The MKA session negotiation was initiated. Possible reasons include: · New CAK is available after MKA is enabled. · The user re-establishes the MKA session. · The interface that failed MKA session negotiation receives an MKA packet. |
|
Recommended action |
No action is required. |
MACSEC_MKA_SESSION_STOP
|
Message text |
The MKA session with CKN [STRING] stopped on interface [STRING]. |
|
Variable fields |
$1: CKN. $2: Interface name. |
|
Severity level |
5 |
|
Example |
MACSEC/5/MACSEC_MKA_SESSION_STOP: The MKA session with CKN 80A020EA0CB03D stopped on interface GigabitEthernet1/0/1. |
|
Explanation |
The MKA session was terminated. Possible reasons include: · The user removes or re-establishes the MKA session on the interface. · The link associated to the session is down. |
|
Recommended action |
126. Use the display mka session command to check whether the session exists: ¡ If the session has been re-established, ignore the message. ¡ If the session does not exist and is not removed by the user, check the link associated with the session for link failure. 127. Recover the link if the link is down. |
MACSEC_MKA_SESSION_UNSECURED
|
Message text |
The MKA session with CKN [STRING] was not secured on interface [STRING]. |
|
Variable fields |
$1: CKN. $2: Interface name. |
|
Severity level |
5 |
|
Example |
MACSEC/5/MACSEC_MKA_SESSION_UNSECURED: The MKA session with CKN 80A020EA0CB03D was not secured on interface GigabitEthernet1/0/1. |
|
Explanation |
The MKA session on the interface was not secured. Packets are transmitted in plain text. The event occurs in the following situations: · The MKA session state changes from secured to unsecured. · The local participant and the peer negotiate a new MKA session when the following conditions exist: ¡ The key server and the peer are not both MACsec capable. ¡ No participant is enabled with the MACsec desire feature. |
|
Recommended action |
To secure the MKA session, perform the following tasks: · Verify that both the key server and the peer support MACsec. · Verify that a minimum of one participant is enabled with the MACsec desire feature. |
MBUF messages
This section contains MBUF messages.
MBUF_DATA_BLOCK_CREATE_FAIL
|
Message text |
Failed to create an MBUF data block because of insufficient memory. Failure count: [UINT32]. |
|
Variable fields |
$1: Failure count. |
|
Severity level |
2 |
|
Example |
MBUF/2/MBUF_DATA_BLOCK_CREATE_FAIL: Failed to create an MBUF data block because of insufficient memory. Failure count: 128. |
|
Explanation |
The message is output when the system fails to create an MBUF data block 1 minute or more after the most recent creation failure. |
|
Recommended action |
128. Execute the display system internal kernel memory pool | include mbuf command in probe view to view the number of the allocated MBUF data blocks. 129. Execute the display memory command in system view to display the total size of the system memory. 130. Determine whether an excessive number of MBFU data blocks are allocated by comparing the size of the allocated MBUF data blocks with that of the system memory. ¡ If it is not an excessive number, use the memory management commands to check for the memory-intensive modules. ¡ If it is an excessive number, go to step 131. 131. Execute the display system internal mbuf socket statistics command in probe view to view the number of the MBUF data blocks buffered in the socket. Determine whether a process has too many MBUF data blocks buffered in the socket buffer. ¡ If it is too many, locate the reason why the MBUF data blocks cannot be released from the socket buffer. ¡ If it is not too many, use other means to locate the reasons for excessive allocation of MBUF data blocks. 132. If the problem persists, contact H3C Support. |
MFIB messages
This section contains MFIB messages.
MFIB_MEM_ALERT
|
Message text |
MFIB process received system memory alert [STRING] event. |
|
Variable fields |
$1: Type of the memory alert event. |
|
Severity level |
5 |
|
Example |
MFIB/5/MFIB_MEM_ALERT: MFIB process receive system memory alert start event. |
|
Explanation |
The MFIB module received a memory alert event from the system. |
|
Recommended action |
133. Check the system memory to make sure the memory usage does not exceed the thresholds. 134. Release memory for the modules that occupy too many memory resources. |
MGROUP messages
This section contains mirroring group messages.
MGROUP_APPLY_SAMPLER_FAIL
|
Message text |
Failed to apply the sampler for mirroring group [UINT16], because the sampler resources are insufficient. |
|
Variable fields |
$1: Mirroring group ID. |
|
Severity level |
3 |
|
Example |
MGROUP/3/MGROUP_APPLY_SAMPLER_FAIL: Failed to apply the sampler for mirroring group 1, because the sampler resources are insufficient. |
|
Explanation |
A sampler was not applied to the mirroring group because the sampler resources were insufficient. |
|
Recommended action |
No action is required. |
MGROUP_RESTORE_CPUCFG_FAIL
|
Message text |
Failed to restore configuration for mirroring CPU of [STRING] in mirroring group [UINT16], because [STRING] |
|
Variable fields |
$1: Slot number. $2: Mirroring group ID. $3: Failure reason. |
|
Severity level |
3 |
|
Example |
MGROUP/3/MGROUP_RESTORE_CPUCFG_FAIL: Failed to restore configuration for mirroring CPU of chassis 1 slot 2 in mirroring group 1, because the type of the monitor port in the mirroring group is not supported. |
|
Explanation |
When the CPU of the card in the slot is the source CPU in the mirroring group, configuration changes after the card is removed. When the card is reinstalled into the slot, restoring the source CPU configuration might fail. |
|
Recommended action |
Check for the failure reason. If the reason is that the system does not support the changed configuration, delete the unsupported configuration, and reconfigure the source CPU in the mirroring group. |
MGROUP_RESTORE_IFCFG_FAIL
|
Failed to restore configuration for interface [STRING] in mirroring group [UINT16], because [STRING] |
|
|
Variable fields |
$1: Interface name. $2: Mirroring group ID. $3: Failure reason. |
|
Severity level |
3 |
|
Example |
MGROUP/3/MGROUP_RESTORE_IFCFG_FAIL: Failed to restore configuration for interface Ethernet3/1/2 in mirroring group 1, because the type of the monitor port in the mirroring group is not supported. |
|
Explanation |
When the interface of the card in the slot is the monitor port in the mirroring group, configuration changes after the card is removed. When the card is reinstalled into the slot, restoring the monitor port configuration might fail. |
|
Recommended action |
Check for the failure reason. If the reason is that the system does not support the changed configuration, delete the unsupported configuration, and reconfigure the monitor port in the mirroring group. |
MGROUP_SYNC_CFG_FAIL
|
Message text |
Failed to restore configuration for mirroring group [UINT16] in [STRING], because [STRING] |
|
Variable fields |
$1: Mirroring group ID. $2: Slot number. $3: Failure reason. |
|
Severity level |
3 |
|
Example |
MGROUP/3/MGROUP_SYNC_CFG_FAIL: Failed to restore configuration for mirroring group 1 in chassis 1 slot 2, because monitor resources are insufficient. |
|
Explanation |
When the complete mirroring group configuration was synchronized on the card in the slot, restoring configuration failed because resources on the card were insufficient. |
|
Recommended action |
Delete the mirroring group. |
NAT messages
This section contains NAT messages.
NAT_ADDR_BIND_CONFLICT
|
Message text |
Failed to activate NAT configuration on interface [STRING], because global IP addresses already bound to another service card. |
|
Variable fields |
$1: Interface name. |
|
Severity level |
4 |
|
Example |
NAT/4/NAT_ADDR_BIND_CONFLICT: Failed to activate NAT configuration on interface Ethernet0/0/2, because global IP addresses already bound to another service card. |
|
Explanation |
The NAT configuration did not take effect, because the global IP addresses that the interface references have been bound to another service card. |
|
Recommended action |
If multiple interfaces reference the same global IP addresses, you must specify the same service card to process NAT traffic passing through these interfaces. To resolve the problem: 135. Use the display nat all command to check the current configuration. 136. Remove the service card configuration on the interface. 137. Specify the same service card for interfaces referencing the same global IP addresses. |
NAT_ADDRGRP_MEMBER_CONFLICT
|
Message text |
The address range in address group [UINT16] overlaps with the address range in address group [UINT16]. |
|
Variable fields |
$1: NAT address group ID. $2: NAT address group ID. |
|
Severity level |
4 |
|
Example |
NAT/4/NAT_ADDRGRP_MEMBER_CONFLICT: The address range in address group 1 overlaps with the address range in address group 2. |
|
Explanation |
This message is sent if addresses in NAT address groups overlap. |
|
Recommended action |
Modify IP addresses in conflicting NAT address groups. |
NAT_ADDRGRP_RESOURCE_EXHAUST
|
Message text |
The address resources of [STRING] address group [INTEGER] are not enough. |
|
Variable fields |
$1: Address translation mode: · NO-PAT · EIM $2: Address group ID. |
|
Severity level |
4 |
|
Example |
NAT/4/NAT_ADDRGRP_RESOURCE_EXHAUST: The address resources of NO-PAT address group 1 are not enough. |
|
Explanation |
The address resources for the No-PAT or EIM mode are not enough. |
|
Recommended action |
Please add address resources. |
NAT_FAILED_ADD_FLOW_TABLE
|
Message text |
Failed to add flow-table due to [STRING]. |
|
Variable fields |
$1: Failure reason: · no enough resource. · The item already exists. |
|
Severity level |
4 |
|
Example |
NAT/4/NAT_FAILED_ADD_FLOW_TABLE: Failed to add flow-table due to no enough resource. |
|
Explanation |
The system failed to add a flow table due to insufficient hardware resources or NAT address overlapping. |
|
Recommended action |
If the failure is caused by insufficient hardware resources, contact H3C Support. If the failure is caused by address overlapping, reconfigure the NAT addresses. Make sure the NAT address ranges do not overlap. |
NAT_FLOW
|
Message text |
Protocol(1001)=[STRING];Application(1002)=[STRING];SrcIPAddr(1003)=[IPADDR];SrcPort(1004)=[UINT16];NatSrcIPAddr(1005)=[IPADDR];NatSrcPort(1006)=[UINT16];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];NatDstIPAddr(1009)=[IPADDR];NatDstPort(1010)=[UINT16];UserName(1113)=[STRING];InitPktCount(1044)=[UINT32];InitByteCount(1046)=[UINT32];RplyPktCount(1045)=[UINT32];RplyByteCount(1047)=[UINT32];RcvVPNInstance(1042)=[STRING];SndVPNInstance(1043)=[STRING];RcvDSLiteTunnelPeer(1040)=[STRING];SndDSLiteTunnelPeer(1041)=[STRING];BeginTime_e(1013)=[STRING];EndTime_e(1014)=[STRING];Event(1048)=([UNIT16])[STRING]; |
|
Variable fields |
$1: Protocol type. $2: Application layer protocol name. $3: Source IP address. $4: Source port number. $5: Source IP address after translation. $6: Source port number after translation. $7: Destination IP address. $8: Destination port number. $9: Destination IP address after translation. $10: Destination port number after translation. $11: Name of identity users. $12: Total number of incoming packets. $13: Total number of incoming bytes. $14: Total number of outgoing packets. $15: Total number of outgoing bytes. $16: Source VPN instance name. $17: Destination VPN instance name. $18: Source DS-Lite tunnel. $19: Destination DS-Lite tunnel. $20: Time when the session is created. $21: Time when the session is removed. $22: Event type. $23: Event description: ¡ Session created. ¡ Active flow threshold. ¡ Normal over. ¡ Aged for timeout. ¡ Aged for reset or config-change. ¡ Other. |
|
Severity level |
6 |
|
Example |
NAT/6/NAT_FLOW: Protocol(1001)=UDP;Application(1002)=sip;SrcIPAddr(1003)=10.10.10.1;SrcPort(1004)=1024;NatSrcIPAddr(1005)=20.20.20.20;NatSrcPort(1006)=1024;DstIPAddr(1007)=20.20.20.1;DstPort(1008)=21;NatDstIPAddr(1009)=20.20.20.1;NatDstPort(1010)=21;UserName(1113)=abc;InitPktCount(1044)=1;InitByteCount(1046)=50;RplyPktCount(1045)=0;RplyByteCount(1047)=0;RcvVPNInstance(1042)=;SndVPNInstance(1043)=;RcvDSLiteTunnelPeer(1040)=;SndDSLiteTunnelPeer(1041)=;BeginTime_e(1013)=03182024082546;EndTime_e(1014)=;Event(1048)=(8)Session created; |
|
Explanation |
This message is sent in one of the following conditions: · A NAT session is created or removed. · Regularly during a NAT session. · The traffic threshold or aging time of a NAT session is reached. |
|
Recommended action |
No action is required. |
NAT_INTERFACE_RESOURCE_EXHAUST
|
Message text |
The address resources of Easy-IP-EIM interface [STRING] are not enough. |
|
Variable fields |
$1: Interface name. |
|
Severity level |
4 |
|
Example |
NAT/4/NAT_INTERFACE_RESOURCE_EXHAUST: The address resources of EASY-IP-EIM interface Route-Aggregation1 are not enough. |
|
Explanation |
The address resources for the Easy-IP-EIM mode on the interface are not enough. |
|
Recommended action |
Please add address resources. |
NAT_NOPAT_IP_USAGE_ALARM
|
Message text |
Address group [UINT16], total IP addresses [UINT16], used IP addresses [UINT16], usage rate over [UINT16]%. |
|
Variable fields |
$1: NAT address group ID. $2: Number of total IP addresses in the NAT address group. $3: Number of used IP addresses in the NAT address group. $4: IP usage of the NAT address group. |
|
Severity level |
6 |
|
Example |
NAT/6/NAT_NOPAT_IP_USAGE_ALARM: -Context=1; Address group 1, total IP addresses 10, used IP addresses 9, usage rate over 90%. |
|
Explanation |
This message is sent when the IP usage of the NAT address group in NO-PAT mode exceeded the threshold. |
|
Recommended action |
No action is required. |
NAT_SERVICE_CARD_RECOVER_FAILURE
|
Message text |
Failed to recover the configuration of binding the service card on chassis [UINT16] slot [UINT16] to interface [STRING], because [STRING]. |
|
Variable fields |
$1: Member ID of the device in the IRF fabric. $2: Number of the slot where the service card resides. $3: Interface name. $4: Reasons why restoring the binding between the service card and the interface fails. |
|
Severity level |
4 |
|
Example |
NAT/4/NAT_SERVICE_CARD_RECOVER_FAILURE: Failed to recover the configuration of binding the service card on chassis 2 slot 3 to interface Ethernet0/0/2, because NAT service is not supported on this service card. |
|
Explanation |
Restoring the binding between the service card and the interface failed. |
|
Recommended action |
· If the operation fails because the NAT addresses have already been bound to another service card: ¡ Use the display nat all command to check the current configuration. ¡ Specify the same service card for interfaces referencing the same NAT addresses. · Check the service card for hardware problems if the failure is caused by one of the following reasons: ¡ NAT service is not supported on this service card. ¡ The hardware resources are not enough. ¡ Unknown error. |
NAT_SERVER_INVALID
|
Message text |
The NAT server with Easy IP is invalid because its global settings conflict with that of another NAT server on this interface. |
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
NAT/4/NAT_SERVER_INVALID: The NAT server with Easy IP is invalid because its global settings conflict with that of another NAT server on this interface. |
|
Explanation |
The NAT Server with Easy IP did not take effect because its global settings conflict with that the global settings of another NAT Server on the same interface. |
|
Recommended action |
Modify the NAT Server configuration on the interface. The combination of protocol type, global IP addresses and global ports must be unique for each NAT Server on the same interface. |
NAT_FAILED_ADD_FLOW_RULE
|
Message text |
Failed to add flow-table due to: [STRING]. |
|
Variable fields |
$1: Reason for the failure. |
|
Severity level |
4 |
|
Example |
NAT/4/NAT_FAILED_ADD_FLOW_TABLE: Failed to add flow-table due to: Not enough resources are available to complete the operation. |
|
Explanation |
The system failed to deploy flow entries. Possible reasons include insufficient hardware resources or memory. |
|
Recommended action |
Contact H3C Support. |
NAT444_PORTBLOCK_USAGE_ALARM
|
Message text |
Address group [UINT16], total port blocks [UINT16], active port blocks [UINT16], usage rate over [UINT16]%. |
|
Variable fields |
$1: Address group ID. $2: Number of port blocks in the address group. $3: Number of assigned port blocks in the address group. $4: Port block usage. |
|
Severity level |
6 |
|
Example |
NAT/6/NAT444_PORTBLOCK_USAGE_ALARM: -Context=1; Address group 1003, total port blocks 10, active port blocks 9, usage rate over 90%. |
|
Explanation |
This message is sent when the port block usage assigned by dynamic NAT444 exceeds the specified threshold. |
|
Recommended action |
Please add port block resources. |
ND messages
This section contains ND messages.
ND_CONFLICT
|
Message text |
[STRING] is inconsistent. |
|
Variable fields |
$1: Configuration type: ¡ M_FLAG. ¡ O_FLAG. ¡ CUR_HOP_LIMIT. ¡ REACHABLE TIME. ¡ NS INTERVAL. ¡ MTU. ¡ PREFIX VALID TIME. ¡ PREFIX PREFERRED TIME. |
|
Severity level |
6 |
|
Example |
ND/6/ND_CONFLICT: PREFIX VALID TIME is inconsistent |
|
Explanation |
The configuration information in the received router advertisement was not consistent with the configuration on the device. A message is sent if an inconsistency is detected. |
|
Recommended action |
Verify that the configurations on the device and the neighboring router are consistent. |
ND_DUPADDR
|
Message text |
Duplicate address: [STRING] on the interface [STRING]. |
|
Variable fields |
$1: IPv6 address that is to be assigned to the interface. $2: Name of the interface. |
|
Severity level |
6 |
|
Example |
ND/6/ND_DUPADDR: Duplicate address: 33::8 on interface Vlan-interface9. |
|
Explanation |
The IPv6 address that was to be assigned to the interface is being used by another device. |
|
Recommended action |
Assign another IPv6 address to the interface. |
ND_HOST_IP_CONFLICT
|
Message text |
|
|
Variable fields |
$1: IPv6 global unicast address of the host. $2: Name of the interface. $3: Name of the interface. |
|
Severity level |
4 |
|
Example |
|
|
Explanation |
The IPv6 global unicast address of the host is being used by another host that connects to the same interface. |
|
Recommended action |
Disconnect the host and assign another IPv6 global unicast address to the host. |
ND_MAC_CHECK
|
Message text |
|
|
Variable fields |
$1: Receiving interface of the ND packet. $2: Source MAC address in the Ethernet frame header of the ND packet. $3: Source link-layer address in the ND packet. |
|
Severity level |
6 |
|
Example |
|
|
Explanation |
The device dropped an ND packet because source MAC consistency check detected that source MAC address and the source link-layer address are not the same in the packet. |
|
Recommended action |
Verify the validity of the ND packet originator. |
ND_SET_PORT_TRUST_NORESOURCE
|
Message text |
|
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
ND/6/ND_SET_PORT_TRUST_NORESOURCE: Not enough resources to complete the operation. |
|
Explanation |
Failed to execute the command because driver resources were not enough. |
|
Recommended action |
Release the driver resources and execute the command again. |
ND_SET_VLAN_REDIRECT_NORESOURCE
|
Message text |
|
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
ND/6/ND_SET_VLAN_REDIRECT_NORESOURCE: Not enough resources to complete the operation. |
|
Explanation |
Failed to execute the command because driver resources were not enough. |
|
Recommended action |
Release the driver resources and execute the command again. |
ND_MAXNUM_IF
|
Message text |
The number of dynamic neighbor entries on interface [STRING] has reached the maximum. |
|
Variable fields |
$1: Interface name. |
|
Severity level |
6 |
|
Example |
The number of dynamic neighbor entries on interface GigabitEthernet3/0/1 has reached the maximum. |
|
Explanation |
The number of dynamic neighbor entries on the interface has reached the upper limit. |
|
Recommended action |
No action is required. |
ND_MAXNUM_DEV
|
Message text |
The number of dynamic neighbor entries for the device has reached the maximum. |
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
The number of dynamic neighbor entries for the device has reached the maximum. |
|
Explanation |
The number of dynamic neighbor entries on the device has reached the upper limit. |
|
Recommended action |
No action is required. |
NETCONF messages
This section contains NETCONF messages.
CLI
|
Message text |
User ([STRING], [STRING][STRING]) performed an CLI operation: [STRING] operation result=[STRING][STRING] |
|
Variable fields |
$1: Username or user line type. · If scheme login authentication was performed for the user, this field displays the username. · If no login authentication was performed or password authentication was performed, this field displays the user line type, such as VTY. $2: User IP address or user line type and relative number. · For a Telnet or SSH user, this field displays the IP address of the user. · For a user who logged in through the console or AUX port, this field displays the user line type and the relative line number, such as console0. $3: ID of the NETCONF session. This field is not displayed for Web and RESTful sessions. $4: Message ID of the NETCONF request. This field is not displayed for Web and RESTful sessions. $5: Operation result, Succeeded or Failed. $6: Cause for an operation failure. This field is displayed only if the failure is caused by a known reason. |
|
Severity level |
6 |
|
Example |
XMLSOAP/6/CLI: -MDC=1; User (test, 169.254.5.222, session ID=1) performed an CLI operation: message ID=101, operation result=Succeeded. |
|
Explanation |
After a CLI command is executed by using NETCONF, the device outputs this message to show the operation result. |
|
Recommended action |
No action is required. |
EDIT-CONFIG
|
Message text |
User ([STRING], [STRING], session ID [UINT16]) performed an edit-config operation: message ID=[STRING], operation result=Succeeded. Or User ([STRING], [STRING], session ID [UINT16]) performed an edit-config operation: message ID=[STRING], operation result=Failed. [STRING] Or User ([STRING], [STRING], session ID [UINT16]) performed an edit-config operation: message ID=[STRING], operation result=Failed, XPath=[STRING], error message=[STRING]. |
|
Variable fields |
$1: Username or user line type. · If scheme login authentication was performed for the user, this field displays the username. · If no login authentication was performed or password authentication was performed, this field displays the user line type, such as VTY. $2: User IP address or user line type and relative line number. · For a Telnet or SSH user, this field displays the IP address of the user. · For a user who logged in through the console or AUX port, this field displays the user line type and the relative line number, such as console0. $3: ID of the NETCONF session. $4: Message ID of the NETCONF request. $5: Error message or XPath expression for an incorrect row. · This field displays an error message if the verbose keyword is not specified in the netconf log command and the failure is caused by a known reason. · This field displays an XPath expression if the verbose keyword is specified in the netconf log command. $6: Error message. This field is displayed only if the verbose keyword is specified in the netconf log command. |
|
Severity level |
6 |
|
Example |
XMLSOAP/6/EDIT-CONFIG: -MDC=1; User (test, 192.168.100.20, session ID 1) performed an edit-config operation: message ID=101, operation result=Succeeded. |
|
Explanation |
The device outputs this log message for each NETCONF setting in an <edit-config> operation to show the configuration result. |
|
Recommended action |
No action is required. |
NETCONF_MSG_DEL
|
Message text |
A NETCONF message was dropped. Reason: Packet size exceeded the upper limit. |
|
Variable fields |
N/A |
|
Severity level |
7 |
|
Example |
NETCONF/7/NETCONF_MSG_DEL: A NETCONF message was dropped. Reason: Packet size exceeded the upper limit. |
|
Explanation |
The system dropped a NETCONF request message that was received from a NETCONF over SSH client or at the XML view. The reason is that the message size exceeded the upper limit. |
|
Recommended action |
138. Reduce the size of the request message. For example, delete blank spaces, carriage returns, and tab characters. 139. Contact H3C Support to segment the request message and then re-encapsulate the segments before sending them to the device. |
REPLY
|
Message text |
Sent a NETCONF reply to the client: Session ID=[UINT16], Content=[STRING]. Or Sent a NETCONF reply to the client: Session ID=[UINT16], Content (partial)=[STRING]. |
|
Variable fields |
$1: ID of the NETCONF session. This field displays a hyphen (-) before the NETCONF session is established. $2: NETCONF packet that the device sent to the NETCONF client. |
|
Severity level |
7 |
|
Example |
XMLSOAP/7/REPLY: -MDC=1; Sent a NETCONF reply to the client: Session ID=2, Content=</env:Body></env:Envelope>. |
|
Explanation |
When sending a NETCONF packet to a client, the device outputs this log message for NETCONF debugging purposes. If a NETCONF packet cannot be sent in one log message, the device uses multiple log messages and adds the partial flag in each log message. |
|
Recommended action |
No action is required. |
THREAD
|
Message text |
Maximum number of NETCONF threads already reached. |
|
Variable fields |
N/A |
|
Severity level |
3 |
|
Example |
XMLCFG/3/THREAD: -MDC=1; Maximum number of NETCONF threads already reached. |
|
Explanation |
The number of NETCONF threads already reached the upper limit. |
|
Recommended action |
Please try again later. |
NQA messages
This section contains NQA messages.
NQA_ENTRY_PROBE_RESULT
|
Message text |
Reaction entry [STRING] of NQA entry admin-name [STRING] operation-tag [STRING]: [STRING]. |
|
Variable fields |
$1: ID of the NQA reaction entry. The value range is 1 to 10. $2: Admin name of the NQA entry. $3: Operation tag of the NQA entry. $4: Test result. The value can be: ¡ Probe-pass: Succeeded. ¡ Probe-fail: Failed. |
|
Severity level |
6 |
|
Example |
NQA/6/NQA_ENTRY_PROBE_RESULT Reaction entry 1 of NQA entry admin-name 1 operation-tag 1: Probe-pass. |
|
Explanation |
A change in the monitoring result of an NQA reaction entry was detected. |
|
Recommended action |
If the test result is Probe-fail, check the network environment. |
NQA_LOG_UNREACHABLE
|
Message text |
Server [STRING] unreachable. |
|
Variable fields |
$1: IP address of the NQA server. |
|
Severity level |
6 |
|
Example |
NQA/6/NQA_LOG_UNREACHABLE: Server 192.168.30.117 unreachable. |
|
Explanation |
An unreachable server was detected. |
|
Recommended action |
Check the network environment. |
NQA_SCHEDULE_FAILURE
|
Message text |
NQA entry ([ STRING ]- [ STRING ]): Failed to start the scheduled NQA operation because port [ STRING] used by the operation is not available. |
|
Variable fields |
$1: Admin name of the NQA operation. $2: Operation tag of the NQA operation. $3: Port number. |
|
Severity level |
6 |
|
Example |
NQA/6/NQA_SCHEDULE_FAILURE: NQA entry (admin-tag): Failed to start the scheduled NQA operation because port 10000 used by the operation is not available. |
|
Explanation |
Failed to start a scheduled NQA operation because the port number used by the operation is not available. |
|
Recommended action |
Change the port number of the NQA operation or disable the service that uses the port number. |
NQA_SET_DRIVE_FAIL
|
Message text |
NQA entry admin-name [STRING] operation-tag [STRING]: [STRING]. |
|
Variable fields |
$1: Admin name of the NQA entry. $2: Operation tag of the NQA entry. $3: Reason for the failure to issue the NQA operation to driver: ¡ Operation failed due to configuration conflicts. ¡ Operation failed because the driver was not ready to perform the operation. ¡ Operation not supported. ¡ Not enough resources to complete the operation. ¡ Operation failed due to an unkonwn error. |
|
Severity level |
6 |
|
Example |
NQA/6/ NQA_SET_DRIVE_FAIL NQA entry admin-name 1 operation-tag 1: Not enough resources to complete the operation. |
|
Explanation |
Failed to issue the NQA operation to driver. |
|
Recommended action |
Follow the instructions to check the configuration. |
NQA_SEVER_FAILURE
|
Message text |
Failed to enable the NQA server because listening port [ STRING ] is not available. |
|
Variable fields |
$1: Port number. |
|
Severity level |
6 |
|
Example |
NQA/6/NQA_SEVER_FAILURE: Failed to enable the NQA server because listening port 10000 is not available. |
|
Explanation |
Failed to enable the NQA server because the port number specified for a listening service is not available. |
|
Recommended action |
Change the port number of the listening service or disable the service that uses the port number. |
NTP messages
This section contains NTP messages.
NTP_CLOCK_CHANGE
|
Message text |
System clock changed from [STRING] to [STRING], the NTP server's IP address is [STRING]. |
|
Variable fields |
$1: Time before synchronization. $2: Time after synchronization. $3: IP address. |
|
Severity level |
5 |
|
Example |
NTP/5/NTP_CLOCK_CHANGE: System clock changed from 02:12:58 12/28/2012 to 02:29:12 12/28/2012, the NTP server's IP address is 192.168.30.116. |
|
Explanation |
The NTP client has synchronized its time to the NTP server. |
|
Recommended action |
No action is required. |
NTP_LEAP_CHANGE
|
Message text |
System Leap Indicator changed from [UINT32] to [UINT32] after clock update. |
|
Variable fields |
$1: Original Leap Indicator. $2: Current Leap Indicator. |
|
Severity level |
5 |
|
Example |
NTP/5/NTP_LEAP_CHANGE: System Leap Indicator changed from 00 to 01 after clock update. |
|
Explanation |
The system Leap Indicator changed. For example, the NTP status changed from unsynchronized to synchronized. NTP Leap Indicator is a two-bit code warning of an impending leap second to be inserted in the NTP timescale. The bits are set before 23:59 on the day of insertion and reset after 00:00 on the following day. This causes the number of seconds (rolloverinterval) in the day of insertion to be increased or decreased by one. |
|
Recommended action |
No action is required. |
NTP_SOURCE_CHANGE
|
Message text |
NTP server's IP address changed from [STRING] to [STRING]. |
|
Variable fields |
$1: IP address of the original time source. $2: IP address of the new time source. |
|
Severity level |
5 |
|
Example |
NTP/5/NTP_SOURCE_CHANGE: NTP server's IP address changed from 1.1.1.1 to 1.1.1.2. |
|
Explanation |
The system changed the time source. |
|
Recommended action |
No action is required. |
NTP_SOURCE_LOST
|
Message text |
Lost synchronization with NTP server with IP address [STRING]. |
|
Variable fields |
$1: IP address. |
|
Severity level |
5 |
|
Example |
NTP/5/NTP_SOURCE_LOST: Lost synchronization with NTP server with IP address 1.1.1.1. |
|
Explanation |
The clock source of the NTP association is in unsynchronized state or it is unreachable. |
|
Recommended action |
140. Verify the NTP server and network connection. 141. For NTP server failures: ¡ Use the ntp-service unicast-server command to specify a new NTP server. ¡ Use the ntp-service multicast-client command to configure the device to operate in NTP multicast client mode and receive NTP multicast packets from a new NTP server. 142. If the problem persists, contract H3C Support. |
NTP_STRATUM_CHANGE
|
Message text |
System stratum changed from [UINT32] to [UINT32] after clock update. |
|
Variable fields |
$1: Original stratum. $2: Current stratum. |
|
Severity level |
5 |
|
Example |
NTP/5/NTP_STRATUM_CHANGE: System stratum changed from 6 to 5 after clock update. |
|
Explanation |
System stratum has changed. |
|
Recommended action |
No action is required. |
OBJP messages
This section contains object policy messages.
OBJP_ACCELERATE_NO_RES
|
Message text |
Failed to accelerate [STRING] object-policy [STRING]. The resources are insufficient. |
|
Variable fields |
$1: Object policy version. $2: Object policy name. |
|
Severity level |
4 |
|
Example |
OBJP/4/OBJP_ACCELERATE_NO_RES: Failed to accelerate IPv6 object-policy a. The resources are insufficient. |
|
Explanation |
Object policy acceleration failed because of insufficient hardware resources. |
|
Recommended action |
Delete unnecessary rules or disable acceleration for other object policies to release hardware resources. |
OBJP_ACCELERATE_NOT_SUPPORT
|
Message text |
Failed to accelerate [STRING] object-policy [STRING]. The operation is not supported. |
|
Variable fields |
$1: Object policy version. $2: Object policy name. |
|
Severity level |
4 |
|
Example |
OBJP/4/OBJP_ACCELERATE_NOT_SUPPORT: Failed to accelerate IPv6 object-policy a. The operation is not supported. |
|
Explanation |
Object policy acceleration failed because the system did not support acceleration. |
|
Recommended action |
No action is required. |
OBJP_ACCELERATE_UNK_ERR
|
Message text |
Failed to accelerate [STRING] object-policy [STRING]. |
|
Variable fields |
$1: Object policy version. $2: Object policy name. |
|
Severity level |
4 |
|
Example |
OBJP/4/OBJP_ACCELERATE_UNK_ERR: Failed to accelerate IPv6 object-policy a. |
|
Explanation |
Object policy acceleration failed because of a system failure. |
|
Recommended action |
No action is required. |
OBJP_RULE_CREATE_SUCCESS
|
Message text |
RuleName(1080)=[STRING];Type(1067)=[STRING];Action(1053)=[STRING]; |
|
Variable fields |
$1: Rule name. $2: Rule type. $3: Action for the rule. |
|
Severity level |
6 |
|
Example |
OBJP/6/OBJP_RULE_CREATE_SUCCESS: RuleName(1080)=zone1-zone2;Type(1067)=IPv4;Action(1053)=Permit; |
|
Explanation |
An object policy rule was created successfully. |
|
Recommended action |
No action is required. |
OBJP_RULE_CREATE_FAIL
|
Message text |
RuleName(1080)=[STRING];Type(1067)=[STRING];Action(1053)=[STRING]; |
|
Variable fields |
$1: Rule name. $2: Rule type. $3: Action for the rule. |
|
Severity level |
6 |
|
Example |
OBJP/6/OBJP_RULE_CREATE_FAIL: RuleName(1080)=zone1-zone2;Type(1067)=IPv4;Action(1053)=Permit; |
|
Explanation |
An object policy rule failed to be created. |
|
Recommended action |
No action is required. |
OBJP_RULE_UPDATE_SUCCESS
|
Message text |
RuleName(1080)=[STRING];RuleID(1078)=[UINT32];Type(1067)=[STRING];Action(1053)=[STRING]; |
|
Variable fields |
$1: Rule name. $2: Rule ID. $3: Rule type. $4: Action for the rule. |
|
Severity level |
6 |
|
Example |
OBJP/6/OBJP_RULE_UPDATE_SUCCESS: RuleName(1080)=zone1-zone2;RuleID(1078)=1;Type(1067)=IPv4;Action(1053)=Permit; |
|
Explanation |
An object policy rule was modified successfully. |
|
Recommended action |
No action is required. |
OBJP_RULE_UPDATE_FAIL
|
Message text |
RuleName(1080)=[STRING];RuleID(1078)=[UINT32];Type(1067)=[STRING];Action(1053)=[STRING]; |
|
Variable fields |
$1: Rule name. $2: Rule ID. $3: Rule type. $4: Action for the rule. |
|
Severity level |
6 |
|
Example |
OBJP/6/OBJP_RULE_UPDATE_FAIL: RuleName(1080)=zone1-zone2;RuleID[1078]=1;Type(1067)=IPv4;Action(1053)=Permit; |
|
Explanation |
An object policy rule failed to be modified. |
|
Recommended action |
No action is required. |
OBJP_RULE_DELETE_SUCCESS
|
Message text |
RuleName(1080)=[STRING];RuleID(1078)=[UINT32];Type(1067)=[STRING]; |
|
Variable fields |
$1: Rule name. $2: Rule ID. $3: Rule type. |
|
Severity level |
6 |
|
Example |
OBJP/6/OBJP_RULE_DELETE_SUCCESS: RuleName(1080)=zone1-zone2;RuleID(1078)=1;Type(1067)=IPv4; |
|
Explanation |
An object policy rule was deleted successfully. |
|
Recommended action |
No action is required. |
OBJP_RULE_DELETE_FAIL
|
Message text |
RuleName(1080)=[STRING];RuleID(1078)=[UINT32];Type(1067)=[STRING]; |
|
Variable fields |
$1: Rule name. $2: Rule ID. $3: Rule type. |
|
Severity level |
6 |
|
Example |
OBJP/6/OBJP_RULE_DELETE_FAIL: RuleName(1080)=zone1-zone2;RuleID(1078)=1;Type(1067)=IPv4; |
|
Explanation |
An object policy rule failed to be deleted. |
|
Recommended action |
No action is required. |
OBJP_RULE_CLRSTAT_SUCCESS
|
Message text |
RuleName(1080)=[STRING];RuleID(1078)=[UINT32];Type(1067)=[STRING]; |
|
Variable fields |
$1: Rule name. $2: Rule ID. $3: Rule type. |
|
Severity level |
6 |
|
Example |
OBJP/6/OBJP_RULE_CLRSTAT_SUCCESS: RuleName(1080)=zone1-zone2;RuleID(1078)=1;Type(1067)=IPv4; |
|
Explanation |
Statistics for an object policy rule were cleared successfully. |
|
Recommended action |
No action is required. |
OBJP_RULE_CLRSTAT_FAIL
|
Message text |
RuleName(1080)=[STRING];RuleID(1078)=[UINT32];Type(1067)=[STRING]; |
|
Variable fields |
$1: Rule name. $2: Rule ID. $3: Rule type. |
|
Severity level |
6 |
|
Example |
OBJP/6/OBJP_RULE_CLRSTAT_FAIL: RuleName(1080)=zone1-zone2;RuleID(1078)=1;Type(1067)=IPv4; |
|
Explanation |
Statistics for an object policy rule failed to be cleared. |
|
Recommended action |
No action is required. |
OBJP_APPLY_POLICY_FAIL
|
Message text |
Failed to apply [STRING] object policy [STRING]. The object policy does not exist. |
|
Variable fields |
$1: Object policy version. $2: Object policy name. |
|
Severity level |
4 |
|
Example |
OBJP/4/OBJP_APPLY_POLICY_FAIL: Failed to apply IPv4 object policy a. The object policy does not exist. |
|
Explanation |
An object policy failed to be applied because the object policy doesn't exist. |
|
Recommended action |
No action is required. |
OBJP_APPLAY_INFO
|
Message text |
Failed to apply policy [STRING]. Reason: [STRING]. |
|
Variable fields |
$1: Object policy name. $2: Failure reason. |
|
Severity level |
4 |
|
Example |
OBJP/4/OBJP_APPLAY_INFO: Failed to apply policy P1. Reason: The operation is not supported. |
|
Explanation |
An object policy failed to be applied. |
|
Recommended action |
No action is required. |
OPENSRC (RSYNC) messages
This section contains OPENSRC RSYNC messages.
Synchronization success
|
Message text |
Rsync transfer statistics(sn=[STRING]):Src files([STRING]::[STRING]) sync transfer successfully. |
|
Variable fields |
$1: Sequence number of the device. $2: IPv4 address of the server. $3: Files or folders to be synchronized on the server. |
|
Severity level |
5 |
|
Example |
OPENSRC/5/SYSLOG: -MDC=1; Rsync transfer statistics(sn=2013AYU0711103):Src files(1.1.1.13::test/dir1) sync transfer successfully. |
|
Explanation |
The file synchronization succeeded. |
|
Recommended action |
No action is required. |
Synchronization failure
|
Message text |
Rsync error(sn=[STRING]):Src files([STRING]::[STRING]) [NUMBER] files transfer failed. |
|
Variable fields |
$1: Sequence number of the device. $2: IPv4 address of the server. $3: Files or folders to be synchronized on the server. $4: Number of files that failed to be synchronized. |
|
Severity level |
5 |
|
Example |
OPENSRC/5/SYSLOG: -MDC=1; Rsync transfer statistics(sn=2013AYU0711103):Src files(1.1.1.13::test/dir1) 2 files transfer failed. |
|
Explanation |
The device failed to synchronize files from the server and recorded the number of files that failed to be synchronized. |
|
Recommended action |
Take actions according to the failure reasons displayed in the synchronization error log. |
Synchronization error
|
Message text |
Rsync error(sn=[STRING]): [STRING]. |
|
Variable fields |
$1: Sequence number of the device. $2: Failure reasons. Available options include: ¡ error starting client-server protocol—The RSYNC process on the device has malfunctioned and cannot provide synchronization services. ¡ error in socket IO—An error occurred to the socket for synchronization. ¡ error in file IO—An error occurred during file system reading. ¡ some files/attrs were not transferred (see previous errors)—Some files or file attributes failed to be synchronized. ¡ error allocating core memory buffers—An error occurred in memory application. ¡ timeout waiting for daemon connection—The request for connection to the server timed out. |
|
Severity level |
5 |
|
Example |
OPENSRC/5/SYSLOG: -MDC=1; Rsync error(sn=2013AYU0711103): error starting client-server protocol . |
|
Explanation |
The device recorded the synchronization failure reasons. |
|
Recommended action |
To resolve the problem, you can perform the following tasks: · Verify that the rsync command syntax is correct. · Verify that the server is reachable. · Verify that the local disk is not full. · Verify that the user is authorized to perform the synchronization. |
OPTMOD messages
This section contains transceiver module messages.
BIAS_HIGH
|
Message text |
[STRING]: Bias current is high. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
2 |
|
Example |
OPTMOD/2/BIAS_HIGH: GigabitEthernet1/0/13: Bias current is high. |
|
Explanation |
The bias current of the transceiver module exceeded the high threshold. |
|
Recommended action |
143. Execute the display transceiver diagnosis interface command to verify that the bias current of the transceiver module has exceeded the high threshold. 144. Execute the display transceiver alarm interface command to verify that a high bias current alarm for the transceiver module has been generated and not cleared. 145. Replace the transceiver module. |
BIAS_LOW
|
Message text |
[STRING]: Bias current is low. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
5 |
|
Example |
OPTMOD/5/BIAS_LOW: GigabitEthernet1/0/13: Bias current is low. |
|
Explanation |
The bias current of the transceiver module went below the low threshold. |
|
Recommended action |
146. Execute the display transceiver diagnosis interface command to verify that the bias current of the transceiver module is below the low threshold. 147. Execute the display transceiver alarm interface command to verify that a low bias current alarm for the transceiver module has been generated and not cleared. 148. Replace the transceiver module. |
BIAS_NORMAL
|
Message text |
[STRING]: Bias current is normal. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
5 |
|
Example |
OPTMOD/5/BIAS_NORMAL: GigabitEthernet1/0/13: Bias current is normal. |
|
Explanation |
The bias current of the transceiver module returned to the acceptable range. |
|
Recommended action |
No action is required. |
CFG_ERR
|
Message text |
[STRING]: Transceiver type and port configuration mismatched. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
3 |
|
Example |
OPTMOD/3/CFG_ERR: GigabitEthernet1/0/13: Transceiver type and port configuration mismatched. |
|
Explanation |
The transceiver module type does not match the port configurations. |
|
Recommended action |
Check for the transceiver module type and the current port configurations. If they mismatch, replace the transceiver module or update the port configurations. |
CHKSUM_ERR
|
Message text |
[STRING]: Transceiver information checksum error. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
5 |
|
Example |
OPTMOD/5/CHKSUM_ERR: GigabitEthernet1/0/13: Transceiver information checksum error . |
|
Explanation |
Checksum verification on the register information on the transceiver module failed. |
|
Recommended action |
Replace the transceiver module, or contact H3C Support. |
FIBER_SFPMODULE_INVALID
|
Message text |
[STRING]: This transceiver module is not compatible with the interface card. HP does not guarantee the correct operation of the transceiver module. The transceiver module will be invalidated in [UINT32] days. Please replace it with a compatible one as soon as possible. |
|
Variable fields |
$1: Interface type and number. $2: Number of days that the transceiver module will be invalid. |
|
Severity level |
4 |
|
Example |
OPTMOD/4/FIBER_SFPMODULE_INVALID: GigabitEthernet1/0/13: This transceiver module is not compatible with the interface card. HP does not guarantee the correct operation of the transceiver module. The transceiver module will be invalidated in 3 days. Please replace it with a compatible one as soon as possible. |
|
Explanation |
The transceiver module is not compatible with the interface card. |
|
Recommended action |
Replace the transceiver module. |
FIBER_SFPMODULE_NOWINVALID
|
Message text |
[STRING]: This is not a supported transceiver for this platform. HP does not guarantee the normal operation or maintenance of unsupported transceivers. Please review the platform datasheet on the HP web site or contact your HP sales rep for a list of supported transceivers. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
4 |
|
Example |
OPTMOD/4/FIBER_SFPMODULE_NOWINVALID: GigabitEthernet1/0/13: This is not a supported transceiver for this platform. HP does not guarantee the normal operation or maintenance of unsupported transceivers. Please review the platform datasheet on the HP web site or contact your HP sales rep for a list of supported transceivers. |
|
Explanation |
The system does not support the transceiver module. |
|
Recommended action |
Replace the transceiver module. |
IO_ERR
|
Message text |
[STRING]: The transceiver information I/O failed. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
5 |
|
Example |
OPTMOD/5/IO_ERR: GigabitEthernet1/0/13: The transceiver information I/O failed. |
|
Explanation |
The device failed to access the register information of the transceiver module. |
|
Recommended action |
Execute the display transceiver diagnosis interface and display transceiver alarm interface commands. If both commands fail to be executed, the transceiver module is faulty. Replace the transceiver module. |
MOD_ALM_OFF
|
Message text |
[STRING]: [STRING] was removed. |
|
Variable fields |
$1: Interface type and number. $2: Fault type. |
|
Severity level |
5 |
|
Example |
OPTMOD/5/MOD_ALM_OFF: GigabitEthernet1/0/13: Module_not_ready was removed.. |
|
Explanation |
A fault was removed from the transceiver module. |
|
Recommended action |
No action is required. |
MOD_ALM_ON
|
Message text |
[STRING]: [STRING] was detected. |
|
Variable fields |
$1: Interface type and number. $2: Fault type. |
|
Severity level |
5 |
|
Example |
OPTMOD/5/MOD_ALM_ON: GigabitEthernet1/0/13: Module_not_ready wasdetected. |
|
Explanation |
A fault was detected on the transceiver module. |
|
Recommended action |
149. Execute the display transceive alarm interface command to verify that a corresponding alarm for the fault has been generated and not cleared. 150. Replace the transceiver module. |
MODULE_IN
|
Message text |
[STRING]: The transceiver is [STRING]. |
|
Variable fields |
$1: Interface type and number. $2: Type of the transceiver module. |
|
Severity level |
4 |
|
Example |
OPTMOD/4/MODULE_IN: GigabitEthernet1/0/13: The transceiver is 1000_BASE_T_AN_SFP. |
|
Explanation |
When a transceiver module is inserted, the OPTMOD module generates the message to display the transceiver module type. |
|
Recommended action |
No action is required. |
MODULE_OUT
|
Message text |
[STRING]: Transceiver absent. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
4 |
|
Example |
OPTMOD/4/MODULE_OUT: GigabitEthernet1/0/13: The transceiver is absent. |
|
Explanation |
The transceiver module was removed. |
|
Recommended action |
No action is required. |
OPTMOD_COUNTERFEIT_MOUDULE
|
Message text |
The following might be counterfeited H3C transceivers. Please contact the supplier to verify their authenticity. H3C reserves the right to pursue legal actions. [STRING]: Transceiver type [STRING], SN [STRING]. |
|
Variable fields |
$1: Interface type and number. $2: Transceiver type. $3: Transceiver sequence number. |
|
Severity level |
3 |
|
Example |
OPTMOD/3/OPTMOD_COUNTERFEIT_MODULE: The following might be counterfeited H3C transceivers. Please contact the supplier to verify their authenticity. H3C reserves the right to pursue legal actions. GigabitEthernet1/0/1: Transceiver type 1000_BASE_SX_SFP, SN 2013AYU0711103. GigabitEthernet1/0/2: Transceiver type 1000_BASE_SX_SFP, SN 2013AYU0711103. |
|
Explanation |
This log is generated when a probably counterfeited H3C transceiver module is detected. For a counterfeit H3C transceiver module, you cannot obtain any data from the display transceiver diagnosis command. |
|
Recommended action |
Please contact Technical Support. |
OPTMOD_MODULE_CHECK
|
Message text |
An H3C transceiver is detected. Please go to the website www.h3c.com to verify its authenticity. |
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
OPTMOD/6/OPTMOD_MODULE_CHECK: An H3C transceiver is detected. Please go to the website www.h3c.com to verify its authenticity. |
|
Explanation |
The log is generated when an H3C transceiver module is detected. It reminds the user to verify the authenticity of the transceiver module from the H3C website (www.h3c.com). |
|
Recommended action |
No action is required. |
PHONY_MODULE
|
Message text |
[STRING]: A non-H3C transceiver is detected. Please confirm the label of the transceiver. If there is an H3C Logo, it is suspected to be a counterfeit H3C transceiver. This transceiver is NOT sold by H3C. H3C therefore shall NOT guarantee the normal function of the device or assume the maintenance responsibility thereof! |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
4 |
|
Example |
OPTMOD/4/PHONY_MODULE: A non-H3C transceiver is detected. Please confirm the label of the transceiver. If there is an H3C Logo, it is suspected to be a counterfeit H3C transceiver. This transceiver is NOT sold by H3C. H3C therefore shall NOT guarantee the normal function of the device or assume the maintenance responsibility thereof! |
|
Explanation |
This log is generated when a non-H3C transceiver module is detected. |
|
Recommended action |
Purchase and use genuine H3C transceiver modules for the device. |
RX_ALM_OFF
|
Message text |
STRING]: [STRING] was removed. |
|
Variable fields |
$1: Interface type and number. $2: RX fault type. |
|
Severity level |
5 |
|
Example |
OPTMOD/5/RX_ALM_OFF: GigabitEthernet1/0/13: RX_not_ready was removed. |
|
Explanation |
An RX fault was removed from the transceiver module. |
|
Recommended action |
No action is required. |
RX_ALM_ON
|
Message text |
[STRING]: [STRING] was detected. |
|
Variable fields |
$1: Interface type and number. $2: RX fault type. |
|
Severity level |
5 |
|
Example |
OPTMOD/5/RX_ALM_ON: GigabitEthernet1/0/13: RX_not_ready was detected. |
|
Explanation |
An RX fault was detected on the transceiver module. |
|
Recommended action |
151. Execute the display transceiver alarm interface command to verify that a corresponding alarm for the fault has been generated and not cleared. 152. Replace the transceiver module. |
RX_POW_HIGH
|
Message text |
[STRING]: RX power is high. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
5 |
|
Example |
OPTMOD/5/RX_POW_HIGH: GigabitEthernet1/0/13: RX power is high. |
|
Explanation |
The RX power of the transceiver module exceeded the high threshold. |
|
Recommended action |
153. Execute the display transceiver diagnosis interface command to verify that the RX power of the transceiver module has exceeded the high threshold. 154. Execute the display transceiver alarm interface command to verify that a high RX power alarm for the transceiver module has been generated and not cleared. 155. Replace the transceiver module. |
RX_POW_LOW
|
Message text |
[STRING]: RX power is low. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
5 |
|
Example |
OPTMOD/5/RX_POW_LOW: GigabitEthernet1/0/13: RX power is low. |
|
Explanation |
The RX power of the transceiver module went below the low threshold. |
|
Recommended action |
156. Execute the display transceiver diagnosis interface command to verify that the RX power of the transceiver module is below the low threshold. 157. Execute the display transceiver alarm interface command to verify that a low RX power alarm for the transceiver module has been generated and not cleared. 158. Replace the transceiver module. |
RX_POW_NORMAL
|
Message text |
[STRING]: RX power is normal. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
5 |
|
Example |
OPTMOD/5/RX_POW_NORMAL: GigabitEthernet1/0/13: RX power is normal. |
|
Explanation |
The RX power of the transceiver module returned to the acceptable range. |
|
Recommended action |
No action is required. |
TEMP_HIGH
|
Message text |
[STRING]: Temperature is high. |
|
Variable fields |
$1: Interface type and number |
|
Severity level |
5 |
|
Example |
OPTMOD/5/TEMP_HIGH: GigabitEthernet1/0/13: Temperature is high. |
|
Explanation |
The temperature of the transceiver module exceeded the high threshold. |
|
Recommended action |
159. Verify that the fan trays are operating correctly. ¡ If there are no fan trays, install fan trays. ¡ If the fan trays fail, replace the fan trays. 160. Verify that the ambient temperature is in the acceptable range. If it is out of the acceptable range, take measures to lower the temperature. 161. Replace the transceiver module. |
TEMP_LOW
|
Message text |
[STRING]: Temperature is low. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
5 |
|
Example |
OPTMOD/5/TEMP_LOW: GigabitEthernet1/0/13: Temperature is low. |
|
Explanation |
The temperature of the transceiver module went below the low threshold. |
|
Recommended action |
162. Verify that the ambient temperature is in the acceptable range. If it is out of the acceptable range, take measures to raise the temperature. 163. Replace the transceiver module. |
TEMP_NORMAL
|
Message text |
[STRING]: Temperature is normal. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
5 |
|
Example |
OPTMOD/5/TEMP_NORMAL: GigabitEthernet1/0/13: Temperature is normal. |
|
Explanation |
The temperature of the transceiver module returned to the acceptable range. |
|
Recommended action |
No action is required. |
TX_ALM_OFF
|
Message text |
[STRING]: [STRING] was removed. |
|
Variable fields |
$1: Interface type and number. $2: TX fault type. |
|
Severity level |
5 |
|
Example |
OPTMOD/5/TX_ALM_OFF: GigabitEthernet1/0/13: TX_fault was removed. |
|
Explanation |
A TX fault was removed from the transceiver module. |
|
Recommended action |
No action is required. |
TX_ALM_ON
|
Message text |
[STRING]: [STRING] was detected. |
|
Variable fields |
$1: Interface type and number. $2: TX fault type. |
|
Severity level |
5 |
|
Example |
OPTMOD/5/TX_ALM_ON: GigabitEthernet1/0/13: TX_fault was detected. |
|
Explanation |
A TX fault was detected on the transceiver module. |
|
Recommended action |
164. Execute the display transceiver alarm interface command to verify that a corresponding alarm for the fault has been generated and not cleared. 165. Replace the transceiver module. |
TX_POW_HIGH
|
Message text |
[STRING]: TX power is high. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
2 |
|
Example |
OPTMOD/2/TX_POW_HIGH: GigabitEthernet1/0/13: TX power is high. |
|
Explanation |
The TX power of the transceiver module exceeded the high threshold. |
|
Recommended action |
166. Execute the display transceiver diagnosis interface command to verify that the TX power of the transceiver module has exceeded the high threshold. 167. Execute the display transceiver alarm interface command to verify that a high TX power alarm for the transceiver module has been generated and not cleared. 168. Replace the transceiver module. |
TX_POW_LOW
|
Message text |
[STRING]: TX power is low. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
5 |
|
Example |
OPTMOD/5/TX_POW_LOW: GigabitEthernet1/0/13: TX power is low. |
|
Explanation |
The TX power of the transceiver module went below the low threshold. |
|
Recommended action |
169. Execute the display transceiver diagnosis interface command to verify that the TX power of the transceiver module is below the low threshold. 170. Execute the display transceiver alarm interface command to verify that a low TX power alarm for the transceiver module has been generated and not cleared. 171. Replace the transceiver module. |
TX_POW_NORMAL
|
Message text |
[STRING]: TX power is normal. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
5 |
|
Example |
OPTMOD/5/TX_POW_NORMAL: GigabitEthernet1/0/13: TX power is normal. |
|
Explanation |
The TX power of the transceiver module returned to the acceptable range. |
|
Recommended action |
No action is required. |
TYPE_ERR
|
Message text |
[STRING]: The transceiver type is not supported by port hardware. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
3 |
|
Example |
OPTMOD/3/TYPE_ERR: GigabitEthernet1/0/13: The transceiver type is not supported by port hardware. |
|
Explanation |
The transceiver module is not supported by the port. |
|
Recommended action |
Replace the transceiver module. |
VOLT_HIGH
|
Message text |
[STRING]: Voltage is high. |
|
Variable fields |
$1: Interface type and number |
|
Severity level |
5 |
|
Example |
OPTMOD/5/VOLT_HIGH: GigabitEthernet1/0/13: Voltage is high. |
|
Explanation |
The voltage of the transceiver module exceeded the high threshold. |
|
Recommended action |
172. Execute the display transceiver diagnosis interface command to verify that the voltage of the transceiver module has exceeded the high threshold. 173. Execute the display transceiver alarm interface command to verify that a high voltage alarm for the transceiver module has been generated and not cleared. 174. Replace the transceiver module. |
VOLT_LOW
|
Message text |
[STRING]: Voltage is low. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
5 |
|
Example |
OPTMOD/5/VOLT_LOW: GigabitEthernet1/0/13: Voltage is low. |
|
Explanation |
The voltage of the transceiver module went below the low threshold. |
|
Recommended action |
175. Execute the display transceiver diagnosis interface command to verify that the voltage of the transceiver module is below the low threshold. 176. Execute the display transceiver alarm interface command to verify that a low voltage alarm for the transceiver module has been generated and not cleared. 177. Replace the transceiver module. |
VOLT_NORMAL
|
Message text |
[STRING]: Voltage is normal. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
5 |
|
Example |
OPTMOD/5/VOLT_NORMAL: GigabitEthernet1/0/13: Voltage is normal. |
|
Explanation |
The voltage of the transceiver module returned to the acceptable range. |
|
Recommended action |
No action is required. |
PBR messages
This section contains PBR messages.
PBR_HARDWARE_ERROR
|
Message text |
Failed to update policy [STRING] due to [STRING]. |
|
Variable fields |
$1: Policy name. $2: Hardware error reasons: ¡ The hardware resources are insufficient. ¡ The system does not support the operation. ¡ The hardware resources are insufficient and the system does not support the operation. |
|
Severity level |
4 |
|
Example |
PBR/4/PBR_HARDWARE_ERROR: Failed to update policy aaa due to insufficient hardware resources and not supported operations. |
|
Explanation |
The device failed to update PBR configuration. |
|
Recommended action |
Modify the PBR policy configuration according to the failure reason. |
PCAPWARE messages
This section contains PCAPWARE messages.
PCAPWARE_STOP
|
Message text |
|
|
Variable fields |
$1: The packet file size exceeded the storage limit. |
|
Severity level |
5 |
|
Example |
|
|
Explanation |
The packet capture stopped because the maximum storage space for .cap files on the device was reached. |
|
Recommended action |
Use one of the following methods: · Increase the maximum storage space for .cap files on the device. · Export the existing .cap files on the device. · Save the .cap files to a remote file server. |
PING messages
This section contains ping messages.
PING_STATISTICS
|
Message text |
[STRING] statistics for [STRING]: [UINT32] packets transmitted, [UINT32] packets received, [DOUBLE]% packet loss, round-trip min/avg/max/std-dev = [DOUBLE]/[DOUBLE]/[DOUBLE]/[DOUBLE] ms. |
|
Variable fields |
$1: Ping or ping6. $2: IP address, IPv6 address, or host name for the destination. $3: Number of sent echo requests. $4: Number of received echo replies. $5: Percentage of the non-replied packets to the total request packets. $6: Minimum round-trip delay. $7: Average round-trip delay. $8: Maximum round-trip delay. $9: Standard deviation round-trip delay. |
|
Severity level |
6 |
|
Example |
PING/6/PING_STATISTICS: Ping statistics for 192.168.0.115: 5 packets transmitted, 5 packets received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.800/2.000/0.748 ms. |
|
Explanation |
A user uses the ping command to identify whether a destination in the public network is reachable. |
|
Recommended action |
If there is no packet received, identify whether the interface is down. |
PING_VPN_STATISTICS
|
Message text |
[STRING] statistics for [STRING] in VPN instance [STRING] : [UINT32] packets transmitted, [UINT32] packets received, [DOUBLE]% packet loss, round-trip min/avg/max/std-dev = [DOUBLE]/[DOUBLE]/[DOUBLE]/[DOUBLE] ms. |
|
Variable fields |
$1: Ping or ping6. $2: IP address, IPv6 address, or host name for the destination. $3: VPN instance name. $4: Number of sent echo requests. $5: Number of received echo replies. $6: Percentage of the non-replied packets to the total request packets. $7: Minimum round-trip delay. $8: Average round-trip delay. $9: Maximum round-trip delay. $10: Standard deviation round-trip delay. |
|
Severity level |
6 |
|
Example |
PING/6/PING_VPN_STATISTICS: Ping statistics for 192.168.0.115 in VPN instance vpn1: 5 packets transmitted, 5 packets received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.800/2.000/0.748 ms. |
|
Explanation |
A user uses the ping command to identify whether a destination in a private network is reachable. |
|
Recommended action |
If there is no packet received, identify whether the interface is down and identify whether a valid route exists in the routing table. |
PKI messages
This section contains PKI messages.
REQUEST_CERT_FAIL
|
Message text |
Failed to request [STRING] certificate of domain [STRING]. |
|
Variable fields |
$1: Certificate purpose. $2: PKI domain name. |
|
Severity level |
5 |
|
Example |
PKI/5/REQUEST_CERT_FAIL: Failed to request general certificate of domain abc. |
|
Explanation |
Failed to request certificate for a domain. |
|
Recommended action |
Check the configuration of the device and CA server, and the network between them. |
REQUEST_CERT_SUCCESS
|
Message text |
Request [STRING] certificate of domain [STRING] successfully. |
|
Variable fields |
$1: Certificate purpose. $2: PKI domain name. |
|
Severity level |
5 |
|
Example |
PKI/5/REQUEST_CERT_SUCCESS: Request general certificate of domain abc successfully. |
|
Explanation |
Successfully requested certificate for a domain. |
|
Recommended action |
No action is required. |
PKT2CPU messages
This section contains PKT2CPU messages.
PKT2CPU_NO_RESOURCE
|
Message text |
-Interface=[STRING]-ProtocolType=[UINT32]-MacAddr=[STRING]; The resources are insufficient. -Interface=[STRING]-ProtocolType=[UINT32]-SrcPort=[UINT32]-DstPort=[UINT32]; The resources are insufficient. |
|
Variable fields |
$1: Interface type and number. $2: Protocol type. $3: MAC address or source port. $4: Destination port. |
|
Severity level |
4 |
|
Example |
PKT2CPU/4/PKT2CPU_NO_RESOURCE: -Interface=Ethernet0/0/2-ProtocolType=21-MacAddr=0180-c200-0014; The resources are insufficient. |
|
Explanation |
Hardware resources were insufficient. |
|
Recommended action |
Cancel the configuration. |
PKTCPT messages
This section contains packet capture messages.
PKTCPT_AP_OFFLINE
|
Message text |
Failed to start packet capture. Reason: AP was offline. |
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
PKTCPT/6/PKTCPT_AP_OFFLINE: Failed to start packet capture. Reason: AP was offline. |
|
Explanation |
Packet capture failed to start because the AP configured with packet capture was offline. |
|
Recommended action |
178. Verify the AP configuration, and restart packet capture after the AP comes online. 179. If the problem persists, contact H3C Support. |
PKTCPT_AREADY_EXIT
|
Message text |
Failed to start packet capture. Reason: The AP was uploading frames captured during the previous capturing operation. |
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
PKTCPT/6/PKTCPT_AREADY_EXIT: Failed to start packet capture. Reason: The AP was uploading frames captured during the previous capturing operation. |
|
Explanation |
When packet capture is stopped on the AC, the fit AP might be still uploading the captured frames. This message is generated when the user restarted packet capture at that time. |
|
Recommended action |
180. Restart packet capture later. 181. If the problem persists, contact H3C Support. |
PKTCPT_CONN_FAIL
|
Message text |
Failed to start packet capture. Reason: Failed to connect to the FTP server. |
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
PKTCPT/6/PKTCPT_CONN_FAIL: Failed to start packet capture. Reason: Failed to connect to the FTP server. |
|
Explanation |
Packet capture failed to start because the device failed to be connected to the FTP server in the same network segment. |
|
Recommended action |
182. Verify that the URL of the FTP server is valid. Possible reasons for an invalid URL include the specified IP address does not exist or is not the FTP server address, and the specified FTP server port is disabled. 183. Verify that the domain name resolution is successful. 184. Verify that the FTP server is reachable for the device configured with packet capture. 185. Verify that the FTP server is online. 186. If the problem persists, contact H3C Support. |
PKTCPT_INVALID_FILTER
|
Message text |
Failed to start packet capture. Reason: Invalid expression for matching packets to be captured. |
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
PKTCPT/6/PKTCPT_INVALD_FILTER: Failed to start packet capture. Reason: Invalid expression for matching packets to be captured. |
|
Explanation |
Packet capture failed to start because the capture filter expression was invalid. |
|
Recommended action |
187. Correct the capture filter expression. 188. If the problem persists, contact H3C Support. |
PKTCPT_LOGIN_DENIED
|
Message text |
Packet capture aborted. Reason: FTP server login failure. |
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
PKTCPT/6/PKTCPT_LOGIN_DENIED: Packet capture aborted. Reason: FTP server login failure. |
|
Explanation |
Packet capture stopped because the user failed to log in to the FTP server. |
|
Recommended action |
189. Verify the username and password. 190. If the problem persists, contact H3C Support. |
PKTCPT_MEMORY_ALERT
|
Message text |
Packet capture aborted. Reason: Memory threshold reached. |
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
PKTCPT/6/PKTCPT_MEMORY_ALERT: Packet capture aborted. Reason: Memory threshold reached. |
|
Explanation |
Packet capture stopped because the memory threshold was reached. |
|
Recommended action |
N/A |
PKTCPT_OPEN_FAIL
|
Message text |
Failed to start packet capture. Reason: File for storing captured frames not opened. |
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
PKTCPT/6/PKTCPT_OPEN_FAIL: Failed to start packet capture. Reason: File for storing captured frames not opened. |
|
Explanation |
Packer capture failed to start because the file for storing the captured frames cannot be opened. |
|
Recommended action |
191. Verify that the user has the write permission to the file. If the user does not have the write permission, assign the permission to the user. 192. Verify that the specified file has been created and is not used by another feature. If the file is used by another feature, use another file. 193. If the problem persists, contact H3C Support. |
PKTCPT_OPERATION_TIMEOUT
|
Message text |
Failed to start or continue packet capture. Reason: Operation timed out. |
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
PKTCPT/6/PKTCPT_OPERATION_TIMEOUT: Failed to start or continue packet capture. Reason: Operation timed out. |
|
Explanation |
This message is generated when one of the following situations occurs: · Packet capture failed to start because the FTP server in a different network segment is not reachable and the connection timed out. · Packet capture stopped because the FTP server in a different network segment is offline and uploading the captured frames timed out. |
|
Recommended action |
194. Verify that the FTP server is reachable. 195. Verify that the FTP server is online. 196. If the problem persists, contact H3C Support. |
PKTCPT_SERVICE_FAIL
|
Message text |
Failed to start packet capture. Reason: TCP or UDP port binding faults. |
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
PKTCPT/6/PKTCPT_SERVICE_FAIL: Failed to start packet capture. Reason: TCP or UDP port binding faults. |
|
Explanation |
Packet capture failed to start because an error occurs during TCP or UDP port binding. |
|
Recommended action |
197. Verify that Wireshark has been closed before you start packet capture. If it is not closed, close Wireshark, and then restart packet capture. 198. Bind a new TCP or UDP port, and then restart packet capture. 199. If the problem persists, contact H3C Support. |
PKTCPT_UNKNOWN_ERROR
|
Message text |
Failed to start or continue packet capture. Reason: Unknown error. |
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
PKTCPT/6/PKTCPT_UNKNOWN_ERROR: Failed to start or continue the packet capture. Reason: Unknown error. |
|
Explanation |
Packet capture failed to start or packet capture stopped because of an unknown error. |
|
Recommended action |
N/A |
PKTCPT_UPLOAD_ERROR
|
Message text |
Packet capture aborted. Reason: Failed to upload captured frames. |
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
PKTCPT/6/PKTCPT_UPLOAD_ERROR: Packet capture aborted. Reason: Failed to upload captured frames. |
|
Explanation |
Packet capture stopped because the capture failed to upload the captured frames. |
|
Recommended action |
200. Verify that the FTP working directory is not changed. 201. Verify that the user has the write permission to the file on the FTP server. 202. Verify that the FTP server is online. 203. Verify that the FTP server is reachable. 204. Verify that the FTP server has enough memory space. 205. Verify that the packet capture is not stopped during the upload of captured frames. 206. If the problem persists, contact H3C Support. |
PKTCPT_WRITE_FAIL
|
Message text |
Packet capture aborted. Reason: Not enough space to store captured frames. |
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
PKTCPT/6/PKTCPT_WRITE_FAIL: Packet capture aborted. Reason: Not enough space to store captured frames. |
|
Explanation |
Packet capture stopped because the memory space is not enough for storing captured frames. |
|
Recommended action |
207. Delete unnecessary files to release the space. 208. If the problem persists, contact H3C Support. |
Portal messages
This section contains portal messages.
PORTAL_USER_LOGOFF
|
Message text |
UserName=[STRING], IPAddr=[IPADDR], IfName=[STRING], OuterVLAN=[UINT16], InnerVLAN=[UINT16], MACAddr=[MAC], Reason=[STRING], Input Octets=[UINT32], Output Octets=[UINT32], Input Gigawords=[UINT32], Output Gigawords=[UINT32], IPv6Input Octets=[UINT32], IPv6Output Octets=[UINT32], IPv6 Input Gigawords=[UINT32], IPv6Output Gigawords=[UINT32], SessionTime=[UINT32]; User logged off. |
|
Variable fields |
$1: Username. $2: IP address. $3: Interface name. $4: Outer VLAN ID. $5: Inner VLAN ID. $6: MAC address. $7: Reason for user offline, see Table 6. $8: Statistics of the user's upstream IPv4 traffic, in bytes. $9: Statistics of the user's downstream IPv4 traffic, in bytes. $10: Statistics of the user's upstream IPv4 traffic. The measurement unit is 4G bytes. $11: Statistics of the user's downstream IPv4 traffic. The measurement unit is 4G bytes. $12: Statistics of the user's upstream IPv6 traffic, in bytes. $13: Statistics of the user's downstream IPv6 traffic, in bytes. $14: Statistics of the user's upstream IPv6 traffic. The measurement unit is 4G bytes. $15: Statistics of the user's downstream IPv6 traffic. The measurement unit is 4G bytes. $16: Online duration of the user, in seconds. |
|
Severity level |
6 |
|
Example |
PORTAL/6/PORTAL_USER_LOGOFF: -MDC=1; UserName=abc, IPAddr=1.1.1.2, IfName=Route-Aggregation1023.4000, OuterVLAN=N/A, InnerVLAN=4000, MACAddr=0230-0103-5601, Reason=User request, Input Octets=100, Output Octets=200, Input Gigawords=100, Output Gigawords=200, IPv6Input Octets=100, IPv6Output Octets=200, IPv6Input Gigawords=100, IPv6Output Gigawords=200, SessionTime=200; User logged off. |
|
Explanation |
A portal user went offline. Whether IPv6-related fields are displayed depends on the configuration of the portal user-log traffic-separate command. For more information, see portal commands in Security Command Reference. |
|
Recommended action |
Choose the recommended action according to the reason (see Table 6). |
Table 6 Reasons that a user goes offline and recommended actions
|
Reason |
Description |
Recommended action |
|
User request. |
The user requested to be offline. |
No action is required. |
|
DHCP entry deleted. |
The DHCP entry was deleted. |
Verify that the DHCP server configuration is correct. |
|
Idle timeout. |
The traffic of the user in the specified period of time does not reach the idle cut traffic threshold. |
No action is required. |
|
Session timeout. |
The user's online time has reached the session timeout time assigned by the server. |
No action is required. |
|
User detection failure. |
The user failed online detection. |
No action is required. |
|
Force logout by RADIUS server. |
The RADIUS server logged out the user. |
No action is required. |
|
Interface down. |
· The state of the access interface became Down or Deactive. · The access interface is a VLAN interface and a Layer 2 port left the VLAN. |
· Verify that a cable is correctly inserted to the user access interface, and the access interface is not shut down by using the shutdown command. · Verify that the user access interface card or subcard operates normally. · Verify that portal roaming is enabled on the user access Layer 2 Ethernet interface. |
|
Failed to assign a user rule. |
N/A. |
Release memory to ensure enough hardware memory space. |
|
Authorization info changed. |
Authorization information changed for the user. For example, the authorization ACL or user profile was deleted. |
No action is required. |
|
Force logout by access device. |
The device logged out the user. |
Make sure portal authentication functions normally on the user access interface. |
|
User info synchronization failure. |
The device failed to synchronize user information with the server. |
· Make sure the user heartbeat interval configured on the portal authentication server is not greater than the user synchronization detection timeout configured on the access device. · Verify that the server is reachable. |
|
User recovery failure. |
User information recovery failed. |
· Verify that the user access interface is up. · Verify that portal authentication is enabled on the user access interface. · Verify that the session timeout timer for the user does not expire. |
|
Authorization ACL for the online user changed. |
N/A |
· Verify that the authorization ACL for the user is correctly assigned. · Verify that strict checking on authorized ACLs is disabled. |
|
Authorization user profile for the online user changed. |
N/A |
· Verify that the authorization user profile for the user is correctly assigned by using the display user profile command. · Verify that strict checking on authorized user profiles is disabled. |
|
Accounting update failure. |
Failed to update accounting for the user. |
· Verify that the device can correctly communicate with the accounting server. · Verify that the status of the accounting server is active. |
|
Failed to start accounting. |
Failed to start accounting for the user. |
· Verify that the device can correctly communicate with the accounting server. · Verify that the status of the accounting server is active. |
|
User traffic reached threshold. |
Traffic of the user reached the traffic threshold set by the server. |
No action is required. |
|
Authorization ACL does not exist. |
The authorization ACL does not exist. |
Verify that the ACL is correctly configured on the device. |
|
Failed to get physical info. |
Failed to get the physical information. |
No action is required. |
|
Failed to add an ARP or ND entry for the user. |
Failed to add the ARP or ND entry of the user. |
No action is required. |
|
User information does not match user profile. |
The user information and the user profile do not match. |
No action is required. |
|
Authorization user profile does not exist. |
The authorization user profile does not exist. |
Verify that the user profile is correctly configured on the device. |
|
Failed to issue the user rule to the AP. |
Failed to issue the user rule to the AP. |
No action is required. |
|
Deleted the user for SSID switchover. |
The user was logged out after SSID switchover. |
No action is required. |
|
Failed to issue an OpenFlow rule to the AP. |
Failed to issue an OpenFlow rule to the AP. |
No action is required. |
|
Logged out the user after the wireless client disconnected. |
The user was logged out after the wireless client was disconnected. |
No action is required. |
|
Logged out the user when a new user with the same MAC address performed MAC-trigger authentication. |
The user was logged out because a new user with the same MAC address performed MAC-trigger authentication. |
No action is required. |
|
Logged out the user when a new dual-stack user with the same MAC address came online. |
The user was logged out because a new dual-stack user with the same MAC address came online. |
No action is required. |
|
The portal server failed to instruct the device to change the user IP address. |
The portal server failed to instruct the device to change the IP address of the user. |
No action is required. |
|
DHCP received a DHCP release packet. |
The user was logged out because DHCP received a DHCP release message. |
No action is required. |
|
DHCP lease expired. |
The DHCP lease of the user expired. |
No action is required. |
|
DHCP received a DHCP release packet from the WLAN roaming center. |
The WLAN roaming center instructed DHCP to log out the user because of a DHCP release message. |
No action is required. |
|
WLAN roaming center instructed portal to log out the user. |
The WLAN roaming center instructed portal to log out the user. |
No action is required. |
|
Logged out the user after user synchronization through WiFiDog. |
Portal logged out the user after it synchronized user information through WifFiDog. |
No action is required. |
|
The cloud portal server instructed portal to log out the user. |
The cloud portal server instructed portal to log out the user. |
No action is required. |
PORTAL_USER_LOGON_FAIL
|
Message text |
-UserName=[STRING]-IPAddr=[IPADDR]-IfName=[STRING]-OuterVLAN=[UINT16]-InnerVLAN=[UINT16]-MACAddr=[MAC]-Reason=[STRING]; User failed to get online. |
|
Variable fields |
$1: Username. $2: IP address. $3: Interface name. $4: Outer VLAN ID. $5: Inner VLAN ID. $6: MAC address. $7: Login failure reason, see Table 7. |
|
Severity level |
6 |
|
Example |
PORTAL/6/PORTAL_USER_LOGON_FAIL: -UserName=abc-IPAddr=1.1.1.2-IfName=Route-Aggregation1023.4000- OuterVLAN=100-InnerVLAN=4000-MACAddr=0230-0103-5601-Reason= Authentication Failed : 4; User failed to get online. |
|
Explanation |
A portal user failed to come online. |
|
Recommended action |
Choose the recommended action according to the reason, see Table 7. |
Table 7 Reasons that a user fails to come online and recommended actions
|
Reason |
Description |
Recommended action |
|
Authorization failure. |
Authorization failed, or authorization attributes deployment failed. |
· Verify that the device can correctly communicate with the authorization server. · Verify that the authorization user attributes exist on the device and are correctly configured. · Verify that the device supports the authorization user attributes. |
|
Received logout request. |
The user received a logout request from the portal server during the login process. |
Verify that the device can correctly communicate with the AAA server. |
|
Authentication failure. |
Authentication failed. |
· Verify that the device can correctly communicate with the authentication server. · Verify that the shared key is the same on the device and the authentication server. · Verify that the username is valid. · Verify that the password for the username is correct. · Verify that the authentication domain on the device is correct. |
|
Other error. |
Unknown error. |
N/A |
PORTAL_USER_LOGON_SUCCESS
|
Message text |
-UserName=[STRING]-IPAddr=[IPADDR]-IfName=[STRING]-OuterVLAN=[UINT16]-InnerVLAN=[UINT16]-MACAddr=[MAC]:User got online successfully. |
|
Variable fields |
$1: Username. $2: IP address. $3: Interface name. $4: Outer VLAN ID. $5: Inner VLAN ID. $6: MAC address. |
|
Severity level |
6 |
|
Example |
PORTAL/6/PORTAL_USER_LOGON_SUCCESS: -UserName=abc-IPAddr=1.1.1.2-IfName=Route-Aggregation1023.4000- OuterVLAN=100-InnerVLAN=4000-MACAddr=0230-0103-5601; User got online successfully. |
|
Explanation |
A portal user came online successfully. |
|
Recommended action |
No action is required. |
PORTSEC messages
This section contains port security messages.
PORTSEC_PORTMODE_NOT_EFFECTIVE
|
Message text |
The port security mode is configured but is not effective on interface [STRING]. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
3 |
|
Example |
PORTSEC/3/PORTSEC_PORTMODE_NOT_EFFECTIVE: The port security mode is configured but is not effective on interface Ethernet3/1/2. |
|
Explanation |
The port security mode does not take effect on an interface, because the interface does not support this mode. |
|
Recommended action |
209. Remove the problem by using one of the following methods: ¡ Change the port security mode to another mode that is supported by the interface. ¡ Reconnect the connected devices to another interface that supports this port security mode, and configure the port security mode on the new interface. 210. If the problem persists, contact H3C Support. |
PORTSEC_NTK_NOT_EFFECTIVE
|
Message text |
The NeedToKnow feature is configured but is not effective on interface [STRING]. |
|
Variable fields |
$1: Interface type and number. |
|
Severity level |
3 |
|
Example |
PORTSEC/3/PORTSEC_NTK_NOT_EFFECTIVE: The NeedToKnow feature is configured but is not effective on interface Ethernet3/1/2. |
|
Explanation |
The NeedToKnow mode does not take effect on an interface, because the interface does not support the NeedToKnow mode. |
|
Recommended action |
211. Remove the problem depending on the network requirements: ¡ If the NeedToKnow feature is not required, disable the NeedToKnow feature on the interface. ¡ If the NeedToKnow feature is required, reconnect the connected devices to another interface that supports the NeedToKnow mode. Then, configure the NeedToKnow mode on the new interface. 212. If the problem persists, contact H3C Support. |
PPP messages
This section contains PPP messages.
IPPOOL_ADDRESS_EXHAUSTED
|
Message text |
The address pool [STRING] was exhausted. |
|
Variable fields |
$1: Pool name. |
|
Severity level |
5 |
|
Example |
PPP/5/IPPOOL_ADDRESS_EXHAUSTED: The address pool aaa was exhausted. |
|
Explanation |
This message is generated when the last address is assigned from the pool. |
|
Recommended action |
Add addresses to the pool. |
PPPOES_MAC_THROTTLE
|
Message text |
The MAC [STRING] triggered MAC throttle on interface [STRING]. |
|
Variable fields |
$1: MAC address. $2: Interface name. |
|
Severity level |
5 |
|
Example |
PPPOES/5/PPPOES_MAC_THROTTLE: -MDC=1; The MAC 001b-21a8-0949 triggered MAC throttle on interface GigabitEthernet1/0/1. |
|
Explanation |
The maximum number of PPPoE session requests from a user within the monitoring time reached the PPPoE access limit on the access interface. The access interface discarded the excessive requests. |
|
Recommended action |
213. Check the PPPoE access limit on the access interface that is configured by using the pppoe-server throttle per-mac command. 214. View the time left for the blocking user on the access interface by executing the display pppoe-server throttled-mac command. 215. If the problem persists, contact the support. |
PWDCTL messages
This section contains password control messages.
PWDCTL_ADD_BLACKLIST
|
Message text |
[STRING] was added to the blacklist for failed login attempts. |
|
Variable fields |
$1: Username. |
|
Severity level |
6 |
|
Example |
PWDCTL/6/PWDCTL_ADD_BLACKLIST: hhh was added to the blacklist for failed login attempts. |
|
Explanation |
The user entered an incorrect password. It failed to log in to the device and was added to the password control blacklist. |
|
Recommended action |
No action is required. |
PWDCTL_CHANGE_PASSWORD
|
Message text |
[STRING] changed the password because [STRING]. |
|
Variable fields |
$1: Username. $2: The reasons for changing password. ¡ it was the first login of the account. ¡ the password had expired. ¡ the password was too short. ¡ the password did not meet the complexity requirement. ¡ the password was default password. |
|
Severity level |
6 |
|
Example |
PWDCTL/6/PWDCTL_CHANGE_PASSWORD: hhh changed the password because it was the first login of the account. |
|
Explanation |
The user changed the password for some reason. For example, the user changed the password because it is the first login of the user's account. |
|
Recommended action |
No action is required. |
PWDCTL_FAILED_TO_OPENFILE
|
Message text |
Failed to create or open the password file. |
|
Variable fields |
N/A |
|
Severity level |
3 |
|
Example |
PWDCTL/3/PWDCTL_FAILED_TO_OPENFILE: Failed to create or open the password file. |
|
Explanation |
The device failed to create or open a .dat file because of file system exception. |
|
Recommended action |
Check the file system of the device for memory space insufficiency. |
PWDCTL_FAILED_TO_WRITEPWD
|
Message text |
Failed to write the password records to file. |
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
PWDCTL/6/PWDCTL_FAILED_TO_WRITEPWD: Failed to write the password records to file. |
|
Explanation |
The device failed to write a password to a file. |
|
Recommended action |
Check the file system of the device for memory space insufficiency. |
PWDCTL_NOTFOUND_USER
|
Message text |
Can't find the username in the password file. |
|
Variable fields |
N/A |
|
Severity level |
3 |
|
Example |
PWDCTL/3/PWDCTL_NOTFOUND_USER: Can't find the username in the file. |
|
Explanation |
This message is sent when the user information cannot be found in the file *.dat. |
|
Recommended action |
Perform either of the following actions: · Create a new local user. · Disable the password control feature and enable it. |
UPDATETIME
|
Message text |
Last login time updated after clock update. |
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
PWDCTL/6/UPDATETIME: Last login time updated after clock update. |
|
Explanation |
Last login time has been updated. |
|
Recommended action |
No action is required. |
QOS messages
This section contains QoS messages.
QOS_AUTHCAR_APPLYUSER_FAIL
|
Message text |
[STRING]; Failed to apply the authorized CAR to the user. Reason: [STRING]. |
|
Variable fields |
$1: User identity. $2: Failure cause: ¡ The resources are insufficient. |
|
Severity level |
4 |
|
Example |
QOS/4/QOS_AUTHCAR_APPLYUSER_FAIL: -MAC=1111-2222-3333-IP=192.168.1.2-SVLAN=100-VPN=”N/A”-Port=GigabitEthernet5/1/5; Failed to apply the authorized CAR to the user. Reason: The resources are insufficient. |
|
Explanation |
A DAE client failed to perform one of the following actions: · Apply an authorized CAR policy when a user came online. · Modify an authorized CAR policy for an online user. |
|
Recommended action |
Modify the CAR policy settings. |
QOS_CAR_APPLYUSER_FAIL
|
Message text |
[STRING]; Failed to apply the [STRING] CAR in [STRING] profile [STRING] to the user. Reason: [STRING]. |
|
Variable fields |
$1: User identity. $2: Application direction. $3: Profile type. $4: Profile name. $5: Failure cause. |
|
Severity level |
4 |
|
Example |
QOS/4/QOS_CAR_APPLYUSER_FAIL: -MAC=1111-2222-3333-IP=192.168.1.2-SVLAN=100-VPN=”N/A”-Port=GigabitEthernet5/1/5; Failed to apply the inbound CAR in user profile a to the user. Reason: The resources are insufficient. |
|
Explanation |
The system failed to perform one of the following actions: · Apply a CAR policy when a user went online. · Modify a configured CAR policy or configure a new CAR policy when a user is online. |
|
Recommended action |
Delete the CAR policy from the profile or modify the parameters of the CAR policy. |
QOS_CBWFQ_REMOVED
|
Message text |
CBWFQ is removed from [STRING]. |
|
Variable fields |
$1: Interface name. |
|
Severity level |
3 |
|
Example |
QOS/3/QOS_CBWFQ_REMOVED: CBWFQ is removed from GigabitEthernet4/0/1. |
|
Explanation |
CBWFQ was removed from an interface because the maximum bandwidth or speed configured on the interface was below the bandwidth or speed required for CBWFQ. |
|
Recommended action |
Increase the bandwidth or speed and apply the removed CBWFQ again. |
QOS_GTS_APPLYUSER_FAIL
|
Message text |
[STRING]; Failed to apply GTS in user profile [STRING] to the user. Reason: [STRING]. |
|
Variable fields |
$1: User identity. $2: User profile name. $3: Failure cause. |
|
Severity level |
4 |
|
Example |
QOS/4/QOS_GTS_APPLYUSER_FAIL: -MAC=1111-2222-3333-IP=192.168.1.2/16-CVLAN=100-Port=GigabitEthernet5/1/5; Failed to apply GTS in user profile a to the user. Reason: The resources are insufficient. |
|
Explanation |
The system failed to perform one of the following actions: · Apply a GTS action when a user went online. · Modify a configured GTS action or configure a new GTS action when a user is online. |
|
Recommended action |
Delete the GTS action from the user profile or modify the parameters of the GTS action. |
QOS_NOT_ENOUGH_BANDWIDTH
|
Message text |
Policy [STRING] requested bandwidth [UINT32](kbps). Only [UINT32](kbps) is available on [STRING]. |
|
Variable fields |
$1: Policy name. $2: Required bandwidth for CBWFQ. $3: Available bandwidth on an interface. $4: Interface name. |
|
Severity level |
3 |
|
Example |
QOS/3/QOS_NOT_ENOUGH_BANDWIDTH: Policy d requested bandwidth 10000(kbps). Only 80(kbps) is available on GigabitEthernet4/0/1. |
|
Explanation |
Configuring CBWFQ on an interface failed because the maximum bandwidth on the interface was less than the bandwidth required for CBWFQ. |
|
Recommended action |
Increase the maximum bandwidth configured for the interface or set lower bandwidth required for CBWFQ. |
QOS_POLICY_APPLYCOPP_CBFAIL
|
Message text |
Failed to apply classifier-behavior [STRING] in policy [STRING] to the [STRING] direction of control plane slot [UINT32]. [STRING]. |
|
Variable fields |
$1: Name of a classifier-behavior association. $2: Policy name. $3: Application direction. $4: Slot number. $5: Failure cause. |
|
Severity level |
4 |
|
Example |
QOS/4/QOS_POLICY_APPLYCOPP_CBFAIL: Failed to apply classifier-behavior d in policy b to the inbound direction of control plane slot 3. The behavior is empty. |
|
Explanation |
The system failed to perform one of the following actions: · Apply a classifier-behavior association to a specific direction of a control plane. · Update a classifier-behavior association applied to a specific direction of a control plane. |
|
Recommended action |
Modify the configuration of the QoS policy according to the failure cause. |
QOS_POLICY_APPLYCOPP_FAIL
|
Message text |
Failed to apply or refresh QoS policy [STRING] to the [STRING] direction of control plane slot [UINT32]. [STRING]. |
|
Variable fields |
$1: Policy name. $2: Traffic direction. $3: Slot number. $4: Failure cause. |
|
Severity level |
4 |
|
Example |
QOS/4/QOS_POLICY_APPLYCOPP_FAIL: Failed to apply or refresh QoS policy b to the inbound direction of control plane slot 3. The operation is not supported. |
|
Explanation |
The system failed to perform one of the following actions: · Apply a QoS policy to a specific direction of a control plane. · Update a QoS policy applied to a specific direction of a control plane. |
|
Recommended action |
Modify the configuration of the QoS policy according to the failure cause. |
QOS_POLICY_APPLYGLOBAL_CBFAIL
|
Message text |
Failed to apply classifier-behavior [STRING] in policy [STRING] to the [STRING] direction globally. [STRING]. |
|
Variable fields |
$1: Name of a classifier-behavior association. $2: Policy name. $3: Traffic direction. $4: Failure cause. |
|
Severity level |
4 |
|
Example |
QOS/4/QOS_POLICY_APPLYGLOBAL_CBFAIL: Failed to apply classifier-behavior a in policy b to the outbound direction globally. The behavior is empty. |
|
Explanation |
The system failed to perform one of the following actions: · Apply a classifier-behavior association to a specific direction globally. · Update a classifier-behavior association applied to a specific direction globally. |
|
Recommended action |
Modify the configuration of the QoS policy according to the failure cause. |
QOS_POLICY_APPLYGLOBAL_FAIL
|
Message text |
Failed to apply or refresh QoS policy [STRING] to the [STRING] direction globally. [STRING]. |
|
Variable fields |
$1: Policy name. $2: Traffic direction. $3: Failure cause. |
|
Severity level |
4 |
|
Example |
QOS/4/QOS_POLICY_APPLYGLOBAL_FAIL: Failed to apply or refresh QoS policy b to the inbound direction globally. The operation is not supported. |
|
Explanation |
The system failed to perform one of the following actions: · Apply a QoS policy to a specific direction globally. · Update a QoS policy applied to a specific direction globally. |
|
Recommended action |
Modify the configuration of the QoS policy according to the failure cause. |
QOS_POLICY_APPLYIF_CBFAIL
|
Message text |
Failed to apply classifier-behavior [STRING] in policy [STRING] to the [STRING] direction of interface [STRING]. [STRING]. |
|
Variable fields |
$1: Name of a classifier-behavior association. $2: Policy name. $3: Traffic direction. $4: Interface name. $5: Failure cause. |
|
Severity level |
4 |
|
Example |
QOS/4/QOS_POLICY_APPLYIF_CBFAIL: Failed to apply classifier-behavior b in policy b to the inbound direction of interface Ethernet3/1/2. The behavior is empty. |
|
Explanation |
The system failed to perform one of the following actions: · Apply a classifier-behavior association to a specific direction of an interface. · Update a classifier-behavior association applied to a specific direction of an interface. |
|
Recommended action |
Modify the configuration of the QoS policy according to the failure cause. |
QOS_POLICY_APPLYIF_FAIL
|
Message text |
Failed to apply or refresh QoS policy [STRING] to the [STRING] direction of interface [STRING]. [STRING]. |
|
Variable fields |
$1: Policy name. $2: Traffic direction. $3: Interface name. $4: Failure cause. |
|
Severity level |
4 |
|
Example |
QOS/4/QOS_POLICY_APPLYIF_FAIL: Failed to apply or refresh QoS policy b to the inbound direction of interface Ethernet3/1/2. The operation is not supported. |
|
Explanation |
The system failed to perform one of the following actions: · Apply a QoS policy to a specific direction of an interface. · Update a QoS policy applied to a specific direction of an interface. |
|
Recommended action |
Modify the configuration of the QoS policy according to the failure cause. |
QOS_POLICY_APPLYUSER_FAIL
|
Message text |
[STRING]; Failed to apply the [STRING] QoS policy [STRING] in user profile [STRING] to the user.Reason: [STRING]. |
|
Variable fields |
$1: User identity. $2: Application direction. $3: QoS policy name. $4: User profile name. $5: Failure cause. |
|
Severity level |
4 |
|
Example |
QOS/4/QOS_POLICY_APPLYUSER_FAIL: -MAC=1111-2222-3333-IP=192.168.1.2/16-CVLAN=100-Port=GigabitEthernet5/1/5; Failed to apply the inbound QoS policy p in user profile a to the user.Reason: The QoS policy is not supported. |
|
Explanation |
The system failed to perform one of the following actions: · Issue the settings of a QoS policy when a user went online. · Modify an applied QoS policy or apply a new QoS policy when a user is online. |
|
Recommended action |
Remove the QoS policy from the user profile or modify the parameters of the QoS policy. |
QOS_POLICY_APPLYVLAN_CBFAIL
|
Message text |
Failed to apply classifier-behavior [STRING] in policy [STRING] to the [STRING] direction of VLAN [UINT32]. [STRING]. |
|
Variable fields |
$1: Name of a classifier-behavior association. $2: Policy name. $3: Application direction. $4: VLAN ID. $5: Failure cause. |
|
Severity level |
4 |
|
Example |
QOS/4/QOS_POLICY_APPLYVLAN_CBFAIL: Failed to apply classifier-behavior b in policy b to the inbound direction of VLAN 2. The behavior is empty. |
|
Explanation |
The system failed to perform one of the following actions: · Apply a classifier-behavior association to a specific direction of a VLAN. · Update a classifier-behavior association applied to a specific direction of a VLAN. |
|
Recommended action |
Modify the configuration of the QoS policy according to the failure cause. |
QOS_POLICY_APPLYVLAN_FAIL
|
Message text |
Failed to apply or refresh QoS policy [STRING] to the [STRING] direction of VLAN [UINT32]. [STRING]. |
|
Variable fields |
$1: Policy name. $2: Application direction. $3: VLAN ID. $4: Failure cause. |
|
Severity level |
4 |
|
Example |
QOS/4/QOS_POLICY_APPLYVLAN_FAIL: Failed to apply or refresh QoS policy b to the inbound direction of VLAN 2. The operation is not supported. |
|
Explanation |
The system failed to perform one of the following actions: · Apply a QoS policy to a specific direction of a VLAN. · Update a QoS policy applied to a specific direction of a VLAN. |
|
Recommended action |
Modify the configuration of the QoS policy according to the failure cause. |
QOS_QMPROFILE_APPLYUSER_FAIL
|
Message text |
[STRING]; Failed to apply queue management profile [STRING] in session group profile [STRING] to the user. Reason: [STRING]. |
|
Variable fields |
$1: User identity. $2: Queue scheduling profile name. $3: Session group profile name. $4: Failure cause. |
|
Severity level |
4 |
|
Example |
QOS/4/QOS_QMPROFILE_APPLYUSER_FAIL: -MAC=1111-2222-3333-IP=192.168.1.2/16-SVLAN=100-Port=GigabitEthernet5/1/5; Failed to apply queue management profile b in session group profile a to the user. Reason: The QMProfile is not supported. |
|
Explanation |
The system failed to perform one of the following actions: · Issue the settings of a queue scheduling profile when a user went online. · Modify an applied queue scheduling profile or apply a new queue scheduling profile when a user is online. |
|
Recommended action |
Remove the queue scheduling profile from the session group profile or modify the parameters of the queue scheduling profile. |
QOS_QMPROFILE_MODIFYQUEUE_FAIL
|
Message text |
Failed to configure queue [UINT32] in queue management profile [STRING]. [STRING]. |
|
Variable fields |
$1: Queue ID. $2: Profile name. $3: Failure cause. |
|
Severity level |
4 |
|
Example |
QOS/4/QOS_QMPROFILE_MODIFYQUEUE_FAIL: Failed to configure queue 1 in queue management profile myqueue. The value is out of range. |
|
Explanation |
The system failed to modify a queue in a queue scheduling profile successfully applied to an interface because the new parameter was beyond port capabilities. |
|
Recommended action |
Remove the queue scheduling profile from the interface, and then modify the parameters for the queue. |
QOS_POLICY_REMOVE
|
Message text |
QoS policy [STRING] failed to be applied to [STRING]. |
|
Variable fields |
$1: QoS policy name. $2: A hub-spoke tunnel on a tunnel interface. |
|
Severity level |
4 |
|
Example |
QOS/4/QOS_POLICY_REMOVE: QoS policy p1 failed to be applied to ADVPN session Tunnel1 192.168.0.3. |
|
Explanation |
This message is generated when a QoS policy applied to a hub-spoke tunnel on a tunnel interface failed to be modified. |
|
Recommended action |
Check the configuration according to the failure cause. |
QOS_POLICY_ACTIVATE
|
Message text |
QoS policy [STRING] was successfully applied to [STRING]. |
|
Variable fields |
$1: QoS policy name. $2: A hub-spoke tunnel on a tunnel interface. |
|
Severity level |
4 |
|
Example |
QOS/4/QOS_POLICY_ACTIVATE: QoS policy p1 was successfully applied to ADVPN session Tunnel1 192.168.0.3. |
|
Explanation |
This message is generated when a QoS policy applied to a hub-spoke tunnel on a tunnel interface is successfully modified. |
|
Recommended action |
No action is required. |
RADIUS messages
This section contains RADIUS messages.
RADIUS_AUTH_FAILURE
|
Message text |
User [STRING] from [STRING] failed authentication. |
|
Variable fields |
$1: Username. $2: IP address. |
|
Severity level |
5 |
|
Example |
RADIUS/5/RADIUS_AUTH_FAILURE: User abc@system from 192.168.0.22 failed authentication. |
|
Explanation |
An authentication request was rejected by the RADIUS server. |
|
Recommended action |
No action is required. |
RADIUS_AUTH_SUCCESS
|
Message text |
User [STRING] from [STRING] was authenticated successfully. |
|
Variable fields |
$1: Username. $2: IP address. |
|
Severity level |
6 |
|
Example |
RADIUS/6/RADIUS_AUTH_SUCCESS: User abc@system from 192.168.0.22 was authenticated successfully. |
|
Explanation |
An authentication request was accepted by the RADIUS server. |
|
Recommended action |
No action is required. |
RADIUS_DELETE_HOST_FAIL
|
Message text |
Failed to delete servers in scheme [STRING]. |
|
Variable fields |
$1: Scheme name. |
|
Severity level |
4 |
|
Example |
RADIUS/4/RADIUS_DELETE_HOST_FAIL: Failed to delete servers in scheme abc. |
|
Explanation |
Failed to delete servers from a RADIUS scheme. |
|
Recommended action |
No action is required. |
RIP messages
This section contains RIP messages.
RIP_MEM_ALERT
|
Message text |
RIP Process received system memory alert [STRING] event. |
|
Variable fields |
$1: Type of the memory alarm. |
|
Severity level |
5 |
|
Example |
RIP/5/RIP_MEM_ALERT: RIP Process received system memory alert start event. |
|
Explanation |
RIP received a memory alarm. |
|
Recommended action |
Check the system memory and release memory for the modules that occupy too many memory resources. |
RIP_RT_LMT
|
Message text |
RIP [UINT32] Route limit reached |
|
Variable fields |
$1: Process ID. |
|
Severity level |
6 |
|
Example |
RIP/6/RIP_RT_LMT: RIP 1 Route limit reached. |
|
Explanation |
The number of routes of a RIP process reached the upper limit. |
|
Recommended action |
216. Check for network attacks. 217. Reduce the number of routes. |
RIPNG messages
This section contains RIPng messages.
RIPNG_MEM_ALERT
|
Message text |
RIPng Process received system memory alert [STRING] event. |
|
Variable fields |
$1: Type of the memory alarm. |
|
Severity level |
5 |
|
Example |
RIPNG/5/RIPNG_MEM_ALERT: RIPNG Process received system memory alert start event. |
|
Explanation |
RIPng received a memory alarm. |
|
Recommended action |
Check the system memory and release memory for the modules that occupy too many memory resources. |
RIPNG_RT_LMT
|
Message text |
RIPng [UINT32] Route limit reached |
|
Variable fields |
$1: Process ID |
|
Severity level |
6 |
|
Example |
RIPNG/6/RIPNG_RT_LMT: RIPng 1 Route limit reached. |
|
Explanation |
The number of routes of a RIPng process reached the upper limit. |
|
Recommended action |
218. Check for network attacks. 219. Reduce the number of routes. |
RM messages
This section contains RM messages.
RM_ACRT_REACH_LIMIT
|
Message text |
Max active [STRING] routes [UINT32] reached in URT of [STRING] |
|
Variable fields |
$1: IPv4 or IPv6. $2: Maximum number of active routes. $3: VPN instance name. |
|
Severity level |
4 |
|
Example |
RM/4/RM_ACRT_REACH_LIMIT: Max active IPv4 routes 100000 reached in URT of VPN1 |
|
Explanation |
The number of active routes reached the upper limit in the unicast routing table of a VPN instance. |
|
Recommended action |
Remove unused active routes. |
RM_ACRT_REACH_THRESVALUE
|
Message text |
Threshold value [UINT32] of max active [STRING] routes reached in URT of [STRING] |
|
Variable fields |
$1: Threshold of the maximum number of active routes in percentage. $2: IPv4 or IPv6. $3: VPN instance name. |
|
Severity level |
4 |
|
Example |
RM/4/RM_ACRT_REACH_THRESVALUE: Threshold value 50% of max active IPv4 routes reached in URT of vpn1 |
|
Explanation |
The percentage of the maximum number of active routes was reached in the unicast routing table of a VPN instance. |
|
Recommended action |
Modify the threshold value or the route limit configuration. |
RM_THRESHLD_VALUE_REACH
|
Message text |
Threshold value [UINT32] of active [STRING] routes reached in URT of [STRING] |
|
Variable fields |
$1: Maximum number of active routes. $2: IPv4 or IPv6. $3: VPN instance name. |
|
Severity level |
4 |
|
Example |
RM/4/RM_THRESHLD_VALUE_REACH: Threshold value 10000 of active IPv4 routes reached in URT of vpn1 |
|
Explanation |
The number of active routes reached the threshold in the unicast routing table of a VPN instance. |
|
Recommended action |
Modify the route limit configuration. |
RRM messages
This section contains RRM messages.
RRM_LOG_ADJUSTCHANNEL
|
Message text |
Channel of radio [UINT32] on AP [STRING] changed from [UINT16] to [UINT16]. |
|
Variable fields |
$1: Radio ID. $2: AP name. $3: Old channel ID. $4: New channel ID. |
|
Severity level |
6 |
|
Example |
RRM/6/RRM_LOG_ADJUSTCHANNEL: Channel of radio 1 on AP ap2 changed from 149 to 52. |
|
Explanation |
The working channel of the radio changed. |
|
Recommended action |
No action is required. |
RTM messages
This section contains RTM messages.
RTM_TCL_NOT_EXIST
|
Message text |
Failed to execute Tcl-defined policy [STRING] because the policy's Tcl script file was not found. |
|
Variable fields |
$1: Name of a Tcl-defined policy. |
|
Severity level |
4 |
|
Example |
RTM/4/RTM_TCL_NOT_EXIST: Failed to execute Tcl-defined policy aaa because the policy's Tcl script file was not found. |
|
Explanation |
The system did not find the Tcl script file for the policy while executing the policy. |
|
Recommended action |
220. Verify that the Tcl script file exists. 221. Reconfigure the policy. |
RTM_TCL_MODIFY
|
Message text |
Failed to execute Tcl-defined policy [STRING] because the policy's Tcl script file had been modified. |
|
Variable fields |
$1: Name of a Tcl-defined policy. |
|
Severity level |
4 |
|
Example |
RTM/4/RTM_TCL_MODIFY: Failed to execute Tcl-defined policy aaa because the policy's Tcl script file had been modified. |
|
Explanation |
The Tcl script file for the policy was modified. |
|
Recommended action |
Reconfigure the policy, or modify the Tcl script to be the same as it was when it was bound with the policy. |
RTM_TCL_LOAD_FAILED
|
Message text |
Failed to load the Tcl script file of policy [STRING]. |
|
Variable fields |
$1: Name of a Tcl-defined policy. |
|
Severity level |
4 |
|
Example |
RTM/4/RTM_TCL_LOAD_FAILED: Failed to load the Tcl script file of policy [STRING]. |
|
Explanation |
The system failed to load the Tcl script file for the policy to memory. |
|
Recommended action |
No action is required. |
SCM messages
This section contains SCM messages.
PROCESS_ABNORMAL
|
Message text |
The process [STRING] exited abnormally. |
|
Variable fields |
$1: Process name. |
|
Severity level |
5 |
|
Example |
SCM/5/PROCESS_ABNORMAL: The process devd exited abnormally. |
|
Explanation |
A service exited abnormally. |
|
Recommended action |
222. Use the display process command to identify whether the process exists. If the process exists, the process is recovered. 223. If the process is not recovered, collect the following information: 224. Execute the view /var/log/trace.log > trace.log command in probe view, and upload the trace.log file saved in the storage media of the device to the server through FTP or TFTP (in binary mode). 225. Execute the display process log command to display process information. If the core field displays Y, the core file was generated when the process exited. 226. Execute the display exception context command to collect process exception information, and save the information. Then, execute the display exception filepath command to display core file path and upload the core file and the file that save the process exception information through FTP or TFTP (in binary mode). 227. Send the files to H3C Support. 228. If the process has been recovered, but reasons need to be located, go to step 223. |
PROCESS_ACTIVEFAILED
|
Message text |
The standby process [STRING] failed to switch to the active process due to uncompleted synchronization, and was restarted. |
|
Variable fields |
$1: Process name. |
|
Severity level |
4 |
|
Example |
SCM/4/PROCESS_ACTIVEFAILED: The standby process [STRING] failed to switch to the active process due to uncompleted synchronization, and was restarted. |
|
Explanation |
The standby process failed to switch to the active process because the active process exited abnormally when the standby process has not completed synchronization. The standby process was restarted. |
|
Recommended action |
No action is required. |
SCM_ABNORMAL_REBOOT
|
Message text |
The process [STRING] can't be restored. Reboot now. (Centralized devices.) The process [STRING] can't be restored. Reboot [STRING] now. (Centralized IRF devices.) (Distributed devices in standalone mode.) (Distributed devices in IRF mode.) |
|
Variable fields |
$1: Process name. $2: Slot ID in the slot xx format. (Distributed devices in standalone mode.) $2: Member ID in the slot xx format. (Centralized IRF devices.) $2: Member ID and slot ID in the chassis xx slot xx format. (Distributed devices in IRF mode.) |
|
Severity level |
3 |
|
Example |
SCM/3/SCM_ABNORMAL_REBOOT: The process ipbased can't be restored. Reboot slot 2 now. (Distributed devices in standalone mode.) (Centralized IRF devices.) |
|
Explanation |
While the device was rebooting, the specified process quitted abnormally and failed to recover after multiple automatic restart attempts. The device will reboot automatically. (Centralized devices.) While the specified slot was rebooting, the specified process quitted abnormally and failed to recover after multiple automatic restart attempts. The slot will restart automatically. (Centralized IRF devices.) (Distributed devices in standalone mode.) (Distributed devices in IRF mode.) |
|
Recommended action |
229. After the device starts up, use the display process command to verify that the process has recovered. (Centralized devices.) 230. After the slot starts up, use the display process command to verify that the process has recovered. (Centralized IRF devices.) (Distributed devices in standalone mode.) (Distributed devices in IRF mode.) 231. If the problem persists, contact H3C Support. |
SCM_ABNORMAL_REBOOTMDC
|
Message text |
The process [STRING] in [STRING] [UINT16] can't be restored. Reboot [STRING] [UINT16] now. |
|
Variable fields |
$1: Process name. $2: Device type, MDC or context. $3: ID of the MDC or context. $4: Device type, MDC or context. $5: ID of the MDC or context. |
|
Severity level |
3 |
|
Example |
SCM/3/SCM_ABNORMAL_REBOOTMDC: The process ipbased in MDC 2 can't be restored. Reboot MDC 2 now. |
|
Explanation |
The process exited abnormally during the startup of the MDC on the active MPU or the context on the main security engine in the security engine group. If the process cannot restore after multiple automatic restart attempts, the MDC or context will restart automatically. This message will be output in MDC 1 or Context 1. |
|
Recommended action |
232. Use the display process command to verify that the process has restored after the card restarts. 233. If the problem persists, contact H3C Support. |
SCM_ABORT_RESTORE
|
Message text |
|
|
Variable fields |
$1: Process name. |
|
Severity level |
3 |
|
Example |
SCM/3/SCM_ABORT_RESTORE: The process ipbased can't be restored, abort it. |
|
Explanation |
The process exited abnormally during the system operation. If the process cannot restore after multiple automatic restart attempts, the device will not restore the process. |
|
Recommended action |
234. Use the display process log command in any view to display the details about process exit. 235. Restart the card or the MDC where the process is located. 236. Provide the output from the display process log command to H3C Support. |
SCM_INSMOD_ADDON_TOOLONG
|
Message text |
Failed to finish loading [STRING] in [UINT32] minutes. |
|
Variable fields |
$1: Kernel file name. $2: File loading duration. |
|
Severity level |
4 |
|
Example |
SCM/4/SCM_INSMOD_ADDON_TOOLONG: Failed to finish loading addon.ko in 30 minutes. |
|
Explanation |
Kernel file loading timed out during device startup. |
|
Recommended action |
237. Restart the card. 238. Contact H3C Support. |
SCM_KERNEL_INIT_TOOLONG
|
Message text |
Kernel init in sequence [STRING] function [STRING] failed to finish in [UINT32] minutes. |
|
Variable fields |
$1: Kernel event phase. $2: Address of the function corresponding to the kernel event. $3: Time duration. |
|
Severity level |
4 |
|
Example |
SCM/4/SCM_KERNEL_INIT_TOOLONG: Kernel init in sequence 0x25e7 function 0x6645ffe2 failed to finish in 15 minutes. |
|
Explanation |
A function at a phase during kernel initialization ran too long. |
|
Recommended action |
239. Restart the card. 240. Contact H3C Support. |
SCM_PROCESS_STARTING_TOOLONG
|
Message text |
The process [STRING] on [STRING] [UINT16] has not finished starting in [UINT32] hours. |
|
Variable fields |
$1: Process name. $2: Device type, MDC or context. This field is not displayed on devices that do not support MDCs or contexts. $3: ID of the MDC or context. This field is not displayed on devices that do not support MDCs or contexts. $4: Time duration. |
|
Severity level |
4 |
|
Example |
SCM/4/ SCM_PROCESS_STARTING_TOOLONG: The process ipbased on MDC 2 has not finished starting in 1 hours. |
|
Explanation |
The process initialization takes a long time and has not been finished. Too many processes have been configured or the process is abnormal. |
|
Recommended action |
241. Wait 6 hours and then verify that the process has been started. 242. Restart the card/MDC/context, and then use the display process command to verify that the process has restored. 243. Contact H3C Support. |
SCM_PROCESS_STILL_STARTING
|
Message text |
The process [STRING] on [STRING] [UINT16] is still starting for [UINT32] minutes. |
|
Variable fields |
$1: Process name. $2: Device type, MDC or context. This field is not displayed on devices that do not support MDCs or contexts. $3: ID of the MDC or context. This field is not displayed on devices that do not support MDCs or contexts. $4: Time duration. |
|
Severity level |
6 |
|
Example |
SCM/6/SCM_PROCESS_STILL_STARTING: The process ipbased on MDC 2 is still starting for 20 minutes. |
|
Explanation |
A process is always in startup state. |
|
Recommended action |
No action is required. |
SCM_SKIP_PROCESS
|
Message text |
The process [STRING] was skipped because it failed to start within 6 hours. |
|
Variable fields |
$1: Process name. |
|
Severity level |
4 |
|
Example |
SCM/4/SCM_SKIP_PROCESS: The process ipbased was skipped because it failed to start within 6 hours. |
|
Explanation |
A process has not completed its startup within six hours during the card/MDC/context startup, skip this process and go on with the startup. |
|
Recommended action |
244. Restart the card/MDC/context. 245. Use the display process command to verify that the process has restored. 246. Provide the output from the display process log command to H3C Support. |
SCM_SKIP_PROCESS
|
Message text |
The process [STRING] on [STRING] [UINT16] was skipped because it failed to start within 6 hours. |
|
Variable fields |
$1: Process name. $2: Device type, MDC or context. This field is not displayed on devices that do not support MDCs or contexts. $3: ID of the MDC or context. This field is not displayed on devices that do not support MDCs or contexts. |
|
Severity level |
3 |
|
Example |
SCM/3/SCM_SKIP_PROCESS: The process ipbased on MDC 2 was skipped because it failed to start within 6 hours. |
|
Explanation |
A process failed to start within 6 hours. The device will skip this process and continue to start. |
|
Recommended action |
247. Restart the card/MDC/context, and then use the display process command to verify that the process has restored. 248. Contact H3C Support. |
SecDiag
This section contains security diagnosis messages.
MONITOR_CONCURRENCY_EXCEED
|
Message text |
Number of concurrent sessions reached the threshold [STRING] on [STRING] |
|
Variable fields |
$1: Threshold for the number of concurrent sessions. $2: Slot ID in the slot xx cpu xx format. If only one CPU is available, the cpu xx section is not displayed. (Distributed devices in standalone mode.) $2: Slot ID in the slot xx cpu xx format. If only one CPU is available, the cpu xx section is not displayed. (Centralized IRF devices.) $2: Chassis ID and slot ID in the chassis xx slot xx cpu xx format. If only one CPU is available, the cpu xx section is not displayed. (Distributed devices in IRF mode.) |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_CONCURRENCY_EXCEED: Number of concurrent sessions reached the threshold 3000 on slot 1. (Distributed devices in standalone mode.) (Centralized IRF devices.) |
|
Explanation |
The number of concurrent sessions exceeded the configured threshold. |
|
Recommended action |
Decrease the number of concurrent sessions or add new devices to share the load. |
MONITOR_CONCURRENCY_BELOW
|
Message text |
Number of concurrent sessions dropped below the threshold on [STRING]. |
|
Variable fields |
$1: Slot ID in the slot xx cpu xx format. If only one CPU is available, the cpu xx section is not displayed. (Distributed devices in standalone mode.) $1: Slot ID in the slot xx cpu xx format. If only one CPU is available, the cpu xx section is not displayed. (Centralized IRF devices.) $1: Chassis ID and slot ID in the chassis xx slot xx cpu xx format. If only one CPU is available, the cpu xx section is not displayed. (Distributed devices in IRF mode.) |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_CONCURRENCY_BELOW:Session Number of concurrent sessions dropped below the threshold on slot 3 CPU 1. (Distributed devices in standalone mode.) (Centralized IRF devices.) |
|
Explanation |
The number of concurrent sessions decreased below the configured threshold. |
|
Recommended action |
No action is required. |
MONITOR_CONNECTION_EXCEED
|
Message text |
Session establishment rate reached the threshold [STRING] on [STRING]. |
|
Variable fields |
$1: Session establishment rate threshold. $2: Slot ID in the slot xx cpu xx format. If only one CPU is available, the cpu xx section is not displayed. (Distributed devices in standalone mode.) $2: Slot ID in the slot xx cpu xx format. If only one CPU is available, the cpu xx section is not displayed. (Centralized IRF devices.) $2: Chassis ID and slot ID in the chassis xx slot xx cpu xx format. If only one CPU is available, the cpu xx section is not displayed. (Distributed devices in IRF mode.) |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_CONNECTION_EXCEED: Session establishment rate reached the threshold 600 on slot 3 CPU 1. (Distributed devices in standalone mode.) (Centralized IRF devices.) |
|
Explanation |
The session establishment rate exceeded the configured threshold. |
|
Recommended action |
Decrease the session establishment rate or add new devices to share the load. |
MONITOR_CONNECTION_BELOW
|
Message text |
Session establishment rate dropped below the threshold on [STRING]. |
|
Variable fields |
$1: Slot ID in the slot xx cpu xx format. If only one CPU is available, the cpu xx section is not displayed. (Distributed devices in standalone mode.) $1: Slot ID in the slot xx cpu xx format. If only one CPU is available, the cpu xx section is not displayed. (Centralized IRF devices.) $1: Chassis ID and slot ID in the chassis xx slot xx cpu xx format. If only one CPU is available, the cpu xx section is not displayed. (Distributed devices in IRF mode.) |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_CONNECTION_BELOW: Session establishment rate dropped below the threshold on slot 3 CPU 1. (Distributed devices in standalone mode.) (Centralized IRF devices.) |
|
Explanation |
The session establishment rate decreased below the configured threshold. |
|
Recommended action |
No action is required. |
MONITOR_SECP_IPV4_EXCEED
|
Message text |
Number of IPv4 security policy rules reached the threshold [STRING]. |
|
Variable fields |
$1: IPv4 security policy rule threshold. |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_SECP_IPV4_EXCEED: Number of IPv4 security policy rules reached the threshold 500. |
|
Explanation |
The number of IPv4 security policy rules exceeded the configured threshold. |
|
Recommended action |
Decrease the number of IPv4 security policy rules or add new devices to provide higher rule capacity. |
MONITOR_SECP_IPV4_BELOW
|
Message text |
Number of IPv4 security policy rules dropped below the threshold. |
|
Variable fields |
N/A |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_SECP_IPV4_BELOW: Number of IPv4 security policy rules dropped below the threshold. |
|
Explanation |
The number of IPv4 security policy rules decreased below the configured threshold. |
|
Recommended action |
No action is required. |
MONITOR_SECP_IPV6_EXCEED
|
Message text |
Number of IPv6 security policy rules reached the threshold [STRING]. |
|
Variable fields |
$1: IPv6 security policy rule threshold. |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_SECP_IPV6_EXCEED: Number of IPv6 security policy rules reached the threshold 200. |
|
Explanation |
The number of IPv6 security policy rules exceeded the configured threshold. |
|
Recommended action |
Decrease the number of IPv6 security policy rules or add new devices to provide higher rule capacity. |
MONITOR_SECP_IPV6_BELOW
|
Message text |
Number of IPv6 security policy rules dropped below the threshold. |
|
Variable fields |
N/A |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_SECP_IPV6_BELOW: Number of IPv6 security policy rules dropped below the threshold. |
|
Explanation |
The number of IPv6 security policy rules decreased below the configured threshold. |
|
Recommended action |
No action is required. |
MONITOR_CONTEXT_EXCEED
|
Message text |
Number of contexts reached the threshold [STRING]. |
|
Variable fields |
$1: Context usage threshold. |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_CONTEXT_EXCEED: Number of contexts reached the threshold 60. |
|
Explanation |
The number of contexts exceeded the configured threshold. |
|
Recommended action |
Decrease the number of contexts or add new devices to share the load. |
MONITOR_CONTEXT_BELOW
|
Message text |
Number of created contexts dropped below the threshold. |
|
Variable fields |
N/A |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_CONTEXT_BELOW: Number of created contexts dropped below the threshold. |
|
Explanation |
The number of contexts decreased below the configured threshold. |
|
Recommended action |
No action is required. |
MONITOR_NAT_EXCEED
|
Message text |
Number of NAT server mappings and static NAT mappings reached the threshold [STRING]. |
|
Variable fields |
$1: NAT mapping threshold. |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_NAT_EXCEED: Number of NAT server mappings and static NAT mappings reached the threshold 200. |
|
Explanation |
The number of NAT mappings exceeded the configured threshold. |
|
Recommended action |
Decrease the number of NAT mappings or add new devices to provide higher NAT mapping capacity. |
MONITOR_NAT_BELOW
|
Message text |
Number of NAT server mappings and static NAT mappings dropped below the threshold. |
|
Variable fields |
N/A |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_NAT_BELOW: Number of NAT server mappings and static NAT mappings dropped below the threshold. |
|
Explanation |
The number of NAT mappings decreased below the configured threshold. |
|
Recommended action |
No action is required. |
MONITOR_BAGG_EXCEED
|
Message text |
Number of Layer 2 aggregate interfaces reached the threshold [STRING]. |
|
Variable fields |
$1: Layer 2 aggregate interface usage threshold. |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_BAGG_EXCEED: Number of Layer 2 aggregate interfaces reached the threshold 20. |
|
Explanation |
The number of Layer 2 aggregate interfaces exceeded the configured threshold. |
|
Recommended action |
Decrease the number of Layer 2 aggregate interfaces or add new devices to share the load. |
MONITOR_BAGG_BELOW
|
Message text |
Number of Layer 2 aggregate interfaces dropped below the threshold. |
|
Variable fields |
N/A |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_BAGG_BELOW: Number of Layer 2 aggregate interfaces dropped below the threshold. |
|
Explanation |
The number of Layer 2 aggregate interfaces decreased below the configured threshold. |
|
Recommended action |
No action is required. |
MONITOR_RAGG_EXCEED
|
Message text |
Number of Layer 3 aggregate interfaces reached the threshold [STRING]. |
|
Variable fields |
$1: Layer 3 aggregate interface usage threshold. |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_RAGG_EXCEED: Number of Layer 3 aggregate interfaces reached the threshold 10. |
|
Explanation |
The number of Layer 3 aggregate interfaces exceeded the configured threshold. |
|
Recommended action |
Decrease the number of Layer 3 aggregate interfaces or add new devices to share the load. |
MONITOR_RAGG_BELOW
|
Message text |
Number of Layer 3 aggregate interfaces dropped below the threshold. |
|
Variable fields |
N/A |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_RAGG_BELOW: Number of Layer 3 aggregate interfaces dropped below the threshold. |
|
Explanation |
The number of Layer 3 aggregate interfaces decreased below the configured threshold. |
|
Recommended action |
No action is required. |
MONITOR_BLADE_THROUGHPUT_EXCEED
|
Message text |
Total throughput of blade interfaces reached the threshold [STRING] on [STRING]. |
|
Variable fields |
$1: Inner interface throughput threshold. $2: Slot ID in the slot xx cpu xx format. If only one CPU is available, the cpu xx section is not displayed. (Distributed devices in standalone mode.) $2: Slot ID in the slot xx cpu xx format. If only one CPU is available, the cpu xx section is not displayed. (Centralized IRF devices.) $2: Chassis ID and slot ID in the chassis xx slot xx cpu xx format. If only one CPU is available, the cpu xx section is not displayed. (Distributed devices in IRF mode.) |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_BLADE_THROUGHPUT_EXCEED: Total throughput of blade interfaces reached the threshold 1500 on slot 3 CPU 1. (Distributed devices in standalone mode.) (Centralized IRF devices.) |
|
Explanation |
The inner interface throughput exceeded the configured threshold. |
|
Recommended action |
Decrease the inner interface throughput or add new devices to share the load. |
MONITOR_BLADE_THROUGHPUT_BELOW
|
Message text |
Total throughput of blade interfaces dropped below the threshold on [STRING]. |
|
Variable fields |
$1: Slot ID in the slot xx cpu xx format. If only one CPU is available, the cpu xx section is not displayed. (Distributed devices in standalone mode.) $1: Slot ID in the slot xx cpu xx format. If only one CPU is available, the cpu xx section is not displayed. (Centralized IRF devices.) $1: Chassis ID and slot ID in the chassis xx slot xx cpu xx format. If only one CPU is available, the cpu xx section is not displayed. (Distributed devices in IRF mode.) |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_BLADE_THROUGHPUT_BELOW: Total throughput of blade interfaces dropped below the threshold on slot 3 CPU 1. (Distributed devices in standalone mode.) (Centralized IRF devices.) |
|
Explanation |
The inner interface throughput decreased below the configured threshold. |
|
Recommended action |
No action is required. |
MONITOR_QACL_EXCEED
|
Message text |
QACL usage reached the threshold [STRING] on [STRING]: Total slices=[STRING], Remaining single slices=[STRING], Remaining double slices=[STRING], Remaining MQC entries=[STRING], Remaining OpenFlow entries=[STRING]. |
|
Variable fields |
$1: QACL resource usage threshold. $2: Slot ID in the slot xx cpu xx core xx format. (Distributed devices in standalone mode.) $2: Slot ID in the slot xx cpu xx core xx format. (Centralized IRF devices.) $2: Chassis ID and slot ID in the chassis xx slot xx cpu xx core xx format. (Distributed devices in IRF mode.) |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_QACL_EXCEED: QACL usage reached the threshold 80 on slot 5 CPU 1 core 2: Total slices=10. Remaining single slices=1. Remaining double slices=0. Remaining MQC entries=512. Remaining OpenFlow entries=256. (Distributed devices in standalone mode.) (Centralized IRF devices.) |
|
Explanation |
The QACL resource usage exceeded the configured threshold. |
|
Recommended action |
Decrease the QACL resource usage or add new devices to share the load. |
MONITOR_QACL_BELOW
|
Message text |
QACL usage dropped below the threshold on [STRING]. |
|
Variable fields |
$1: Slot ID in the slot xx cpu xx core xx format. (Distributed devices in standalone mode.) (Centralized IRF devices.) $1: Chassis ID and slot ID in the chassis xx slot xx cpu xx core xx format. (Distributed devices in IRF mode.) |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_QACL_BELOW: QACL usage dropped below the threshold on slot 5 CPU 1 core 2. (Distributed devices in standalone mode.) (Centralized IRF devices.) |
|
Explanation |
The QACL resource usage decreased below the configured threshold. |
|
Recommended action |
No action is required. |
MONITOR_BANDWIDTH_EXCEED
|
Message text |
Inbound traffic exceeded the total bandwidth usage threshold [STRING] Mbps. |
|
Variable fields |
$1: Inbound bandwidth usage threshold. |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_BANDWIDTH_EXCEED: Inbound traffic exceeded the total bandwidth usage threshold 100 Mbps |
|
Explanation |
The total inbound bandwidth was equal to or greater than the threshold within a period. |
|
Recommended action |
Decrease the total inbound traffic or add new devices to share the load. |
MONITOR_BANDWIDTH_BELOW
|
Message text |
Inbound traffic dropped below total bandwidth usage threshold. |
|
Variable fields |
N/A |
|
Severity level |
1 |
|
Example |
SECDIAG/1/MONITOR_BANDWIDTH_BELOW: Inbound traffic dropped below total bandwidth usage threshold. |
|
Explanation |
After the device sent bandwidth usage alarms, the total inbound bandwidth decreased below the inbound bandwidth usage threshold. |
|
Recommended action |
No action is required. |
SESSION messages
This section contains session messages.
SESSION_IPV4_FLOW
|
Message text |
Protocol(1001)=[STRING];Application(1002)=[STRING];SrcIPAddr(1003)=[IPADDR];SrcPort(1004)=[UINT16];NATSrcIPAddr(1005)=[IPADDR];NATSrcPort(1006)=[UINT16];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];NATDstIPAddr(1009)=[IPADDR];NATDstPort(1010)=[UINT16];UserName(1113)=[STRING];InitPktCount(1044)=[UINT32];InitByteCount(1046)=[UINT32];RplyPktCount(1045)=[UINT32];RplyByteCount(1047)=[UINT32];RcvVPNInstance(1042)=[STRING];SndVPNInstance(1043)=[STRING];RcvDSLiteTunnelPeer(1040)=[STRING];SndDSLiteTunnelPeer(1041)=[STRING];BeginTime_e(1013)=[STRING];EndTime_e(1014)=[STRING];Event(1048)=([UNIT16])[STRING]; |
|
Variable fields |
$1: Protocol type. $2: Application protocol name. $3: Source IP address. $4: Source port number. $5: Source IP address after translation. $6: Source port number after translation. $7: Destination IP address. $8: Destination port number. $9: Destination IP address after translation. $10: Destination port number after translation. $11: Name of the identity user. $12: Total number of inbound packets. $13: Total number of inbound bytes. $14: Total number of outbound packets. $15: Total number of outbound bytes. $16: Source VPN instance name. $17: Destination VPN instance name. $18: Source DS-Lite tunnel. $19: Destination DS-Lite tunnel. $20: Time when the session is created. $21: Time when the session is removed. $22: Event type. $23: Event description: ¡ Session created. ¡ Active flow threshold. ¡ Normal over. ¡ Aged for timeout. ¡ Aged for reset or config-change. ¡ Other. |
|
Severity level |
6 |
|
Example |
SESSION/6/SESSION_IPV4_FLOW:Protocol(1001)=UDP;Application(1002)=sip;SrcIPAddr(1003)=10.10.10.1;SrcPort(1004)=1024;NATSrcIPAddr(1005)=10.10.10.1;NATSrcPort(1006)=1024;DstIPAddr(1007)=20.20.20.1;DstPort(1008)=21;NATDstIPAddr(1009)=20.20.20.1;NATDstPort(1010)=21;UserName(1113)=abc;InitPktCount(1044)=1;InitByteCount(1046)=50;RplyPktCount(1045)=0;RplyByteCount(1047)=0;RcvVPNInstance(1042)=;SndVPNInstance(1043)=;RcvDSLiteTunnelPeer(1040)=;SndDSLiteTunnelPeer(1041)=;BeginTime_e(1013)=03182024082546;EndTime_e(1014)=;Event(1048)=(8)Session created; |
|
Explanation |
This message is sent in one of the following conditions: · An IPv4 session is created or removed. · Periodically during an IPv4 session. · The traffic-based or time-based threshold of an IPv4 session is reached. |
|
Recommended action |
No action is required. |
SESSION_IPV6_FLOW
|
Message text |
Protocol(1001)=[STRING];Application(1002)=[STRING];SrcIPv6Addr(1036)=[IPADDR];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];UserName(1113)=[STRING];InitPktCount(1044)=[UINT32];InitByteCount(1046)=[UINT32];RplyPktCount(1045)=[UINT32];RplyByteCount(1047)=[UINT32];RcvVPNInstance(1042)=[STRING];SndVPNInstance(1043)=[STRING];BeginTime_e(1013)=[STRING];EndTime_e(1014)=[STRING];Event(1048)=([UNIT16])[STRING]; |
|
Variable fields |
$1: Protocol type. $2: Application protocol name. $3: Source IPv6 address. $4: Source port number. $5: Destination IP address. $6: Destination port number. $7: Name of the identity user. $8: Total number of inbound packets. $9: Total number of inbound bytes. $10: Total number of outbound packets. $11: Total number of outbound bytes. $12: Source VPN instance name. $13: Destination VPN instance name. $14: Time when the session is created. $15: Time when the session is removed. $16: Event type. $17: Event description: ¡ Session created. ¡ Active flow threshold. ¡ Normal over. ¡ Aged for timeout. ¡ Aged for reset or config-change. ¡ Other. |
|
Severity level |
6 |
|
Example |
SESSION/6/SESSION_IPV6_FLOW: Protocol(1001)=UDP;Application(1002)=sip;SrcIPv6Addr(1036)=2001::2;SrcPort(1004)=1024;DstIPv6Addr(1037)=3001::2;DstPort(1008)=53;UserName(1113)=abc;InitPktCount(1044)=1;InitByteCount(1046)=110;RplyPktCount(1047)=0;RplyByteCount(1047)=0;RcvVPNInstance(1042)=;SndVPNInstance(1043)=;BeginTime_e(1013)=03182024082901;EndTime_e(1014)=;Event(1048)=(8)Session created; |
|
Explanation |
This message is sent in one of the following conditions: · An IPv6 session is created or removed. · Periodically during an IPv6 session. · The traffic-based or time-based threshold of an IPv6 session is reached. |
|
Recommended action |
No action is required. |
SESSION_IPV4_DNS
|
Message text |
SrcIPAddr(1003)=[IPADDR];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1041)=[STRING];DSLiteTunnelPeer(1040)=[STRING];DomainName(1076)=[STRING];Action(1049)=[STRING];Reason(1052)=[STRING]. |
|
Variable fields |
$1: Source IPv4 address. $2: Destination IPv4 address. $3: Source VPN instance name. $4: Source DS-Lite tunnel. $5: Domain name. $6: Action: ¡ Drop. ¡ None. $7: Reason for the failure: ¡ Invalid DNS domain name. ¡ Invalid DNS RR. ¡ Invalid DNS header flag. ¡ Invalid DNS header ID. |
|
Severity level |
6 |
|
Example |
SESSION/6/SESSION_IPV4_DNS: SrcIPAddr(1003)=10.10.10.1;DstIPAddr(1007)=20.20.20.1;RcvVPNInstance(1041)=;DSLiteTunnelPeer(1040)=;DomainName(1076)=dnsproxy_test.com;Action(1049)=Drop;Reason(1052)=Invalid DNS domain name. |
|
Explanation |
This message is sent when ASPF inspection for DNS fails. For this message to be sent, enable ALG logging for sessions. |
|
Recommended action |
No action is required. |
SESSION_IPV6_DNS
|
Message text |
SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1041)=[STRING];DomainName(1076)=[STRING];Action(1049)=[STRING];Reason(1052)= [STRING]. |
|
Variable fields |
$1: Source IPv6 address. $2: Destination IPv6 address. $3: Source VPN instance name. $4: Domain name. $5: Action: ¡ Drop. ¡ None. $6: Reason for the failure: ¡ Invalid DNS domain name. ¡ Invalid DNS RR. ¡ Invalid DNS header flag. ¡ Invalid DNS header ID. |
|
Severity level |
6 |
|
Example |
SESSION/6/SESSION_IPV6_DNS:SrcIPv6Addr(1036)=2001::2;DstIPv6Addr(1037)=3001::2;RcvVPNInstance(1042)=;DomainName(1043)=dnsproxy_test.com;Action(1013)=Drop;Reason(1014)=Invalid DNS domain name. |
|
Explanation |
This message is sent when ASPF inspection for DNS fails. For this message to be sent, enable ALG logging for sessions. |
|
Recommended action |
No action is required. |
SHELL messages
This section contains shell messages.
SHELL_CMD
|
Message text |
-Line=[STRING]-IPAddr=[STRING]-User=[STRING]; Command is [STRING] |
|
Variable fields |
$1: User line type and number. If there is not user line information, this field displays **. $2: IP address. If there is not IP address information, this field displays **. $3: Username. If there is not username information, this field displays **. $4: Command string. |
|
Severity level |
6 |
|
Example |
SHELL/6/SHELL_CMD: -Line=aux0-IPAddr=**-User=**; Command is quit |
|
Explanation |
A command was executed. |
|
Recommended action |
No action is required. |
SHELL_CMD_CONFIRM
|
Message text |
Confirm option of command [STRING] is [STRING]. |
|
Variable fields |
$1: Command string. $2: Confirm option. |
|
Severity level |
6 |
|
Example |
SHELL/6/SHELL_CMD_CONFIRM: Confirm option of command save is no. |
|
Explanation |
A user selected a confirmation option for a command. |
|
Recommended action |
No action is required. |
SHELL_CMD_EXECUTEFAIL
|
Message text |
-User=[STRING]-IPAddr=[STRING]; Command [STRING] in view [STRING] failed to be executed. |
|
Variable fields |
$1: Username. $2: IP address. $3: Command string. $4: Command view. |
|
Severity level |
4 |
|
Example |
SHELL/4/SHELL_CMD_EXECUTEFAIL: -User=**-IPAddr=192.168.62.138; Command save in view system failed to be executed. |
|
Explanation |
A command that a background program issued failed to be executed. |
|
Recommended action |
No action is required. |
SHELL_CMD_INPUT
|
Message text |
|
|
Variable fields |
$1: Command string. $2: String entered by the user. |
|
Severity level |
6 |
|
Example |
SHELL/6/SHELL_CMD_INPUT: Input string for the save command is startup.cfg. SHELL/6/SHELL_CMD_INPUT: Input string for the save command is CTRL_C. SHELL/6/SHELL_CMD_INPUT: Input string for the save command is the Enter key. |
|
Explanation |
A user responded to the input requirement of a command. |
|
Recommended action |
No action is required. |
SHELL_CMD_INPUT_TIMEOUT
|
Message text |
Operation timed out: Getting input for the [STRING] command. |
|
Variable fields |
$1: Command string. |
|
Severity level |
6 |
|
Example |
SHELL/6/SHELL_CMD_INPUT_TIMEOUT: Operation timed out: Getting input for the fdisk command. |
|
Explanation |
The user did not respond to the input requirement of a command before the timeout timer expired. |
|
Recommended action |
No action is required. |
SHELL_CMD_MATCHFAIL
|
Message text |
-User=[STRING]-IPAddr=[STRING]; Command [STRING] in view [STRING] failed to be matched. |
|
Variable fields |
$1: Username. $2: IP address. $3: Command string. $4: Command view. |
|
Severity level |
4 |
|
Example |
SHELL/4/SHELL_CMD_MATCHFAIL: -User=**-IPAddr=192.168.62.138; Command description 10 in view system failed to be matched. |
|
Explanation |
The command string has errors, or the view does not support the command. |
|
Recommended action |
Enter the correct command string. Make sure the command is supported in the view. |
SHELL_CMDDENY
|
Message text |
-Line=[STRING]-IPAddr=[STRING]-User=[STRING]; Command=[STRING] is denied. |
|
Variable fields |
$1: User line type and number. If there is not user line information, this field displays **. $2: IP address. If there is not IP address information, this field displays **. $3: Username. If there is not username information, this field displays **. $4: Command string. |
|
Severity level |
5 |
|
Example |
SHELL/5/SHELL_CMDDENY: -Line=vty0-IPAddr=192.168.62.138-User=**; Command vlan 10 is permission denied. |
|
Explanation |
The user did not have the right to execute the command. |
|
Recommended action |
No action is required. |
SHELL_CMDFAIL
|
Message text |
The [STRING] command failed to restore the configuration. |
|
Variable fields |
$1: Command string. |
|
Severity level |
6 |
|
Example |
SHELL/6/SHELL_CMDFAIL: The “vlan 1024” command failed to restore the configuration. |
|
Explanation |
The specified command failed to be restored during a configuration restoration from a .cfg file. |
|
Recommended action |
No action is required. |
SHELL_COMMIT
|
Message text |
The configuration has been committed. |
|
Variable fields |
N/A |
|
Severity level |
5 |
|
Example |
SHELL/5/SHELL_COMMIT: The configuration has been committed. |
|
Explanation |
The commit operation succeeded. |
|
Recommended action |
No action is required. |
SHELL_COMMIT_DELAY
|
Message text |
A configuration rollback will be performed in [INT32] minutes. |
|
Variable fields |
$1: Configuration commit delay timer. |
|
Severity level |
5 |
|
Example |
SHELL/5/SHELL_COMMIT_DELAY: A configuration rollback will be performed in 3 minutes. |
|
Explanation |
The configuration commit delay timer was set successfully. |
|
Recommended action |
Complete and commit the configuration before the timer expires. If you cannot complete the configuration, execute the configuration commit delay command again to delay the expiration. |
SHELL_COMMIT_REDELAY
|
Message text |
The commit delay has been reset, a configuration rollback will be performed in [INT32] minutes. |
|
Variable fields |
$1: Configuration commit delay timer reconfigured. |
|
Severity level |
5 |
|
Example |
SHELL/5/SHELL_COMMIT_REDELAY: The commit delay has been reset, a configuration rollback will be performed in 3 minutes. |
|
Explanation |
The configuration commit delay timer was reconfigured before the timer expires. |
|
Recommended action |
No action is required. |
SHELL_COMMIT_ROLLBACK
|
Message text |
The configuration commit delay is overtime, a configuration rollback will be performed. |
|
Variable fields |
N/A |
|
Severity level |
5 |
|
Example |
SHELL/5/SHELL_COMMIT_ROLLBACK: The configuration commit delay is overtime, a configuration rollback will be performed. |
|
Explanation |
The configuration commit delay timer expired. A configuration rollback will occur. |
|
Recommended action |
Stop configuring the device and wait for the rollback to finish. |
SHELL_COMMIT_ROLLBACKDONE
|
Message text |
The configuration rollback has been performed. |
|
Variable fields |
N/A |
|
Severity level |
5 |
|
Example |
SHELL/5/SHELL_COMMIT_ROLLBACKDONE: The configuration rollback has been performed. |
|
Explanation |
The configuration rollback was finished. |
|
Recommended action |
You can continue to configure the device as required. |
SHELL_COMMIT_ROLLBACKFAILED
|
Message text |
Settings for some commands were not rolled back upon expiration of the configuration commit delay timer. Reason: Configuration rollback is not supported for those commands. |
|
Variable fields |
N/A |
|
Severity level |
5 |
|
Example |
SHELL/5/SHELL_COMMIT_ROLLBACKFAILED: Settings for some commands were not rolled back upon expiration of the configuration commit delay timer. Reason: Configuration rollback is not supported for those commands. |
|
Explanation |
A configuration rollback occurred when the configuration commit delay timer expired. However, some commands were not rolled back. |
|
Recommended action |
Read SHELL log messages to identify the commands that failed to be rolled back. |
SHELL_COMMIT_WILLROLLBACK
|
Message text |
A configuration rollback will be performed in 1 minute. To retain the configuration you have made after executing the configuration commit delay command, execute the commit command. |
|
Variable fields |
N/A |
|
Severity level |
5 |
|
Example |
SHELL/5/SHELL_COMMIT_WILLROLLBACK: A configuration rollback will be performed in 1 minute. To retain the configuration you have made after executing the configuration commit delay command, execute the commit command. |
|
Explanation |
A configuration rollback will be performed in 1 minute. |
|
Recommended action |
Complete the configuration within 1 minute and commit the configuration, or execute the configuration commit delay command again to delay the expiration. |
SHELL_CRITICAL_CMDFAIL
|
Message text |
-User=[STRING]-IPAddr=[STRING]; Command=[STRING] . |
|
Variable fields |
$1: Username. $2: IP address. $3: Command string. |
|
Severity level |
6 |
|
Example |
SHELL/6/SHELL_CRITICAL_CMDFAIL: -User=admin-IPAddr=169.254.0.7; Command is save. |
|
Explanation |
A command failed to be executed. |
|
Recommended action |
No action is required. |
SHELL_LOGIN
|
Message text |
[STRING] logged in from [STRING]. |
|
Variable fields |
$1: Username. $2: User line type and number. |
|
Severity level |
5 |
|
Example |
SHELL/5/SHELL_LOGIN: Console logged in from console0. |
|
Explanation |
A user logged in. |
|
Recommended action |
No action is required. |
SHELL_LOGOUT
|
Message text |
[STRING] logged out from [STRING]. |
|
Variable fields |
$1: Username. $2: User line type and number. |
|
Severity level |
5 |
|
Example |
SHELL/5/SHELL_LOGOUT: Console logged out from console0. |
|
Explanation |
A user logged out. |
|
Recommended action |
No action is required. |
SNMP messages
This section contains SNMP messages.
SNMP_ACL_RESTRICTION
|
Message text |
SNMP [STRING] from [STRING] is rejected due to ACL restriction. |
|
Variable fields |
$1: SNMP community/usm-user/group. $2: IP address of the NMS. |
|
Severity level |
3 |
|
Example |
SNMP/3/SNMP_ACL_RESTRICTION: SNMP community public from 192.168.1.100 is rejected due to ACL restrictions. |
|
Explanation |
SNMP packets are denied because of ACL restrictions. |
|
Recommended action |
Check the ACL configuration on the SNMP agent, and check if the agent was attacked. |
SNMP_AUTHENTICATION_FAILURE
|
Message text |
|
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
SNMP/4/SNMP_AUTHENTICATION_FAILURE: Failed to authenticate SNMP message. |
|
Explanation |
An NMS failed to be authenticated by the agent. |
|
Recommended action |
No action is required. |
SNMP_GET
|
Message text |
-seqNO=[UINT32]-srcIP=[STRING]-op=GET-node=[STRING]-value=[STRING]; The agent received a message. |
|
Variable fields |
$1: Sequence number of an SNMP operation log. $2: IP address of the NMS. $3: MIB object name and OID. $4: Value field of the request packet. |
|
Severity level |
6 |
|
Example |
SNMP/6/SNMP_GET: -seqNO=1-srcIP=192.168.28.28-op=GET-node=sysLocation(1.3.6.1.2.1.1.6.0)-value=; The agent received a message. |
|
Explanation |
SNMP received a Get request from an NMS. The system logs SNMP operations only when SNMP logging is enabled. |
|
Recommended action |
No action is required. |
SNMP_NOTIFY
|
Message text |
Notification [STRING][STRING]. |
|
Variable fields |
$1: Notification name and OID. $2: Variable-binding field of notifications. ¡ If no MIB object exists, only notification name and OID are displayed. ¡ If MIB objects are included, " with " are displayed before the MIB object and OID. MIB objects are separated by semicolons (;). |
|
Severity level |
6 |
|
Example |
SNMP/6/SNMP_NOTIFY: Notification hh3cLogIn(1.3.6.1.4.1.25506.2.2.1.1.3.0.1) with hh3cTerminalUserName(1.3.6.1.4.1.25506.2.2.1.1.2.1.0)=;hh3cTerminalSource(1.3.6.1.4.1.25506.2.2.1.1.2.2.0)=Console. |
|
Explanation |
The SNMP agent sent a notification. This message displays the notification content. |
|
Recommended action |
No action is required. |
SNMP_SET
|
Message text |
-seqNO=[UINT32]-srcIP=[STRING]-op=SET-errorIndex=[UINT32]-errorStatus=[STRING]-node=[STRING]-value=[STRING]; The agent received a message. |
|
Variable fields |
$1: Sequence number of an SNMP operation log. $2: IP address of the NMS. $3: Error index of the Set operation. $4: Error status of the Set operation. $5: MIB object name and OID. $6: Value of the MIB object changed by the Set operation. |
|
Severity level |
6 |
|
Example |
SNMP/6/SNMP_SET: -seqNO=3-srcIP=192.168.28.28-op=SET-errorIndex=0-errorStatus=noError-node=sysLocation(1.3.6.1.2.1.1.6.0)-value=Hangzhou China; The agent received a message. |
|
Explanation |
SNMP received a Set request from an NMS. The system logs SNMP operations only when SNMP logging is enabled. |
|
Recommended action |
No action is required. |
SNMP_USM_NOTINTIMEWINDOW
|
Message text |
-User=[STRING]-IPAddr=[STRING]; SNMPv3 message is not in the time window. |
|
Variable fields |
$1: Username. $2: IP address of the NMS. |
|
Severity level |
4 |
|
Example |
SNMP/4/SNMP_USM_NOTINTIMEWINDOW: -User=admin-IPAddr=169.254.0.7; SNMPv3 message is not in the time window. |
|
Explanation |
The SNMPv3 message is not in the time window. |
|
Recommended action |
No action is required. |
SSHC messages
This section contains SSH client messages.
SSHC_ALGORITHM_MISMATCH
|
Message text |
Failed to log in to SSH server [STRING] because of [STRING] algorithm mismatch. |
|
Variable fields |
$1: IP address of the SSH client. $2: Type of the algorithm, including encryption, key exchange, MAC, and public key. |
|
Severity level |
6 |
|
Example |
SSHC/6/SSHC_ALGORITHM_MISMATCH: Failed to log in to SSH server 192.168.30.11 because of encryption algorithm mismatch. |
|
Explanation |
The SSH client failed to log in to the SSH server because they used different algorithms. |
|
Recommended action |
Make sure the SSH client and the SSH server use the same algorithm. |
SSHS messages
This section contains SSH server messages.
SSHS_ACL_DENY
|
Message text |
The SSH connection request from [IPADDR]([STRING]) was denied by ACL rule (rule ID=[INT16]). |
|
Variable fields |
$1: IP address of the SSH client. $2: VPN instance to which the IP address of the SSH client belongs. $3: ID of the ACL rule that denies the login of the SSH client. If the SSH client is denied by the default rule, default rule is displayed in this field. |
|
Severity level |
5 |
|
Example |
SSHS/5/SSH_ACL_DENY: The SSH connection request from 181.1.1.10 was denied by ACL rule (rule ID=20). SSHS/5/SSH_ACL_DENY: The SSH connection request from 181.1.1.11 was denied by ACL rule (default rule). |
|
Explanation |
An SSH client failed to connect to the SSH server because the client's IP address matched a deny rule of the SSH login control ACL. |
|
Recommended action |
No action is required. |
SSHS_ALGORITHM_MISMATCH
|
Message text |
SSH client [STRING] failed to log in because of [STRING] algorithm mismatch. |
|
Variable fields |
$1: IP address of the SSH client. $2: Type of the algorithm, including encryption, key exchange, MAC, and public key. |
|
Severity level |
6 |
|
Example |
SSHS/6/SSHS_ALGORITHM_MISMATCH: SSH client 192.168.30.117 failed to log in because of encryption algorithm mismatch. |
|
Explanation |
The SSH client failed to log in to the SSH server because they used different algorithms. |
|
Recommended action |
Make sure the SSH client and the SSH server use the same algorithm. |
SSHS_AUTH_EXCEED_RETRY_TIMES
|
Message text |
SSH user [STRING] (IP: [STRING]) failed to log in, because the number of authentication attempts exceeded the upper limit. |
|
Variable fields |
$1: User name. $2: IP address of the SSH client. |
|
Severity level |
6 |
|
Example |
SSHS/6/SSHS_AUTH_EXCEED_RETRY_TIMES: SSH user David (IP: 192.168.30.117) failed to log in, because the number of authentication attempts exceeded the upper limit. |
|
Explanation |
The number of authentication attempts by an SSH user reached the upper limit. |
|
Recommended action |
Prompt the SSH user to use the correct login data to try again. |
SSHS_AUTH_FAIL
|
Message text |
SSH user [STRING] (IP: [STRING]) didn't pass public key authentication for [STRING]. |
|
Variable fields |
$1: Username. $2: IP address of the SSH client. $3: Failure reasons: ¡ Wrong public key algorithm. ¡ Wrong public key. ¡ Wrong digital signature. |
|
Severity level |
5 |
|
Example |
SSHS/5/SSHS_AUTH_FAIL: SSH user David (IP: 192.168.30.117) didn't pass public key authentication for wrong public key algorithm. |
|
Explanation |
An SSH user failed the publickey authentication. |
|
Recommended action |
Tell the SSH user to try to log in again. |
SSHS_AUTH_TIMEOUT
|
Message text |
Authentication timed out for [IPADDR]. |
|
Variable fields |
$1: IP address of the SSH client. |
|
Severity level |
6 |
|
Example |
SSHS/6/SSHS_AUTH_TIMEOUT: Authentication timed out for 1.1.1.1. |
|
Explanation |
The authentication timeout timer expired, and the SSH user failed the authentication. |
|
Recommended action |
Make sure the SSH user enters correct authentication information before the authentication timeout timer expires. |
SSHS_CONNECT
|
Message text |
SSH user [STRING] (IP: [STRING]) connected to the server successfully. |
|
Variable fields |
$1: Username. $2: IP address of the SSH client. |
|
Severity level |
6 |
|
Example |
SSHS/6/SSHS_CONNECT: SSH user David (IP: 192.168.30.117) connected to the server successfully. |
|
Explanation |
An SSH user logged in to the server successfully. |
|
Recommended action |
No action is required. |
SSHS_DECRYPT_FAIL
|
Message text |
The packet from [STRING] failed to be decrypted with [STRING]. |
|
Variable fields |
$1: IP address of the SSH client. $2: Encryption algorithm, such as AES256-CBC. |
|
Severity level |
5 |
|
Example |
SSHS/5/SSHS_DECRYPT_FAIL: The packet from 192.168.30.117 failed to be decrypted with aes256-cbc. |
|
Explanation |
A packet from an SSH client failed to be decrypted. |
|
Recommended action |
No action is required. |
SSHS_DISCONNECT
|
Message text |
SSH user [STRING] (IP: [STRING]) disconnected from the server. |
|
Variable fields |
$1: Username. $2: IP address of the SSH client. |
|
Severity level |
6 |
|
Example |
SSHS/6/SSHS_DISCONNECT: SSH user David (IP: 192.168.30.117) disconnected from the server. |
|
Explanation |
An SSH user logged out. |
|
Recommended action |
No action is required. |
SSHS_ENCRYPT_FAIL
|
Message text |
The packet to [STRING] failed to be encrypted with [STRING]. |
|
Variable fields |
$1: IP address of the SSH client. $2: Encryption algorithm, such as aes256-cbc. |
|
Severity level |
5 |
|
Example |
SSHS/5/SSHS_ENCRYPT_FAIL: The packet to 192.168.30.117 failed to be encrypted with aes256-cbc. |
|
Explanation |
A packet to an SSH client failed to be encrypted. |
|
Recommended action |
No action is required. |
SSHS_LOG
|
Message text |
Authentication failed for [STRING] from [STRING] port [INT32] because of invalid username or wrong password. |
|
Variable fields |
$1: IP address of the SSH client. $2: Username. $3: Port number. |
|
Severity level |
6 |
|
Example |
SSHS/6/SSHS_LOG: Authentication failed for David from 140.1.1.46 port 16266 because of invalid username or wrong password. |
|
Explanation |
An SSH user failed password authentication because the username or password was wrong. |
|
Recommended action |
No action is required. |
SSHS_MAC_ERROR
|
Message text |
SSH server received a packet with wrong message authentication code (MAC) from [STRING]. |
|
Variable fields |
$1: IP address of the SSH client. |
|
Severity level |
6 |
|
Example |
SSHS/6/SSHS_MAC_ERROR: SSH server received a packet with wrong message authentication code (MAC) from 192.168.30.117. |
|
Explanation |
The SSH server received a packet with a wrong MAC from a client. |
|
Recommended action |
No action is required. |
SSHS_REACH_SESSION_LIMIT
|
Message text |
SSH client [STRING] failed to log in. The number of SSH sessions is [NUMBER], and exceeded the limit ([NUMBER]). |
|
Variable fields |
$1: IP address of the SSH client. $2: Number of SSH clients that have logged in to the SSH server. $3: Maximum number of SSH clients that the SSH server supports. |
|
Severity level |
6 |
|
Example |
SSHS/6/SSHS_REACH_SESSION_LIMIT: SSH client 192.168.30.117 failed to log in. The number of SSH sessions is 10, and exceeded the limit (10). |
|
Explanation |
The number of SSH sessions reached the upper limit. |
|
Recommended action |
No action is required. |
SSHS_REACH_USER_LIMIT
|
Message text |
SSH client [STRING] failed to log in, because the number of users reached the upper limit. |
|
Variable fields |
$1: IP address of the SSH client. |
|
Severity level |
6 |
|
Example |
SSHS/6/SSHS_REACH_USER_LIMIT: SSH client 192.168.30.117 failed to log in, because the number of users reached the upper limit. |
|
Explanation |
The number of SSH users reached the upper limit. |
|
Recommended action |
No action is required. |
SSHS_SCP_OPER
|
Message text |
User [STRING] at [IPADDR] requested operation: [STRING]. |
|
Variable fields |
$1: Username. $2: IP address of the SCP client. $3: Requested file operations: ¡ get file "name"'—Downloads the file name from the SCP server. ¡ put file "name"—Uploads the file name to the SCP server. |
|
Severity level |
6 |
|
Example |
SSHS/6/SSHS_SCP_OPER: -MDC=1; User user1 at 1.1.1.1 requested operation: put file "aa". |
|
Explanation |
The SCP sever received an operation request from an SCP client. |
|
Recommended action |
No action is required. |
SSHS_SFTP_OPER
|
Message text |
User [STRING] at [IPADDR] requested operation: [STRING]. |
|
Variable fields |
$1: Username. $2: IP address of the SFTP client. $3: Requested operations on a file or directory: ¡ open dir "path"—Opens the directory path. ¡ open "file" (attribute code code) in MODE mode—Opens the file file with the attribute code code in mode MODE. ¡ remove file "path"—Deletes the file path. ¡ mkdir "path" (attribute code code)—Creates a new directory path with the attribute code code. ¡ rmdir "path"—Deletes the directory path. ¡ rename old "old-name" to new "new-name"—Changes the name of a file or folder from old-name to new-name. |
|
Severity level |
6 |
|
Example |
SSHS/6/SSHS_SFTP_OPER: User user1 at 1.1.1.1 requested operation: open dir "flash:/". |
|
Explanation |
The SFTP sever received an operation request from an SFTP client. |
|
Recommended action |
No action is required. |
SSHS_SRV_UNAVAILABLE
|
Message text |
The [STRING] server is disabled or the [STRING] service type is not supported. |
|
Variable fields |
$1: Service type: Stelnet, SCP, SFTP, or NETCONF. |
|
Severity level |
6 |
|
Example |
SSHS/6/SSHS_SRV_UNAVAILABLE: The SCP server is disabled or the SCP service type is not supported. |
|
Explanation |
The Stelnet, SCP, SFTP, or NETCONF over SSH service was not available. The server was terminating the connection. |
|
Recommended action |
Check the service status or user configuration. |
SSHS_VERSION_MISMATCH
|
Message text |
SSH client [STRING] failed to log in because of version mismatch. |
|
Variable fields |
$1: IP address of the SSH client. |
|
Severity level |
6 |
|
Example |
SSHS/6/SSHS_VERSION_MISMATCH: SSH client 192.168.30.117 failed to log in because of version mismatch. |
|
Explanation |
The SSH client failed to log in to the SSH server because they used different SSH versions. |
|
Recommended action |
Make sure the SSH client and the SSH server use the same SSH version. |
SSL VPN messages
This section contains SSL VPN messages.
SLVPN_ADD_URL
|
Message text |
Set URL (URL [STRING]) for file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: URL of the file to be rewritten. $2: File policy name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_URL: Set URL (URL http://192.168.1.1:8080/test.js) for file policy fp1 in context ctx1. |
|
Explanation |
The URL of the file to be rewritten was set for a file policy. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_CONTENT_TYPE
|
Message text |
Set the content type for file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: File policy name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_CONTENT_TYPE: Set the content type for file policy fp1 in context ctx1. |
|
Explanation |
The type of file to be rewritten was set for a file policy. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_CONTENT_TYPE_FAILED
|
Message text |
Failed to set the content type for file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: File policy name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_CONTENT_TYPE_FAILED: Failed to set the content type for file policy fp1 in context ctx1. |
|
Explanation |
Failed to set the type of file to be rewritten for a file policy. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_CONTEXT
|
Message text |
Created SSL VPN context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_CONTEXT: Created SSL VPN context ctx1. |
|
Explanation |
An SSL VPN context was created. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_CONTEXT_FAILED
|
Message text |
Failed to create SSL VPN context [STRING] |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_CONTEXT_FAILED: Failed to create SSL VPN context ctx1. |
|
Explanation |
Failed to create an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_EXCROUTEITEM
|
Message text |
Added exclude route (IP [STRING] mask [STRING]) to route list [STRING] in context [STRING]. |
|
Variable fields |
$1: Destination IP address of the route. $2: Subnet mask of the route. $3: Route list name. $4: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_EXCROUTEITEM: Added exclude route (IP 10.0.0.0 mask 255.0.0.0) to route list rtlist in context ctx1. |
|
Explanation |
An exclude route was added to a route list in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_EXCROUTEITEM_FAILED
|
Message text |
Failed to add exclude route (IP [STRING] mask [STRING]) to route list [STRING] in context [STRING] |
|
Variable fields |
$1: Destination IP address of the route. $2: Subnet mask of the route. $3: Route list name. $4: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_EXCROUTEITEM_FAILED: Failed to add exclude route (IP 10.0.0.0 mask 255.0.0.0) to route list rtlist in context ctx1. |
|
Explanation |
Failed to add an exclude route to a route list in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_FILEPOLICY
|
Message text |
Created file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: File policy name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_FILEPOLICY: Created file policy fp1 in context ctx1. |
|
Explanation |
A file policy was created. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_FILEPOLICY_FAILED
|
Message text |
Failed to create file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: File policy name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_FILEPOLICY_FAILED: Failed to create file policy fp1 in context ctx1. |
|
Explanation |
Failed to create a file policy. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_GATEWAY
|
Message text |
Created SSL VPN gateway [STRING]. |
|
Variable fields |
$1: SSL VPN gateway name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_GATEWAY: Created SSL VPN gateway gw1. |
|
Explanation |
An SSL VPN gateway was created. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_GATEWAY_FAILED
|
Message text |
Failed to create SSL VPN gateway [STRING] |
|
Variable fields |
$1: SSL VPN gateway name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_GATEWAY_FAILED: Failed to create SSL VPN gateway gw1. |
|
Explanation |
Failed to create an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_INCROUTEITEM
|
Message text |
Added include route (IP [STRING] mask [STRING]) to route list [STRING] in context [STRING]. |
|
Variable fields |
$1: Destination IP address of the route. $2: Subnet mask of the route. $3: Route list name. $4: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_INCROUTEITEM: Added include route (IP 10.0.0.0 mask 255.0.0.0) to route list rtlist in context ctx1. |
|
Explanation |
An include route was added to a route list in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_INCROUTEITEM_FAILED
|
Message text |
Failed to add include route (IP [STRING] mask [STRING]) to route list [STRING] in context [STRING] |
|
Variable fields |
$1: Destination IP address of the route. $2: Subnet mask of the route. $3: Route list name. $4: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_INCROUTEITEM_FAILED: Failed to add include route (IP 10.0.0.0 mask 255.0.0.0) to route list rtlist in context ctx1. |
|
Explanation |
Failed to add an include route to a route list in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_IPADDRESSPOOL
|
Message text |
Created IP address pool [STRING] start-IP [STRING] end-IP [STRING]. |
|
Variable fields |
$1: Name of the IP address pool. $2: Start IP address of the address pool. $3: End IP address of the address pool. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_IPADDRESSPOOL: Created IP address pool pool1 start-IP 20.1.1.1 end-IP 20.1.1.100. |
|
Explanation |
An address pool was created. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_IPADDRESSPOOL_FAILED
|
Message text |
Failed to create IP address pool [STRING] start-IP [STRING] end-IP [STRING] |
|
Variable fields |
$1: Name of the IP address pool. $2: Start IP address of the address pool. $3: End IP address of the address pool. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_IPADDRESSPOOL_FAILED: Failed to create IP address pool pool1 start-IP 20.1.1.1 end-IP 20.1.1.100. |
|
Explanation |
Failed to create an address pool. |
|
Recommended action |
Verify that the address pool to be created does not contain addresses that are already contained in existing address pools. |
SSLVPN_ADD_IPTUNNELACIF
|
Message text |
Specified SSL VPN AC interface [STRING] in context [STRING]. |
|
Variable fields |
$1: Number of an SSL VPN AC interface. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_IPTUNNELACIF: Specified SSL VPN AC interface SSLVPN-AC1 in context ctx. |
|
Explanation |
An SSL VPN AC interface was specified in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_IPTUNNELACIF_FAILED
|
Message text |
Failed to specify SSL VPN AC interface [STRING] in context [STRING] |
|
Variable fields |
$1: Number of an SSL VPN AC interface. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_IPTUNNELACIF_FAILED: Failed to specify SSL VPN AC interface SSLVPN-AC1 in context ctx. |
|
Explanation |
Failed to specify an SSL VPN AC interface in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_IPV4_RANGE
|
Message text |
Specified IPv4 address range (start-IP [STRING] end-IP [STRING]) for SNAT pool [STRING]. |
|
Variable fields |
$1: Start IPv4 address of the SSL VPN SNAT address pool. $2: End IPv4 address of the SSL VPN SNAT address pool. $3: SNAT address pool name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_IPV4_RANGE: Specified IPv4 address range (start-IP 192.168.1.1 end-IP 192.168.1.10) for SNAT pool sp1. |
|
Explanation |
An IPv4 address range was specified for an SSL VPN SNAT address pool. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_IPV4_RANGE_FAILED
|
Message text |
Failed to specify IPv4 address range (start-IP [STRING] end-IP [STRING]) for SNAT pool [STRING]. |
|
Variable fields |
$1: Start IPv4 address of the SSL VPN SNAT address pool. $2: End IPv4 address of the SSL VPN SNAT address pool. $3: SNAT address pool name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_IPV4_RANGE_FAILED: Failed to specify IPV4 address range (start-IP 192.168.1.1 end-IP 192.168.1.10) for SNAT pool sp1. |
|
Explanation |
Failed to specify the IPv4 address range for an SSL VPN SNAT address pool. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_IPV6_RANGE
|
Message text |
Specified IPv6 address range (start-IP [STRING] end-IP [STRING]) for SNAT pool [STRING]. |
|
Variable fields |
$1: Start IPv6 address of the SSL VPN SNAT address pool. $2: End IPv6 address of the SSL VPN SNAT address pool. $3: SNAT address pool name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_IPV6_RANGE: Specified IPv6 address range (start-IP 2000::1 end-IP 2000::10) for SNAT pool sp1. |
|
Explanation |
An IPv6 address range was specified for an SSL VPN SNAT address pool. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_IPV6_RANGE_FAILED
|
Message text |
Failed to specify IPv6 address range (start-IP [STRING] end-IP [STRING]) for SNAT pool [STRING]. |
|
Variable fields |
$1: Start IPv6 address of the SSL VPN SNAT address pool. $2: End IPv6 address of the SSL VPN SNAT address pool. $3: SNAT address pool name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_IPV6_RANGE_FAILED: Failed to specify IPv6 address range (start-IP 2000::1 end-IP 2000::10) for SNAT pool sp1. |
|
Explanation |
Failed to specify the IPv6 address range for an SSL VPN SNAT address pool. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_LOCALPORT
|
Message text |
Added port forwarding entry local-port [STRING] local-name [STRING] remote-server [STRING] remote-port [STRING] [STRING] in port forwarding list [STRING] in context [STRING]. |
|
Variable fields |
$1: Local port number. $2: Local address or local host name. $3: IP address or domain name of a TCP service on an internal server. $4: Port number of the TCP service. $5: Description of the port forwarding entry. This field is empty if no description is configured. $6: Port forwarding list name. $7: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
· SSLVPN/6/SSLVPN_ADD_LOCALPORT: Added port forwarding entry local-port 80 local-name 127.0.0.1 remote-server 192.168.20.35 remote-port 80 in port forwarding list pflist1 in context ctx. · SSLVPN/6/SSLVPN_ADD_LOCALPORT: Added port forwarding entry local-port 80 local-name 127.0.0.1 remote-server 192.168.20.35 remote-port 80 description http in port forwarding list pflist1 in context ctx. |
|
Explanation |
A port forwarding entry was added to a port forwarding list. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_LOCALPORT_FAILED
|
Message text |
Failed to add port forwarding entry local-port [STRING] local-name [STRING] remote-server [STRING] remote-port [STRING] [STRING] in port forwarding list [STRING] in context [STRING] |
|
Variable fields |
$1: Local port number. $2: Local address or local host name. $3: IP address or domain name of a TCP service on an internal server. $4: Port number of the TCP service. $5: Description of the port forwarding entry. This field is empty if no description is configured. $6: Port forwarding list name. $7: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_LOCALPORT_FAILED: Failed to add port forwarding entry ocal-port 80 local-name 127.0.0.1 remote-server 192.168.20.34 remote-port 80 in port forwarding list pflist1 in context ctx. SSLVPN/6/SSLVPN_ADD_LOCALPORT_FAILED: Failed to add port forwarding entry local-port 80 local-name 127.0.0.1 remote-server 192.168.20.34 remote-port 80 description http in port forwarding list pflist1 in context ctx. |
|
Explanation |
Failed to add a port forwarding entry to a port forwarding list. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_NEWCONTENT
|
Message text |
Specified new content [STRING] for rewrite rule [STRING] in file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: New content used to replace the old content. $2: Rewrite rule name. $3: File policy name. $4: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_NEWCONTENT: Specified new content sslvpn rewrite htmlcode(d); for rewrite rule rw in file policy fp in context ctx. |
|
Explanation |
The new content used to replace the old content was specified for a rewrite rule. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_NEWCONTENT_FAILED
|
Message text |
Failed to specify new content [STRING] for rewrite rule [STRING] in file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: New content used to replace the old content. $2: Rewrite rule name. $3: File policy name. $4: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_NEWCONTENT_FAILED: Failed to specify new content sslvpn rewrite htmlcode(d); for rewrite rule rw in file policy fp in context ctx. |
|
Explanation |
Failed to specify the new content used to replace the old content for a rewrite rule. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_OLDCONTENT
|
Message text |
Specified old content [STRING] for rewrite rule [STRING] in file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: Old file content to be replaced. $2: Rewrite rule name. $3: File policy name. $4: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_OLDCONTENT: Specified old content a.b.c.innerHTML = d; for rewrite rule rw in file policy fp in context ctx. |
|
Explanation |
The old file content to be replaced was specified for a rewrite rule. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_OLDCONTENT_FAILED
|
Message text |
Failed to specify old content [STRING] for rewrite rule [STRING] in file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: Old file content to be replaced. $2: Rewrite rule name. $3: File policy name. $4: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_OLDCONTENT_FAILED: Failed to specify old content a.b.c.innerHTML = d; for rewrite rule rw in file policy fp in context ctx. |
|
Explanation |
Failed to specify the old file content to be replaced for a rewrite rule. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_PORTFWD
|
Message text |
Created port forwarding list [STRING] in context [STRING]. |
|
Variable fields |
$1: Port forwarding list name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_PORTFWD: Created port forwarding list pf in context ctx1. |
|
Explanation |
A port forwarding list was created. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_PORTFWD_FAILED
|
Message text |
Failed to create port forwarding list [STRING] in context [STRING] |
|
Variable fields |
$1: Port forwarding list name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_PORTFWD_FAILED: Failed to create port forwarding list pf in context ctx1. |
|
Explanation |
Failed to create a port forwarding list. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_PORTFWD_ITEM
|
Message text |
Created port forwarding item [STRING] in context [STRING]. |
|
Variable fields |
$1: Port forwarding item name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_PORTFWD_ITEM: Created port forwarding item pfitem in context ctx1. |
|
Explanation |
A port forwarding item was created. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_PORTFWD_ITEM_FAILED
|
Message text |
Failed to create port forwarding item [STRING] in context [STRING] |
|
Variable fields |
$1: Port forwarding item name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_PORTFWD_ITEM_FAILED: Failed to create port forwarding item pfitem in context ctx1. |
|
Explanation |
Failed to create a port forwarding item. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_PYGROUP
|
Message text |
Created policy group [STRING] in context [STRING]. |
|
Variable fields |
$1: Policy group name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_PYGROUP: Created policy group pg in context ctx1. |
|
Explanation |
A policy group was created in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_PYGROUP_FAILED
|
Message text |
Failed to create policy group [STRING] in context [STRING] |
|
Variable fields |
$1: Policy group name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_PYGROUP_FAILED: Failed to create policy group pg in context ctx1. |
|
Explanation |
Failed to create a policy group in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_REFER_PFWDITEM
|
Message text |
Assigned port forwarding item [STRING] to port forwarding list [STRING] in context [STRING]. |
|
Variable fields |
$1: Port forwarding item name. $2: Port forwarding list name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REFER_PFWDITEM: Assigned port forwarding item pfitem1 to port forwarding list pflist1 in context ctx1. |
|
Explanation |
A port forwarding item was assigned to a port forwarding list. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_REFER_PFWDITEM_FAILED
|
Message text |
Failed to assign port forwarding item [STRING] to port forwarding list [STRING] in context [STRING]. |
|
Variable fields |
$1: Port forwarding item name. $2: Port forwarding list name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REFER_PFWDITEM_FAILED: Failed to assign port forwarding item pfitem1 to port forwarding list pflist1 in context ctx1. |
|
Explanation |
Failed to assign a port forwarding item to a port forwarding list. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_REFER_SCUTLIST
|
Message text |
Assigned shortcut list [STRING] to policy group [STRING] in context [STRING]. |
|
Variable fields |
$1: Shortcut list name. $2: SSL VPN policy group name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REFER_SCUTLIST: Assigned shortcut list scutlist1 to policy group pg in context ctx1. |
|
Explanation |
A shortcut list was assigned to an SSL VPN policy group. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_REFERIPACL
|
Message text |
Added IP access filter ACL [STRING] in policy group [STRING] in context [STRING]. |
|
Variable fields |
$1: Advanced ACL number. $2: Policy group name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REFERIPACL: Added IP access filter ACL 3000 in policy group pgroup in context ctx1. |
|
Explanation |
An ACL for IP access filtering was specified in a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_REFERIPACL_FAILED
|
Message text |
Failed to add IP access filter ACL [STRING] in policy group [STRING] in context [STRING] |
|
Variable fields |
$1: Advanced ACL number. $2: Policy group name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REFERIPACL_FAILED: Failed to add IP access filter ACL 3000 in policy group pgroup in context ctx1. |
|
Explanation |
Failed to specify an ACL for IP access filtering in a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_REFERPORTFWD
|
Message text |
Specified port forwarding list [STRING] for policy-group [STRING] in context [STRING]. |
|
Variable fields |
$1: Port forwarding list name. $2: Policy group name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REFERPORTFWD: Specified port forwarding list pf for policy-group pg in context ctx1. |
|
Explanation |
A port forwarding list was assigned to a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_REFERPORTFWD_FAILED
|
Message text |
Failed to specify port forwarding list [STRING] for policy-group [STRING] in context [STRING] |
|
Variable fields |
$1: Port forwarding list name. $2: Policy group name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REFERPORTFWD_FAILED: Failed to specify port forwarding list pf for policy-group pg in context ctx1. |
|
Explanation |
Failed to assign a port forwarding list to a policy group. |
|
Recommended action |
Make sure a port forwarding list exists before you assign it to a policy group. |
SSLVPN_ADD_REFERSCUTLIST_FAILED
|
Message text |
Failed to assign shortcut list [STRING] to policy group [STRING] in context [STRING]. |
|
Variable fields |
$1: Shortcut list name. $2: SSL VPN policy group name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REFERSCUTLIST_FAILED: Failed to assign shortcut list scutlist1 to policy group pg in context ctx1. |
|
Explanation |
Failed to assign a shortcut list to an SSL VPN policy group. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_REFERSHORTCUT
|
Message text |
Assigned shortcut [STRING] to shortcut list [STRING] in context [STRING]. |
|
Variable fields |
$1: Shortcut name. $2: Shortcut list name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REFERSHORTCUT: Assigned shortcut shortcut1 to shortcut list scutlist1 in context ctx1. |
|
Explanation |
A shortcut was assigned to a shortcut list. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_REFERSHORTCUT_FAILED
|
Message text |
Failed to assign shortcut [STRING] to shortcut list [STRING] in context [STRING]. |
|
Variable fields |
$1: Shortcut name. $2: Shortcut list name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REFERSHORTCUT_FAILED: Failed to assign shortcut shortcut1 to shortcut list scutlist1 in context ctx1. |
|
Explanation |
Failed to assign a shortcut to a shortcut list. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_REFERSNATPOOL
|
Message text |
Specified SNAT pool [STRING] for context [STRING]. |
|
Variable fields |
$1: SNAT address pool name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REFERSNATPOOL: Specified SNAT pool sp1 for context ctx1. |
|
Explanation |
A SNAT address pool was assigned to an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_REFERSNATPOOL_FAILED
|
Message text |
Failed to specify SNAT pool [STRING] for context [STRING]. |
|
Variable fields |
$1: SNAT address pool name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REFERSNATPOOL_FAILED: Failed to specify SNAT pool sp1 for context ctx1. |
|
Explanation |
Failed to assign a SNAT address pool to an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_REFERTCPACL
|
Message text |
Added TCP access filter ACL [STRING] in policy group [STRING] in context [STRING]. |
|
Variable fields |
$1: Advanced ACL number. $2: Policy group name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REFERTCPACL: Added TCP access filter ACL 3000 in policy group pgroup in context ctx1. |
|
Explanation |
An ACL for TCP access filtering was specified in a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_REFERTCPACL_FAILED
|
Message text |
Failed to add TCP access filter ACL [STRING] in policy group [STRING] in context [STRING] |
|
Variable fields |
$1: Advanced ACL number. $2: Policy group name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REFERTCPACL_FAILED: Failed to add TCP access filter ACL 3000 in policy group pgroup in context ctx1 |
|
Explanation |
Failed to specify an ACL for TCP access filtering in a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_REFERURIACL
|
Message text |
Added [STRING] access filter URI ACL [STRING] to policy group [STRING] in context [STRING]. |
|
Variable fields |
$1: SSL VPN access mode. Options are: · IP access. · Web access. · TCP access. $2: URI ACL name. $3: Policy group name. $4: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REFERURIACL: Added IP access filter URI ACL uacl to policy group pgroup in context ctx1. |
|
Explanation |
A URI ACL was specified for IP, Web, or TCP access filtering in a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_REFERURIACL_FAILED
|
Message text |
Failed to add [STRING] access filter URI ACL [STRING] to policy group [STRING] in context [STRING]. |
|
Variable fields |
$1: SSL VPN access mode. Options are: · IP access · Web access. · TCP access. $2: URI ACL name. $3: Policy group name. $4: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REFERURIACL_FAILED: Failed to add IP access filter URI ACL uacl to policy group pgroup in context ctx1. |
|
Explanation |
Failed to specify a URI ACL for IP, Web, or TCP access filtering in a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_REFERURLLIST
|
Message text |
Specified URL list [STRING] for policy-group [STRING] in context [STRING]. |
|
Variable fields |
$1: URL list name. $2: Policy group name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REFERURLLIST: Specified URL list urllist for policy-group pg in context ctx1. |
|
Explanation |
A URL list was assigned to a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_REFERURLLIST_FAILED
|
Message text |
Failed to specify URL list [STRING] for policy-group [STRING] in context [STRING] |
|
Variable fields |
$1: URL list name. $2: Policy group name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REFERURLLIST_FAILED: Failed to specify URL list urllist for policy-group pg in context ctx1. |
|
Explanation |
Failed to assign a URL list to a policy group. |
|
Recommended action |
Verity that a URL list exists before you assign it to a policy group. |
SSLVPN_ADD_REFERWEBACL
|
Message text |
Added Web access filter ACL [STRING] in policy group [STRING] in context [STRING]. |
|
Variable fields |
$1: Advanced ACL number. $2: Policy group name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REFERWEBACL: Added Web access filter 3000 in policy group pgroup in context ctx1. |
|
Explanation |
An ACL for Web accessing filtering was specified in a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_REFERWEBACL_FAILED
|
Message text |
Failed to add Web access filter ACL [STRING] in policy group [STRING] in context [STRING] |
|
Variable fields |
$1: Advanced ACL number. $2: Policy group name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REFERWEBACL_FAILED: Failed to add Web access filter 3000 in policy group pgroup in context ctx1. |
|
Explanation |
Failed to specify an ACL for Web accessing filtering in a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_REWRITE_RULE
|
Message text |
Created rewrite rule [STRING] in file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: Rewrite rule name. $2: File policy name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REWRITE_RULE: Created rewrite rule rw in file policy fp in context ctx. |
|
Explanation |
A rewrite rule was created. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_REWRITE_RULE_FAILED
|
Message text |
Failed to create rewrite rule [STRING] in file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: Rewrite rule name. $2: File policy name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_REWRITE_RULE_FAILED: Failed to create rewrite rule rw in file policy fp in context ctx. |
|
Explanation |
Failed to create a rewrite rule. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_ROUTELIST
|
Message text |
Created IP-route-list [STRING] in context [STRING]. |
|
Variable fields |
$1: Route list name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_ROUTELIST: Created IP-route-list rtlist in context ctx1. |
|
Explanation |
A route list was created in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_ROUTELIST_FAILED
|
Message text |
Failed to create IP-route-list [STRING] in context [STRING] |
|
Variable fields |
$1: Route list name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_ROUTELIST_FAILED: Failed to create IP-route-list rtlist in context ctx1. |
|
Explanation |
Failed to create a route list in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_ROUTEREFER
|
Message text |
Configured access-route [STRING] in policy-group [STRING] in context [STRING]. |
|
Variable fields |
$1: Route to be issued to clients. Valid values are: · Route in the format of ip-address mask. · Force-all. This setting forces all traffic to be sent to the SSL VPN gateway. · Route list name in the format of ip-route-list list-name. All routes in the route list will be issued to clients. $2: Policy group name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
· SSLVPN/6/SSLVPN_ADD_ROUTEREFER: Configured access-route ip-route-list rtlist in policy-group pg in context ctx. · SSLVPN/6/SSLVPN_ADD_ROUTEREFER: Configured access-route 1.0.0.0 255.240.0.0 in policy-group pg in context ctx. · SSLVPN/6/SSLVPN_ADD_ROUTEREFER: Configured access-route force-all in policy-group pg in context ctx. |
|
Explanation |
Routes to be issued to clients were specified in a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_ROUTEREFER_FAILED
|
Message text |
Failed to configure access-route [STRING] in policy-group [STRING] in context [STRING] |
|
Variable fields |
$1: Route to be issued to clients. Valid values are: · Route in the format of ip-address mask. · Force-all. This setting forces all traffic to be sent to the SSL VPN gateway. · Route list name in the format of ip-route-list list-name. All routes in the route list will be issued to clients. $2: Policy group name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
· SSLVPN/6/SSLVPN_ADD_ROUTEREFER_FAILED: Failed to configure access-route ip-route-list rtlist in policy-group pg in context ctx. · SSLVPN/6/SSLVPN_ADD_ROUTEREFER_FAILED: Failed to configure access-route 1.0.0.0 255.240.0.0 in policy-group pg in context ctx. · SSLVPN/6/SSLVPN_ADD_ROUTEREFER_FAILED: Failed to configure access-route force-all in policy-group pg in context ctx. |
|
Explanation |
Failed to specify a route or a route list to be issued to clients in a policy group. |
|
Recommended action |
Verify that a route list exists before you specify it in a policy group. |
SSLVPN_ADD_SERVERURL
|
Message text |
Specified URL [STRING] for URL item [STRING] in context [STRING]. |
|
Variable fields |
$1: URL string. $2: URL item name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_SERVERURL: Specified URL www.abc.com for URL item item1 in context ctx1. |
|
Explanation |
Configured the URL for a URL item. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_SERVERURL_FAILED
|
Message text |
Failed to specify URL [STRING] for URL item [STRING] in context [STRING]. |
|
Variable fields |
$1: URL string. $2: URL item name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_SERVERURL_FAILED: Failed to specify URL www.abc.com for URL item item1 in context ctx1. |
|
Explanation |
Failed to configure the URL for a URL item. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_SHORTCUT
|
Message text |
Created shortcut [STRING] in context [STRING]. |
|
Variable fields |
$1: Shortcut name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_SHORTCUT: Created shortcut shortcut1 in context ctx1. |
|
Explanation |
A shortcut was created. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_SHORTCUT_FAILED
|
Message text |
Failed to create shortcut [STRING] in context [STRING]. |
|
Variable fields |
$1: Shortcut name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_SHORTCUT_FAILED: Failed to create shortcut shortcut1 in context ctx1. |
|
Explanation |
Failed to create a shortcut. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_SHORTCUTLIST
|
Message text |
Created shortcut list [STRING] in context [STRING]. |
|
Variable fields |
$1: Shortcut list name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_SHORTCUTLIST: Created shortcut list scutlist1 in context ctx1. |
|
Explanation |
A shortcut list was created. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_SHORTCUTLIST_FAILED
|
Message text |
Failed to create shortcut list [STRING] in context [STRING]. |
|
Variable fields |
$1: Shortcut list name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_SHORTCUTLIST_FAILED: Failed to create shortcut list scutlist1 in context ctx1. |
|
Explanation |
Failed to create a shortcut list. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_SNATPOOL
|
Message text |
Created SSL VPN SNAT pool [STRING]. |
|
Variable fields |
$1: SNAT address pool name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_SNATPOOL: Created SSL VPN SNAT pool sp1. |
|
Explanation |
An SSL VPN SNAT address pool was created. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_SNATPOOL_FAILED
|
Message text |
Failed to create SSL VPN SNAT pool [STRING]. |
|
Variable fields |
$1: SNAT address pool name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_SNATPOOL_FAILED: Failed to create SSL VPN SNAT pool sp1. |
|
Explanation |
Failed to create an SSL VPN SNAT address pool. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_URIACL
|
Message text |
Created URI ACL [STRING] in context [STRING]. |
|
Variable fields |
$1: URI ACL name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_URIACL: Created URI ACL uacl in context ctx1. |
|
Explanation |
A URI ACL was created. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_URIACL_FAILED
|
Message text |
Failed to create URI ACL [STRING] in context [STRING]. |
|
Variable fields |
$1: URI ACL name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_URIACL_FAILED: Failed to create URI ACL uacl in context ctx1. |
|
Explanation |
Failed to create a URI ACL. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_URIACL_RULE
|
Message text |
Added rule [UINT32] to URI ACL [STRING] in context [STRING]. |
|
Variable fields |
$1: Rule ID. $2: URI ACL name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_URIACL_RULE: Added rule 5 to URI ACL uacl in context ctx1. |
|
Explanation |
A rule was added to a URI ACL. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_URIACL_RULE_FAILED
|
Message text |
Failed to add rule [UINT32] to URI ACL [STRING] in context [STRING]. |
|
Variable fields |
$1: Rule ID. $2: URI ACL name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_URIACL_RULE_FAILED: Failed to add rule 5 to URI ACL uacl in context ctx1. |
|
Explanation |
Failed to add a rule to a URI ACL. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_URL_FAILED
|
Message text |
Failed to set URL (URL [STRING]) for file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: URL of the file to be rewritten. $2: File policy name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_URL_FAILED: Failed to set URL (URL http://192.168.1.1:8080/test.js) for file policy fp1 in context ctx1. |
|
Explanation |
Failed to set the URL of the file to be rewritten for a file policy. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_URLITEM
|
Message text |
Created URL item [STRING] in context [STRING]. |
|
Variable fields |
$1: URL item name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_URLITEM: Created URL item item1 in context ctx1. |
|
Explanation |
Created a URL item. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_URLITEM_FAILED
|
Message text |
Failed to create URL item [STRING] in context [STRING]. |
|
Variable fields |
$1: URL item name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_URLITEM_FAILED: Failed to create URL item item1 in context ctx1. |
|
Explanation |
Failed to create a URL item. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_URLITEM_REFERURIACL
|
Message text |
Specified URI ACL [STRING] for URL item [STRING] in context [STRING]. |
|
Variable fields |
$1: URI ACL used by the URL item. $2: URL item name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_URLITEM_REFERURIACL: Specified URI ACL uriacl1 for URL item item1 in context ctx1. |
|
Explanation |
Specified a URI ACL for a URL item. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_URLITEM_REFERURIACL_FAILED
|
Message text |
Failed to specify URI ACL [STRING] for URL item [STRING] in context [STRING]. |
|
Variable fields |
$1: URI ACL used by the URL item. $2: URL item name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_URLITEM_REFERURIACL_FAILED: Failed to specify URI ACL uriacl1 for URL item item1 in context ctx1. |
|
Explanation |
Failed to specify a URI ACL for a URL item. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_URLLIST
|
Message text |
Created URL list [STRING] in context [STRING]. |
|
Variable fields |
$1: URL list name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_URLLIST: Created URL list urllist in context ctx1. |
|
Explanation |
A URL list was created. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_URLLIST_FAILED
|
Message text |
Failed to create URL list [STRING] in context [STRING] |
|
Variable fields |
$1: URL list name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_URLLIST_FAILED: Failed to create URL list urllist in context ctx1. |
|
Explanation |
Failed to create a URL list. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_URLMAPPING_DOMAIN
|
Message text |
Configured domain mapping for URL item [STRING] in context [STRING]: mapped domain name=[STRING], URL rewriting=[STRING]. |
|
Variable fields |
$1: URL item name. $2: SSL VPN context name. $3: Mapped domain name. $4: Whether absolute path rewriting is enabled. Options are: · enabled. · disabled. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_URLMAPPING_DOMAIN: Configured domain mapping for URL item item1 in context ctx1: mapped domain name=www.abc.com, URL rewriting=enabled. |
|
Explanation |
Configured the domain mapping method for the URL in a URL item. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_URLMAPPING_DOMAIN_FAILED
|
Message text |
Failed to configure domain mapping for URL item [STRING] in context [STRING]: mapped domain name=[STRING], URL rewriting=[STRING]. |
|
Variable fields |
$1: URL item name. $2: SSL VPN context name. $3: Mapped domain name. $4: Whether absolute path rewriting is enabled. Options are: · enabled. · disabled. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_URLMAPPING_DOMAIN_FAILED: Failed to configure domain mapping for URL item item1 in context ctx1: mapped domain name=www.abc.com, URL rewriting=enabled. |
|
Explanation |
Failed to configure the domain mapping method for the URL in a URL item. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_URLMAPPING_VPNPORT
|
Message text |
Configured port mapping for URL item [STRING] in context [STRING]: mapped gateway name=[STRING], virtual host name=[STRING], URL rewriting=[STRING]. |
|
Variable fields |
$1: URL item name. $2: SSL VPN context name. $3: Mapped SSL VPN gateway name. $4: Virtual host name. $5: Whether absolute path rewriting is enabled. Options are: · enabled. · disabled. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_URLMAPPING_VPNPORT: Configured port mapping for URL item item1 in context ctx1: mapped gateway name=www.abc.com, virtual host name=vhost1, URL rewriting=enabled. |
|
Explanation |
Configured the port mapping method for the URL in a URL item. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_URLMAPPING_VPNPORT_FAILED
|
Message text |
Failed to configure port mapping for URL item [STRING] in context [STRING]: mapped gateway name=[STRING], virtual host name=[STRING], URL rewriting=[STRING]. |
|
Variable fields |
$1: URL item name. $2: SSL VPN context name. $3: Mapped SSL VPN gateway name. $4: Virtual host name. $5: Whether absolute path rewriting is enabled. Options are: · enabled. · disabled. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_URLMAPPING_VPNPORT_FAILED: Failed to configure port mapping for URL item item1 in context ctx1: mapped gateway name=gw1, virtual host name=vhost1, URL rewriting=enabled. |
|
Explanation |
Failed to configure the port mapping method for the URL in a URL item. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_USER
|
Message text |
Failed to create user [STRING] in context [STRING]. |
|
Variable fields |
$1: Username. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_USER_FAILED: Failed to create user user1 in context ctx1. |
|
Explanation |
Failed to create an SSL VPN user in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ADD_USER_FAILED
|
Message text |
Created user [STRING] in context [STRING]. |
|
Variable fields |
$1: Username. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ADD_USER: Created user user1 in context ctx1. |
|
Explanation |
An SSL VPN user was created in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_AAADOMAIN
|
Message text |
Specified AAA domain [STRING] for context [STRING]. |
|
Variable fields |
$1: ISP domain name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_AAADOMAIN: Specified AAA domain myserver for context ctx1. |
|
Explanation |
An ISP domain was specified for authentication, authorization, and accounting of SSL VPN users in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_AAADOMAIN_FAILED
|
Message text |
Failed to specify AAA domain [STRING] for context [STRING]. |
|
Variable fields |
$1: ISP domain name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_AAADOMAIN_FAILED: Failed to specify AAA domain myserver for context ctx1. |
|
Explanation |
Failed to specify an ISP domain for authentication, authorization, and accounting of SSL VPN users in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_AUTHENTICATIONUSE
|
Message text |
Configured authentication use [STRING] in context [STRING]. |
|
Variable fields |
$1: Authentication mode, which indicates the authentication methods required for users to log in to the SSL VPN context. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_AUTHENTICATIONUSE: Configured authentication use all in context ctx1. |
|
Explanation |
Configured the authentication mode of an SSL VPN context. · The all mode indicates that a user must pass all enabled authentication methods to log in to the SSL VPN context. · The any-one mode indicates that a user can log in to the SSL VPN context after passing any enabled authentication method. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_AUTHENTICATIONUSE_FAILED
|
Message text |
Failed to configure authentication use [STRING] in context [STRING]. |
|
Variable fields |
$1: Authentication mode, which indicates the authentication methods required for users to log in to the SSL VPN context. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_AUTHENTICATIONUSE_FAILED: Failed to configure authentication use all in context ctx1. |
|
Explanation |
Failed to configure the authentication mode of an SSL VPN context. · The all mode indicates that a user must pass all enabled authentication methods to log in to the SSL VPN context. · The any-one mode indicates that a user can log in to the SSL VPN context after passing any enabled authentication method. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_BINDIP
|
Message text |
Bound IP addresses [STRING] to user [STRING] in context [STRING]. |
|
Variable fields |
$1: IP address list. $2: SSL VPN username. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_BINDIP: Bound IP addresses 10.1.1.1,10.1.1.3-10.1.1.5 to user user1 in context ctx1. |
|
Explanation |
IP addresses were bound to an SSL VPN user. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_BINDIP_FAILED
|
Message text |
Failed to bind IP addresses [STRING] to user [STRING] in context [STRING]. |
|
Variable fields |
$1: IP address list. $2: SSL VPN username. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_BINDIP_FAILED: Failed to bind IP addresses 10.1.1.1,10.1.1.3-10.1.1.5 to user user1 in context ctx1. |
|
Explanation |
Failed to bind IP addresses to an SSL VPN user. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_BINDIPAUTOALLOC
|
Message text |
Set the number of IP addresses automatically bound to user [STRING] in context [STRING] to [UINT32]. |
|
Variable fields |
$1: SSL VPN username. $2: SSL VPN context name. $3: Number of IP addresses to be automatically bound to the user. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_BINDIPAUTOALLOC: Set the number of IP addresses automatically bound to user user1 in context ctx1 to 3. |
|
Explanation |
The number of IP addresses to be automatically bound to an SSL VPN user was specified. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_BINDIPAUTOALLOC_FAILED
|
Message text |
Failed to set the number of IP addresses automatically bound to user [STRING] in context [STRING] to [UINT32]. |
|
Variable fields |
$1: SSL VPN username. $2: SSL VPN context name. $3: Number of IP addresses to be automatically bound to the user. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_BINDIPAUTOALLOC_FAILED: Failed to set the number of IP addresses automatically bound to user user1 in context ctx1 to 3. |
|
Explanation |
Failed to set the number of IP addresses to be automatically bound to an SSL VPN. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_CONNECTIONS
|
Message text |
Set the maximum number of connections to [STRING] for each session in context [STRING]. |
|
Variable fields |
$1: Maximum number of concurrent connections per session. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_CONNECTIONS: Set the maximum number of connections to 50 for each session in context ctx1. |
|
Explanation |
The maximum number of concurrent connections per session was set in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_CONNECTIONS_FAILED
|
Message text |
Failed to set the maximum number of connections to [STRING] for each session in context [STRING]. |
|
Variable fields |
$1: Maximum number of concurrent connections per session. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_CONNECTIONS_FAILED: Failed to set the maximum number of connections to 50 for each session in context ctx1. |
|
Explanation |
Failed to set the maximum number of concurrent connections per session in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_CONTEXT_USERMAXIMUM
|
Message text |
Configured the maximum number of SSL VPN users in context [UINT32]. |
|
Variable fields |
$1: Context ID. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_CONTEXT_USERMAXIMUM: Configured the maximum number of SSL VPN users in context 2. |
|
Explanation |
The maximum number of SSL VPN users was set in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_CONTEXT_USERMAXIMUM_FAILED
|
Message text |
Failed to configure the maximum number of SSL VPN users in context [UINT32]. |
|
Variable fields |
$1: Context ID. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_CONTEXT_USERMAXIMUM_FAILED: Failed to configure the maximum number of SSL VPN users in context 2. |
|
Explanation |
Failed to configure the maximum number of SSL VPN users in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_CONTEXTVPN
|
Message text |
Associated VPN instance [STRING] with context [STRING]. |
|
Variable fields |
$1: VPN instance name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_CONTEXTVPN: Associated VPN instance vpn1 with context ctx1. |
|
Explanation |
An SSL VPN context was associated with a VPN instance. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_CONTEXTVPN_FAILED
|
Message text |
Failed to associate VPN instance [STRING] with context [STRING] |
|
Variable fields |
$1: VPN instance name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_CONTEXTVPN_FAILED: Failed to associate VPN instance vpn1 with context ctx1. |
|
Explanation |
Failed to associate an SSL VPN context with a VPN instance. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_CTXGATEWAY
|
Message text |
Configured gateway [STRING] [ domain [STRING] | virtual-host [STRING] ] in context [STRING]. |
|
Variable fields |
$1: SSL VPN gateway name. $2: Domain name. $3: Virtual host name. $4: SSL VPN context name. Parameters $2 and $3 cannot be both configured. This message displays parameter $2, $3, or neither, depending on the configuration. |
|
Severity level |
6 |
|
Example |
· SSLVPN/6/SSLVPN_CFG_CTXGATEWAY: Configured gateway gw domain domain1 in context ctx1. · SSLVPN/6/SSLVPN_CFG_CTXGATEWAY: Configured gateway gw virtual-host myhost1 in context ctx1. · SSLVPN/6/SSLVPN_CFG_CTXGATEWAY: Configured gateway gw in context ctx1. |
|
Explanation |
An SSL VPN context was associated with an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_CTXGATEWAY_FAILED
|
Message text |
Failed to configure gateway [STRING] [ domain [STRING] | virtual-host [STRING] ] in context [STRING] |
|
Variable fields |
$1: SSL VPN gateway name. $2: Domain name. $3: Virtual host name. $4: SSL VPN context name. Parameters $2 and $3 cannot be both configured. This message displays parameter $2, $3, or neither, depending on the configuration. |
|
Severity level |
6 |
|
Example |
· SSLVPN/6/SSLVPN_CFG_CTXGATEWAY_FAILED: Failed to configure gateway gw domain domain1 in context ctx1. · SSLVPN/6/SSLVPN_CFG_CTXGATEWAY_FAILED: Failed to configure gateway gw virtual-host myhost1 in context ctx1. · SSLVPN/6/SSLVPN_CFG_CTXGATEWAY_FAILED: Failed to configure gateway gw in context ctx1. |
|
Explanation |
Failed to associate an SSL VPN context with an SSL VPN gateway. |
|
Recommended action |
249. Make sure the SSL VPN gateway to be associated already exists. 250. Identify the number of SSL VPN gateways associated with the SSL VPN context. If the number reaches the maximum and you want to associate a new gateway, remove an existing gateway association. |
SSLVPN_CFG_DEFAULTPGROUP
|
Message text |
Configured default-policy-group [STRING] in context [STRING]. |
|
Variable fields |
$1: Policy group name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_DEFAULTPGROUP: Configured default-policy group pgroup in context ctx1. |
|
Explanation |
A policy group was specified as the default policy group in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_DEFAULTPGROUP_FAILED
|
Message text |
Failed to configure default-policy-group [STRING] in context [STRING]. |
|
Variable fields |
$1: Policy group name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_DEFAULTPGROUP_FAILED: Failed to configure default-policy-group pgroup in context ctx1. |
|
Explanation |
Failed to specify a policy group as the default policy group in an SSL VPN context. |
|
Recommended action |
Verify that a policy group exists before you specify it as the default policy group in an SSL VPN context. |
SSLVPN_CFG_DNSSERVER
|
Message text |
Specified [STRING] DNS server [STRING] in context [STRING]. |
|
Variable fields |
$1: DNS server type, primary or secondary. $2: IP address of the DNS server. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
· SSLVPN/6/SSLVPN_CFG_DNSSERVER: Specified primary DNS server 1.1.1.1 in context ctx. · SSLVPN/6/SSLVPN_CFG_DNSSERVER: Specified secondary DNS server 1.1.1.2 in context ctx. |
|
Explanation |
A DNS server was specified for IP access in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_DNSSERVER_FAILED
|
Message text |
Failed to specify [STRING] DNS server [STRING] in context [STRING] |
|
Variable fields |
$1: DNS server type, primary or secondary. $2: IP address of the DNS server. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
· SSLVPN/6/SSLVPN_CFG_DNSSERVER_FAILED: Failed to specify primary DNS server 1.1.1.1 in context ctx. · SSLVPN/6/SSLVPN_CFG_DNSSERVER_FAILED: Failed to specify secondary DNS server 1.1.1.2 in context ctx. |
|
Explanation |
Failed to specify a DNS server for IP access in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_EMOSERVER
|
Message text |
Specified EMO server address [STRING] and port [STRING] in context [STRING]. |
|
Variable fields |
$1: Host name or IPv4 address of the EMO server. $2: Port number of the EMO server. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
· SSLVPN/6/SSLVPN_CFG_EMOSERVER: Specified EMO server address 10.10.1.1 and port 9058 in context ctx1. · SSLVPN/6/SSLVPN_CFG_EMOSERVER: Specified EMO server address host and port 9058 in context ctx1. |
|
Explanation |
An EMO server was specified for mobile clients in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_EMOSERVER_FAILED
|
Message text |
Failed to specify EMO server address [STRING] and port [STRING] in context [STRING]. |
|
Variable fields |
$1: Host name or IPv4 address of the EMO server. $2: Port number of the EMO server. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
· SSLVPN/6/SSLVPN_CFG_EMOSERVER_FAILED: Failed to specify EMO server address 10.10.1.1 and port 9058 in context ctx1. · SSLVPN/6/SSLVPN_CFG_EMOSERVER_FAILED: Failed to specify EMO server address host and port 9058 in context ctx1. |
|
Explanation |
Failed to specify an EMO server for mobile clients in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_GATEWAYVPN
|
Message text |
Specify VPN instance [STRING] for gateway [STRING]. |
|
Variable fields |
$1: Name of the VPN instance to which the SSL VPN gateway belongs. $2: Name of the SSL VPN gateway. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_GATEWAYVPN: Specify VPN instance vpn1 for gateway gw1. |
|
Explanation |
A VPN instance was specified for an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_GATEWAYVPN_FAILED
|
Message text |
Failed to specify VPN instance [STRING] for gateway [STRING] |
|
Variable fields |
$1: Name of the VPN instance to which the SSL VPN gateway belongs. $2: Name of the SSL VPN gateway. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_GATEWAYVPN_FAILED: Failed to specify VPN instance vpn1 for gateway gw1. |
|
Explanation |
Failed to specify a VPN instance for an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_GWIPADDRESS
|
Message text |
Configured IP address [STRING] and port [STRING] for gateway [STRING]. |
|
Variable fields |
$1: IP address of the SSL VPN gateway. $2: Port number of the SSL VPN gateway. $3: Name of the SSL VPN gateway. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_GWIPADDRESS: Configured IP address 10.10.1.1 and port 8000 for gateway gw1. |
|
Explanation |
An IP address and port number were specified for an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_GWIPADDRESS_FAILED
|
Message text |
Failed to configure IP address [STRING] and port [STRING] for gateway [STRING] |
|
Variable fields |
$1: IP address of the SSL VPN gateway. $2: Port number of the SSL VPN gateway. $3: Name of the SSL VPN gateway. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_GWIPADDRESS_FAILED: Failed to configure IP address 10.10.1.1 and port 8000 for gateway gw1. |
|
Explanation |
Failed to specify the IP address and port number for an SSL VPN gateway. |
|
Recommended action |
251. Verify that the IP address specified for the SSL VPN gateway is not used by another gateway. 252. Verify that the port specified for the SSL VPN gateway is different from the HTTP-redirect port. |
SSLVPN_CFG_GWIPV6ADDRESS
|
Message text |
Configured IPv6 address [STRING] and port [STRING] for gateway [STRING]. |
|
Variable fields |
$1: IPv6 address of the SSL VPN gateway. $2: Port number of the SSL VPN gateway. $3: Name of the SSL VPN gateway. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_GWIPV6ADDRESS: Configured IPv6 address 1::1 and port 1027 for gateway gw1. |
|
Explanation |
An IPv6 address and port number were specified for an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_GWIPV6ADDRESS_FAILED
|
Message text |
Failed to configure IPv6 address [STRING] and port [STRING] for gateway [STRING]. |
|
Variable fields |
$1: IPv6 address of the SSL VPN gateway. $2: Port number of the SSL VPN gateway. $3: Name of the SSL VPN gateway. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_GWIPV6ADDRESS_FAILED: Failed to configure IPv6 address 1::1 and port 1027 for gateway gw1. |
|
Explanation |
Failed to specify the IPv6 address and port number for an SSL VPN gateway. |
|
Recommended action |
253. Verify that the IP address specified for the SSL VPN gateway is not used by another gateway. 254. Verify that the port specified for the SSL VPN gateway is different from the HTTP-redirect port. |
SSLVPN_CFG_HTTPREDIRECT
|
Message text |
Configured HTTP-redirect port [STRING] in gateway [STRING]. |
|
Variable fields |
$1: HTTP redirection port number. $2: SSL VPN gateway name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_HTTPREDIRECT: Configured HTTP-redirect port 8000 in gateway gw. |
|
Explanation |
HTTP redirection was enabled. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_HTTPREDIRECT_FAILED
|
Message text |
Failed to configure HTTP-redirect port [STRING] in gateway [STRING] |
|
Variable fields |
$1: HTTP port number. $2: SSL VPN gateway name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_HTTPREDIRECT_FAILED: Failed to configure HTTP-redirect port 8000 in gateway gw. |
|
Explanation |
Failed to enable HTTP redirection for a port on an SSL VPN gateway. |
|
Recommended action |
Verify that the specified HTTP port number is not used by other redirection services. |
SSLVPN_CFG_IMCADDRESS
|
Message text |
Configured the IP address [STRING], port number [STRING], and VPN instance [STRING] of the iMC server in context [STRING]. |
|
Variable fields |
$1: IP address of the IMC server for SMS message authentication. $2: Port number of the IMC server. $3: VPN instance to which the IMC server belongs. $4: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_IMCADDRESS: Configured the IP address 10.10.1.1 and port number 8080 and VPN instance vpn1 of the iMC server in context ctx1. |
|
Explanation |
An IMC server for SMS message authentication was configured in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_IMCADDRESS_FAILED
|
Message text |
Failed to configure the IP address [STRING], port number [STRING], and VPN instance [STRING] of the IMC server in context [STRING]. |
|
Variable fields |
$1: IP address of the IMC server for SMS message authentication. $2: Port number of the IMC server for SMS message authentication. $3: VPN instance to which the IMC server belongs. $4: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_IMCADDRESS_FAILED: Failed to configure the IP address 10.10.1.1 and port number 8080 and VPN instance vpn1 of the IMC server in context ctx1. |
|
Explanation |
Failed to configure an IMC server for SMS message authentication in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_IPTUNNEL_WEBRESOURCE_AUTOPUSH
|
Message text |
Enabled automatic pushing of Web resources after IP access client login in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_IPTUNNEL_WEBRESOURCE_AUTOPUSH: Enabled automatic pushing of Web resources after IP access client login in context ctx. |
|
Explanation |
Enabled automatic webpage pushing of accessible resources after IP access client login in an SSL VPN context.. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_IPTUNNEL_WEBRESOURCE_AUTOPUSH_FAILED
|
Message text |
Failed to enable automatic pushing of Web resources after IP access client login in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_IPTUNNEL_WEBRESOURCE_AUTOPUSH_FAILED: Failed to enable automatic pushing of Web resources after IP access client login in context ctx. |
|
Explanation |
Failed to enable automatic webpage pushing of accessible resources after IP access client login in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_IPTUNNELPOOL
|
Message text |
Specified address-pool [STRING] mask [STRING] in context [STRING]. |
|
Variable fields |
$1: Name of the address pool. $2: Mask length or mask of the address pool. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_IPTUNNELPOOL: Specified address-pool pool1 mask 255.255.255.0 in context ctx. |
|
Explanation |
An address pool for IP access was specified in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_IPTUNNELPOOL_FAILED
|
Message text |
Failed to specify address-pool [STRING] mask [STRING] in context [STRING] |
|
Variable fields |
$1: Name of the address pool. $2: Mask length or mask of the address pool. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_IPTUNNELPOOL_FAILED: Failed to specify address-pool pool1 mask 255.255.255.0 in context ctx. |
|
Explanation |
Failed to specify an address pool for IP address in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_KEEPALIVE
|
Message text |
Configured IP Tunnel keepalive interval [STRING] seconds in context [STRING]. |
|
Variable fields |
$1: Keepalive interval in seconds. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_KEEPALIVE: Configured IP Tunnel keepalive interval 50 seconds in context ctx. |
|
Explanation |
The keepalive interval for IP access was set in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_KEEPALIVE_FAILED
|
Message text |
Failed to configure IP Tunnel keepalive interval [STRING] seconds in context [STRING] |
|
Variable fields |
$1: Keepalive interval in seconds. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_KEEPALIVE_FAILED: Failed to configure IP Tunnel keepalive interval 50 seconds in context ctx. |
|
Explanation |
Failed to set the keepalive interval for IP access in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_LOCALPORT
|
Message text |
Configured port forwarding instance local-port [STRING] local-name [STRING] remote-server [STRING] remote-port [STRING] [STRING] for port forwarding item [STRING] in context [STRING]. |
|
Variable fields |
$1: Local port number. $2: Local address or local host name. $3: IP address or domain name of a TCP service on an internal server. $4: Port number of the TCP service. $5: Description of the port forwarding instance. This field is not displayed if no description is configured. $6: Name of the port forwarding item for which the port forwarding instance is configured. $7: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
· SSLVPN/6/SSLVPN_CFG_LOCALPORT: Configured port forwarding instance local-port 80 local-name 127.0.0.1 remote-server 192.168.20.35 remote-port 80 for port forwarding item pfitem1 in context ctx. · SSLVPN/6/SSLVPN_CFG_LOCALPORT: Configured port forwarding instance local-port 80 local-name 127.0.0.1 remote-server 192.168.20.35 remote-port 80 description http for port forwarding item pfitem1 in context ctx. |
|
Explanation |
A port forwarding instance was configured for a port forwarding item. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_LOCALPORT_FAILED
|
Message text |
Failed to configure port forwarding instance local-port [STRING] local-name [STRING] remote-server [STRING] remote-port [STRING] [STRING] for port forwarding item [STRING] in context [STRING] |
|
Variable fields |
$1: Local port number. $2: Local address or local host name. $3: IP address or domain name of a TCP service on an internal server. $4: Port number of the TCP service $5: Description of the port forwarding instance. This field is not displayed if no description is configured. $6: Name of the port forwarding item for which the port forwarding instance is configured. $7: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
· SSLVPN/6/SSLVPN_CFG_LOCALPORT_FAILED: Failed to configure port forwarding instance local-port 80 local-name 127.0.0.1 remote-server 192.168.20.34 remote-port 80 for port forwarding item pfitem1 in context ctx. · SSLVPN/6/SSLVPN_CFG_LOCALPORT_FAILED: Failed to configure port forwarding instance local-port 80 local-name 127.0.0.1 remote-server 192.168.20.34 remote-port 80 description http for port forwarding item pfitemt1 in context ctx. |
|
Explanation |
Failed to configure a port forwarding instance for a port forwarding item. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_LOGINMESSAGE
|
Message text |
Configured SSL VPN [STRING] login message [STRING] in context [STRING]. |
|
Variable fields |
$1: Language used on the login page, English or Chinese. $2: Welcome message on the login page. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_LOGINMESSAGE: Configured SSL VPN English login message Welcome in context ctx1. |
|
Explanation |
A login welcome message was configured in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_LOGINMESSAGE_FAILED
|
Message text |
Failed to configure SSL VPN [STRING] login message [STRING] in context [STRING] |
|
Variable fields |
$1: Language used on the login page, English or Chinese. $2: Login welcome message on the login page. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_LOGINMESSAGE_FAILED: Failed to configure SSL VPN English login message Welcome in context ctx1. |
|
Explanation |
Failed to configure the login welcome message in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_LOGO
|
Message text |
Configured SSL VPN logo [STRING] [STRING] in context [STRING]. |
|
Variable fields |
$1: If a logo is configured, this field displays file. If no logo is configured, this field displays none. $2: Log file name. This field is not displayed if the $1 field displays none. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
· SSLVPN/6/SSLVPN_CFG_LOGO: Configured SSL VPN logo file 1.jpg in context ctx1. · SSLVPN/6/SSLVPN_CFG_LOGO: Configured SSL VPN logo none in context ctx1. |
|
Explanation |
A logo to be displayed on SSL VPN webpages was specified. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_LOGO_FAILED
|
Message text |
Failed to configure SSL VPN logo [STRING] [STRING] in context [STRING] |
|
Variable fields |
$1: If a logo is configured, this field displays file. If no logo is configured, this field displays none. $2: Log file name. This field is not displayed if $1 displays none. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
· SSLVPN/6/SSLVPN_CFG_LOGO_FAILED: Failed to configure SSL VPN logo file 1.jpg in context ctx1. · SSLVPN/6/SSLVPN_CFG_LOGO_FAILED: Failed to configure SSL VPN logo none in context ctx1. |
|
Explanation |
Failed to specify a logo to be displayed on SSL VPN webpages. |
|
Recommended action |
Verify that the size of the logo file does not exceed the maximum file size limit. |
SSLVPN_CFG_MAXONLINES
|
Message text |
Set the maximum number of concurrent connections to [STRING] for each SSL VPN user in context [STRING]. |
|
Variable fields |
$1: Maximum number of concurrent connections for each SSL VPN user. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_MAXONLINES: Set the maximum number of concurrent connections to 50 for each SSL VPN user in context ctx1. |
|
Explanation |
The maximum number of concurrent connections for each SSL VPN user was set in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_MAXONLINES_FAILED
|
Message text |
Failed to set maximum number of concurrent connections to [STRING] for each SSL VPN user in context [STRING]. |
|
Variable fields |
$1: Maximum concurrent connections for each SSL VPN user. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_MAXONLINES_FAILED: Failed to set maximum number of concurrent connections to 50 for each SSL VPN user in context ctx1. |
|
Explanation |
Failed to set the maximum number of concurrent connections for each SSL VPN user in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_MAXUSERS
|
Message text |
Set the maximum number of sessions to [STRING] in context [STRING]. |
|
Variable fields |
$1: Maximum number of sessions supported in an SSL VPN context. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_MAXUSERS: Set the maximum number of sessions to 500 in context ctx1. |
|
Explanation |
The maximum number of supported sessions was set in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_MAXUSERS_FAILED
|
Message text |
Failed to set maximum number of sessions to [STRING] in context [STRING] |
|
Variable fields |
$1: Maximum number of sessions supported in an SSL VPN context. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_MAXUSERS_FAILED: Failed to set maximum number of sessions to 500 in context ctx1. |
|
Explanation |
Failed to set the maximum number of supported sessions in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_MSGSERVER
|
Message text |
Specified message server address [STRING] and port [STRING] in context [STRING]. |
|
Variable fields |
$1: Host name or IPv4 address of the message server. $2: Port number of the message server. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
· SSLVPN/6/SSLVPN_CFG_MSGSERVER: Specified message server address 10.10.1.1 and port 8000 in context ctx1. · SSLVPN/6/SSLVPN_CFG_MSGSERVER: Specified message server address host and port 8000 in context ctx1. |
|
Explanation |
A message server was specified for mobile clients in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_MSGSERVER_FAILED
|
Message text |
Failed to specify message server address [STRING] and port [STRING] in context [STRING] |
|
Variable fields |
$1: Host name or IPv4 address of the message server. $2: Port number of the message server. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
· SSLVPN/6/SSLVPN_CFG_MSGSERVER_FAILED: Failed to specify message server address 10.10.1.1 and port 8000 in context ctx1. · SSLVPN/6/SSLVPN_CFG_MSGSERVER_FAILED: Failed to specify message server address host and port 8000 in context ctx1. |
|
Explanation |
Failed to specify a message server for mobile clients in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_PFWDEXECUTION
|
Message text |
Configured script [STRING] for port forwarding item [STRING] in context [STRING]. |
|
Variable fields |
$1: Script of the resource for a port forwarding item. $2: Port forwarding item name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_PFWDEXECUTION: Configured script url('http://127.0.0.1') for port forwarding item pfitem1 in context ctx. |
|
Explanation |
A resource was configured for a port forwarding item. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_PFWDEXECUTION_FAILED
|
Message text |
Failed to configure script [STRING] for port forwarding item [STRING] in context [STRING]. |
|
Variable fields |
$1: Script of the resource for a port forwarding item. $2: Port forwarding item name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_PFWDEXECUTION_FAILED: Failed to configure script url('http://127.0.0.1') for port forwarding item pfitem1 in context ctx. |
|
Explanation |
Failed to configure a resource path for a port forwarding item. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_SCUTDESCRIPTION
|
Message text |
Configured description [STRING] for shortcut [STRING] in context [STRING]. |
|
Variable fields |
$1: Description of a shortcut. $2: Shortcut name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_SCUTDESCRIPTION: Configured description shortcut shortcut1 for shortcut shortcut1 in context ctx. |
|
Explanation |
A description was configured for a shortcut. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_SCUTDESCRIPTION_FAILED
|
Message text |
Failed to configure description [STRING] for shortcut [STRING] in context [STRING]. |
|
Variable fields |
$1: Description of a shortcut. $2: Shortcut name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_SCUTDESCRIPTION_FAILED: Failed to configure description shortcut shortcut1 for shortcut shortcut1 in context ctx. |
|
Explanation |
Failed to configure a description for a shortcut. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_SCUTEXECUTION
|
Message text |
Configured script [STRING] for shortcut [STRING] in context [STRING]. |
|
Variable fields |
$1: Script of the resource associated with a shortcut. $2: Shortcut name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_SCUTEXECUTION: Configured script url('http://10.0.0.1') for shortcut shortcut1 in context ctx. |
|
Explanation |
A resource was associated with a shortcut. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_SCUTEXECUTION_FAILED
|
Message text |
Failed to configure script [STRING] for shortcut [STRING] in context [STRING]. |
|
Variable fields |
$1: Script of the resource associated with a shortcut. $2: Shortcut name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_SCUTEXECUTION_FAILED: Failed to configure script url('http://10.0.0.1') for shortcut shortcut1 in context ctx. |
|
Explanation |
Failed to associate a resource with a shortcut. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_SSLCLIENT
|
Message text |
Specified SSL client policy [STRING] for context [STRING]. |
|
Variable fields |
$1: SSL client policy name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_SSLCLIENT: Specified SSL client policy ssl for context ctx1. |
|
Explanation |
An SSL client policy was specified for an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_SSLCLIENT_FAILED
|
Message text |
Failed to specify SSL client policy [STRING] for context [STRING]. |
|
Variable fields |
$1: SSL client policy name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_SSLCLIENT_FAILED: Failed to specify SSL client policy ssl for context ctx1. |
|
Explanation |
Failed to specify an SSL client policy for an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_SSLSERVER
|
Message text |
Specified SSL server policy [STRING] for gateway [STRING]. |
|
Variable fields |
$1: SSL server policy name. $2: Name of the SSL VPN gateway. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_SSLSERVER: Specified SSL server policy ssl for gateway gw1. |
|
Explanation |
An SSL server policy was specified for an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_SSLSERVER_FAILED
|
Message text |
Failed to specify SSL server policy [STRING] for gateway [STRING] |
|
Variable fields |
$1: SSL server policy name. $2: Name of the SSL VPN gateway. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_SSLSERVER_FAILED: Failed to specify SSL server policy ssl for gateway gw1. |
|
Explanation |
Failed to specify an SSL server policy for an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_TIMEOUTIDLE
|
Message text |
Configured session idle timeout to [STRING] minutes in context [STRING]. |
|
Variable fields |
$1: Idle timeout timer for SSL VPN sessions. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_TIMEOUTIDLE: Configured session idle timeout to 50 minutes in context ctx1. |
|
Explanation |
The idle timeout timer for SSL VPN sessions was set in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_TIMEOUTIDLE_FAILED
|
Message text |
Failed to configure session idle timeout to [STRING] minutes in context [STRING] |
|
Variable fields |
$1: Idle timeout timer for SSL VPN sessions. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_TIMEOUTIDLE_FAILED: Failed to configure session idle timeout to 50 minutes in context ctx1. |
|
Explanation |
Failed to set the idle timeout timer for SSL VPN sessions in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_TITLE
|
Message text |
Configured SSL VPN page [STRING] title [STRING] in context [STRING]. |
|
Variable fields |
$1: Language used on the login page, English or Chinese. $2: Title displayed on SSL VPN webpages. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_TITLE: Configured SSL VPN page English title Mytitle in context ctx1. |
|
Explanation |
The title to be displayed on SSL VPN webpages was configured in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_TITLE_FAILED
|
Message text |
Failed to configure SSL VPN page [STRING] title [STRING] in context [STRING] |
|
Variable fields |
$1: Language used on the login page, English or Chinese. $2: Title displayed on SSL VPN webpages. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_TITLE_FAILED: Failed to configure SSL VPN page English title Mytitle in context ctx1. |
|
Explanation |
Failed to configure the title to be displayed on SSL VPN webpages in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_TRAFFICTHRESHOLD
|
Message text |
Set the idle-cut traffic threshold to [STRING] Kilobytes in context [STRING]. |
|
Variable fields |
$1: Idle-cut traffic threshold value. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_TRAFFICTHRESHOLD: Set the idle-cut traffic threshold to 100 Kilobytes in context ctx1. |
|
Explanation |
The SSL VPN session idle-cut traffic threshold was set in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_TRAFFICTHRESHOLD_FAILED
|
Message text |
Failed to set the idle-cut traffic threshold to [STRING] Kilobytes in context [STRING]. |
|
Variable fields |
$1: Idle-cut traffic threshold value. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_TRAFFICTHRESHOLD_FAILED: Failed to set the idle-cut traffic threshold to 100 Kilobytes in context ctx1. |
|
Explanation |
Failed to set the SSL VPN session idle-cut traffic threshold in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_URLLISTHEAD
|
Message text |
Configured heading [STRING] for URL-list [STRING] in context [STRING]. |
|
Variable fields |
$1: URL list heading name. $2: URL list name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_URLLISTHEAD: Configured heading urlhead for URL-list urllist in context ctx1. |
|
Explanation |
A heading was configured for a URL list. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_URLLISTHEAD_FAILED
|
Message text |
Failed to configure heading [STRING] for URL-list [STRING] in context [STRING] |
|
Variable fields |
$1: URL list heading name. $2: URL list name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_URLLISTHEAD_FAILED: Failed to configure heading urlhead for URL-list urllist in context ctx1. |
|
Explanation |
Failed to configure a heading for a URL list. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_WEBACCESS_IPCLIENT_AUTOACTIVE
|
Message text |
Enabled automatic IP access client startup after Web login in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_WEBACCESS_IPCLIENT_AUTOACTIVE: Enabled automatic IP access client startup after Web login in context ctx. |
|
Explanation |
Enabled automatic IP access client startup after Web login in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_WEBACCESS_IPCLIENT_AUTOACTIVE_FAILED
|
Message text |
Failed to enable automatic IP access client startup after Web login in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CFG_WEBACCESS_IPCLIENT_AUTOACTIVE_FAILED: Failed to enable automatic IP access client startup after Web login in context ctx. |
|
Explanation |
Failed to enable automatic IP access client startup after Web login in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_WINSSERVER
|
Message text |
Specified [STRING] WINS server [STRING] in context [STRING]. |
|
Variable fields |
$1: WINS server type, primary or secondary. $2: IPv4 address of the WINS server. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
· SSLVPN/6/SSLVPN_CFG_WINSSERVER: Specified primary WINS server primary 1.1.1.1 in context ctx. · SSLVPN/6/SSLVPN_CFG_WINSSERVER: Specified secondary WINS server secondary 1.1.1.2 in context ctx. |
|
Explanation |
A WIN server for IP access was specified in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CFG_WINSSERVER_FAILED
|
Message text |
Failed to specify [STRING] WINS server [STRING] in context [STRING] |
|
Variable fields |
$1: WINS server type, primary or secondary. $2: IPv4 address of the WINS server. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
· SSLVPN/6/SSLVPN_CFG_WINSSERVER_FAILED: Failed to specify primary WINS server 1.1.1.1 in context ctx. · SSLVPN/6/SSLVPN_CFG_WINSSERVER_FAILED: Failed to specify secondary WINS server 1.1.1.2 in context ctx. |
|
Explanation |
Failed to specify a WINS server for IP access in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_AAADOMAIN
|
Message text |
Deleted the AAA domain specified for context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_AAADOMAIN: Deleted the AAA domain specified for context ctx1. |
|
Explanation |
The ISP domain configuration was removed from an SSL VPN context. The SSL VPN context will use the default ISP domain for authentication, authorization, and accounting of SSL VPN users. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_AAADOMAIN_FAILED
|
Message text |
Failed to delete the AAA domain specified for context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_AAADOMAIN_FAILED: Failed to delete the AAA domain specified for context ctx1. |
|
Explanation |
Failed to remove the ISP domain configuration from an SSL VPN context. The SSL VPN context still uses the specified ISP domain for authentication, authorization, and accounting of SSL VPN users. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_AUTHENTICATIONUSE
|
Message text |
Configured authentication use all in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_AUTHENTICATIONUSE: Configured authentication use all in context 2. |
|
Explanation |
The authentication mode of an SSL VPN context was set to all. A user must pass all enabled authentication methods to log in to the SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_AUTHENTICATIONUSE_FAILED
|
Message text |
Failed to configure authentication use all in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_AUTHENTICATIONUSE_FAILED: Failed to configure authentication use all in context 2. |
|
Explanation |
Failed to specify the authentication mode of an SSL VPN context as all, which indicates that a user must pass all enabled authentication methods to log in to the SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_BINDIP
|
Message text |
Deleted IP address binding configuration for user [STRING] in context [STRING]. |
|
Variable fields |
$1: SSL VPN username. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_BINDIP: Deleted IP address binding configuration for user user1 in context ctx1. |
|
Explanation |
The IP address binding configuration was deleted for an SSL VPN user. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_BINDIP_FAILED
|
Message text |
Failed to delete IP address binding configuration for user [STRING] in context [STRING]. |
|
Variable fields |
$1: SSL VPN username. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_BINDIP_FAILED: Failed to delete IP address binding configuration for user user1 in context ctx1. |
|
Explanation |
Failed to delete the IP address binding configuration for an SSL VPN user. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_CONTEXT_USERMAXIMUM
|
Message text |
Deleted the maximum number of SSL VPN users in context [UINT32]. |
|
Variable fields |
$1: Context ID. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_CONTEXT_USERMAXIMUM: Deleted the maximum number of SSL VPN users in context 2. |
|
Explanation |
The maximum number of SSL VPN users configuration was removed from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_CONTEXT_USERMAXIMUM_FAILED
|
Message text |
Failed to delete the maximum number of SSL VPN users in context [UINT32]. |
|
Variable fields |
$1: Context ID. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_CONTEXT_USERMAXIMUM_FAILED: Failed to delete the maximum number of SSL VPN users in context 2. |
|
Explanation |
Failed to remove the maximum number of SSL VPN users configuration from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_CONTEXTVPN
|
Message text |
Deleted the associated VPN instance in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_CONTEXTVPN: Deleted the associated VPN instance in context ctx1. |
|
Explanation |
The association between an SSL VPN context and a VPN instance was removed. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_CONTEXTVPN_FAILED
|
Message text |
Failed to delete the associated VPN instance in context [STRING] |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_CONTEXTVPN_FAILED: Failed to delete the associated VPN instance in context ctx1. |
|
Explanation |
Failed to remove the association between an SSL VPN context and a VPN instance. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_CTXGATEWAY
|
Message text |
Deleted gateway in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_CTXGATEWAY: Deleted gateway in context ctx1. |
|
Explanation |
An SSL VPN gateway was deleted. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_CTXGATEWAY_FAILED
|
Message text |
Failed to delete gateway in context [STRING] |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_CTXGATEWAY_FAILED: Failed to delete gateway in context ctx1. |
|
Explanation |
Failed to delete an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_DEFAULT_PGROUP
|
Message text |
Deleted default-policy-group in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_DEFAULT_PGROUP: Deleted default-policy-group in context ctx1. |
|
Explanation |
The default policy group configuration was removed from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_DEFAULT_PGROUP_FAILED
|
Message text |
Failed to delete default-policy-group in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_DEFAULT_PGROUP_FAILED: Failed to delete default-policy-group in context ctx1. |
|
Explanation |
Failed to remove the default policy group configuration from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_DNSSERVER
|
Message text |
Deleted [STRING] DNS server in context [STRING]. |
|
Variable fields |
$1: DNS server type, primary or secondary. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
· SSLVPN/6/SSLVPN_CLR_DNSSERVER: Deleted primary DNS server in context ctx. · SSLVPN/6/SSLVPN_CLR_DNSSERVER: Deleted secondary DNS server in context ctx. |
|
Explanation |
The DNS server configuration was removed from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_DNSSERVER_FAILED
|
Message text |
Failed to delete [STRING] DNS server in context [STRING] |
|
Variable fields |
$1: DNS server type, primary or secondary. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
· SSLVPN/6/SSLVPN_CLR_DNSSERVER_FAILED: Failed to delete primary DNS server in context ctx. · SSLVPN/6/SSLVPN_CLR_DNSSERVER_FAILED: Failed to delete secondary DNS server in context ctx. |
|
Explanation |
Failed to remove the DNS server configuration from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_EMOSERVER
|
Message text |
Deleted EMO server in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_EMOSERVER: Deleted emo-server in context ctx1. |
|
Explanation |
The Endpoint Mobile Office (EMO) server configuration was removed from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_EMOSERVER_FAILED
|
Message text |
Failed to delete EMO server in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_EMOSERVER_FAILED: Failed to delete EMO server in context ctx1. |
|
Explanation |
Failed to remove the Endpoint Mobile Office (EMO) server configuration from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_GATEWAYVPN
|
Message text |
Deleted VPN instance for gateway [STRING]. |
|
Variable fields |
$1: SSL VPN gateway name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_GATEWAYVPN: Deleted VPN instance for gateway gw1. |
|
Explanation |
The VPN instance configuration was removed for an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_GATEWAYVPN_FAILED
|
Message text |
Failed to delete VPN instance for gateway [STRING]. |
|
Variable fields |
$1: SSL VPN gateway name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_GATEWAYVPN_FAILED: Failed to delete VPN instance for gateway gw1. |
|
Explanation |
Failed to remove the VPN instance configuration for an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_GWIPADDRESS
|
Message text |
Deleted IP address of gateway [STRING]. |
|
Variable fields |
$1: SSL VPN gateway name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_GWIPADDRESS: Deleted IP address of gateway gw1. |
|
Explanation |
The IP address of an SSL VPN gateway was deleted. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_GWIPADDRESS_FAILED
|
Message text |
Failed to delete IP address of gateway [STRING] |
|
Variable fields |
$1: SSL VPN gateway name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_GWIPADDRESS_FAILED: Failed to delete IP address of gateway gw1. |
|
Explanation |
Failed to delete the IP address of an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_GWIPV6ADDRESS
|
Message text |
Deleted IPv6 address of gateway [STRING]. |
|
Variable fields |
$1: SSL VPN gateway name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_GWIPV6ADDRESS: Deleted IPv6 address of gateway gw1. |
|
Explanation |
The IPv6 address of an SSL VPN gateway was deleted. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_GWIPV6ADDRESS_FAILED
|
Message text |
Failed to delete IPv6 address of gateway [STRING] |
|
Variable fields |
$1: SSL VPN gateway name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_GWIPV6ADDRESS_FAILED: Failed to delete IPv6 address of gateway gw1. |
|
Explanation |
Failed to delete the IPv6 address of an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_HTTPREDIRECT
|
Message text |
Disabled HTTP-redirect in gateway [STRING]. |
|
Variable fields |
$1: SSL VPN gateway name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_HTTPREDIRECT: Disabled HTTP-redirect in gateway gw. |
|
Explanation |
HTTP redirection was disabled for an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_HTTPREDIRECT_FAILED
|
Message text |
Failed to disable HTTP-redirect in gateway [STRING] |
|
Variable fields |
$1: SSL VPN gateway name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_HTTPREDIRECT_FAILED: Failed to disable HTTP-redirect in gateway gw. |
|
Explanation |
Failed to disable HTTP redirection for an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_IMCADDRESS
|
Message text |
Deleted the IP address of the IMC server in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_IMCADDRESS: Deleted the IP address of the IMC server in context ctx1. |
|
Explanation |
The IMC server configuration for SMS message authentication was removed from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_IMCADDRESS_FAILED
|
Message text |
Failed to delete the IP address of the IMC server in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_IMCADDRESS_FAILED: Failed to delete the IP address of the IMC server in context ctx1. |
|
Explanation |
Failed to remove the IMC server configuration for SMS message authentication from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_IPTUNNEL_WEBRESOURCE_AUTOPUSH
|
Message text |
Disabled automatic pushing of Web resources after IP access client login in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_IPTUNNEL_WEBRESOURCE_AUTOPUSH: Disabled automatic pushing of Web resources after IP access client login in context ctx. |
|
Explanation |
Disabled automatic webpage pushing of accessible resources after IP access client login in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_IPTUNNEL_WEBRESOURCE_AUTOPUSH_FAILED
|
Message text |
Failed to disable automatic pushing of Web resources after IP access client login in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_IPTUNNEL_WEBRESOURCE_AUTOPUSH_FAILED: Failed to disable automatic pushing of Web resources after IP access client login in context ctx. |
|
Explanation |
Failed to disable automatic webpage pushing of accessible resources after IP access client login in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_IPTUNNELPOOL
|
Message text |
Deleted address-pool in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_IPTUNNELPOOL: Deleted address-pool in context ctx. |
|
Explanation |
The IP access address pool configuration was removed from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_IPTUNNELPOOL_FAILED
|
Message text |
Failed to delete address-pool in context [STRING] |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_IPTUNNELPOOL_FAILED: Failed to delete address-pool in context ctx. |
|
Explanation |
Failed to remove the IP access address pool configuration from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_LOCALPORT
|
Message text |
Deleted the port forwarding instance used by port forwarding item [STRING] in context [STRING]. |
|
Variable fields |
$1: Port forwarding item name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_LOCALPORT: Deleted the port forwarding instance used by port forwarding item pfitem1 in context ctx. |
|
Explanation |
The port forwarding instance used by a port forwarding item was deleted. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_LOCALPORT_FAILED
|
Message text |
Failed to delete the port forwarding instance used by port forwarding item [STRING] in context [STRING] |
|
Variable fields |
$1: Port forwarding item name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_LOCALPORT_FAILED: Failed to delete the port forwarding instance used by port forwarding item pfitem1 in context ctx. |
|
Explanation |
Failed to delete the port forwarding instance used by a port forwarding item. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_LOGO
|
Message text |
Configured SSL VPN logo H3C in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_LOGO: Configured SSL VPN logo H3C in context ctx1. |
|
Explanation |
The logo to be displayed on SSL VPN webpages was set to H3C. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_LOGO_FAILED
|
Message text |
Failed to configure SSL VPN logo H3C in context [STRING] |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_LOGO_FAILED: Failed to configure SSL VPN logo H3C in context ctx1. |
|
Explanation |
Failed to set the logo to be displayed on SSL VPN webpages to H3C. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_MSGSERVER
|
Message text |
Deleted message server in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_MSGSERVER: Deleted message server in context ctx1. |
|
Explanation |
The message server configuration was removed from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_MSGSERVER_FAILED
|
Message text |
Failed to delete message server in context [STRING] |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_MSGSERVER_FAILED: Failed to delete message server in context ctx1. |
|
Explanation |
Failed to remove the message server configuration from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_PFWDEXECUTION
|
Message text |
Deleted the script for port forwarding item [STRING] in context [STRING]. |
|
Variable fields |
$1: Port forwarding item name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_PFWDEXECUTION: Deleted the script for port forwarding item pfitem1 in context ctx. |
|
Explanation |
The resource specified for a port forwarding item was deleted. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_PFWDEXECUTION_FAILED
|
Message text |
Failed to delete the script for port forwarding item [STRING] in context [STRING]. |
|
Variable fields |
$1: Port forwarding item name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_PFWDEXECUTION_FAILED: Failed to delete the script for port forwarding item pfitem1 in context ctx. |
|
Explanation |
Failed to delete the resource specified for a port forwarding item. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_SCUTDESCRIPTION
|
Message text |
Deleted the description for shortcut [STRING] in context [STRING]. |
|
Variable fields |
$1: Shortcut name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_SCUTDESCRIPTION: Deleted the description for shortcut shortcut1 in context ctx. |
|
Explanation |
The description configured for shortcut was deleted. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_SCUTDESCRIPTION_FAILED
|
Message text |
Failed to delete the description for shortcut [STRING] in context [STRING]. |
|
Variable fields |
$1: Shortcut name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_SCUTDESCRIPTION_FAILED: Failed to delete the description for shortcut shortcut1 in context ctx. |
|
Explanation |
Failed to delete the description configured for a shortcut. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_SCUTEXECUTION
|
Message text |
Deleted the script for shortcut [STRING] in context [STRING]. |
|
Variable fields |
$1: Shortcut name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_SCUTEXECUTION: Deleted the script for shortcut shortcut1 in context ctx. |
|
Explanation |
The association between a resource and a shortcut was deleted. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_SCUTEXECUTION_FAILED
|
Message text |
Failed to delete the script for shortcut [STRING] in context [STRING]. |
|
Variable fields |
$1: Shortcut name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_SCUTEXECUTION_FAILED: Failed to delete the script for shortcut shortcut1 in context ctx. |
|
Explanation |
Failed to delete the association between a resource and a shortcut. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_SSLCLIENT
|
Message text |
Deleted the SSL client policy specified for context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_SSLCLIENT: Deleted the SSL client policy specified for context ctx1. |
|
Explanation |
The SSL client policy configuration was removed from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_SSLCLIENT_FAILED
|
Message text |
Failed to delete SSL client policy for context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_SSLCLIENT_FAILED: Failed to delete SSL client policy for context ctx1. |
|
Explanation |
Failed to remove the SSL client policy configuration from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_SSLSERVER
|
Message text |
Deleted the SSL server policy specified for gateway [STRING]. |
|
Variable fields |
$1: SSL VPN gateway name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_SSLSERVER: Deleted the SSL server policy specified for gateway gw1. |
|
Explanation |
The SSL server policy configuration was removed for an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_SSLSERVER_FAILED
|
Message text |
Failed to delete SSL server policy for gateway [STRING] |
|
Variable fields |
$1: SSL VPN gateway name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_SSLSERVER_FAILED: Failed to delete SSL server policy for gateway gw1. |
|
Explanation |
Failed to remove the SSL server policy configuration for an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_TRAFFICTHRESHOLD
|
Message text |
Deleted the idle-cut traffic threshold in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_TRAFFICTHRESHOLD: Deleted the idle-cut traffic threshold in context ctx1. |
|
Explanation |
Removed the SSL VPN session idle-cut traffic threshold setting in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_TRAFFICTHRESHOLD_FAILED
|
Message text |
Failed to delete the idle-cut traffic threshold in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_TRAFFICTHRESHOLD_FAILED: Failed to delete the idle-cut traffic threshold in context ctx1. |
|
Explanation |
Failed to remove the SSL VPN session idle-cut traffic threshold setting in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_WEBACCESS_IPCLIENT_AUTOACTIVE
|
Message text |
Disabled automatic IP access client startup after Web login in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_WEBACCESS_IPCLIENT_AUTOACTIVE: Disabled automatic IP access client startup after Web login in context ctx. |
|
Explanation |
Disabled automatic IP access client startup after Web login in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_WEBACCESS_IPCLIENT_AUTOACTIVE_FAILED
|
Message text |
Failed to disable automatic IP access client startup after Web login in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_CLR_WEBACCESS_IPCLIENT_AUTOACTIVE_FAILED: Failed to disable automatic IP access client startup after Web login in context ctx. |
|
Explanation |
Failed to disable automatic IP access client startup after Web login in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_WINSSERVER
|
Message text |
Deleted [STRING] WINS server in context [STRING]. |
|
Variable fields |
$1: WINS server type, primary or secondary. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
· SSLVPN/6/SSLVPN_CLR_WINSSERVER: Deleted primary WINS server 1.1.1.1 in context ctx. · SSLVPN/6/SSLVPN_CLR_WINSSERVER: Deleted secondary WINS server 1.1.1.2 in context ctx. |
|
Explanation |
The WINS server configuration was removed from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_CLR_WINSSERVER_FAILED
|
Message text |
Failed to delete [STRING] WINS server in context [STRING] |
|
Variable fields |
$1: WINS server type, primary or secondary. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
· SSLVPN/6/SSLVPN_CLR_WINSSERVER_FAILED: Failed to delete primary WINS server 1.1.1.1 in context ctx. · SSLVPN/6/SSLVPN_CLR_WINSSERVER_FAILED: Failed to delete secondary WINS server 1.1.1.2 in context ctx. |
|
Explanation |
Failed to remove the WINS server configuration from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_CONTENT_TYPE
|
Message text |
Deleted the content type configuration for file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: File policy name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_CONTENT_TYPE: Deleted the content type configuration for file policy fp1 in context ctx1. |
|
Explanation |
The content type configuration was deleted for a file policy. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_CONTENT_TYPE_FAILED
|
Message text |
Failed to delete the content type configuration for file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: File policy name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_CONTENT_TYPE_FAILED: Failed to delete the content type configuration for file policy fp1 in context ctx1. |
|
Explanation |
Failed to delete the content type configuration for a file policy. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_CONTEXT
|
Message text |
Deleted SSL VPN context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_CONTEXT: Deleted SSL VPN context ctx1. |
|
Explanation |
An SSL VPN context was deleted. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_CONTEXT_FAILED
|
Message text |
Failed to delete SSL VPN context [STRING] |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_CONTEXT_FAILED: Failed to delete SSL VPN context ctx1. |
|
Explanation |
Failed to delete an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_EXCROUTEITEM
|
Message text |
Deleted exclude route (IP [STRING] mask [STRING]) from route list [STRING] in context [STRING]. |
|
Variable fields |
$1: Destination IP address of the route. $2: Subnet mask of the route. $3: Route list name. $4: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_EXCROUTEITEM: Deleted exclude route (IP 10.0.0.0 mask 255.0.0.0) from route list rtlist in context ctx1. |
|
Explanation |
An exclude route was removed from a route list configured in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_EXCROUTEITEM_FAILED
|
Message text |
Failed to delete exclude route (IP [STRING] mask [STRING]) from route list [STRING] in context [STRING] |
|
Variable fields |
$1: Destination IP address of the route. $2: Subnet mask of the route. $3: Route list name. $4: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_EXCROUTEITEM_FAILED: Failed to delete exclude route (IP 10.0.0.0 mask 255.0.0.0) from route list rtlist in context ctx1. |
|
Explanation |
Failed to remove an exclude route from a route list configured in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_FILEPOLICY
|
Message text |
Deleted file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: File policy name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_FILEPOLICY: Deleted file policy fp1 in context ctx1. |
|
Explanation |
A file policy was deleted. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_FILEPOLICY_FAILED
|
Message text |
Failed to delete file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: File policy name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_FILEPOLICY_FAILED: Failed to delete file policy fp1 in context ctx1. |
|
Explanation |
Failed to delete a file policy. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_GATEWAY
|
Message text |
Deleted SSL VPN gateway [STRING]. |
|
Variable fields |
$1: SSL VPN gateway name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_GATEWAY: Deleted SSL VPN gateway gw1. |
|
Explanation |
An SSL VPN gateway was deleted. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_GATEWAY_FAILED
|
Message text |
Failed to delete SSL VPN gateway [STRING] |
|
Variable fields |
$1: SSL VPN gateway name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_GATEWAY_FAILED: Failed to delete SSL VPN gateway gw1. |
|
Explanation |
Failed to delete an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_INCROUTEITEM
|
Message text |
Deleted inlcude route (IP [STRING] mask [STRING]) from route list [STRING] in context [STRING]. |
|
Variable fields |
$1: Destination IP address of the route. $2: Subnet mask of the route. $3: Route list name. $4: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_INCROUTEITEM: Deleted include route (IP 10.0.0.0 mask 255.0.0.0) from route list rtlist in context ctx1. |
|
Explanation |
An include route was removed from a route list configured in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_INCROUTEITEM_FAILED
|
Message text |
Failed to delete include route (IP [STRING] mask [STRING]) from route list [STRING] in context [STRING] |
|
Variable fields |
$1: Destination IP address of the route. $2: Subnet mask of the route. $3: Route list name. $4: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_INCROUTEITEM_FAILED: Failed to delete include route (IP 10.0.0.0 mask 255.0.0.0) from route list rtlist in context ctx1. |
|
Explanation |
Failed to remove an include route from a route list configured in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_IPADDRESSPOOL
|
Message text |
Deleted IP address pool [STRING]. |
|
Variable fields |
$1: Name of the IP address pool. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_IPADDRESSPOOL: Deleted IP address pool pool1. |
|
Explanation |
An address pool was deleted. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_IPADDRESSPOOL_FAILED
|
Message text |
Failed to delete IP address pool [STRING] |
|
Variable fields |
$1: Name of the IP address pool. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_IPADDRESSPOOL_FAILED: Failed to delete IP address pool pool1. |
|
Explanation |
Failed to delete an address pool. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_IPTUNNELACIF
|
Message text |
Deleted SSL VPN AC interface in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_IPTUNNELACIF: Deleted SSL VPN AC interface in context ctx. |
|
Explanation |
The SSL VPN AC interface configuration for IP access was removed from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_IPTUNNELACIF_FAILED
|
Message text |
Failed to delete SSL VPN AC interface in context [STRING] |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_IPTUNNELACIF_FAILED: Failed to delete SSL VPN AC interface in context ctx. |
|
Explanation |
Failed to remove the SSL VPN AC interface configuration for IP access from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_IPV4_RANGE
|
Message text |
Deleted the IPv4 address range of SNAT pool [STRING]. |
|
Variable fields |
$1: SNAT address pool name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_IPV4_RANGE: Deleted IPv4 address range of SNAT pool sp1. |
|
Explanation |
The IPv4 address range configuration was removed for an SSL VPN SNAT address pool. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_IPV4_RANGE_FAILED
|
Message text |
Failed to delete the IPv4 address range of SNAT pool [STRING]. |
|
Variable fields |
$1: SNAT address pool name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_IPV4_RANGE_FAILED: Failed to delete IPv4 address range of SNAT pool sp1. |
|
Explanation |
Failed to remove the IPv4 address range configuration for an SSL VPN SNAT address pool. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_IPV6_RANGE
|
Message text |
Deleted IPv6 address range of SNAT pool [STRING]. |
|
Variable fields |
$1: SNAT pool name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_IPV6_RANGE: Deleted IPv6 address range of SNAT pool sp1. |
|
Explanation |
The IPv6 address range configuration was removed for an SSL VPN SNAT address pool. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_IPV6_RANGE_FAILED
|
Message text |
Failed to delete IPv6 address range of SNAT pool [STRING]. |
|
Variable fields |
$1: SNAT pool name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_IPV6_RANGE_FAILED: Failed to delete IPv6 address range of SNAT pool sp1. |
|
Explanation |
Failed to remove the IPv6 address range configuration for an SSL VPN SNAT address pool. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_LOCALPORT
|
Message text |
Deleted port forwarding entry local-port [STRING] local-name [STRING] in port forwarding list [STRING] in context [STRING]. |
|
Variable fields |
$1: Local port number. $2: Local address or local host name. $3: Port forwarding list name. $4: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_LOCALPORT: Deleted port forwarding entry local-port 80 local-name 127.0.0.1 in port forwarding list pflist1 in context ctx. |
|
Explanation |
A port forwarding entry was deleted from a port forwarding list. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_LOCALPORT_FAILED
|
Message text |
Failed to delete port forwarding entry local-port [STRING] local-name [STRING] in port forwarding list [STRING] in context [STRING] |
|
Variable fields |
$1: Local port number. $2: Local address or local host name. $3: Port forwarding list name. $4: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_LOCALPORT_FAILED: Failed to delete port forwarding entry local-port 80 local-name 127.0.0.1 in port forwarding list pflist1 in context ctx. |
|
Explanation |
Failed to delete a port forwarding entry from a port forwarding list. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_NEWCONTENT
|
Message text |
Deleted the new content configuration for rewrite rule [STRING] in file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: Rewrite rule name. $2: File policy name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_NEWCONTENT: Deleted the new content configuration for rewrite rule rw in file policy fp in context ctx. |
|
Explanation |
The new content configuration was deleted for a rewrite rule. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_NEWCONTENT_FAILED
|
Message text |
Failed to delete the new content configuration for rewrite rule [STRING] in file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: Rewrite rule name. $2: File policy name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_NEWCONTENT_FAILED: Failed to delete the new content configuration for rewrite rule rw in file policy fp in context ctx. |
|
Explanation |
Failed to delete the new content configuration for a rewrite rule. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_OLDCONTENT
|
Message text |
Deleted the old content configuration for rewrite rule [STRING] in file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: Rewrite rule name. $2: File policy name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_OLDCONTENT: Deleted the old content configuration for rewrite rule rw in file policy fp in context ctx. |
|
Explanation |
The old content configuration was deleted for a rewrite rule. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_OLDCONTENT_FAILED
|
Message text |
Failed to delete the old content configuration for rewrite rule [STRING] in file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: Rewrite rule name. $2: File policy name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_OLDCONTENT_FAILED: Failed to delete the old content configuration for rewrite rule rw in file policy fp in context ctx. |
|
Explanation |
Failed to delete the old content configuration for a rewrite rule. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_PORTFWD
|
Message text |
Deleted port forwarding list [STRING] in context [STRING]. |
|
Variable fields |
$1: Port forwarding list name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_PORTFWD: Deleted port forwarding list pf in context ctx1. |
|
Explanation |
A port forwarding list was deleted from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_PORTFWD_FAILED
|
Message text |
Failed to delete port forwarding list [STRING] in context [STRING] |
|
Variable fields |
$1: Port forwarding list name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_PORTFWD_FAILED: Failed to delete port forwarding list pf in context ctx1. |
|
Explanation |
Failed to delete a port forwarding list from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_PORTFWD_ITEM
|
Message text |
Deleted port forwarding item [STRING] in context [STRING]. |
|
Variable fields |
$1: Port forwarding item name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_PORTFWD_ITEM: Deleted port forwarding item pfitem in context ctx1. |
|
Explanation |
A port forwarding item was deleted. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_PORTFWD_ITEM_FAILED
|
Message text |
Failed to delete port forwarding item [STRING] in context [STRING] |
|
Variable fields |
$1: Port forwarding item name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_PORTFWD_ITEM_FAILED: Failed to delete port forwarding item pfitem in context ctx1. |
|
Explanation |
Failed to delete a port forwarding item. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_PYGROUP
|
Message text |
Deleted policy group [STRING] in context [STRING]. |
|
Variable fields |
$1: Policy group name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_PYGROUP: Deleted policy group pg in context ctx1. |
|
Explanation |
An SSL VPN policy group was deleted. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_PYGROUP_FAILED
|
Message text |
Failed to delete policy group [STRING] in context [STRING] |
|
Variable fields |
$1: Policy group name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_PYGROUP_FAILED: Failed to delete policy group pg in context ctx1. |
|
Explanation |
Failed to delete an SSL VPN policy group. |
|
Recommended action |
Verify that the policy group is not being used by SSL VPN users. |
SSLVPN_DEL_REFERIPACL
|
Message text |
Deleted IP access filter in policy group [STRING] in context [STRING]. |
|
Variable fields |
$1: Policy group name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERIPACL: Deleted IP access filter in policy group pgroup in context ctx1. |
|
Explanation |
The IP access filtering configuration was removed from a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REFERIPACL_FAILED
|
Message text |
Failed to delete IP access filter in policy group [STRING] in context [STRING] |
|
Variable fields |
$1: Policy group name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERIPACL_FAILED: Failed to delete IP access filter in policy group pgroup in context ctx1 |
|
Explanation |
Failed to remove the IP access filtering configuration from a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REFERPFWDITEM
|
Message text |
Removed port forwarding item [STRING] from port forwarding list [STRING] in context [STRING]. |
|
Variable fields |
$1: Port forwarding item name. $2: Port forwarding list name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERPFWDITEM: Removed port forwarding item pfitem1 from port forwarding list pflist1 in context ctx1. |
|
Explanation |
A port forwarding item was removed from a port forwarding list. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REFERPFWDITEM_FAILED
|
Message text |
Failed to remove port forwarding item [STRING] from port forwarding list [STRING] in context [STRING]. |
|
Variable fields |
$1: Port forwarding item name. $2: Port forwarding list name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERPFWDITEM_FAILED: Failed to remove port forwarding item pfitem1 from port forwarding list pflist1 in context ctx1. |
|
Explanation |
Failed to remove a port forwarding item from a port forwarding list. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REFERPORTFWD
|
Message text |
Deleted port forwarding list used by policy-group [STRING] in context [STRING]. |
|
Variable fields |
$1: Policy group name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERPORTFWD: Deleted port forwarding list used by policy-group pg in context ctx1. |
|
Explanation |
The port forwarding list configuration was removed from a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REFERPORTFWD_FAILED
|
Message text |
Failed to delete port forwarding list used by policy-group [STRING] in context [STRING] |
|
Variable fields |
$1: Policy group name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERPORTFWD_FAILED: Failed to delete port forwarding list used by policy-group pg in context ctx1. |
|
Explanation |
Failed to remove the port forwarding list configuration from a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REFERSCUTLIST
|
Message text |
Removed shortcut list from policy group [STRING] in context [STRING]. |
|
Variable fields |
$1: SSL VPN policy group name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERSCUTLIST: Removed shortcut list from policy group pg in context ctx1. |
|
Explanation |
A shortcut list was removed from an SSL VPN policy group. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REFERSCUTLIST_FAILED
|
Message text |
Failed to remove shortcut list from policy group [STRING] in context [STRING]. |
|
Variable fields |
$1: SSL VPN policy group name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERSCUTLIST_FAILED: Failed to remove shortcut list from policy group pg in context ctx1. |
|
Explanation |
Failed to remove a shortcut list from an SSL VPN policy group. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REFERSHORTCUT
|
Message text |
Removed shortcut [STRING] from shortcut list [STRING] in context [STRING]. |
|
Variable fields |
$1: Shortcut name. $2: Shortcut list name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERSHORTCUT: Removed shortcut shortcut1 from shortcut list scutlist1 in context ctx1. |
|
Explanation |
A shortcut was removed from a shortcut list. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REFERSHORTCUT_FAILED
|
Message text |
Failed to remove shortcut [STRING] from shortcut list [STRING] in context [STRING]. |
|
Variable fields |
$1: Shortcut name. $2: Shortcut list name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERSHORTCUT_FAILED: Failed to remove shortcut shortcut1 from shortcut list scutlist1 in context ctx1. |
|
Explanation |
Failed to remove a shortcut from a shortcut list. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REFERSNATPOOL
|
Message text |
Deleted the SNAT pool used in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERSNATPOOL: Deleted the SNAT pool used in context ctx1. |
|
Explanation |
The SNAT address pool configuration was removed from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REFERSNATPOOL_FAILED
|
Message text |
Failed to delete the SNAT pool used in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERSNATPOOL_FAILED: Failed to delete the SNAT pool used in context cxt1. |
|
Explanation |
Failed to remove the SNAT address pool configuration from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REFERTCPACL
|
Message text |
Deleted TCP access filter in policy group [STRING] in context [STRING]. |
|
Variable fields |
$1: Policy group name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERTCPACL: Deleted TCP access filter in policy group pgroup in context ctx1. |
|
Explanation |
The TCP access filtering configuration was removed from a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REFERTCPACL_FAILED
|
Message text |
Failed to delete TCP access filter in policy group [STRING] in context [STRING] |
|
Variable fields |
$1: Policy group name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERTCPACL_FAILED: Failed to delete TCP access filter in policy group pgroup in context ctx1. |
|
Explanation |
Failed to remove the TCP access filtering configuration from a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REFERURIACL
|
Message text |
Deleted [STRING] access filter URI ACL from policy group [STRING] in context [STRING]. |
|
Variable fields |
$1: SSL VPN access mode. Options are: · IP access. · Web access. · TCP access. $2: Policy group name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERURIACL: Deleted IP access filter URI ACL from policy group pgroup in context ctx1. |
|
Explanation |
The URI ACL used for IP, Web, or TCP access filtering was removed from a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REFERURIACL_FAILED
|
Message text |
Failed to delete [STRING] access filter URI ACL from policy group [STRING] in context [STRING]. |
|
Variable fields |
$1: SSL VPN access mode. Options are: · IP access. · Web access. · TCP access. $2: Policy group name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERURIACL_FAILED: Failed to delete IP access filter URI ACL from policy group pgroup in context ctx1. |
|
Explanation |
Failed to remove the URI ACL used for IP, Web, or TCP access filtering from a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REFERURLITEM
|
Message text |
Deleted URL item [STRING] from URL list [STRING] in context [STRING]. |
|
Variable fields |
$1: URL item name. $2: URL list name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERURLITEM: Deleted URL item item1 from URL list list1 in context ctx1. |
|
Explanation |
Removed a URL item from a URL list. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REFERURLITEM_FAILED
|
Message text |
Failed to delete URL item [STRING] from URL list [STRING] in context [STRING]. |
|
Variable fields |
$1: URL item name. $2: URL list name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERURLITEM_FAILED: Failed to delete URL item item1 from URL list list1 in context ctx1. |
|
Explanation |
Failed to remove a URL item from a URL list. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REFERURLLIST
|
Message text |
Deleted URL list [STRING] used by policy-group [STRING] in context [STRING]. |
|
Variable fields |
$1: URL list name. $2: Policy group name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERURLLIST: Deleted URL list urllist used by policy-group pg in context ctx1. |
|
Explanation |
A URL list was removed from a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REFERURLLIST_FAILED
|
Message text |
Failed to delete URL list [STRING] used by policy-group [STRING] in context [STRING] |
|
Variable fields |
$1: URL list name. $2: Policy group name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERURLLIST_FAILED: Failed to delete URL list urllist used by policy-group pg in context ctx1. |
|
Explanation |
Failed to remove a URL list from a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REFERWEBACL
|
Message text |
Deleted Web access filter in policy group [STRING] in context [STRING]. |
|
Variable fields |
$1: Policy group name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERWEBACL: Deleted Web access filter in policy group pgroup in context ctx1. |
|
Explanation |
The Web access filtering configuration was removed from a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REFERWEBACL_FAILED
|
Message text |
Failed to delete Web access filter in policy group [STRING] in context [STRING] |
|
Variable fields |
$1: Policy group name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REFERWEBACL_FAILED: Failed to delete Web access filter in policy group pgroup in context ctx1 |
|
Explanation |
Failed to remove the Web access filtering configuration from a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REWRITE_RULE
|
Message text |
Deleted rewrite rule [STRING] from file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: Rewrite rule name. $2: File policy name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REWRITE_RULE: Deleted rewrite rule rw from file policy fp in context ctx. |
|
Explanation |
A rewrite rule was deleted. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_REWRITE_RULE_FAILED
|
Message text |
Failed to delete rewrite rule [STRING] from file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: Rewrite rule name. $2: File policy name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_REWRITE_RULE_FAILED: Failed to delete rewrite rule rw from file policy fp in context ctx. |
|
Explanation |
Failed to delete a rewrite rule. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_ROUTELIST
|
Message text |
Deleted IP-route-list [STRING] in context [STRING]. |
|
Variable fields |
$1: Route list name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_ROUTELIST: Deleted IP-route-list rtlist in context ctx1. |
|
Explanation |
A route list was deleted from an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_ROUTELIST_FAILED
|
Message text |
Failed to delete IP-route-list [STRING] in context [STRING] |
|
Variable fields |
$1: Route list name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_ROUTELIST_FAILED: Failed to delete IP-route-list rtlist in context ctx1. |
|
Explanation |
Failed to delete a route list from an SSL VPN context, |
|
Recommended action |
No action is required. |
SSLVPN_DEL_ROUTEREFER
|
Message text |
Deleted access routes in policy-group [STRING] in context [STRING]. |
|
Variable fields |
$1: Policy group name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_ROUTEREFER: Deleted access routes in policy-group pg in context ctx. |
|
Explanation |
Access routes were deleted from a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_ROUTEREFER_FAILED
|
Message text |
Failed to delete access routes in policy-group [STRING] in context [STRING] |
|
Variable fields |
$1: Policy group name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_ROUTEREFER_FAILED: Failed to delete access routes in policy-group pg in context ctx. |
|
Explanation |
Failed to delete access routes from a policy group. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_SERVERURL
|
Message text |
Deleted URL [STRING] from URL item [STRING] in context [STRING]. |
|
Variable fields |
$1: URL string. $2: URL item name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_SERVERURL: Deleted URL www.abc.com from URL item item1 in context ctx1. |
|
Explanation |
Deleted the URL configuration from a URL item. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_SERVERURL_FAILED
|
Message text |
Failed to delete URL [STRING] from URL item [STRING] in context [STRING]. |
|
Variable fields |
$1: URL string. $2: URL item name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_SERVERURL_FAILED: Failed to delete URL www.abc.com from URL item item1 in context ctx1. |
|
Explanation |
Failed to delete the URL configuration from a URL item. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_SHORTCUT
|
Message text |
Deleted shortcut [STRING] in context [STRING]. |
|
Variable fields |
$1: Shortcut name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_SHORTCUT: Deleted shortcut shortcut1 in context ctx1. |
|
Explanation |
A shortcut was deleted. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_SHORTCUT_FAILED
|
Message text |
Failed to delete shortcut [STRING] in context [STRING]. |
|
Variable fields |
$1: Shortcut name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_SHORTCUT_FAILED: Failed to delete shortcut shortcut1 in context ctx1. |
|
Explanation |
Failed to delete a shortcut. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_SHORTCUTLIST
|
Message text |
Deleted shortcut list [STRING] in context [STRING]. |
|
Variable fields |
$1: Shortcut list name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_SHORTCUTLIST: Deleted shortcut list scutlist1 in context ctx1. |
|
Explanation |
A shortcut list was deleted. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_SHORTCUTLIST_FAILED
|
Message text |
Failed to delete shortcut list [STRING] in context [STRING]. |
|
Variable fields |
$1: Shortcut list name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_SHORTCUTLIST_FAILED: Failed to delete shortcut list scutlist1 in context ctx1. |
|
Explanation |
Failed to delete a shortcut list. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_SNATPOOL
|
Message text |
Deleted SSL VPN SNAT pool [STRING]. |
|
Variable fields |
$1: SNAT pool name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_SNATPOOL: Deleted SSL VPN SNAT pool sp1. |
|
Explanation |
A SNAT address pool was deleted. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_SNATPOOL_FAILED
|
Message text |
Failed to delete SSL VPN SNAT pool [STRING]. |
|
Variable fields |
$1: SNAT pool name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_SNATPOOL_FAILED: Failed to delete SSL VPN SNAT pool sp1. |
|
Explanation |
Failed to delete a SNAT address pool. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_URIACL
|
Message text |
Deleted URI ACL [STRING] in context [STRING]. |
|
Variable fields |
$1: URI ACL name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_URIACL: Deleted URI ACL uacl in context ctx1. |
|
Explanation |
A URI ACL was deleted. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_URIACL_FAILED
|
Message text |
Failed to delete URI ACL [STRING] in context [STRING]. |
|
Variable fields |
$1: URI ACL name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_URIACL_FAILED: Failed to delete URI ACL uacl in context ctx1. |
|
Explanation |
Failed to delete a URI ACL. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_URIACL_RULE
|
Message text |
Deleted rule [UINT32] from URI ACL [STRING] in context [STRING]. |
|
Variable fields |
$1: Rule ID. $2: URI ACL name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_URIACL_RULE: Deleted rule 5 from URI ACL uacl in context ctx1. |
|
Explanation |
A rule was deleted from a URI ACL. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_URIACL_RULE_FAILED
|
Message text |
Failed to delete rule [UINT32] from URI ACL [STRING] in context [STRING]. |
|
Variable fields |
$1: Rule ID. $2: URI ACL name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_URIACL_RULE_FAILED: Failed to delete rule 5 from URI ACL uacl in context ctx1. |
|
Explanation |
Failed to delete a rule from a URI ACL. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_URL
|
Message text |
Deleted the URL configuration for file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: File policy name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_URL: Deleted the URL configuration for file policy fp1 in context ctx1. |
|
Explanation |
The file URL configuration was deleted for a file policy. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_URL_FAILED
|
Message text |
Failed to delete the URL configuration for file policy [STRING] in context [STRING]. |
|
Variable fields |
$1: File policy name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_URL_FAILED: Failed to delete the URL configuration for file policy fp1 in context ctx1. |
|
Explanation |
Failed to delete the file URL configuration for a file policy. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_URLITEM
|
Message text |
Deleted URL item [STRING] in context [STRING]. |
|
Variable fields |
$1: URL item name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_URLITEM: Deleted URL item item1 in context ctx1. |
|
Explanation |
Deleted a URL item. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_URLITEM_FAILED
|
Message text |
Failed to delete URL item [STRING] in context [STRING]. |
|
Variable fields |
$1: URL item name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_URLITEM_FAILED: Failed to delete URL item item1 in context ctx1. |
|
Explanation |
Failed to delete a URL item. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_URLITEM_REFERURIACL
|
Message text |
Removed URI ACL [STRING] from URL item [STRING] in context [STRING]. |
|
Variable fields |
$1: URI ACL used by the URL item. $2: URL item name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_URLITEM_REFERURIACL: Removed URI ACL uriacl1 from URL item item1 in context ctx1. |
|
Explanation |
Removed the URI ACL configuration from a URL item. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_URLITEM_REFERURIACL_FAILED
|
Message text |
Failed to remove URI ACL [STRING] from URL item [STRING] in context [STRING]. |
|
Variable fields |
$1: URI ACL used by the URL item. $2: URL item name. $3: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_URLITEM_REFERURIACL_FAILED: Failed to remove URI ACL uriacl1 from URL item item1 in context ctx1. |
|
Explanation |
Failed to remove the URI ACL configuration from a URL item. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_URLLIST
|
Message text |
Deleted URL list [STRING] in context [STRING]. |
|
Variable fields |
$1: URL list name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_URLLIST: Deleted URL list urllist in context ctx1. |
|
Explanation |
A URL list was deleted. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_URLLIST_FAILED
|
Message text |
Failed to delete URL list [STRING] in context [STRING] |
|
Variable fields |
$1: URL list name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_URLLIST_FAILED: Failed to delete URL list urllist in context ctx1. |
|
Explanation |
Failed to delete a URL list. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_URLMAPPING
|
Message text |
Deleted URL mapping from URL item [STRING] in context [STRING]. |
|
Variable fields |
$1: URL item name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_URLMAPPING: Deleted URL mapping from URL item item1 in context ctx1. |
|
Explanation |
Removed the URL mapping configuration from a URL item. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_URLMAPPING_FAILED
|
Message text |
Failed to delete URL mapping from URL item [STRING] in context [STRING]. |
|
Variable fields |
$1: URL item name. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_URLMAPPING_FAILED: Failed to delete URL mapping from URL item item1 in context ctx1. |
|
Explanation |
Failed to remove the URL mapping configuration from a URL item. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_USER
|
Message text |
Deleted user [STRING] in context [STRING]. |
|
Variable fields |
$1: SSL VPN username. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_USER: Deleted user user1 in context ctx1. |
|
Explanation |
An SSL VPN user was deleted. |
|
Recommended action |
No action is required. |
SSLVPN_DEL_USER_FAILED
|
Message text |
Failed to delete user [STRING] in context [STRING]. |
|
Variable fields |
$1: SSL VPN username. $2: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DEL_USER_FAILED: Failed to delete user user1 in context ctx1. |
|
Explanation |
Failed to delete an SSL VPN user. |
|
Recommended action |
No action is required. |
SSLVPN_DISABLE_CONTEXT
|
Message text |
Disabled service in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DISABLE_CONTEXT: Disabled service in context ctx1. |
|
Explanation |
An SSL VPN context was disabled. |
|
Recommended action |
No action is required. |
SSLVPN_DISABLE_CONTEXT_FAILED
|
Message text |
Failed to disable service in context [STRING] |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DISABLE_CONTEXT_FAILED: Failed to disable service in context ctx1. |
|
Explanation |
Failed to disable an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DISABLE_CRTAUTH
|
Message text |
Disabled certificate-authentication in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DISABLE_CRTAUTH: Disabled certificate-authentication in context ctx1. |
|
Explanation |
Certificate authentication was disabled in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DISABLE_CRTAUTH_FAILED
|
Message text |
Failed to disable certificate-authentication in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DISABLE_CRTAUTH_FAILED: Failed to disable certificate-authentication in context ctx1. |
|
Explanation |
Failed to disable certificate authentication in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DISABLE_DYNAMICPWD
|
Message text |
Disabled dynamic-password in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DISABLE_DYNAMICPWD: Disabled dynamic-password in context ctx1. |
|
Explanation |
Dynamic password verification was disabled in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DISABLE_DYNAMICPWD_FAILED
|
Message text |
Failed to disable dynamic-password in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DISABLE_DYNAMICPWD_FAILED: Failed to disable dynamic-password in context ctx1. |
|
Explanation |
Failed to disable dynamic password verification in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DISABLE_GATEWAY
|
Message text |
Disabled service in gateway [STRING]. |
|
Variable fields |
$1: SSL VPN gateway name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DISABLE_GATEWAY: Disabled service in gateway gw1. |
|
Explanation |
An SSL VPN gateway was disabled. |
|
Recommended action |
No action is required. |
SSLVPN_DISABLE_GATEWAY_FAILED
|
Message text |
Failed to disable service in gateway [STRING] |
|
Variable fields |
$1: SSL VPN gateway name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DISABLE_GATEWAY_FAILED: Failed to disable service in gateway gw1. |
|
Explanation |
Failed to disable an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_DISABLE_GLOBAL_LOG
|
Message text |
Disabled SSL VPN logging globally. |
|
Variable fields |
No action is required. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DISABLE_GLOBAL_LOG: Disabled SSL VPN logging globally. |
|
Explanation |
The SSL VPN global logging feature was disabled. |
|
Recommended action |
No action is required. |
SSLVPN_DISABLE_GLOBAL_LOG_FAILED
|
Message text |
Failed to disable SSL VPN logging globally. |
|
Variable fields |
No action is required. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DISABLE_GLOBAL_LOG_FAILED: Failed to disable SSL VPN logging globally. |
|
Explanation |
Failed to disable the SSL VPN global logging feature. |
|
Recommended action |
No action is required. |
SSLVPN_DISABLE_IPTUNNEL_LOG
|
Message text |
Disabled IP tunnel access logging in context [STRING]. Log type is [STRING]. |
|
Variable fields |
$1: SSL VPN context name. $2: Log type. The value is CONNECTION-CLOSE, |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DISABLE_IPTUNNEL_LOG: Disabled IP tunnel access logging in context ctx1. Log type is CONNECTION-CLOSE. |
|
Explanation |
Logging for IP connection close events was disabled. |
|
Recommended action |
No action is required. |
SSLVPN_DISABLE_IPTUNNEL_LOG_FAILED
|
Message text |
Failed to disable IP tunnel access logging in context [STRING]. Log type is [STRING]. |
|
Variable fields |
$1: SSL VPN context name. $2: Log type. The value is CONNECTION-CLOSE, |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DISABLE_IPTUNNEL_LOG_FAILED: Failed to disable IP tunnel access logging in context ctx1. Log type is CONNECTION-CLOSE. |
|
Explanation |
Failed to disable logging for IP connection close events. |
|
Recommended action |
No action is required. |
SSLVPN_DISABLE_PASSWORDAUTH
|
Message text |
Disabled password-authentication in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DISABLE_PASSWORDAUTH: Disabled password-authentication in context ctx1. |
|
Explanation |
Disabled password authention in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DISABLE_PASSWORDAUTH_FAILED
|
Message text |
Failed to disable password-authentication in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DISABLE_PASSWORDAUTH_FAILED: Failed to disable password-authentication in context ctx1. |
|
Explanation |
Failed to disable password authention in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DISABLE_SMSIMC
|
Message text |
Disabled IMC SMS message authentication in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DISABLE_SMSIMC: Disabled IMC SMS message authentication in context ctx1. |
|
Explanation |
IMC SMS message authentication was disabled in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DISABLE_SMSIMC_FAILED
|
Message text |
Failed to disable IMC SMS message authentication in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DISABLE_SMSIMC_FAILED: Failed to disable IMC SMS message authentication in context ctx1. |
|
Explanation |
Failed to disable IMC SMS message authentication in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DISABLE_VERIFYCODE
|
Message text |
Disabled code verification in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DISABLE_VERIFYCODE: Disabled code verification in context ctx1. |
|
Explanation |
Code verification was disabled in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_DISABLE_VERIFYCODE_FAILED
|
Message text |
Failed to disable code verification in context [STRING] |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_DISABLE_VERIFYCODE_FAILED: Failed to disable code verification in context ctx1. |
|
Explanation |
Failed to disable code verification in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ENABLE_CONTEXT
|
Message text |
Enabled service in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ENABLE_CONTEXT: Enabled service in context ctx1. |
|
Explanation |
An SSL VPN context was enabled. |
|
Recommended action |
No action is required. |
SSLVPN_ENABLE_CONTEXT_FAILED
|
Message text |
Failed to enable service in context [STRING] |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ENABLE_CONTEXT_FAILED: Failed to enable service in context ctx1. |
|
Explanation |
Failed to enable an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ENABLE_CRTAUTH
|
Message text |
Enabled certificate-authentication in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ENABLE_CRTAUTH: Enabled certificate-authentication in context ctx1. |
|
Explanation |
Certification authentication was enabled in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ENABLE_CRTAUTH_FAILED
|
Message text |
Failed to enable certificate-authentication in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ENABLE_CRTAUTH_FAILED: Failed to enable certificate-authentication in context ctx1. |
|
Explanation |
Failed to enable certification authentication in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ENABLE_DYNAMICPWD
|
Message text |
Enabled dynamic-password in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ENABLE_DYNAMICPWD: Enabled dynamic password verification in context ctx1. |
|
Explanation |
Dynamic password verification was enabled in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ENABLE_DYNAMICPWD_FAILED
|
Message text |
Failed to enable dynamic-password in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ENABLE_DYNAMICPWD_FAILED: Failed to enable dynamic-password in context ctx1. |
|
Explanation |
Failed to enable dynamic password verification in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ENABLE_FORCELOGOUT
|
Message text |
Enabled force logout in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ENABLE_FORCELOGOUT: Enabled force logout in context ctx1. |
|
Explanation |
The force logout feature was enabled. When a login is attempted but logins using the account reach the limit, this feature logs out a user using that account to allow the new login. |
|
Recommended action |
No action is required. |
SSLVPN_ENABLE_FORCELOGOUT_FAILED
|
Message text |
Failed to enable force logout in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ENABLE_FORCELOGOUT_FAILED: Failed to enable force logout in context ctx1. |
|
Explanation |
Failed to enable the force logout feature. When a login is attempted but logins using the account reach the limit, this feature logs out a user using that account to allow the new login. |
|
Recommended action |
No action is required. |
SSLVPN_ENABLE_GATEWAY
|
Message text |
Enabled service in gateway [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ENABLE_GATEWAY: Enabled service in gateway gw1. |
|
Explanation |
An SSL VPN gateway was enabled. |
|
Recommended action |
No action is required. |
SSLVPN_ENABLE_GATEWAY_FAILED
|
Message text |
Failed to enable service in gateway [STRING] |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ENABLE_GATEWAY_FAILED: Failed to enable service in gateway gw1. |
|
Explanation |
Failed to enable an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_ENABLE_GLOBAL_LOG
|
Message text |
Enabled SSL VPN logging globally. |
|
Variable fields |
No action is required. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ENABLE_GLOBAL_LOG: Enabled SSL VPN logging globally. |
|
Explanation |
The SSL VPN global logging feature was enabled. |
|
Recommended action |
No action is required. |
SSLVPN_ENABLE_GLOBAL_LOG_FAILED
|
Message text |
Failed to enable SSL VPN logging globally. |
|
Variable fields |
No action is required. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ENABLE_GLOBAL_LOG_FAILED: Failed to enable SSL VPN logging globally. |
|
Explanation |
Failed to enable the SSL VPN global logging feature. |
|
Recommended action |
No action is required. |
SSLVPN_ENABLE_IPTUNNEL_LOG
|
Message text |
Enabled IP tunnel access logging in context [STRING]. Log type is [STRING]. |
|
Variable fields |
$1: SSL VPN context name. $2: Log type. The value is CONNECTION-CLOSE, |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ENABLE_IPTUNNEL_LOG: Enabled IP tunnel access logging in context ctx1. Log type is CONNECTION-CLOSE. |
|
Explanation |
Logging for IP connection close events was enabled. |
|
Recommended action |
No action is required. |
SSLVPN_ENABLE_IPTUNNEL_LOG_FAILED
|
Message text |
Failed to enable IP tunnel access logging in context [STRING]. Log type is [STRING]. |
|
Variable fields |
$1: SSL VPN context name. $2: Log type. The value is CONNECTION-CLOSE, |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ENABLE_IPTUNNEL_LOG_FAILED: Failed to enable IP tunnel access logging in context ctx1. Log type is CONNECTION-CLOSE. |
|
Explanation |
Failed to enable logging for IP connection close events. |
|
Recommended action |
No action is required. |
SSLVPN_ENABLE_PASSWORDAUTH
|
Message text |
Enabled password-authentication in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ENABLE_PASSWORDAUTH: Enabled password-authentication in context ctx1. |
|
Explanation |
Password authentication was enabled in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ENABLE_PASSWORDAUTH_FAILED
|
Message text |
Failed to enable password-authentication in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ENABLE_PASSWORDAUTH_FAILED: Failed to enable password-authentication in context ctx1. |
|
Explanation |
Failed to enable password authentication in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ENABLE_SMSIMC
|
Message text |
Enabled IMC SMS message authentication in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ENABLE_SMSIMC: Enabled IMC SMS message authentication in context ctx1. |
|
Explanation |
IMC SMS message authentication was enabled in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ENABLE_SMSIMC_FAILED
|
Message text |
Failed to enable IMC SMS message authentication in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ENABLE_SMSIMC_FAILED: Failed to enable IMC SMS message authentication in context ctx1. |
|
Explanation |
Failed to enable IMC SMS message authentication in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ENABLE_VERIFYCODE
|
Message text |
Enabled code verification in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ENABLE_VERIFYCODE: Enabled code verification in context ctx1. |
|
Explanation |
Code verification was enabled in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_ENABLE_VERIFYCODE_FAILED
|
Message text |
Failed to enable code verification in context [STRING] |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_ENABLE_VERIFYCODE_FAILED: Failed to enable code verification in context ctx1. |
|
Explanation |
Failed to enable code verification in an SSL VPN context. |
|
Recommended action |
No action is required. |
SSLVPN_IP_RESOURCE_DENY
|
Message text |
User [STRING] of context [STRING] from [STRING] denied to access [STRING]:[STRING]. |
|
Variable fields |
$1: Username. $2: SSL VPN context name. $3: User IP address. $4: IP address of the requested resource. $5: Port number of the requested resource. |
|
Severity level |
6 |
|
Example |
SSLVPNK/6/SSLVPN_IP_RESOURCE_DENY: User abc of context ctx1 from 192.168.200.130 denied to access 10.1.1.255:137. |
|
Explanation |
A user was denied access to specific IP resources, possibly caused by ACL-based access filtering. |
|
Recommended action |
Verify that access to the requested resource is not denied by the ACL rules used for IP access filtering. |
SSLVPN_IP_RESOURCE_FAILED
|
Message text |
User [STRING] of context [STRING] from [STRING] failed to access [STRING]:[STRING]. |
|
Variable fields |
$1: Username. $2: SSL VPN context name. $3: User IP address. $4: IP address of the requested resource. $5: Port number of the requested resource. |
|
Severity level |
6 |
|
Example |
SSLVPNK/6/SSLVPN_IP_RESOURCE_FAILED: User abc of context ctx1 from 192.168.200.130 failed to access 10.1.1.255:137. |
|
Explanation |
A user failed to access IP resources, possibly caused by network problems. |
|
Recommended action |
Verify that a route is available to reach the requested IP resource. |
SSLVPN_IP_RESOURCE_PERMIT
|
Message text |
User [STRING] of context [STRING] from [STRING] permitted to access [STRING]:[STRING]. |
|
Variable fields |
$1: Username. $2: SSL VPN context name. $3: User IP address. $4: IP address of the requested resource. $5: Port number of the requested resource. |
|
Severity level |
6 |
|
Example |
SSLVPNK/6/SSLVPN_IP_RESOURCE_PERMIT: User abc of context ctx1 from 192.168.200.130 permitted to access 10.1.1.255:137. |
|
Explanation |
A user accessed IP resources. |
|
Recommended action |
No action is required. |
SSLVPN_IPAC_CONN_CLOSE
|
Message text |
IP connection was [STRING]. Reason: [STRING]. |
|
Variable fields |
$1: Connection close type. Options are: · closed. · aborted. $2: Reason why the connection was closed. Options are: · User logout. · Failure to find peer. · Handshake failed. · Change of IP address pool. · Failure to receive data. · Local retransmission timeout. · Local keepalive timeout. · Local probe timeout. · Received FIN from peer. · Received RST from peer. · No authorized policy group. · Allocated address was bound to another user. · Failure to update client configuration. · Deleted old peer. · Other. |
|
Severity level |
6 |
|
Example |
SSLVPNK/6/SSLVPN_IPAC_CONN_CLOSE: IP connection was closed. Reason: User logout. |
|
Explanation |
The reason for the close of an IP connection was logged. |
|
Recommended action |
No action is required. |
SSLVPN_SERVICE_UNAVAILABLE
|
Message text |
SSL VPN service was unavailable. Reason: [STRING]. |
|
Variable fields |
$1: Reason why the SSL VPN service was unavailable. Options are: · SSL VPN context not enabled. · No available SSL VPN contexts. |
|
Severity level |
6 |
|
Example |
SSLVPNK/6/SSLVPN_SERVICE_UNAVAILABLE: SSL VPN service was unavailable. Reason: SSL VPN context not enabled. |
|
Explanation |
The reason for the unavailability of an SSL VPN service was logged. |
|
Recommended action |
If the reason is SSL VPN context not enabled, enter SSL VPN context view and use the service enable command to enable the context. If the reason is No available SSL VPN contexts, verify that the SSL VPN gateway to which the user is connected is associated with SSL VPN contexts. |
SSLVPN_TCP_RESOURCE_DENY
|
Message text |
User [STRING] of context [STRING] from [STRING] denied to access [STRING]:[STRING] (server-IP=[STRING],port-number=[STRING]). |
|
Variable fields |
$1: Username. $2: SSL VPN context name. $3: User IP address. $4: Address of the remote server. $5: Port number of the remote server. $6: IP address of the remote server. $7: Port number of the remote server. |
|
Severity level |
6 |
|
Example |
SSLVPNK/6/SSLVPN_TCP_RESOURCE_DENY: User abc of context ctx1 from 192.168.200.130 denied to access 10.1.1.255:137 (server-IP=10.1.1.255,port-number=137). |
|
Explanation |
A user was denied access to specific TCP resources, possibly caused by ACL-based access filtering. |
|
Recommended action |
Verify that access to the requested resource is not denied by the ACL rules used for TCP access filtering. |
SSLVPN_TCP_RESOURCE_FAILED
|
Message text |
User [STRING] of context [STRING] from [STRING] failed to access [STRING]:[STRING] (server-IP=[STRING],port-number=[STRING]). |
|
Variable fields |
$1: Username. $2: SSL VPN context name. $3: User IP address. $4: IP address of the remote server. $5: Port number of the remote server. $6: IP address of the remote server. $7: Port number of the remote server. |
|
Severity level |
6 |
|
Example |
SSLVPNK/6/SSLVPN_TCP_RESOURCE_FAILED: User abc of context ctx1 from 192.168.200.130 failed to access 10.1.1.255:137 (server-IP=10.1.1.255,port-number=137). |
|
Explanation |
A user failed to access TCP resources, possibly caused by network problems or DNS resolution failures. |
|
Recommended action |
255. Verify that a route is available to reach the requested TCP resource. 256. Verify that a DNS server is available for domain name resolution. |
SSLVPN_TCP_RESOURCE_PERMIT
|
Message text |
User [STRING] of context [STRING] from [STRING] permitted to access [STRING]:[STRING] (server-IP=[STRING],port-number=[STRING]). |
|
Variable fields |
$1: Username. $2: SSL VPN context name. $3: User IP address. $4: Address of the remote server. $5: Port number of the remote server. $6: IP address of the remote server. $7: Port number of the remote server. |
|
Severity level |
6 |
|
Example |
SSLVPNK/6/SSLVPN_TCP_RESOURCE_PERMIT: User abc of context ctx1 from 192.168.200.130 permitted to access 10.1.1.255:137 (server-IP=10.1.1.255,port-number=137). |
|
Explanation |
A user accessed TCP resources. |
|
Recommended action |
No action is required. |
SSLVPN_UNDO_FORCELOGOUT
|
Message text |
Disabled force logout in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_UNDO_FORCELOGOUT: Disabled force logout in context ctx1. |
|
Explanation |
The force logout feature was disabled. When a login is attempted but logins using the account reach the limit, this feature logs out a user using that account to allow the new login. |
|
Recommended action |
No action is required. |
SSLVPN_UNDO_FORCELOGOUT_FAILED
|
Message text |
Failed to disable force logout in context [STRING]. |
|
Variable fields |
$1: SSL VPN context name. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_UNDO_FORCELOGOUT_FAILED: Failed to disable force logout in context ctx1. |
|
Explanation |
Failed to disable the force logout feature. When a login is attempted but logins using the account reach the limit, this feature logs out a user using that account to allow the new login. |
|
Recommended action |
No action is required. |
SSLVPN_USER_LOGIN
|
Message text |
User [STRING] of context [STRING] logged in from [STRING]. |
|
Variable fields |
$1: Username. $2: SSL VPN context name. $3: User IP address. |
|
Severity level |
5 |
|
Example |
SSLVPN/5/SSLVPN_USER_LOGIN: User abc of context ctx logged in from 192.168.200.31. |
|
Explanation |
A user logged in to an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_USER_LOGINFAILED
|
Message text |
User [STRING] of context [STRING] failed to log in from [STRING]. Reason: [STRING]. |
|
Variable fields |
$1: Username. $2: SSL VPN context name. $3: User IP address. $4: Reason for the login failure: · Authentication failed. · Authorization failed. · Accounting failed. · Number of online users exceeded the limit. · Failed to get SMS message code from iMC server. · Maximum number of concurrent online connections for the user already reached. · Login timed out. · The authentication server is not reachable. · The authorization server is not reachable. · The accounting server is not reachable. · Other. |
|
Severity level |
5 |
|
Example |
SSLVPN/5/SSLVPN_USER_LOGINFAILED: User abc of context ctx failed to log in from 192.168.200.31. |
|
Explanation |
A user failed to log in to an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_USER_LOGOUT
|
Message text |
User [STRING] of context [STRING] logged out from [STRING]. Reason: [STRING]. |
|
Variable fields |
$1: Username. $2: SSL VPN context name. $3: User IP address. $4: Reason for user logout: · Idle timeout. · A logout request was received from the Web browser. · A logout request was received from the client. · Forced logout. · A new login was attempted and logins using the account reach the maximum. · Accounting update failed. · Accounting session timed out. · Interface went down. · ADM request was received. · Idle cut for traffic not reach the minimum required amount. |
|
Severity level |
5 |
|
Example |
SSLVPN/5/SSLVPN_USER_LOGOUT: User abc of context ctx logged out from 192.168.200.31. Reason: A logout request was received from the Web browser. |
|
Explanation |
A user logged out of an SSL VPN gateway. |
|
Recommended action |
No action is required. |
SSLVPN_USER_NUMBER
|
Message text |
The number of SSL VPN users reached the upper limit. |
|
Variable fields |
None. |
|
Severity level |
6 |
|
Example |
SSLVPN/6/SSLVPN_USER_NUMBER: The number of SSL VPN users reached the upper limit. |
|
Explanation |
The number of SSL VPN users reached the upper limit. |
|
Recommended action |
No action is required. |
SSLVPN_WEB_RESOURCE_DENY
|
Message text |
User [STRING] of context [STRING] from [STRING] denied to access [STRING] (server-IP=[STRING],port-number=[STRING]). |
|
Variable fields |
$1: Username. $2: SSL VPN context name. $3: User IP address. $4: URL of the requested resource. $5: IP address of the Web server that provides the requested resource. $6: Port number of the Web server. |
|
Severity level |
6 |
|
Example |
SSLVPNK/6/SSLVPN_WEB_RESOURCE_DENY: User abc of context ctx1 from 192.168.200.130 denied to access http://192.168.0.2:80/ (server-IP=192.168.0.2,port-number=80). |
|
Explanation |
A user was denied access to specific Web resources, possibly caused by ACL-based access filtering. |
|
Recommended action |
Verify that access to the requested resource is not denied by the ACL rules used for Web access filtering. |
SSLVPN_WEB_RESOURCE_FAILED
|
Message text |
User [STRING] of context [STRING] from [STRING] failed to access [STRING] (server-IP=[STRING],port-number=[STRING]). |
|
Variable fields |
$1: Username. $2: SSL VPN context name. $3: User IP address. $4: URL of the requested resource. $5: IP address of the Web server that provides the requested resource. $6: Port number of the Web server. |
|
Severity level |
6 |
|
Example |
SSLVPNK/6/SSLVPN_WEB_RESOURCE_FAILED: User abc of context ctx1 from 192.168.200.130 failed to access http://192.168.0.2:80/ (server-IP=192.168.0.2,port-number=80). |
|
Explanation |
A user failed to access Web resources, possibly caused by network problems or DNS resolution failures. |
|
Recommended action |
257. Verify that a route is available to reach the requested Web resource. 258. Verify that a DNS server is available for domain name resolution. |
SSLVPN_WEB_RESOURCE_PERMIT
|
Message text |
User [STRING] of context [STRING] from [STRING] permitted to access [STRING] (server-IP=[STRING],port-number=[STRING]). |
|
Variable fields |
$1: Username. $2: SSL VPN context name. $3: User IP address. $4: URL of the requested resource. $5: IP address of the Web server that provides the requested resource. $6: Port number of the Web server. |
|
Severity level |
6 |
|
Example |
SSLVPNK/6/SSLVPN_WEB_RESOURCE_PERMIT: User abc of context ctx1 from 192.168.200.130 permitted to access http://192.168.0.2:80/ (server-IP=192.168.0.2,port-number=80). |
|
Explanation |
A user accessed Web resources. |
|
Recommended action |
No action is required. |
STAMGR messages
This section contains station management messages.
STAMGR_ADD_FAILVLAN
|
Message text |
|
|
Variable fields |
$1: SSID. $2: MAC address of the client. $3: Name of the AP associated with the client. $4: ID of the radio associated with the client. $5: ID of the Fail VLAN. |
|
Severity level |
5 |
|
Example |
|
|
Explanation |
The client failed to pass the authentication and was assigned to the Auth-Fail VLAN. |
|
Recommended action |
No action is required. |
STAMGR_ADDBAC_INFO
|
Message text |
Add BAS AC [STRING]. |
|
Variable fields |
$1: MAC address of the BAS AC. |
|
Severity level |
6 |
|
Example |
STAMGR/6/STAMGR_ADDBAC_INFO: Add BAS AC 3ce5-a616-28cd. |
|
Explanation |
The BAS AC was connected to the master AC. |
|
Recommended action |
No action is required. |
STAMGR_ADDSTA_INFO
|
Message text |
Add client [STRING]. |
|
Variable fields |
$1: MAC address of the client. |
|
Severity level |
6 |
|
Example |
STAMGR/6/STAMGR_ADDSTA_INFO: Add client 3ce5-a616-28cd. |
|
Explanation |
The client was connected to the BAS AC. |
|
Recommended action |
No action is required. |
STAMGR_AUTHORACL_FAILURE
|
Message text |
|
|
Variable fields |
$1: SSID. $2: MAC address of the client. $3: Name of the AP associated with the client. $4: ID of the radio associated with the client. $5: ACL number. $6: Reason: · This type of ACL is not supported. · The memory resource is not enough. · The ACL conflicts with other ACLs. · The ACL doesn't contain any rules. · The OpenFlow tunnel was not established. · The OpenFlow table is full. · Unknown reason. Error code code was returned. |
|
Severity level |
5 |
|
Example |
|
|
Explanation |
The authentication server failed to assign an ACL to the client. |
|
Recommended action |
No action is required. |
STAMGR_AUTHORUSERPROFILE_FAILURE
|
Message text |
-SSID=[STRING]-UserMAC=[STRING]-APName=[STRING]-RadioID=[STRING]; Failed to assign user profile [STRING]. Reason: [STRING]. |
|
Variable fields |
$1: SSID. $2: MAC address of the client. $3: Name of the AP associated with the client. $4: ID of the radio associated with the client. $5: Name of the authorization user profile. $6: Failure cause: · The user profile doesn’t exist. · No user profiles are created on the device. · The memory resource is not enough. · The OpenFlow tunnel was not established. · Unknown reason. Error code code was returned. |
|
Severity level |
5 |
|
Example |
STAMGR/5/STAMGR_AUTHORUSERPROFILE_FAILURE:-SSID=text-wifi-UserMAC=3ce5-a616-28cd-APName=ap1-RadioID=2; Failed to assign user profile aaa. Reason: No user profiles are created on the device. |
|
Explanation |
The authentication server failed to assign a user profile to the client. |
|
Recommended action |
No action is required. |
STAMGR_BSS_FAILURE
|
Message text |
-APID=[STRING]-RadioID=[STRING]-WLANID=[STRING]-ST Name=[STRING]; The number of BSSs exceeded the upper limit. |
|
Variable fields |
$1: AP ID. $2: Radio ID. $3: WLAN ID. $4: Service template name. |
|
Severity level |
6 |
|
Example |
STAMGR/6/SERVICE_BSS_FAILURE: -APID=1-RadioID=2-WLANID=3-ST Name=1; The number of BSSs exceeded the upper limit. |
|
Explanation |
The number of AP radios using this service template has exceeded the upper limit. |
|
Recommended action |
No action is required. |
STAMGR_CLEINT_BSS_MAXCOUNT
|
Message text |
SSID=[STRING]-APName=[STRING]-RadioID=[STRING]; Number of associated clients reached the upper limit allowed by the BSS. |
|
Variable fields |
$1: SSID defined in the service template. $2: Name of the AP associated with the client. $3: ID of the radio associated with the client. |
|
Severity level |
5 |
|
Example |
STAMGR/5/STAMGR_CLIENT_BSS_MAXCOUNT: SSID=test-wifi-APName=ap1-RadioID=2; Number of associated clients reached the upper limit allowed by the BSS. |
|
Explanation |
The number of associated clients reached the upper limit allowed by the BSS. |
|
Recommended action |
No action is required. |
STAMGR_CLIENT_FAILURE
|
Message text |
Client [STRING] failed to come online from BSS [STRING] with SSID [STRING] on AP [STRING] Radio ID [STRING]. Reason: [STRING]. |
|
Variable fields |
$1: MAC address of the client. $2: BSSID. $3: SSID defined in the service template. $4: Name of the AP associated with the client. $5: ID of the radio associated with the client. $6: Reasons for the client's failure to come online. Table 8 describes the possible reasons. |
|
Severity level |
5 |
|
Example |
STAMGR/5/STAMGR_CLIENT_FAILURE: Client 3303-c2af-b8d2 failed to come online from BSS 0023-12ef-78dc with SSID 1 on AP ap1 Radio ID 1. Reason: Unknown reason. |
|
Explanation |
The client failed to come online from the BSS for a specific reason. |
|
Recommended action |
To resolve the issue: 259. Check the debugging information to locate the issue and resolve it. 260. If the issue persists, contact H3C Support. |
Table 8 Possible failure reasons
|
Possible reasons |
|
Unknown error. |
|
Failed to process open authentication packet from the client. |
|
Failed to send responses when the AC successfully processed open authentication packet from the client. |
|
Failed to create state timer when the AC received authentication packet in Unauth state. |
|
Failed to refresh state timer when the AC received authentication packet in Unauth state. |
|
Received association packet Unauth state. |
|
Received deauthentication packet with reason code code in Unauth state: · 1—Unknown reason. · 3—Client is removed from BSS and is deauthenticated. · 6—Incorrect frame. · 9—Received association or reassociation request before authentication is complete. · 13—Invalid IE. |
|
Received dissociation packet with reason code code in Unauth state: · 1—Unknown reason. · 2—Prior authentication is invalid. · 4—Inactivity timer expired. · 5—Insufficient resources. · 7—Incorrect frame. · 8—Client is removed from BSS and is disassociated. · 10—Failed to negotiate the Power Capability IE. · 11—BSS management switchover. |
|
Received Auth failure packet in Unauth state. |
|
Received state timer timeout in Unauth state. |
|
Received deauthentication packet with reason code code in Auth state: · 1—Unknown reason. · 3—Client is removed from BSS and is deauthenticated. · 6—Incorrect frame. · 9—Received association or reassociation request before authentication is complete. · 13—Invalid IE. |
|
Received authentication packet with inconsistent authentication algorithm or shared key in Auth state. |
|
Received state timer timeout in Auth state. |
|
Failed to process Add Mobile message when client association succeeded in Auth state. |
|
Received inconsistent authentication algorithm or share key in Userauth state. |
|
Failed to check association request when the AC received association packet in Userauth state. |
|
Failed to process IE when the AC received association packet in Userauth state. |
|
Failed to send association responses when the AC received association packet in Userauth state. |
|
Failed to process Add Mobile message when client association succeeded in Userauth state. |
|
Received deauthentication packet with reason code code in Userauth state: · 1—Unknown reason. · 3—Client is removed from BSS and is deauthenticated. · 6—Incorrect frame. · 9—Received association or reassociation request before authentication is complete. · 13—Invalid IE. |
|
Received dissociation packet with reason code code in Userauth state: · 1—Unknown reason. · 2—Prior authentication is invalid. · 4—Inactivity timer expired. · 5—Insufficient resources. · 7—Incorrect frame. · 8—Client is removed from BSS and is disassociated. · 10—Failed to negotiate the Power Capability IE. · 11—BSS management switchover. |
|
Client authentication failed in Userauth state. |
|
Failed to get backup client data while using AP private data to upgrade client. |
|
Failed to set kernel forwarding table while using AP private data to upgrade client. |
|
Failed to add MAC while using AP private data to upgrade client. |
|
Failed to create keepalive and idle timeout timers while using AP private data to upgrade client. |
|
Failed to set kernel forwarding table while upgrading client without using AP private data. |
|
Failed to add MAC while upgrading client without using AP private data. |
|
Failed to activate client while upgrading client without using AP private data. |
|
Failed to synchronize client information to configuration thread while upgrading client without using AP private data. |
|
Failed to create keepalive and idle timeout timers while upgrading client without using AP private data. |
|
Failed to add MAC during inter-device client smooth creation. |
|
Failed to set kernel forwarding table during inter-device client smooth creation. |
|
Failed to send Add Mobile message during inter-device client smooth creation. |
|
Failed to get AP type during inter-device client smooth creation. |
|
Failed to recover service data while recovering running client data from database. |
|
Failed to synchronize data to service thread while recovering basic client data from database. |
|
Failed to add MAC when hierarchy device received upstream Add Mobile message. |
|
Failed to set kernel forwarding table when hierarchy device received upstream Add Mobile message. |
|
Failed to synchronize upstream message when hierarchy device received upstream Add Mobile message. |
|
Failed to create client when hierarchy device received upstream Add Mobile message. |
|
Failed to add MAC when hierarchy device received downstream Add Mobile message. |
|
Failed to synchronize data to service thread when hierarchy device received downstream Add Mobile message. |
|
Failed to set kernel forwarding table when hierarchy device received downstream Add Mobile message. |
|
Failed to send down add pbss to driver when hierarchy device received downstream Add Mobile message. |
|
Failed to synchronize downstream message when hierarchy device received downstream Add Mobile message. |
|
Failed to create client when hierarchy device received downstream Add Mobile message. |
|
Failed to create interval statistics timer when hierarchy device received downstream Add Mobile message. |
|
Failed to obtain AP private data when hierarchy device received downstream Add Mobile message. |
|
Failed to advertise Add Mobile message. |
|
Failed to activate client when hierarchy device received downstream client state synchronization message. |
|
Failed to get AP type when hierarchy device received downstream client state synchronization message. |
|
Failed to synchronize downstream message when hierarchy device received downstream client state synchronization message. |
|
The radio was in down state when hierarchy device received downstream Add Mobile message. |
|
Hierarchy device failed to process the upstream Add Mobile message. |
|
Hierarchy device failed to process downstream Add Mobile message. |
|
Failed to process service thread during inter-device client smooth creation. |
|
Failed to create client during inter-device smooth. |
|
Failed to process upstream client state synchronization message in Userauth state. |
|
Failed to process downstream client state synchronization message in Userauth state. |
|
Hierarchy device failed to process upstream client state synchronization message. |
|
Hierarchy device failed to process downstream client state synchronization message. |
|
AC received message for deleting the client entry. |
|
Fit AP received message for deleting the client. |
|
Different old and new region codes. |
|
Failed to update IGTK. |
|
Failed to update GTK. |
|
Failed to generate IGTK when the first client came online. |
|
TKIP is used to authenticate all clients. |
|
Channel changed. |
|
BssDelAllSta event logged off client normally. |
|
AP down. |
|
Radio down. |
|
Service template disabled. |
|
Service template unbound. |
|
Created BSS during master AC switchover process. |
|
Updated BSS base information when BSS was in deactive state. |
|
Intrusion protection. |
|
Local AC or AP deleted BSS. |
|
BssDelAllSta event logged off client abnormally. |
|
Received VLAN deleted event. |
|
CM received message for logging off client from AM. |
|
The reset wlan client command was executed to log off the client. |
|
Deleted private data on AP: DBM database recovered. |
|
Failed to synchronize authentication succeeded message downstream. |
|
Client RSSI was lower than the threshold and was decreasing. |
|
Configured whitelist for the first time or executed the reset wlan client all command. |
|
Received client offline websocket message. |
|
WMAC logged off all clients associated with the radio. |
|
Timer for sending deassociation message timed out. |
|
The client is in blacklist or deleted from whitelist. |
|
Client was added to the dynamic blacklist. |
|
Failed to roam out. |
|
Implemented inter-AC roaming for the first time. |
|
Successfully roamed to another BSS. |
|
Failed to roam in. |
|
Roaming process received a message for logging off the client. |
|
Roaming process processed Down event and logged off roam-in clients. |
|
Roaming failure. |
|
Successfully performed roaming but failed to recover authentication data. |
|
Roaming timed out. |
|
Seamless roaming failed. |
|
Logged off clients that performed inter- or intra-AC roaming. |
|
Failed to process AccessCtrlChk. Configure permitted AP group or permitted SSID. |
|
Synchronized client information to process and logged off client. |
|
Failed to synchronize client state to uplink devices. |
|
Local AC or remote AP received Add Mobile message updated BSS and logged off clients. |
|
Upgraded HA and logged off all clients. |
|
Synchronized BSS data during master/backup AC switchover process. |
|
Failed to synchronize service template data during master/backup AC switchover process. |
|
BSS aging timer timed out. |
|
Remote AP deleted non-local forwarding BSS. |
|
Failed to find configuration data when synchronizing data. |
|
BSS was deleted: BSS synchronization examination failed or there was no BSS data to be updated. |
|
Failed to get BSS by using WLAN ID. |
|
Unbound inherited service template. |
|
STAMGR process was down automatically or manually. |
|
Deleted redundant clients. |
|
Failed to process authorized doing nodes. |
|
Authorization failed. |
|
NSS value in Operating Mode Notification Action packet doesn't support mandatory VHT-MCS. |
|
Number of sent SA requests exceeded the permitted threshold. |
|
Number of associated clients exceed the upper limit allowed by the AP. |
|
Number of associated clients exceed the upper limit allowed by the AC. |
|
Number of associated clients exceed the upper limit allowed by channel usage. |
|
Deauthenticated by WIPS countermeasure. |
|
Local AC came online again and deleted all clients associated with the BSS. |
|
Failed to upgrade hot-backup. |
|
The illegally created BSS was deleted. |
|
Failed to process requests when receiving UserAuth Success message. |
|
Failed to get AP type when receiving UserAuth Successful message. |
|
Failed to notify client of the recovery of basic client data from database. |
|
Failed to recover basic client data from database. |
|
Client already existed when the AC received Auth packet from the client and checked online clients. |
|
Client already existed during FT Over-the-DS authentication. |
|
SKA authentication failed. |
|
Deadline timer timed out during FT authentication. |
|
Failed to send the response for the successful shared key authentication to the client. |
|
Failed to get FT data during FT authentication. |
|
FT authentication was performed and BSS does not support FT. |
|
Failed to process FT authentication-success result. |
|
Failed to process FT authentication. |
|
Maximum number of clients already reached when remote request message was received. |
|
Failed to fill authorization information while processing authorization message. |
|
Failed to process key negotiation during 802.1X authentication. |
|
Invalid session key length during 802.1X authentication. |
|
802.1X authentication failed. |
|
802.1X server was unreachable. |
|
User timer timed out during 802.1X authentication. |
|
Server timer timed out during 802.1X authentication. |
|
802.1X authentication configuration error. |
|
Received nonexistent authorization VLAN group during 802.1X authentication. |
|
MAC authentication failed. |
|
MAC server was unreachable. |
|
Session time is zero during MAC authentication. |
|
Server timer timed out during MAC authentication. |
|
802.1X authentication failed and the return code is code. |
|
MAC authentication failed and the return code is code. |
|
Authorization failed for 802.1X authentication and the return code is code. |
|
Authorization failed for MAC authentication and the return code is code. |
|
Accounting start failed for 802.1X authentication and the return code is code. |
|
Accounting start failed for MAC authentication and the return code is code. |
|
Accounting update failed for 802.1X authentication and the return code is code. |
|
Accounting update failed for MAC authentication and the return code is code. |
|
Failed to receive client EAP request for 802.1X authentication. |
|
Failed to receive server response for 802.1X authentication. |
|
Failed to receive server response for MAC authentication. |
|
Received client log-off packet during 802.1X authentication. |
|
802.1X client handshake failed. |
|
Incorrect 802.1X authentication method. |
|
WLAN roaming center notified IP conflict detected by address security check. |
|
WLAN roaming center notified MAC conflict detected by address security check. |
|
Roaming failed because the user is in the local address security denylist. |
|
Failed to notify the uplink device of user authentication failure. |
|
Failed to advertise Add Mobile message: CAPWAP translation failure. |
|
Failed to advertise Add Mobile message: Invalid length. |
|
Failed to advertise Add Mobile message: Radio down. |
|
Failed to advertise Add Mobile message: Insufficient memory on the downlink device. |
|
Failed to advertise Add Mobile message: MAC adding failure. |
|
Failed to advertise Add Mobile message: AVL adding failure. |
|
Failed to advertise Add Mobile message: PBSS adding failure. |
|
Failed to advertise Add Mobile message: Downlink synchronization failure. |
|
Failed to advertise Add Mobile message: Statistics report timer creation failure. |
|
Failed to advertise Add Mobile message: AP private data obtaining failure. |
|
Failed to advertise Add Mobile message: Client not found for Add Mobile response. |
|
Failed to advertise Add Mobile message: Client was being deleted for Add Mobile response. |
|
Failed to advertise Add Mobile message: Insufficient memory in kernel. |
|
Failed to advertise Add Mobile message: Forward entry adding failure. |
|
Failed to advertise Add Mobile message: PHY obtaining failure. |
|
Failed to advertise Add Mobile message: Invalid length in kernel. |
|
Failed to advertise Add Mobile message: Client adding failure in driver. |
|
Failed to advertise Add Mobile message: Preamble type setting failure in driver. |
|
Failed to advertise Add Mobile message: Dot11g protection setting failure in driver. |
|
Failed to advertise Add Mobile message: PTK setting failure in driver. |
|
Failed to advertise Add Mobile message: PTK flag update failure. |
|
The client does not match a permit ACL rule. |
|
The client is in the dynamic blacklist. |
|
The client is in the static blacklist. |
|
The client is not in the whitelist. |
|
The number of clients exceed the maximum allowed value of radio. |
|
The number of clients exceed the maximum allowed value of BSS. |
|
Portal logged off the client after the client passed authentication. |
|
Executed the radio-load-balance band-navigation enable association-reject command and the number of rejections does not exceed the configured value. |
|
FT roaming failure: roam timeout. |
|
FT roaming failure: MD IE does not exist in authentication packet. |
|
FT roaming failure: FT IE does not exist in authentication packet. |
|
FT roaming failure: RSN IE does not exist in authentication packet. |
|
FT roaming failure: MD, FT or RSN IE missing at least two in authentication packet. |
|
FT roaming failure: MD, FT, or RSN IE decode error in authentication packet. |
|
FT roaming failure: Mobility domain id of MD IE does not match in authentication packet. |
|
FT roaming failure: Invalid MD IE length in authentication packet. |
|
FT roaming failure: Method of MD IE was not supported in authentication packet. |
|
FT roaming failure: Resource request protocol of MD IE was not supported in authentication packet. |
|
FT roaming failure: R0KHID of FT IE does not exist in authentication packet. |
|
FT roaming failure: R0KHID of FT IE does not match in authentication packet. |
|
FT roaming failure: Invalid RSN IE in authentication packet. |
|
FT roaming failure: PMK cache in device does not exist. |
|
FT roaming failure: SSID does not match. |
|
FT roaming failure: Security information does not match. |
|
FT roaming failure: PMKID does not match. |
|
FT roaming failure: PMKID does not exist in authentication packet. |
|
FT roaming failure: PMK cache in device does not find. |
|
FT roaming failure: PMKID was too many in authentication packet. |
|
FT roaming failure: Select roam policy timeout. |
|
FT roaming failure: Client cache aging-time was zero. |
|
FT roaming failure: MD IE does not exist in reassociation packet. |
|
FT roaming failure: FT IE does not exist in reassociation packet. |
|
FT roaming failure: RSN IE does not exist in reassociation packet. |
|
FT roaming failure: MD, FT, or RSN IE missing at least two in reassociation packet. |
|
FT roaming failure: MD, FT, or RSN IE decode error in reassociation packet. |
|
FT roaming failure: Mobility domain id of MD IE does not match in reassociation packet. |
|
FT roaming failure: Invalid MD IE length in reassociation packet. |
|
FT roaming failure: Method of MD IE was not supported in reassociation packet. |
|
FT roaming failure: Resource request protocol of MD IE was not supported in reassociation packet. |
|
FT roaming failure: R0KHID of FT IE does not exist in reassociation packet. |
|
FT roaming failure: R0KHID of FT IE does not match in reassociation packet. |
|
FT roaming failure: R1KHID of FT IE does not exist in reassociation packet. |
|
FT roaming failure: R1KHID of FT IE does not match in reassociation packet. |
|
FT roaming failure: ANONCE of FT IE does not match in reassociation packet. |
|
FT roaming failure: SNONCE of FT IE does not match in reassociation packet. |
|
FT roaming failure: MIC of FT IE does not match in reassociation packet. |
|
FT roaming failure: Invalid RSN IE in reassociation packet. |
|
FT roaming failure: PMKR1 of FT IE does not exist in reassociation packet. |
|
FT roaming failure: PMKR1 of FT IE does not match in reassociation packet. |
|
FT roaming failure: MD IE and FT IE do not exist but RSN IE of FT exists in authentication packet. |
|
FT roaming failure: MD IE and FT IE do not exist but RSN IE of FT exists in reassociation packet. |
|
FT roaming failure: PMKID was too many in reassociation packet. |
|
FT roaming failure: Roaming information does not match. |
STAMGR_CLIENT_OFFLINE
|
Message text |
Client [STRING] went offline from BSS [STRING] with SSID [STRING] on AP [STRING] Radio ID [STRING]. State changed to Unauth. Reason [STRING] |
|
Variable fields |
$1: MAC address of the client. $2: BSSID. $3: SSID defined in the service template. $4: Name of the AP associated with the client. $5: ID of the radio associated with the client. $6: Reason why the client goes offline. Table 9 describes the possible reasons. |
|
Severity level |
6 |
|
Example |
STAMGR/6/STAMGR_CLIENT_OFFLINE: Client 0023-8933-2147 went offline from BSS 0023-12ef-78dc with SSID abc on AP ap1 Radio ID 2. State changed to Unauth. Reason: Radio down. |
|
Explanation |
The client went offline from the BSS for a specific reason. The state of the client changed to Unauth. |
|
Recommended action |
To resolve the issue: 261. Examine whether the AP and its radios operate correctly if the client went offline abnormally. If the logoff was requested by the client, no action is required. 262. If they do not operate correctly, check the debugging information to locate the issue and resolve it. 263. If the issue persists, contact H3C Support. |
Table 9 Possible logoff reasons
|
Possible reasons |
|
Received disassociation frame in Run state: reason code=String. |
|
Unknown reason. |
|
AC received message for deleting the client entry. |
|
Different old and new region codes. |
|
Failed to update IGTK. |
|
Failed to update GTK. |
|
Failed to generate IGTK when the first client came online. |
|
TKIP is used to authenticate all clients. |
|
Channel changed. |
|
BssDelAllSta event logged off client normally. |
|
Radio down. |
|
Service template disabled. |
|
Service template unbound. |
|
Created BSS during master/backup AC switchover process. |
|
Updated BSS base information when BSS was in deactive state. |
|
Intrusion protection. |
|
Local AC or AP deleted BSS. |
|
BssDelAllSta event logged off client abnormally. |
|
Received VLAN deleted event. |
|
CM received message for logging off client from AM. |
|
The reset wlan client command was executed to log off the client. |
|
DBM database failed to recover client operation data. |
|
Deleted private data on AP: DBM database recovered. |
|
Received deauthentication frame in Run state: reason code=String. |
|
Failed to process (re)association request in Run state. |
|
Unmatched authentication algorithm in received authentication message. |
|
Idle timer timeout. |
|
Keepalive timer timeout. |
|
Received authentication failure message. |
|
Deauthenticated by WIPS countermeasure in Run state. |
|
Failed to synchronize authentication succeeded message downstream. |
|
Client RSSI was lower than the threshold and was marked as decreasing. |
|
Configured whitelist for the first time or executed the reset wlan client all command. |
|
Received client offline websocket message. |
|
WMAC logged off all clients associated with the radio. |
|
Timer for sending disassociation message timed out. |
|
The client is in blacklist or deleted from whitelist. |
|
Client was added to the dynamic blacklist. |
|
Failed to roam out. |
|
Implemented inter-AC roaming for the first time. |
|
Successfully roamed to another BSS. |
|
Failed to roam in. |
|
Roaming process received a message for logging off the client. |
|
Roaming process processed Down event and logged off roam-in clients. |
|
Roaming failure. |
|
Successfully performed roaming but failed to recover authentication data. |
|
Roaming timed out. |
|
Seamless roaming failed. |
|
Logged off clients that performed inter- or intra-AC roaming. |
|
Failed to process AccessCtrlChk when configured permitted AP group or permitted SSID. |
|
Synchronized client information to process and logged off client in Run state. |
|
Failed to synchronize client state to uplink/downlink devices. |
|
Local AC or remote AP received add mobile message, updated BSS, and logged off clients in Run state. |
|
Upgraded HA and logged off all clients. |
|
Synchronized BSS data during master/backup AC switchover process. |
|
Failed to synchronize service template data during master/backup AC switchover process. |
|
BSS aging timer timed out. |
|
Remote AP deleted non-local forwarding BSS. |
|
Failed to find configuration data when synchronizing data. |
|
BSS was deleted: BSS synchronization examination failed or there was no BSS data to be updated. |
|
Failed to get BSS by using WLAN ID. |
|
Unbound inherited service template. |
|
STAMGR process was down automatically or manually. |
|
Deleted redundant clients. |
|
Failed to process authorized doing nodes. |
|
Authorization failed. |
|
NSS value in Operating Mode Notification Action packet doesn't support mandatory VHT-MCS. |
|
Number of sent SA requests exceeded the permitted threshold. |
|
Fit AP received message for deleting the client. |
|
Local AC came online again and deleted all clients associated with the BSS. |
|
Failed to upgrade hot backup. |
|
The illegally created BSS was deleted. |
|
Failed to process requests when receiving UserAuth Success message. |
|
Failed to get AP type when receiving UserAuth Success message. |
|
The client doesn't support mandatory rate. |
|
Disabled access services for 802.11b clients. |
|
The client doesn't support mandatory VHT-MCS. |
|
Enabled the client dot11ac-only feature. |
|
Disabled MUTxBF. |
|
Disabled SUTxBF. |
|
The client doesn't support mandatory MCS. |
|
Channel bandwidth changed. |
|
Enabled the client dot11n-only feature. |
|
Disabled short GI. |
|
Disabled the A-MPDU aggregation method. |
|
Disabled the A-MSDU aggregation method. |
|
Disabled STBC. |
|
Disabled LDPC. |
|
The MIMO capacity decreased, and the MCS supported by the AP can't satisfy the client's negotiated MCS. |
|
The MIMO capacity decreased, and the VHT-MCS supported by the AP can't satisfy the client's negotiated VHT-MCS. |
|
Hybrid capacity increased, which kicked off clients associated with other radios with lower Hybrid capacity. |
|
Failed to add MAC address. |
|
The roaming entry doesn't exist while the AC was processing the roaming request during client smooth reconnection. |
|
Home AC processed the move out response message to update the roaming entry and notified the foreign AC to force the client offline during an inter-AC roaming. |
|
The associated AC left from the mobility group and deleted roam-in entries and roaming entries of the client. |
|
Executed the reset wlan mobility roaming command. |
|
Kicked client because of roaming to another BSSID. |
|
The roaming entry doesn't exist while the AC was processing the Add Preroam message during client smooth reconnection. |
|
Deleted roaming entries of clients in the fail VLAN while processing a fail VLAN delete event. |
|
Deleted the roaming entry of the client while processing a client delete event. |
|
Moving to another SSID on the same radio. |
|
Fail-permit activated and clients were logged off. |
|
Fail-permit deactivated and clients were logged off. |
|
AP triggered (idle timeout). |
|
AP triggered (channel change). |
|
AP triggered (bandwidth change). |
|
Received log-off packet from 802.1X authentication client. |
|
802.1X client handshake failed. |
|
Accounting update timed out for the 802.1X authentication client. |
|
Accounting update timed out for the MAC authentication client. |
|
802.1X authentication client idle cut on AP. |
|
MAC authentication client idle cut on AP. |
|
Session timeout timer expired for the 802.1X authentication client. |
|
Session timeout timer expired for the MAC authentication client. |
|
Received client disassociation message from server for the 802.1X authentication client. |
|
Received client disassociation message from server for the MAC authentication client. |
|
Received nonexistent authorization VLAN group for the 802.1X authentication client. |
|
Received nonexistent authorization VLAN group for the MAC authentication client. |
|
Total client traffic failed to reach the minimum traffic threshold. |
|
Failed to obtain the client IP address before the accounting delay timer expired. |
|
Forced client disassociation because of rate limit issued by DingTalk app. |
|
Logged off client because the EoGRE tunnel went down. |
|
IP conflict detected by address security check. |
|
MAC conflict detected by address security check. |
|
WLAN roaming center notified IP conflict detected by address security check. |
|
WLAN roaming center notified MAC conflict detected by address security check. |
|
Roaming failed because the user is in the local address security denylist. |
|
Failed to notify the uplink device of user authentication failure. |
|
The client does not match a permit ACL rule. |
|
The client is in the dynamic blacklist. |
|
The client is in the static blacklist. |
|
The client is not in the whitelist. |
|
Client supporting BTM roamed to another BSS (Count: Count) successfully. |
|
Client not supporting BTM roamed to another BSS (Count: Count) successfully. |
|
Client supporting BTM was navigated to 5GHz radio from 2.4GHz radio on the same AP (BTM requests: Count). |
|
Portal logged off the client after the client passed authentication. |
|
AP triggered client disassociation. |
|
Client connected to another BSSID. |
|
Received disconnecion-request frame from server for the 802.1X or MAC authentication client. |
|
IP address conflict detected by AC. |
|
Received eapol-logoff frame. |
|
Received eapol-logoff frame during 802.1X authentication. |
|
Previous online user entry removed by clear-previous-connection. |
|
Client IP change triggered accounting restart. |
|
Session timed out for the 802.1X or MAC authentication client. |
|
Fast keepalive failed. |
STAMGR_CLIENT_ONLINE
|
Message text |
Client [STRING] went online from BSS [STRING] vlan [STRING] with SSID [STRING] on AP [STRING] Radio ID [STRING]. State changed to Run. |
|
Variable fields |
$1: MAC address of the client. $2: BSSID. $3: ID of the VLAN in which the client came online. $4: SSID defined in the service template. $5: Name of the AP associated with the client. $6: ID of the radio associated with the client. |
|
Severity level |
6 |
|
Example |
STAMGR/6/STAMGR_CLIENT_ONLINE: Client 0023-8933-2147 went online from BSS 0023-12ef-78dc vlan 1 with SSID abc on AP ap1 Radio ID 2. State changed to Run. |
|
Explanation |
The client came online from the BSS. The state of the client changed to Run. |
|
Recommended action |
No action is required. |
STAMGR_CLEINT_RADIO_MAXCOUNT
|
Message text |
APName=[STRING]-RadioID=[STRING]; Number of associated clients reached the upper limit allowed by the radio. |
|
Variable fields |
$1: Name of the AP associated with the client. $2: ID of the radio associated with the client. |
|
Severity level |
5 |
|
Example |
STAMGR/5/STAMGR_CLIENT_RADIO_MAXCOUNT: APName=ap1-RadioID=2; Number of associated clients reached the upper limit allowed by the radio. |
|
Explanation |
The number of associated clients reached the upper limit allowed by the radio. |
|
Recommended action |
No action is required. |
STAMGR_CLIENT_SNOOPING
|
Message text |
Detected client IP change: Client MAC: [SRTING], IP: [STRING], [STRING], [STRING], Username: [STRING], AP name: [STRING], Radio ID [UCHAR], Channel number: [UINT32], SSID: [STRING], BSSID: [STRING]. |
|
Variable fields |
$1: MAC address of the client. $2: Current IP address of the client. $3: Used IP address of the client. $4: Used IP address of the client. $5: Username of the client. $6: Name of the AP associated with the client. $7: ID of the radio associated with the client. $8: ID of the channel used by the client. $9: SSID of the service template associated with the client. $10: BSSID of the service template associated with the client. |
|
Severity level |
6 |
|
Example |
STAMGR_CLIENT_SNOOPING: Detected client IP change: Client MAC: 31ac-11ea-17ff,IP: 4.4.4.4, IP: 1.1.1.1, IP: 2.2.2.2, IP: -NA-, User name: test, AP name: ap1, Radio ID: 1, Channel number: 161,SSID: 123, BSSID: 25c8-3dd5-261a. |
|
Explanation |
IP change was detected for a specific client. |
|
Recommended action |
No action is required. |
STAMGR_DELBAC_INFO
|
Message text |
Delete BAS AC [STRING]. |
|
Variable fields |
$1: MAC address of the BAS AC. |
|
Severity level |
6 |
|
Example |
STAMGR/6/STAMGR_DELBAC_INFO: Delete BAS AC 3ce5-a616-28cd. |
|
Explanation |
The BAS AC was disconnected from the master AC. |
|
Recommended action |
No action is required. |
STAMGR_DELSTA_INFO
|
Message text |
Delete client [STRING]. |
|
Variable fields |
$1: MAC address of the client. |
|
Severity level |
6 |
|
Example |
STAMGR/6/STAMGR_DELSTA_INFO: Delete client 3ce5-a616-28cd. |
|
Explanation |
The client was disconnected from the BAS AC. |
|
Recommended action |
No action is required. |
STAMGR_ESCAPE_ACTIVE
|
Message text |
The fail-permit mode was activated on radio [STRING] bound with service template [STRING] and SSID [STRING] in BSS [STRING]. Reason: [STRING]. |
|
Variable fields |
$1: Radio ID. $2: Service template name. $3: SSID. $4: BSSID. $5: Reason why the fail-permit mode was activated. Options include: ¡ Unreachable domain—The RADIUS server cannot be reached. ¡ AP disconnected from the AC. |
|
Severity level |
4 |
|
Example |
STAMGR/4/STAMGR_ESCAPE_ACTIVE: The fail-permit mode was activated on radio 1 bound with service template st1 and SSID st1ssid in BSS 0023-12ef-78dc. Reason: AP disconnected from AC. |
|
Explanation |
The configured fail-prmit mode was activated because the RADIUS server cannot be reached or the AP is disconnected from the AC. |
|
Recommended action |
To resolve the issue: 264. Verify that the RADIUS server can be reached and the AP is connected to the AC correctly. 265. If the issue persists, contact H3C Support. |
STAMGR_ESCAPE_DEACTIVE
|
Message text |
The fail-permit mode was deactivated on radio [STRING] bound with service template [STRING] and SSID [STRING] in BSS [STRING]. Reason: [STRING]. |
|
Variable fields |
$1: Radio ID. $2: Service template name. $3: SSID. $4: BSSID. $5: Reason why the fail-permit mode was deactivated. Options include: ¡ Domain is reachable—Connection to the RADIUS server was restored. ¡ AP and AC connection restored. |
|
Severity level |
6 |
|
Example |
STAMGR/6/STAMGR_ESCAPE_DEACTIVE: The fail-permit mode was deactivated on radio 1 bound with service template st1 and SSID st1ssid in BSS 0023-12ef-78dc. Reason: AP and AC connection restored. |
|
Explanation |
The configured fail-prmit mode was deactivated because connection to the RADIUS server or the AP and AC connection was restored. |
|
Recommended action |
No action is required. |
STAMGR_DOMAIN_UNREACHABLE
|
Message text |
Domain [STRING] configured in service template [STRING] with SSID [STRING] is unreachable. |
|
Variable fields |
$1: Domain name. $2: Service template name. $3: SSID. |
|
Severity level |
4 |
|
Example |
STAMGR/4/STAMGR_DOMAIN_UNREACHABLE: Domain mydomain configured in service template st1 with SSID ssidst1 is unreachable. |
|
Explanation |
The authentication domain configured in the service template cannot be reached. |
|
Recommended action |
To resolve the issue: 266. Verify that the RADIUS server can be reached. 267. If the issue persists, contact H3C Support. |
STAMGR_DOMAIN_REACHABLE
|
Message text |
Domain [STRING] configured in service template [STRING] with SSID [STRING] is reachable. |
|
Variable fields |
$1: Domain name. $2: Service template name. $3: SSID. |
|
Severity level |
6 |
|
Example |
STAMGR/6/STAMGR_DOMAIN_REACHABLE: Domain mydomain configured in service template st1 with SSID ssidst1 is reachable. |
|
Explanation |
Connection to the authentication domain configured in the service template restored. |
|
Recommended action |
No action is required. |
STAMGR_MACA_LOGIN_FAILURE
|
Message text |
|
|
Variable fields |
$1: Username. $2: MAC address of the client. $3: SSID. $4: Name of the AP associated with the client. $5: ID of the radio associated with the client. $6: VLAN ID. $7: Username format: · fixed. · MAC address. $8: Reason for the authentication failure: · AAA processed authentication request and returned error code code. ¡ 4—Represents one of the following errors: nonexistent authentication domain, service type error, or incorrect username or password. ¡ 8—Represents one of the following errors: no IP addresses are added to the authentication server, preshared keys configured on the authentication server are different from preshared keys configured on the device, or the authentication server and the device cannot reach each other. ¡ 26—Configuration error exists in the authentication domain. · AAA processed authorization request and returned error code code. ¡ 8—The authentication server and the device cannot reach each other. · Client timeout timer expired. · Received user security information and kicked off the client. · Accounting-update timer expired, and no responses were received from the server. · Kicked off the client when the idle timeout timer expired. · Authentication method error. · Kicked off the client because the server-assigned session timeout timer is 0. · Received session disconnection event. · Unknown reason. |
|
Severity level |
5 |
|
Example |
|
|
Explanation |
The client failed to pass MAC authentication for a specific reason. |
|
Recommended action |
To resolve the issue: 268. Examine the network connection between the device and the AAA server. 269. Verify that the AAA server works correctly. 270. Verify that the AAA server is configured with the correct username and password. 271. Troubleshoot errors one by one according to the returned error code during authentication. 272. If the issue persists, contact H3C Support. |
STAMGR_MACA_LOGIN_SUCC
|
Message text |
|
|
Variable fields |
$1: Username. $2: MAC address of the client. $3: SSID. $4: Name of the AP associated with the client. $5: ID of the radio associated with the client. $6: VLAN ID. $7: Username format: · fixed. · MAC address. |
|
Severity level |
6 |
|
Example |
|
|
Explanation |
The client came online after passing MAC authentication. |
|
Recommended action |
No action is required. |
STAMGR_MACA_LOGOFF
|
Message text |
|
|
Variable fields |
$1: Username. $2: MAC address of the client. $3: SSID. $4: Name of the AP associated with the client. $5: ID of the radio associated with the client. $6: VLAN ID. $7: Username format: · fixed. · MAC address. $8: Reason why the client is logged off. · AAA processed authentication request and returned error code code. Server reason: reason. · The reason field represents the reason returned from the server and is available only when the server returned a reason. Available error codes include: ¡ 4—Represents one of the following errors: nonexistent authentication domain, service type error, or incorrect username or password. ¡ 8—Represents one of the following errors: no IP addresses are added to the authentication server, preshared keys configured on the authentication server are different from preshared keys configured on the device, or the authentication server and the device cannot reach each other. ¡ 26—Configuration error exists in the authentication domain. · AAA processed authorization request and returned error code code. Server reason: reason. · The reason field represents the reason returned from the server and is available only when the server returned a reason. Available error codes include: ¡ 8—The authentication server and the device cannot reach each other. · AAA processed accounting-start request and returned error code code. Server reason: reason. · The reason field represents the reason returned from the server and is available only when the server returned a reason. Available error codes include: ¡ 8—The authentication server and the device cannot reach each other. · AAA processed accounting-update request and returned error code code. Server reason: reason. · The reason field represents the reason returned from the server and is available only when the server returned a reason. Available error codes include: ¡ 8—The authentication server and the device cannot reach each other. · Client timeout timer expired. · Received user security information and kicked off the client. · Lost in shaking hands. · Accounting-update timer expired, and no responses were received from the server. · Kicked off the client when the idle timeout timer expired. · Authentication method error. · Kicked off the client because the server-assigned session timeout timer is 0. · Received session disconnection event. · Received disassociation frame in Run state: reason code=code. · Received deauthentication frame in Run state: reason code=code. · Received disassociation packet in Userauth state. · Received deauthentication packet in Userauth state. · Received client failure message with reason code=code. · Received client offline message with reason code=code. · Unknown reason. |
|
Severity level |
6 |
|
Example |
|
|
Explanation |
The MAC authenticated client was logged off for a specific reason. |
|
Recommended action |
To resolve the issue: 273. Check the debugging information to locate the logoff cause and remove the issue. If the logoff was requested by the client, no action is required. 274. If the issue persists, contact H3C Support. |
STAMGR_ROAM_FAILED
|
Message text |
Client [MAC] on AP [STRING] Radio ID [STRING] failed to roam with reason code [UINT32]. |
|
Variable fields |
$1: MAC address of the client. $2: Name of the AP associated with the client. $3: ID of the radio associated with the client. $4: Reason code for the roaming failure: · 1—Failed to select a roaming policy. · 2—Insufficient memory resources. · 3—Network communication failures. · 4—Lack of local roaming entries. · 5—Failed to add a VLAN. |
|
Severity level |
4 |
|
Example |
STAMGR/4/STAMGR_ROAM_FAILED: Client 001f-3ca8-1092 on AP ap1 Radio ID 2 failed to roam with reason code 1. |
|
Explanation |
The client failed to roam for a specific reason. |
|
Recommended action |
To resolve the issue, depending on the reason code: · 1—Use the display wlan client verbose command to verify that the authentication method has changed. · 2—Use the display process memory command to check memory resource usage for each module. · 3—Use the display wlan mobility group command to check the IACTP tunnel state. · 4—Use the display wlan mobility group command to check the IACTP tunnel state. · 5—Check the trace.log file for VLAN adding failure reason. |
STAMGR_ROAM_SUCCESS
|
Message text |
Client [MAC] roamed from BSSID [MAC] on AP [STRING] Radio ID [STRING] of AC IP [IPADDR] to BSSID [MAC] on AP [STRING] Radio ID [STRING] of AC IP [IPADDR] successfully. |
|
Variable fields |
$1: MAC address of the client. $2: BSSID of the AP associated with the client before roaming. $3: Name of the AP associated with the client before roaming. $4: ID of the radio associated with the client before roaming. $5: IP address of the AC associated with the client before roaming. $6: BSSID of the AP associated with the client after roaming. $7: Name of the AP associated with the client after roaming. $8: ID of the radio associated with the client after roaming. $9: IP address of the AC associated with the client after roaming. |
|
Severity level |
6 |
|
Example |
STAMGR/6/STAMGR_ROAM_SUCCESS: Client 0021-005f-dffd roamed from BSSID 000f-e289-6ad0 on AP ap1 Radio ID 2 of AC IP 172.25.0.81 to BSSID 000f-e2ab-baf0 on AP ap2 Radio ID 2 of AC IP 172.25.0.82 successfully. |
|
Explanation |
The client roamed successfully. |
|
Recommended action |
No action is required. |
STAMGR_SAVI_BIND
|
Message text |
Bound IP address [STRING] to client [STRING] associated with radio [STRING] of AP [STRING] in BSS [STRING] with SSID [STRING]. Binding type: [STRING]. |
|
Variable fields |
$1: IP address of the client. $2: MAC address of the client. $3: ID of the radio associated with the client. $4: Name of the AP associated with the client. $5: BSSID. $6: SSID of the service template. $7: IP address binding type: · DHCP. · DHCPv6. · ND. |
|
Severity level |
6 |
|
Example |
STAMGR/6/STAMGR_SAVI_BIND: Bound IP address 192.168.1.1 to client b0f9-6393-72e0 associated with radio 2 of AP ap1 in BSS b0f9-6393-72f0 with SSID abc. Binding type: DHCP. |
|
Explanation |
The device created an SAVI binding entry. |
|
Recommended action |
No action is required. |
STAMGR_SAVI_UNBIND
|
Message text |
Unbound IP address [STRING] from client [STRING] associated with radio [STRING] of AP [STRING] in BSS [STRING] with SSID [STRING]. |
|
Variable fields |
$1: IP address of the client. $2: MAC address of the client. $3: ID of the radio associated with the client. $4: Name of the AP associated with the client. $5: BSSID. $6: SSID of the service template. |
|
Severity level |
6 |
|
Example |
STAMGR/6/STAMGR_SAVI_UNBIND: Unbound IP address 192.168.1.1 from client b0f9-6393-72e0 associated with radio 2 of AP ap1 in BSS b0f9-6393-72f0 with SSID abc. |
|
Explanation |
The device deleted an SAVI binding entry. |
|
Recommended action |
No action is required. |
STAMGR_SAVI_UNKNOWN_SOURCE_IP
|
Message text |
Received a data packet with unknown source IP [STRING] destined to IP [STRING] from client [STRING] associated with radio [STRING] of AP [STRING] in BSS [STRING] with SSID [STRING]. IP protocol: [STRING]. |
|
Variable fields |
$1: Source IP address. $2: Destination IP address. $3: MAC address of the client. $4: ID of the radio associated with the client. $5: Name of the AP associated with the client. $6: BSSID. $7: SSID of the service template. $8: IP protocol version. |
|
Severity level |
6 |
|
Example |
STAMGR/6/STAMGR_SAVI_UNKNOWN_SOURCE_IP: Received a data packet with unknown source IP 192.168.1.1 destined to IP 192.168.1.2 from client 0023-8933-2147 associated with radio 2 of AP ap1 in BSS 0023-12ef-78dc with SSID abc. IP protocol: 17. |
|
Explanation |
The device received a data packet with a source IP address that does not match any SAVI binding entries. |
|
Recommended action |
No action is required. |
STAMGR_SERVICE_FAILURE
|
Message text |
Service failure occurred on BSS [STRING] after service template [STRING] with SSID [STRING] was bound to radio [STRING] on AP [STRING] with AP ID [STRING]. Reason: [STRING], code=0x[STRING]. |
|
Variable fields |
$1: BSSID. $2: Name of the service template. $3: SSID defined in the service template. $4: Radio ID. $5: AP name. $6: AP ID. $7: Reason for the service failure, as described in Table 10. $8: Error code. |
|
Severity level |
6 |
|
Example |
STAMGR/6/SERVICE_FAILURE: Service failure occurred on BSS 0023-12ef-78dc after service template st1 with SSID st1ssid was bound to radio 1 on AP ap1 with AP ID 1. Reason: Failed to activate BSS when AP came online, code=0x61140001. |
|
Explanation |
After the AP came online, BSS activation failed for a specific reason with error code 0x61140001. |
|
Recommended action |
To resolve the issue: 275. Check the debugging information to locate the failure cause and remove the issue. 276. If the issue persists, contact H3C Support. |
Table 10 Possible service failure reasons
|
Possible reasons |
|
Failed to create a BSS interface during smooth BSS interface creation. |
|
Replied with failure to transmit interface creation node during smooth BSS interface creation. |
|
Failed to set forwarding location during smooth recovery of AP data. |
|
Failed to initiate a series of locations during smooth recovery of AP data. |
|
Failed to send message of creating BSS interface to worker thread during smooth recovery of AP data. |
|
Failed to create handle during smooth recovery of AP data. |
|
Failed to activate BSS during smooth recovery of AP data. |
|
Failed to set kernel forwarding table during smooth recovery of AP data. |
|
Failed to create BSS node when AP came online. |
|
Failed to create BSS handle when AP came online. |
|
Insufficient memory for creating BSS node when AP came online. |
|
Failed to get radio private data while creating BSS node in general process. |
|
Failed to initiate a series of locations while creating BSS node in general process. |
|
Failed to set kernel forwarding table while creating BSS node in general process. |
|
Failed to create BSS node during smooth recovery of BSS data. |
|
Failed to get AP location while recovering BSS running data from DBM. |
|
Failed to get radio private data while recovering BSS running data from DBM. |
|
Failed to add BSS index to interface index while recovering BSS running data from DBM. |
|
Failed to create BSS handle when hierarchy device received Add WLAN message. |
|
Failed to initiate a series of locations when hierarchy device received Add WLAN message. |
|
Failed to set forwarding location when hierarchy device received Add WLAN message. |
|
Failed to send message to worker thread when hierarchy device received Add WLAN message. |
|
Failed to set kernel forwarding table when hierarchy device received Add WLAN message. |
|
Failed to activate BSS when hierarchy device received Add WLAN message. |
|
Failed to issue Add WLAN message when hierarchy device received Add WLAN message. |
|
Failed to activate BSS when service template was bound. |
|
Failed to create BSS node when service template was bound. |
|
Failed to create BSS handle when service template was bound. |
|
Failed to add bind node to mapped radio list of the service template while recovering service template binding information for service thread from pending database. |
|
Failed to create BSS node while recovering service template binding information for service thread from pending database. |
|
Failed to add bind node to mapped radio list of the service template while creating BSS from Merger. |
|
Failed to create BSS node while creating BSS from Merger. |
|
Failed to apply for memory while creating BSS node. |
|
Failed to calculate BSSID while creating BSS node. |
|
Service thread received interface creation failure while creating BSS interface during smooth recovery of AP data. |
|
Failed to add BSS index to interface index while creating BSS interface during smooth recovery of AP data. |
|
Failed to add VLAN on the interface while creating BSS interface during smooth recovery of AP data. |
|
Failed to set the source MAC address of the interface while creating BSS interface during smooth recovery of AP data. |
|
Failed to set kernel forwarding table while creating BSS interface during smooth recovery of AP data. |
|
Failed to activate BSS while creating BSS interface during smooth recovery of AP data. |
|
Replied with failure to transmit interface creation node when hierarchy device created an interface accordingly. |
|
Failed to create BSS interface when BSS created an interface accordingly. |
|
Failed to add BSS index to interface index when BSS created an interface accordingly. |
|
Failed to add VLAN on the interface when BSS created an interface accordingly. |
|
Failed to set source MAC address of the interface when BSS created an interface accordingly. |
|
Failed to set kernel forwarding table when BSS created an interface accordingly. |
|
Failed to issue ADD BSS message when BSS created an interface accordingly. |
|
Replied with failure to transmit interface creation node when hierarchy device created an interface accordingly for an invalid interface. |
|
Created BSS rollback for failed resources while issuing ADD BSS message callback. |
|
Failed to enable packet socket while recovering BSS running data from DBM. |
|
Failed to create BSS node while recovering BSS running data from DBM. |
|
Failed to initiate BSS while creating BSS node. |
|
Failed to activate BSS when service template was enabled. |
|
Invalid BSS interface index while upgrading BSS with AP private data. |
|
Failed to upgrade backup BSS to real BSS while upgrading BSS with AP private data. |
|
Failed to set kernel forwarding table while upgrading BSS with AP private data. |
|
Failed to activate BSS while upgrading BSS with AP private data. |
|
Invalid BSS interface index while upgrading BSS without AP private data. |
|
Failed to set kernel forwarding table while upgrading BSS without AP private data. |
|
Failed to activate BSS while upgrading BSS without AP private data. |
|
Failed to create BSS interface while creating general BSS process. |
|
Failed to activate BSS during smooth recovery of BSS data. |
|
Failed to activate BSS while recovering service template binding information for service thread from pending database. |
|
Failed to activate BSS while creating BSS from Merger. |
|
Failed to activate BSS when AP came online. |
|
Failed to activate BSS when other module sent activation request. |
|
Failed to activate BSS when other module received activation request. |
|
Failed to send response node of creating interface while creating interface during smooth recovery of AP data. |
|
Failed to add BSS index to interface index when hierarchy device created an interface accordingly. |
|
Failed to add VLAN on the interface when hierarchy device created an interface accordingly. |
|
Failed to set source MAC address of the interface when hierarchy device created an interface accordingly. |
|
Failed to set kernel forwarding table when hierarchy device created an interface accordingly. |
|
Failed to activate BSS when hierarchy device created an interface accordingly. |
|
Failed to issue Add BSS message when hierarchy device created an interface accordingly. |
|
Insufficient memory when hierarchy device received BSS creation message. |
|
Failed to fill BSS basic data when hierarchy device received BSS creation message. |
|
Failed to initiate BSS service phase when hierarchy device received BSS creation message. |
|
Failed to receive Add WLAN message when hierarchy device received BSS creation message. |
|
Failed to get radio private data because of invalid AP ID when hierarchy device received BSS creation message. |
|
Failed to get radio private data because of invalid radio ID when hierarchy device received BSS creation message. |
|
Failed to get radio private data when hierarchy device received Add WLAN message. |
|
Failed to issue message when hierarchy device received Add WLAN message. |
|
Failed to get BSS data through WLAN ID during smooth recovery of BSS data. |
|
Failed to issue Add WLAN message while creating BSS node in general process. |
|
Failed to create BSS interface when hierarchy device created an interface accordingly. |
|
Failed to create BSS interface when hierarchy device created an interface accordingly for an invalid interface. |
|
Failed to set forwarding location while creating BSS node in general process. |
|
Replied with failure to transmit interface creation node when BSS created an interface accordingly. |
|
Failed to update BSS key data when hierarchy device received Add WLAN message. |
|
Replied with failure to transmit interface creation node when BSS created an interface accordingly for an existing BSS. |
STAMGR_SERVICE_OFF
|
Message text |
BSS [STRING] was deleted after service template [STRING] with SSID [STRING] was unbound from radio [STRING] on AP [STRING]. Reason: [STRING]. |
|
Variable fields |
$1: BSSID. $2: Name of the service template. $3: SSID defined in the service template. $4: Radio ID. $5: AP name. $6: Reason for the BSS deletion. · Unknown reason. · AP down. · Deleted BSS with the Delete mark when inter-AC BSS smooth ended. · Hierarchy device received BSS delete message. · Deleted AP private data from APMGR when AP smooth ended. · WLAS was triggered, and service was shut down temporarily. · Intrusion protection was triggered, and service was shut down permanently. · Service module received Update WLAN message when BSS was inactive. · Disabled service template. · Unbound service template. · Deleted BSS with the Delete mark when inter-AC AP smooth ended. · BSS aging timer timed out. · Deleted non-local forwarding BSS when AP enabled with remote AP went offline. · Failed to find configuration data while synchronizing data. · AP did not come online or service template was disabled. · Failed to find the WLAN ID from APMGR while BSS was smoothing WLAN ID. · Unbound inherited service template. · The stamgr process became down automatically or was shut down manually. · Failed to use AP private data to upgrade backup BSS. · Failed to upgrade backup BSS. · Failed to synchronize service template data to the Merger bind list while upgrading backup data. |
|
Severity level |
6 |
|
Example |
STAMGR/6/SERVICE_OFF: BSS 0023-12ef-78dc was deleted after service template st1 with SSID st1ssid was unbound from radio 1 on AP ap1. Reason: Failed to find configuration data while synchronizing data. |
|
Explanation |
The BSS was deleted for a specific reason. |
|
Recommended action |
To resolve the issue: 277. Verify that the BSS is deleted as requested. If the BSS is deleted as requested, no action is required. 278. Locate the deletion cause and remove the issue if the BSS is deleted abnormally, 279. If the issue persists, contact H3C Support. |
STAMGR_SERVICE_ON
|
Message text |
BSS [STRING] was created after service template [STRING] with SSID [STRING] was bound to radio [STRING] on AP [STRING]. |
|
Variable fields |
$1: BSSID. $2: Name of the service template. $3: SSID defined in the service template. $4: Radio ID. $5: AP name. |
|
Severity level |
6 |
|
Example |
STAMGR/6/SERVICE_ON: BSS 0023-12ef-78dc was created after service template st1 with SSID 1 was bound to radio 1 on AP ap1. |
|
Explanation |
The BSS was created. |
|
Recommended action |
No action is required. |
STAMGR_STA_ADDMOB_LKUP_ENDOFIOCTL
|
Message text |
APID=[UINT32]-MAC=[STRING]-BSSID=[STRING]; AC doesn't need to send client information to uplink device: Client information already arrived at the end of the IOCTL tunnel. |
|
Variable fields |
$1: ID of the AP associated with the client. $2: MAC address of the client. $3: BSSID of the service template associated with the client. |
|
Severity level |
7 |
|
Example |
STAMGR/7/STAMGR_STA_ADDMOB_LKUP_ENDOFIOCTL: APID=667-MAC=d4f4-6f69-d7a1-BSSID=600b-0301-d5a0; The AC doesn't need to send client information to uplink device: Client information already arrived at the end of the IOCTL tunnel. |
|
Explanation |
The AC does not need to send client information to the uplink device because client information already arrived at the end of the IOCTL tunnel. |
|
Recommended action |
To resolve the issue depending on the network infrastructure: · Fit AP+AC network—No action is required if this message is output. If no message is output, locate the issue according to the debugging information and resolve the issue. · AC hierarchical network—No action is required if this message is output by the central AC. If this message is output by a local AC, locate the issue according to the debugging information and resolve the issue. |
STAMGR_STAIPCHANGE_INFO
|
Message text |
IP address of client [STRING] changed to [STRING]. |
|
Variable fields |
$1: MAC address of the client. $2: New IP address of the client. |
|
Severity level |
6 |
|
Example |
STAMGR/6/STAMGR_STAIPCHANGE_INFO: IP address of client 3ce5-a616-28cd changed to 4.4.4.4. |
|
Explanation |
The IP address of the client was updated. |
|
Recommended action |
No action is required. |
STAMGR_TRIGGER_IP
|
Message text |
|
|
Variable fields |
$1: SSID. $2: MAC address of the client. $3: Name of the AP associated with the client. $4: ID of the radio associated with the client. $5: ID of the access VLAN. $6: Action: · Added the user to the blocked MAC address list. · Closed the user's BSS temporarily. · Closed the user's BSS permanently. |
|
Severity level |
5 |
|
Example |
|
|
Explanation |
Intrusion protection was triggered and the action was displayed. |
|
Recommended action |
No action is required. |
STM messages
This section contains IRF messages.
STM_AUTO_UPDATE_FAILED
|
Message text |
Slot [UINT32] auto-update failed. Reason: [STRING]. |
|
Variable fields |
$1: IRF member ID. $2: Failure reason: ¡ Timeout when loading—The IRF member device failed to complete loading software within the required time period. ¡ Wrong description when loading—The file description in the software image file does not match the current attributes of the software image. This issue might occur when the file does not exist or is corrupted. ¡ Disk full when writing to disk—The subordinate device does not have sufficient storage space. |
|
Severity level |
4 |
|
Example |
STM/4/STM_AUTO_UPDATE_FAILED: Slot 5 auto-update failed. Reason: Timeout when loading. |
|
Explanation |
Software synchronization from the master failed on a subordinate device. |
|
Recommended action |
280. Remove the issue depending on the failure reason: ¡ If the failure reason is Timeout when loading, verify that all IRF links are up. ¡ If the failure reason is Wrong description when loading, download the software images again. ¡ If the failure reason is Disk full when writing to disk, delete unused files to free the storage space. 281. Upgrade software manually for the device to join the IRF fabric, and then connect the device to the IRF fabric. |
STM_AUTO_UPDATE_FAILED
|
Message text |
Chassis [UINT32] slot [UINT32] auto-update failed. Reason: [STRING]. |
|
Variable fields |
$1: IRF member ID. $2: Slot number of an MPU. $3: Failure reason: ¡ Timeout when loading—The MPU failed to complete loading software within the required time period. ¡ Wrong description when loading—The file description in the software image file does not match the current attributes of the software image. This issue might occur when the file does not exist or is corrupted. ¡ Disk full when writing to disk—The MPU does not have sufficient storage space. |
|
Severity level |
4 |
|
Example |
STM/4/STM_AUTO_UPDATE_FAILED: Chassis 1 slot 1 auto-update failed. Reason: Timeout when loading. |
|
Explanation |
Software synchronization from the master failed on an MPU. |
|
Recommended action |
282. Remove the issue depending on the failure reason: ¡ If the failure reason is Timeout when loading, verify that all IRF links are up. ¡ If the failure reason is Wrong description when loading, download the software images again. ¡ If the failure reason is Disk full when writing to disk, delete unused files to free the storage space. 283. Upgrade software manually for the device that holds the MPU, and then connect the device to the IRF fabric. |
STM_AUTO_UPDATE_FINISHED
|
Message text |
File loading finished on slot [UINT32]. |
|
Variable fields |
$1: IRF member ID. |
|
Severity level |
5 |
|
Example |
STM/5/STM_AUTO_UPDATE_FINISHED: File loading finished on slot 3. |
|
Explanation |
The member device finished loading software images. |
|
Recommended action |
No action is required. |
STM_AUTO_UPDATE_FINISHED
|
Message text |
File loading finished on chassis [UINT32] slot [UINT32]. |
|
Variable fields |
$1: IRF member ID. $2: Slot number of an MPU. |
|
Severity level |
5 |
|
Example |
STM/5/STM_AUTO_UPDATE_FINISHED: File loading finished on chassis 1 slot 3. |
|
Explanation |
The MPU finished loading software images. |
|
Recommended action |
No action is required. |
STM_AUTO_UPDATING
|
Message text |
Don't reboot the slot [UINT32]. It is loading files. |
|
Variable fields |
$1: IRF member ID. |
|
Severity level |
5 |
|
Example |
STM/5/STM_AUTO_UPDATING: Don't reboot the slot 2. It is loading files. |
|
Explanation |
The member device is loading software images. To avoid software upgrade failure, do not reboot the member device. |
|
Recommended action |
No action is required. |
STM_AUTO_UPDATING
|
Message text |
Don't reboot the chassis [UINT32] slot [UINT32]. It is loading files. |
|
Variable fields |
$1: IRF member ID. $2: Slot number of an MPU. |
|
Severity level |
5 |
|
Example |
STM/5/STM_AUTO_UPDATING: Don't reboot the chassis 1 slot 2. It is loading files. |
|
Explanation |
The MPU is loading software images. To avoid software upgrade failure, do not reboot the MPU. |
|
Recommended action |
No action is required. |
STM_LINK_DOWN
|
Message text |
IRF port [UINT32] went down. |
|
Variable fields |
$1: IRF port name. |
|
Severity level |
3 |
|
Example |
STM/3/STM_LINK_DOWN: IRF port 2 went down. |
|
Explanation |
This event occurs when all physical interfaces bound to an IRF port are down. |
|
Recommended action |
Check the physical interfaces bound to the IRF port. Make sure a minimum of one member physical interface is up. |
STM_LINK_TIMEOUT
|
Message text |
IRF port [UINT32] went down because the heartbeat timed out. |
|
Variable fields |
$1: IRF port name. |
|
Severity level |
2 |
|
Example |
STM/2/STM_LINK_TIMEOUT: IRF port 1 went down because the heartbeat timed out. |
|
Explanation |
The IRF port went down because of heartbeat timeout. |
|
Recommended action |
Check the IRF link for link failure. |
STM_LINK_UP
|
Message text |
IRF port [UINT32] came up. |
|
Variable fields |
$1: IRF port name. |
|
Severity level |
6 |
|
Example |
STM/6/STM_LINK_UP: IRF port 1 came up. |
|
Explanation |
An IRF port came up. |
|
Recommended action |
No action is required. |
STM_MERGE
|
Message text |
IRF merge occurred. |
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
STM/4/STM_MERGE: IRF merge occurred. |
|
Explanation |
IRF merge occurred. |
|
Recommended action |
No action is required. |
STM_MERGE_NEED_REBOOT
|
Message text |
IRF merge occurred. This IRF system needs a reboot. |
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
STM/4/STM_MERGE_NEED_REBOOT: IRF merge occurred. This IRF system needs a reboot. |
|
Explanation |
You must reboot the current IRF fabric for IRF merge, because it failed in the master election. |
|
Recommended action |
Log in to the IRF fabric, and use the reboot command to reboot the IRF fabric. |
STM_MERGE_NOT_NEED_REBOOT
|
Message text |
IRF merge occurred. This IRF system does not need to reboot. |
|
Variable fields |
N/A |
|
Severity level |
5 |
|
Example |
STM/5/STM_MERGE_NOT_NEED_REBOOT: IRF merge occurred. This IRF system does not need to reboot. |
|
Explanation |
You do not need to reboot the current IRF fabric for IRF merge, because it was elected the master. |
|
Recommended action |
Reboot the IRF fabric that has failed in the master election to finish the IRF merge. |
STM_SAMEMAC
|
Message text |
Failed to stack because of the same bridge MAC addresses. |
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
STM/4/STM_SAMEMAC: Failed to stack because of the same bridge MAC addresses. |
|
Explanation |
Failed to set up the IRF fabric because some member devices are using the same bridge MAC address. |
|
Recommended action |
284. Verify that IRF bridge MAC persistence is disabled on the member devices. To disable this feature, use the undo irf mac-address persistent command. 285. If the problem persists, contact H3C Support. |
STM_SOMER_CHECK
|
Message text |
Neighbor of IRF port [UINT32] cannot be stacked. |
|
Variable fields |
$1: IRF port name. |
|
Severity level |
3 |
|
Example |
STM/3/STM_SOMER_CHECK: Neighbor of IRF port 1 cannot be stacked. |
|
Explanation |
The neighbor connected to the IRF port cannot form an IRF fabric with the device. |
|
Recommended action |
Check the following items: · The device models can form an IRF fabric. · The IRF settings are correct. For more information, see the IRF configuration guide for the device. |
STP messages
This section contains STP messages.
STP_BPDU_PROTECTION
|
Message text |
BPDU-Protection port [STRING] received BPDUs. |
|
Variable fields |
$1: Interface name. |
|
Severity level |
4 |
|
Example |
STP/4/STP_BPDU_PROTECTION: BPDU-Protection port Ethernet1/0/4 received BPDUs. |
|
Explanation |
A BPDU-guard-enabled port received BPDUs. |
|
Recommended action |
Check whether the downstream device is a terminal and check for possible attacks from the downstream device or other devices. |
STP_BPDU_RECEIVE_EXPIRY
|
Message text |
Instance [UINT32]'s port [STRING] received no BPDU within the rcvdInfoWhile interval. Information of the port aged out. |
|
Variable fields |
$1: Instance ID. $2: Interface name. |
|
Severity level |
5 |
|
Example |
STP/5/STP_BPDU_RECEIVE_EXPIRY: Instance 0's port GigabitEthernet0/4/1 received no BPDU within the rcvdInfoWhile interval. Information of the port aged out. |
|
Explanation |
The state of a non-designated port changed because the port did not receive a BPDU within the max age. |
|
Recommended action |
Check the STP status of the upstream device and possible attacks from other devices. |
STP_CONSISTENCY_RESTORATION
|
Message text |
|
|
Variable fields |
$1: VLAN ID. $2: Interface name. |
|
Severity level |
6 |
|
Example |
STP/6/STP_CONSISTENCY_RESTORATION: Consistency restored on VLAN 10's port GigabitEthernet0/1/1. |
|
Explanation |
Port link type or PVID inconsistency was removed on a port. |
|
Recommended action |
No action is required. |
STP_DETECTED_TC
|
Message text |
[STRING] [UINT32]'s port [STRING] detected a topology change. |
|
Variable fields |
$1: Instance or VLAN. $2: Instance ID or VLAN ID. $3: Interface name. |
|
Severity level |
6 |
|
Example |
STP/6/STP_DETECTED_TC: Instance 0's port GigabitEthernet0/1/1 detected a topology change. |
|
Explanation |
The MSTP instance or VLAN to which a port belongs had a topology change, and the local end detected the change. |
|
Recommended action |
Identify the topology change cause and handle the issue. For example, if the change is caused by a link down event, recover the link. |
STP_DISABLE
|
Message text |
STP is now disabled on the device. |
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
STP/6/STP_DISABLE: STP is now disabled on the device. |
|
Explanation |
STP was globally disabled on the device. |
|
Recommended action |
No action is required. |
STP_DISCARDING
|
Message text |
Instance [UINT32]'s port [STRING] has been set to discarding state. |
|
Variable fields |
$1: Instance ID. $2: Interface name. |
|
Severity level |
6 |
|
Example |
STP/6/STP_DISCARDING: Instance 0's port Ethernet1/0/2 has been set to discarding state. |
|
Explanation |
MSTP calculated the state of ports within an instance, and a port was set to the discarding state. |
|
Recommended action |
No action is required. |
STP_ENABLE
|
Message text |
STP is now enabled on the device. |
|
Variable fields |
N/A |
|
Severity level |
6 |
|
Example |
STP/6/STP_ENABLE: STP is now enabled on the device. |
|
Explanation |
STP was globally enabled on the device. |
|
Recommended action |
No action is required. |
STP_FORWARDING
|
Message text |
Instance [UINT32]'s port [STRING] has been set to forwarding state. |
|
Variable fields |
$1: Instance ID. $2: Interface name. |
|
Severity level |
6 |
|
Example |
STP/6/STP_FORWARDING: Instance 0's port Ethernet1/0/2 has been set to forwarding state. |
|
Explanation |
MSTP calculated the state of ports within an instance, and a port was set to the forwarding state. |
|
Recommended action |
No action is required. |
STP_LOOP_PROTECTION
|
Message text |
Instance [UINT32]'s LOOP-Protection port [STRING] failed to receive configuration BPDUs. |
|
Variable fields |
$1: Instance ID. $2: Interface name. |
|
Severity level |
4 |
|
Example |
STP/4/STP_LOOP_PROTECTION: Instance 0's LOOP-Protection port Ethernet1/0/2 failed to receive configuration BPDUs. |
|
Explanation |
A loop-guard-enabled port failed to receive configuration BPDUs. |
|
Recommended action |
Check the STP status of the upstream device and possible attacks from other devices. |
STP_NOT_ROOT
|
Message text |
The current switch is no longer the root of instance [UINT32]. |
|
Variable fields |
$1: Instance ID. |
|
Severity level |
5 |
|
Example |
STP/5/STP_NOT_ROOT: The current switch is no longer the root of instance 0. |
|
Explanation |
The current switch is no longer the root bridge of an instance. It received a superior BPDU after it was configured as the root bridge. |
|
Recommended action |
Check the bridge priority configuration and possible attacks from other devices. |
STP_NOTIFIED_TC
|
Message text |
[STRING] [UINT32]'s port [STRING] was notified of a topology change. |
|
Variable fields |
$1: Instance or VLAN. $2: Instance ID or VLAN ID. $3: Interface name. |
|
Severity level |
6 |
|
Example |
STP/6/STP_NOTIFIED_TC: Instance 0's port GigabitEthernet0/1/1 was notified of a topology change. |
|
Explanation |
The neighboring device on a port notified the current device that a topology change occurred in the instance or VLAN to which the port belongs. |
|
Recommended action |
Identify the topology change cause and handle the issue. For example, if the change is caused by a link down event, recover the link. |
STP_PORT_TYPE_INCONSISTENCY
|
Message text |
Access port [STRING] in VLAN [UINT32] received PVST BPDUs from a trunk or hybrid port. |
|
Variable fields |
$1: Interface name. $2: VLAN ID. |
|
Severity level |
4 |
|
Example |
|
|
Explanation |
An access port received PVST BPDUs from a trunk or hybrid port. |
|
Recommended action |
Check the port link type setting on the ports. |
STP_PVID_INCONSISTENCY
|
Message text |
Port [STRING] with PVID [UINT32] received PVST BPDUs from a port with PVID [UINT32]. |
|
Variable fields |
$1: Interface name. $2: VLAN ID. $3: VLAN ID. |
|
Severity level |
4 |
|
Example |
|
|
Explanation |
A port received PVST BPDUs from a remote port with a different PVID. |
|
Recommended action |
Verify that the PVID is consistent on both ports. |
STP_PVST_BPDU_PROTECTION
|
Message text |
PVST BPDUs were received on port [STRING], which is enabled with PVST BPDU protection. |
|
Variable fields |
$1: Interface name. |
|
Severity level |
4 |
|
Example |
|
|
Explanation |
In MSTP mode, a port enabled with PVST BPDU guard received PVST BPDUs. |
|
Recommended action |
Identify the device that sends the PVST BPDUs. |
STP_ROOT_PROTECTION
|
Message text |
Instance [UINT32]'s ROOT-Protection port [STRING] received superior BPDUs. |
|
Variable fields |
$1: Instance ID. $2: Interface name. |
|
Severity level |
4 |
|
Example |
STP/4/STP_ROOT_PROTECTION: Instance 0's ROOT-Protection port Ethernet1/0/2 received superior BPDUs. |
|
Explanation |
A root-guard-enabled port received BPDUs that are superior to the BPDUs generated by itself. |
|
Recommended action |
Check the bridge priority configuration and possible attacks from other devices. |
SYSEVENT
This section contains system event messages.
EVENT_TIMEOUT
|
Message text |
Module [UINT32]'s processing for event [UINT32] timed out. Module [UINT32]'s processing for event [UINT32] on [STRING] timed out. |
|
Variable fields |
$1: Module ID. $2: Event ID. $3: MDC MDC-ID or Context Context-ID. |
|
Severity level |
6 |
|
Example |
SYSEVENT/6/EVENT_TIMEOUT: -MDC=1; Module 0x1140000's processing for event 0x20000010 timed out. SYSEVENT/6/EVENT_TIMEOUT: -Context=1; Module 0x33c0000's processing for event 0x20000010 on context 16 timed out. |
|
Explanation |
A module's processing for an event timed out. Logs generated on the default MDC or context for the default MDC or context do not include the MDC MDC-ID or Context Context-ID. Logs generated on the default MDC or context for a non-default MDC or context include the MDC MDC-ID or Context Context-ID. Logs generated on a non-default MDC or context for the local MDC or context do not include the MDC MDC-ID or Context Context-ID. |
|
Recommended action |
No action is required. |
SYSLOG messages
This section contains syslog messages.
ENCODING
|
Message text |
Set the character set encoding to [STRING] for syslog messages. |
|
Variable fields |
$1: Character set encoding, which can be UTF-8 or GB18030. |
|
Severity level |
6 |
|
Example |
SYSLOG/6/ENCODING: Set the character set encoding to UTF-8 for syslog messages. |
|
Explanation |
Set the character set encoding to UTF-8 for syslog messages. |
|
Recommended action |
For the user' login terminal to correctly display Chinese characters in log messages received from the information center, make sure the information center and the terminal use the same character set encoding. |
SYSLOG_LOGBUFFER_FAILURE
|
Message text |
Log cannot be sent to the logbuffer because of communication timeout between syslog and DBM processes. |
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
SYSLOG/4/SYSLOG_LOGBUFFER_FAILURE: Log cannot be sent to the logbuffer because of communication timeout between syslog and DBM processes. |
|
Explanation |
Failed to send the log to the logbuffer because the communication between syslog and DBM processes timed out. |
|
Recommended action |
Contact H3C Support. |
SYSLOG_LOGFILE_FULL
|
Message text |
Log file space is full. |
|
Variable fields |
N/A |
|
Severity level |
4 |
|
Example |
SYSLOG/4/SYSLOG_LOGFILE_FULL: Log file space is full. |
|
Explanation |
The log file space is full. |
|
Recommended action |
Back up the log file and remove it, and then bring up interfaces if needed. |
SYSLOG_RESTART
|
Message text |
System restarted -- [STRING] [STRING] Software. |
|
Variable fields |
$1: Company name. $2: Software name. |
|
Severity level |
6 |
|
Example |
SYSLOG/6/SYSLOG_RESTART: System restarted -- H3C Comware Software |
|
Explanation |
A system restart log was created. |
|
Recommended action |
No action is required. |
TELNETD messages
This section contains Telnet daemon messages.
TELNETD_ACL_DENY
|
Message text |
The Telnet Connection request from [IPADDR]([STRING]) was denied by ACL rule (rule ID=[INT32]) |
|
Variable fields |
$1: IP address of the Telnet client. $2: VPN instance to which the Telnet client belongs. $3: ID of the rule that denied the Telnet client. If a Telnet client does not match created ACL rules, the device denies the client based on the default ACL rule. |
|
Severity level |
5 |
|
Example |
TELNETD/5/TELNETD_ACL_DENY:The Telnet connection request from 181.1.1.10 was denied by ACL rule (rule ID=20). TELNETD/5/TELNETD_ACL_DENY:The Telnet connection request from 181.1.1.10 was denied by ACL rule (default rule). |
|
Explanation |
Telnet login control ACLs control which Telnet clients can access the Telnet service on the device. The device sends this log message when it denies a Telnet client. |
|
Recommended action |
No action is required. |
TELNETD_REACH_SESSION_LIMIT
|
Message text |
Telnet client $1 failed to log in. The current number of Telnet sessions is [NUMBER]. The maximum number allowed is ([NUMBER]). |
|
Variable fields |
$1: IP address of the Telnet client. $2: Current number of Telnet sessions. $3: Maximum number of Telnet sessions allowed by the device. |
|
Severity level |
|
|
Example |
|
|
Explanation |
The number of Telnet connections reached the limit. |
|
Recommended action |
286. Use the display current-configuration | include session-limit command to view the current limit for Telnet connections. If the command does not display the limit, the device is using the default setting. 287. If you want to set a greater limit, execute the aaa session-limit command. If you think the limit is proper, no action is required. |
UFLT messages
This section contains URL filtering messages.
UFLT_MATCH_IPV4_LOG (syslog)
|
Message text |
Protocol(1001)=[STRING];Application(1002)=[STRING];URL(1093)=[STRING];URLCategory(1094)=[STRING];PolicyName(1079)=[STRING];SrcIPAddr(1003)=[IPADDR];SrcPort(1004)=[UINT16];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];UserName(1113)=[STRING];Action(1053)=[STRING]; |
|
Variable fields |
$1: Protocol type. $2: Application protocol name. $3: URL content. $4: URL category name. $5: URL filtering policy name. $6: Source IP address. $7: Source port number. $8: Destination IP address. $9: Destination port number. $10: Source security zone. $11: Destination security zone. $12: Name of the identity user. $13: Actions applied to the packet. Available actions are: · Block-Source. · Permit. · Drop. · Reset. · Redirect. |
|
Severity level |
6 |
|
Example |
UFLT/6/UFLT_MATCH_IPV4_LOG:Protocol(1001)=TCP;Application(1002)=http;URL(1093)=google.com;URLCategory(1094)=Fashion&Beauty;PolicyName(1079)=policy1;SrcIPAddr(1003)=1.2.3.4;SrcPort(1004)=8080;DstIPAddr(1007)=6.1.1.1;DstPort(1008)=8080;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;UserName(1113)=abc;Action(1053)=Drop; |
|
Explanation |
An IPv4 packet matched a URL filtering rule. |
|
Recommended action |
No action is required. |
UFLT_MATCH_IPV6_LOG (syslog)
|
Message text |
Protocol(1001)=[STRING];Application(1002)=[STRING];URL(1093)=[STRING];URLCategory(1094)=[STRING];PolicyName(1079)=[STRING];SrcIPv6Addr(1036)=[IPADDR];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];UserName(1113)=[STRING];Action(1053)=[STRING]; |
|
Variable fields |
$1: Protocol type. $2: Application protocol name. $3: URL content. $4: URL category name. $5: URL filtering policy name. $6: Source IPv6 address. $7: Source port number. $8: Destination IPv6 address. $9: Destination port number. $10: Source security zone. $11: Destination security zone. $12: Username. $13: Actions applied to the packet. Available actions are: ¡ Block-Source. ¡ Permit. ¡ Drop. ¡ Reset. ¡ Redirect. |
|
Severity level |
6 |
|
Example |
UFLT/6/UFLT_MATCH_IPV6_LOG:Protocol(1001)=TCP;Application(1002)=http;URL(1093)=google.com;URLCategory(1094)=Fashion&Beauty;PolicyName(1079)=policy1;SrcIPv6Addr(1036)=2001::2;SrcPort(1004)=51396;DstIPv6Addr(1037)=3001::2;DstPort(1008)=25;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;UserName(1113)=aaa;Action(1053)=Drop; |
|
Explanation |
An IPv6 packet matched a URL filtering rule. |
|
Recommended action |
No action is required. |
UFLT_NOT MATCH_IPV4_LOG (syslog)
|
Message text |
Protocol(1001)=[STRING];Application(1002)=[STRING];URL(1093)=[STRING];URLCategory(1094)=[STRING];PolicyName(1079)=[STRING];SrcIPAddr(1003)=[IPADDR];SrcPort(1004)=[UINT16];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];UserName(1113)=[STRING];Action(1053)=[STRING]; |
|
Variable fields |
$1: Protocol type. $2: Application protocol name. $3: URL content. $4: URL category name. This field displays Unknown if no matching URL category is found for the packet. $5: URL filtering policy name. $6: Source IP address. $7: Source port number. $8: Destination IP address. $9: Destination port number. $10: Source security zone. $11: Destination security zone. $12: Username. $13: Actions applied to the packet. Available actions are: ¡ Block-Source. ¡ Permit. ¡ Drop. ¡ Reset. ¡ Redirect. |
|
Severity level |
6 |
|
Example |
UFLT/6/UFLT_NOT_MATCH_IPV4_LOG:Protocol(1001)=TCP;Application(1002)=http;URL(1093)=google.com;URLCategory(1094)=Unknown;PolicyName(1079)=policy1;SrcIPAddr(1003)=1.2.3.4;SrcPort(1004)=8080;DstIPAddr(1007)=6.1.1.1;DstPort(1008)=8080;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;UserName(1113)=abc;Action(1053)=Drop; |
|
Explanation |
No matching URL filtering rule was found for an IPv4 packet. |
|
Recommended action |
No action is required. |
UFLT_NOT MATCH_IPV6_LOG (syslog)
|
Message text |
Protocol(1001)=[STRING];Application(1002)=[STRING];URL(1093)=[STRING];URLCategory(1094)=[STRING];PolicyName(1079)=[STRING];SrcIPv6Addr(1036)=[IPADDR];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];UserName(1113)=[STRING];Action(1053)=[STRING]; |
|
Variable fields |
$1: Protocol type. $2: Application protocol name. $3: URL content. $4: URL category name. $5: URL filtering policy name. $6: Source IPv6 address. $7: Source port number. $8: Destination IPv6 address. $9: Destination port number. $10: Source security zone. $11: Destination security zone. $12: Username. $13: Actions applied to the packet. Available actions are: ¡ Block-Source. ¡ Permit. ¡ Drop. ¡ Reset. ¡ Redirect. |
|
Severity level |
6 |
|
Example |
UFLT/6/UFLT_NOT_MATCH_IPV6_LOG:Protocol(1001)=TCP;Application(1002)=http;URL(1093)=google.com;URLCategory(1094)=Unknown;PolicyName(1079)=policy1;SrcIPv6Addr(1036)=2001::2;SrcPort(1004)=51396;DstIPv6Addr(1037)=3001::2;DstPort(1008)=25;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;UserName(1113)=aaa;Action(1053)=Drop; |
|
Explanation |
No matching URL filtering rule was found for an IPv6 packet. |
|
Recommended action |
No action is required. |
UFLT_MATCH_IPv4_LOG (fast log)
|
Message text |
Protocol(1001)=[STRING];Application(1002)=[STRING];UserName(1113)=[STRING];SrcMacAddr(1021)=[STRING];SrcIPAddr(1003)=[IPADDR];SrcPort(1004)=[UINT16];NATSrcIPAddr(1005)=[IPADDR];NATSrcPort(1006)=[UINT16];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];NATDstIPAddr(1009)=[IPADDR];NATDstPort(1010)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];PolicyName(1079)=[STRING];URLCategory(1094)=[STRING];URL(1093)=[STRING];VistTime(1114)=[STRING];Client(1110)=[STRING];Action(1053)=[STRING]; |
|
Variable fields |
$1: Protocol type. $2: Application protocol name. $3: Username. $4: Source MAC address. $5: Source IP address. $6: Source port number. $7: Source IP address after NAT. $8: Source port number after NAT. $9: Destination IP address. $10: Destination port number. $11: Destination IP address after NAT. $12: Destination port number after NAT. $13: Source security zone. $14: Destination security zone. $15: URL filtering policy name. $16: URL category name. $17: URL content. $18: Access time. $19: Client type. This field is not supported in the current software version. $20: Actions applied to the packet. Available actions are: ¡ Block-Source. ¡ Permit. ¡ Drop. ¡ Reset. ¡ Redirect. |
|
Severity level |
6 |
|
Example |
UFLT/6/UFLT_MATCH_IPv4_LOG: Protocol(1001)=TCP;Application(1002)=SouhuNews;UserName(1113)=;SrcMacAddr(1021)=08-00-27-11-93-78;SrcIPAddr(1003)=112.1.1.2;SrcPort(1004)=3887;NATSrcIPAddr(1005)=112.1.1.2;NATSrcPort(1006)=3887;DstIPAddr(1007)=114.1.1.2;DstPort(1008)=80;NATDstIPAddr(1009)=114.1.1.2;NATDstPort(1010)=80;SrcZoneName(1025)=in;DstZoneName(1035)=out;PolicyName(1079)=1;URLCategory(1094)=SearchEngines&Portals;URL(1093)=news.sohu.com/upload/itoolbar/itoolbar.index.loader.20140923.js;VistTime(1114)=1480688515;Client(1110)=;Action(1053)=Permit; |
|
Explanation |
An IPv4 packet matched a URL filtering rule. |
|
Recommended action |
No action is required. |
UFLT_MATCH_IPv6_LOG (fast log)
|
Message text |
Protocol(1001)=[STRING];Application(1002)=[STRING];UserName(1113)=[STRING];SrcMacAddr(1021)=[STRING];SrcIPv6Addr(1036)=[IPADDR];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];PolicyName(1079)=[STRING];URLCategory(1094)=[STRING];URL(1093)=[STRING];VistTime(1114)=[STRING];Client(1110)=[STRING]; Action(1053)=[STRING]; |
|
Variable fields |
$1: Protocol type. $2: Application protocol name. $3: Username. $4: Source MAC address. $5: Source IPv6 address. $6: Source port number. $7: Destination IPv6 address. $8: Destination port number. $9: Source security zone. $10: Destination security zone. $11: URL filtering policy name. $12: URL category name. $13: URL content. $14: Access time. $15: Client type. This field is not supported in the current software version. $16: Actions applied to the packet. Available actions are: ¡ Block-Source. ¡ Permit. ¡ Drop. ¡ Reset. ¡ Redirect. |
|
Severity level |
6 |
|
Example |
UFLT/6/UFLT_MATCH_IPv6_LOG: Protocol(1001)=TCP;Application(1002)=SouhuNews;UserName(1113)=;SrcMacAddr(1021)=08-00-27-11-93-78;SrcIPv6Addr(1036)=2001::2;SrcPort(1004)=51396;DstIPv6Addr(1037)=3001::2;DstPort(1008)=25;SrcZoneName(1025)=in;DstZoneName(1035)=out;PolicyName(1079)=1;URLCategory(1094)=SearchEngines&Portals;URL(1093)=news.sohu.com/upload/itoolbar/itoolbar.index.loader.20140923.js;VistTime(1114)=1480688515;Client(1110)=;Action(1053)=Permit; |
|
Explanation |
An IPv6 packet matched a URL filtering rule. |
|
Recommended action |
No action is required. |
UFLT_NOT_MATCH_IPv4_LOG (fast log)
|
Message text |
Protocol(1001)=[STRING];Application(1002)=[STRING];UserName(1113)=[STRING];SrcMacAddr(1021)=[STRING];SrcIPAddr(1003)=[IPADDR];SrcPort(1004)=[UINT16];NATSrcIPAddr(1005)=[IPADDR];NATSrcPort(1006)=[UINT16];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];NATDstIPAddr(1009)=[IPADDR];NATDstPort(1010)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];PolicyName(1079)=[STRING];URLCategory(1094)=[STRING];URL(1093)=[STRING];VistTime(1114)=[STRING];Client(1110)=[STRING];Action(1053)=[STRING]; |
|
Variable fields |
$1: Protocol type. $2: Application protocol name. $3: Username. $4: Source MAC address. $5: Source IP address. $6: Source port number. $7: Source IP address after NAT. $8: Source port number after NAT. $9: Destination IP address. $10: Destination port number. $11: Destination IP address after NAT. $12: Destination port number after NAT. $13: Source security zone. $14: Destination security zone. $15: URL filtering policy name. $16: URL category name. $17: URL content. $18: Access time. $19: Client type. This field is not supported in the current software version. $20: Actions applied to the packet. Available actions are: ¡ Block-Source. ¡ Permit. ¡ Drop. ¡ Reset. ¡ Redirect. |
|
Severity level |
6 |
|
Example |
UFLT/6/UFLT_NOT_MATCH_IPv4_LOG: Protocol(1001)=TCP;Application(1002)=SouhuNews;UserName(1113)=;SrcMacAddr(1021)=08-00-27-11-93-78;SrcIPAddr(1003)=112.1.1.2;SrcPort(1004)=3887;NATSrcIPAddr(1005)=112.1.1.2;NATSrcPort(1006)=3887;DstIPAddr(1007)=114.1.1.2;DstPort(1008)=80;NATDstIPAddr(1009)=114.1.1.2;NATDstPort(1010)=80;SrcZoneName(1025)=in;DstZoneName(1035)=out;PolicyName(1079)=1;URLCategory(1094)=Unknown;URL(1093)=news.sohu.com/upload/itoolbar/index/toolbar_bg_130315.gif;VistTime(1114)=1480691551;Client(1110)=;Action(1053)=Permit; |
|
Explanation |
No matching URL filtering rule was found for an IPv4 packet. |
|
Recommended action |
No action is required. |
UFLT_NOT_MATCH_IPv6_LOG (fast log)
|
Message text |
Protocol(1001)=[STRING];Application(1002)=[STRING];UserName(1113)=[STRING];SrcMacAddr(1021)=[STRING];SrcIPv6Addr(1036)=[IPADDR];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING]; PolicyName(1079)=[STRING];URLCategory(1094)=[STRING];URL(1093)=[STRING];VistTime(1114)=[STRING];Client(1110)=[STRING]; Action(1053)=[STRING]; |
|
Variable fields |
$1: Protocol type. $2: Application protocol name. $3: Username. $4: Source MAC address. $5: Source IPv6 address. $6: Source port number. $7: Destination IPv6 address. $8: Destination port number. $9: Source security zone. $10: Destination security zone. $11: URL filtering policy name. $12: URL category name. $13: URL content. $14: Access time. $15: Client type. This field is not supported in the current software version. $16: Actions applied to the packet. Available actions are: ¡ Block-Source. ¡ Permit. ¡ Drop. ¡ Reset. ¡ Redirect. |
|
Severity level |
6 |
|
Example |
UFLT/6/UFLT_NOT_MATCH_IPv6_LOG: Protocol(1001)=TCP;Application(1002)=SouhuNews;UserName(1113)=;SrcMacAddr(1021)=08-00-27-11-93-78;SrcIPv6Addr(1036)=2001::2;SrcPort(1004)=51396;DstIPv6Addr(1037)=3001::2;DstPort(1008)=25;SrcZoneName(1025)=in;DstZoneName(1035)=out;PolicyName(1079)=1;URLCategory(1094)=Unknown;URL(1093)=news.sohu.com/upload/itoolbar/itoolbar.index.loader.20140923.js;VistTime(1114)=1480688515;Client(1110)=;Action(1053)=Permit; |
|
Explanation |
No matching URL filtering rule was found for an IPv6 packet. |
|
Recommended action |
No action is required. |
UFLT_WARNING
|
Message text |
Updated the URL filtering signature library successfully. |
|
Variable fields |
None. |
|
Severity level |
4 |
|
Example |
UFLT/4/UFLT_WARNING: -Context=1; Updated the URL filtering signature library successfully. |
|
Explanation |
The URL filtering signature library was updated successfully through a manual offline update or triggered online update. |
|
Recommended action |
No action is required. |
UFLT_WARNING
|
Message text |
Rolled back the URL filtering signature library successfully. |
|
Variable fields |
None. |
|
Severity level |
4 |
|
Example |
UFLT/4/UFLT_WARNING: -Context=1; Rolled back the URL filtering signature library successfully. |
|
Explanation |
The URL filtering signature library was rolled back to the previous or factory default version successfully. |
|
Recommended action |
No action is required. |
VLAN messages
This section contains VLAN messages.
VLAN_FAILED
|
Message text |
Failed to add interface [STRING] to the default VLAN. |
|
Variable fields |
$1: Interface name. |
|
Severity level |
4 |
|
Example |
VLAN/4/VLAN_FAILED: Failed to add interface S-Channel4/2/0/19:100 to the default VLAN. |
|
Explanation |
An S-channel interface was created when hardware resources were insufficient. The S-channel interface failed to be assigned to the default VLAN. |
|
Recommended action |
No action is required. |
VLAN_VLANMAPPING_FAILED
|
Message text |
The configuration failed because of resource insufficiency or conflicts on [STRING]. |
|
Variable fields |
$1: Interface name. |
|
Severity level |
4 |
|
Example |
VLAN/4/VLAN_VLANMAPPING_FAILED: The configuration failed because of resource insufficiency or conflicts on Ethernet0/0. |
|
Explanation |
Part of or all VLAN mapping configurations on the interface were lost because of one of the following occurrences: · Hardware resources were insufficient for the interface. · The interface joined or left a Layer 2 aggregation group. |
|
Recommended action |
No action is required. |
VLAN_VLANSTRIP_REG_DIFF_CONFIG
|
Message text |
The value of the vlan-strip register is different from the configuration on interface [STRING]. |
|
Variable fields |
$1: Interface name. |
|
Severity level |
3 |
|
Example |
VLAN/3/VLAN_VLANSTRIP_REG_DIFF_CONFIG: The value of the vlan-strip register is different from the configuration on interface GigabitEthernet1/0/1. |
|
Explanation |
The VLAN tag stripping configuration on an interface is different from the value of the vlan-strip register. |
|
Recommended action |
Check the operating environments of VMs and hosts, and configure VLAN tag stripping again. |
VLAN_VLANTRANSPARENT_FAILED
|
Message text |
The configuration failed because of resource insufficiency or conflicts on [STRING]. |
|
Variable fields |
$1: Interface name. |
|
Severity level |
4 |
|
Example |
VLAN/4/VLAN_VLANTRANSPARENT_FAILED: The configuration failed because of resource insufficiency or conflicts on Ethernet0/0. |
|
Explanation |
Part of or all VLAN transparent transmission configurations on the interface were lost because of one of the following occurrences: · Hardware resources were insufficient for the interface. · The interface joined or left a Layer 2 aggregation group. |
|
Recommended action |
No action is required. |
WCLT messages
This section contains WCLT messages.
WLAN_FSM_CHANGE
|
Message text |
[UINT32] FSM changed from [STRING] to [STRING]: BSSID=[STRING], SSID=[STRING], RSSI=[STRING], Channel=[UINT32], Online Duration=[TIME]d [TIME]h [TIME]m [TIME]s. Reason: [STRING]. |
|
Variable fields |
$1: Radio ID. $2: AP state before the change: · Init—The device is in initialization state. · UnAuth—The device has not been authenticated. · Auth—The device is being authenticated. · Assoc—The device is attempting to associate with a WLAN. · Run—The device is in running state. $3: AP state after the change. · Init—The device is in initialization state. · UnAuth—The device has not been authenticated. · Auth—The device is being authenticated. · Assoc—The device is attempting to associate with a WLAN. · Run—The device is in running state. $4: BSSID. $5: SSID. $6: Signal strength. $7: Channel. $8: Number of days in the online duration. $9: Number of hours in the online duration. $10: Number of minutes in the online duration. $11: Number of seconds in the online duration. $12: State change reason. Options include: · Send auth(recv probe resp)—The device received a probe response and sent an authentication frame. · Send assoc req—The device sent an association request. · Recv assoc resp—The device received an association response. · Recv deauth—The device received a deauthentication frame. · Recv disasso—The device received a disassociation frame. · Send auth(unauth status timeout)—The unauthentication state timed out and the device sent an authentication frame. · Unauth status timeout, failed to send auth—The unauthentication state timed out and the device sent an authentication failure frame. · Auth status timeout—The authentication state timed out. · Asso status timeout—The association state timed out. · Keepalive beacon timeout—The beacon-based keepalive timed out. · Recv action—The device received an action frame. · FSM init, change to unauth—The device state changed from initialization to unauthentication. · Change to disconnect(cfg)—Connection terminated because of manual configuration. · Undo SSID—The SSID configuration was removed. · Send probe request(channel change)—The device sent a probe request after a channel change. · Send probe request failed(channel change)—The device failed to send a probe request after a channel change. · Radio down—The associated radio became unavailable. · Unauth status proc probe resp failed—The device failed to process a probe response in Unauth state. · Proc auth failed(Open System)—The device failed to process an open system authentication frame. · Proc auth failed(Shared Key)—The device failed to process a shared key authentication frame. · Proc asso resp failed—The device failed to process an association response. · Change channel IE(beacon)—The channel changed in a received beacon frame. · Change channel IE(probe resp)—The channel changed in a received probe response. · Send probe request(connct bss)—The device sent a probe request and did not change its channel. · Connect BSS failed—The device failed to access a BSS. · Share-key failed—Shared key authentication failed during association. · 4H failed—Four-way handshake failed during association. · Select better BSS by roam—The device performed a BSS roaming. · Change to disconnect(dbm)—Disabling the client mode triggered device reassociation. · Scan aging—The entry for the associated BSS expired. · Unauth status timeout, no need send auth—The device failed to receive probe responses in UnAuth state and stays in UnAuth state. · Auth direct(connct bss)—The device did not receive any probe response and sent an authentication frame directly. · Active detect timeout—The probe request-based keepalive timed out. |
|
Severity level |
6 |
|
Example |
WCLT/6/WLAN_FSM_CHANGE: [1] FSM changed from Auth to Assoc: BSSID=50da-00df-33e0, SSID=agv, RSSI=52, Channel=36, Online Duration=2d 3h 10m 20s. Reason: Send assoc. |
|
Explanation |
The state of the fat AP changed. |
|
Recommended action |
No action is required. |
WEB messages
This section contains Web messages.
LOGIN
|
Message text |
[STRING] logged in from [STRING]. |
|
Variable fields |
$1: Username of the user. $2: IP address of the user. |
|
Severity level |
5 |
|
Example |
WEB/5/LOGIN: admin logged in from 127.0.0.1. |
|
Explanation |
A user logged in successfully. |
|
Recommended action |
No action is required. |
LOGIN_FAILED
|
Message text |
[STRING] failed to log in from [STRING]. |
|
Variable fields |
$1: Username of the user. $2: IP address of the user. |
|
Severity level |
5 |
|
Example |
WEB/5/LOGIN_FAILED: admin failed to log in from 127.0.0.1. |
|
Explanation |
A user failed to log in. |
|
Recommended action |
No action is required. |
LOGOUT
|
Message text |
[STRING] logged out from [STRING]. |
|
Variable fields |
$1: Username of the user. $2: IP address of the user. |
|
Severity level |
5 |
|
Example |
WEB/5/LOGOUT: admin logged out from 127.0.0.1. |
|
Explanation |
A user logged out successfully. |
|
Recommended action |
No action is required. |
WFF messages
This section contains WLAN fast forwarding (WFF) messages.
WFF_HARDWARE_INIT_FAILED
|
Message text |
Firmware [UINT32] was set to pass-through mode because initialization failed. |
|
Variable fields |
$1: Firmware number. |
|
Severity level |
5 |
|
Example |
WFF/5/WFF_HARDWARE_INIT_FAILED: Firmware 0 was set to pass-through mode because initialization failed. |
|
Explanation |
The pass-through mode was set for the firmware because of firmware initialization failure. |
|
Recommended action |
No action is required. |
WFF_HARDWARE_IPC_FAILED
|
Message text |
Firmware [UINT32] was set to pass-through mode because IPC check failed. |
|
Variable fields |
$1: Firmware number. |
|
Severity level |
5 |
|
Example |
WFF/5/WFF_HARDWARE_IPC_FAILED: Firmware 0 was set to pass-through mode because IPC check failed. |
|
Explanation |
The pass-through mode was set for the firmware because of IPC check failure. |
|
Recommended action |
No action is required. |
WFF_HARDWARE_LOOPBACK_FAILED
|
Message text |
Firmware [UINT32] was set to pass-through mode because loopback check failed. |
|
Variable fields |
$1: Firmware number. |
|
Severity level |
5 |
|
Example |
WFF/5/WFF_HARDWARE_LOOPBACK_FAILED: Firmware 0 was set to pass-through mode because loopback check failed. |
|
Explanation |
The pass-through mode was set for the firmware because of loopback check failure. |
|
Recommended action |
No action is required. |
WFF_HARDWARE_PCIE_FAILED
|
Message text |
Firmware [UINT32] was set to pass-through mode because PCIE check failed. |
|
Variable fields |
$1: Firmware number. |
|
Severity level |
5 |
|
Example |
WFF/5/WFF_HARDWARE_LOOPBACK_FAILED: Firmware 0 was set to pass-through mode because PCIE check failed. |
|
Explanation |
The pass-through mode was set for the firmware because of a PCIE check failure. |
|
Recommended action |
No action is required. |
WIPS messages
This section contains WIPS messages.
APFLOOD
|
Message text |
-VSD=[STRING]; AP flood detected. |
|
Variable fields |
$1: VSD name. |
|
Severity level |
5 |
|
Example |
WIPS/5/APFLOOD: -VSD=home; AP flood detected. |
|
Explanation |
The number of APs detected in the specified VSD reached the threshold. |
|
Recommended action |
Determine whether the device has suffered an attack. |
AP_CHANNEL_CHANGE
|
Message text |
-VSD=[STRING]-SrcMAC=[MAC]; Channel change detected. |
|
Variable fields |
$1: VSD name. $2: MAC address of the AP. |
|
Severity level |
5 |
|
Example |
WIPS/5/AP_CHANNEL_CHANGE: -VSD=home-SrcMAC=1122-3344-5566; Channel change detected. |
|
Explanation |
The channel of the specified AP changed. |
|
Recommended action |
Determine whether the channel change is valid. |
ASSOCIATEOVERFLOW
|
Message text |
-VSD=[STRING]-SrcMAC=[MAC]; Association/Reassociation DoS attack detected. |
|
Variable fields |
$1: VSD name. $2: MAC address of the AP. |
|
Severity level |
5 |
|
Example |
WIPS/5/ASSOCIATEOVERFLOW: -VSD=home-SrcMAC=1122-3344-5566; Association/Reassociation DoS attack detected. |
|
Explanation |
The specified AP sent an association response with the status code 17. |
|
Recommended action |
Determine whether the AP has suffered an attack. |
WIPS_DOS
|
Message text |
-VSD=[STRING]; [STRING] rate attack detected. |
|
Variable fields |
$1: VSD name. $2: Device type: AP or client. |
|
Severity level |
5 |
|
Example |
WIPS/5/WIPS_DOS: -VSD=home; AP rate attack detected. |
|
Explanation |
The number of device entries learned within the specified interval reached the threshold. |
|
Recommended action |
Determine whether the device suffers an attack. |
WIPS_FLOOD
|
Message text |
-VSD=[STRING]-APName=[STRING]-SrcMAC=[MAC]; [STRING] flood detected. |
|
Variable fields |
$1: VSD name. $2: Name of the sensor. $3: Attacker's MAC address. $4: Flood attack type. Options include the following: · Association request · Authentication · Disassociation · Reassociation request · Deauthentication · Null data · Beacon · Probe request · BlockAck · CTS · RTS · EAPOL start |
|
Severity level |
5 |
|
Example |
WIPS/5/WIPS_FLOOD: -VSD=home-APName=ap1-SrcMAC=1122-3344-5566; Association request flood detected. |
|
Explanation |
The number of a specific type of packets detected by the specified AP in the specified VSD within the specified interval reached the threshold. |
|
Recommended action |
Determine whether the packet sender is an authorized device. |
HONEYPOT
|
Message text |
-VSD=[STRING]-SrcMAC=[MAC]; Honeypot AP detected. |
|
Variable fields |
$1: VSD name. $2: MAC address of the AP. |
|
Severity level |
5 |
|
Example |
WIPS/5/HONEYPOT: -VSD=home-SrcMAC=1122-3344-5566; Honeypot AP detected. |
|
Explanation |
The specified AP was detected as a honeypot AP. |
|
Recommended action |
Determine whether the device has suffered an attack. |
HTGREENMODE
|
Message text |
-VSD=[STRING]-SrcMAC=[MAC]; HT-Greenfield AP detected. |
|
Variable fields |
$1: VSD name. $2: MAC address of the AP. |
|
Severity level |
5 |
|
Example |
WIPS/5/HTGREENMODE: -VSD=home-SrcMAC=1122-3344-5566; HT-Greenfield AP detected. |
|
Explanation |
The specified AP was detected as an HT-greenfield AP. |
|
Recommended action |
Determine whether the device has suffered an attack. |
WIPS_MALF
|
Message text |
-VSD=[STRING]-SrcMAC=[MAC]; Error detected: [STRING]. |
|
Variable fields |
$1: VSD name. $2: Sender's MAC address. $3: Malformed packet type. Options include the following: · invalid ie length—Invalid IE length. · duplicated ie—Duplicate IE. · redundant ie—Redundant IE. · invalid pkt length—Invalid packet length. · illegal ibss ess—Abnormal IBSS and ESS setting. · invalid source addr—Invalid source MAC address. · overflow eapol key—Oversized EAPOL key. · malf auth—Malformed authentication request frame. · malf assoc req—Malformed association request frame. · malf ht ie—Malformed HT IE. · large duration—Oversized duration. · null probe resp—Malformed probe response frame. · invalid deauth code—Invalid deauthentication code. · invalid disassoc code—Invalid disassociation code. · over flow ssid—Oversized SSID. · fata jack—FATA-Jack. |
|
Severity level |
5 |
|
Example |
WIPS/5/WIPS_MALF: -VSD=home-SrcMAC=1122-3344-5566; Error detected: fata jack. |
|
Explanation |
A malformed packet was detected. |
|
Recommended action |
Determine whether the packet sender is an authorized device. |
MAN_IN_MIDDLE
|
Message text |
-VSD=[STRING]-SrcMAC=[MAC]; Man-in-the-middle attack detected. |
|
Variable fields |
$1: VSD name. $2: MAC address of the client. |
|
Severity level |
5 |
|
Example |
WIPS/5/MAN_IN_MIDDLE: -VSD=home-SrcMAC=1122-3344-5566; Man-in-the-middle attack detected. |
|
Explanation |
The specified client suffered a man-in-the-middle attack. |
|
Recommended action |
Determine whether the client has suffered a man-in-the-middle attack. |
WIPS_ROGUE
|
Message text |
-VSD=[STRING]-SrcMAC=[MAC]; Rogue AP detected by radio 1 of sensor [STRING] on channel 149 (RSSI=84). |
|
Variable fields |
$1: VSD name. $2: MAC address of the rogue AP. |
|
Severity level |
5 |
|
Example |
WIPS/5/WIPS_ROGUE: -VSD=home-SrcMAC=1122-3344-5566; Rogue AP detected by radio 1 of sensor ap1 on channel 149 (RSSI=84). |
|
Explanation |
A rogue AP was detected. |
|
Recommended action |
Enable WIPS to take countermeasures against rogue APs. |
WIPS_SPOOF
|
Message text |
-VSD=[STRING]-SrcMAC=[MAC]; [STRING] detected. |
|
Variable fields |
$1: VSD name. $2: MAC address of the device being spoofed. $3: Spoofing attack type. Options include the following: · AP spoofing AP—A fake AP spoofs an authorized AP. · AP spoofing client—A fake AP spoofs an authorized client. · AP spoofing ad-hoc—A fake AP spoofs an Ad hoc device. · Ad-hoc spoofing AP—An Ad hoc device spoofs an authorized AP. · Client spoofing AP—A client spoofs an authorized AP. |
|
Severity level |
5 |
|
Example |
WIPS/5/WIPS_SPOOF: -VSD=home-SrcMAC=1122-3344-5566; AP spoofing AP detected. |
|
Explanation |
A spoofing attack was detected. |
|
Recommended action |
Determine whether the packet sender is an authorized device. |
WIPS_UNAUTH
|
Message text |
-VSD=[STRING]-SrcMAC=[MAC];Unauthorized client detected by radio 1 of sensor [STRING] on channel 149 (RSSI=84). |
|
Variable fields |
$1: VSD name. $2: MAC address of the unauthorized client. |
|
Severity level |
5 |
|
Example |
WIPS/5/WIPS_UNAUTH: -VSD=home-SrcMAC=1122-3344-5566; Unauthorized client detected by radio 1 of sensor ap1 on channel 149 (RSSI=84). |
|
Explanation |
An unauthorized client was detected. |
|
Recommended action |
Determine whether unauthorized clients exist. |
WIPS_WEAKIV
|
Message text |
-VSD=[STRING]-SrcMAC=[MAC]; Weak IV detected. |
|
Variable fields |
$1: VSD name. $2: Sender's MAC address. |
|
Severity level |
5 |
|
Example |
WIPS/5/WIPS_WEAKIV: -VSD=home-SrcMAC=1122-3344-5566; Weak IV detected. |
|
Explanation |
A weak IV was detected. |
|
Recommended action |
Use a more secure encryption method to encrypt packets. |
WIRELESSBRIDGE
|
Message text |
-VSD=[STRING]-AP1=[MAC]-AP2=[MAC]]; Wireless bridge detected. |
|
Variable fields |
$1: VSD name. $2: MAC address of AP 1. $3: MAC address of AP 2. |
|
Severity level |
5 |
|
Example |
WIPS/5/WIRELESSBRIDGE: -VSD=home-AP1=1122-3344-5566-AP2=7788-9966-5544; Wireless bridge detected. |
|
Explanation |
The specified APs set up a wireless bridge. |
|
Recommended action |
Determine whether the wireless bridge is valid. |
WLANAUD messages
This section contains WLANAUD messages.
WLANAUD_CLIENT_ONLINE
|
Message text |
· UserIP=[STRING], UserMAC=[STRING], APMAC=[STRING]. · UserMAC=[STRING], UserIP=[STRING], APName=[ STRING], APMAC=[STRING], SSID=[ STRING], BSSID=[ STRING]. |
|
Variable fields |
$1: IP address of the client. $2: MAC address of the client. $3: MAC address of the AP with which the client is associated. $4: Name of the AP with which the client is associated. $5: SSID with which the client is associated. $6: BSSID with which the client is associated. |
|
Severity level |
5 |
|
Example |
· WLANAUD/5/WLAN_CLIENT_ONLINE: UserIP=192.168.0.1, UserMAC=0023-8933-2147, APMAC=31AC-11EA-17FF. · WLANAUD/5/WLAN_CLIENT_ONLINE: UserMAC=31ac-11ea-17ff, UserIP=192.168.0.1, APName=ap1, APMAC=000f-ea00-3350, SSID=zhongyan, BSSID=000f-ea00-3352. |
|
Explanation |
A client was associated with an AP. |
|
Recommended action |
No action is required. |
WMESH messages
This section contains WLAN mesh messages.
MESH_ACTIVELINK_SWITCH
|
Message text |
Switch an active link from [MAC] ([CHAR]) to [MAC] ([CHAR]): peer quantity = [UINT64], link quantity = [UINT16], switch reason = [UINT32]. |
|
Variable fields |
$1: Mesh peer MAC address before active/standby link switchover. $2: RSSI on the link before active/standby link switchover. $3: Mesh peer MAC address after active/standby link switchover. $4: RSSI on the link after active/standby link switchover. $5: Mesh peer quantity after active/standby link switchover. $6: Mesh link quantity after active/standby link switchover. $7: Reason for link switchover: · 1—First mesh link establishment. · 2—Active switchover (MLSP link switchover optimization disabled). · 3—Active switchover (MLSP link switchover optimization enabled). · 4—Passive switchover or switchover after forced logoff. |
|
Severity level |
5 |
|
Example |
WMESH/5/MESH_ACTIVELINK_SWITCH: Switch an active link from 50da-00d2-4b50 (55) to 50da-00d2-49e0 (74): peer quantity = 3, link quantity = 2, switch reason = 2. |
|
Explanation |
An active/standby mesh link switchover occurred. |
|
Recommended action |
No action is required. |
MESH_LINKDOWN
|
Message text |
Mesh link on interface [CHAR] is down: peer MAC = [MAC], RSSI = [CHAR], reason: [STRING] ([STRING]). |
|
Variable fields |
$1: Link interface number. $2: Mesh peer MAC address. $3: RSSI on the link. $4: Reason: · AP status change. · Radio status change. · Mesh configuration change—Mesh configuration, such as mesh profile or mesh policy, changed. · Mesh BSS deleted. · Excessive RSSI—The link RSSI has exceeded the link saturation RSSI. · Weak RSSI. · Packet check failure. · Link keepalive failure. · Active link keepalive failure. · Worst link replaced when MLSP link limit is reached. · Neighbor zerocfg status change—The state of a neighbor of the temporary link is changed from zero configuration to non-zero configuration. · Neighbor refresh. · Mesh link established during scan initialization or auto channel scan. · Unknown reason. $5: Link terminated by: · local. · peer. |
|
Severity level |
5 |
|
Example |
WMESH/5/MESH_LINKDOWN: Mesh link on interface 50 is down: peer MAC = 50da-00d2-4b50, RSSI = 45, reason: AP status change (peer). |
|
Explanation |
A mesh link was terminated. |
|
Recommended action |
No action is required. |
MESH_LINKUP
|
Message text |
Mesh link on interface [CHAR] is up: peer MAC = [MAC], peer radio mode = [UINT32], RSSI = [CHAR]. |
|
Variable fields |
$1: Link interface number. $2: Mesh peer MAC address. $3: Mesh peer radio mode: · 0—Any mode except for 802.11n and 802.11ac. · 1—802.11n. · 2—802.11ac. $4: RSSI on the link. |
|
Severity level |
5 |
|
Example |
WMESH/5/MESH_LINKUP: Mesh link on interface 51 is up: peer MAC = 50da-00d2-4b50, peer radio mode = 0, RSSI = 74. |
|
Explanation |
A mesh link was established. |
|
Recommended action |
No action is required. |
MESH_REVOPEN_MAC
|
Message text |
Received a link open request from AP [MAC] in confirm received state. |
|
Variable fields |
$1: AP MAC address. |
|
Severity level |
5 |
|
Example |
WMESH/5/MESH_REVOPEN_MAC: Received a link open request from AP 50da-00d2-4b50 in confirm received state. |
|
Explanation |
The MP received a Link Open request in confirm received state. |
|
Recommended action |
No action is required. |
WRDC messages
This section contains WRDC messages.
WRDC_USER_DELETE
|
Message text |
-UserMAC=[STRING]-UserIP=[IPADDR]. A user was deleted. |
|
Variable fields |
$1: Client MAC address. $2: Client IP address. |
|
Severity level |
6 |
|
Example |
WRDC/6/WRDC_USER_DELETE: -UserMAC=0021-0011-0033-UserIP=192.168.1.2. A user was deleted. |
|
Explanation |
The WLAN roaming center deleted a client entry after the client went offline from all ACs. |
|
Recommended action |
No action is required. |
WRDC_USER_OFFLINE
|
Message text |
-UserMAC=[STRING]-UserIP=[IPADDR]-ACIP =[IPADDR]; A user went offline. Reason: [STRING]. |
|
Variable fields |
$1: Client MAC address. $2: Client IP address. $3: IP address of the AC from which the client came online. $4: Reason: · User request—The client requested to go offline. · DHCP release—The DHCP release of the client's IP address has expired. · Other reason. |
|
Severity level |
6 |
|
Example |
WRDC/6/WRDC_USER_OFFLINE: -UserMAC=0021-0011-0033-UserIP=192.168.1.2-ACIP=192.168.3.1; A user went offline. Reason: User request. |
|
Explanation |
A client went offline. |
|
Recommended action |
No action is required. |
WRDC_USER_ONLINE
|
Message text |
-UserMAC=[STRING]-UserIP=[IPADDR]-ACIP=[IPADDR]. A user came online. |
|
Variable fields |
$1: Client MAC address. $2: Client IP address. $3: IP address of the AC from which the client came online. |
|
Severity level |
6 |
|
Example |
WRDC/6/WRDC_USER_ONLINE: -UserMAC=0021-0011-0033-UserIP=192.168.1.2-ACIP=192.168.3.1. A user came online. |
|
Explanation |
A client came online. |
|
Recommended action |
No action is required. |
WRDC_USER_ROAM
|
Message text |
-UserMAC=[STRING]-UserIP=[IPADDR]. A user roamed from AC [IPADDR] to AC [IPADDR]. |
|
Variable fields |
$1: Client MAC address. $2: Client IP address. $3: IP address of the AC from which the client came online before roaming. $4: IP address of the AC from which the client came online after roaming. |
|
Severity level |
6 |
|
Example |
WRDC/6/WRDC_USER_ROAM: -UserMAC=0021-0011-0033-UserIP=192.168.1.2. A user roamed from AC 192.168.3.1 to AC 192.168.3.2. |
|
Explanation |
A client performed an inter-AC roaming. |
|
Recommended action |
No action is required. |
WSA messages
This section contains Wireless Spectrum Analysis (WSA) messages.
WSA_DEVICE
|
Message text |
|
|
Variable fields |
$1: AP ID. $2: Radio ID. $3: Interference devices. Options include the following: ¡ Bluetooth devices. ¡ Other fixed frequency devices. ¡ Cordless phones using fixed frequency. ¡ Video devices using fixed frequency. ¡ Audio devices using fixed frequency. ¡ Other hopper frequency devices. ¡ Frequency-hopping cordless phone bases. ¡ Frequency-hopping cordless networks (2.4 GHz). ¡ Microsoft Xboxes. ¡ Other devices. ¡ Frequency-hopping cordless networks (5 GHz). |
|
Severity level |
5 |
|
Example |
WSA/5/WSA_DEVICE: [APID: 1, RADIODID: 2]; Bluetooth devices detected. |
|
Explanation |
The radio interface of an AP detected an interference device. |
|
Recommended action |
Determine whether the device has suffered an attack. |
