H3C Access Controllers System Log Messages Reference
Software version: Release 5420
Document version: 6W102-20190603
Copyright © 2019 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Contents
ACL_ACCELERATE_NONCONTIGUOUSMASK
ACL_ACCELERATE_NOT_SUPPORTHOPBYHOP
ACL_ACCELERATE_NOT_SUPPORTMULTITCPFLAG
Application account extraction messages
Application audit and management messages
AUDIT_RULE_MATCH_MAIL_IPV4_LOG
AUDIT_RULE_MATCH_FORUM_IPV4_LOG
AUDIT_RULE_MATCH_SEARCH_IPV4_LOG
AUDIT_RULE_MATCH_FILE_IPV4_LOG
AUDIT_RULE_MATCH_OTHER_IPV4_LOG
AUDIT_RULE_MATCH_MAIL_IPV6_LOG
AUDIT_RULE_MATCH_FORUM_IPV6_LOG
AUDIT_RULE_MATCH_SEARCH_IPV6_LOG
AUDIT_RULE_MATCH_FILE_IPV6_LOG
AUDIT_RULE_MATCH_OTHER_IPV6_LOG
ARP_ACTIVE_ACK_NOREQUESTED_REPLY
ATK_ICMPV6_DEST_UNREACH_RAW_SZ
ATK_ICMPV6_GROUPREDUCTION_RAW_SZ
ATK_ICMPV6_PACKETTOOBIG_RAW_SZ
ATK_IP4_TCP_INVALIDFLAGS_RAW_SZ
ATK_IP6_TCP_INVALIDFLAGS_RAW_SZ
ATK_IPOPT_LOOSESRCROUTE_RAW_SZ
ATK_IPOPT_STRICTSRCROUTE_RAW_SZ
DOT1X_NOTENOUGH_EADFREERULE_RES
DOT1X_NOTENOUGH_EADPORTREDIR_RES
DOT1X_NOTENOUGH_EADMACREDIR_RES
DOT1X_NOTENOUGH_ENABLEDOT1X_RES
DOT1X_NOTSUPPORT_EADFREEIP_RES
DOT1X_NOTSUPPORT_EADFREERULE_RES
DOT1X_NOTSUPPORT_EADMACREDIR_RES
DOT1X_NOTSUPPORT_EADPORTREDIR_RES
EDEV_FAILOVER_GROUP_STATE_CHANGE
ETHOAM_CONNECTION_FAIL_TIMEOUT
ETHOAM_CONNECTION_FAIL_UNSATISF
ETHOAM_ENTER_LOOPBACK_CTRLLING
ETHOAM_LOCAL_ERROR_FRAME_PERIOD
ETHOAM_LOCAL_ERROR_FRAME_SECOND
ETHOAM_LOOPBACK_EXIT_ERROR_STATU
ETHOAM_REMOTE_ERROR_FRAME_PERIOD
ETHOAM_REMOTE_ERROR_FRAME_SECOND
FCLINK_FDISC_REJECT_NORESOURCE
FCLINK_FLOGI_REJECT_NORESOURCE
FCOE_INTERFACE_NOTSUPPORT_FCOE
IDENTITY_IMC_IMPORT_FAILED_NO_MEMORY
IDENTITY_LDAP_IMPORT_FAILED_NO_MEMORY
IDENTITY_LDAP_IMPORT_GROUP_FAILED
IDENTITY_LDAP_IMPORT_USER_FAILED
Managing and obtaining system log messages
Obtaining log messages from the console terminal
Obtaining log messages from the log buffer
Obtaining log messages from a monitor terminal
Obtaining log messages from the log file
Obtaining log messages from a log host
IPSEC_ANTI-REPLAY_WINDOWS_ERROR
L2PT_CREATE_TUNNELGROUP_FAILED
LAGG_INACTIVE_RESOURCE_INSUFICIE
LB_CHANGE_LINK_CONNNUM_RECOVERY
LB_CHANGE_LINK_CONNRATE_RECOVERY
LB_CHANGE_RS_CONNRATE_RECOVERY
LB_CHANGE_VS_CONNRATE_RECOVERY
NAT_INTERFACE_RESOURCE_EXHAUST
NAT_SERVICE_CARD_RECOVER_FAILURE
ND_SET_VLAN_REDIRECT_NORESOURCE
OFP_FLOW_ADD_TABLE_MISS_FAILED
OFP_FLOW_DEL_TABLE_MISS_FAILED
OFP_FLOW_MOD_TABLE_MISS_FAILED
PFILTER_VLAN_IPV4_DACT_UNK_ERR
PFILTER_VLAN_IPV6_DACT_UNK_ERR
PORTSEC_PORTMODE_NOT_EFFECTIVE
QOS_QMPROFILE_MODIFYQUEUE_FAIL
RPR_PROTECTION_INCONSISTENT_OVER
RPR_TOPOLOGY_INCONSISTENT_OVER
MONITOR_BLADE_THROUGHPUT_EXCEED
MONITOR_BLADE_THROUGHPUT_BELOW
STAMGR_AUTHORUSERPROFILE_FAILURE
STAMGR_STA_ADDMOB_LKUP_ENDOFIOCTL
UFLT_NOT MATCH_IPV4_LOG (syslog)
UFLT_NOT MATCH_IPV6_LOG (syslog)
UFLT_MATCH_IPv4_LOG (fast log)
UFLT_MATCH_IPv6_LOG (fast log)
UFLT_NOT_MATCH_IPv4_LOG (fast log)
UFLT_NOT_MATCH_IPv6_LOG (fast log)
AAA messages
This section contains AAA messages.
AAA_FAILURE
Message text |
-AAAType=[STRING]-AAADomain=[STRING]-Service=[STRING]-UserName=[STRING]; AAA failed. |
Variable fields |
$1: AAA type. $2: AAA scheme. $3: Service. $4: Username. |
Severity level |
5 |
Example |
AAA/5/AAA_FAILURE: -AAAType=AUTHOR-AAADomain=domain1-Service=login-UserName=cwf@system; AAA failed. |
Explanation |
An AAA request was rejected. The following are the common reasons: · No response was received from the server. · The username or password was incorrect. · The service type that the user applied for was incorrect. |
Recommended action |
1. Verify that the device is correctly connected to the server. 2. Enter the correct username and password. 3. Verify that the server settings are the same as the settings on the device. 4. If the problem persists, contact H3C Support. |
AAA_LAUNCH
Message text |
-AAAType=[STRING]-AAADomain=[STRING]-Service=[STRING]-UserName=[STRING]; AAA launched. |
Variable fields |
$1: AAA type. $2: AAA scheme. $3: Service. $4: Username. |
Severity level |
6 |
Example |
AAA/6/AAA_LAUNCH: -AAAType=AUTHEN-AAADomain=domain1-Service=login-UserName=cwf@system; AAA launched. |
Explanation |
An AAA request was received. |
Recommended action |
No action is required. |
AAA_SUCCESS
Message text |
-AAAType=[STRING]-AAADomain=[STRING]-Service=[STRING]-UserName=[STRING]; AAA succeeded. |
Variable fields |
$1: AAA type. $2: AAA scheme. $3: Service. $4: Username. |
Severity level |
6 |
Example |
AAA/6/AAA_SUCCESS: -AAAType=AUTHOR-AAADomain=domain1-Service=login-UserName=cwf@system; AAA succeeded. |
Explanation |
An AAA request was accepted. |
Recommended action |
No action is required. |
ACL messages
This section contains ACL messages.
ACL_ACCELERATE_NO_RES
Message text |
Failed to accelerate [STRING] ACL [UINT32]. The resources are insufficient. |
Variable fields |
$1: ACL type. $2: ACL number. |
Severity level |
4 |
Example |
ACL/4/ACL_ACCELERATE_NO_RES: Failed to accelerate IPv6 ACL 2001. The resources are insufficient. |
Explanation |
Hardware resources were insufficient for accelerating an ACL. |
Recommended action |
Delete some rules or disable ACL acceleration for other ACLs to release hardware resources. |
ACL_ACCELERATE_NONCONTIGUOUSMASK
Message text |
Failed to accelerate ACL [UINT32]. ACL acceleration supports only contiguous wildcard masks. |
Variable fields |
$1: ACL number. |
Severity level |
4 |
Example |
ACL/4/ACL_ACCELERATE_NONCONTIGUOUSMASK: Failed to accelerate ACL 2001. ACL acceleration supports only contiguous wildcard masks. |
Explanation |
ACL acceleration failed because rules containing noncontiguous wildcard masks exist in the ACL. |
Recommended action |
Check the ACL rules and delete the unsupported configuration. |
ACL_ACCELERATE_NOT_SUPPORT
Message text |
Failed to accelerate [STRING] ACL [UINT32]. The operation is not supported. |
Variable fields |
$1: ACL type. $2: ACL number. |
Severity level |
4 |
Example |
ACL/4/ACL_ACCELERATE_NOT_SUPPORT: Failed to accelerate IPv6 ACL 2001. The operation is not supported. |
Explanation |
ACL acceleration failed because the system does not support ACL acceleration. |
Recommended action |
No action is required. |
ACL_ACCELERATE_NOT_SUPPORTHOPBYHOP
Message text |
Failed to accelerate IPv6 ACL [UINT32]. ACL acceleration does not support the rules that contain the hop-by-hop keywords. |
Variable fields |
$1: ACL number. |
Severity level |
4 |
Example |
ACL/4/ACL_ACCELERATE_NOT_SUPPORTHOPBYHOP: Failed to accelerate IPv6 ACL 2001. ACL acceleration does not support the rules that contain the hop-by-hop keywords. |
Explanation |
ACL acceleration failed for the IPv6 ACL because rules containing the hop-by-hop keyword exist in the ACL. |
Recommended action |
Check the ACL rules and delete the unsupported configuration. |
ACL_ACCELERATE_NOT_SUPPORTMULTITCPFLAG
Message text |
Failed to accelerate IPv6 ACL [UINT32]. ACL acceleration does not support specifying multiple TCP flags in one rule. |
Variable fields |
$1: ACL number. |
Severity level |
4 |
Example |
ACL/4/ACL_ACCELERATE_NOT_SUPPORTMULTITCPFLAG: Failed to accelerate IPv6 ACL 2001. ACL acceleration does not support specifying multiple TCP flags in one rule. |
Explanation |
ACL acceleration failed for the IPv6 ACL because rules containing multiple TCP flags exist in the ACL. |
Recommended action |
Check the ACL rules and delete the unsupported configuration. |
ACL_ACCELERATE_UNK_ERR
Message text |
Failed to accelerate [STRING] ACL [UINT32]. |
Variable fields |
$1: ACL type. $2: ACL number. |
Severity level |
4 |
Example |
ACL/4/ACL_ACCELERATE_UNK_ERR: Failed to accelerate IPv6 ACL 2001. |
Explanation |
ACL acceleration failed because of an unknown error. |
Recommended action |
No action is required. |
ACL_DYNRULE_COMMENT
Message text |
The comment of [STRING], which was generated dynamically, can't be added or deleted manually. |
Variable fields |
$1: Dynamic ACL rule information. |
Severity level |
6 |
Example |
ACL/6/ACL_DYNRULE_COMMENT: The comment of IPv4 ACL 3000 rule 1, which was generated dynamically, can't be added or deleted manually. |
Explanation |
The comment of a dynamic ACL rule can't be added or deleted manually. |
Recommended action |
No action is required. |
ACL_DYNRULE_MDF
Message text |
[STRING], which was generated dynamically, was deleted or modified manually. |
Variable fields |
$1: Dynamic ACL rule information. |
Severity level |
5 |
Example |
ACL/5/ACL_DYNRULE_MDF: IPv4 ACL 3000 rule 1, which was generated dynamically, was deleted or modified manually. |
Explanation |
A dynamic ACL rule was deleted or modified manually. |
Recommended action |
Make sure deleting or modifying the dynamic ACL rule does not affect ongoing services on the network. |
ACL_IPV6_STATIS_INFO
Message text |
IPv6 ACL [UINT32] [STRING] [UINT64] packet(s). |
Variable fields |
$1: ACL number. $2: ID and content of an IPv6 ACL rule. $3: Number of packets that matched the rule. |
Severity level |
6 |
Example |
ACL/6/ACL_IPV6_STATIS_INFO: IPv6 ACL 2000 rule 0 permit source 1:1::/64 logging 1000 packet(s). |
Explanation |
The number of packets matching the IPv6 ACL rule changed. |
Recommended action |
No action is required. |
ACL_NO_MEM
Message text |
Failed to configure [STRING] ACL [UINT] due to lack of memory. |
Variable fields |
$1: ACL type. $2: ACL number. |
Severity level |
3 |
Example |
ACL/3/ACL_NO_MEM: Failed to configure ACL 2001 due to lack of memory. |
Explanation |
Configuring the ACL failed because memory is insufficient. |
Recommended action |
Use the display memory-threshold command to check the memory usage. |
ACL_RULE_REACH_MAXNUM
Message text |
The maximum number of rules in [STRING] ACL [UINT32] already reached. |
Variable fields |
$1: ACL type. $2: ACL number. |
Severity level |
5 |
Example |
ACL/5/ACL_RULE_REACH_MAXNUM:The maximum number of rules in IPv4 ACL 3000 already reached. |
Explanation |
A dynamic ACL rule failed to be added because the maximum number of rules in the ACL was already reached. |
Recommended action |
Delete unused ACL rules. |
ACL_RULE_SUBID_EXCEED
Message text |
The rule ID in [STRING] ACL [UINT32] is out of range. |
Variable fields |
$1: ACL type. $2: ACL number. |
Severity level |
5 |
Example |
ACL/5/ACL_RULE_SUBID_EXCEED: The rule ID in IPv4 ACL 3000 is out of range. |
Explanation |
A dynamic ACL rule failed to be added because the rule ID is out of range. |
Recommended action |
Modify the rule numbering step for the ACL. |
ACL_STATIS_INFO
Message text |
ACL [UINT32] [STRING] [UINT64] packet(s). |
Variable fields |
$1: ACL number. $2: ID and content of an IPv4 ACL rule. $3: Number of packets that matched the rule. |
Severity level |
6 |
Example |
ACL/6/ACL_STATIS_INFO: ACL 2000 rule 0 permit source 1.1.1.1 0 logging 10000 packet(s). |
Explanation |
The number of packets matching the IPv4 ACL rule changed. |
Recommended action |
No action is required. |
ANCP messages
This section contains ANCP messages.
ANCP_INVALID_PACKET
Message text |
-NeighborName=[STRING]-State=[STRING]-MessageType=[STRING]; The [STRING] value [STRING] is wrong, and the value [STRING] is expected. |
Variable fields |
$1: ANCP neighbor name. $2: Neighbor state. $4: Field. $5: Wrong value of the field. $6: Expected value of the field. |
Severity level |
6 |
Example |
ANCP/6/ANCP_INVALID_PACKET: -NeighborName=Dslam-State=SYNSENT-MessageType=SYNACK; The Sender Instance value 0 is wrong, and the value 1 is expected. |
Explanation |
The system received an adjacency message that had a field with a wrong value. |
Recommended action |
No action is required. |
ANTIVIRUS messages
This section contains antivirus messages.
ANTIVIRUS_IPV4_INTERZONE
Message text |
Protocol(1001)=[STRING];Application(1002)=[STRING];SrcIPAddr(1003)=[IPADDR];SrcPort(1004)=[UINT16];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=[STRING];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];UserName(1113)=[STRING];PolicyName(1079)=[STRING];VirusName(1085)=[STRING];VirusID(1086)=[UINT32];Severity(1087)=[STRING];Action(1053)=[STRING];HitDirection(1115)=[STRING];RealSrcIP(1100)=[STRING]; |
Variable fields |
$1: Protocol type. $2: Application layer protocol name. $3: Source IPv4 address. $4: Source port number. $5: Destination IPv4 address. $6: Destination port number. $7: Receiving VPN instance. $8: Source security zone name. $9: Destination security zone name. $10: Username. $11: Policy name. $12: Virus name. $13: Virus ID. $14: Severity level: LOW, MEDIUM, HIGH, or CRITICAL. $15: Action: Reset & Logging, Permit & Logging, or Redirect & Logging. $16: Direction of matching packets: original or reply. $17: Actual source IPv4 address. |
Severity level |
4 |
Example |
ANTI-VIR/4/ANTIVIRUS_IPV4_INTERZONE:-Context=1;Protocol(1001)=TCP;Application(1002)=http;SrcIPAddr(1003)=100.10.10.40;SrcPort(1004)=56690;DstIPAddr(1007)=200.10.10.40;DstPort(1008)=80;RcvVPNInstance(1042)=;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;UserName(1113)=abc;PolicyName(1079)=av;VirusName(1085)=MODIFIED-EICAR-Test-File;VirusID(1086)=95;Severity(1087)=MEDIUM;Action(1053)=Reset & Logging;HitDirection(1115)=original;RealSrcIP(1100)=10.10.10.10,20.20.20.20; |
Explanation |
This message is sent when an IPv4 packet matches a virus signature. |
Recommended action |
No action is required. |
ANTIVIRUS_IPV6_INTERZONE
Message text |
Protocol(1001)=[STRING];Application(1002)=[STRING];SrcIPv6Addr(1036)=[IPADDR];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];RcvVPNInstance(1042)=-[STRING];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];UserName(1113)=[STRING];PolicyName(1079)=[STRING];VirusName(1085)=[STRING];VirusID(1086)=[UINT32];Severity(1087)=[STRING];Action(1053)=[STRING];HitDirection(1115)=[STRING];RealSrcIP(1100)=[STRING]; |
Variable fields |
$1: Protocol type. $2: Application layer protocol name. $3: Source IPv6 address. $4: Source port number. $5: Destination IPv6 address. $6: Destination port number. $7: Receiving VPN instance. $8: Source security zone name. $9: Destination security zone name. $10: Username. $11: Policy name. $12: Virus name. $13: Virus ID. $14: Severity level: LOW, MEDIUM, HIGH, or CRITICAL. $15: Action: Reset & Logging, Permit & Logging, or Redirect & Logging. $16: Direction of matching packets: original or reply. $17: Actual source IPv6 address. |
Severity level |
4 |
Example |
ANTI-VIR/4/ANTIVIRUS_IPV6_INTERZONE:-Context=1;Protocol(1001)=TCP;Application(1002)=http;SrcIPv6Addr(1036)=100::40;SrcPort(1004)=56690;DstIPv6Addr(1037)=200::40;DstPort(1008)=80;RcvVPNInstance(1042)=;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;UserName(1113)=aaa;PolicyName(1079)=av;VirusName(1085)=MODIFIED-EICAR-Test-File;VirusID(1086)=95;Severity(1087)=MEDIUM;Action(1053)=Reset & Logging;HitDirection(1115)=original;RealSrcIP(1100)=10::1; |
Explanation |
This message is sent when an IPv6 packet matches a virus signature. |
Recommended action |
No action is required. |
ANTIVIRUS_WARNING
Message text |
Updated the antivirus signature library successfully. |
Variable fields |
N/A |
Severity level |
4 |
Example |
ANTI-VIR/4/ANTIVIRUS_WARNING: -Context=1; Updated the antivirus signature library successfully. |
Explanation |
This message is sent when the antivirus signature library is immediately or locally updated. |
Recommended action |
No action is required. |
ANTIVIRUS_WARNING
Message text |
Rolled back the antivirus signature library successfully. |
Variable fields |
N/A |
Severity level |
4 |
Example |
ANTI-VIR/4/ANTIVIRUS_WARNING: -Context=1; Rolled back the antivirus signature library successfully. |
Explanation |
This message is sent when the antivirus signature library is rolled back to the previous version or the factory version. |
Recommended action |
No action is required. |
ANTIVIRUS_WARNING
Message text |
Failed to update the antivirus signature library because no valid license was found for the antivirus feature. |
Variable fields |
N/A |
Severity level |
4 |
Example |
ANTI-VIR/4/ANTIVIRUS_WARNING: -Context=1; Failed to update the antivirus signature library because no valid license was found for the antivirus feature. |
Explanation |
This message is sent when one of the following antivirus signature library upgrade failures occurs: · Web-based or CLI-based immediate upgrade failed because no valid license is found. · Web-based local upgrade failed because no valid license is found. |
Recommended action |
No action is required. |
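The AAA and ANTIVIRUS message formats documented above can be parsed for detection work as follows. This is an added example, not H3C code; it assumes the input is the `MODULE/severity/MNEMONIC: body` text shown in the Example rows with any syslog timestamp or hostname prefix already stripped, and the function names, the threshold, and the sample lines marked as constructed are assumptions.

```python
import re
from collections import Counter

# Header as printed in the Example rows: MODULE/severity/MNEMONIC: body.
# Assumption: any syslog timestamp/hostname prefix was stripped upstream.
HEADER_RE = re.compile(
    r"^(?P<module>[A-Z0-9-]+)/(?P<severity>[0-7])/(?P<mnemonic>[A-Z0-9_]+):"
    r"\s*(?P<body>.*)$"
)

# AAA bodies use "-Key=value" pairs. Values may themselves contain "-", so
# anchor on the four documented key names instead of splitting on hyphens.
AAA_RE = re.compile(
    r"^-AAAType=(?P<aaa_type>.*?)-AAADomain=(?P<domain>.*?)"
    r"-Service=(?P<service>.*?)-UserName=(?P<user>.*); "
    r"AAA (?P<result>failed|launched|succeeded)\.$"
)

# ANTIVIRUS_*_INTERZONE bodies use "Name(id)=value;" pairs; values may be empty.
FIELD_RE = re.compile(r"(?P<name>[A-Za-z0-9]+)\((?P<id>\d+)\)=(?P<value>[^;]*);")


def parse_header(line):
    """Split a message into module, severity (int), mnemonic and body."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    return rec


def parse_aaa(body):
    """Extract the four AAA fields and the result word, or None."""
    m = AAA_RE.match(body)
    return m.groupdict() if m else None


def parse_fields(body):
    """Return {field name: value} for Name(id)=value; pairs."""
    return {m["name"]: m["value"] for m in FIELD_RE.finditer(body)}


def repeated_aaa_failures(lines, threshold=3):
    """Count AAA_FAILURE per (user, domain, service); keep counts >= threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_header(line)
        if not rec or rec["mnemonic"] != "AAA_FAILURE":
            continue
        aaa = parse_aaa(rec["body"])
        if aaa:
            counts[(aaa["user"], aaa["domain"], aaa["service"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def antivirus_hits(lines):
    """Summarise ANTIVIRUS_IPV4/IPV6_INTERZONE messages for triage."""
    hits = []
    for line in lines:
        rec = parse_header(line)
        if not rec or not rec["mnemonic"].startswith("ANTIVIRUS_IPV"):
            continue
        f = parse_fields(rec["body"])
        hits.append({
            "src": f.get("SrcIPAddr") or f.get("SrcIPv6Addr"),
            "dst": f.get("DstIPAddr") or f.get("DstIPv6Addr"),
            # RealSrcIP can carry several comma-separated addresses.
            "real_src": [ip for ip in f.get("RealSrcIP", "").split(",") if ip],
            "virus": f.get("VirusName"),
            "action": f.get("Action"),
            # "Permit & Logging" means the matching traffic was let through.
            "permitted": f.get("Action", "").startswith("Permit"),
        })
    return hits


# The first, second and last lines are the page's own examples; the three
# "j-doe" failures are constructed to exercise hyphens inside values.
CONSTRUCTED_FAILURE = ("AAA/5/AAA_FAILURE: -AAAType=AUTHEN-AAADomain=branch-wifi"
                       "-Service=login-UserName=j-doe@system; AAA failed.")
SAMPLE_LINES = [
    "AAA/5/AAA_FAILURE: -AAAType=AUTHOR-AAADomain=domain1-Service=login"
    "-UserName=cwf@system; AAA failed.",
    "AAA/6/AAA_SUCCESS: -AAAType=AUTHOR-AAADomain=domain1-Service=login"
    "-UserName=cwf@system; AAA succeeded.",
    CONSTRUCTED_FAILURE, CONSTRUCTED_FAILURE, CONSTRUCTED_FAILURE,
    "ANTI-VIR/4/ANTIVIRUS_IPV4_INTERZONE:-Context=1;Protocol(1001)=TCP;"
    "Application(1002)=http;SrcIPAddr(1003)=100.10.10.40;SrcPort(1004)=56690;"
    "DstIPAddr(1007)=200.10.10.40;DstPort(1008)=80;RcvVPNInstance(1042)=;"
    "SrcZoneName(1025)=spf;DstZoneName(1035)=spf;UserName(1113)=abc;"
    "PolicyName(1079)=av;VirusName(1085)=MODIFIED-EICAR-Test-File;"
    "VirusID(1086)=95;Severity(1087)=MEDIUM;Action(1053)=Reset & Logging;"
    "HitDirection(1115)=original;RealSrcIP(1100)=10.10.10.10,20.20.20.20;",
]

if __name__ == "__main__":
    print(repeated_aaa_failures(SAMPLE_LINES))
    print(antivirus_hits(SAMPLE_LINES))
```

Splitting the AAA body on hyphens would break on the constructed `branch-wifi` domain and `j-doe` username, which is why the parser anchors on the documented key names.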
APMGR messages
This section contains access point management messages.
AP_CREATE_FAILURE
Message text |
Failed to create an AP with entity ID [UINT32] and model [STRING]. Reason: Region code is not available. |
Variable fields |
$1: AP ID. $2: AP model. |
Severity level |
6 |
Example |
APMGR/6/AP_CREATE_FAILURE: Failed to create an AP with entity ID 1 and model WA2620i-AGN. Reason: Region code is not available. |
Explanation |
The system fails to create an AP because no region code is specified for the AP. |
Recommended action |
Specify a region code in global configuration view. |
AP_REBOOT_REASON
Message text |
AP in Run state is rebooting. Reason: The physical status of the radio is down. |
Variable fields |
N/A |
Severity level |
6 |
Example |
APMGR/6/AP_REBOOT_REASON: AP in Run state is rebooting. Reason: The physical status of the radio is down. |
Explanation |
The AP is rebooting because a physical radio interface of the AP is in down state. |
Recommended action |
Verify that radio configurations on the AP are correct after the reboot. |
APMGR_ADDBAC_INFO
Message text |
Add BAS AC [STRING]. |
Variable fields |
$1: MAC address of the BAS AC. |
Severity level |
6 |
Example |
APMGR/6/APMGR_ADDBAC_INFO: Add BAS AC 3ce5-a616-28cd. |
Explanation |
The BAS AC was connected to the master AC. |
Recommended action |
No action is required. |
APMGR_AP_CFG_FAILED
Message text |
Failed to reset AP [STRING]. Reason: The AP is writing an image file into the flash. |
Variable fields |
$1: AP name. |
Severity level |
4 |
Example |
APMGR/4/APMGR_CFG_FAILD: Failed to reset AP ap2. Reason: The AP is writing an image file into the flash. |
Explanation |
AP reset failed because the AP is writing an image file into the flash. |
Recommended action |
Restart the AP after the AP finishes writing an image file into the flash. |
APMGR_AP_ONLINE
Message text |
The AP failed to come online in discovery stage. Reason: AP model [$1] is not supported. |
Variable fields |
$1: AP model. |
Severity level |
6 |
Example |
APMGR/6/APMGR_AP_ONLINE: The AP failed to come online in discovery stage. Reason: AP model wa2620i-AGN is not supported. |
Explanation |
The AP fails to come online because its model is not supported by the AC and the AC cannot receive discovery requests from the AP. |
Recommended action |
No action is required. |
APMGR_DELBAC_INFO
Message text |
Delete BAS AC [STRING]. |
Variable fields |
$1: MAC address of the BAS AC. |
Severity level |
6 |
Example |
APMGR/6/APMGR_DELBAC_INFO: Delete BAS AC 3ce5-a616-28cd. |
Explanation |
The BAS AC was disconnected from the master AC. |
Recommended action |
No action is required. |
APMGR_LOG_ADD_AP_FAIL
Message text |
AP [STRING] failed to come online using serial ID [STRING]: MAC address [STRING] is being used by AP [STRING]. |
Variable fields |
$1: AP name. $2: Serial ID. $3: MAC address. $4: AP name. |
Severity level |
4 |
Example |
APMGR/4/APMGR_LOG_ADD_AP_FAIL: AP ap1 failed to come online using serial ID 01247ef96: MAC address 0023-7961-5201 is being used by AP ap2. |
Explanation |
The AP failed to come online because a manual AP that has the same MAC address already exists on the AC. |
Recommended action |
Delete either the manual AP that has the MAC address or the serial ID. |
APMGR_LOG_LACOFFLINE
Message text |
Local AC [STRING] went offline. State changed to Idle. |
Variable fields |
$1: Name of the local AC. |
Severity level |
6 |
Example |
APMGR/6/APMGR_LOG_LACOFFLINE: Local AC ac1 went offline. State changed to Idle. |
Explanation |
The local AC went offline. The state of the local AC changed to Idle. |
Recommended action |
1. If the local AC went offline abnormally, check the debugging information to locate the problem and resolve it. 2. If the problem persists, contact H3C Support. |
APMGR_LOG_LACONLINE
Message text |
Local AC [STRING] went online. State changed to Run. |
Variable fields |
$1: Name of the local AC. |
Severity level |
6 |
Example |
APMGR/6/APMGR_LOG_LACONLINE: Local AC ac1 went online. State changed to Run. |
Explanation |
The local AC came online. The state of the local AC changed to Run. |
Recommended action |
No action is required. |
APMGR_LOG_MEMALERT
Message text |
The memory usage of the AC has reached the threshold. |
Variable fields |
N/A |
Severity level |
4 |
Example |
APMGR/4/APMGR_LOG_MEMALERT: The memory usage of the AC has reached the threshold. |
Explanation |
The AP failed to come online because the memory utilization exceeded the limit. |
Recommended action |
Stop creating manual APs and prevent APs from coming online. |
APMGR_LOG_NOLICENSE
Message text |
AP failed to come online in [STRING]. Reason: No license for the [STRING]. |
Variable fields |
$1: AP state: · discover. · join. $2: AP type: · common AP. · WTU AP. |
Severity level |
6 |
Example |
APMGR/6/APMGR_LOG_NOLICENSE: AP failed to come online in discover. Reason: No license for the common AP. |
Explanation |
The AP failed to come online because the number of APs allowed by the license on the AC has reached the upper limit. |
Recommended action |
Purchase an upgrade license for AP number extension. |
APMGR_LOG_OFFLINE
Message text |
AP [STRING] went offline. State changed to Idle. |
Variable fields |
$1: AP name. |
Severity level |
6 |
Example |
APMGR/6/APMGR_LOG_OFFLINE: AP ap1 went offline. State changed to Idle. |
Explanation |
The AP went offline. The state of the AP changed to Idle. |
Recommended action |
If the AP went offline abnormally, check the debugging information to locate the problem and resolve it. |
APMGR_LOG_ONLINE
Message text |
AP [STRING] came online. State changed to Run. |
Variable fields |
$1: AP name. |
Severity level |
6 |
Example |
APMGR/6/APMGR_LOG_ONLINE: AP ap1 came online. State changed to Run. |
Explanation |
The AP came online. The state of the AP changed to Run. |
Recommended action |
No action is required. |
APMGR_LOG_ONLINE_FAILED
Message text |
[STRING] ([STRING]) failed to come online in join state. Reason: [STRING] ([STRING]) was offline. |
Variable fields |
$1: Name of a WTU or WAP. $2: Serial ID of a WTU or WAP. $3: Name of the connected WT or SPM. $4: Serial ID of the connected WT or SPM. |
Severity level |
6 |
Example |
· APMGR/6/APMGR_AP_ONLINE_FAILED: WTU (219801A0WA916BQ12535) failed to come online in join state. Reason: WT (219801A11UC173000153) was offline. · APMGR/6/APMGR_AP_ONLINE_FAILED: WAP (219801A0VW916AG00254) failed to come online in join state. Reason: SPM (219801A13DB05B0004350) was offline. |
Explanation |
· The WTU cannot come online because its connected WT is offline. · The WAP cannot come online because its connected SPM is offline. |
Recommended action |
Make the WT or SPM come online. |
APMGR_REACH_MAX_APNUMBER
Message text |
An AP failed to come online: Maximum number of APs already reached. |
Variable fields |
N/A |
Severity level |
4 |
Example |
APMGR/4/APMGR_REACH_MAX_APNEMBER: An AP failed to come online: Maximum number of APs already reached. |
Explanation |
An AP failed to come online because the number of APs on the AC already reached the upper limit. |
Recommended action |
No action is required. |
APMGR_SWAC_DRV_FAILED
Message text |
Failed to install WLAN feature package. Reason: Insufficient hardware resources. |
Variable fields |
N/A |
Severity level |
3 |
Example |
APMGR/3/SWAC_DRV_FAILED: Failed to install WLAN feature package. Reason: Insufficient hardware resources. |
Explanation |
The system failed to install the WLAN feature package because of insufficient hardware resources. |
Recommended action |
To resolve the problem: 1. Uninstall the WLAN feature package. 2. Locate the reason that causes hardware resource exhaustion and remove the issue. 3. Reinstall the WLAN feature package. 4. If the problem persists, contact H3C Support. |
CWC_AP_DOWN
Message text |
CAPWAP tunnel to AC [STRING] went down. Reason: [STRING]. |
Variable fields |
$1: AC IP address. $2: Reason: · Added AP IP address. · Deleted AP IP address. · AP interface used for CAPWAP tunnel went down. · AP config changed. · AP was reset. · Number of echo retransmission attempts exceeded the limit. · No license for the AP. · Full retransmission queue. · Data channel timer expired. · Backup AC IP address changed. · Backup tunnel changed to master tunnel. · Failed to change backup tunnel to master tunnel. · Backup method changed. · N/A. |
Severity level |
6 |
Example |
CWC/6/CWC_AP_DOWN: CAPWAP tunnel to AC 192.168.10.1 went down. Reason: AP was reset. |
Explanation |
The CAPWAP tunnel between the AP and the AC was terminated for a specific reason. |
Recommended action |
Examine the network connection between the AP and the AC. |
CWC_AP_UP
Message text |
[STRING] CAPWAP tunnel to AC [STRING] went up. |
Variable fields |
$1: Tunnel type: · Master. · Backup. $2: AC IP address. |
Severity level |
6 |
Example |
CWC/6/CWC_AP_UP: Master CAPWAP tunnel to AC 192.168.10.1 went up. |
Explanation |
The AP was connected to the AC successfully and entered Run state. |
Recommended action |
No action is required. |
CWC_AP_REBOOT
Message text |
AP in state [STRING] is rebooting. Reason: [STRING] |
Variable fields |
$1: AP state. $2: Reason: · Image was downloaded successfully. · Reset by admin. · Reset by CloudTunnel. · Reset on cloud. · The radio status was incorrect. · WT was offline. · Stayed in idle state for a long time. |
Severity level |
6 |
Example |
CWC/6/CWC_AP_REBOOT: AP in State Run is rebooting. Reason: Reset by admin. |
Explanation |
The AP rebooted for a specific reason. |
Recommended action |
No action is required. |
CWC_IMG_DOWNLOAD_COMPLETE
Message text |
System software image file [STRING] downloading through the CAPWAP tunnel to AC [STRING] completed. |
Variable fields |
$1: Image file name. $2: AC IP address. |
Severity level |
6 |
Example |
CWC/6/CWC_IMG_DOWNLOAD_COMPLETE: System software image file 5800.ipe downloading through the CAPWAP tunnel to AC 192.168.10.1 completed. |
Explanation |
The AP downloaded the image file from the AC successfully. |
Recommended action |
No action is required. |
CWS_IMG_DOWNLOAD_FAILED
Message text |
Failed to download image file [STRING1] for [STRING2] [STRING3]. |
Variable fields |
$1: Image file name. $2: AP or local AC. $3: Name of the AP or local AC. |
Severity level |
6 |
Example |
CWS/6/CWS_IMG_DOWNLOAD_FAILED: Failed to download image file wa4300.ipe for AP ap1. |
Explanation |
The AP or the local AC failed to download the image file from the AC. |
Recommended action |
No action is required. |
CWC_IMG_DOWNLOAD_START
Message text |
Started to download the system software image file [STRING] through the CAPWAP tunnel to AC [STRING]. |
Variable fields |
$1: Image file name. $2: AC IP address. |
Severity level |
6 |
Example |
CWC/6/CWC_IMG_DOWNLOAD_START: Started to download the system software image file 5800.ipe through the CAPWAP tunnel to AC 192.168.10.1. |
Explanation |
The AP started to download the image file from the AC. |
Recommended action |
Make sure the AP is correctly connected to the AC. |
CWC_IMG_NO_ENOUGH_SPACE
Message text |
Insufficient flash memory space for downloading system software image file [STRING]. |
Variable fields |
$1: Image file name. |
Severity level |
6 |
Example |
CWC/6/CWC_IMG_NO_ENOUGH_SPACE: Insufficient flash memory space for downloading system software image file 5800.ipe. |
Explanation |
The AP failed to download the image file from the AC because of insufficient flash memory. |
Recommended action |
Delete files not in use from the AP. |
CWC_LOCALAC_DOWN
Message text |
CAPWAP tunnel to Central AC [STRING] went down. Reason: [STRING]. |
Variable fields |
$1: IP address of the central AC. $2: Reason: · Added local AC IP address. · Deleted local AC IP address. · Local AC interface used for CAPWAP tunnel went down. · Local AC config changed. · N/A |
Severity level |
4 |
Example |
CWC/4/CWC_LOCALAC_DOWN: CAPWAP tunnel to Central AC 2.2.2.1 went down. Reason: Local AC config changed. |
Explanation |
The CAPWAP tunnel between the central AC and the local AC was terminated for a specific reason. |
Recommended action |
To resolve the problem: 1. Examine the network connection between the central AC and the local AC. 2. Verify that the central AC is correctly configured. 3. Verify that the local AC is correctly configured. 4. If the problem persists, contact H3C Support. |
CWC_LOCALAC_UP
Message text |
CAPWAP tunnel to Central AC [STRING] went up. |
Variable fields |
$1: IP address of the central AC. |
Severity level |
6 |
Example |
CWC/6/CWC_LOCALAC_UP: CAPWAP tunnel to Central AC 2.2.2.1 went up. |
Explanation |
The central AC has established a CAPWAP tunnel with the local AC. |
Recommended action |
No action is required. |
CWC_RUN_DOWNLOAD_COMPLETE
Message text |
File [STRING] successfully downloaded through the CAPWAP tunnel to AC [STRING]. |
Variable fields |
$1: File name. $2: AC IP address. |
Severity level |
6 |
Example |
CWC/6/CWC_RUN_DOWNLOAD_COMPLETE: File ac.cfg successfully downloaded through the CAPWAP tunnel to AC 192.168.10.1. |
Explanation |
The AP downloaded the file from the AC successfully. |
Recommended action |
No action is required. |
CWC_RUN_DOWNLOAD_START
Message text |
Started to download the file [STRING] through the CAPWAP tunnel to AC [STRING]. |
Variable fields |
$1: File name. $2: AC IP address. |
Severity level |
6 |
Example |
CWC/6/CWC_RUN_DOWNLOAD_START: Started to download the file ac.cfg through the CAPWAP tunnel to AC 192.168.10.1. |
Explanation |
The AP started to download the file from the AC. |
Recommended action |
Make sure the AP is correctly connected to the AC. |
CWC_RUN_NO_ENOUGH_SPACE
Message text |
Insufficient flash memory space for downloading file [STRING]. |
Variable fields |
$1: File name. |
Severity level |
6 |
Example |
CWC/6/CWC_RUN_NO_ENOUGH_SPACE: Insufficient flash memory space for downloading file ac.cfg. |
Explanation |
The AP failed to download the file from the AC because of insufficient flash memory. |
Recommended action |
Delete files not in use from the AP. |
CWS_AP_DOWN
Message text |
CAPWAP tunnel to AP [STRING] went down. Reason: [STRING]. |
Variable fields |
$1: AP name. $2: Reason: · Neighbor dead timer expired. · AP was reset by admin. · AP was reset by CloudTunnel. · AP was reset on cloud. · WT was offline. · AP was deleted. · Serial number changed. · Processed join request in Run state. · Failed to retransmit message. · Received WTP tunnel down event from AP. · Backup AC closed the backup tunnel. · Backup AP upgrade failed. · AC is inactive. · Tunnel switched. · N/A. |
Severity level |
6 |
Example |
CWS/6/CWS_AP_DOWN: CAPWAP tunnel to AP ap1 went down. Reason: AP was reset by admin. |
Explanation |
The AP went offline for a specific reason. |
Recommended action |
To resolve the problem: 1. Examine the network connection between the AP and the AC. 2. Verify that the AP is correctly configured. 3. Verify that the AC is correctly configured. 4. If the problem persists, contact H3C Support. |
CWS_AP_UP
Message text |
[STRING] CAPWAP tunnel to AP [STRING] went up. |
Variable fields |
$1: Tunnel type: · Master. · Backup. $2: AP name or serial ID. |
Severity level |
6 |
Example |
CWS/6/CWS_AP_UP: Backup CAPWAP tunnel to AP ap1 went up. |
Explanation |
The AP came online and entered Run state. |
Recommended action |
No action is required. |
CWS_IMG_DOWNLOAD_COMPLETE
Message text |
System software image file [STRING] downloading through the CAPWAP tunnel for AP [STRING] completed. |
Variable fields |
$1: Image file name. $2: AP name. |
Severity level |
6 |
Example |
CWS/6/CWS_IMG_DOWNLOAD_COMPLETE: System software image file 5800.ipe downloading through the CAPWAP tunnel for AP ap2 completed. |
Explanation |
The AP downloaded the image file from the AC successfully. |
Recommended action |
No action is required. |
CWS_IMG_DOWNLOAD_FAILED
Message text |
Failed to download image file [STRING] for the AP. AC memory is not enough. |
Variable fields |
$1: Name of an image file. |
Severity level |
6 |
Example |
CWS/6/CWS_IMG_DOWNLOAD_FAILED: Failed to download image file wa4300anchor.ipe for the AP. AC memory is not enough. |
Explanation |
The AP failed to download an image file from the AC because of insufficient AC memory. |
Recommended action |
No action is required. |
CWS_IMG_DOWNLOAD_START
Message text |
AP [STRING] started to download the system software image file [STRING]. |
Variable fields |
$1: AP name. $2: Image file name. |
Severity level |
6 |
Example |
CWS/6/CWS_IMG_DOWNLOAD_START: AP ap1 started to download the system software image file 5800.ipe. |
Explanation |
The AP started to download the image file from the AC. |
Recommended action |
No action is required. |
CWS_IMG_OPENFILE_FAILED
Message text |
Failed to open the image file [STRING]. |
Variable fields |
$1: Path of the image file to be downloaded to the AP. |
Severity level |
3 |
Example |
CWS/3/CWS_IMG_OPENFILE_FAILED: Failed to open the image file slot1#cfa0:/wa5600.ipe. |
Explanation |
The AP failed to open the image file downloaded from the AC. |
Recommended action |
No action is required. |
CWS_LOCALAC_DOWN
Message text |
CAPWAP tunnel to local AC [STRING] went down. Reason: [STRING]. |
Variable fields |
$1: IP address of the local AC. $2: Reason: · Neighbor dead timer expired. · Local AC was deleted. · Serial number changed. · Processed join request in Run state. · Failed to retransmit message. · N/A |
Severity level |
4 |
Example |
CWS/4/CWS_LOCALAC_DOWN: CAPWAP tunnel to local AC 1.1.1.1 went down. Reason: Local AC was deleted. |
Explanation |
The CAPWAP tunnel between the central AC and the local AC was terminated for a specific reason. |
Recommended action |
To resolve the problem: 1. Examine the network connection between the central AC and the local AC. 2. Verify that the central AC is correctly configured. 3. Verify that the local AC is correctly configured. 4. If the problem persists, contact H3C Support. |
CWS_LOCALAC_UP
Message text |
CAPWAP tunnel to local AC [STRING] went up. |
Variable fields |
$1: IP address of the local AC. |
Severity level |
6 |
Example |
CWS/6/CWS_LOCALAC_UP: CAPWAP tunnel to local AC 1.1.1.1 went up. |
Explanation |
The central AC has established a CAPWAP tunnel with the local AC. |
Recommended action |
No action is required. |
CWS_RUN_DOWNLOAD_COMPLETE
Message text |
File [STRING] successfully downloaded through the CAPWAP tunnel for AP [STRING]. |
Variable fields |
$1: File name. $2: AP name. |
Severity level |
6 |
Example |
CWS/6/CWS_RUN_DOWNLOAD_COMPLETE: File ac.cfg successfully downloaded through the CAPWAP tunnel for AP ap2. |
Explanation |
The AP downloaded the file from the AC successfully. |
Recommended action |
No action is required. |
CWS_RUN_DOWNLOAD_START
Message text |
AP [STRING] started to download the file [STRING]. |
Variable fields |
$1: AP name. $2: File name. |
Severity level |
6 |
Example |
CWS/6/CWS_RUN_DOWNLOAD_START: AP ap1 started to download the file ac.cfg. |
Explanation |
The AP started to download the file from the AC. |
Recommended action |
No action is required. |
RADIO
Message text |
APMGR/6/RADIO: Current channel usage [UINT32] of radio [CHAR] on AP [STRING] exceeded the threshold. |
Variable fields |
$1: Current channel usage. $2: Radio ID. $3: AP name. |
Severity level |
6 |
Example |
APMGR/6/RADIO: Current channel usage 63% of radio 2 on AP ap1 exceeded the threshold. |
Explanation |
The current channel usage on a radio has exceeded the channel usage threshold. |
Recommended action |
Execute the channel command to switch the working channel to a channel with low usage. |
Application account extraction messages
This section contains application account extraction messages.
USER-NETLOG
Message text |
Protocol(1001)= [STRING];SrcIPAddr(1003)= [IPADDR];SrcPort(1004)= [UINT16];DstIPAddr(1007)= [IPADDR];DstPort(1008)= [UINT16]; User(1098)=%s; Application(1002)= [STRING]; Account(1101)= [STRING]. |
Variable fields |
$1: Protocol address. $2: Source IP address. $3: Source port number. $4: Destination IP address. $5: Destination port number. $6: Username. $7: Application name. $8: User account. |
Severity level |
6 |
Example |
UDPI/6/USER-NETLOG:-Chassis=1-Slot=5.1;Protocol(1001)=UDP;SrcIPAddr(1003)=22.1.1.2;SrcPort(1004)=0;DstIPAddr(1007)=21.1.1.2;DstPort(1008)=65297;User(1098)=22.1.1.2; Application(1002)=ZhenAiWang; Account(1101)=72753475. |
Explanation |
This message is generated when a packet matches application account characteristics. |
Recommended action |
None |
Application audit and management messages
This section contains application audit and management messages.
AUDIT_RULE_MATCH_IM_IPV4_LOG
Message text |
Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPADDR];SrcPort(1004)=[UINT16];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];UserName(1113)=[STRING];PolicyName(1079)=[STRING];Application(1002)=[STRING];Behavior(1101)=[STRING];BehaviorContent(1102)={Account(1103)=[STRING],Content(1104)=[STRING],FileName(1097)=[STRING],FileSize(1105)=[STRING]};Client(1110)=[STRING];SoftVersion(1111)=[STRING];Action(1053)=[STRING]; |
Variable fields |
$1: Protocol type. $2: Source IPv4 address. $3: Source port number. $4: Destination IPv4 address. $5: Destination port number. $6: Source security zone name. $7: Destination security zone name. $8: Username. $9: Application audit and management policy name. $10: Application name. $11: Application behavior. $12: Application behavior content. $13: Account. $14: Content. $15: File name. $16: File size. $17: Client type. $18: Application software version. $19: Action name: Permit or Deny. |
Severity level |
6 |
Example |
AUDIT/6/AUDIT_RULE_MATCH_IM_IPV4_LOG:Protocol(1001)=TCP;SrcIPAddr(1003)=1.2.3.4;SrcPort(1004)=8080;DstIPAddr(1007)=6.1.1.1;DstPort(1008)=8080;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;UserName(1113)=hjp;PolicyName(1079)=policy1;Application(1002)=QQ;Behavior(1101)=Login;BehaviorContent(1102)={Account(1103)=12345678,Content(1104)=test,FileName(1097)=text,FileSize(1105)=152389};Client(1110)=PC;SoftVersion(1111)=;Action(1053)=Deny; |
Explanation |
This message is generated when an IPv4 packet matches an audit rule for an IM application. |
Recommended action |
No action is required. |
AUDIT_RULE_MATCH_MAIL_IPV4_LOG
Message text |
Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPADDR];SrcPort(1004)=[UINT16];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];UserName(1113)=[STRING];PolicyName(1079)=[STRING];Application(1002)=[STRING];Behavior(1101)=[STRING];BehaviorContent(1102)={Sender_addr(1106)=[STRING],Receiver_addr(1107)=[STRING],Subject(1108)=[STRING],Body(1109)=[STRING]};Client(1110)=[STRING];SoftVersion(1111)=[STRING];Action(1053)=[STRING]; |
Variable fields |
$1: Protocol type. $2: Source IPv4 address. $3: Source port number. $4: Destination IPv4 address. $5: Destination port number. $6: Source security zone name. $7: Destination security zone name. $8: Username. $9: Application audit and management policy name. $10: Application name. $11: Application behavior. $12: Application behavior content. $13: Sender. $14: Receiver. $15: Subject. $16: Body. $17: Client type. $18: Application software version. $19: Action name: Permit or Deny. |
Severity level |
6 |
Example |
AUDIT/6/AUDIT_RULE_MATCH_MAIL_IPV4_LOG:Protocol(1001)=TCP;SrcIPAddr(1003)=1.2.3.4;SrcPort(1004)=8080;DstIPAddr(1007)=6.1.1.1;DstPort(1008)=8080;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;UserName(1113)=hjp;PolicyName(1079)=policy1;Application(1002)=smtp;Behavior(1101)=SendMail;BehaviorContent(1102)={Sender_addr(1106)="wb"<wb@ubuntu.wb>,Receiver_addr(1107)=<wb@ubuntu.wb>,Subject(1108)=test,Body(1109)=abc};Client(1110)=PC;SoftVersion(1111)=;Action(1053)=Deny; |
Explanation |
This message is generated when an IPv4 packet matches an audit rule for an email application. |
Recommended action |
No action is required. |
AUDIT_RULE_MATCH_FORUM_IPV4_LOG
Message text |
Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPADDR];SrcPort(1004)=[UINT16];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];UserName(1113)=[STRING];PolicyName(1079)=[STRING];Application(1002)=[STRING];Behavior(1101)=[STRING];BehaviorContent(1102)={Account(1103)=[STRING],Content(1104)=[STRING]};Client(1110)=[STRING];SoftVersion(1111)=[STRING];Action(1053)=[STRING]; |
Variable fields |
$1: Protocol type. $2: Source IPv4 address. $3: Source port number. $4: Destination IPv4 address. $5: Destination port number. $6: Source security zone name. $7: Destination security zone name. $8: Username. $9: Application audit and management policy name. $10: Application name. $11: Application behavior. $12: Application behavior content. $13: Account. $14: Content. $15: Client type. $16: Application software version. $17: Action name: Permit or Deny. |
Severity level |
6 |
Example |
AUDIT/6/AUDIT_RULE_MATCH_FORUM_IPV4_LOG:Protocol(1001)=TCP;SrcIPAddr(1003)=1.2.3.4;SrcPort(1004)=8080;DstIPAddr(1007)=6.1.1.1;DstPort(1008)=8080;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;UserName(1113)=hjp;PolicyName(1079)=policy1;Application(1002)=SinaWeibo;Behavior(1101)=Comment;BehaviorContent(1102)={Account(1103)=hjk123456,Content(1104)=hello};Client(1110)=PC;SoftVersion(1111)=;Action(1053)=Deny; |
Explanation |
This message is generated when an IPv4 packet matches an audit rule for a social networking application. |
Recommended action |
No action is required. |
AUDIT_RULE_MATCH_SEARCH_IPV4_LOG
Message text |
Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPADDR];SrcPort(1004)=[UINT16];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];UserName(1113)=[STRING];PolicyName(1079)=[STRING];Application(1002)=[STRING];Behavior(1101)=[STRING];BehaviorContent(1102)={Keyword(1095)=[STRING]};Client(1110)=[STRING];SoftVersion(1111)=[STRING];Action(1053)=[STRING]; |
Variable fields |
$1: Protocol type. $2: Source IPv4 address. $3: Source port number. $4: Destination IPv4 address. $5: Destination port number. $6: Source security zone name. $7: Destination security zone name. $8: Username. $9: Application audit and management policy name. $10: Application name. $11: Application behavior. $12: Application behavior content. $13: Keyword. $14: Client type. $15: Application software version. $16: Action name: Permit or Deny. |
Severity level |
6 |
Example |
AUDIT/6/AUDIT_RULE_MATCH_SEARCH_IPV4_LOG:Protocol(1001)=TCP;SrcIPAddr(1003)=1.2.3.4;SrcPort(1004)=8080;DstIPAddr(1007)=6.1.1.1;DstPort(1008)=8080;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;UserName(1113)=hjp;PolicyName(1079)=policy1;Application(1002)=BaiduSearch;Behavior(1101)=Search;BehaviorContent(1102)={Keyword(1095)=12345678};Client(1110)=PC;SoftVersion(1111)=;Action(1053)=Deny; |
Explanation |
This message is generated when an IPv4 packet matches an audit rule for a search engine application. |
Recommended action |
No action is required. |
AUDIT_RULE_MATCH_FILE_IPV4_LOG
Message text |
Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPADDR];SrcPort(1004)=[UINT16];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];UserName(1113)=[STRING];PolicyName(1079)=[STRING];Application(1002)=[STRING];Behavior(1101)=[STRING];BehaviorContent(1102)={Account(1103)=[STRING],FileName(1097)=[STRING]};Client(1110)=[STRING];SoftVersion(1111)=[STRING];Action(1053)=[STRING]; |
Variable fields |
$1: Protocol type. $2: Source IPv4 address. $3: Source port number. $4: Destination IPv4 address. $5: Destination port number. $6: Source security zone name. $7: Destination security zone name. $8: Username. $9: Application audit and management policy name. $10: Application name. $11: Application behavior. $12: Application behavior content. $13: Account. $14: File name. $15: Client type. $16: Application software version. $17: Action name: Permit or Deny. |
Severity level |
6 |
Example |
AUDIT/6/AUDIT_RULE_MATCH_FILE_IPV4_LOG:Protocol(1001)=TCP;SrcIPAddr(1003)=1.2.3.4;SrcPort(1004)=8080;DstIPAddr(1007)=6.1.1.1;DstPort(1008)=8080;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;UserName(1113)=hjp;PolicyName(1079)=policy1;Application(1002)=ftp;Behavior(1101)=UploadFile;BehaviorContent(1102)={Account(1103)=ghj123,FileName(1097)=abc.txt};Client(1110)=PC;SoftVersion(1111)=;Action(1053)=Deny; |
Explanation |
This message is generated when an IPv4 packet matches an audit rule for a file transfer application. |
Recommended action |
No action is required. |
AUDIT_RULE_MATCH_AS_IPV4_LOG
Message text |
Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPADDR];SrcPort(1004)=[UINT16];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];UserName(1113)=[STRING];PolicyName(1079)=[STRING];Application(1002)=[STRING];Behavior(1101)=[STRING];BehaviorContent(1102)={Account(1103)=[STRING],Content(1104)=[STRING]};Client(1110)=[STRING];SoftVersion(1111)=[STRING];Action(1053)=[STRING]; |
Variable fields |
$1: Protocol type. $2: Source IPv4 address. $3: Source port number. $4: Destination IPv4 address. $5: Destination port number. $6: Source security zone name. $7: Destination security zone name. $8: Username. $9: Application audit and management policy name. $10: Application name. $11: Application behavior. $12: Application behavior content. $13: Account. $14: Content. $15: Client type. $16: Application software version. $17: Action name: Permit or Deny. |
Severity level |
6 |
Example |
AUDIT/6/AUDIT_RULE_MATCH_AS_IPV4_LOG:Protocol(1001)=TCP;SrcIPAddr(1003)=1.2.3.4;SrcPort(1004)=8080;DstIPAddr(1007)=6.1.1.1;DstPort(1008)=8080;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;UserName(1113)=hjp;PolicyName(1079)=policy1;Application(1002)=tonghuashun;Behavior(1101)=Login;BehaviorContent(1102)={Account(1103)=hjk123456,Content(1104)=hello};Client(1110)=PC;SoftVersion(1111)=;Action(1053)=Deny; |
Explanation |
This message is generated when an IPv4 packet matches an audit rule for an entertainment or stock application. |
Recommended action |
No action is required. |
AUDIT_RULE_MATCH_OTHER_IPV4_LOG
Message text |
Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPADDR];SrcPort(1004)=[UINT16];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];UserName(1113)=[STRING];PolicyName(1079)=[STRING];Application(1002)=[STRING];Behavior(1101)=[STRING];BehaviorContent(1102)={Account(1103)=[STRING],Password(1112)=[STRING],Content(1104)=[STRING]};Client(1110)=[STRING];SoftVersion(1111)=[STRING];Action(1053)=[STRING]; |
Variable fields |
$1: Protocol type. $2: Source IPv4 address. $3: Source port number. $4: Destination IPv4 address. $5: Destination port number. $6: Source security zone name. $7: Destination security zone name. $8: Username. $9: Application audit and management policy name. $10: Application name. $11: Application behavior. $12: Application behavior content. $13: Account. $14: Password. $15: Content. $16: Client type. $17: Application software version. $18: Action name: Permit or Deny. |
Severity level |
6 |
Example |
AUDIT/6/AUDIT_RULE_MATCH_OTHER_IPV4_LOG:Protocol(1001)=TCP;SrcIPAddr(1003)=1.2.3.4;SrcPort(1004)=8080;DstIPAddr(1007)=6.1.1.1;DstPort(1008)=8080;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;UserName(1113)=hjp;PolicyName(1079)=policy1;Application(1002)=Telnet;Behavior(1101)=Download;BehaviorContent(1102)={Account(1103)=hjk123456,Password(1112)=hhh123,Content(1104)=hello};Client(1110)=PC;SoftVersion(1111)=;Action(1053)=Deny; |
Explanation |
This message is generated when an IPv4 packet matches an audit rule for an unclassified application. |
Recommended action |
No action is required. |
AUDIT_RULE_MATCH_IM_IPV6_LOG
Message text |
Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[IPADDR];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];UserName(1113)=[STRING];PolicyName(1079)=[STRING];Application(1002)=[STRING];Behavior(1101)=[STRING];BehaviorContent(1102)={Account(1103)=[STRING],Content(1104)=[STRING],FileName(1097)=[STRING],FileSize(1105)=[STRING]};Client(1110)=[STRING];SoftVersion(1111)=[STRING];Action(1053)=[STRING]; |
Variable fields |
$1: Protocol type. $2: Source IPv6 address. $3: Source port number. $4: Destination IPv6 address. $5: Destination port number. $6: Source security zone name. $7: Destination security zone name. $8: Username. $9: Application audit and management policy name. $10: Application name. $11: Application behavior. $12: Application behavior content. $13: Account. $14: Content. $15: File name. $16: File size. $17: Client type. $18: Application software version. $19: Action name: Permit or Deny. |
Severity level |
6 |
Example |
AUDIT/6/AUDIT_RULE_MATCH_IM_IPV6_LOG:Protocol(1001)=TCP;SrcIPv6Addr(1036)=2001::2;SrcPort(1004)=51396;DstIPv6Addr(1037)=3001::2;DstPort(1008)=25;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;UserName(1113)=hjp;PolicyName(1079)=policy1;Application(1002)=QQ;Behavior(1101)=Login;BehaviorContent(1102)={Account(1103)=12345678,Content(1104)=test,FileName(1097)=text,FileSize(1105)=152389};Client(1110)=PC;SoftVersion(1111)=;Action(1053)=Deny; |
Explanation |
This message is generated when an IPv6 packet matches an audit rule for an IM application. |
Recommended action |
No action is required. |
AUDIT_RULE_MATCH_MAIL_IPV6_LOG
Message text |
Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[IPADDR];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];UserName(1113)=[STRING];PolicyName(1079)=[STRING];Application(1002)=[STRING];Behavior(1101)=[STRING];BehaviorContent(1102)={Sender_addr(1106)=[STRING],Receiver_addr(1107)=[STRING],Subject(1108)=[STRING],Body(1109)=[STRING]};Client(1110)=[STRING];SoftVersion(1111)=[STRING];Action(1053)=[STRING]; |
Variable fields |
$1: Protocol type. $2: Source IPv6 address. $3: Source port number. $4: Destination IPv6 address. $5: Destination port number. $6: Source security zone name. $7: Destination security zone name. $8: Username. $9: Application audit and management policy name. $10: Application name. $11: Application behavior. $12: Application behavior content. $13: Sender. $14: Receiver. $15: Subject. $16: Body. $17: Client type. $18: Application software version. $19: Action name: Permit or Deny. |
Severity level |
6 |
Example |
AUDIT/6/AUDIT_RULE_MATCH_MAIL_IPV6_LOG:Protocol(1001)=TCP;SrcIPv6Addr(1036)=2001::2;SrcPort(1004)=51396;DstIPv6Addr(1037)=3001::2;DstPort(1008)=25;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;UserName(1113)=hjp;PolicyName(1079)=policy1;Application(1002)=smtp;Behavior(1101)=SendMail;BehaviorContent(1102)={Sender_addr(1106)="wb"<wb@ubuntu.wb>,Receiver_addr(1107)=<wb@ubuntu.wb>,Subject(1108)=test,Body(1109)=abc};Client(1110)=PC;SoftVersion(1111)=;Action(1053)=Deny; |
Explanation |
This message is generated when an IPv6 packet matches an audit rule for an email application. |
Recommended action |
No action is required. |
AUDIT_RULE_MATCH_FORUM_IPV6_LOG
Message text |
Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[IPADDR];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];UserName(1113)=[STRING];PolicyName(1079)=[STRING];Application(1002)=[STRING];Behavior(1101)=[STRING];BehaviorContent(1102)={Account(1103)=[STRING],Content(1104)=[STRING]};Client(1110)=[STRING];SoftVersion(1111)=[STRING];Action(1053)=[STRING]; |
Variable fields |
$1: Protocol type. $2: Source IPv6 address. $3: Source port number. $4: Destination IPv6 address. $5: Destination port number. $6: Source security zone name. $7: Destination security zone name. $8: Username. $9: Application audit and management policy name. $10: Application name. $11: Application behavior. $12: Application behavior content. $13: Account. $14: Content. $15: Client type. $16: Application software version. $17: Action name: Permit or Deny. |
Severity level |
6 |
Example |
AUDIT/6/AUDIT_RULE_MATCH_FORUM_IPV6_LOG:Protocol(1001)=TCP;SrcIPv6Addr(1036)=2001::2;SrcPort(1004)=51396;DstIPv6Addr(1037)=3001::2;DstPort(1008)=25;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;UserName(1113)=hjp;PolicyName(1079)=policy1;Application(1002)=SinaWeibo;Behavior(1101)=Comment;BehaviorContent(1102)={Account(1103)=hjk123456,Content(1104)=hello};Client(1110)=PC;SoftVersion(1111)=;Action(1053)=Deny; |
Explanation |
This message is generated when an IPv6 packet matches an audit rule for a social networking application. |
Recommended action |
No action is required. |
AUDIT_RULE_MATCH_SEARCH_IPV6_LOG
Message text |
Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[IPADDR];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];UserName(1113)=[STRING];PolicyName(1079)=[STRING];Application(1002)=[STRING];Behavior(1101)=[STRING];BehaviorContent(1102)={Keyword(1095)=[STRING]};Client(1110)=[STRING];SoftVersion(1111)=[STRING];Action(1053)=[STRING]; |
Variable fields |
$1: Protocol type. $2: Source IPv6 address. $3: Source port number. $4: Destination IPv6 address. $5: Destination port number. $6: Source security zone name. $7: Destination security zone name. $8: Username. $9: Application audit and management policy name. $10: Application name. $11: Application behavior. $12: Application behavior content. $13: Keyword. $14: Client type. $15: Application software version. $16: Action name: Permit or Deny. |
Severity level |
6 |
Example |
AUDIT/6/AUDIT_RULE_MATCH_SEARCH_IPV6_LOG:Protocol(1001)=TCP;SrcIPv6Addr(1036)=2001::2;SrcPort(1004)=51396;DstIPv6Addr(1037)=3001::2;DstPort(1008)=25;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;UserName(1113)=hjp;PolicyName(1079)=policy1;Application(1002)=BaiduSearch;Behavior(1101)=Search;BehaviorContent(1102)={Keyword(1095)=12345678};Client(1110)=PC;SoftVersion(1111)=;Action(1053)=Deny; |
Explanation |
This message is generated when an IPv6 packet matches an audit rule for a search engine application. |
Recommended action |
No action is required. |
AUDIT_RULE_MATCH_FILE_IPV6_LOG
Message text |
Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[IPADDR];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];UserName(1113)=[STRING];PolicyName(1079)=[STRING];Application(1002)=[STRING];Behavior(1101)=[STRING];BehaviorContent(1102)={Account(1103)=[STRING],FileName(1097)=[STRING]};Client(1110)=[STRING];SoftVersion(1111)=[STRING];Action(1053)=[STRING]; |
Variable fields |
$1: Protocol type. $2: Source IPv6 address. $3: Source port number. $4: Destination IPv6 address. $5: Destination port number. $6: Source security zone name. $7: Destination security zone name. $8: Username. $9: Application audit and management policy name. $10: Application name. $11: Application behavior. $12: Application behavior content. $13: Account. $14: File name. $15: Client type. $16: Application software version. $17: Action name: Permit or Deny. |
Severity level |
6 |
Example |
AUDIT/6/AUDIT_RULE_MATCH_FILE_IPV6_LOG:Protocol(1001)=TCP;SrcIPv6Addr(1036)=2001::2;SrcPort(1004)=51396;DstIPv6Addr(1037)=3001::2;DstPort(1008)=25;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;UserName(1113)=hjp;PolicyName(1079)=policy1;Application(1002)=ftp;Behavior(1101)=UploadFile;BehaviorContent(1102)={Account(1103)=ghj123,FileName(1097)=abc.txt};Client(1110)=PC;SoftVersion(1111)=;Action(1053)=Deny; |
Explanation |
This message is generated when an IPv6 packet matches an audit rule for a file transfer application. |
Recommended action |
No action is required. |
AUDIT_RULE_MATCH_AS_IPV6_LOG
Message text |
Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[IPADDR];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];UserName(1113)=[STRING];PolicyName(1079)=[STRING];Application(1002)=[STRING];Behavior(1101)=[STRING];BehaviorContent(1102)={Account(1103)=[STRING],Content(1104)=[STRING]};Client(1110)=[STRING];SoftVersion(1111)=[STRING];Action(1053)=[STRING]; |
Variable fields |
$1: Protocol type. $2: Source IPv6 address. $3: Source port number. $4: Destination IPv6 address. $5: Destination port number. $6: Source security zone name. $7: Destination security zone name. $8: Username. $9: Application audit and management policy name. $10: Application name. $11: Application behavior. $12: Application behavior content. $13: Account. $14: Content. $15: Client type. $16: Application software version. $17: Action name: Permit or Deny. |
Severity level |
6 |
Example |
AUDIT/6/AUDIT_RULE_MATCH_AS_IPV6_LOG:Protocol(1001)=TCP;SrcIPv6Addr(1036)=2001::2;SrcPort(1004)=51396;DstIPv6Addr(1037)=3001::2;DstPort(1008)=25;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;UserName(1113)=hjp;PolicyName(1079)=policy1;Application(1002)=tonghuashun;Behavior(1101)=Login;BehaviorContent(1102)={Account(1103)=hjk123456,Content(1104)=hello};Client(1110)=PC;SoftVersion(1111)=;Action(1053)=Deny; |
Explanation |
This message is generated when an IPv6 packet matches an audit rule for an entertainment or stock application. |
Recommended action |
No action is required. |
AUDIT_RULE_MATCH_OTHER_IPV6_LOG
Message text |
Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[IPADDR];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];SrcZoneName(1025)=[STRING];DstZoneName(1035)=[STRING];UserName(1113)=[STRING];PolicyName(1079)=[STRING];Application(1002)=[STRING];Behavior(1101)=[STRING];BehaviorContent(1102)={Account(1103)=[STRING],Password(1112)=[STRING],Content(1104)=[STRING]};Client(1110)=[STRING];SoftVersion(1111)=[STRING];Action(1053)=[STRING]; |
Variable fields |
$1: Protocol type. $2: Source IPv6 address. $3: Source port number. $4: Destination IPv6 address. $5: Destination port number. $6: Source security zone name. $7: Destination security zone name. $8: Username. $9: Application audit and management policy name. $10: Application name. $11: Application behavior. $12: Application behavior content. $13: Account. $14: Password. $15: Content. $16: Client type. $17: Application software version. $18: Action name: Permit or Deny. |
Severity level |
6 |
Example |
AUDIT/6/AUDIT_RULE_MATCH_OTHER_IPV6_LOG:Protocol(1001)=TCP;SrcIPv6Addr(1036)=2001::2;SrcPort(1004)=51396;DstIPv6Addr(1037)=3001::2;DstPort(1008)=25;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;UserName(1113)=hjp;PolicyName(1079)=policy1;Application(1002)=Telnet;Behavior(1101)=Download;BehaviorContent(1102)={Account(1103)=hjk123456,Password(1112)=hhh123,Content(1104)=hello};Client(1110)=PC;SoftVersion(1111)=;Action(1053)=Deny; |
Explanation |
This message is generated when an IPv6 packet matches an audit rule for an unclassified application. |
Recommended action |
No action is required. |
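The AUDIT_RULE_MATCH_* messages above share one Name(ID)=value layout with a braced BehaviorContent group, and the AUDIT_RULE_MATCH_OTHER_*_LOG examples show Password(1112) in clear text. The following Python parser is an added example, not H3C code: it splits such a line into fields and masks the password before the record is stored or forwarded. The function names are hypothetical; it assumes the line starts at the module name as in the examples above, and that free-text values are not escaped by the device, which this reference does not specify.

```python
import re

# Key token used by every AUDIT_RULE_MATCH_* message text: Name(NNNN)=
# A key must sit at the start of the body or directly after ';', ',' or '{'.
# Anchoring on keys (instead of splitting on ';' and ',') keeps free-text
# values such as Content or Body intact when they contain those characters.
KEY_RE = re.compile(r"(?:^|(?<=[;,{]))\s*([A-Za-z_][A-Za-z0-9_]*)\((\d+)\)=")

SENSITIVE_KEYS = {"Password"}   # Password(1112) in AUDIT_RULE_MATCH_OTHER_*_LOG
REDACTED = "[REDACTED]"

# Example lines copied from this reference.
OTHER_IPV4 = ("AUDIT/6/AUDIT_RULE_MATCH_OTHER_IPV4_LOG:Protocol(1001)=TCP;"
              "SrcIPAddr(1003)=1.2.3.4;SrcPort(1004)=8080;DstIPAddr(1007)=6.1.1.1;"
              "DstPort(1008)=8080;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;"
              "UserName(1113)=hjp;PolicyName(1079)=policy1;Application(1002)=Telnet;"
              "Behavior(1101)=Download;BehaviorContent(1102)={Account(1103)=hjk123456,"
              "Password(1112)=hhh123,Content(1104)=hello};Client(1110)=PC;"
              "SoftVersion(1111)=;Action(1053)=Deny;")
MAIL_IPV6 = ("AUDIT/6/AUDIT_RULE_MATCH_MAIL_IPV6_LOG:Protocol(1001)=TCP;"
             "SrcIPv6Addr(1036)=2001::2;SrcPort(1004)=51396;DstIPv6Addr(1037)=3001::2;"
             "DstPort(1008)=25;SrcZoneName(1025)=spf;DstZoneName(1035)=spf;"
             "UserName(1113)=hjp;PolicyName(1079)=policy1;Application(1002)=smtp;"
             "Behavior(1101)=SendMail;BehaviorContent(1102)={Sender_addr(1106)="
             "\"wb\"<wb@ubuntu.wb>,Receiver_addr(1107)=<wb@ubuntu.wb>,"
             "Subject(1108)=test,Body(1109)=abc};Client(1110)=PC;"
             "SoftVersion(1111)=;Action(1053)=Deny;")


def parse_audit_log(line):
    """Parse 'MODULE/severity/MNEMONIC:Key(id)=value;...' into a dict."""
    # Split on the first ':' only; IPv6 addresses in the body contain colons.
    header, sep, body = line.strip().partition(":")
    parts = header.split("/")
    if not sep or len(parts) != 3 or not parts[1].isdigit():
        raise ValueError("expected MODULE/severity/MNEMONIC: prefix")
    record = {"module": parts[0], "severity": int(parts[1]),
              "mnemonic": parts[2], "fields": {}, "duplicate_keys": []}
    fields, seen, group = record["fields"], set(), None
    matches = list(KEY_RE.finditer(body))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(body)
        name, value = m.group(1), body[m.end():end].strip()
        # A key name seen twice means a free-text value contained something
        # that looks like a field; the record is ambiguous, so flag it.
        if name in seen:
            record["duplicate_keys"].append(name)
        seen.add(name)
        if group is None and value == "{":      # BehaviorContent(1102)={
            group, fields[name] = name, {}
            continue
        if group is not None:
            closes = value.endswith("}") or value.endswith("};")
            if closes:
                value = value[:value.rindex("}")]
            elif value.endswith(","):
                value = value[:-1]
            fields[group][name] = value
            if closes:
                group = None
        else:
            fields[name] = value[:-1] if value.endswith(";") else value
    return record


def redact(record, sensitive=SENSITIVE_KEYS):
    """Return a copy of the record with sensitive values masked."""
    def mask(d):
        return {k: mask(v) if isinstance(v, dict)
                else (REDACTED if k in sensitive and v else v)
                for k, v in d.items()}
    clean = dict(record)
    clean["fields"] = mask(record["fields"])
    clean["duplicate_keys"] = list(record["duplicate_keys"])
    return clean


def flatten(record):
    """Flatten to one level ('BehaviorContent.Account') for a log pipeline."""
    flat = {"mnemonic": record["mnemonic"], "severity": record["severity"]}
    for key, value in record["fields"].items():
        if isinstance(value, dict):
            flat.update({f"{key}.{k}": v for k, v in value.items()})
        else:
            flat[key] = value
    return flat


if __name__ == "__main__":
    for sample in (OTHER_IPV4, MAIL_IPV6):
        print(flatten(redact(parse_audit_log(sample))))
```

Records with a non-empty `duplicate_keys` list should be kept for review rather than trusted field by field, because the field boundaries could not be determined unambiguously.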
APR messages
This section contains APR messages.
NBAR_WARNING
Message text |
Updated the APR signature library successfully. |
Variable fields |
N/A |
Severity level |
4 |
Example |
NBAR/4/NBAR_WARNING: -Context=1; Updated the APR signature library successfully. |
Explanation |
The APR signature library was updated successfully. The device outputs this log message for one of the following conditions: · The triggered update operation succeeds. · The local update operation succeeds. |
Recommended action |
No action is required. |
NBAR_WARNING
Message text |
Rolled back the APR signature library successfully. |
Variable fields |
N/A |
Severity level |
4 |
Example |
NBAR/4/NBAR_WARNING: -Context=1; Rolled back the APR signature library successfully. |
Explanation |
The APR signature library was rolled back successfully to the last version or the factory version. |
Recommended action |
No action is required. |
NBAR_WARNING
Message text |
Failed to update the APR signature library because no valid license was found for the NBAR feature. |
Variable fields |
N/A |
Severity level |
4 |
Example |
NBAR/4/NBAR_WARNING: -Context=1; Failed to update the APR signature library because no valid license was found for the NBAR feature. |
Explanation |
The APR signature library update failed because no valid license was found for updating the APR signature library. The device outputs this log message for one of the following conditions: · Failed to perform a triggered update operation. · Failed to perform a local update operation through the Web interface. |
Recommended action |
ARP messages
This section contains ARP messages.
ARP_ACTIVE_ACK_NO_REPLY
Message text |
No ARP reply from IP [STRING] was received on interface [STRING]. |
Variable fields |
$1: IP address. $2: Interface name. |
Severity level |
6 |
Example |
ARP/6/ARP_ACTIVE_ACK_NO_REPLY: No ARP reply from IP 192.168.10.1 was received on interface Ethernet0/1/0. |
Explanation |
The ARP active acknowledgement feature did not receive an ARP reply after it sent an ARP request to the sender IP of an ARP message. This message indicates the risk of attacks. |
Recommended action |
1. Verify that the learned ARP entries on the device are consistent with the existing legal devices. When gateways and servers are on the network, check the ARP entries for these devices first. 2. If the ARP entries are correct and the attack continues, contact H3C Support. |
ARP_ACTIVE_ACK_NOREQUESTED_REPLY
Message text |
Interface [STRING] received from IP [STRING] an ARP reply that was not requested by the device. |
Variable fields |
$1: Interface name. $2: IP address. |
Severity level |
6 |
Example |
ARP/6/ARP_ACTIVE_ACK_NOREQUESTED_REPLY: Interface Ethernet0/1/0 received from IP 192.168.10.1 an ARP reply that was not requested by the device. |
Explanation |
The ARP active acknowledgement feature received an unsolicited ARP reply from a sender IP. This message indicates the risk of attacks. |
Recommended action |
No action is required. The device discards the ARP reply automatically. |
ARP_BINDRULETOHW_FAILED
Message text |
Failed to download binding rule to hardware on the interface [STRING], SrcIP [IPADDR], SrcMAC [MAC], VLAN [UINT16], Gateway MAC [MAC]. |
Variable fields |
$1: Interface name. $2: Source IP address. $3: Source MAC address. $4: VLAN ID. $5: Gateway MAC address. |
Severity level |
5 |
Example |
ARP/5/ARP_BINDRULETOHW_FAILED: Failed to download binding rule to hardware on the interface Ethernet1/0/1, SrcIP 1.1.1.132, SrcMAC 0015-E944-A947, VLAN 1, Gateway MAC 00A1-B812-1108. |
Explanation |
The system failed to set a binding rule to the hardware on an interface. The message is sent in any of the following situations: · The resources are not sufficient for the operation. · The memory is not sufficient for the operation. · A hardware error occurs. |
Recommended action |
To resolve the problem: 1. Execute the display qos-acl resource command to check if the ACL resources for the operation are sufficient. · If yes, proceed to step 2. · If no, delete unnecessary configuration to release ACL resources. If no configuration can be deleted, proceed to step 2. 2. Execute the display memory command to check if the memory for the operation is sufficient. · If yes, proceed to step 3. · If no, delete unnecessary configuration to release memory. If no configuration can be deleted, proceed to step 3. 3. Delete the configuration and perform the operation again. |
ARP_DYNAMIC
Message text |
The maximum number of dynamic ARP entries for the device reached. |
Variable fields |
N/A |
Severity level |
6 |
Example |
The maximum number of dynamic ARP entries for the device reached. |
Explanation |
This message is displayed when the maximum number of dynamic ARP entries on the device is reached. |
Recommended action |
No action is required. |
ARP_DYNAMIC_IF
Message text |
The maximum number of dynamic ARP entries for interface [STRING] reached. |
Variable fields |
$1: Interface name. |
Severity level |
6 |
Example |
The maximum number of dynamic ARP entries for interface GigabitEthernet3/0/1 reached. |
Explanation |
This message is displayed when the maximum number of dynamic ARP entries on an interface is reached. |
Recommended action |
No action is required. |
ARP_DYNAMIC_SLOT
Message text |
The maximum number of dynamic ARP entries for [STRING] reached. |
Variable fields |
$1: Slot number (in standalone mode) or chassis number and slot number (in IRF mode). |
Severity level |
6 |
Example |
The maximum number of dynamic ARP entries for slot 2 reached.
The maximum number of dynamic ARP entries for chassis 1 slot 2 reached. |
Explanation |
This message is displayed when the maximum number of dynamic ARP entries on a slot is reached. |
Recommended action |
No action is required. |
ARP_HOST_IP_CONFLICT
Message text |
|
Variable fields |
$1: IP address. $2: Interface name. $3: Interface name. |
Severity level |
4 |
Example |
|
Explanation |
The sender IP address in a received ARP message conflicted with the IP address of a host connected to another interface. |
Recommended action |
Check whether the hosts that send the ARP messages are legitimate. Disconnect the illegal host from the network. |
ARP_RATE_EXCEEDED
Message text |
The ARP packet rate ([UINT32] pps) exceeded the rate limit ([UINT32] pps) on interface [STRING] in the last [UINT32] seconds. |
Variable fields |
$1: ARP packet rate. $2: ARP limit rate. $3: Interface name. $4: Interval time. |
Severity level |
4 |
Example |
ARP/4/ARP_RATE_EXCEEDED: The ARP packet rate (100 pps) exceeded the rate limit (80 pps) on interface Ethernet0/1/0 in the last 10 seconds. |
Explanation |
An interface received ARP messages at a higher rate than the rate limit. |
Recommended action |
Verify that the hosts at the sender IP addresses are legitimate. |
ARP_SENDER_IP_INVALID
Message text |
Sender IP [STRING] was not on the same network as the receiving interface [STRING]. |
Variable fields |
$1: IP address. $2: Interface name. |
Severity level |
6 |
Example |
ARP/6/ARP_SENDER_IP_INVALID: Sender IP 192.168.10.2 was not on the same network as the receiving interface Ethernet0/1/0. |
Explanation |
The sender IP of a received ARP message was not on the same network as the receiving interface. |
Recommended action |
Verify that the host at the sender IP address is legitimate. |
ARP_SENDER_MAC_INVALID
Message text |
Sender MAC [STRING] was not identical to Ethernet source MAC [STRING] on interface [STRING]. |
Variable fields |
$1: MAC address. $2: MAC address. $3: Interface name. |
Severity level |
6 |
Example |
ARP/6/ARP_SENDER_MAC_INVALID: Sender MAC 0000-5E14-0E00 was not identical to Ethernet source MAC 0000-5C14-0E00 on interface Ethernet0/1/0. |
Explanation |
An interface received an ARP message. The sender MAC address in the message body was not identical to the source MAC address in the Ethernet header. |
Recommended action |
Verify that the host at the sender MAC address is legitimate. |
ARP_SRC_MAC_FOUND_ATTACK
Message text |
An attack from MAC [STRING] was detected on interface [STRING]. |
Variable fields |
$1: MAC address. $2: Interface name. |
Severity level |
6 |
Example |
ARP/6/ARP_SRC_MAC_FOUND_ATTACK: An attack from MAC 0000-5E14-0E00 was detected on interface Ethernet0/1/0. |
Explanation |
The source MAC-based ARP attack detection feature received more ARP packets from the same MAC address within 5 seconds than the specified threshold. This message indicates the risk of attacks. |
Recommended action |
Verify that the host at the source MAC address is legitimate. |
ARP_TARGET_IP_INVALID
Message text |
Target IP [STRING] was not the IP of the receiving interface [STRING]. |
Variable fields |
$1: IP address. $2: Interface name. |
Severity level |
6 |
Example |
ARP/6/ARP_TARGET_IP_INVALID: Target IP 192.168.10.2 was not the IP of the receiving interface Ethernet0/1/0. |
Explanation |
The target IP address of a received ARP message was not the IP address of the receiving interface. |
Recommended action |
Verify that the host at the sender IP address is legitimate. |
DUPIFIP
Message text |
Duplicate address [STRING] on interface [STRING], sourced from [STRING]. |
Variable fields |
$1: IP address. $2: Interface name. $3: MAC address. |
Severity level |
6 |
Example |
ARP/6/DUPIFIP: Duplicate address 1.1.1.1 on interface Ethernet1/1/1, sourced from 0015-E944-A947. |
Explanation |
ARP detected a duplicate address. The sender IP in the received ARP packet was being used by the receiving interface. |
Recommended action |
Modify the IP address configuration. |
DUPIP
Message text |
IP address [STRING] conflicted with global or imported IP address, sourced from [STRING]. |
Variable fields |
$1: IP address. $2: MAC address. |
Severity level |
6 |
Example |
ARP/6/DUPIP: IP address 30.1.1.1 conflicted with global or imported IP address, sourced from 0000-0000-0001. |
Explanation |
The sender IP address of the received ARP packet conflicted with the global or imported IP address. |
Recommended action |
Modify the IP address configuration. |
DUPVRRPIP
Message text |
IP address [STRING] conflicted with VRRP virtual IP address on interface [STRING], sourced from [STRING]. |
Variable fields |
$1: IP address. $2: Interface name. $3: MAC address. |
Severity level |
6 |
Example |
ARP/6/DUPVRRPIP: IP address 1.1.1.1 conflicted with VRRP virtual IP address on interface Ethernet1/1/1, sourced from 0015-E944-A947. |
Explanation |
The sender IP address of the received ARP packet conflicted with the VRRP virtual IP address. |
Recommended action |
Modify the IP address configuration. |
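Added example (not part of the H3C manual): the "Message text" templates of the ARP entries above can be compiled into regular expressions, so that the $1..$n variable fields are extracted from collected log lines and lines that do not fit the documented template are flagged for review. The function names and the pattern chosen for each placeholder type are assumptions based on the value formats shown in the examples above.

```python
import re

# Placeholder types from the "Message text" rows, mapped to patterns that
# match the value formats in the reference's examples (assumed, not vendor-defined).
PLACEHOLDERS = {
    "STRING": r".+?",  # may contain spaces, e.g. "chassis 1 slot 2"
    "IPADDR": r"\d{1,3}(?:\.\d{1,3}){3}",
    "MAC": r"[0-9A-Fa-f]{4}(?:-[0-9A-Fa-f]{4}){2}",
    "UINT16": r"\d{1,5}",
    "UINT32": r"\d{1,10}",
}

# Message text copied from the entries above, keyed by mnemonic.
TEMPLATES = {
    "ARP_BINDRULETOHW_FAILED": "Failed to download binding rule to hardware on the interface [STRING], SrcIP [IPADDR], SrcMAC [MAC], VLAN [UINT16], Gateway MAC [MAC].",
    "ARP_RATE_EXCEEDED": "The ARP packet rate ([UINT32] pps) exceeded the rate limit ([UINT32] pps) on interface [STRING] in the last [UINT32] seconds.",
    "ARP_SENDER_MAC_INVALID": "Sender MAC [STRING] was not identical to Ethernet source MAC [STRING] on interface [STRING].",
    "DUPIFIP": "Duplicate address [STRING] on interface [STRING], sourced from [STRING].",
}

HEADER = re.compile(r"([A-Z][A-Z0-9]*)/(\d)/([A-Z][A-Z0-9_]*):\s*(.*)$")


def compile_template(text):
    """Turn a message template into a regex with one group per $n field."""
    parts = re.split(r"\[([A-Z0-9]+)\]", text)
    # re.split with a capture group alternates literal text and placeholder names.
    return re.compile("".join(
        f"({PLACEHOLDERS[p]})" if i % 2 else re.escape(p)
        for i, p in enumerate(parts)))


COMPILED = {name: compile_template(t) for name, t in TEMPLATES.items()}


def parse_line(line):
    """Return module, severity, mnemonic and the ($1..$n) fields of one log line."""
    m = HEADER.search(line.strip())
    if not m:
        return None
    module, severity, mnemonic, body = m.groups()
    pattern = COMPILED.get(mnemonic)
    # fields stays None for an unknown mnemonic or a body that breaks the template.
    hit = pattern.fullmatch(body) if pattern else None
    return {"module": module, "severity": int(severity), "mnemonic": mnemonic,
            "fields": hit.groups() if hit else None}
```

A `fields` value of `None` on a known mnemonic means the body did not match the documented text, which is worth surfacing rather than silently dropping.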
ASPF messages
This section contains ASPF messages.
ASPF_IPV4_DNS
Message text |
SrcIPAddr(1003)=[IPADDR];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];RcvDSLiteTunnelPeer(1040)=[STRING];DomainName(1099)=[STRING];Action(1053)=[STRING];Reason(1056)=[STRING]. |
Variable fields |
$1: Source IPv4 address.
$2: Destination IPv4 address.
$3: VPN instance name.
$4: Local address of a DS-Lite tunnel.
$5: Domain name.
$6: Action on the detected illegal packets:
· drop: Drops illegal packets.
· logging: Generates log messages.
· none: Does not process the packets and allows illegal packets to pass.
$7: Reason why the message was generated:
· Invalid DNS RR.
· Failed to check DNS header flag.
· Failed to check DNS header ID. |
Severity level |
6 |
Example |
ASPF/6/ASPF_IPV4_DNS:SrcIPAddr(1003)=1.1.1.3;DstIPAddr(1007)=2.1.1.2;RcvVPNInstance(1042)=vpn;RcvDSLiteTunnelPeer(1040)=dstunnel1;DomainName(1099)=www.h3c.com;Action(1053)=drop,logging;Reason(1056)=Check DNS RR invalid. |
Explanation |
ASPF inspection for DNS is configured. The device takes a specific action on IPv4 packets that are determined to be illegal for a reason. |
Recommended action |
No action is required. |
ASPF_IPV6_DNS
Message text |
SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];RcvVPNInstance(1042)=[STRING];DomainName(1099)=[STRING];Action(1053)=[STRING];Reason(1056)=[STRING]. |
Variable fields |
$1: Source IPv6 address.
$2: Destination IPv6 address.
$3: VPN instance name.
$4: Domain name.
$5: Action on the detected illegal packets:
· drop: Drops illegal packets.
· logging: Generates log messages.
· none: Does not process the packet and allows illegal packets to pass.
$6: Reason why the message was generated:
· Invalid DNS RR.
· Failed to check DNS header flag.
· Failed to check DNS header ID. |
Severity level |
6 |
Example |
ASPF/6/ASPF_IPV6_DNS:SrcIPv6Addr(1036)=2001::1;DstIPv6Addr(1037)=3001::1;RcvVPNInstance(1042)=vpn;DomainName(1099)=www.h3c.com;Action(1053)=drop,logging;Reason(1056)=Check DNS RR invalid. |
Explanation |
ASPF inspection for DNS is configured. The device takes a specific action on IPv6 packets that are determined to be illegal for a reason. |
Recommended action |
No action is required. |
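Added example (not part of the H3C manual): the ASPF messages above, like the ATK messages that follow, carry their variable fields as `Key(ID)=value` pairs separated by semicolons, and this parser turns one such line into a dictionary for use in a log pipeline. The function name, the treatment of an empty value or `--` as "no value", and the `YYYYMMDDhhmmss` reading of the `BeginTime_c`/`EndTime_c` fields are assumptions drawn from the examples in this reference.

```python
import re
from datetime import datetime

HEADER = re.compile(r"([A-Z][A-Z0-9]*)/(\d)/([A-Z][A-Z0-9_]*):\s*(.*)$")
# Split only at a ';' that starts a new Key(ID)= pair, so a ';' inside a
# value (for example a logged domain name) does not truncate the field.
SEPARATOR = re.compile(r";(?=[A-Za-z_]\w*\(\d+\)=)")
FIELD = re.compile(r"([A-Za-z_]\w*)\((\d+)\)=(.*)", re.S)
TIME_FIELDS = {"BeginTime_c", "EndTime_c"}  # assumed format: YYYYMMDDhhmmss


def parse_kv_message(line):
    """Parse one Key(ID)=value log line into a dict, or None if not a log line."""
    m = HEADER.search(line.strip())
    if not m:
        return None
    module, severity, mnemonic, body = m.groups()
    if body.endswith("."):          # sentence-final period, not part of the value
        body = body[:-1]
    fields, ids, malformed = {}, {}, []
    for item in SEPARATOR.split(body):
        f = FIELD.fullmatch(item)
        if not f:
            malformed.append(item)  # keep unparsable chunks for review
            continue
        name, field_id, value = f.groups()
        ids[name] = int(field_id)
        if value in ("", "--"):     # assumption: both mean "no value"
            fields[name] = None
        elif name == "Action":      # e.g. "drop,logging"
            fields[name] = value.split(",")
        elif name in TIME_FIELDS:
            try:
                fields[name] = datetime.strptime(value, "%Y%m%d%H%M%S")
            except ValueError:      # keep the raw text and flag it
                fields[name] = value
                malformed.append(item)
        else:
            fields[name] = value
    return {"module": module, "severity": int(severity), "mnemonic": mnemonic,
            "fields": fields, "ids": ids, "malformed": malformed}
```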
ATK messages
This section contains attack detection and prevention messages.
ATK_ICMP_ADDRMASK_REQ
Message text |
IcmpType(1062)=[UINT32];RcvIfName(1023)=[STRING];SrcIPAddr(1003)=[IPADDR];SndDSLiteTunnelPeer(1041)=[STRING];DstIPAddr(1007)=[IPADDR];RcvVPNInstance(1042)=[STRING];Action(1053)=[STRING];BeginTime_c(1011)=[STRING];EndTime_c(1012)=[STRING];AtkTimes(1054)=[UINT32]. |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
Severity level |
5 |
Example |
ATK/5/ATK_ICMP_ADDRMASK_REQ:IcmpType(1062)=17;RcvIfName(1023)=Ethernet0/0/2;SrcIPAddr(1003)=9.1.1.1;SndDSLiteTunnelPeer(1041)=--;DstIPAddr(1007)=6.1.1.1;RcvVPNInstance(1042)=;Action(1053)=logging;BeginTime_c(1011)=20131011091319;EndTime_c(1012)=20131011091819;AtkTimes(1054)=2. |
Explanation |
This message is sent when ICMP address mask request logs are aggregated. |
Recommended action |