- Released At: 16-04-2021
- Page Views:
- Downloads:
- Table of Contents
- Related Documents
-
|
H3C S6300 Switch Series |
System Log Messages Reference |
|
|
Document version: 6W100-20210413
Copyright © 2021 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Contents
Managing and obtaining system log messages
Obtaining log messages from the console terminal
Obtaining log messages from a monitor terminal
Obtaining log messages from the log buffer
Obtaining log messages from the log file
Obtaining log messages from a log host
ARP_ACTIVE_ACK_NOREQUESTED_REPLY
ATKDF_ICMPV6_GROUPREDUCTION_RAW
ATKDF_IP4_TCP_INVALIDFLAGS_RAW
ATKDF_IP6_TCP_INVALIDFLAGS_RAW
ATKDF_IPOPT_STRICTSRCROUTE_RAW
BFD_MAD_INTERFACE_CHANGE_STATE
DOT1X_NOTENOUGH_EADFREERULE_RES
DOT1X_NOTENOUGH_EADMACREDIR_RES
DOT1X_NOTENOUGH_EADPORTREDIR_RES
DOT1X_NOTENOUGH_ENABLEDOT1X_RES
ETHOAM_CONNECTION_FAIL_TIMEOUT
ETHOAM_CONNECTION_FAIL_UNSATISF
ETHOAM_ENTER_LOOPBACK_CTRLLING
ETHOAM_LOCAL_ERROR_FRAME_PERIOD
ETHOAM_LOCAL_ERROR_FRAME_SECOND
ETHOAM_LOOPBACK_EXIT_ERROR_STATU
ETHOAM_REMOTE_ERROR_FRAME_PERIOD
ETHOAM_REMOTE_ERROR_FRAME_SECOND
FCOE_INTERFACE_NOTSUPPORT_FCOE
FCLINK_FDISC_REJECT_NORESOURCE
FCLINK_FLOGI_REJECT_NORESOURCE
FCOE_FIPS_HARD_RESOURCE_NOENOUGH
FCOE_FIPS_HARD_RESOURCE_RESTORE
IF_BUFFER_CONGESTION_OCCURRENCE
L2PT_CREATE_TUNNELGROUP_FAILED
LACP_MAD_INTERFACE_CHANGE_STATE
LAGG_INACTIVE_RESOURCE_INSUFICIE
OFP_FLOW_ADD_TABLE_MISS_FAILED
OFP_FLOW_DEL_TABLE_MISS_FAILED
OFP_FLOW_MOD_TABLE_MISS_FAILED
PFILTER_VLAN_IPV4_DACT_UNK_ERR
PFILTER_VLAN_IPV6_DACT_UNK_ERR
Introduction
This document includes the following system messages:
· Messages specific to Release 24xx of the device.
· Messages for the Comware 7 software platform version based on which Release 24xx was produced. Some platform system messages might not be available on the device.
This document is intended only for managing 6300 switches. Do not use this document for any other device models.
This document assumes that the readers are familiar with data communications technologies and H3C networking products.
System log message format
By default, the system log messages use one of the following formats depending on the output destination:
· Log host:
<PRI>TIMESTAMP Sysname %%vendorMODULE/severity/MNEMONIC: location; CONTENT
· Destinations except for the log host:
Prefix TIMESTAMP Sysname MODULE/severity/MNEMONIC: CONTENT
Table 1 System log message elements
Element |
Description |
<PRI> |
Priority identifier. It is calculated by using the following formula: Priority identifier=facilityx8+severity Where: · Facility is specified by using the info-center loghost command. A log host uses this parameter to identify log sources and filter log messages. · Severity represents the importance of the message. For more information about severity levels, see Table 2. |
Prefix |
Message type identifier. The element uses the following symbols to indicate message severity: · Percentage sign (%)—Informational and higher levels. · Asterisk (*)—Debug level. |
TIMESTAMP |
Date and time when the event occurred. The following are commands for configuring the timestamp format: · Log host—Use the info-center timestamp loghost command. · Non-log host destinations—Use the info-center timestamp command. |
Sysname |
Name or IP address of the device that generated the message. |
%%vendor |
Manufacturer flag. This element is %%10 for H3C. |
MODULE |
Name of the module that produced the message. |
severity |
Severity level of the message. (For more information about severity levels, see Table 2.) |
MNEMONIC |
Text string that uniquely identifies the system message. The maximum length is 32 characters. |
location |
Optional. This element presents location information for the message in the following format: -attribute1=x-attribute2=y…-attributeN=z This element is separated from the message description by using a semicolon (;). |
CONTENT |
Text string that contains detailed information about the event or error. For variable fields in this element, this document uses the representations in Table 3. |
System log messages are classified into eight severity levels from 0 to 7. The lower the number, the higher the severity.
Table 2 System log message severity levels
Level |
Severity |
Description |
0 |
Emergency |
The system is unusable. For example, the system authorization has expired. |
1 |
Alert |
Action must be taken immediately. For example, traffic on an interface exceeds the upper limit. |
2 |
Critical |
Critical condition. For example, the device temperature exceeds the upper limit, the power module fails, or the fan tray fails. |
3 |
Error |
Error condition. For example, the link state changes or a storage card is unplugged. |
4 |
Warning |
Warning condition. For example, an interface is disconnected, or the memory resources are used up. |
5 |
Notification |
Normal but significant condition. For example, a terminal logs in to the device, or the device reboots. |
6 |
Informational |
Informational message. For example, a command or a ping operation is executed. |
7 |
Debug |
Debugging message. |
For variable fields in the message text, this document uses the representations in Table 3. The values are case insensitive, even though the representations are uppercase letters.
Table 3 Variable field representations
Representation |
Information type |
INT16 |
Signed 16-bit decimal number. |
UINT16 |
Unsigned 16-bit decimal number. |
INT32 |
Signed 32-bit decimal number. |
UINT32 |
Unsigned 32-bit decimal number. |
INT64 |
Signed 64-bit decimal number. |
UINT64 |
Unsigned 64-bit decimal number. |
DOUBLE |
Two dot-separated signed 32-bit decimal numbers. The format is [INTEGER].[INTEGER]. |
HEX |
Hexadecimal number. |
CHAR |
Single character. |
STRING |
Character string. |
IPADDR |
IP address. |
MAC |
MAC address. |
DATE |
Date. |
TIME |
Time. |
Managing and obtaining system log messages
You can manage system log messages by using the information center.
By default, the information center is enabled. Log messages can be output to the console, log buffer, monitor terminal, log host, and log file.
To filter log messages, use the info-center source command to specify log output rules. A log output rule specifies the source modules and the lowest severity level of log messages that can be output to a destination. A log message is output if its severity level is higher than or equal to the specified level. For example, if you specify a severity level of 6 (informational), log messages that have a severity level from 0 to 6 are output.
For more information about using the information center, see the network management and monitoring configuration guide for the product.
Obtaining log messages from the console terminal
Access the device through the console port. Real-time log messages are displayed on the console terminal.
Obtaining log messages from a monitor terminal
Monitor terminals refer to terminals that access the device through the AUX, VTY, or TTY lines (for example, Telnet).
To display log messages on the monitor terminal, you must execute the terminal monitor command. The lowest level of log messages that can be displayed is determined by both the terminal logging level and info-center source commands.
The terminal monitor and terminal logging level commands take effect only for the current terminal session. To display log messages on the monitor terminal or filter displayed log messages by severity after a relogin, you must re-execute the commands.
Obtaining log messages from the log buffer
Use the display logbuffer command to display history log messages in the log buffer.
Obtaining log messages from the log file
By default, the log file feature automatically saves logs from the log file buffer to the log file every 24 hours. You can use the info-center logfile frequency command to change the automatic saving internal. To manually save logs to the log file, use the logfile save command.
The log file buffer is cleared each time a save operation is performed.
By default, you can obtain the log file from the cfa0:/logfile/ path if the CF card is not partitioned. If the CF card is partitioned, the file path is cfa1:/logfile/. To display the contents of the log file, use the more command.
Obtaining log messages from a log host
Use the info-center loghost command to specify the service port number and IP address of a log host. To specify multiple log hosts, repeat the command.
For a successful log message transmission, make sure the specified port number is the same as the port number used on the log host. The default service port number is 514.
Software module list
Table 4 lists all software modules that might produce system log messages.
Module name representation |
Module name expansion |
AAA |
Authentication, Authorization and Accounting |
ACL |
Access Control List |
APMGR |
Access Point Management |
ARP |
Address Resolution Protocol |
ATK |
Attack Detection and Prevention |
BFD |
Bidirectional Forwarding Detection |
BGP |
Border Gateway Protocol |
CFD |
Connectivity Fault Detection |
CFGMAN |
Configuration Management |
DEV |
Device Management |
DHCP |
Dynamic Host Configuration Protocol |
DHCPR |
DHCP relay agent |
DHCPS |
DHCP server |
DHCPS6 |
IPv6 DHCP server |
DHCPSP4 |
DHCP snooping |
DHCPSP6 |
IPv6 DHCP snooping |
DIAG |
Diagnosis |
DLDP |
Device Link Detection Protocol |
DOT1X |
802.1X |
ETHOAM |
Ethernet Operation, Administration and Maintenance |
EVB |
Edge Virtual Bridging |
EVIISIS |
Ethernet Virtual Interconnect Intermediate System-to-Intermediate System |
FILTER |
Filter |
FCOE |
Fibre Channel Over Ethernet |
FCLINK |
Fibre Channel Link |
FCZONE |
Fibre Channel Zone |
FIPS |
FIP Snooping |
FTPD |
File Transfer Protocol Daemon |
HA |
High Availability |
HTTPD |
Hypertext Transfer Protocol Daemon |
IFNET |
Interface Net Management |
IKE |
Internet Key Exchange |
IPSEC |
IP Security |
IPSG |
IP Source Guard |
IRDP |
ICMP Router Discovery Protocol |
ISIS |
Intermediate System-to-Intermediate System |
ISSU |
In-Service Software Upgrade |
L2PT |
Layer 2 Protocol Tunneling |
L2VPN |
Layer 2 VPN |
LAGG |
Link Aggregation |
LDP |
Label Distribution Protocol |
LLDP |
Link Layer Discovery Protocol |
LOAD |
Load Management |
LOGIN |
Login |
LPDT |
Loopback Detection |
LS |
Local Server |
LSPV |
LSP Verification |
MAC |
Media Access Control |
MACA |
MAC Authentication |
MACSEC |
MACsec |
MBFD |
MPLS BFD |
MDC |
Multitenant Device Context |
MFIB |
Multicast Forwarding Information Base |
MGROUP |
Mirroring group |
MPLS |
Multiprotocol Label Switching |
MSTP |
Multiple Spanning Tree Protocol |
MTLK |
Monitor Link |
ND |
Neighbor Discovery |
NQA |
Network Quality Analyzer |
NTP |
Network Time Protocol |
OFP |
OpenFlow |
OPTMOD |
Optical Module |
OSPF |
Open Shortest Path First |
OSPFV3 |
Open Shortest Path First Version 3 |
PBB |
Provider Backbone Bridge |
PBR |
Policy-Based Routing |
PEX |
Port Extender |
PFILTER |
Packet Filter |
PIM |
Protocol Independent Multicast |
PING |
Packet Internet Groper |
PKI |
Public Key Infrastructure |
PKT2CPU |
Packet to CPU |
PORTSEC |
Port Security |
PPP |
Point to Point Protocol |
PWDCTL |
Password Control |
QOS |
Quality of Service |
RADIUS |
Remote Authentication Dial In User Service |
RIP |
Routing Information Protocol |
RIPNG |
Routing Information Protocol Next Generation |
RM |
Routing Management |
SCM |
Service Control Manager |
Static CRLSP |
|
SFLOW |
Sampled FLOW |
SHELL |
Shell |
Static LSP |
|
SMLK |
Smart Link |
SNMP |
Simple Network Management Protocol |
SPBM |
Shortest Path Bridging MAC Mode |
SSHS |
Secure Shell Server |
STAMGR |
Station Management |
STM |
Stack Topology Management (IRF) |
STP |
Spanning Tree Protocol |
SYSEVENT |
System Event |
SYSLOG |
System Log |
TACACS |
Terminal Access Controller Access Control System |
TELNETD |
Telecom Munication Network Protocol Daemon |
TRILL |
Transparent Interconnect of Lots of Links |
VLAN |
Virtual Local Area Network |
VRRP |
Virtual Router Redundancy Protocol |
Using this document
This document categorizes system log messages by software modules. The modules are ordered alphabetically. For each module, the system log messages are also listed in alphabetic order of their mnemonic names.
This document explains messages in tables. Table 5 describes information provided in these tables.
Table 5 Message explanation table contents
Item |
Content |
Example |
Message text |
Presents the message description. |
ACL [UINT32] [STRING] [UINT64] packet(s). |
Variable fields |
Briefly describes the variable fields in the order that they appear in the message text. The variable fields are numbered in the "$Number" form to help you identify their location in the message text. |
$1: ACL number. $2: ID and content of an ACL rule. $3: Number of packets that matched the rule. |
Severity level |
Provides the severity level of the message. |
6 |
Example |
Provides a real message example. The examples do not include the "<PRI>TIMESTAMP Sysname %%vendor" part or the "Prefix TIMESTAMP Sysname" part, because information in this part varies with system settings. |
ACL/6/ACL_STATIS_INFO: ACL 2000 rule 0 permit source 1.1.1.1 0 logging 10000 packet(s). |
Explanation |
Explains the message, including the event or error cause. |
Number of packets that matched an ACL rule. This message is sent when the packet counter changes. |
Recommended action |
Provides recommended actions. For informational messages, no action is required. |
No action is required. |
AAA messages
This section contains AAA messages.
AAA_FAILURE
Message text |
-AAAType=[STRING]-AAADomain=[STRING]-Service=[STRING]-UserName=[STRING]; AAA failed. |
Variable fields |
$1: AAA type. $2: AAA scheme. $3: Service. $4: User name. |
Severity level |
5 |
Example |
AAA/5/AAA_FAILURE: -AAAType=AUTHOR-AAADomain=domain1-Service=login-UserName=cwf@system; AAA is failed. |
Explanation |
An AAA request was rejected. The following are the common reasons: · No response was received from the server. · The user name or password was incorrect. · The service type that the user applied for was incorrect. |
Recommended action |
1. Verify that the device is correctly connected to the server. 2. Enter the correct username and password. 3. Verify that the server settings are the same as the settings on the device. 4. If the problem persists, contact H3C Support. |
AAA_LAUNCH
Message text |
-AAAType=[STRING]-AAADomain=[STRING]-Service=[STRING]-UserName=[STRING]; AAA launched. |
Variable fields |
$1: AAA type. $2: AAA scheme. $3: Service. $4: User name. |
Severity level |
6 |
Example |
AAA/6/AAA_LAUNCH: -AAAType=AUTHEN-AAADomain=domain1-Service=login-UserName=cwf@system; AAA launched. |
Explanation |
An AAA request was received. |
Recommended action |
No action is required. |
AAA_SUCCESS
Message text |
-AAAType=[STRING]-AAADomain=[STRING]-Service=[STRING]-UserName=[STRING]; AAA is successful. |
Variable fields |
$1: AAA type. $2: AAA scheme. $3: Service. $4: User name. |
Severity level |
6 |
Example |
AAA/6/AAA_SUCCESS: -AAAType=AUTHOR-AAADomain=domain1-Service=login-UserName=cwf@system; AAA is successful. |
Explanation |
An AAA request was accepted. |
Recommended action |
No action is required. |
ACL messages
This section contains ACL messages.
ACL_IPV6_STATIS_INFO
Message text |
IPv6 ACL [UINT32] [STRING] [UINT64] packet(s). |
Variable fields |
$1: ACL number. $2: ID and content of an IPv6 ACL rule. $3: Number of packets that matched the rule. |
Severity level |
6 |
Example |
ACL6/6/ACL_IPV6_STATIS_INFO: IPv6 ACL 2000 rule 0 permit source 1:1::/64 logging 1000 packet(s). |
Explanation |
The number of packets matching the IPv6 ACL rule changed. |
Recommended action |
No action is required. |
ACL_NO_MEM
Message text |
Failed to configure [STRING] ACL [UINT] due to lack of memory. |
Variable fields |
$1: ACL version. $2: ACL number. |
Severity level |
3 |
Example |
ACL/3/ACL_NO_MEM: Failed to configure ACL 2001 due to lack of memory. |
Explanation |
Configuring the ACL failed because memory is insufficient. |
Recommended action |
Use the display memory-threshold command to check the memory usage. |
ACL_STATIS_INFO
Message text |
ACL [UINT32] [STRING] [UINT64] packet(s). |
Variable fields |
$1: ACL number. $2: ID and content of an IPv4 ACL rule. $3: Number of packets that matched the rule. |
Severity level |
6 |
Example |
ACL/6/ACL_STATIS_INFO: ACL 2000 rule 0 permit source 1.1.1.1 0 logging 10000 packet(s). |
Explanation |
The number of packets matching the IPv4 ACL rule changed. |
Recommended action |
No action is required. |
ACL_RESOURCE_INFO
Message text |
The [STRING]’s TCAM resource usage is [UINT32]% ([UINT32] entries used, totally [UINT32] entries), higher than threshold([UINT32]%) on chassis [UINT32] slot [UINT32]. |
Variable fields |
$1: Resource name: MAC, ROUTE, or ACL. $2: TCAM resource usage. $3: Number of TCAM entries used. $4: Total number of TCAM entries. $5: Resource usage threshold. $6: IRF member ID. $7: Slot ID. |
Severity level |
6 |
Example |
The ACL’s TCAM resource usage is 87%(87 entries used, totally 100 entries), higher than threshold(80%) on chassis 1 slot 2. |
Explanation |
The TCAM usage exceeded the threshold. |
Recommended action |
No action is required. |
APMGR messages
This section contains access point management messages.
APMGR_ADDBAC_INFO
Message text |
Add BAS AC [STRING]. |
Variable fields |
$1: MAC address of the BAS AC. |
Severity level |
6 |
Example |
APMGR/6/APMGR_ADDBAC_INFO: Add BAS AC 3ce5-a616-28cd. |
Explanation |
The BAS AC was connected to the master AC. |
Recommended action |
No action is required. |
APMGR_DELBAC_INFO
Message text |
Delete BAS AC [STRING]. |
Variable fields |
$1: MAC address of the BAS AC. |
Severity level |
6 |
Example |
APMGR/6/APMGR_DELBAC_INFO: Delete BAS AC 3ce5-a616-28cd. |
Explanation |
The BAS AC was disconnected from the master AC. |
Recommended action |
No action is required. |
ARP messages
This section contains ARP messages.
ARP_ACTIVE_ACK_NO_REPLY
Message text |
No ARP reply from IP [STRING] was received on interface [STRING] |
Variable fields |
$1: IP address. $2: Interface name. |
Severity level |
6 |
Example |
ARP/6/ARP_ACTIVE_ACK_NO_REPLY: No ARP reply from IP 192.168.10.1 was received on interface GigabitEthernet1/0/1. |
Explanation |
An attack was detected by ARP active acknowledgement. An interface sent an ARP request to the sender IP of a received ARP message, but did not receive an ARP reply. |
Recommended action |
Verify that the host that sends the ARP message is legitimate. |
ARP_ACTIVE_ACK_NOREQUESTED_REPLY
Message text |
Interface [STRING] received from IP [STRING] an ARP reply that was not requested by the device. |
Variable fields |
$1: Interface name. $2: IP address. |
Severity level |
6 |
Example |
ARP/6/ARP_ACTIVE_ACK_NOREQUESTED_REPLY: Interface GigabitEthernet1/0/1 received from IP 192.168.10.1 an ARP reply that was not requested by the device. |
Explanation |
The ARP active acknowledgement feature received an unsolicited ARP reply from a sender IP. This message indicates the risk of attacks. |
Recommended action |
No action is required. The device discards the ARP reply automatically. |
ARP_RATE_EXCEEDED
Message text |
The ARP packet rate ([UINT32] pps) exceeded the rate limit ([UINT32] pps) on interface [STRING] in the last [UINT32] seconds |
Variable fields |
$1: ARP packet rate. $2: ARP limit rate. $3: Interface name. $4: Interval time. |
Severity level |
4 |
Example |
ARP/4/ARP_RATE_EXCEEDED: The ARP packet rate (100 pps) exceeded the rate limit (80 pps) on interface GigabitEthernet1/0/1 in the last 10 seconds. |
Explanation |
An interface received ARP messages at a higher rate than the rate limit. |
Recommended action |
Verify that the host that sends the ARP packets is legitimate. |
ARP_SENDER_IP_INVALID
Message text |
Sender IP [STRING] was not on the same network as the receiving interface [STRING] |
Variable fields |
$1: IP address. $2: Interface name. |
Severity level |
6 |
Example |
ARP/6/ARP_SENDER_IP_INVALID: Sender IP 192.168.10.2 was not on the same network as the receiving interface GigabitEthernet1/0/1. |
Explanation |
The sender IP of a received ARP message was not on the same network as the receiving interface. |
Recommended action |
Verify that the host with the sender IP address is legitimate. |
ARP_SENDER_MAC_INVALID
Message text |
Sender MAC [STRING] was not identical to Ethernet source MAC [STRING] on interface [STRING] |
Variable fields |
$1: MAC address. $2: MAC address. $3: Interface name. |
Severity level |
6 |
Example |
ARP/6/ARP_SENDER_MAC_INVALID: Sender MAC 0000-5E14-0E00 was not identical to Ethernet source MAC 0000-5C14-0E00 on interface GigabitEthernet1/0/1. |
Explanation |
An interface received an ARP message. The sender MAC address in the message body was not identical to the source MAC address in the Ethernet header. |
Recommended action |
Verify that the host with the sender MAC address is legitimate. |
ARP_SENDER_SMACCONFLICT_VSI
Message text |
Packet was discarded because its sender MAC address was the MAC address of the receiving interface. Interface: [STRING], sender IP: [STRING], target IP: [STRING],VSI index: [UINT32], link ID: [UINT32]. |
Variable fields |
$1: Interface name. $2: Sender IP address. $3: Target IP address. $4: VSI index. $5: Link ID. |
Severity level |
6 |
Example |
ARP/6/ARP_SENDER_SMACCONFLICT_VSI: Packet discarded for the sender MAC address is the same as the receiving interface. Interface: VSI3 sender IP: 1.1.2.2 target IP: 1.1.2.1, VSI Index: 2, Link ID: 0 |
Explanation |
The device discarded an ARP packet from a VSI because the sender MAC address of the ARP packet is the same as the MAC address of the receiving interface. |
Recommended action |
No action is required. |
ARP_SENDER_SMACCONFLICT
Message text |
Packet was discarded because its sender MAC address was the MAC address of the receiving interface. Interface: [STRING], sender IP: [STRING], target IP: [STRING]. |
Variable fields |
$1: Interface name. $2: Sender IP address. $3: Target IP address. |
Severity level |
6 |
Example |
ARP/6/ARP_SENDER_SMACCONFLICT: Packet discarded for the sender MAC address is the same as the receiving interface. Interface: GE1/0/1 sender IP: 1.1.2.2 target IP: 1.1.2.1, |
Explanation |
The device discarded an ARP packet because the sender MAC address of the ARP packet is the same as the MAC address of the receiving interface. |
Recommended action |
No action is required. |
ARP_SRC_MAC_FOUND_ATTACK
Message text |
An attack from MAC [STRING] was detected on interface [STRING] |
Variable fields |
$1: MAC address. $2: Interface name. |
Severity level |
6 |
Example |
ARP/6/ARP_SRC_MAC_FOUND_ATTACK: An attack from MAC 0000-5E14-0E00 was detected on interface GigabitEthernet1/0/1. |
Explanation |
An attack was detected by source MAC-based ARP attack detection. The number of ARP packets that the device received from the same MAC address within 5 seconds exceeded the specified threshold. |
Recommended action |
Verify that the host with the source MAC address is legitimate. |
ARP_TARGET_IP_INVALID
Message text |
Target IP [STRING] was not the IP of the receiving interface [STRING] |
Variable fields |
$1: IP address. $2: Interface name. |
Severity level |
6 |
Example |
ARP/6/ARP_TARGET_IP_INVALID: Target IP 192.168.10.2 was not the IP of the receiving interface GigabitEthernet1/0/1. |
Explanation |
The target IP address of a received ARP message was not the IP address of the receiving interface. |
Recommended action |
Verify that the host that sends this ARP message is legitimate. |
DUPIFIP
Message text |
Duplicate address [STRING] on interface [STRING], sourced from [STRING] |
Variable fields |
$1: IP address. $2: Interface name. $3: MAC Address. |
Severity level |
6 |
Example |
ARP/6/DUPIFIP: Duplicate address 1.1.1.1 on interface GigabitEthernet1/0/1, sourced from 0015-E944-A947 |
Explanation |
A duplicate address was detected by ARP. The sender IP in a received ARP packet was being used by the receiving interface. |
Recommended action |
Modify the IP address configuration. |
DUPIP
Message text |
IP address [STRING] conflicts with global or imported IP address, sourced from [STRING] |
Variable fields |
$1: IP address. $2: MAC Address. |
Severity level |
6 |
Example |
ARP/6/DUPIP: IP address 30.1.1.1 conflicts with global or import IP address, sourced from 0000-0000-0001 |
Explanation |
The sender IP address of the received ARP packet conflicted with the global or imported IP address. |
Recommended action |
Modify the IP address configuration. |
DUPVRRPIP
Message text |
IP address [STRING] collision with VRRP virtual IP address on interface [STRING], sourced from [STRING] |
Variable fields |
$1: IP address. $2: Interface name. $3: MAC address. |
Severity level |
6 |
Example |
ARP/6/DUPVRRPIP: IP address 1.1.1.1 conflicts with VRRP virtual IP address on interface GigabitEthernet1/0/1, sourced from 0015-E944-A947 |
Explanation |
The sender IP address of the received ARP packet conflicted with the VRRP virtual IP address. |
Recommended action |
Modify the IP address configuration. |
ARP_SENDER_SMACCONFLICT
Message text |
Packet was discarded because its sender MAC address was the MAC address of the receiving interface. Interface: [STRING], sender IP: [STRING], target IP: [STRING]. |
Variable fields |
$1: Interface name. $2: Sender IP address. $3: Target IP address. |
Severity level |
6 |
Example |
ARP/6/ARP_SENDER_SMACCONFLICT: Packet discarded for the sender MAC address is the same as the receiving interface. Interface: GigabitEthernet1/0/1 sender IP: 1.1.2.2 target IP: 1.1.2.1, |
Explanation |
The sender MAC address of a received ARP packet conflicts with the MAC address of the device. |
Recommended action |
No action is required. |
ARP_SENDER_SMACCONFLICT_VSI
Message text |
Packet was discarded because its sender MAC address was the MAC address of the receiving interface. Interface: [STRING], sender IP: [STRING], target IP: [STRING],VSI index: [UINT32], link ID: [UINT32]. |
Variable fields |
$1: Interface name. $2: Sender IP address. $3: Target IP address. $4: VSI index. $5: Link ID. |
Severity level |
6 |
Example |
ARP/6/ ARP_SENDER_SMACCONFLICT_VSI: Packet discarded for the sender MAC address is the same as the receiving interface. Interface: VSI3 sender IP: 1.1.2.2 target IP: 1.1.2.1, VSI Index: 2, Link ID: 0 |
Explanation |
The sender MAC address of a received ARP packet conflicts with the MAC address of the device. The receiving interface is a VSI interface. |
Recommended action |
No action is required. |
ATK messages
This section contains attack detection and prevention messages.
ATKDF_ICMP_ADDRMASK_REQ
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_ADDRMASK_REQ: IcmpType(1058)=17; RcvIfName(1023)=GigabitEthernet1/0/1; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMP address mask request logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMP_ADDRMASK_REQ_RAW
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_ADDRMASK_REQ_RAW: IcmpType(1058)=17; RcvIfName(1023)=GigabitEthernet1/0/1; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMP address mask requests of the same attributes, this message is sent only when the first request is received. If log aggregation is disabled, this message is sent every time an ICMP address mask request is received. |
Recommended action |
No action is required. |
ATKDF_ICMP_ADDRMASK_RPL
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_ADDRMASK_RPL: IcmpType(1058)=18; RcvIfName(1023)=GigabitEthernet1/0/1; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMP address mask reply logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMP_ADDRMASK_RPL_RAW
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_ADDRMASK_RPL_RAW: IcmpType(1058)=18; RcvIfName(1023)=GigabitEthernet1/0/1; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMP address mask replies of the same attributes, this message is sent only when the first reply is received. If log aggregation is disabled, this message is sent every time an ICMP address mask reply is received. |
Recommended action |
No action is required. |
ATKDF_ICMP_ECHO_REQ
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_ECHO_REQ: IcmpType(1058)=8; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMP echo request logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMP_ECHO_REQ_RAW
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; DstPort(1004)=[UINT16]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Destination port number. $7: Name of the receiving VPN instance. $8: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_ECHO_REQ_RAW: IcmpType(1058)=8; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DstPort(1004)=22; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMP echo requests of the same attributes, this message is sent only when the first request is received. If log aggregation is disabled, this message is sent every time an ICMP echo request is received. |
Recommended action |
No action is required. |
ATKDF_ICMP_ECHO_RPL
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_ECHO_RPL: IcmpType(1058)=0; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMP echo reply logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMP_ECHO_RPL_RAW
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_ECHO_RPL_RAW: IcmpType(1058)=0; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMP echo replies of the same attributes, this message is sent only when the first reply is received. If log aggregation is disabled, this message is sent every time an ICMP echo reply is received. |
Recommended action |
No action is required. |
ATKDF_ICMP_FLOOD
Message text |
RcvIfName(1023)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; UpperLimit(1048)=[UINT32]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Destination IP address. $3: Name of the receiving VPN instance. $4: Rate limit. $5: Actions against the attack. $6: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_ICMP_FLOOD: RcvIfName(1023)=GigabitEthernet1/0/2; DstIPAddr(1007)=6.1.1.5; RcvVPNInstance(1041)=--; UpperLimit(1048)=10; Action(1049)=logging; BeginTime_c(1011)=20131009093351. |
Explanation |
This message is sent when the number of ICMP packets sent to a destination per second exceeds the rate limit. |
Recommended action |
No action is required. |
ATKDF_ICMP_INFO_REQ
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_INFO_REQ: IcmpType(1058)=15; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMP information request logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMP_INFO_REQ_RAW
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_INFO_REQ_RAW: IcmpType(1058)=15; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMP information requests of the same attributes, this message is sent only when the first request is received. If log aggregation is disabled, this message is sent every time an ICMP information request is received. |
Recommended action |
No action is required. |
ATKDF_ICMP_INFO_RPL
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_INFO_RPL: IcmpType(1058)=16; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMP information reply logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMP_INFO_RPL_RAW
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_INFO_RPL_RAW: IcmpType(1058)=16; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMP information replies of the same attributes, this message is sent only when the first reply is received. If log aggregation is disabled, this message is sent every time an ICMP information reply is received. |
Recommended action |
No action is required. |
ATKDF_ICMP_LARGE
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_ICMP_LARGE: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413; AtkTimes(1050)=2; |
Explanation |
This message is sent when large ICMP packet logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMP_LARGE_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_ICMP_LARGE_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for large ICMP packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a large ICMP packet is received. |
Recommended action |
No action is required. |
ATKDF_ICMP_PARAPROBLEM
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_PARAPROBLEM: IcmpType(1058)=12; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMP parameter problem logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMP_PARAPROBLEM_RAW
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_PARAPROBLEM_RAW: IcmpType(1058)=12; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMP parameter problem packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMP parameter problem packet is received. |
Recommended action |
No action is required. |
ATKDF_ICMP_PINGOFDEATH
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_ICMP_PINGOFDEATH: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for ICMP packets larger than 65535 bytes with the MF flag set to 0. |
Recommended action |
No action is required. |
ATKDF_ICMP_PINGOFDEATH_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_ICMP_PINGOFDEATH_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
This message is for the ping of death attack. The attack uses ICMP packets larger than 65535 bytes with the MF flag set to 0. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_ICMP_REDIRECT
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_REDIRECT: IcmpType(1058)=5; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMP redirect logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMP_REDIRECT_RAW
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_REDIRECT_RAW: IcmpType(1058)=5; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMP redirect packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMP redirect packet is received. |
Recommended action |
No action is required. |
ATKDF_ICMP_SMURF
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_ICMP_SMURF: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for ICMP echo requests whose destination IP address is one of the following addresses: · A broadcast or network address of A, B, or C class. · An IP address of D or E class. · The broadcast or network address of the network where the receiving interface resides. |
Recommended action |
No action is required. |
ATKDF_ICMP_SMURF_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_ICMP_SMURF_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
This message is for the smurf attack. The attack uses ICMP echo requests with the destination IP address being one of the following addresses: · A broadcast or network address of A, B, or C class. · An IP address of D or E class. · The broadcast or network address of the network where the receiving interface resides. If log aggregation is enabled, for requests of the same attributes, this message is sent only when the first request is received. If log aggregation is disabled, this message is sent every time a request is received. |
Recommended action |
No action is required. |
ATKDF_ICMP_SOURCEQUENCH
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_SOURCEQUENCH: IcmpType(1058)=4; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMP source quench logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMP_SOURCEQUENCH_RAW
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_SOURCEQUENCH_RAW: IcmpType(1058)=4; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMP source quench packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMP source quench packet is received. |
Recommended action |
No action is required. |
ATKDF_ICMP_TIMEEXCEED
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_TIMEEXCEED: IcmpType(1058)=11; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMP time exceeded logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMP_TIMEEXCEED_RAW
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_TIMEEXCEED_RAW: IcmpType(1058)=11; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMP time exceeded packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMP time exceeded packet is received. |
Recommended action |
No action is required. |
ATKDF_ICMP_TRACEROUTE
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_ICMP_TRACEROUTE: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for ICMP time exceeded packets of code 0. |
Recommended action |
No action is required. |
ATKDF_ICMP_TRACEROUTE_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_ICMP_TRACEROUTE_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMP time exceeded packets of code 0 of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMP time exceeded packet of code 0 is received. |
Recommended action |
No action is required. |
ATKDF_ICMP_TSTAMP_REQ
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_TSTAMP_REQ: IcmpType(1058)=13; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMP timestamp logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMP_TSTAMP_REQ_RAW
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_TSTAMP_REQ_RAW: IcmpType(1058)=13; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMP timestamp packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMP timestamp packet is received. |
Recommended action |
No action is required. |
ATKDF_ICMP_TSTAMP_RPL
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_TSTAMP_RPL: IcmpType(1058)=14; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMP timestamp reply logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMP_TSTAMP_RPL_RAW
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_TSTAMP_RPL_RAW: IcmpType(1058)=14; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMP timestamp replies of the same attributes, this message is sent only when the first reply is received. If log aggregation is disabled, this message is sent every time an ICMP timestamp reply is received. |
Recommended action |
No action is required. |
ATKDF_ICMP_TYPE
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_TYPE: IcmpType(1058)=38; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for user-defined ICMP packets. |
Recommended action |
No action is required. |
ATKDF_ICMP_TYPE_RAW
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_TYPE_RAW: IcmpType(1058)=38; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for user-defined ICMP packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a user-defined ICMP packet is received. |
Recommended action |
No action is required. |
ATKDF_ICMP_UNREACHABLE
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_UNREACHABLE: IcmpType(1058)=3; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMP destination unreachable logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMP_UNREACHABLE_RAW
Message text |
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMP message type. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMP_UNREACHABLE_RAW: IcmpType(1058)=3; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMP destination unreachable packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMP destination unreachable packet is received. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_DEST_UNREACH
Message text |
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMPV6_DEST_UNREACH: Icmpv6Type(1059)=133; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011100935; EndTime_c(1012)=20131011101435; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMPv6 destination unreachable logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_DEST_UNREACH_RAW
Message text |
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMPV6_DEST_UNREACH_RAW: Icmpv6Type(1059)=133; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMPv6 destination unreachable packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMPv6 destination unreachable packet is received. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_ECHO_REQ
Message text |
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMPV6_ECHO_REQ: Icmpv6Type(1059)=128; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011100935; EndTime_c(1012)=20131011101435; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMPv6 echo request logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_ECHO_REQ_RAW
Message text |
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMPV6_ECHO_REQ_RAW: Icmpv6Type(1059)=128; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMPv6 echo requests of the same attributes, this message is sent only when the first request is received. If log aggregation is disabled, this message is sent every time an ICMPv6 echo request is received. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_ECHO_RPL
Message text |
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMPV6_ECHO_RPL: Icmpv6Type(1059)=129; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011100935; EndTime_c(1012)=20131011101435; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMPv6 echo reply logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_ECHO_RPL_RAW
Message text |
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMPV6_ECHO_RPL_RAW: Icmpv6Type(1059)=129; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMPv6 echo replies of the same attributes, this message is sent only when the first reply is received. If log aggregation is disabled, this message is sent every time an ICMPv6 echo reply is received. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_FLOOD
Message text |
RcvIfName(1023)=[STRING]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; UpperLimit(1048)=[UINT32]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Destination IPv6 address. $3: Name of the receiving VPN instance. $4: Rate limit. $5: Actions against the attack. $6: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_ICMPV6_FLOOD: RcvIfName(1023)=GigabitEthernet1/0/2; DstIPv6Addr(1007)=2002::2; RcvVPNInstance(1041)=--; UpperLimit(1048)=10; Action(1049)=logging; BeginTime_c(1011)=20131009093351. |
Explanation |
This message is sent when the number of ICMPv6 packets sent to a destination per second exceeds the rate limit. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_GROUPQUERY
Message text |
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMPV6_GROUPQUERY: Icmpv6Type(1059)=130; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011100935; EndTime_c(1012)=20131011101435; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMPv6 multicast listener query logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_GROUPQUERY_RAW
Message text |
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMPV6_GROUPQUERY_RAW: Icmpv6Type(1059)=130; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMPv6 multicast listener queries of the same attributes, this message is sent only when the first query is received. If log aggregation is disabled, this message is sent every time an ICMPv6 multicast listener query is received. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_GROUPREDUCTION
Message text |
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMPV6_GROUPREDUCTION: Icmpv6Type(1059)=132; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011100935; EndTime_c(1012)=20131011101435; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMPv6 multicast listener done logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_GROUPREDUCTION_RAW
Message text |
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMPV6_GROUPREDUCTION_RAW: Icmpv6Type(1059)=132; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMPv6 multicast listener done packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMPv6 multicast listener done packet is received. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_GROUPREPORT
Message text |
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMPV6_GROUPREPORT: Icmpv6Type(1059)=131; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011100935; EndTime_c(1012)=20131011101435; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMPv6 multicast listener report logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_GROUPREPORT_RAW
Message text |
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMPV6_GROUPREPORT_RAW: Icmpv6Type(1059)=131; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMPv6 multicast listener reports of the same attributes, this message is sent only when the first report is received. If log aggregation is disabled, this message is sent every time an ICMPv6 multicast listener report is received. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_LARGE
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_ICMPV6_LARGE: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011100935; EndTime_c(1012)=20131011101435; AtkTimes(1050)=2; |
Explanation |
This message is sent when large ICMPv6 packet logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_LARGE_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_ICMPV6_LARGE_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for large ICMPv6 packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a large ICMPv6 packet is received. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_PACKETTOOBIG
Message text |
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMPV6_PACKETTOOBIG: Icmpv6Type(1059)=136; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011100935; EndTime_c(1012)=20131011101435; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMPv6 packet too big logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_PACKETTOOBIG_RAW
Message text |
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMPV6_PACKETTOOBIG_RAW: Icmpv6Type(1059)=136; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMPv6 packet too big packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMPv6 packet too big packet is received. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_PARAPROBLEM
Message text |
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMPV6_PARAPROBLEM: Icmpv6Type(1059)=135; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011100935; EndTime_c(1012)=20131011101435; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMPv6 parameter problem logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_PARAPROBLEM_RAW
Message text |
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMPV6_PARAPROBLEM_RAW: Icmpv6Type(1059)=135; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMPv6 parameter problem packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMPv6 parameter problem packet is received. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_TIMEEXCEED
Message text |
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMPV6_TIMEEXCEED: Icmpv6Type(1059)=134; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011100935; EndTime_c(1012)=20131011101435; AtkTimes(1050)=2; |
Explanation |
This message is sent when ICMPv6 time exceeded logs are aggregated. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_TIMEEXCEED_RAW
Message text |
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMPV6_TIMEEXCEED_RAW: Icmpv6Type(1059)=134; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for ICMPv6 time exceeded packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMPv6 time exceeded packet is received. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_TRACEROUTE
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_ICMPV6_TRACEROUTE: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011100935; EndTime_c(1012)=20131011101435; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for ICMPv6 time exceeded packets of code 0. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_TRACEROUTE_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_ICMPV6_TRACEROUTE_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011100935; EndTime_c(1012)=20131011101435; |
Explanation |
If log aggregation is enabled, for ICMPv6 time exceeded packets of code 0 of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an ICMPv6 time exceeded packet of code 0 is received. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_TYPE
Message text |
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMPV6_TYPE: Icmpv6Type(1059)=38; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011100935; EndTime_c(1012)=20131011101435; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for user-defined ICMPv6 packets. |
Recommended action |
No action is required. |
ATKDF_ICMPV6_TYPE_RAW
Message text |
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: ICMPv6 message type. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_ICMPV6_TYPE_RAW: Icmpv6Type(1059)=38; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for user-defined ICMPv6 packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a user-defined ICMPv6 packet is received. |
Recommended action |
No action is required. |
ATKDF_IP_OPTION
Message text |
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_IP_OPTION: IPOptValue(1057)=38; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging; BeginTime_c(1011)=20131011063123; EndTime_c(1012)=20131011063623; AtkTimes(1050)=3; |
Explanation |
This message is sent when logs are aggregated for packets with a user-defined IP option. |
Recommended action |
No action is required. |
ATKDF_IP_OPTION_RAW
Message text |
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_IP_OPTION_RAW: IPOptValue(1057)=38; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for packets with a user-defined IP option and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with a user-defined IP option is received. |
Recommended action |
No action is required. |
ATKDF_IP4_ACK_FLOOD
Message text |
RcvIfName(1023)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; UpperLimit(1048)=[UINT32]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Destination IP address. $3: Name of the receiving VPN instance. $4: Rate limit. $5: Actions against the attack. $6: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_ACK_FLOOD: RcvIfName(1023)=GigabitEthernet1/0/2; DstIPAddr(1007)=6.1.1.5; RcvVPNInstance(1041)=--; UpperLimit(1048)=10; Action(1049)=logging; BeginTime_c(1011)=20131009093351. |
Explanation |
This message is sent when the number of IPv4 ACK packets sent to a destination per second exceeds the rate limit. |
Recommended action |
No action is required. |
ATKDF_IP4_DIS_PORTSCAN
Message text |
RcvIfName(1023)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Destination IP address. $3: Name of the receiving VPN instance. $4: Actions against the attack. $5: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_DIS_PORTSCAN: RcvIfName(1023)=GigabitEthernet1/0/2; DstIPAddr(1007)=6.1.1.5; RcvVPNInstance(1041)=vpn1; Action(1049)=logging,block-source; BeginTime_c(1011)=20131009052955. |
Explanation |
This message is sent when an IPv4 distributed port scan attack is detected. |
Recommended action |
No action is required. |
ATKDF_IP4_DNS_FLOOD
Message text |
RcvIfName(1023)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; UpperLimit(1048)=[UINT32]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Destination IP address. $3: Name of the receiving VPN instance. $4: Rate limit. $5: Actions against the attack. $6: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_DNS_FLOOD: RcvIfName(1023)=GigabitEthernet1/0/2; DstIPAddr(1007)=6.1.1.5; RcvVPNInstance(1041)=--; UpperLimit(1048)=10; Action(1049)=logging; BeginTime_c(1011)=20131009093351. |
Explanation |
This message is sent when the number of IPv4 DNS queries sent to a destination per second exceeds the rate limit. |
Recommended action |
No action is required. |
ATKDF_IP4_FIN_FLOOD
Message text |
RcvIfName(1023)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; UpperLimit(1048)=[UINT32]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Destination IP address. $3: Name of the receiving VPN instance. $4: Rate limit. $5: Actions against the attack. $6: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_FIN_FLOOD: RcvIfName(1023)=GigabitEthernet1/0/2; DstIPAddr(1007)=6.1.1.5; RcvVPNInstance(1041)=--; UpperLimit(1048)=10; Action(1049)=logging; BeginTime_c(1011)=20131009093351. |
Explanation |
This message is sent when the number of IPv4 FIN packets sent to a destination per second exceeds the rate limit. |
Recommended action |
No action is required. |
ATKDF_IP4_FRAGMENT
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_FRAGMENT: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=TCP; Action(1049)=logging; BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413; AtkTimes(1050)=3; |
Explanation |
This message is sent when logs are aggregated for IPv4 packets with an offset smaller than 5 but bigger than 0. |
Recommended action |
No action is required. |
ATKDF_IP4_FRAGMENT_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_FRAGMENT_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=TCP; Action(1049)=logging; |
Explanation |
This message is for the IPv4 fragment attack. The attack uses IPv4 packets with an offset smaller than 5 but bigger than 0. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP4_HTTP_FLOOD
Message text |
RcvIfName(1023)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; UpperLimit(1048)=[UINT32]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Destination IP address. $3: Name of the receiving VPN instance. $4: Rate limit. $5: Actions against the attack. $6: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_HTTP_FLOOD: RcvIfName(1023)=GigabitEthernet1/0/2; DstIPAddr(1007)=6.1.1.5; RcvVPNInstance(1041)=--; UpperLimit(1048)=10; Action(1049)=logging; BeginTime_c(1011)=20131009093351. |
Explanation |
This message is sent when the number of IPv4 HTTP Get packets sent to a destination per second exceeds the rate limit. |
Recommended action |
No action is required. |
ATKDF_IP4_IMPOSSIBLE
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_IMPOSSIBLE: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=TCP; Action(1049)=logging; BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413; AtkTimes(1050)=3; |
Explanation |
This message is sent when logs are aggregated for IPv4 packets whose source IPv4 address is the same as the destination IPv4 address. |
Recommended action |
No action is required. |
ATKDF_IP4_IMPOSSIBLE_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_IMPOSSIBLE_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=TCP; Action(1049)=logging; |
Explanation |
This message is for the IPv4 impossible packet attack. The attack uses IPv4 packets whose source IPv4 address is the same as the destination IPv4 address. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP4_IPSWEEP
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_IPSWEEP: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.5; DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=vpn1; Action(1049)=logging,block-source; BeginTime_c(1011)=20131009060657. |
Explanation |
This message is sent when an IPv4 sweep attack is detected. |
Recommended action |
No action is required. |
ATKDF_IP4_PORTSCAN
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; RcvVPNInstance(1041)=[STRING]; DstIPAddr(1007)=[IPADDR]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Name of the receiving VPN instance. $5: Destination IP address. $6: Actions against the attack. $7: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_PORTSCAN: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.5; DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=vpn1; DstIPAddr(1007)=6.1.1.5; Action(1049)=logging,block-source; BeginTime_c(1011)=20131009052955. |
Explanation |
This message is sent when an IPv4 port scan attack is detected. |
Recommended action |
No action is required. |
ATKDF_IP4_RST_FLOOD
Message text |
RcvIfName(1023)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; UpperLimit(1048)=[UINT32]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Destination IP address. $3: Name of the receiving VPN instance. $4: Rate limit. $5: Actions against the attack. $6: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_RST_FLOOD: RcvIfName(1023)=GigabitEthernet1/0/2; DstIPAddr(1007)=6.1.1.5; RcvVPNInstance(1041)=--; UpperLimit(1048)=10; Action(1049)=logging; BeginTime_c(1011)=20131009093351. |
Explanation |
This message is sent when the number of IPv4 RST packets sent to a destination per second exceeds the rate limit. |
Recommended action |
No action is required. |
ATKDF_IP4_SYN_FLOOD
Message text |
RcvIfName(1023)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; UpperLimit(1048)=[UINT32]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Destination IP address. $3: Name of the receiving VPN instance. $4: Rate limit. $5: Actions against the attack. $6: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_SYN_FLOOD: RcvIfName(1023)=GigabitEthernet1/0/2; DstIPAddr(1007)=6.1.1.5; RcvVPNInstance(1041)=--; UpperLimit(1048)=10; Action(1049)=logging; BeginTime_c(1011)=20131009093351. |
Explanation |
This message is sent when the number of IPv4 SYN packets sent to a destination per second exceeds the rate limit. |
Recommended action |
No action is required. |
ATKDF_IP4_SYNACK_FLOOD
Message text |
RcvIfName(1023)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; UpperLimit(1048)=[UINT32]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Destination IP address. $3: Name of the receiving VPN instance. $4: Rate limit. $5: Actions against the attack. $6: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_SYNACK_FLOOD: RcvIfName(1023)=GigabitEthernet1/0/2; DstIPAddr(1007)=6.1.1.5; RcvVPNInstance(1041)=--; UpperLimit(1048)=10; Action(1049)=logging; BeginTime_c(1011)=20131009093351. |
Explanation |
This message is sent when the number of IPv4 SYN-ACK packets sent to a destination per second exceeds the rate limit. |
Recommended action |
No action is required. |
ATKDF_IP4_TCP_ALLFLAGS
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_TCP_ALLFLAGS: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413; AtkTimes(1050)=3; |
Explanation |
This message is sent when logs are aggregated for IPv4 TCP packets that have all flags set. |
Recommended action |
No action is required. |
ATKDF_IP4_TCP_ALLFLAGS_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_TCP_ALLFLAGS_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
This message is for IPv4 TCP packets that have all flags set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP4_TCP_FINONLY
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_TCP_FINONLY: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413; AtkTimes(1050)=3; |
Explanation |
This message is sent when logs are aggregated for IPv4 TCP packets that have only the FIN flag set. |
Recommended action |
No action is required. |
ATKDF_IP4_TCP_FINONLY_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_TCP_FINONLY_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
This message is for IPv4 TCP packets that have only the FIN flag set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP4_TCP_INVALIDFLAGS
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_TCP_INVALIDFLAGS: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413; AtkTimes(1050)=3; |
Explanation |
This message is sent when logs are aggregated for IPv4 TCP packets that have invalid flag settings. Invalid flag settings include the following: · The RST and FIN flags are both set. · The RST and SYN flags are both set. · The RST, FIN, and SYN flags are all set. · The PSH, RST, and FIN flags are all set. · The PSH, RST, and SYN flags are all set. · The PSH, RST, SYN, and FIN flags are all set. · The ACK, RST, and FIN flags are all set. · The ACK, RST, and SYN flags are all set. · The ACK, RST, SYN, and FIN flags are all set. · The ACK, PSH, SYN, and FIN flags are all set. · The ACK, PSH, RST, and FIN flags are all set. · The ACK, PSH, RST, and SYN flags are all set. |
Recommended action |
No action is required. |
ATKDF_IP4_TCP_INVALIDFLAGS_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_TCP_INVALIDFLAGS_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
This message is for IPv4 TCP packets that have invalid flag settings. Invalid flag settings include the following: · The RST and FIN flags are both set. · The RST and SYN flags are both set. · The RST, FIN, and SYN flags are all set. · The PSH, RST, and FIN flags are all set. · The PSH, RST, and SYN flags are all set. · The PSH, RST, SYN, and FIN flags are all set. · The ACK, RST, and FIN flags are all set. · The ACK, RST, and SYN flags are all set. · The ACK, RST, SYN, and FIN flags are all set. · The ACK, PSH, SYN, and FIN flags are all set. · The ACK, PSH, RST, and FIN flags are all set. · The ACK, PSH, RST, and SYN flags are all set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP4_TCP_LAND
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_TCP_LAND: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413; AtkTimes(1050)=3; |
Explanation |
This message is sent when logs are aggregated for IPv4 TCP SYN packets whose source IP address is a loopback address or the same as the destination IP address. |
Recommended action |
No action is required. |
ATKDF_IP4_TCP_LAND_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_TCP_LAND_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
This message is for the IPv4 land attack. The attack uses IPv4 TCP SYN packets whose source IP address is a loopback address or the same as the destination IP address. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP4_TCP_NULLFLAG
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_TCP_NULLFLAG: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413; AtkTimes(1050)=4; |
Explanation |
This message is sent when logs are aggregated for IPv4 TCP packets that have no flag set. |
Recommended action |
No action is required. |
ATKDF_IP4_TCP_NULLFLAG_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_TCP_NULLFLAG_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
This message is for IPv4 TCP packets that have no flag set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP4_TCP_SYNFIN
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_TCP_SYNFIN: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for IPv4 TCP packets that have SYN and FIN flags set. |
Recommended action |
No action is required. |
ATKDF_IP4_TCP_SYNFIN_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_TCP_SYNFIN_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
This message is for IPv4 TCP packets that have SYN and FIN flags set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP4_TCP_WINNUKE
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_TCP_WINNUKE: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413; AtkTimes(1050)=5; |
Explanation |
This message is sent when logs are aggregated for IPv4 TCP packets with destination port 139, the URG flag set, and a nonzero Urgent Pointer. |
Recommended action |
No action is required. |
ATKDF_IP4_TCP_WINNUKE_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_TCP_WINNUKE_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
This message is for the IPv4 WinNuke attack. The attack uses IPv4 TCP packets with destination port 139, the URG flag set, and a nonzero Urgent Pointer. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP4_TEARDROP
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_TEARDROP: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=TCP; Action(1049)=logging; BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413; AtkTimes(1050)=3; |
Explanation |
This message is sent when logs are aggregated for IPv4 overlapping fragments. |
Recommended action |
No action is required. |
ATKDF_IP4_TEARDROP_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_TEARDROP_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=TCP; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for IPv4 overlapping fragments of the same attributes, this message is sent only when the first overlapping fragment is received. If log aggregation is disabled, this message is sent every time an IPv4 overlapping fragment is received. |
Recommended action |
No action is required. |
ATKDF_IP4_TINY_FRAGMENT
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_TINY_FRAGMENT: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=TCP; Action(1049)=logging; BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413; AtkTimes(1050)=6; |
Explanation |
This message is sent when logs are aggregated for IPv4 packets with a datagram smaller than 68 bytes and the MF flag set. |
Recommended action |
No action is required. |
ATKDF_IP4_TINY_FRAGMENT_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_TINY_FRAGMENT_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=TCP; Action(1049)=logging; |
Explanation |
This message is for the IPv4 tiny fragment attack. The attack uses IPv4 packets with a datagram smaller than 68 bytes and the MF flag set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP4_UDP_BOMB
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_UDP_BOMB: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for IPv4 UDP packets in which the length value in the IP header is larger than the IP header length plus the length in the UDP header. |
Recommended action |
No action is required. |
ATKDF_IP4_UDP_BOMB_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_UDP_BOMB_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
This message is for IPv4 UDP bomb attack. The attack uses IPv4 UDP packets in which the length value in the IP header is larger than the IP header length plus the length in the UDP header. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP4_UDP_FLOOD
Message text |
RcvIfName(1023)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; UpperLimit(1048)=[UINT32]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Destination IP address. $3: Name of the receiving VPN instance. $4: Rate limit. $5: Actions against the attack. $6: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_UDP_FLOOD: RcvIfName(1023)=GigabitEthernet1/0/2; DstIPAddr(1007)=6.1.1.5; RcvVPNInstance(1041)=--; UpperLimit(1048)=10; Action(1049)=logging; BeginTime_c(1011)=20131009093351. |
Explanation |
This message is sent when the number of IPv4 UDP packets sent to a destination per second exceeds the rate limit. |
Recommended action |
No action is required. |
ATKDF_IP4_UDP_FRAGGLE
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_UDP_FRAGGLE: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413; AtkTimes(1050)=11; |
Explanation |
This message is sent when logs are aggregated for IPv4 UDP packets with source port 7 and destination port 19. |
Recommended action |
No action is required. |
ATKDF_IP4_UDP_FRAGGLE_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_UDP_FRAGGLE_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
This message is for IPv4 UDP fraggle attack. The attack uses IPv4 UDP packets with source port 7 and destination port 19. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP4_UDP_SNORK
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_UDP_SNORK: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for IPv4 UDP packets with source port 7, 19, or 135, and destination port 135. |
Recommended action |
No action is required. |
ATKDF_IP4_UDP_SNORK_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP4_UDP_SNORK_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
This message is for IPv4 UDP snork attack. The attack uses IPv4 UDP packets with source port 7, 19, or 135, and destination port 135. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP6_ACK_FLOOD
Message text |
RcvIfName(1023)=[STRING]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; UpperLimit(1048)=[UINT32]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Destination IPv6 address. $3: Name of the receiving VPN instance. $4: Rate limit. $5: Actions against the attack. $6: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_ACK_FLOOD: RcvIfName(1023)=GigabitEthernet1/0/2; DstIPv6Addr(1037)=2::2; RcvVPNInstance(1041)=--; UpperLimit(1048)=10; Action(1049)=logging; BeginTime_c(1011)=20131009100434. |
Explanation |
This message is sent when the number of IPv6 ACK packets sent to a destination per second exceeds the rate limit. |
Recommended action |
No action is required. |
ATKDF_IP6_DIS_PORTSCAN
Message text |
RcvIfName(1023)=[STRING]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Destination IPv6 address. $3: Name of the receiving VPN instance. $4: Actions against the attack. $5: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_DIS_PORTSCAN: RcvIfName(1023)=GigabitEthernet1/0/2; DstIPv6Addr(1037)=2::2; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131009100928. |
Explanation |
This message is sent when an IPv6 distributed port scan attack is detected. |
Recommended action |
No action is required. |
ATKDF_IP6_DNS_FLOOD
Message text |
RcvIfName(1023)=[STRING]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; UpperLimit(1048)=[UINT32]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Destination IPv6 address. $3: Name of the receiving VPN instance. $4: Rate limit. $5: Actions against the attack. $6: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_DNS_FLOOD: RcvIfName(1023)=GigabitEthernet1/0/2; DstIPv6Addr(1037)=2::2; RcvVPNInstance(1041)=--; UpperLimit(1048)=10; Action(1049)=logging; BeginTime_c(1011)=20131009100434. |
Explanation |
This message is sent when the number of IPv6 DNS queries sent to a destination per second exceeds the rate limit. |
Recommended action |
No action is required. |
ATKDF_IP6_FIN_FLOOD
Message text |
RcvIfName(1023)=[STRING]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; UpperLimit(1048)=[UINT32]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Destination IPv6 address. $3: Name of the receiving VPN instance. $4: Rate limit. $5: Actions against the attack. $6: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_FIN_FLOOD: RcvIfName(1023)=GigabitEthernet1/0/2; DstIPv6Addr(1037)=2::2; RcvVPNInstance(1041)=--; UpperLimit(1048)=10; Action(1049)=logging; BeginTime_c(1011)=20131009100434. |
Explanation |
This message is sent when the number of IPv6 FIN packets sent to a destination per second exceeds the rate limit. |
Recommended action |
No action is required. |
ATKDF_IP6_FRAGMENT
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Protocol type. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_FRAGMENT: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=1::1; RcvVPNInstance(1041)=--; Protocol(1001)=IPv6-ICMP; Action(1049)=logging; BeginTime_c(1011)=20131011103335; EndTime_c(1012)=20131011103835; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for IPv6 packets with an offset smaller than 5 but bigger than 0. |
Recommended action |
No action is required. |
ATKDF_IP6_FRAGMENT_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Protocol type. $6: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_FRAGMENT_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=1::1; RcvVPNInstance(1041)=--; Protocol(1001)=IPv6-ICMP; Action(1049)=logging; |
Explanation |
This message is for the IPv6 fragment attack. The attack uses IPv6 packets with an offset smaller than 5 but bigger than 0. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP6_HTTP_FLOOD
Message text |
RcvIfName(1023)=[STRING]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; UpperLimit(1048)=[UINT32]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Destination IPv6 address. $3: Name of the receiving VPN instance. $4: Rate limit. $5: Actions against the attack. $6: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_HTTP_FLOOD: RcvIfName(1023)=GigabitEthernet1/0/2; DstIPv6Addr(1037)=2::2; RcvVPNInstance(1041)=--; UpperLimit(1048)=10; Action(1049)=logging; BeginTime_c(1011)=20131009100434. |
Explanation |
This message is sent when the number of IPv6 HTTP Get packets sent to a destination per second exceeds the rate limit. |
Recommended action |
No action is required. |
ATKDF_IP6_IMPOSSIBLE
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Protocol type. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_IMPOSSIBLE: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=1::1; RcvVPNInstance(1041)=--; Protocol(1001)=IPv6-ICMP; Action(1049)=logging; BeginTime_c(1011)=20131011103335; EndTime_c(1012)=20131011103835; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for IPv6 packets whose source IPv6 address is the same as the destination IPv6 address. |
Recommended action |
No action is required. |
ATKDF_IP6_IMPOSSIBLE_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Protocol type. $6: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_IMPOSSIBLE_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=1::1; RcvVPNInstance(1041)=--; Protocol(1001)=IPv6-ICMP; Action(1049)=logging; |
Explanation |
This message is for the IPv6 impossible packet attack. The attack uses IPv6 packets whose source IPv6 address is the same as the destination IPv6 address. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP6_IPSWEEP
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Name of the receiving VPN instance. $4: Actions against the attack. $5: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_IPSWEEP: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=1::5; RcvVPNInstance(1041)=--; Action(1049)=logging,block-source; BeginTime_c(1011)=20131009100639. |
Explanation |
This message is sent when an IPv6 sweep attack is detected. |
Recommended action |
No action is required. |
ATKDF_IP6_PORTSCAN
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; DstIPv6Addr(1037)=[IPADDR]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Name of the receiving VPN instance. $4: Destination IPv6 address. $5: Actions against the attack. $6: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_PORTSCAN: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=1::5; RcvVPNInstance(1041)=--; DstIPv6Addr(1037)=2::2; Action(1049)=logging,block-source; BeginTime_c(1011)=20131009100455. |
Explanation |
This message is sent when an IPv6 port scan attack is detected. |
Recommended action |
No action is required. |
ATKDF_IP6_RST_FLOOD
Message text |
RcvIfName(1023)=[STRING]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; UpperLimit(1048)=[UINT32]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Destination IPv6 address. $3: Name of the receiving VPN instance. $4: Rate limit. $5: Actions against the attack. $6: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_RST_FLOOD: RcvIfName(1023)=GigabitEthernet1/0/2; DstIPv6Addr(1037)=2::2; RcvVPNInstance(1041)=--; UpperLimit(1048)=10; Action(1049)=logging; BeginTime_c(1011)=20131009100434. |
Explanation |
This message is sent when the number of IPv6 RST packets sent to a destination per second exceeds the rate limit. |
Recommended action |
No action is required. |
ATKDF_IP6_SYN_FLOOD
Message text |
RcvIfName(1023)=[STRING]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; UpperLimit(1048)=[UINT32]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Destination IPv6 address. $3: Name of the receiving VPN instance. $4: Rate limit. $5: Actions against the attack. $6: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_SYN_FLOOD: RcvIfName(1023)=GigabitEthernet1/0/2; DstIPv6Addr(1037)=2::2; RcvVPNInstance(1041)=--; UpperLimit(1048)=10; Action(1049)=logging; BeginTime_c(1011)=20131009100434. |
Explanation |
This message is sent when the number of IPv6 SYN packets sent to a destination per second exceeds the rate limit. |
Recommended action |
No action is required. |
ATKDF_IP6_SYNACK_FLOOD
Message text |
RcvIfName(1023)=[STRING]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; UpperLimit(1048)=[UINT32]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Destination IPv6 address. $3: Name of the receiving VPN instance. $4: Rate limit. $5: Actions against the attack. $6: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_SYNACK_FLOOD: RcvIfName(1023)=GigabitEthernet1/0/2; DstIPv6Addr(1037)=2::2; RcvVPNInstance(1041)=--; UpperLimit(1048)=10; Action(1049)=logging; BeginTime_c(1011)=20131009100434. |
Explanation |
This message is sent when the number of IPv6 SYN-ACK packets sent to a destination per second exceeds the rate limit. |
Recommended action |
No action is required. |
ATKDF_IP6_TCP_ALLFLAGS
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_TCP_ALLFLAGS: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131009103631; EndTime_c(1012)=20131009104131; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for IPv6 TCP packets that have all flags set. |
Recommended action |
No action is required. |
ATKDF_IP6_TCP_ALLFLAGS_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_TCP_ALLFLAGS_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=2000::1; DstIPv6Addr(1037)=2003::200; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
This message is for IPv6 TCP packets that have all flags set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP6_TCP_FINONLY
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_TCP_FINONLY: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131009103631; EndTime_c(1012)=20131009104131; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for IPv6 TCP packets that have only the FIN flag set. |
Recommended action |
No action is required. |
ATKDF_IP6_TCP_FINONLY_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_TCP_FINONLY_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=2000::1; DstIPv6Addr(1037)=2003::200; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
This message is for IPv6 TCP packets that have only the FIN flag set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP6_TCP_INVALIDFLAGS
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_TCP_INVALIDFLAGS: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131009103631; EndTime_c(1012)=20131009104131; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for IPv6 TCP packets that have invalid flag settings. Invalid flag settings include the following: · The RST and FIN flags are both set. · The RST and SYN flags are both set. · The RST, FIN, and SYN flags are all set. · The PSH, RST, and FIN flags are all set. · The PSH, RST, and SYN flags are all set. · The PSH, RST, SYN, and FIN flags are all set. · The ACK, RST, and FIN flags are all set. · The ACK, RST, and SYN flags are all set. · The ACK, RST, SYN, and FIN flags are all set. · The ACK, PSH, SYN, and FIN flags are all set. · The ACK, PSH, RST, and FIN flags are all set. · The ACK, PSH, RST, and SYN flags are all set. |
Recommended action |
No action is required. |
ATKDF_IP6_TCP_INVALIDFLAGS_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_TCP_INVALIDFLAGS_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=2000::1; DstIPv6Addr(1037)=2003::200; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
This message is for IPv6 TCP packets that have invalid flag settings. Invalid flag settings include the following: · The RST and FIN flags are both set. · The RST and SYN flags are both set. · The RST, FIN, and SYN flags are all set. · The PSH, RST, and FIN flags are all set. · The PSH, RST, and SYN flags are all set. · The PSH, RST, SYN, and FIN flags are all set. · The ACK, RST, and FIN flags are all set. · The ACK, RST, and SYN flags are all set. · The ACK, RST, SYN, and FIN flags are all set. · The ACK, PSH, SYN, and FIN flags are all set. · The ACK, PSH, RST, and FIN flags are all set. · The ACK, PSH, RST, and SYN flags are all set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP6_TCP_LAND
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_TCP_LAND: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131009103631; EndTime_c(1012)=20131009104131; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for IPv6 TCP SYN packets whose source IPv6 address is a loopback address or the same as the destination IPv6 address. |
Recommended action |
No action is required. |
ATKDF_IP6_TCP_LAND_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_TCP_LAND_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=2000::1; DstIPv6Addr(1037)=2003::200; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
This message is for the IPv6 land attack. The attack uses IPv6 TCP SYN packets whose source IPv6 address is a loopback address or the same as the destination IPv6 address. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP6_TCP_NULLFLAG
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_TCP_NULLFLAG: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131009103631; EndTime_c(1012)=20131009104131; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for IPv6 TCP packets that have no flag set. |
Recommended action |
No action is required. |
ATKDF_IP6_TCP_NULLFLAG_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_TCP_NULLFLAG_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=2000::1; DstIPv6Addr(1037)=2003::200; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
This message is for IPv6 TCP packets that have no flag set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP6_TCP_SYNFIN
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_TCP_SYNFIN: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131009103631; EndTime_c(1012)=20131009104131; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for IPv6 TCP packets that have SYN and FIN flags set. |
Recommended action |
No action is required. |
ATKDF_IP6_TCP_SYNFIN_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_TCP_SYNFIN_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=2000::1; DstIPv6Addr(1037)=2003::200; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
This message is for IPv6 TCP packets that have SYN and FIN flags set. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP6_TCP_WINNUKE
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_TCP_WINNUKE: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131009103631; EndTime_c(1012)=20131009104131; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for IPv6 TCP packets with destination port 139, the URG flag set, and a nonzero Urgent Pointer. |
Recommended action |
No action is required. |
ATKDF_IP6_TCP_WINNUKE_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_TCP_WINNUKE_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
This message is for the IPv6 WinNuke attack. The attack uses IPv6 TCP packets with destination port 139, the URG flag set, and a nonzero Urgent Pointer. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP6_UDP_FLOOD
Message text |
RcvIfName(1023)=[STRING]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; UpperLimit(1048)=[UINT32]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]. |
Variable fields |
$1: Receiving interface name. $2: Destination IPv6 address. $3: Name of the receiving VPN instance. $4: Rate limit. $5: Actions against the attack. $6: Start time of the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_UDP_FLOOD: RcvIfName(1023)=GigabitEthernet1/0/2; DstIPv6Addr(1037)=2::2; RcvVPNInstance(1041)=--; UpperLimit(1048)=10; Action(1049)=logging; BeginTime_c(1011)=20131009100434. |
Explanation |
This message is sent when the number of IPv6 UDP packets sent to a destination per second exceeds the rate limit. |
Recommended action |
No action is required. |
ATKDF_IP6_UDP_FRAGGLE
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_UDP_FRAGGLE: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131009103631; EndTime_c(1012)=20131009104131; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for IPv6 UDP packets with source port 7 and destination port 19. |
Recommended action |
No action is required. |
ATKDF_IP6_UDP_FRAGGLE_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_UDP_FRAGGLE_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
This message is for IPv6 UDP fraggle attack. The attack uses IPv6 UDP packets with source port 7 and destination port 19. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IP6_UDP_SNORK
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. $6: Start time of the attack. $7: End time of the attack. $8: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_UDP_SNORK: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131009103631; EndTime_c(1012)=20131009104131; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for IPv6 UDP packets with source port 7, 19, or 135, and destination port 135. |
Recommended action |
No action is required. |
ATKDF_IP6_UDP_SNORK_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IPv6 address. $3: Destination IPv6 address. $4: Name of the receiving VPN instance. $5: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IP6_UDP_SNORK_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
This message is for IPv6 UDP snork attack. The attack uses IPv6 UDP packets with source port 7, 19, or 135, and port 135. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet is received. |
Recommended action |
No action is required. |
ATKDF_IPOPT_ABNORMAL
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. $8: Start time of the attack. $9: End time of the attack. $10: Attack times. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IPOPT_ABNORMAL: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging; BeginTime_c(1011)=20131011072002; EndTime_c(1012)=20131011072502; AtkTimes(1050)=3; |
Explanation |
This message is sent when logs are aggregated for packets with more than two IP options. |
Recommended action |
No action is required. |
ATKDF_IPOPT_ABNORMAL_RAW
Message text |
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Source IP address. $3: IP address of the peer DS-Lite tunnel interface. $4: Destination IP address. $5: Name of the receiving VPN instance. $6: Protocol type. $7: Actions against the attack. |
Severity level |
3 |
Example |
ATTACK/3/ATKDF_IPOPT_ABNORMAL_RAW: RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging; |
Explanation |
This message is for packets that each has more than two IP options. If log aggregation is enabled, for packets of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with more than two IP options is received. |
Recommended action |
No action is required. |
ATKDF_IPOPT_LOOSESRCROUTE
Message text |
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)= [UINT32]; |
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_IPOPT_LOOSESRCROUTE: IPOptValue(1057)=131; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging; BeginTime_c(1011)=20131011063123; EndTime_c(1012)=20131011063623; AtkTimes(1050)=3; |
Explanation |
This message is sent when logs are aggregated for packets with IP option 131. |
Recommended action |
No action is required. |
ATKDF_IPOPT_LOOSESRCROUTE_RAW
Message text |
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_IPOPT_LOOSESRCROUTE_RAW: IPOptValue(1057)=131; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for packets with IP option 131 and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with IP option 131 is received. |
Recommended action |
No action is required. |
ATKDF_IPOPT_RECORDROUTE
Message text |
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_IPOPT_RECORDROUTE: IPOptValue(1057)=7; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging; BeginTime_c(1011)=20131011063123; EndTime_c(1012)=20131011063623; AtkTimes(1050)=3; |
Explanation |
This message is sent when logs are aggregated for packets with IP option 7. |
Recommended action |
No action is required. |
ATKDF_IPOPT_RECORDROUTE_RAW
Message text |
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_IPOPT_RECORDROUTE_RAW: IPOptValue(1057)=7; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for packets with IP option 7 and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with IP option 7 is received. |
Recommended action |
No action is required. |
ATKDF_IPOPT_ROUTEALERT
Message text |
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_IPOPT_ROUTEALERT: IPOptValue(1057)=148; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging; BeginTime_c(1011)=20131011063123; EndTime_c(1012)=20131011063623; AtkTimes(1050)=3; |
Explanation |
This message is sent when logs are aggregated for packets with IP option 148. |
Recommended action |
No action is required. |
ATKDF_IPOPT_ROUTEALERT_RAW
Message text |
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_IPOPT_ROUTEALERT_RAW: IPOptValue(1057)=148; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for packets with IP option 148 and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with IP option 148 is received. |
Recommended action |
No action is required. |
ATKDF_IPOPT_SECURITY
Message text |
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_IPOPT_SECURITY: IPOptValue(1057)=130; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging; BeginTime_c(1011)=20131009091022; EndTime_c(1012)=20131009091522; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for packets with IP option 130. |
Recommended action |
No action is required. |
ATKDF_IPOPT_SECURITY_RAW
Message text |
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_IPOPT_SECURITY_RAW: IPOptValue(1057)=130; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for packets with IP option 130 and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with IP option 130 is received. |
Recommended action |
No action is required. |
ATKDF_IPOPT_STREAMID
Message text |
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_IPOPT_STREAMID: IPOptValue(1057)=136; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging; BeginTime_c(1011)=20131011063123; EndTime_c(1012)=20131011063623; AtkTimes(1050)=3; |
Explanation |
This message is sent when logs are aggregated for packets with IP option 136. |
Recommended action |
No action is required. |
ATKDF_IPOPT_STREAMID_RAW
Message text |
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_IPOPT_STREAMID_RAW: IPOptValue(1057)=136; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for packets with IP option 136 and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with IP option 136 is received. |
Recommended action |
No action is required. |
ATKDF_IPOPT_STRICTSRCROUTE
Message text |
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_IPOPT_STRICTSRCROUTE: IPOptValue(1057)=137; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging; BeginTime_c(1011)=20131011063123; EndTime_c(1012)=20131011063623; AtkTimes(1050)=3; |
Explanation |
This message is sent when logs are aggregated for packets with IP option 137. |
Recommended action |
No action is required. |
ATKDF_IPOPT_STRICTSRCROUTE_RAW
Message text |
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_IPOPT_STRICTSRCROUTE_RAW: IPOptValue(1057)=137; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for packets with IP option 137 and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with IP option 137 is received. |
Recommended action |
No action is required. |
ATKDF_IPOPT_TIMESTAMP
Message text |
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. $9: Start time of the attack. $10: End time of the attack. $11: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_IPOPT_TIMESTAMP: IPOptValue(1057)=68; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging; BeginTime_c(1011)=20131011063123; EndTime_c(1012)=20131011063623; AtkTimes(1050)=3; |
Explanation |
This message is sent when logs are aggregated for packets with IP option 68. |
Recommended action |
No action is required. |
ATKDF_IPOPT_TIMESTAMP_RAW
Message text |
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: IP option value. $2: Receiving interface name. $3: Source IP address. $4: IP address of the peer DS-Lite tunnel interface. $5: Destination IP address. $6: Name of the receiving VPN instance. $7: Protocol type. $8: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_IPOPT_TIMESTAMP_RAW: IPOptValue(1057)=68; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for packets with IP option 68 and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time a packet with IP option 68 is received. |
Recommended action |
No action is required. |
ATKDF_IPV6_EXT_HEADER
Message text |
IPv6ExtHeader(1060)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32]; |
Variable fields |
$1: IPv6 extension header value. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. $7: Start time of the attack. $8: End time of the attack. $9: Attack times. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_IPV6_EXT_HEADER: IPv6ExtHeader(1060)=43; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--; Action(1049)=logging; BeginTime_c(1011)=20131009103631; EndTime_c(1012)=20131009104131; AtkTimes(1050)=2; |
Explanation |
This message is sent when logs are aggregated for IPv6 packets with a user-defined extension header. |
Recommended action |
No action is required. |
ATKDF_IPV6_EXT_HEADER_RAW
Message text |
IPv6ExtHeader(1060)=[UINT32]; RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING]; |
Variable fields |
$1: IPv6 extension header value. $2: Receiving interface name. $3: Source IPv6 address. $4: Destination IPv6 address. $5: Name of the receiving VPN instance. $6: Actions against the attack. |
Severity level |
5 |
Example |
ATTACK/5/ATKDF_IPV6_EXT_HEADER_RAW: IPv6ExtHeader(1060)=43; RcvIfName(1023)=GigabitEthernet1/0/2; SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--; Action(1049)=logging; |
Explanation |
If log aggregation is enabled, for IPv6 packets with a user-defined extension header and of the same attributes, this message is sent only when the first packet is received. If log aggregation is disabled, this message is sent every time an IPv6 packet with a user-defined extension header is received. |
Recommended action |
No action is required. |
BFD messages
This section contains BFD messages.
BFD_CHANGE_FSM
Message text |
Sess[STRING], Sta: [STRING]->[STRING], Diag: [UINT32] |
Variable fields |
$1: Source address, destination address, interface, and message type of the BFD session. $2: Name of FSM before changing. $3: Name of FSM after changing. $4: Diagnostic code. |
Severity level |
5 |
Example |
BFD/5/BFD_CHANGE_FSM:Sess[20.0.4.2/20.0.4.1,LD/RD:533/532, Interface:Vlan204, SessType:Ctrl, LinkType:INET], Sta: INIT->UP, Diag: 0. |
Explanation |
The FSM of the BFD session has been changed. This informational message appears when a BFD session comes up or goes down. Unexpected session loss might indicate high error or packet loss rates in the network. |
Recommended action |
Check for incorrect BFD configuration or network congestion. |
BFD_MAD_INTERFACE_CHANGE_STATE
Message text |
[STRING] used for BFD MAD changed to the [STRING] state. |
Variable fields |
$1: Interface used for BFD MAD. $2: BFD MAD status of the interface, which can be failure or normal. |
Severity level |
5 |
Example |
BFD/5/BFD_MAD_INTERFACE_CHANGE_STATE: Vlan-interface2 used for BFD MAD changed to the failure state. |
Explanation |
The BFD MAD status of the interface changed. |
Recommended action |
Check whether the interface is down. |
BFD_REACHED_UPPER_LIMIT
Message text |
The total number of BFD sessions [UINT] reached the upper limit. Please avoid creating a new session. |
Variable fields |
$1: Total number of BFD sessions. |
Severity level |
5 |
Example |
BFD/5/BFD_REACHED_UPPER_LIMIT: The total number of BFD sessions 100 reached upper limit. Please avoid creating a new session. |
Explanation |
The total number of BFD sessions reached the upper limit. |
Recommended action |
Check the BFD session configuration. |
BGP messages
This section contains BGP messages.
BGP_EXCEED_ROUTE_LIMIT
Message text |
The number of routes from peer [STRING] in exceeded the limit [UINT32]. |
Variable fields |
$1: BGP peer IP address. $2: Maximum number of routes. |
Severity level |
4 |
Example |
BGP/4/BGP_EXCEEDED_ROUTE_LIMIT: The number of routes from peer 1.1.1.1 in exceeded the limit 100. |
Explanation |
The number of routes received from a peer exceeded the maximum number of routes that can be received from the peer. |
Recommended action |
Check whether you need to increase the maximum number of routes. |
BGP_EXCEEDS_THRESHOLD
Message text |
Threshold value [UINT32] reached for prefixes received from peer [STRING]. |
Variable fields |
$1: Percentage of received routes to the maximum number of routes. $2: Peer IP address. |
Severity level |
5 |
Example |
BGP/5/BGP_RECHED_THRESHOLD: Threshold value 20 reached for prefixes received from peer 1.1.1.1. |
Explanation |
The number of received routes reached the threshold. |
Recommended action |
Check whether you need to increase the threshold value or the maximum number of routes that can be received from the peer. |
BGP_MEM_ALERT
Message text |
BGP Process receive system memory alert [STRING] event. |
Variable fields |
$1: Type of the memory alarm. |
Severity level |
5 |
Example |
BGP/5/BGP_MEM_ALERT: BGP Process receive system memory alert start event. |
Explanation |
BGP received a memory alarm. |
Recommended action |
Check the system memory. |
BGP_STATE_CHANGED
Message text |
[STRING] state is changed from [STRING] to [STRING]. BGP. [STRING]: [STRING] State is changed from [STRING]to [STRING]. |
Variable fields |
$1: VPN instance name. $2: Peer IP address. $3: Name of FSM before a state change. $4: Name of FSM after a state change. |
Severity level |
5 |
Example |
BGP/5/BGP_STATE_CHANGED: BGP.vpn1:192.99.0.2 state is changed from ESTABLISHED to IDLE. |
Explanation |
The FSM of a BGP peer changed. This message is generated when a BGP peer comes up or goes down. |
Recommended action |
If a peer goes down unexpectedly, check for network failure or packet loss. |
CFD messages
This section contains CFD messages.
CFD_CROSS_CCM
Message text |
MEP [UINT16] in SI [INT32] received a cross-connect CCM. It’s SrcMAC is [MAC], SeqNum is [INT32], RMEP is [UINT16], MD ID is [STRING], MA ID is [STRING]. |
Variable fields |
$1: Service instance ID. $2: Local MEP ID. $3: Source MAC address. $4: Sequence number. $5: Remote MEP ID. $6: MD ID. If no MD ID is available, "without ID" is displayed. $7: MA ID. |
Severity level |
6 |
Example |
CFD/6/CFD_CROSS_CCM: MEP 13 in SI 10 received a cross-connect CCM. Its SrcMAC is 0011-2233-4401, SeqNum is 78, RMEP is 12, MD ID is without ID, MA ID is 0. |
Explanation |
A MEP received a cross-connect CCM containing a different MA ID or MD ID. |
Recommended action |
Check the configurations of MEPs at both ends. Make sure the MEPs have the same configurations, including MD, MA, and level. |
CFD_ERROR_CCM
Message text |
MEP [UINT16] in SI [INT32] received an error CCM. It’s SrcMAC is [MAC], SeqNum is [INT32], RMEP is [UINT16], MD ID is [STRING], MA ID is [STRING]. |
Variable fields |
$1: Service instance ID. $2: Local MEP ID. $3: Source MAC address. $4: Sequence number. $5: Remote MEP ID. $6: MD ID. If no MD ID is available, "without ID" is displayed. $7: MA ID. |
Severity level |
6 |
Example |
CFD/6/CFD_ERROR_CCM: MEP 2 in SI 7 received an error CCM. Its SrcMAC is 0011-2233-4401, SeqNum is 21, RMEP is 2, MD ID is 7, MA ID is 1. |
Explanation |
A MEP received an error CCM containing an unexpected MEP ID or lifetime. |
Recommended action |
Check the CCM configuration. Make sure the CCM intervals are the same at both ends, and the remote MEP ID is included in the MEP list of the local end. |
CFD_LOST_CCM
Message text |
MEP [UINT16] in SI [INT32] failed to receive CCMs from RMEP [UINT16]. |
Variable fields |
$1: Local MEP ID. $2: Service instance ID. $3: Remote MEP ID. |
Severity level |
6 |
Example |
CFD/6/CFD_LOST_CCM: MEP 1 in SI 7 received CCMs from RMEP 2. |
Explanation |
A MEP failed to receive CCMs within 3.5 sending intervals because the link was faulty or the remote MEP did not send CCM within 3.5 sending intervals. |
Recommended action |
1. Check the link status for a faulty state (for example, the down or unidirectional state), and then recover the link. 2. Check the configuration of the remote MEP. If the remote MEP is configured with the same service instance, make sure the CCM sending intervals are the same at both ends. 3. If the problem persists, contact H3C Support. |
CFD_RECEIVE_CCM
Message text |
MEP [UINT16] in SI [INT32] received CCMs from RMEP [UINT16] |
Variable fields |
$1: Local MEP ID. $2: Service instance ID. $3: Remote MEP ID. |
Severity level |
6 |
Example |
CFD/6/CFD_RECEIVE_CCM: MEP 1 in SI 7 received CCMs from RMEP 2. |
Explanation |
A MEP received CCMs from a remote MEP. |
Recommended action |
No action is required. |
CFGMAN messages
This section contains configuration management messages.
CFGMAN_CFGCHANGED
Message text |
-EventIndex=[INT32]-CommandSource=[INT32]-ConfigSource=[INT32]-ConfigDestination=[INT32]; Configuration is changed. |
Variable fields |
$1: Event index in the range of 1 to 2147483647. $2: Specify the source command which brought the log, in the range of 1 to 3. $3: Source of the configuration data event, in the range of 1 to 7. $4: Destination for the configuration data event, in the range of 1 to 7. |
Severity level |
5 |
Example |
CFGMAN/5/CFGMAN_CFGCHANGED: -EventIndex=[6]-Comman dSource=[2]-ConfigSource=[4]-ConfigDestination=[2]; Configuration is changed. |
Explanation |
The device recorded the logtale index, cmdsource, configsource, and configdestination for the running configuration that changed in the past 10 minutes. |
Recommended action |
No action is required. |
CFGMAN_OPTCOMPLETION
Message text |
-OperateType=[INT32]-OperateTime=[INT32]-OperateState=[INT32]-OperateEndTime=[INT32]; Operation is completed. |
Variable fields |
$1: Operation type in the range of 1 to 6. $2: Operation time. $3: Operation state in the range of 1 to 20. $4: Operation end time. |
Severity level |
5 |
Example |
CFGMAN/5/CFGMAN_OPTCOMPLETION: -OperateType=[1]-OperateTime=[248]-OperateState=[2]-OperateEndTime=[959983]; Operation is completed. |
Explanation |
The device recorded the type, state, start time, and end time of an operation. |
Recommended action |
No action is required. |
DEV messages
This section contains device management messages.
BOARD_REBOOT
Message text |
Board is rebooting on [STRING]. |
Variable fields |
$1: Chassis number and slot number or slot number. |
Severity level |
5 |
Example |
DEV/5/BOARD_REBOOT: Board is rebooting on Chassis 1 Slot 5. |
Explanation |
A card was manually or automatically rebooted. |
Recommended action |
If an unexpected automatic reboot occurred, perform the following tasks: 4. Execute the display version command after the card starts up. 5. Check the Last reboot reason field for the reboot reason. 6. If an exception caused the reboot, contact H3C Support. |
BOARD_REMOVED
Message text |
Board is removed from [STRING], type is [STRING]. |
Variable fields |
$1: Chassis number and slot number or slot number. $2: Card type. |
Severity level |
3 |
Example |
DEV/3/BOARD_REMOVED: Board is removed from Chassis 1 Slot 5, type is LSQ1FV48SA. |
Explanation |
An LPU or standby MPU was removed. |
Recommended action |
If the LPU or MPU was not manually removed, perform the following tasks: 1. Verify that the card is securely seated. 2. Replace the card if the message persists. 3. If the problem persists, contact H3C Support. |
BOARD_STATE_FAULT
Message text |
Board state changes to FAULT on [STRING], type is [STRING]. |
Variable fields |
$1: Chassis number and slot number or slot number. $2: Card type. |
Severity level |
2 |
Example |
DEV/2/BOARD_STATE_FAULT: Board state changes to FAULT on Chassis 1 Slot 5, type is LSQ1FV48SA. |
Explanation |
The card was starting up (initializing or loading software) or was not operating correctly. |
Recommended action |
· If the card was newly installed, wait for the card to start up. The required startup time varies by card model and software version and is typically less than 10 minutes. · If the card was not newly installed, contact H3C Support. |
BOARD_STATE_NORMAL
Message text |
Board state changes to NORMAL on [STRING], type is [STRING]. |
Variable fields |
$1: Chassis number and slot number or slot number. $2: Card type. |
Severity level |
5 |
Example |
DEV/5/BOARD_STATE_NORMAL: Board state changes to NORMAL on Chassis 1 Slot 5, type is LSQ1FV48SA. |
Explanation |
A newly installed LPU or standby MPU completed initialization. |
Recommended action |
No action is required. |
CFCARD_INSERTED
Message text |
Compact Flash Card is inserted in [STRING] Compact Flash Slot [INT32]. |
Variable fields |
$1: Chassis number and slot number or slot number. $2: CF card slot ID. |
Severity level |
4 |
Example |
DEV/4/CFCARD_INSERTED: Compact Flash Card is inserted in Chassis 1 Slot 5 Compact Flash Slot 1. |
Explanation |
A CF card was installed. |
Recommended action |
No action is required. |
CFCARD_REMOVED
Message text |
Compact Flash Card is removed from [STRING] Compact Flash Slot [INT32]. |
Variable fields |
$1: Chassis number and slot number or slot number. $2: CF card slot ID. |
Severity level |
3 |
Example |
DEV/3/CFCARD_REMOVED: Compact Flash Card is removed from Chassis 1 Slot 5 Compact Flash Slot 1. |
Explanation |
A CF card was removed. |
Recommended action |
If the CF card was not manually removed, perform the following tasks: 1. Verify that the card is securely seated. 2. Replace the card if the message persists. 3. If the problem persists, contact H3C Support. |
CHASSIS_REBOOT
Message text |
Chassis [INT32] is rebooting now. |
Variable fields |
$1: Chassis number. |
Severity level |
5 |
Example |
DEV/5/CHASSIS_REBOOT: Chassis 1 is rebooting now. |
Explanation |
The chassis was manually or automatically rebooted. |
Recommended action |
If an unexpected automatic reboot occurs, perform the following tasks: 1. Execute the display version command after the chassis starts up. 2. Check the Last reboot reason field for the reboot reason. 3. If an exception caused the reboot, contact H3C Support. |
DEV_CLOCK_CHANGE
Message text |
-User=[STRING]-IPAddr=[IPADDR]; System clock changed from [STRING] to [STRING]. |
Variable fields |
$1: Username of the login user. $2: IP address of the login user. $3: Old time. $4: New time. |
Severity level |
5 |
Example |
DEV/5/DEV_CLOCK_CHANGE: -User=[STRING]-IPAddr=[IPADDR]; System clock changed from 15:49:52 11/02/2011 to 15:50:00 11/02/2011. |
Explanation |
The system time changed. |
Recommended action |
No action is required. |
FAN_ABSENT
Message text |
Pattern 1: Fan [INT32] is absent. Pattern 2: Chassis [STRING] fan [INT32] is absent. |
Variable fields |
Pattern 1: $1: Fan tray ID. Pattern 2: $1: Chassis number. $2: Fan tray ID. |
Severity level |
3 |
Example |
Pattern 1: DEV/3/FAN_ABSENT: Fan 2 is absent. Pattern 2: DEV/3/FAN_ABSENT: Chassis 1 fan 2 is absent. |
Explanation |
A fan tray was not in place. |
Recommended action |
1. Check the fan tray slot: ¡ If the fan tray slot is empty, install a fan tray. ¡ If a fan tray is present, verify that the fan tray is securely seated. 2. Replace the fan tray if the message persists. 3. If the problem persists, contact H3C Support. |
FAN_DIRECTION_NOT_PREFERRED
Message text |
Fan [INT32] airflow direction is not preferred on slot [INT32], please check it. |
Variable fields |
$1: Fan tray ID. $2: Slot number. |
Severity level |
1 |
Example |
DEV/1/FAN_DIRECTION_NOT_PREFERRED: Fan 1 airflow direction is not preferred on slot 3, please check it. |
Explanation |
The airflow direction of the fan tray is different from the airflow direction setting. |
Recommended action |
1. Verify that the airflow direction setting is correct. 2. Verify that the fan tray model provides the same airflow direction as the configured setting. 3. If the problem persists, contact H3C Support. |
FAN_FAILED
Message text |
Pattern 1: Fan [INT32] failed. Pattern 2: Chassis [STRING] fan [INT32] failed. |
Variable fields |
Pattern 1: $1: Fan tray ID. Pattern 2: $1: Chassis number. $2: Fan tray ID. |
Severity level |
2 |
Example |
Pattern 1: DEV/2/FAN_FAILED: Fan 2 failed. Pattern 2: DEV/2/FAN_FAILED: Chassis 1 fan 2 failed. |
Explanation |
The fan tray stopped because of an exception. |
Recommended action |
Replace the fan tray. |
FAN_RECOVERED
Message text |
Pattern 1: Fan [INT32] recovered. Pattern 2: Chassis [STRING] fan [INT32] recovered. |
Variable fields |
Pattern 1: $1: Fan tray ID. Pattern 2: $1: Chassis number. $2: Fan tray ID. |
Severity level |
5 |
Example |
Pattern 1: DEV/5/FAN_RECOVERED: Fan 2 recovered. Pattern 2: DEV/5/FAN_RECOVERED: Chassis 1 fan 2 recovered. |
Explanation |
The fan tray started to operate correctly after it was installed. |
Recommended action |
No action is required. |
POWER_ABSENT
Message text |
Pattern 1: Power [INT32] is absent. Pattern 2: Chassis [STRING] power [INT32] is absent. |
Variable fields |
Pattern 1: $1: Power supply ID. Pattern 2: $1: Chassis number. $2: Power supply ID. |
Severity level |
3 |
Example |
Pattern 1: DEV/3/POWER_ABSENT: Power 1 is absent. Pattern 2: DEV/3/POWER_ABSENT: Chassis 1 power 1 is absent. |
Explanation |
A power supply was removed. |
Recommended action |
1. Check the power supply slot. ¡ If the power supply slot is empty, install a power supply. ¡ If a power supply is present, verify that the power supply is securely seated. 2. If the problem persists, replace the power supply. 3. If the problem persists, contact H3C Support. |
POWER_FAILED
Message text |
Pattern 1: Power [INT32] failed. Pattern 2: Chassis [STRING] power [INT32] failed. |
Variable fields |
Pattern 1: $1: Power supply ID. Pattern 2: $1: Chassis number. $2: Power supply ID. |
Severity level |
2 |
Example |
Pattern 1: DEV/2/POWER_FAILED: Power 1 failed. Pattern 2: DEV/2/POWER_FAILED: Chassis 1 power 1 failed. |
Explanation |
A power supply failed. |
Recommended action |
Replace the power supply. |
POWER_MONITOR_ABSENT
Message text |
Pattern 1: Power monitor unit [INT32] is absent. Pattern 2: Chassis [STRING] power monitor unit [INT32] is absent. |
Variable fields |
Pattern 1: $1: Power monitoring module ID. Pattern 2: $1: Chassis number. $2: Power monitoring module ID. |
Severity level |
3 |
Example |
Pattern 1: DEV/3/POWER_MONITOR_ABSENT: Power monitor unit 1 is absent. Pattern 2: DEV/3/POWER_MONITOR_ABSENT: Chassis 2 power monitor unit 1 is absent. |
Explanation |
A power monitoring module was removed. |
Recommended action |
1. Check the power monitoring module slot. ¡ If the power monitoring module slot is empty, install a power monitoring module. ¡ If a power monitoring module is present, verify that the power monitoring module is securely seated. 2. If the problem persists, replace the power monitoring module. 3. If the problem persists, contact H3C Support. |
POWER_MONITOR_FAILED
Message text |
Pattern 1: Power monitor unit [INT32] failed. Pattern 2: Chassis [STRING] power monitor unit [INT32] failed. |
Variable fields |
Pattern 1: $1: Power monitoring module ID. Pattern 2: $1: Chassis number. $2: Power monitoring module ID. |
Severity level |
2 |
Example |
Pattern 1: DEV/2/POWER_MONITOR_FAILED: Power monitor unit 1 failed. Pattern 2: DEV/2/POWER_MONITOR_FAILED: Chassis 2 power monitor unit 1 failed. |
Explanation |
A power monitoring module failed. |
Recommended action |
Replace the power monitoring module. |
POWER_MONITOR_FAN_FAILED
Message text |
Pattern 1: Warning: Fan of power module [INT32] fails to operate. Please check it. Pattern 2: Warning: Fan of power module [INT32] on chassis [INT32] fails to operate. Please check it. |
Variable fields |
Pattern 1: $1: Power module ID. Pattern 2: $1: Power module ID. $2: Chassis number. |
Severity level |
4 |
Example |
Pattern 1: DRVPLAT/4/DrvDebug: Warning: Fan of power module 2 fails to operate. Please check it. |
Explanation |
The fan of a power module failed. |
Recommended action |
Check the fan of the power module. If the fan cannot operate correctly, replace the power module. |
POWER_MONITOR_OVERTEMPERATURE
Message text |
Pattern 1: Warning: Overtemperature condition is detected on power module [INT32]. Please check it. Pattern 2: Warning: Overtemperature condition is detected on power module [INT32] of chassis [INT32]. Please check it. |
Variable fields |
Pattern 1: $1: Power module ID. Pattern 2: $1: Power module ID. $2: Chassis number. |
Severity level |
4 |
Example |
Pattern 1: DRVPLAT/4/DrvDebug: Warning: Overtemperature condition is detected on power module 2. Please check it. |
Explanation |
The temperature of a power module exceeded the threshold. |
Recommended action |
1. Verify that the ambient temperature is within the allowed temperature range and the ventilation system is operating correctly. 2. Check the fan of the power module. If the fan cannot operate correctly, replace the power module. |
POWER_MONITOR_RECOVERED
Message text |
Pattern 1: Power monitor unit [INT32] recovered. Pattern 2: Chassis [STRING] power monitor unit [INT32] recovered. |
Variable fields |
Pattern 1: $1: Power monitoring module ID. Pattern 2: $1: Chassis number. $2: Power monitoring module ID. |
Severity level |
5 |
Example |
Pattern 1: DEV/5/POWER_MONITOR_RECOVERED: Power monitor unit 1 recovered. Pattern 2: DEV/5/POWER_MONITOR_RECOVERED: Chassis 2 power monitor unit 1 recovered. |
Explanation |
The power monitoring module started to operate correctly after it was installed. |
Recommended action |
No action is required. |
POWER_RECOVERED
Message text |
Pattern 1: Power [INT32] recovered. Pattern 2: Chassis [STRING] power [INT32] recovered. |
Variable fields |
Pattern 1: $1: Power supply ID. Pattern 2: $1: Chassis number. $2: Power supply ID. |
Severity level |
5 |
Example |
Pattern 1: DEV/5/POWER_RECOVERED: Power 1 recovered. Pattern 2: DEV/5/POWER_RECOVERED: Chassis 1 power 1 recovered. |
Explanation |
The power supply started to operate correctly after it was installed. |
Recommended action |
No action is required. |
RPS_ABSENT
Message text |
Pattern 1: RPS [INT32] is absent. Pattern 2: Chassis [STRING] RPS [INT32] is absent. |
Variable fields |
Pattern 1: $1: RPS ID. Pattern 2: $1: Chassis number. $2: RPS ID. |
Severity level |
3 |
Example |
Pattern 1: DEV/3/RPS_ABSENT: RPS 1 is absent. Pattern 2: DEV/3/RPS_ABSENT: Chassis 1 RPS 1 is absent. |
Explanation |
An RPS was removed. |
Recommended action |
1. Check the RPS slot. ¡ If the RPS slot is empty, install a RPS. ¡ If an RPS is present, verify that the RPS is securely seated. 2. If the problem persists, replace the RPS. 3. If the problem persists, contact H3C Support. |
RPS_NORMAL
Message text |
Pattern 1: RPS [INT32] is normal. Pattern 2: Chassis [INT32] RPS [INT32] is normal. |
Variable fields |
Pattern 1: $1: RPS ID. Pattern 2: $1: Chassis number. $2: RPS ID. |
Severity level |
5 |
Example |
Pattern 1: DEV/5/RPS_NORMAL: RPS 1 is normal. Pattern 2: DEV/5/RPS_NORMAL: Chassis 1 RPS 1 is normal. |
Explanation |
The RPS started to operate correctly after it was installed. |
Recommended action |
No action is required. |
SUBCARD_FAULT
Message text |
SubCard state changes to FAULT on [STRING] SubSlot [INT32], type is [STRING]. |
Variable fields |
$1: Chassis number and slot number or slot number. $2: Subslot number. $3: Subcard type. |
Severity level |
2 |
Example |
DEV/2/SUBCARD_FAULT: SubCard state changes to FAULT on Chassis 1 slot 5 SubSlot 1, type is MIM-1ATM-OC3SML. |
Explanation |
The subcard failed, or its status changed to Fault after it was rebooted. |
Recommended action |
Track the status of the subcard. · If the status of the subcard changes to Normal later, no action is required. · If the status is always Fault, replace the subcard. |
SUBCARD_INSERTED
Message text |
SubCard is inserted in [STRING] SubSlot [INT32], type is [STRING]. |
Variable fields |
$1: Chassis number and slot number or slot number. $3: Subslot number. $4: Subcard type. |
Severity level |
4 |
Example |
DEV/4/SUBCARD_INSERTED: SubCard is inserted in Chassis 1 Slot 5 SubSlot 1, type is MIM-1ATM-OC3SML. |
Explanation |
A subcard was installed. |
Recommended action |
No action is required. |
SUBCARD_REBOOT
Message text |
SubCard is rebooting on [STRING] SubSlot [INT32]. |
Variable fields |
$1: Chassis number and slot number or slot number. $2: Subslot number. |
Severity level |
5 |
Example |
DEV/5/SUBCARD_REBOOT: SubCard is rebooting on Chassis 1 Slot 5 SubSlot 1. |
Explanation |
The subcard was manually or automatically rebooted. |
Recommended action |
· If the subcard operates correct after it starts up, no action is required. · If you want to know the reboot reason or the subcard keeps rebooting, contact H3C Support. |
SUBCARD_REMOVED
Message text |
SubCard is removed from [STRING] SubSlot [INT32], type is [STRING]. |
Variable fields |
$1: Chassis number and slot number or slot number. $2: Subslot number. $3: Subcard type. |
Severity level |
3 |
Example |
DEV/3/SUBCARD_REMOVED: SubCard is removed from Chassis 1 Slot 5 SubSlot 1, type is MIM-1ATM-OC3SML. |
Explanation |
A subcard was removed. |
Recommended action |
If the subcard was not manually removed, perform the following tasks: 1. Verify that the subcard is securely seated. 2. Replace the subcard if the message persists. 3. If the problem persists, contact H3C Support. |
SYSTEM_REBOOT
Message text |
System is rebooting now. |
Variable fields |
N/A |
Severity level |
5 |
Example |
DEV/5/SYSTEM_REBOOT: System is rebooting now. |
Explanation |
The system was manually or automatically rebooted. |
Recommended action |
If an unexpected automatic reboot occurred, perform the following tasks: 1. Execute the display version command after the system starts up. 2. Check the Last reboot reason field for the reboot reason. 3. If an exception caused the reboot, contact H3C Support. |
TEMPERATURE_ALARM
Message text |
Temperature is greater than alarm upper limit on [STRING]sensor [STRING] [INT32]. |
Variable fields |
$1: Chassis number and slot number or slot number. $2: Sensor type. $3: Sensor ID. |
Severity level |
4 |
Example |
DEV/4/TEMPERATURE_ALARM: Temperature is greater than alarm upper limit on Chassis 1 slot 5 sensor inflow 1. |
Explanation |
A sensor's temperature exceeded the high-temperature alarming threshold. The ambient temperature was too high or the fan tray was not operating correctly. |
Recommended action |
1. Verify that the ambient temperature is normal and the ventilation system is operating correctly. 2. Use the display fan command to verify that the fan trays are in position and operating correctly. If a fan tray is missing, install the fan tray. If a fan tray does not operate correctly, replace it. |
TEMPERATURE_LOW
Message text |
Temperature is less than lower limit on [STRING] sensor [STRING] [INT32]. |
Variable fields |
$1: Chassis number and slot number or slot number. $2: Sensor type. $3: Sensor ID. |
Severity level |
4 |
Example |
DEV/4/TEMPERATURE_LOW: Temperature is less than lower limit on Chassis 1 slot 5 sensor inflow 1. |
Explanation |
A sensor's temperature fell below the low-temperature threshold. |
Recommended action |
Adjust the ambient temperature higher. |
TEMPERATURE_NORMAL
Message text |
Temperature changes to normal on [STRING] sensor [STRING] [INT32]. |
Variable fields |
$1: Chassis number and slot number or slot number. $2: Sensor type. $3: Sensor ID. |
Severity level |
5 |
Example |
DEV/5/TEMPERATURE_NORMAL: Temperature changes to normal on Chassis 1 slot 5 sensor inflow 1. |
Explanation |
A sensor's temperature is normal (between the low-temperature threshold and the high-temperature warning threshold). |
Recommended action |
No action is required. |
TEMPERATURE_SHUTDOWN
Message text |
Temperature is greater than shutdown upper limit on [STRING] sensor [STRING] [INT32] the slot will be powered off automatically. |
Variable fields |
$1: Chassis number and slot number or slot number. $2: Sensor type. $3: Sensor ID. |
Severity level |
2 |
Example |
DEV/2/TEMPERATURE_SHUTDOWN: Temperature is greater than shutdown upper limit on Chassis 1 slot 5 sensor inflow 1 the slot will be powered off automatically. |
Explanation |
A sensor's temperature exceeded the high-temperature shutdown threshold. The ambient temperature was too high or the fan tray was not operating correctly. |
Recommended action |
1. Verify that the ambient temperature is normal and the ventilation system is operating correctly. 2. Use the display fan command to verify that the fan trays are in position and operating correctly. If a fan tray is missing, install the fan tray. If a fan tray does not operate correctly, replace it. |
TEMPERATURE_WARNING
Message text |
Temperature is greater than warning upper limit on [STRING]sensor [STRING] [INT32]. |
Variable fields |
$1: Chassis number and slot number or slot number. $2: Sensor type. $3: Sensor ID. |
Severity level |
4 |
Example |
DEV/4/TEMPERATURE_WARNING: Temperature is greater than warning upper limit on Chassis 1 slot 2 sensor inflow 1. |
Explanation |
A sensor's temperature exceeded the high-temperature warning threshold. The ambient temperature was too high or the fan tray was not operating correctly. |
Recommended action |
1. Verify that the ambient temperature is normal and the ventilation system is operating correctly. 2. Use the display fan command to verify that the fan trays are in position and operating correctly. If a fan tray is missing, install the fan tray. If a fan tray does not operate correctly, replace it. |
DHCP
This section contains DHCP messages.
DHCP_NOTSUPPORTED
Message text |
Failed to apply filtering rules for DHCP packets because some rules are not supported. |
Variable fields |
N/A |
Severity level |
3 |
Example |
DHCP/3/DHCP_NOTSUPPORTED: Failed to apply filtering rules for DHCP packets because some rules are not supported. |
Explanation |
The system failed to apply filtering rules for DHCP packets because some rules are not supported on the device. |
Recommended action |
No action is required. |
DHCP_NORESOURCES
Message text |
Failed to apply filtering rules for DHCP packets because hardware resources are insufficient. |
Variable fields |
N/A |
Severity level |
3 |
Example |
DHCP/3/DHCP_NORESOURCES: Failed to apply filtering rules for DHCP packets because hardware resources are insufficient. |
Explanation |
The system failed to apply filtering rules for DHCP packets because the hardware resources are insufficient. |
Recommended action |
Release hardware resources and apply the rules again. |
DHCPR
This section contains DHCP relay agent messages.
DHCPR_SERVERCHANGE
Message text |
Switched to the server at [IPADDR] because the current server did not respond. |
Variable fields |
$1: IP address of the DHCP server. |
Severity level |
3 |
Example |
DHCPR/3/DHCPR_SERVERCHANGE: -MDC=1; Switched to the server at 2.2.2.2 because the current server did not respond. |
Explanation |
The DHCP relay agent did not receive any responses from the current DHCP server and switched to another DHCP server for IP address acquisition. |
Recommended action |
No action is required. |
DHCPR_SWITCHMASTER
Message text |
Switched to the master DHCP server at [IPADDR]. |
Variable fields |
$1: IP address of the master DHCP server. |
Severity level |
3 |
Example |
DHCPR/3/DHCPR_SWITCHMASTER: -MDC=1; Switched to the master DHCP server at 2.2.2.2. |
Explanation |
After a switchback delay time, the DHCP relay agent switched from a backup DHCP server to the master DHCP server for IP address acquisition. |
Recommended action |
No action is required. |
DHCPS messages
This section contains DHCP server messages.
DHCPS_ALLOCATE_IP
Message text |
DHCP server received a DHCP client's request packet on interface [STRING], and allocated an IP address [IPADDR](lease [UINT32] seconds) for the DHCP client(MAC [MAC]) from [STRING] pool. |
Variable fields |
$1: Name of the interface on which DHCP server is configured. $2: IPv4 address assigned to the DHCP client. $3: Lease duration of the assigned IPv4 address. $4: MAC address of the DHCP client. $5: Name of the address pool to which the assigned IPv4 address belongs. |
Severity level |
5 |
Example |
DHCPS/5/DHCPS_ALLOCATE_IP: DHCP server received a DHCP client’s request packet on interface GigabitEthernet1/0/2, and allocated an IP address 1.0.0.91(lease 86400 seconds) for the DHCP client(MAC 0000-0000-905a) from p1 pool. |
Explanation |
The DHCP server assigned an IPv4 address to a DHCP client. |
Recommended action |
No action is required. |
DHCPS_CONFLICT_IP
Message text |
A conflict IP [IPADDR] from [STRING] pool was detected by DHCP server on interface [STRING]. |
Variable fields |
$1: IPv4 address that is in conflict. $2: Name of the address pool to which the conflicting IPv4 address belongs. $3: Name of the interface on which DHCP server is configured. |
Severity level |
5 |
Example |
DHCPS/5/DHCPS_CONFLICT_IP: A conflict IP 100.1.1.1 from p1 pool was detected by DHCP server on interface GigabitEthernet1/0/2. |
Explanation |
The DHCP server deleted a conflicting IPv4 address from an address pool. |
Recommended action |
No action is required. |
DHCPS_EXTEND_IP
Message text |
DHCP server received a DHCP client's request packet on interface [STRING], and extended lease from [STRING] pool for the DHCP client (IP [IPADDR], MAC [MAC]). |
Variable fields |
$1: Name of the interface on which DHCP server is configured. $2: Name of the address pool to which the client's IPv4 address belongs. $3: IPv4 address of the DHCP client. $4: MAC address of the DHCP client. |
Severity level |
5 |
Example |
DHCPS/5/DHCPS_EXTEND_IP: DHCP server received a DHCP client’s request packet on interface GigabitEthernet1/0/2, and extended lease from p1 pool for the DHCP client (IP 1.0.0.91, MAC 0000-0000-905a). |
Explanation |
The DHCP server extended the lease for a DHCP client. |
Recommended action |
No action is required. |
DHCPS_FILE
Message text |
Failed to save DHCP client information due to lack of storage resources. |
Variable fields |
N/A |
Severity level |
4 |
Example |
DHCPS/4/DHCPS_FILE: Failed to save DHCP client information due to lack of storage resources. |
Explanation |
The DHCP server failed to save DHCP bindings to the backup file due to lack of storage resources. |
Recommended action |
Delete unnecessary files to release resources. |
DHCPS6 messages
This section contains DHCPv6 server messages.
DHCPS6_ALLOCATE_ADDRESS
Message text |
DHCPv6 server received a DHCPv6 client’s request packet on interface [STRING], and allocated an IPv6 address [IPADDR] (lease [UINT32] seconds) for the DHCP client(DUID [HEX], IAID [HEX]) from [STRING] pool. |
Variable fields |
$1: Name of the interface on which DHCPv6 server is configured. $2: IPv6 address assigned to the DHCPv6 client. $3: Lease duration of the assigned IPv6 address. $4: DUID of the DHCPv6 client. $5: IAID of the DHCPv6 client. $6: Name of the address pool to which the assigned IPv6 address belongs. |
Severity level |
5 |
Example |
DHCPS6/5/DHCPS6_ALLOCATE_ADDRESS: DHCPv6 server received a DHCPv6 client’s request packet on interface GigabitEthernet1/0/2, and allocated an IPv6 address 2000::3(lease 60 seconds) for the DHCP client(DUID 0001000118137c37b4b52facab5a, IAID 10b4b52f) from p1 pool. |
Explanation |
The DHCPv6 server assigned an IPv6 address to a DHCPv6 client. |
Recommended action |
No action is required. |
DHCPS6_ALLOCATE_PREFIX
Message text |
DHCPv6 server received a DHCPv6 client’s request packet on interface [STRING], and allocated an IPv6 prefix [IPADDR] (lease [UINT32] seconds) for the DHCP client(DUID [HEX], IAID [HEX]) from [STRING] pool. |
Variable fields |
$1: Name of the interface on which DHCPv6 server is configured. $2: IPv6 prefix assigned to the DHCPv6 client. $3: Lease duration of the assigned IPv6 prefix. $4: DUID of the DHCPv6 client. $5: IAID of the DHCPv6 client. $6: Name of the address pool to which the assigned IPv6 prefix belongs. |
Severity level |
5 |
Example |
DHCPS6/5/DHCPS6_ALLOCATE_PREFIX: DHCPv6 server received a DHCPv6 client’s request packet on interface GigabitEthernet1/0/2, and allocated an IPv6 prefix 2000::(lease 60 seconds) for the DHCP client(DUID 0001000118137c37b4b52facab5a, IAID 10b4b52f) from p1 pool. |
Explanation |
The DHCPv6 server assigned an IPv6 prefix to a DHCPv6 client. |
Recommended action |
No action is required. |
DHCPS6_CONFLICT_ADDRESS
A conflict IPv6 address [IPADDR] from [STRING] pool was detected by DHCPv6 server on interface [STRING]. |
|
Variable fields |
$1: IPv6 address that is in conflict. $2: Name of the address pool to which the conflicting IPv6 address belongs. $3: Name of the interface on which DHCPv6 server is configured. |
Severity level |
5 |
Example |
DHCPS6/5/DHCPS6_CONFLICT_ADDRESS: A conflict IPv6 address 33::1 from p1 pool was detected by DHCPv6 server on interface GigabitEthernet1/0/2. |
Explanation |
The DHCPv6 server deleted a conflicting IPv6 address from an address pool. |
Recommended action |
No action is required. |
DHCPS6_EXTEND_ADDRESS
Message text |
DHCPv6 server received a DHCP client’s request packet on interface [STRING], and extended lease from [STRING] pool for the DHCP client (IPv6 address [IPADDR], DUID [HEX], IAID [HEX]). |
Variable fields |
$1: Name of the interface on which DHCPv6 server is configured. $2: Name of the address pool to which the client's IPv6 address belongs. $3: IPv6 address of the DHCPv6 client. $4: DUID of the DHCPv6 client. $5: IAID of the DHCPv6 client. |
Severity level |
5 |
Example |
DHCPS6/5/DHCPS6_EXTEND_ADDRESS: DHCPv6 server received a DHCP client’s request packet on interface GigabitEthernet1/0/2, and extended lease from p1 pool for the DHCP client (IPv6 address 2000::3, DUID 0001000118137c37b4b52facab5a, IAID 10b4b52f). |
Explanation |
The DHCPv6 server extended the address lease for a DHCPv6 client. |
Recommended action |
No action is required. |
DHCPS6_EXTEND_PREFIX
Message text |
DHCPv6 server received a DHCP client’s request packet on interface [STRING], and extended lease from [STRING] pool for the DHCP client (IPv6 prefix [IPADDR], DUID [HEX], IAID [HEX]). |
Variable fields |
$1: Name of the interface on which DHCPv6 server is configured. $2: Name of the address pool to which the client's IPv6 prefix belongs. $3: IPv6 prefix of the DHCPv6 client. $4: DUID of the DHCPv6 client. $5: IAID of the DHCPv6 client. |
Severity level |
5 |
Example |
DHCPS6/5/DHCPS6_EXTEND_PREFIX: DHCPv6 server received a DHCP client’s request packet on interface GigabitEthernet1/0/2, and extended lease from p1 pool for the DHCP client (IPv6 prefix 2000::, DUID 0001000118137c37b4b52facab5a, IAID 10b4b52f). |
Explanation |
The DHCPv6 server extended the prefix lease for a DHCPv6 client. |
Recommended action |
No action is required. |
DHCPS6_FILE
Message text |
Failed to save DHCP client information due to lack of storage resources. |
Variable fields |
N/A |
Severity level |
4 |
Example |
DHCPS6/4/DHCPS6_FILE: Failed to save DHCP client information due to lack of storage resources. |
Explanation |
The DHCPv6 server failed to save DHCPv6 bindings to the backup file due to lack of storage resources. |
Recommended action |
Delete unnecessary files to release resources. |
DHCPS6_RECLAIM_ADDRESS
Message text |
DHCPv6 server reclaimed a [STRING] pool's lease(IPv6 address [IPADDR], lease [UINT32] seconds), which is allocated for the DHCPv6 client (DUID [HEX], IAID [HEX]). |
Variable fields |
$1: Name of the address pool to which the assigned IPv6 address belongs. $2: IPv6 address assigned to the DHCPv6 client. $3: Lease duration of the assigned IPv6 address. $4: DUID of the DHCPv6 client. $5: IAID of the DHCPv6 client. |
Severity level |
5 |
Example |
DHCPS6/5/DHCPS6_RECLAIM_ADDRESS: DHCPv6 server reclaimed a p1 pool’s lease(IPv6 address 2000::3, lease 60 seconds), which is allocated for the DHCPv6 client (DUID 0001000118137c37b4b52facab5a, IAID 10b4b52f). |
Explanation |
The DHCPv6 server reclaimed an IPv6 address assigned to a DHCPv6 client. |
Recommended action |
No action is required. |
DHCPSP4
This section contains DHCP snooping messages.
DHCPSP4_FILE
Message text |
Failed to save DHCP client information due to lack of storage resources. |
Variable fields |
N/A |
Severity level |
4 |
Example |
DHCPSP4/4/DHCPSP4_FILE: Failed to save DHCP client information due to lack of storage resources. |
Explanation |
The DHCP snooping device failed to save DHCP snooping entries to the backup file due to lack of storage resources. |
Recommended action |
Delete unnecessary files to release resources. |
DHCPSP6
This section contains DHCPv6 snooping messages.
DHCPSP6_FILE
Message text |
Failed to save DHCP client information due to lack of storage resources. |
Variable fields |
N/A |
Severity level |
4 |
Example |
DHCPSP6/4/DHCPSP6_FILE: Failed to save DHCP client information due to lack of storage resources. |
Explanation |
The DHCPv6 snooping device failed to save DHCPv6 snooping entries to the backup file due to lack of storage resources. |
Recommended action |
Delete unnecessary files to release resources. |
DIAG messages
This section contains diagnostic messages.
MEM_ALERT
Message text |
system memory info: total used free shared buffers cached Mem: [ULONG] [ULONG] [ULONG] [ULONG] [ULONG] [ULONG] -/+ buffers/cache: [ULONG] [ULONG] Swap: [ULONG] [ULONG] [ULONG] Lowmem: [ULONG] [ULONG] [ULONG] |
Variable fields |
· Mem—Memory information of the whole system: ¡ $1: Size of the allocatable physical memory of the system. The system physical memory includes non-allocatable and allocatable physical memory. Non-allocatable physical memory is used for kernel code storage, kernel management cost, and running of basic functions. Allocatable physical memory is used for running of service modules and file storage. The size of non-allocatable physical memory is automatically calculated by the system. The size of the allocatable physical memory is the total physical memory size minus the non-allocatable physical memory size. ¡ $2: Size of the physical memory used by the system. ¡ $3: Size of the free physical memory in the system. ¡ $4: Size of the physical memory shared by processes. ¡ $5: Size of the used file buffer. ¡ $6: Size of memory used by the cache. · -/+ buffers/cache—Memory usage information of applications. ¡ $7: -/+ Buffers/Cache:used = Mem:Used – Mem:Buffers – Mem:Cached (size of the physical memory used by applications). ¡ $8: -/+ Buffers/Cache:free = Mem:Free + Mem:Buffers + Mem:Cached (size of the physical memory available for applications). · Swap—Swap usage information: ¡ $9: Total size of the swap space. ¡ $10: Size of the used swap space. ¡ $11: Size of the free swap space. · Lowmem—Low memory usage information: ¡ $12: Total size of the low memory. ¡ $13: Size of the used low memory. ¡ $14: Size of the free low memory. |
Severity level |
4 |
Example |
DIAG/4/MEM_ALERT: system memory info: total used free shared buffers cached Mem: 1784424 920896 863528 0 0 35400 -/+ buffers/cache: 885496 898928 Swap: 0 0 0 Lowmem: 735848 637896 97952 |
Explanation |
A memory alarm was generated, displaying memory usage information. The system generates this message when the used memory size is greater than or equal to the minor, severe, or critical threshold of memory usage. |
Recommended action |
1. Use the display memory-threshold command to display the minor, severe, and critical threshold values. If the thresholds are not proper, use the memory-threshold command to change them. 2. Display the ARP table and routing table to verify that the device is not under attack. 3. Examine and optimize the networking, for example, reduce the number of routes or use a device with higher performance. |
MEM_BELOW_THRESHOLD
Message text |
Memory usage has dropped below [STRING] threshold. |
Variable fields |
$1: Memory usage threshold name: minor, severe, or critical. |
Severity level |
1 |
Example |
DIAG/1/MEM_BELOW_THRESHOLD: Memory usage has dropped below critical threshold. |
Explanation |
A memory alarm was removed. The system generates this message when the size of the system free memory is greater than a memory alarm recovery threshold. |
Recommended action |
No action is required. |
MEM_EXCEED_THRESHOLD
Message text |
Memory [STRING] threshold has been exceeded. |
Variable fields |
$1: Memory usage threshold name: minor, severe, or critical. |
Severity level |
1 |
Example |
DIAG/1/MEM_EXCEED_THRESHOLD: Memory minor threshold has been exceeded. |
Explanation |
The amount of used memory space exceeded a threshold. When the used memory size is greater than or equal to the minor, severe, or critical threshold of memory usage, the system generates this message and notifies services modules to perform auto repair, such as releasing memory and stopping requesting memory. |
Recommended action |
1. Use the display memory-threshold command to display the minor, severe, and critical threshold values. If the thresholds are not proper, use the memory-threshold command to change them. 2. Display the ARP table and routing table to verify that the device is not under attack. Examine and optimize the networking, for example, reduce the number of routes or use a device with higher performance. |
DLDP messages
This section contains DLDP messages.
DLDP_AUTHENTICATION_FAILED
Message text |
The DLDP packet failed the authentication because of unmatched [STRING] field. |
Variable fields |
$1: Authentication field. ¡ AUTHENTICATION PASSWORD—Authentication password mismatch. ¡ AUTHENTICATION TYPE—Authentication type mismatch. ¡ INTERVAL—Advertisement interval mismatch. |
Severity level |
5 |
Example |
DLDP/5/DLDP_AUTHENTICATION_FAILED: The DLDP packet failed the authentication because of unmatched INTERVAL field. |
Explanation |
The packet authentication failed. Possible reasons: · Unmatched authentication type. · Unmatched authentication password. · Unmatched advertisement interval. |
Recommended action |
Verify that the two ends use the same DLDP authentication type, authentication password, and advertisement interval. |
DLDP_LINK_BIDIRECTIONAL
Message text |
DLDP detected a bidirectional link on interface [STRING]. |
Variable fields |
$1: Interface name. |
Severity level |
6 |
Example |
DLDP/6/DLDP_LINK_BIDIRECTIONAL: DLDP detected a bidirectional link on interface GigabitEthernet1/0/1. |
Explanation |
DLDP detected a bidirectional link on an interface. |
Recommended action |
No action is required. |
DLDP_LINK_UNIDIRECTIONAL
Message text |
DLDP detected a unidirectional link on interface [STRING]. [STRING]. |
Variable fields |
$1: Interface name. $2: Action according to the port shutdown mode: ¡ DLDP automatically blocked the interface. ¡ Please manually shut down the interface. |
Severity level |
3 |
Example |
DLDP/3/DLDP_LINK_UNIDIRECTIONAL: DLDP detected a unidirectional link on interface GigabitEthernet1/0/1. DLDP automatically blocked the interface. |
Explanation |
DLDP detected a unidirectional link on an interface. |
Recommended action |
Check for connectivity issues, including incorrect cable connection and cable falloff. |
DLDP_NEIGHBOR_AGED
Message text |
A neighbor on interface [STRING] was deleted because the neighbor was aged. The neighbor's system MAC is [MAC], and the port index is [UINT16]. |
Variable fields |
$1: Interface name. $2: MAC address. $3: Port index. |
Severity level |
5 |
Example |
DLDP/5/DLDP_NEIGHBOR_AGED: A neighbor on interface GigabitEthernet1/0/1 was deleted because the neighbor was aged. The neighbor's system MAC is 000f-e269-5f21, and the port index is 1. |
Explanation |
The interface deleted an aged neighbor. |
Recommended action |
No action is required. |
DLDP_NEIGHBOR_CONFIRMED
Message text |
A neighbor was confirmed on interface [STRING]. The neighbor's system MAC is [MAC], and the port index is [UINT16]. |
Variable fields |
$1: Interface name. $2: MAC address. $3: Port index. |
Severity level |
6 |
Example |
DLDP/6/DLDP_NEIGHBOR_CONFIRMED: A neighbor was confirmed on interface GigabitEthernet1/0/1. The neighbor's system MAC is 000f-e269-5f21, and the port index is 1. |
Explanation |
The interface detected a confirmed neighbor. |
Recommended action |
No action is required. |
DLDP_NEIGHBOR_DELETED
Message text |
A neighbor on interface [STRING] was deleted because a [STRING] packet arrived. The neighbor's system MAC is [MAC], and the port index is [UINT16]. |
Variable fields |
$1: Interface name. $2: Packet type, DISABLE or LINKDOWN. $3: MAC address. $4: Port index. |
Severity level |
5 |
Example |
DLDP/5/DLDP_NEIGHBOR_DELETED: A neighbor on interface GigabitEthernet1/0/1 was deleted because a DISABLE packet arrived. The neighbor's system MAC is 000f-e269-5f21, and the port index is 1. |
Explanation |
The interface deleted a confirmed neighbor because it received a DISABLE or LINKDOWN packet. |
Recommended action |
No action is required. |
DOT1X messages
This section contains 802.1X messages.
DOT1X_LOGIN_FAILURE
Message text |
-IfName=[STRING]-MACAddr=[STRING]-VLANID=[STRING]-Username=[STRING]; User failed 802.1X authentication. |
Variable fields |
$1: Interface type and number. $2: MAC address. $3: VLAN ID. $4: Username. |
Severity level |
6 |
Example |
DOT1X/6/DOT1X_LOGIN_FAILURE:-IfName=GigabitEthernet1/0/4-MACAddr=0010-8400-22b9-VLANID=444-Username=aaa; User failed 802.1X authentication. |
Explanation |
The user failed 802.1X authentication. |
Recommended action |
Locate the failure cause and handle the issue according to the failure cause. |
DOT1X_LOGIN_SUCC
Message text |
-IfName=[STRING]-MACAddr=[STRING]-VLANID=[STRING]-Username=[STRING]; User passed 802.1X authentication and came online. |
Variable fields |
$1: Interface type and number. $2: MAC address. $3: VLAN ID. $4: Username. |
Severity level |
6 |
Example |
DOT1X/6/DOT1X_LOGIN_SUCC:-IfName=GigabitEthernet1/0/4-MACAddr=0010-8400-22b9-VLANID=444-Username=aaa; User passed 802.1X authentication and came online. |
Explanation |
The user passed 802.1X authentication. |
Recommended action |
No action is required. |
DOT1X_LOGOFF
Message text |
-IfName=[STRING]-MACAddr=[STRING]-VLANID=[STRING]-Username=[STRING]-ErrCode=[STRING]; 802.1X user was logged off. |
Variable fields |
$1: Interface type and number. $2: MAC address. $3: VLAN ID. $4: Username. $5: Error code. |
Severity level |
6 |
Example |
DOT1X/6/DOT1X_LOGOFF:-IfName=GigabitEthernet1/0/4-MACAddr=0010-8400-22b9-VLANID=444-Username=aaa-ErrCode=11; 802.1X user was logged off. |
Explanation |
The 802.1X user was logged off. |
Recommended action |
Locate the failure cause and handle the issue according to the failure cause. If the logoff is as requested, no action is required. |
DOT1X_NOTENOUGH_EADFREEIP_RES
Message text |
Failed to assign a rule for free IP [IPADDR] on interface [STRING] due to lack of ACL resources. |
Variable fields |
$1: Free IP. $2: Interface type and number. |
Severity level |
3 |
Example |
DOT1X/3/DOT1X_NOTENOUGH_EADFREEIP_RES: Failed to assign a rule for free IP 1.1.1.0 on interface GigabitEthernet3/1/2 due to lack of ACL resources. |
Explanation |
The device failed to assign an ACL rule to permit a free IP on an interface because of ACL resource shortage. |
Recommended action |
Disable 802.1X on the interface, and then re-enable 802.1X. |
DOT1X_NOTENOUGH_EADFREERULE_RES
Message text |
Failed to assign a rule for permitting DHCP and DNS packets on interface [STRING] due to lack of ACL resources. |
Variable fields |
$1: Interface type and number. |
Severity level |
3 |
Example |
DOT1X/3/DOT1X_NOTENOUGH_EADFREERULE_RES: Failed to assign a rule for permitting DHCP and DNS packets on interface GigabitEthernet3/1/2 due to lack of ACL resources. |
Explanation |
The device failed to assign an ACL rule to permit DHCP and DNS packets on an interface because of ACL resource shortage. |
Recommended action |
Disable 802.1X on the interface, and then re-enable 802.1X. |
DOT1X_NOTENOUGH_EADMACREDIR_RES
Message text |
Failed to assign a rule for redirecting HTTP packets with source MAC address [MAC] on interface [STRING]. |
Variable fields |
$1: Source MAC address of HTTP packets. $2: Interface type and number. |
Severity level |
3 |
Example |
DOT1X/3/DOT1X_NOTENOUGH_EADMACREDIR_RES: Failed to assign a rule for redirecting HTTP packets with source MAC address 00e0-fc00-5915 on interface GigabitEthernet3/1/2. |
Explanation |
The device failed to assign a rule for redirecting HTTP packets with the designated source MAC on an interface because of ACL resource shortage. |
Recommended action |
Disable 802.1X on the interface, and then re-enable 802.1X. |
DOT1X_NOTENOUGH_EADPORTREDIR_RES
Message text |
Failed to assign a rule for redirecting HTTP packets on interface [STRING] due to lack of ACL resources. |
Variable fields |
$1: Interface type and number. |
Severity level |
3 |
Example |
DOT1X/3/DOT1X_NOTENOUGH_EADPORTREDIR_RES: Failed to assign a rule for redirecting HTTP packets on interface GigabitEthernet3/1/2 due to lack of ACL resources. |
Explanation |
The device failed to assign an ACL rule to redirect HTTP packets on an interface because of ACL resource shortage. |
Recommended action |
Disable 802.1X on the interface, and then re-enable 802.1X. |
DOT1X_NOTENOUGH_ENABLEDOT1X_RES
Message text |
Failed to enable 802.1X on interface [STRING] due to lack of ACL resources. |
Variable fields |
$1: Interface type and number. |
Severity level |
3 |
Example |
DOT1X/3/DOT1X_NOTENOUGH_ENABLEDOT1X_RES: Failed to enable 802.1X on interface GigabitEthernet3/1/2 due to lack of ACL resources. |
Explanation |
Failed to enable 802.1X on an interface because of ACL resource shortage. |
Recommended action |
Disable 802.1X on the interface, and then re-enable 802.1X. |
DOT1X_SMARTON_FAILURE
Message text |
-IfName=[STRING]-MACAddr=[STRING]; User failed SmartOn authentication because [STRING]. |
Variable fields |
$1: Interface type and number. $2: MAC address. $3: Cause of failure: ¡ the password is mismatched. ¡ the switch ID is mismatched. |
Severity level |
6 |
Example |
DOT1X/6/DOT1X_SMARTON_FAILURE:-IfName=GigabitEthernet1/0/4-MACAddr=0010-8400-22b9; User failed SmartOn authentication because the password is mismatched. |
Explanation |
SmartOn authentication failed for a specific reason. |
Recommended action |
Handle the issue according to the failure cause. |
DOT1X_UNICAST_NOT_EFFECTIVE
Message text |
The unicast trigger feature is enabled but is not effective on interface [STRING]. |
Variable fields |
$1: Interface type and number. |
Severity level |
3 |
Example |
DOT1X/3/DOT1X_UNICAST_NOT_EFFECTIVE: The unicast trigger feature is enabled but is not effective on interface GigabitEthernet3/1/2. |
Explanation |
The unicast trigger setting does not take effect on an interface, because the interface does not support unicast trigger. |
Recommended action |
1. Reconnect the 802.1X clients to an interface that supports the unicast trigger feature. 2. Enable 802.1X and the unicast trigger feature on the new interface. |
ETHOAM messages
This section contains Ethernet OAM messages.
ETHOAM_CONNECTION_FAIL_DOWN
Message text |
The link is down on port [string] because a remote failure occurred on peer port. |
Variable fields |
$1: Port name. |
Severity level |
5 |
Example |
ETHOAM/5/ETHOAM_OAM_LINK_DOWN: The link is down on port GigabitEthernet1/0/1 because a remote failure occurred on peer port. |
Explanation |
The link went down because a remote failure occurred on the peer port. |
Recommended action |
Check the link status or the OAM status on the peer. |
ETHOAM_CONNECTION_FAIL_TIMEOUT
Message text |
Port [string] removed the OAM connection because it received no Information OAMPDU before the timer times out. |
Variable fields |
$1: Port name. |
Severity level |
5 |
Example |
ETHOAM/5/ETHOAM_CONNECTION_FAIL_TIMEOUT: Port GigabitEthernet1/0/1 removed the OAM connection because it received no Information OAMPDU before the timer times out. |
Explanation |
The port removed the OAM connection because it had not received Information OAMPDUs before the timer timed out. |
Recommended action |
Check the link status or the OAM status on the peer. |
ETHOAM_CONNECTION_FAIL_UNSATISF
Message text |
Port [string] failed to establish an OAM connection because the peer doesn’t match the capacity of the local port. |
Variable fields |
$1: Port name. |
Severity level |
3 |
Example |
ETHOAM/3/ETHOAM_CONNECTION_FAIL_UNSATISF: Port GigabitEthernet1/0/1 failed to establish an OAM connection because the peer doesn’t match the capacity of the local port. |
Explanation |
Failed to establish an OAM connection because the OAM protocol states do not match at the two ends. |
Recommended action |
Check the protocol state field of OAM packets sent by both ends. |
ETHOAM_CONNECTION_SUCCEED
Message text |
An OAM connection is established on port [string]. |
Variable fields |
$1: Port name. |
Severity level |
6 |
Example |
ETHOAM/6/ETHOAM_CONNECTION_SUCCEED: An OAM connection is established on port GigabitEthernet1/0/1. |
Explanation |
An OAM connection was established. |
Recommended action |
No action is required. |
ETHOAM_DISABLE
Message text |
Ethernet OAM is now disabled on port [string]. |
Variable fields |
$1: Port name. |
Severity level |
6 |
Example |
ETHOAM/6/ETHOAM_DISABLE: Ethernet OAM is now disabled on port GigabitEthernet1/0/1. |
Explanation |
Ethernet OAM was disabled. |
Recommended action |
No action is required. |
ETHOAM_DISCOVERY_EXIT
Message text |
OAM port [string] quits OAM connection. |
Variable fields |
$1: Port name. |
Severity level |
5 |
Example |
ETHOAM/5/ ETHOAM_DISCOVERY_EXIT: OAM port GigabitEthernet1/0/1 quits OAM connection. |
Explanation |
The local port ended the OAM connection. |
Recommended action |
No action is required. |
ETHOAM_ENABLE
Message text |
Ethernet OAM is now enabled on port [string]. |
Variable fields |
$1: Port name. |
Severity level |
6 |
Example |
ETHOAM/6/ETHOAM_ENABLE: Ethernet OAM is now enabled on port GigabitEthernet1/0/1. |
Explanation |
Ethernet OAM was enabled. |
Recommended action |
No action is required. |
ETHOAM_ENTER_LOOPBACK_CTRLLED
Message text |
The local OAM entity enters remote loopback as controlled DTE on OAM port [string]. |
Variable fields |
$1: Port name. |
Severity level |
6 |
Example |
ETHOAM/6/ ETHOAM_ENTER_LOOPBACK_CTRLLED: The local OAM entity enters remote loopback as controlled DTE on OAM port GigabitEthernet1/0/1. |
Explanation |
This event occurs when you enable OAM loopback on the peer end. |
Recommended action |
No action is required. |
ETHOAM_ENTER_LOOPBACK_CTRLLING
Message text |
The local OAM entity enters remote loopback as controlling DTE on OAM port [string]. |
Variable fields |
$1: Port name. |
Severity level |
6 |
Example |
ETHOAM/6/ ETHOAM_ENTER_LOOPBACK_CTRLLING: The local OAM entity enters remote loopback as controlling DTE on OAM port GigabitEthernet1/0/1. |
Explanation |
This event occurs when you enable OAM loopback on the port. |
Recommended action |
No action is required. |
ETHOAM_LOCAL_DYING_GASP
Message text |
A local Dying Gasp event has occurred on [string]. |
Variable fields |
$1: Interface name. |
Severity level |
4 |
Example |
ETHOAM/4/ETHOAM_LOCAL_DYING_GASP: A local Dying Gasp event has occurred on GigabitEthernet1/0/1. |
Explanation |
A local Dying Gasp event occurs when you reboot the local device or shut down the interface. |
Recommended action |
Do not use the link until it recovers. |
ETHOAM_LOCAL_ERROR_FRAME
Message text |
An errored frame event occurred on local port [string]. |
Variable fields |
$1: Port name. |
Severity level |
6 |
Example |
ETHOAM/6/ETHOAM_LOCAL_ERROR_FRAME: An errored frame event occurred on local port GigabitEthernet1/0/1. |
Explanation |
An errored frame event occurred on the local port. |
Recommended action |
Check the link. |
ETHOAM_LOCAL_ERROR_FRAME_PERIOD
Message text |
An errored frame period event occurred on local port [string]. |
Variable fields |
$1: Port name. |
Severity level |
6 |
Example |
ETHOAM/6/ETHOAM_LOCAL_ERROR_FRAME_PERIOD: An errored frame period event occurred on local port GigabitEthernet1/0/1. |
Explanation |
An errored frame period event occurred on the local port. |
Recommended action |
Check the link. |
ETHOAM_LOCAL_ERROR_FRAME_SECOND
Message text |
An errored frame seconds event occurred on local port [string]. |
Variable fields |
$1: Port name. |
Severity level |
6 |
Example |
ETHOAM/6/ETHOAM_LOCAL_ERROR_FRAME_SECOND: An errored frame seconds event occurred on local port GigabitEthernet1/0/1. |
Explanation |
An errored frame seconds event occurred on the local port. |
Recommended action |
Check the link. |
ETHOAM_LOCAL_LINK_FAULT
Message text |
A local Link Fault event occurred on [string]. |
Variable fields |
$1: Port name. |
Severity level |
4 |
Example |
ETHOAM/4/ETHOAM_LOCAL_LINK_FAULT: A local Link Fault event occurred on GigabitEthernet1/0/1. |
Explanation |
This event occurs when the local link goes down. |
Recommended action |
Re-connect the Rx end of the fiber on the local port. |
ETHOAM_LOOPBACK_EXIT
Message text |
OAM port [string] quits remote loopback. |
Variable fields |
$1: Port name. |
Severity level |
4 |
Example |
ETHOAM/4/ETHOAM_LOOPBACK_EXIT: OAM port GigabitEthernet1/0/1 quits remote loopback. |
Explanation |
The OAM port ended remote loopback after remote loopback was disabled on the port and the OAM connection was torn down. |
Recommended action |
No action is required. |
ETHOAM_LOOPBACK_EXIT_ERROR_STATU
Message text |
OAM port [string] quits remote loopback due to incorrect multiplexer or parser status. |
Variable fields |
$1: Port name. |
Severity level |
6 |
Example |
ETHOAM/6/ETHOAM_LOOPBACK_EXIT_ERROR_STATU: OAM port GigabitEthernet1/0/1 quits remote loopback due to incorrect multiplexer or parser status. |
Explanation |
OAM port GigabitEthernet1/0/1 ended remote loopback due to incorrect multiplexer or parser status. |
Recommended action |
Disable, and then re-enable Ethernet OAM on the OAM entity. |
ETHOAM_LOOPBACK_NO_RESOURCE
Message text |
OAM port [string] can’t enter remote loopback due to insufficient resources. |
Variable fields |
$1: Port name. |
Severity level |
4 |
Example |
ETHOAM/4/ETHOAM_LOOPBACK_NO_RESOURCE: OAM port GigabitEthernet1/0/1 can’t enter remote loopback due to insufficient resources. |
Explanation |
The OAM port cannot enter remote loopback due to insufficient resources when you execute the oam remote-loopback start command on the local or remote OAM entity. |
Recommended action |
Release the resources, and then execute the oam remote-loopback start command again. |
ETHOAM_LOOPBACK_NOT_SUPPORT
Message text |
OAM port [string] can’t enter remote loopback because the operation is not supported. |
Variable fields |
$1: Port name. |
Severity level |
4 |
Example |
ETHOAM/4/ETHOAM_LOOPBACK_NOT_SUPPORT: OAM port GigabitEthernet1/0/1 can't enter remote loopback because the operation is not supported. |
Explanation |
The OAM port cannot enter remote loopback because the operation is not supported on the device. |
Recommended action |
No action is required. |
ETHOAM_QUIT_LOOPBACK_CTRLLED
Message text |
The local OAM entity quits remote loopback as controlled DTE on OAM port [string]. |
Variable fields |
$1: Port name. |
Severity level |
6 |
Example |
ETHOAM/6/ ETHOAM_QUIT_LOOPBACK_CTRLLED: The local OAM entity quits remote loopback as controlled DTE on OAM port GigabitEthernet1/0/1. |
Explanation |
The local OAM entity ended remote loopback as controlled DTE after you disabled OAM loopback on the peer end. |
Recommended action |
No action is required. |
ETHOAM_QUIT_LOOPBACK_CTRLLING
Message text |
The local OAM entity quits remote loopback as controlling DTE on OAM port [string]. |
Variable fields |
$1: Port name. |
Severity level |
6 |
Example |
ETHOAM/6/ETHOAM_QUIT_LOOPBACK_CONTROLLING: The local OAM entity quits remote loopback as controlling DTE on OAM port GigabitEthernet1/0/1. |
Explanation |
The local OAM entity ended remote loopback as controlling DTE after you disabled OAM loopback on the port. |
Recommended action |
No action is required. |
ETHOAM_REMOTE_CRITICAL
Message text |
A remote Critical event occurred on [string]. |
Variable fields |
$1: Port name. |
Severity level |
4 |
Example |
ETHOAM/4/ETHOAM_REMOTE_CRITICAL: A remote Critical event occurred on GigabitEthernet1/0/1. |
Explanation |
A remote critical event occurred. |
Recommended action |
Do not use the link until it recovers. |
ETHOAM_REMOTE_DYING_GASP
Message text |
A remote Dying Gasp event occurred on [string]. |
Variable fields |
$1: Port name. |
Severity level |
4 |
Example |
ETHOAM/4/ETHOAM_REMOTE_DYING_GASP: A remote Dying Gasp event occurred on GigabitEthernet1/0/1. |
Explanation |
This event occurs when you reboot the remote device and shut down the port. |
Recommended action |
Do not use this link until it recovers. |
ETHOAM_REMOTE_ERROR_FRAME
Message text |
An errored frame event occurred on the peer port [string]. |
Variable fields |
$1: Port name. |
Severity level |
6 |
Example |
ETHOAM/6/ETHOAM_REMOTE_ERROR_FRAME: An errored frame event occurred on the peer port GigabitEthernet1/0/1. |
Explanation |
An errored frame event occurred on the peer. |
Recommended action |
Check the link. |
ETHOAM_REMOTE_ERROR_FRAME_PERIOD
Message text |
An errored frame period event occurred on the peer port [string]. |
Variable fields |
$1: Port name. |
Severity level |
6 |
Example |
ETHOAM/6/ETHOAM_REMOTE_ERROR_FRAME_PERIOD: An errored frame period event occurred on the peer port GigabitEthernet1/0/1. |
Explanation |
An errored frame period event occurred on the peer port. |
Recommended action |
Check the link. |
ETHOAM_REMOTE_ERROR_FRAME_SECOND
Message text |
An errored frame seconds event occurred on the peer port [string]. |
Variable fields |
$1: Port name. |
Severity level |
6 |
Example |
ETHOAM/6/ETHOAM_REMOTE_ERROR_FRAME_SECOND: An errored frame seconds event occurred on the peer port GigabitEthernet1/0/1. |
Explanation |
An errored frame seconds event occurred on the peer. |
Recommended action |
Check the link. |
ETHOAM_REMOTE_ERROR_SYMBOL
Message text |
An errored symbol event occurred on the peer port [string]. |
Variable fields |
$1: Port name. |
Severity level |
6 |
Example |
ETHOAM/6/ETHOAM_REMOTE_ERROR_SYMBOL: An errored symbol event occurred on the peer port GigabitEthernet1/0/1. |
Explanation |
An errored symbol event occurred on the peer. |
Recommended action |
Check the link. |
ETHOAM_REMOTE_EXIT
Message text |
OAM port [string] quits OAM connection because Ethernet OAM is disabled on the peer port. |
Variable fields |
$1: Port name. |
Severity level |
5 |
Example |
ETHOAM/5/ ETHOAM_REMOTE_EXIT: OAM port GigabitEthernet1/0/1 quits OAM connection because Ethernet OAM is disabled on the peer port. |
Explanation |
The local port ended the OAM connection because Ethernet OAM was disabled on the peer port. |
Recommended action |
No action is required. |
ETHOAM_REMOTE_FAILURE_RECOVER
Message text |
Peer port [string] recovered. |
Variable fields |
$1: Port name. |
Severity level |
5 |
Example |
ETHOAM/5/ ETHOAM_REMOTE_FAILURE_RECOVER: Peer port GigabitEthernet1/0/1 recovered. |
Explanation |
The Link fault was cleared from the peer port and the OAM connection was restored. |
Recommended action |
No action is required. |
ETHOAM_REMOTE_LINK_FAULT
Message text |
A remote Link Fault event occurred on [string]. |
Variable fields |
$1: Port name. |
Severity level |
4 |
Example |
ETHOAM/4/ETHOAM_REMOTE_LINK_FAULT: A remote Link Fault event occurred on GigabitEthernet1/0/1. |
Explanation |
The remote link went down. |
Recommended action |
Reconnect the Rx end of the fiber on the remote port. |
ETHOAM_NO_ENOUGH_RESOURCE
Message text |
OAM port [string] the configuration failed because of insufficient hardware resources. |
Variable fields |
$1: Port name. |
Severity level |
4 |
Example |
ETHOAM/4/ ETHOAM_NO_ENOUGH_RESOURCE: GigabitEthernet1/0/1 the configuration failed because of insufficient hardware resources. |
Explanation |
The configuration failed on the OAM port because of insufficient hardware resources. |
Recommended action |
Release the resources, and execute the command again. |
ETHOAM_NOT_CONNECTION_TIMEOUT
Message text |
Port [string] quits Ethernet OAM because it received no Information OAMPDU before the timer times out. |
Variable fields |
$1: Port name. |
Severity level |
5 |
Example |
ETHOAM/5/ ETHOAM_NOT_CONNECTION_TIMEOUT: Port GigabitEthernet1/0/1 quits Ethernet OAM because it received no Information OAMPDU before the timer times out. |
Explanation |
The local port ended Ethernet OAM because it had not received Information OAMPDUs before the timer timed out. |
Recommended action |
Check the link status or the OAM status on the peer. |
EVB messages
This section contains EVB messages.
EVB_AGG_FAILED
Message text |
Remove the port [STRING] from the aggregation group [STRING]. Otherwise, the EVB feature does not take effect. |
Variable fields |
$1: Port name. $2: Aggregate interface name. |
Severity level |
6 |
Example |
EVB/6/EVB_AGG_FAILED: Remove the port GigabitEthernet1/0/5 from the aggregation group Bridge-Aggregation5. Otherwise, the EVB feature does not take effect. |
Explanation |
The EVB bridge failed to process a port in an aggregation group. |
Recommended action |
Remove the port from the aggregation group. |
EVB_VSI_OFFLINE
Message text |
VSI [STRING] went offline. |
Variable fields |
$1: VSI name. |
Severity level |
6 |
Example |
EVB/6/EVB_VSI_OFFLINE: VSI Schannel-Aggregation1:2.0 went offline. |
Explanation |
The VSI interface was deleted. This event occurs in the following situations: · The EVB bridge receives a VDP packet from the EVB station. · The EVB bridge has not received an acknowledgement after a VDP packet times out. |
Recommended action |
No action is required. |
EVB_VSI_ONLINE
Message text |
VSI [STRING] came online, status is [STRING]. |
Variable fields |
$1: VSI name. $2: VSI status. |
Severity level |
6 |
Example |
EVB/6/EVB_VSI_ONLINE: VSI Schannel-Aggregation1:2.0 came online, status is association. |
Explanation |
The EVB bridge received a VDP packet and created a VSI successfully. |
Recommended action |
No action is required. |
EVB_WARNING_NO_LICENSE
Message text |
License of the [STRING] feature will be expired in [UINT32] days. Install a permanent license. |
Variable fields |
$1: Feature name. $2: Validity period of the license. |
Severity level |
6 |
Example |
EVB/6/EVB_WARNING_NO_LICENSE: License of the EVB feature will be expired in 15 days. Install a permanent license. |
Explanation |
The EVB license on an MPU is about to expire. |
Recommended action |
Renew the license. |
EVIISIS messages
This section contains EVI IS-IS messages.
Message text |
The EVIISIS feature has [STRING] license. |
Variable fields |
$1: License state: ¡ available—A valid license was found. ¡ no available—The current license became invalid, or no valid license was found. |
Severity level |
5 |
Example |
EVIISIS/5/EVIISIS_LICENSE: The EVIISIS feature has available license. |
Explanation |
This message is generated when EVI IS-IS license status changes. For example, an EVI IS-IS license is installed or becomes invalid. |
Recommended action |
Install a valid EVI IS-IS license if the current EVI IS-IS license is invalid or no license is available. |
EVIISIS_LICENSE_EXPIRED
Message text |
The EVIISIS feature is being disabled, because its license has expired. |
Variable fields |
N/A |
Severity level |
3 |
Example |
EVIISIS/3/EVIISIS_LICENSE_EXPIRED: The EVIISIS feature is being disabled, because its license has expired. |
Explanation |
The EVI IS-IS license has expired. |
Recommended action |
Install a valid license for EVI IS-IS. |
EVIISIS_LICENSE_EXPIRED_TIME
Message text |
The EVIISIS feature will be disabled in [ULONG] days. |
Variable fields |
$1: Available period of the feature. |
Severity level |
5 |
Example |
EVIISIS/5/EVIISIS_LICENSE_EXPIRED_TIME: The EVIISIS feature will be disabled in 2 days. |
Explanation |
EVI IS-IS will be disabled because no EVI IS-IS license is available. After an active/standby MPU switchover, you can use EVI IS-IS only for 30 days if the new active MPU does not have an EVI IS-IS license. |
Recommended action |
Install a new license. |
EVIISIS_LICENSE_UNAVAILABLE
Message text |
The EVIISIS feature has no available license. |
Variable fields |
N/A |
Severity level |
3 |
Example |
EVIISIS/3/EVIISIS_LICENSE_UNAVAILABLE: The EVIISIS feature has no available license. |
Explanation |
No license was found for EVI IS-IS when the EVI IS-IS process started. |
Recommended action |
Install a valid license for EVI IS-IS. |
EVIISIS_MEM_ALERT
Message text |
EVIISIS process receive system memory alert [STRING] event. |
Variable fields |
$1: Type of the memory alert. |
Severity level |
5 |
Example |
EVIISIS/5/EVIISIS_MEM_ALERT: EVIISIS process receive system memory alert start event. |
Explanation |
EVI IS-IS received a memory alarm. |
Recommended action |
Check the system memory. |
EVIISIS_NBR_CHG
Message text |
EVIISIS [UINT32], [STRING] adjacency [STRING] ([STRING]), state change to: [STRING]. |
Variable fields |
$1: EVI IS-IS process ID. $2: EVI IS-IS neighbor level. $3: Neighbor system ID. $4: Interface name. $5: Current adjacency state. |
Severity level |
5 |
Example |
EVIISIS/5/EVIISIS_NBR_CHG: EVIISIS 1, Level-1 adjacency 0011.2200.1501 (Evi-Link0), state change to: down. |
Explanation |
The EVI IS-IS adjacency state changed on an interface. |
Recommended action |
If the adjacency with a neighbor changes to down or initializing on an interface, check for EVI IS-IS configuration errors and loss of network connectivity. |
FILTER messages
This section contains filter messages.
FILTER_EXECUTION_ICMP
Message text |
RcvIfName(1023)=[STRING];Direction(1070)=[STRING];AclType(1067)=[STRING];Acl(1068)=[STRING];Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPADDR];DstIPAddr(1007)=[IPADDR];IcmpType(1062)=[STRING]([UINT16]);IcmpCode(1063)=[UINT16];MatchAclCount(1069)=[UINT32];Event(1048)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Direction. $3: ACL type. $4: ACL number or name. $5: Layer 4 protocol name. $6: Source IP address. $7: Destination IP address. $8: ICMP message type. $9: ICMP message code. $10: Match count. $11: Event information. |
Severity level |
6 |
Example |
FILTER/6/FILTER_EXECUTION_ICMP: RcvIfName(1023)=GigabitEthernet2/0/2;Direction(1067)=inbound;AclType(1064)=ACL;Acl(1065)=3000;Protocol(1001)=ICMP;SrcIPAddr(1003)=100.1.1.1;DstIPAddr(1007)=200.1.1.1;IcmpType(1059)=Echo(8);IcmpCode(1060)=0;MatchAclCount(1066)=1000;Event(1048)=Permit; |
Explanation |
ICMP packets matched the packet filter. This message is sent when the first ICMP packet of a flow matches the packet filter, and it will be sent regularly for the flow. |
Recommended action |
No action is required. |
FILTER_EXECUTION_ICMPV6
Message text |
RcvIfName(1023)=[STRING];Direction(1070)=[STRING];AclType(1067)=[STRING];Acl(1068)=[STRING];Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[IPADDR];DstIPv6Addr(1037)=[IPADDR];Icmpv6Type(1064)=[STRING]([UINT16]);Icmpv6Code(1065)=[UINT16];MatchAclCount(1069)=[UINT32];Event(1048)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Direction. $3: ACL type. $4: ACL number or name. $5: Layer 4 protocol name. $6: Source IPv6 address. $7: Destination IPv6 address. $8: ICMPv6 message type. $9: ICMPv6 message code. $10: Match count. $11: Event information. |
Severity level |
6 |
Example |
FILTER/6/FILTER_EXECUTION_ICMPV6: RcvIfName(1023)=GigabitEthernet2/0/2;Direction(1067)=inbound;AclType(1064)=ACL;Acl(1065)=3000;Protocol(1001)=ICMPV6;SrcIPv6Addr(1036)=2001::1;DstIPv6Addr(1037)=3001::1;Icmpv6Type(1064)=Echo(128);Icmpv6Code(1065)=0;MatchAclCount(1066)=1000;Event(1048)=Permit; |
Explanation |
ICMPv6 packets matched the packet filter. This message is sent when the first ICMPv6 packet of a flow matches the packet filter, and it will be sent regularly for the flow. |
Recommended action |
No action is required. |
FILTER_IPV4_EXECUTION
Message text |
RcvIfName(1023)=[STRING];Direction(1070)=[STRING];AclType(1067)=[STRING];Acl(1068)=[STRING];Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPADDR];SrcPort(1004)=[UINT16];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];MatchAclCount(1069)=[UINT32];Event(1048)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Direction. $3: ACL type. $4: ACL number or name. $5: Layer 4 protocol name. $6: Source IP address. $7: Source port. $8: Destination IP address. $9: Destination port number. $10: Match count. $11: Event information. |
Severity level |
6 |
Example |
FILTER/6/FILTER_IPV4_EXECUTION: RcvIfName(1023)=GigabitEthernet2/0/2;Direction(1070)=inbound;AclType(1067)=ACL;Acl(1068)=3000;Protocol(1001)=TCP;SrcIPAddr(1003)=100.1.1.1;SrcPort(1004)=1025;DstIPAddr(1007)=200.1.1.1;DstPort(1008)=1026;MatchAclCount(1069)=1000;Event(1048)=Permit; |
Explanation |
Packets other than ICMP packets matched the packet filter. This message is sent when the first packet of a flow matches the packet filter, and it will be sent regularly for the flow. |
Recommended action |
No action is required. |
FILTER_IPV6_EXECUTION
Message text |
RcvIfName(1023)=[STRING];Direction(1070)=[STRING];AclType(1067)=[STRING];Acl(1068)=[STRING];Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[IPADDR];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];MatchAclCount(1069)=[UINT32];Event(1048)=[STRING]; |
Variable fields |
$1: Receiving interface name. $2: Direction. $3: ACL type. $4: ACL number or name. $5: Layer 4 protocol name. $6: Source IPv6 address. $7: Source port number. $8: Destination IPv6 address. $9: Destination port number. $10: Match count. $11: Event information. |
Severity level |
6 |
Example |
FILTER/6/FILTER_IPV6_EXECUTION: RcvIfName(1023)=GigabitEthernet2/0/2;Direction(1070)=inbound;AclType(1067)=ACL;Acl(1068)=3000;Protocol(1001)=TCP;SrcIPv6Addr(1036)=2001::1;SrcPort(1004)=1025;DstIPv6Addr(1037)=3001::1;DstPort(1008)=1026;MatchAclCount(1069)=1000;Event(1048)=Permit; |
Explanation |
IPv6 packets other than ICMPv6 packets matched the packet filter. This message is sent when the first IPv6 packet of a flow matches the packet filter, and it will be sent regularly for the flow. |
Recommended action |
No action is required. |
FCOE messages
This section contains FCoE messages.
FCOE_INTERFACE_NOTSUPPORT_FCOE
Message text |
Because the aggregate interface [STRING] has been bound to a VFC interface, assigning the interface [STRING] that does not support FCoE to the aggregate interface will cause incorrect processing. |
Variable fields |
$1: Aggregate interface name. $2: Ethernet interface name. |
Severity level |
4 |
Example |
FCOE/4/FCOE_INTERFACE_NOTSUPPORT_FCOE: Because the aggregate interface Bridge-Aggregation 1 has been bound to a VFC interface, assigning the interface Ten-GigabitEthernet 2/0/1 that does not support FCoE to the aggregate interface will cause incorrect processing. |
Explanation |
This message is generated when an interface that does not support FCoE is assigned to an aggregate interface that has been bound to a VFC interface. |
Recommended action |
Assign an interface that supports FCoE to the aggregate interface, or remove the binding from the VFC interface. |
FCOE_LAGG_BIND_ACTIVE
Message text |
The binding between aggregate interface [STRING] and the VFC interface takes effect again, because the member port is unbound from its bound VFC interface or removed from the aggregate interface. |
Variable fields |
$1: Aggregate interface name. |
Severity level |
4 |
Example |
FCOE/4/FCOE_LAGG_BIND_ACTIVE: The binding between aggregate interface Bridge-Aggregation1 and the VFC interface takes effect again, because the member port is unbound from its bound VFC interface or removed from the aggregate interface. |
Explanation |
The binding between an aggregate interface and a VFC interface takes effect, because a member port of the aggregate interface was unbound from its bound VFC interface or removed from the aggregate interface. |
Recommended action |
No action is required. |
FCOE_LAGG_BIND_DEACTIVE
Message text |
The binding between aggregate interface [STRING] and the VFC interface is no longer in effect, because the new member port has been bound to a VFC interface. |
Variable fields |
$1: Aggregate interface name. |
Severity level |
4 |
Example |
FCOE/4/FCOE_LAGG_BIND_DEACTIVE: The binding between aggregate interface Bridge-Aggregation1 and the VFC interface is no longer in effect, because the new member port has been bound to a VFC interface. |
Explanation |
The binding between an aggregate interface and a VFC interface is no longer in effect, because a member port of the aggregate interface was bound to a VFC interface. |
Recommended action |
No action is required. |
FCOE_LICENSE_ERROR
Message text |
No license is found for FCoE. |
Variable fields |
N/A |
Severity level |
3 |
Example |
FCOE/3/FCOE_LICENSE_ERROR: No license is found for FCoE. |
Explanation |
No license is found for FCoE. |
Recommended action |
Install a license for FCoE. |
FCOE_LICENSE_EXPIRED_EXIT
Message text |
FCoE is unavailable because its license has expired. |
Variable fields |
N/A |
Severity level |
3 |
Example |
FCOE/3/FCOE_LICENSE_EXPIRED_EXIT: FCoE is unavailable because its license has expired. |
Explanation |
The FCoE license has expired. |
Recommended action |
Install a valid license for FCoE. |
FCOE_LICENSE_EXPIRED_TIME
Message text |
FCoE will become unavailable in [ULONG] days. |
Variable fields |
$1: Available period of the feature. |
Severity level |
4 |
Example |
FCOE/4/FCOE_LICENSE_EXPIRED_TIME: FCoE will become unavailable in 2 days. |
Explanation |
FCoE will be disabled because the FCoE license has expired. You can use FCoE for 30 days after the license is expired. |
Recommended action |
Install a new license. |
FCLINK messages
This section contains FC link messages.
FCLINK_FDISC_REJECT_NORESOURCE
Message text |
VSAN [UINT16], Interface [STRING]: An FDISC was rejected because the hardware resource is not enough. |
Variable fields |
$1: VSAN ID. $2: Interface name. |
Severity level |
4 |
Example |
FCLINK/4/FCLINK_FDISC_REJECT_NORESOURCE: VSAN 1, Interface FC2/0/1: An FDISC was rejected because the hardware resource is not enough. |
Explanation |
This event occurs if an FDISC packet is received when hardware resources are insufficient. |
Recommended action |
Reduce the number of nodes. |
FCLINK_FLOGI_REJECT_NORESOURCE
Message text |
VSAN [UINT16], Interface [STRING]: An FLOGI was rejected because the hardware resource is not enough. |
Variable fields |
$1: VSAN ID. $2: Interface name. |
Severity level |
4 |
Example |
FCLINK/4/FCLINK_FLOGI_REJECT_NORESOURCE: VSAN 1, Interface FC2/0/1: An FLOGI was rejected because the hardware resource is not enough. |
Explanation |
This event occurs if an FLOGI packet is received when hardware resources are insufficient. |
Recommended action |
Reduce the number of nodes. |
FCZONE messages
This section contains FC zone messages.
FCZONE_HARDZONE_DISABLED
Message text |
VSAN [UINT16]: No enough hardware resource for zone rule, switched to soft zoning. |
Variable fields |
$1: VSAN ID. |
Severity level |
2 |
Example |
FCZONE/2/FCZONE_HARDZONE_DISABLED: VSAN 2: No enough hardware resource for zone rule, switched to soft zoning. |
Explanation |
This event occurs when hardware resources are insufficient. |
Recommended action |
Activate a smaller zone set. |
FCZONE_HARDZONE_ENABLED
Message text |
VSAN [UINT16]: Hardware resource for zone rule is restored, switched to hard zoning. |
Variable fields |
$1: VSAN ID. |
Severity level |
1 |
Example |
FCZONE/1/FCZONE_HARDZONE_ENABLED: VSAN 2: Hardware resource for zone rule is restored, switched to hard zoning. |
Explanation |
Hard zoning in the VSAN was enabled because hardware resources were restored. |
Recommended action |
No action is required. |
FIPS messages
This section contains FIP snooping messages.
FCOE_FIPS_HARD_RESOURCE_NOENOUGH
Message text |
No enough hardware resource for FIP Snooping rule. |
Variable fields |
N/A |
Severity level |
4 |
Example |
FIPS/4/FCOE_FIPS_HARD_RESOURCE_NOENOUGH: No enough hardware resource for FIP Snooping rule. |
Explanation |
This message is generated if hardware resources are insufficient. |
Recommended action |
No action is required. |
FCOE_FIPS_HARD_RESOURCE_RESTORE
Message text |
Hardware resource for FIP Snooping rule is restored. |
Variable fields |
N/A |
Severity level |
6 |
Example |
FIPS/6/FCOE_FIPS_HARD_RESOURCE_RESTORE: Hardware resource for FIP Snooping is restored. |
Explanation |
This message is generated when hardware resources for FIP snooping rules are restored. |
Recommended action |
No action is required. |
FTPD messages
This section contains FTP messages.
FTPD_REACH_SESSION_LIMIT
Message text |
FTP client [IPADDR] failed to log in. Number of FTP sessions reached the limit. |
Variable fields |
$1: IP address of an FTP client. |
Severity level |
6 |
Example |
FTPD/6/FTPD_REACH_SESSION_LIMIT: FTP client 1.1.1.1 failed to log in. Number of FTP sessions reached the limit. |
Explanation |
Number of online FTP users already reached the limit. |
Recommended action |
No action is required. |
FTPD_AUTHOR_FAILED
Message text |
Authorization failed for user [STRING]@[STRING]. |
Variable fields |
$1: Username. $2: User IP address. |
Severity level |
6 |
Example |
FTPD/6/FTPD_AUTHOR_FAILED: Authorization failed for user admin@10.11.115.63. |
Explanation |
Authorization failed for an FTP user. |
Recommended action |
Verify that the FTP service is assigned to the user. |
HA messages
This section contains HA messages.
HA_BATCHBACKUP_FINISHED
Message text |
Batch backup of standby board in [STRING] is finished. |
Variable fields |
$1: MPU location. |
Severity level |
5 |
Example |
HA/5/HA_BATCHBACKUP_FINISHED: Batch backup of standby board in chassis 0 slot 1 is finished. |
Explanation |
Batch backup from the active MPU to the standby MPU was finished. |
Recommended action |
No action is required. |
HA_BATCHBACKUP_STARTED
Message text |
Batch backup(s) of standby board(s) in [STRING] started. |
Variable fields |
$1: MPU location. |
Severity level |
5 |
Example |
HA/5/HA_BATCHBACKUP_STARTED: Batch backup(s) of standby board(s) in chassis 0 slot 1 started. |
Explanation |
Batch backup from the active MPU to the standby MPU started. |
Recommended action |
No action is required. |
HA_STANDBY_NOT_READY
Message text |
Standby board in [STRING] is not ready, reboot ... |
Variable fields |
$1: MPU location. |
Severity level |
4 |
Example |
HA/4/HA_STANDBY_NOT_READY: Standby board in chassis 0 slot 1 is not ready, reboot ... |
Explanation |
Both the active and standby MPUs were rebooted. This event occurs if you perform an active/standby switchover while the standby MPU is backing up the configuration in bulk. |
Recommended action |
Do not perform an active/standby switchover before the standby MPU completes the batch backup. |
HA_STANDBY_TO_MASTER
Message text |
Standby board in [STRING] changes to master. |
Variable fields |
$1: MPU location. |
Severity level |
5 |
Example |
HA/5/HA_STANDBY_TO_MASTER: Standby board in chassis 0 slot 1 changes to master. |
Explanation |
The standby MPU changed to active. |
Recommended action |
No action is required. |
HTTPD messages
This section contains HTTP daemon messages.
HTTPD_CONNECT
Message text |
[STRING] client [STRING] connected to the server successfully. |
Variable fields |
$1: Connection type, HTTP or HTTPS. $2: Client IP address. |
Severity level |
6 |
Example |
HTTPD/6/HTTPD_CONNECT: HTTP client 192.168.30.117 connected to the server successfully. |
Explanation |
The HTTP or HTTPS server accepted the request from a client. The HTTP or HTTPS connection was set up. |
Recommended action |
No action is required. |
HTTPD_CONNECT_TIMEOUT
Message text |
[STRING] client [STRING] connection idle timeout. |
Variable fields |
$1: Connection type, HTTP or HTTPS. $2: Client IP address. |
Severity level |
6 |
Example |
HTTPD/6/HTTPD_CONNECT_TIMEOUT: HTTP client 192.168.30.117 connection to server idle timeout. |
Explanation |
An HTTP or HTTPS connection was disconnected because its idle timeout timer expired. |
Recommended action |
No action is required. |
HTTPD_DISCONNECT
Message text |
[STRING] client [STRING] disconnected from the server. |
Variable fields |
$1: Connection type, HTTP or HTTPS. $2: Client IP address. |
Severity level |
6 |
Example |
HTTPD/6/HTTPD_DISCONNECT: HTTP client 192.168.30.117 disconnected from the server. |
Explanation |
An HTTP or HTTPS client was disconnected from the server. |
Recommended action |
No action is required. |
HTTPD_FAIL_FOR_ACL
Message text |
[STRING] client [STRING] failed the ACL check and could not connect to the server. |
Variable fields |
$1: Connection type, HTTP or HTTPS. $2: Client IP address. |
Severity level |
6 |
Example |
HTTPD/6/HTTPD_FAIL_FOR_ACL: HTTP client 192.168.30.117 failed the ACL check and cannot connect to the server. |
Explanation |
An HTTP or HTTPS client was filtered by the ACL. |
Recommended action |
No action is required. |
HTTPD_FAIL_FOR_ACP
Message text |
[STRING] client [STRING] was denied by the certificate access control policy and could not connect to the server. |
Variable fields |
$1: Connection type, HTTP or HTTPS. $2: Client IP address. |
Severity level |
6 |
Example |
HTTPD/6/HTTPD_FAIL_FOR_ACP: HTTP client 192.168.30.117 was denied by the certificate attribute access control policy and could not connect to the server. |
Explanation |
An HTTP or HTTPS client was denied by the certificate access control policy. |
Recommended action |
No action is required. |
HTTPD_REACH_CONNECT_LIMIT
Message text |
[STRING] client [STRING] failed to connect to the server, because the number of connections reached the upper limit. |
Variable fields |
$1: Connection type, HTTP or HTTPS. $2: Client IP address. |
Severity level |
6 |
Example |
HTTPD/6/HTTPD_REACH_CONNECT_LIMIT: HTTP client 192.168.30.117 failed to connect to the server, because the number of connections reached the upper limit. |
Explanation |
The number of connections reached the limit. |
Recommended action |
No action is required. |
IFNET messages
This section contains interface management messages.
IF_BUFFER_CONGESTION_OCCURRENCE
Message text |
[STRING] congestion occurs on queue [UINT32] of [STRING]. |
Variable fields |
$1: Buffer type, ingress or egress. $2: Queue ID in the range of 0 to 7. $3: Interface name. |
Severity level |
4 |
Example |
IFNET/4/IF_BUFFER_CONGESTION_OCCURRENCE: Ingress congestion occurs on queue 1 of GigabitEthernet 1/0/1. |
Explanation |
Congestion occurred in the ingress buffer for queue 1 on GigabitEthernet 1/0/1. |
Recommended action |
Check the network status. |
IFNET_MAD
Message text |
Multi-active devices detected, please fix it. |
Variable fields |
N/A |
Severity level |
1 |
Example |
IFNET/1/IFNET_MAD: Multi-active devices detected, please fix it. |
Explanation |
MAD detected multiple identical active IRF fabrics. This message appears when an IRF fabric splits. |
Recommended action |
Check the IRF connections for a link failure, and use the IRF configuration guide as a reference to merge the split IRF fabrics. |
INTERFACE_INSERTED
Message text |
Interface [STRING] is inserted. |
Variable fields |
$1: Interface name. |
Severity level |
6 |
Example |
IFNET/6/INTERFACE_INSERTED: Interface GigabitEthernet1/0/1 is inserted. |
Explanation |
An interface was added. |
Recommended action |
No action is required. |
INTERFACE_REMOVED
Message text |
Interface [STRING] is removed. |
Variable fields |
$1: Interface name. |
Severity level |
6 |
Example |
IFNET/6/INTERFACE_REMOVED: Interface GigabitEthernet1/0/1 is removed. |
Explanation |
An interface was removed. |
Recommended action |
No action is required. |
LINK_UPDOWN
Message text |
Line protocol on the interface [STRING] is [STRING]. |
Variable fields |
$1: Interface name. $2: State of link layer protocol. |
Severity level |
5 |
Example |
IFNET/5/LINK_UPDOWN: Line protocol on the interface GigabitEthernet1/0/1 is down. |
Explanation |
The state of the link layer protocol changed on an interface. |
Recommended action |
No action is required. |
PHY_UPDOWN
Message text |
[STRING]: link status is [STRING]. |
Variable fields |
$1: Interface name. $2: Link state. |
Severity level |
3 |
Example |
IFNET/3/PHY_UPDOWN: GigabitEthernet1/0/1: link status is down. |
Explanation |
The link state changed on an interface. |
Recommended action |
No action is required. |
PROTOCOL_UPDOWN
Message text |
Protocol [STRING] on the interface [STRING] is [STRING]. |
Variable fields |
$1: Protocol name. $2: Interface name. $3: Protocol state. |
Severity level |
5 |
Example |
IFNET/5/PROTOCOL_UPDOWN: Protocol IPX on the interface GigabitEthernet1/0/1 is up. |
Explanation |
The state of a protocol changed on an interface. |
Recommended action |
No action is required. |
VLAN_MODE_CHANGE
Message text |
Dynamic VLAN [INT32] has changed to a static VLAN. |
Variable fields |
$1: VLAN ID. |
Severity level |
5 |
Example |
IFNET/5/VLAN_MODE_CHANGE: Dynamic VLAN 20 has changed to a static VLAN. |
Explanation |
Creating a VLAN interface for a VLAN cause the dynamic VLAN to become a static VLAN. |
Recommended action |
No action is required. |
IKE messages
This section contains IKE messages.
IKE_P1_SA_ESTABLISH_FAIL
Message text |
Failed to establish phase 1 SA for the reason of [STRING]. The SA’s source address is [STRING], and its destination address is [STRING]. |
Variable fields |
$1: no matching proposal | invalid ID information | unavailable certificate | unsupported DOI | unsupported situation | invalid proposal syntax | invalid SPI | invalid protocol ID | invalid certificate | authentication failure | invalid message header | invalid transform ID | malformed payload | retransmission timeout | incorrect configuration. $2: Source address. $3: Destination address. |
Severity level |
6 |
Example |
IKE/6/IKE_P1_SA_ESTABLISH_FAIL: Failed to establish phase 1 SA for the reason of no matching proposal. The SA’s source address is 1.1.1.1 and its destination address is 2.2.2.2. |
Explanation |
An IKE SA was not established because of the displayed reason. |
Recommended action |
Check the IKE configuration on the local and remote devices. |
IKE_P2_SA_ESTABLISH_FAIL
Message text |
Failed to establish phase 2 SA for the reason of [STRING]. The SA’s source address is [STRING], and its destination address is [STRING]. |
Variable fields |
$1: invalid key information | invalid ID information | unavailable proposal | unsupported DOI | unsupported situation | invalid proposal syntax | invalid SPI | invalid protocol ID | invalid hash information | invalid message header | malformed payload | retransmission timeout | incorrect configuration. $2: Source address. $3: Destination address. |
Severity level |
6 |
Example |
IKE/6/IKE_P2_SA_ESTABLISH_FAIL: Failed to establish phase 2 SA for the reason of invalid key information. The SA’s source address is 1.1.1.1, and its destination address is 2.2.2.2. |
Explanation |
An IPsec SA was not established because of the displayed reason. |
Recommended action |
Check the IKE and IPsec configurations on the local and remote devices. |
IKE_P2_SA_TERMINATE
Message text |
The IKE phase 2 SA was deleted for the reason of [STRING]. The SA’s source address is [STRING], and its destination address is [STRING]. |
Variable fields |
$1: Reason that the SA is deleted, which is SA expiration. $2: Source address. $3: Destination address. |
Severity level |
6 |
Example |
IKE/6/IKE_P2_SA_TERMINATE: The IKE phase 2 SA was deleted for the reason of SA expiration. The SA’s source address is 1.1.1.1, and its destination address is 2.2.2.2. |
Explanation |
An IPsec SA was deleted because it expired. |
Recommended action |
No action is required. |
IPSEC messages
This section contains IPsec messages.
IPSEC_PACKET_DISCARDED
Message text |
IPsec packet discarded, Src IP:[STRING], Dst IP:[STRING], SPI:[UINT32], SN:[UINT32], Cause:[STRING]. |
Variable fields |
$1: Source IP address. $2: Destination IP address. $3: Security parameter index (SPI). $4: Sequence number of the packet. $5: Reason for dropping this packet: ¡ Anti-replay checking failed. ¡ AH authentication failed. ¡ ESP authentication failed. ¡ Invalid SA. ¡ ESP decryption failed. ¡ Source address of packet does not match the SA. ¡ No ACL rule matched. |
Severity level |
6 |
Example |
IPSEC/6/IPSEC_PACKET_DISCARDED: IPsec packet discarded, Src IP:1.1.1.2, Dest IP:1.1.1.4, SPI:1002, SN:0, Cause:ah authentication failed |
Explanation |
An IPsec packet was dropped. Possible reasons include anti-replay checking failed, AH/ESP authentication failed, invalid SA, ESP decryption failed, source address of packet did not match the SA, and no ACL rule matched. |
Recommended action |
No action is required. |
IPSEC_SA_ESTABLISH
Message text |
Established IPsec SA. The SA’s source address is [STRING], destination address is [STRING], protocol is [STRING], and SPI is [UINT32]. |
Variable fields |
$1: Source address. $2: Destination address. $3: Security protocol. $4: SPI. |
Severity level |
6 |
Example |
IPSEC/6/IPSEC_SA_ESTABLISH: Established IPsec SA. The SA’s source address is 1.1.1.1, destination address is 2.2.2.2, protocol is AH, and SPI is 2435. |
Explanation |
An IPsec SA was established. |
Recommended action |
No action is required. |
IPSEC_SA_ESTABLISH_FAIL
Message text |
Failed to establish IPsec SA for the reason of [STRING]. The SA’s source address is [STRING], and its destination address is [STRING]. |
Variable fields |
$1: Reason for the IPsec SA establishment failure: ¡ Tunnel establishment failure. ¡ Incomplete configuration. ¡ Unavailable transform set. $2: Source address. $3: Destination address. |
Severity level |
6 |
Example |
IPSEC/6/IPSEC_SA_ESTABLISH_FAIL: Failed to establish IPsec SA for the reason of creating tunnel failure. The SA’s source address is 1.1.1.1, and its destination address is 2.2.2.2. |
Explanation |
An IPsec SA was not established. Possible reasons include tunnel establishment failure, incomplete configuration, and unavailable transform set. |
Recommended action |
Verify the IPsec configuration on the local and remote devices. |
IPSEC_SA_INITINATION
Message text |
Began to establish IPsec SA. The SA’s source address is [STRING], and its destination address is [STRING]. |
Variable fields |
$1: Source address. $2: Destination address. |
Severity level |
6 |
Example |
IPSEC/6/IPSEC_SA_INITINATION: Began to establish IPsec SA. The SA’s source address is 1.1.1.1, and its destination address is 2.2.2.2. |
Explanation |
An IPsec SA was being established. |
Recommended action |
No action is required. |
IPSEC_SA_TERMINATE
Message text |
The IPsec SA was deleted for the reason of [STRING]. The SA’s source address is [STRING], destination address is [STRING], protocol is [STRING], and SPI is [UINT32]. |
Variable fields |
$1: Reason for the IPsec SA removal: ¡ SA idle timeout. ¡ reset command executed. $2: Source address. $3: Destination address. $4: Security protocol. $5: SPI. |
Severity level |
6 |
Example |
IPSEC/6/IPSEC_SA_TERMINATE: The IPsec SA was deleted for the reason of SA idle timeout. The SA’s source address is 1.1.1.1, destination address is 2.2.2.2, protocol is ESP, and SPI is 34563. |
Explanation |
An IPsec SA was deleted. Possible reasons include SA idle timeout and using the reset command. |
Recommended action |
No action is required. |
IPSG messages
This section contains IPSG messages.
IPSG_ADDENTRY_ERROR
Message text |
Failed to add an IP source guard binding (IP [STRING], MAC [STRING], and VLAN [UINT16]) on interface [STRING]. [STRING]. |
Variable fields |
$1: IP address. If you do not specify an IP address, this field displays N/A. $2: MAC address. If you do not specify a MAC address, this field displays N/A. $3: VLAN ID. If you do not specify a VLAN, this field displays 65535. $4: Interface name. If you do not specify an interface, this field displays N/A. $5: Failure reason. Available options include: ¡ Feature not supported ¡ Resources not sufficient ¡ Unknown error |
Severity level |
6 |
Example |
IPSG/6/IPSG_ADDENTRY_ERROR: Failed to add an IP source guard binding (IP 1.1.1.1, MAC 0001-0001-0001, and VLAN 1) on interface Vlan-interface1. Resources not sufficient. |
Explanation |
IPSG failed to issue a static or dynamic IPSG binding. The message is sent in any of the following situations: · The IPSG feature is not supported. · The hardware resources are not sufficient for the operation. · An unknown error occurs. |
Recommended action |
To resolve the problem, you can perform the following tasks: · Clear the memory to release hardware resources when the failure is caused by insufficient hardware resources. · Add the IPSG binding again if you are adding a static binding. · Contact H3C Support if the failure is caused by an unknown error. |
IPSG_DELENTRY_ERROR
Message text |
Failed to delete an IP source guard binding (IP [STRING], MAC [STRING], and VLAN [UINT16]) on interface [STRING]. [STRING]. |
Variable fields |
$1: IP address. If you do not specify an IP address, this field displays N/A. $2: MAC address. If you do not specify a MAC address, this field displays N/A. $3: VLAN ID. If you do not specify a VLAN, this field displays 65535. $4: Interface name. If you do not specify an interface, this field displays N/A. $5: Failure reason. Available options include: ¡ Feature not supported ¡ Unknown error |
Severity level |
6 |
Example |
IPSG/6/IPSG_DELENTRY_ERROR: Failed to delete an IP source guard binding (IP 1.1.1.1, MAC 0001-0001-0001, and VLAN 1) on interface Vlan-interface1. Unknown error. |
Explanation |
IPSG failed to delete a global static IPSG binding. The message is sent in any of the following situations: · The IPSG feature is not supported. · An unknown error occurs. |
Recommended action |
To resolve the problem, you can perform the following tasks: · Delete the global static IPSG binding again. · Contact H3C Support if the failure is caused by an unknown error. |
IPSG_ADDEXCLUDEDVLAN_ERROR
Message text |
Failed to add excluded VLANs (start VLAN [UINT16] to end VLAN [UINT16]). [STRING]. |
Variable fields |
$1: Start VLAN ID of the VLAN range that has been configured to be excluded from IPSG filtering. $2: End VLAN ID of the VLAN range that has been configured to be excluded from IPSG filtering. $3: Failure reason. Available options include: ¡ Feature not supported ¡ Resources not sufficient ¡ Unknown error |
Severity level |
6 |
Example |
IPSG/6/IPSG_ADDEXCLUDEDVLAN_ERROR: -MDC=1-Slot=4; Failed to add excluded VLANs (start VLAN 1 to end VLAN 5). Resources not sufficient. |
Explanation |
IPSG failed to issue the specified excluded VLANs. The message is sent in any of the following situations: · Excluded VLANs are not supported. · The hardware resources are not sufficient for the operation. · An unknown error occurs. |
Recommended action |
To resolve the problem, you can perform the following tasks: · Clear the memory to release hardware resources when the failure is caused by insufficient hardware resources. Then configure the excluded VLANs again. · Contact H3C Support if the failure is caused by an unknown error. |
IPSG_DELEXCLUDEDVLAN_ERROR
Message text |
Failed to delete excluded VLANs (start VLAN [UINT16] to end VLAN [UINT16]). [STRING]. |
Variable fields |
$1: Start VLAN ID of the VLAN range that has been configured to be excluded from IPSG filtering. $2: End VLAN ID of the VLAN range that has been configured to be excluded from IPSG filtering. $3: Failure reason. Available options include: ¡ Feature not supported ¡ Resources not sufficient ¡ Unknown error |
Severity level |
6 |
Example |
IPSG/6/IPSG_DELEXCLUDEDVLAN_ERROR: -MDC=1-Slot=4; Failed to delete excluded VLANs (start VLAN 1 to end VLAN 5). Resources not sufficient. |
Explanation |
IPSG failed to delete the specified excluded VLANs. The message is sent in any of the following situations: · Excluded VLANs are not supported. · The hardware resources are not sufficient for the operation. · An unknown error occurs. |
Recommended action |
To resolve the problem, you can perform the following tasks: · Clear the memory to release hardware resources when the failure is caused by insufficient hardware resources. Then delete the excluded VLANs again. · Contact H3C Support if the failure is caused by an unknown error. |
IRDP messages
This section contains IRDP messages.
IRDP_EXCEED_ADVADDR_LIMIT
Message text |
The number of advertisement addresses on interface [STRING] exceeded the limit 255. |
Variable fields |
$1: Interface name. |
Severity level |
6 |
Example |
IRDP/6/IRDP_EXCEED_ADVADDR_LIMIT: The number of advertisement addresses on interface GigabitEthernet1/0/2 exceeded the limit 255. |
Explanation |
The number of addresses to be advertised on an interface exceeded the upper limit. |
Recommended action |
Remove unused addresses on the interface. |
ISIS messages
This section contains IS-IS messages.
ISIS_MEM_ALERT
Message text |
ISIS Process receive system memory alert [STRING] event. |
Variable fields |
$1: Type of the memory alarm. |
Severity level |
5 |
Example |
ISIS/5/ISIS_MEM_ALERT: ISIS Process receive system memory alert start event. |
Explanation |
IS-IS received a memory alarm. |
Recommended action |
Check the system memory. |
ISIS_NBR_CHG
Message text |
IS-IS [UINT32], [STRING] adjacency %s (%s), state change to: %s. |
Variable fields |
$1: IS-IS process ID. $2: Neighbor level. $2: Neighbor ID. $3: Interface name. $4: Current adjacency state. |
Severity level |
5 |
Example |
ISIS/5/ISIS_NBR_CHG: IS-IS 1, Level-1 adjacency 0000.0000.8888 (Eth1/4/1/3), state change to:DOWN. |
Explanation |
The IS-IS adjacency state changed on an interface. |
Recommended action |
When the adjacency with a neighbor changes to down on an interface, check for IS-IS configuration errors and loss of network connectivity. |
ISSU messages
This section contains ISSU messages.
ISSU_ROLLBACKCHECKNORMAL
Message text |
The rollback might not be able to restore the previous version for [STRING] because the status is not normal. |
Variable fields |
$1: Slot number of an MPU, such as slot 1 or chassis 1 slot 2. |
Severity level |
4 |
Example |
ISSU/4/ISSU_ROLLBACKCHECKNORMAL: The rollback might not be able to restore the previous version for chassis 1 slot 2 because the state is not normal. |
Explanation |
While an ISSU was in switching state, a user executed the issu rollback command or the ISSU automatic-rollback timer expired. However, the status of the MPU was not normal. |
Recommended action |
No action is required. |
ISSU_PROCESSWITCHOVER
Message text |
Switchover completed. The standby process became the active process. |
Variable fields |
N/A |
Severity level |
5 |
Example |
ISSU/5/ISSU_PROCESSWITCHOVER: Switchover completed. The standby process became the active process. |
Explanation |
A user executed the issu run switchover command. |
Recommended action |
No action is required. |
L2PT messages
This section contains L2PT messages.
L2PT_SET_MULTIMAC_FAILED
Message text |
|
Variable fields |
$1: MAC address. |
Severity level |
4 |
Example |
L2PT/4/L2PT_SET_MULTIMAC_FAILED: Failed to set a tunnel destination MAC address to 010f-e200-0003. |
Explanation |
Failed to specify the destination multicast MAC address for tunneled packets. |
Recommended action |
No action is required. |
L2PT_CREATE_TUNNELGROUP_FAILED
Message text |
|
Variable fields |
$1: Protocol name. |
Severity level |
4 |
Example |
L2PT/4/L2PT_CREATE_TUNNELGROUP_FAILED: Failed to create a VLAN tunnel group for STP. |
Explanation |
Failed to create a VLAN tunnel group for a protocol. |
Recommended action |
No action is required. |
L2PT_ADD_GROUPMEMBER_FAILED
Message text |
Failed to add [STRING] as a member to the VLAN tunnel group for [STRING]. |
Variable fields |
$1: Interface name. $2: Protocol name. |
Severity level |
4 |
Example |
|
Explanation |
Failed to add an interface to a VLAN tunnel group for a protocol. |
Recommended action |
No action is required. |
L2PT_ENABLE_DROP_FAILED
Message text |
|
Variable fields |
$1: Protocol name. $2: Interface name. |
Severity level |
4 |
Example |
L2PT/4/L2PT_ENABLE_DROP_FAILED: Failed to enable STP packet drop on GigabitEthernet2/0/1. |
Explanation |
Failed to enable L2PT drop for a protocol on an interface. |
Recommended action |
No action is required. |
L2VPN messages
This section contains L2VPN messages.
L2VPN_HARD_RESOURCE_NOENOUGH
Message text |
No enough hardware resource for L2VPN. |
Variable fields |
N/A |
Severity level |
4 |
Example |
L2VPN/4/L2VPN_HARD_RESOURCE_NOENOUGH: No enough hardware resource for L2VPN. |
Explanation |
Hardware resources for L2VPN were insufficient. |
Recommended action |
Check whether unnecessary VSIs, PWs, or ACs had been generated. If yes, delete them. |
L2VPN_HARD_RESOURCE_RESTORE
Message text |
Hardware resource for L2VPN is restored. |
Variable fields |
N/A |
Severity level |
6 |
Example |
L2VPN/6/L2VPN_HARD_RESOURCE_RESTORE: Hardware resource for L2VPN is restored. |
Explanation |
Hardware resources for L2VPN restored. |
Recommended action |
No action is required. |
LAGG messages
This section contains link aggregation messages.
LACP_MAD_INTERFACE_CHANGE_STATE
Message text |
[STRING] used for LACP MAD changed to the [STRING] state. |
Variable fields |
$1: Aggregate interface name. $2: LACP MAD status of the aggregate interface: failure or normal. |
Severity level |
5 |
Example |
LAGG/5/LACP_MAD_INTERFACE_CHANGE_STATE: Bridge-Aggregation1 used for LACP MAD changed to the failure state. |
Explanation |
The LACP MAD status of an aggregate interface changed. |
Recommended action |
If the LACP MAD status of an aggregate interface changed to failure, you can perform the following tasks: · Check whether the aggregate interface is down. · Check whether the peer supports LACP MAD. |
LAGG_ACTIVE
Message text |
Member port [STRING] of aggregation group [STRING] became active. |
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
Severity level |
6 |
Example |
LAGG/6/LAGG_ACTIVE: Member port FGE1/0/50 of aggregation group BAGG1 became active. |
Explanation |
A member port in an aggregation group changed to the Selected state. |
Recommended action |
No action is required. |
LAGG_INACTIVE_AICFG
Message text |
Member port [STRING] of aggregation group [STRING] became inactive, because the aggregation configuration of the port is different from that of the aggregation group. |
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
Severity level |
6 |
Example |
LAGG/6/LAGG_INACTIVE_AICFG: Member port FGE1/0/50 of aggregation group BAGG1 became inactive, because the aggregation configuration of the port is different from that of the aggregation group. |
Explanation |
A member port in an aggregation group changed to the Unselected state because the member port and the aggregate interface had different attribute configurations. |
Recommended action |
Modify the attribute configurations of the member port to be consistent with the aggregate interface. |
LAGG_INACTIVE_CONFIGURATION
Message text |
Member port [STRING] of aggregation group [STRING] became inactive, because the aggregation configuration on the port is improper. |
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
Severity level |
6 |
Example |
LAGG/6/LAGG_INACTIVE_CONFIGURATION: Member port FGE1/0/50 of aggregation group BAGG1 became inactive, because the aggregation configuration on the port is improper. |
Explanation |
A member port in an aggregation group changed to the Unselected state because the member port and the aggregate interface had different aggregation configuration. |
Recommended action |
No action is required. |
LAGG_INACTIVE_DUPLEX
Message text |
Member port [STRING] of aggregation group [STRING] became inactive, because the duplex mode configuration on the port is improper. |
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
Severity level |
6 |
Example |
LAGG/6/LAGG_INACTIVE_DUPLEX: Member port FGE1/0/50 of aggregation group BAGG1 became inactive, because the duplex mode configuration on the port is improper. |
Explanation |
A member port in an aggregation group changed to the Unselected state because the duplex mode was different between the member port and the Selected ports. |
Recommended action |
Change the duplex mode of the member port to be the same as the Selected ports. |
LAGG_INACTIVE_HARDWAREVALUE
Message text |
Member port [STRING] of aggregation group [STRING] became inactive, because the hardware restriction on the port is improper. |
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
Severity level |
6 |
Example |
LAGG/6/LAGG_INACTIVE_HARDWAREVALUE: Member port FGE1/0/50 of aggregation group BAGG1 became inactive, because the hardware restriction on the port is improper. |
Explanation |
A member port in an aggregation group changed to the Unselected state because of the port's hardware restriction. |
Recommended action |
No action is required. |
LAGG_INACTIVE_LOWER_LIMIT
Message text |
Member port [STRING] of aggregation group [STRING] became inactive, because the number of active ports is below the lower limit. |
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
Severity level |
6 |
Example |
LAGG/6/LAGG_INACTIVE_LOWER_LIMIT: Member port FGE1/0/50 of aggregation group BAGG1 became inactive, because the number of active ports is below the lower limit. |
Explanation |
A member port in an aggregation group was placed in Unselected state because the required minimum number of Selected ports was not reached. |
Recommended action |
Make sure the minimum number of Selected ports is met. |
LAGG_INACTIVE_PARTNER
Message text |
Member port [STRING] of aggregation group [STRING] became inactive, because the aggregation configuration of its partner is improper. |
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
Severity level |
6 |
Example |
LAGG/6/LAGG_INACTIVE_PARTNER: Member port FGE1/0/50 of aggregation group BAGG1 became inactive, because the aggregation configuration of its partner is improper. |
Explanation |
A member port in an aggregation group changed to the Unselected state because the port's partner changed to the Unselected state. |
Recommended action |
No action is required. |
LAGG_INACTIVE_PHYSTATE
Message text |
Member port [STRING] of aggregation group [STRING] became inactive, because the physical state of the port is down. |
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
Severity level |
6 |
Example |
LAGG/6/LAGG_INACTIVE_PHYSTATE: Member port FGE1/0/50 of aggregation group BAGG1 became inactive, because the physical state of the port is down. |
Explanation |
A member port in an aggregation group changed to the Unselected state because the port went down. |
Recommended action |
Bring up the member port. |
LAGG_INACTIVE_RESOURCE_INSUFICIE
Message text |
Member port [STRING] of aggregation group [STRING] became inactive, because all aggregate resources are occupied. |
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
Severity level |
6 |
Example |
LAGG/6/LAGG_INACTIVE_RESOURCE_INSUFICIE: Member port FGE1/0/50 of aggregation group BAGG1 became inactive, because all aggregate resources are occupied. |
Explanation |
A member port in an aggregation group changed to the Unselected state because all aggregation resources were used. |
Recommended action |
No action is required. |
LAGG_INACTIVE_SPEED
Message text |
Member port [STRING] of aggregation group [STRING] became inactive, because the speed configuration on the port is improper. |
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
Severity level |
6 |
Example |
LAGG/6/LAGG_INACTIVE_SPEED: Member port FGE1/0/50 of aggregation group BAGG1 became inactive, because the speed configuration on the port is improper. |
Explanation |
A member port in an aggregation group changed to the Unselected state because the speed was different between the member port and the Selected ports. |
Recommended action |
Change the speed of the member port to be the same as the Selected ports. |
LAGG_INACTIVE_UPPER_LIMIT
Message text |
Member port [STRING] of aggregation group [STRING] became inactive, because the number of active ports has reached the upper limit. |
Variable fields |
$1: Port name. $2: Link aggregation group type and ID. |
Severity level |
6 |
Example |
LAGG/6/LAGG_INACTIVE_UPPER_LIMIT: Member port FGE1/0/50 of aggregation group BAGG1 became inactive, because the number of active ports has reached the upper limit. |
Explanation |
The number of Selected ports reached the upper limit in a dynamic aggregation group. A member port in the aggregation group changed to the Unselected state because a more eligible port joined the aggregation group. |
Recommended action |
No action is required. |
LDP messages
This section contains LDP messages.
LDP_SESSION_CHG
Message text |
Session ([STRING], [STRING]) is [STRING]. |
Variable fields |
$1: Peer's LDP ID. Value 0.0.0.0:0 indicates that the peer's LDP ID cannot be obtained. $2: VPN instance's name. Value public instance indicates that the session belongs to the public network. $3: State of the session, up or down. When the state is down, the reason why the session becomes down is bracketed. Reasons include: ¡ interface not operational. ¡ MPLS disabled on interface. ¡ LDP disabled on interface. ¡ LDP auto-configure disabled on interface. ¡ VPN instance changed on interface. ¡ LDP instance deleted. ¡ targeted peer deleted. ¡ L2VPN disabled targeted peer. ¡ TE tunnel disabled targeted peer. ¡ session protection disabled targeted peer. ¡ process deactivated. ¡ failed to receive the initialization message. ¡ graceful restart reconnect timer expired. ¡ failed to recover adjacency by NSR. ¡ failed to upgrade session by NSR. ¡ closed the GR session. ¡ keepalive hold timer expired. ¡ adjacency hold timer expired. ¡ session reset manually. ¡ TCP connection down. ¡ received a fatal notification message. ¡ internal error. ¡ memory in critical state. ¡ transport address changed on interface. |
Severity level |
5 |
Example |
LDP/5/LDP_SESSION_CHG: Session (22.22.22.2:0, public instance) is up. LDP/5/LDP_SESSION_CHG: Session (22.22.22.2:0, VPN instance: vpn1) is down (hello hold timer expired). |
Explanation |
The session state changed. |
Recommended action |
1. When the session state comes up, no action is required. 2. When the session state goes down, check the interface state, link state, and other configurations depending on the reason displayed. |
LDP_SESSION_GR
Message text |
Session ([STRING], [STRING]): ([STRING]). |
Variable fields |
$1: Peer's LDP ID. Value 0.0.0.0:0 indicates that the peer's LDP ID cannot be obtained. $2: VPN instance's name. Value public instance indicates that the session belongs to the public network. $3: State of the session graceful restart: ¡ Start reconnection. ¡ Reconnection failed. ¡ Start recovery. ¡ Recovery completed. |
Severity level |
5 |
Example |
LDP/5/LDP_SESSION_GR: Session (22.22.22.2:0, VPN instance: vpn1): Start reconnection. |
Explanation |
When a GR-capable LDP session went down, LDP GR started. This message is generated during the GR of the LDP session, indicating the current GR state. |
Recommended action |
1. Check for the reason of session graceful restart, which can be obtained from the LDP_SESSION_CHG log message. 2. When the graceful restart state Reconnection failed is displayed, verify the interface state, link state, and other configurations according to the reason for the session graceful restart. No action is required for other graceful restart states. |
LDP_SESSION_SP
Message text |
Session ([STRING], [STRING]): ([STRING]). |
Variable fields |
$1: Peer's LDP ID. Value 0.0.0.0:0 indicates that the peer's LDP ID cannot be obtained. $2: VPN instance's name. Value public instance indicates that the session belongs to the public network. $3: State of the session protection: ¡ Hold up the session. ¡ Session recovered successfully. ¡ Session recovery failed. |
Severity level |
5 |
Example |
LDP/5/LDP_SESSION_SP: Session (22.22.22.2:0, VPN instance: vpn1): Hold up the session. |
Explanation |
When the last hello adjacency of the session was removed, session protection started. This message is generated during the session protection process, indicating the current session protection state. |
Recommended action |
Verify the interface state and link state. |
LDP_MPLSLSRID_CHG
Message text |
Please reset LDP sessions if you want to make the new MPLS LSR ID take effect. |
Variable fields |
N/A |
Severity level |
5 |
Example |
LDP/5/LDP_MPLSLSRID_CHG: -MDC=1; Please reset LDP sessions if you want to make the new MPLS LSR ID take effect. |
Explanation |
If you configure an LDP LSR ID by using the lsr-id command in LDP view or LDP-VPN instance view, LDP uses the LDP LSR ID. If no LDP LSR ID is configured, LDP uses the MPLS LSR ID configured by the mpls lsr-id command. If no LDP LSR ID is configured, this message is sent when the MPLS LSR ID is modified. |
Recommended action |
1. Execute the display mpls ldp parameter [ vpn-instance vpn-instance-name ] command to display the LSR ID. 2. Check whether the LSR ID is the same as
the configured MPLS LSR ID. |
LLDP messages
This section contains LLDP messages.
LLDP_CREATE_NEIGHBOR
Message text |
[STRING] agent new neighbor created on Port [STRING] (IfIndex [UINT32]), Chassis ID is [STRING], Port ID is [STRING]. |
Variable fields |
$1: Agent type. $2: Port name. $3: Port ifIndex. $4: Neighbor's chassis ID. $5: Neighbor's port ID. |
Severity level |
6 |
Example |
LLDP/6/LLDP_CREATE_NEIGHBOR: Nearest bridge agent new neighbor created on Port Ten-GigabitEthernet10/0/15 (IfIndex 599), Chassis ID is 3822-d666-ba00, Port ID is GigabitEthernet6/0/5. |
Explanation |
The port received an LLDP message from a new neighbor. |
Recommended action |
No action is required. |
LLDP_DELETE_NEIGHBOR
Message text |
[STRING] agent neighbor deleted on Port [STRING] (IfIndex [UINT32]), Chassis ID is [STRING], Port ID is [STRING]. |
Variable fields |
$1: Agent type. $2: Port name. $3: Port ifIndex. $4: Neighbor's chassis ID. $5: Neighbor's port ID. |
Severity level |
6 |
Example |
LLDP/6/LLDP_DELETE_NEIGHBOR: Nearest bridge agent neighbor deleted on Port Ten-GigabitEthernet10/0/15 (IfIndex 599), Chassis ID is 3822-d666-ba00, Port ID is GigabitEthernet6/0/5. |
Explanation |
The port received a deletion message when a neighbor was deleted. |
Recommended action |
No action is required. |
LLDP_LESS_THAN_NEIGHBOR_LIMIT
Message text |
The number of [STRING] agent neighbors maintained by port [STRING] (IfIndex [UINT32]) is less than [UINT32], and new neighbors can be added. |
Variable fields |
$1: Agent type. $2: Port name. $3: Port ifIndex. $4: Maximum number of neighbors a port can maintain. |
Severity level |
6 |
Example |
LLDP/6/LLDP_LESS_THAN_NEIGHBOR_LIMIT: The number of nearest bridge agent neighbors maintained by port 1 (IfIndex 587599) is less than 16, and new neighbors can be added. |
Explanation |
New neighbors can be added for the port because the limit has not been reached. |
Recommended action |
No action is required. |
LLDP_NEIGHBOR_AGE_OUT
Message text |
[STRING] agent neighbor aged out on Port [STRING] (IfIndex [UINT32]), Chassis ID is [STRING], Port ID is [STRING]. |
Variable fields |
$1: Agent type. $2: Port name. $3: Port ifIndex. $4: Neighbor's chassis ID. $5: Neighbor's port ID. |
Severity level |
5 |
Example |
LLDP/5/LLDP_NEIGHBOR_AGE_OUT: Nearest bridge agent neighbor aged out on Port Ten-GigabitEthernet10/0/15 (IfIndex599), Chassis ID is 3822-d666-ba00, Port ID is GigabitEthernet6/0/5. |
Explanation |
This message is generated when the port failed to receive LLDPDUs from the neighbor within a certain period of time. |
Recommended action |
Verify the link status or the receive/transmit status of LLDP on the peer. |
LLDP_PVID_INCONSISTENT
Message text |
PVID mismatch discovered on [STRING] (PVID [UINT32]), with [STRING] [STRING] (PVID [STRING]). |
Variable fields |
|
Severity level |
|
Example |
|
Explanation |
|
Recommended action |
LLDP_REACH_NEIGHBOR_LIMIT
Message text |
The number of [STRING] agent neighbors maintained by the port [STRING] (IfIndex [UINT32]) has reached [UINT32], and no more neighbors can be added. |
Variable fields |
$1: Agent type. $2: Port name. $3: Port ifIndex. $4: Maximum number of neighbors a port can maintain. |
Severity level |
5 |
Example |
LLDP/5/LLDP_REACH_NEIGHBOR_LIMIT: The number of nearest bridge agent neighbors maintained by the port Ten-GigabitEthernet1/0/15 (IfIndex 15) has reached 5, and no more neighbors can be added. |
Explanation |
This message is generated when the port with its maximum number of neighbors reached received an LLDP packet. |
Recommended action |
No action is required. |
LOAD messages
This section contains load management messages.
BOARD_LOADING
Message text |
Board is loading file on Chassis [INT32] Slot [INT32]. |
Variable fields |
$1: Chassis ID. $2: Slot ID. |
Severity level |
4 |
Example |
LOAD/4/BOARD_LOADING: Board is loading file on Chassis 1 Slot 5. |
Explanation |
The card might have just rebooted. |
Recommended action |
No action is required. |
LOAD_FAILED
Message text |
Board failed to load file on Chassis [INT32] Slot [INT32]. |
Variable fields |
$1: Chassis ID. $2: Slot ID. |
Severity level |
3 |
Example |
LOAD/3/LOAD_FAILED: Board failed to load file on Chassis 1 Slot 5. |
Explanation |
The card failed to load the startup software images during the startup process. |
Recommended action |
1. Execute the display boot-loader command to display the startup software images for the card to load at next startup. 2. Execute the dir command to verify that the startup software images exist. If the startup software images do not exist or are damaged, re-obtain the startup software images or use other software images as the startup software images. 3. If the issue persists, contact H3C support.. |
LOAD_FINISHED
Message text |
Board has finished loading file on Chassis [INT32] Slot [INT32]. |
Variable fields |
$1: Chassis ID. $2: Slot ID. |
Severity level |
5 |
Example |
LOAD/5/LOAD_FINISHED: Board has finished loading file on Chassis 1 Slot 5. |
Explanation |
The card has finished loading files. |
Recommended action |
No action is required. |
LOGIN messages
This section contains login messages.
LOGIN_FAILED
Message text |
[STRING] failed to login from [STRING]. |
Variable fields |
$1: Username. $2: Line name or IP address. |
Severity level |
5 |
Example |
LOGIN/5/LOGIN_FAILED: TTY failed to log in from console0. LOGIN/5/LOGIN_FAILED: usera failed to log in from 192.168.11.22. |
Explanation |
A login attempt failed. |
Recommended action |
No action is required. |
LPDT messages
This section contains loop detection messages.
LPDT_LOOPED
Message text |
Loopback exists on [STRING]. |
Variable fields |
$1: Interface name. |
Severity level |
4 |
Example |
LPDT/4/LPDT_LOOPED: Loopback exists on GigabitEthernet 6/4/2. |
Explanation |
A loop was detected on a port. |
Recommended action |
Check the links and configuration on the device for the loop, and remove the loop. |
LPDT_RECOVERED
Message text |
Loopback on [STRING] recovered. |
Variable fields |
$1: Interface name. |
Severity level |
5 |
Example |
LPDT/5/LPDT_RECOVERED: Loopback on GigabitEthernet 6/4/1 recovered. |
Explanation |
A loop on a port was removed. |
Recommended action |
No action is required. |
LS messages
This section contains Local Server messages.
LS_ADD_USER_TO_GROUP
Message text |
Admin [STRING] added user [STRING] to group [STRING]. |
Variable fields |
$1: Admin name. $2: Username. $3: User group name. |
Severity level |
4 |
Example |
LS/4/LS_ADD_USER_TO_GROUP: Admin admin added user user1 to group group1. |
Explanation |
The administrator added a user into a user group. |
Recommended action |
No action is required. |
LS_AUTHEN_FAILURE
Message text |
User [STRING] from [STRING] failed authentication. [STRING] |
Variable fields |
$1: Username. $2: IP address. $3: Reason of failure: ¡ User not found. ¡ Password verified failed. ¡ User not active. ¡ Access type mismatch. ¡ Binding attribute is failed. ¡ User in blacklist. |
Severity level |
5 |
Example |
LS/5/LS_AUTHEN_FAILURE: User cwf@system from 192.168.0.22 failed authentication. "User not found." |
Explanation |
The local server rejected a user's authentication request. |
Recommended action |
No action is required. |
LS_AUTHEN_SUCCESS
Message text |
User [STRING] from [STRING] was authenticated successfully. |
Variable fields |
$1: Username. $2: IP address. |
Severity level |
6 |
Example |
LS/6/LS_AUTHEN_SUCCESS: User cwf@system from 192.168.0.22 was authenticated successfully. |
Explanation |
The local server accepted a user's authentication request. |
Recommended action |
No action is required. |
LS_DEL_USER_FROM_GROUP
Message text |
Admin [STRING] delete user [STRING] from group [STRING]. |
Variable fields |
$1: Admin name. $2: Username. $3: User group name. |
Severity level |
4 |
Example |
LS/4/LS_DEL_USER_FROM_GROUP: Admin admin delete user user1 from group group1. |
Explanation |
The administrator deleted a user from a user group. |
Recommended action |
No action is required. |
LS_DELETE_PASSWORD_FAIL
Message text |
Failed to delete the password for user [STRING]. |
Variable fields |
$1: Username. |
Severity level |
4 |
Example |
LS/4/LS_DELETE_PASSWORD_FAIL: Failed to delete the password for user abcd. |
Explanation |
Failed to delete the password for a user. |
Recommended action |
Check the file system for errors. |
LS_PWD_ADDBLACKLIST
Message text |
User [STRING] was added to the blacklist due to multiple login failures, [STRING]. |
Variable fields |
$1: Username. $2: Options include: ¡ but could make other attempts. ¡ and is permanently blocked. ¡ and was temporarily blocked for the specified period (in minutes). |
Severity level |
4 |
Example |
LS/4/LS_PWD_ADDBLACKLIST: user1 was added to the blacklist due to multiple login failures, but could make other attempts. |
Explanation |
A user was added to the blacklist because of multiple login failures. |
Recommended action |
Check the user's password. |
LS_PWD_CHGPWD_FOR_AGEDOUT
Message text |
User [STRING] changed the password because it was expired. |
Variable fields |
$1: Username. |
Severity level |
4 |
Example |
LS/4/LS_PWD_CHGPWD_FOR_AGEDOUT: aaa changed the password because it was expired. |
Explanation |
A user changed the password because the password expired. |
Recommended action |
No action is required. |
LS_PWD_CHGPWD_FOR_AGEOUT
Message text |
User [STRING] changed the password because it was about to expire. |
Variable fields |
$1: Username. $2: Aging time. |
Severity level |
4 |
Example |
LS/4/LS_PWD_CHGPWD_FOR_AGEOUT: aaa changed the password because it was about to expire. |
Explanation |
A user changed the password because the password is about to expire. |
Recommended action |
No action is required. |
LS_PWD_CHGPWD_FOR_COMPOSITION
Message text |
User [STRING] changed the password because it had an invalid composition. |
Variable fields |
$1: Username. |
Severity level |
4 |
Example |
LS/4/LS_PWD_CHGPWD_FOR_COMPOSITION: aaa changed the password because it had an invalid composition. |
Explanation |
A user changed the password because it had an invalid composition. |
Recommended action |
No action is required. |
LS_PWD_CHGPWD_FOR_FIRSTLOGIN
Message text |
User [STRING] changed the password at the first login. |
Variable fields |
$1: Username. |
Severity level |
4 |
Example |
LS/4/LS_PWD_CHGPWD_FOR_FIRSTLOGIN: aaa changed the password at the first login. |
Explanation |
A user changed the password at the first login. |
Recommended action |
No action is required. |
LS_PWD_CHGPWD_FOR_LENGTH
Message text |
User [STRING] changed the password because it was too short. |
Variable fields |
$1: Username. |
Severity level |
4 |
Example |
LS/4/LS_PWD_CHGPWD_FOR_LENGTH: aaa changed the password because it was too short. |
Explanation |
A user changed the password because it was too short. |
Recommended action |
No action is required. |
LS_PWD_FAILED2WRITEPASS2FILE
Message text |
Failed to write the password records to file. |
Variable fields |
N/A |
Severity level |
4 |
Example |
LS/4/LS_PWD_FAILED2WRITEPASS2FILE: Failed to write the password records to file. |
Explanation |
Failed to write the password records to file. |
Recommended action |
No action is required. |
LS_PWD_MODIFY_FAIL
Message text |
Admin [STRING] from [STRING] could not modify the password for user [STRING], because [STRING]. |
Variable fields |
$1: Admin name. $2: IP address. $3: Username. $4: Reason. Options include: ¡ passwords did not match. ¡ the password history cannot be written. ¡ the password cannot be verified. |
Severity level |
4 |
Example |
LS/4/LS_PWD_MODIFY_FAIL: Admin admin from 1.1.1.1 could not modify the password for user user1, because passwords do not match. |
Explanation |
An administrator failed to modify a user's password. |
Recommended action |
No action is required. |
LS_PWD_MODIFY_SUCCESS
Message text |
Admin [STRING] from [STRING] modify the password for user [STRING] successfully. |
Variable fields |
$1: Admin name. $2: IP address. $3: Username. |
Severity level |
6 |
Example |
LS/6/LS_PWD_MODIFY_SUCCESS: Admin admin from 1.1.1.1 modify the password for user abc successfully. |
Explanation |
An administrator successfully modified a user's password. |
Recommended action |
No action is required. |
LS_REAUTHEN_FAILURE
Message text |
User [STRING] from [STRING] failed reauthentication. |
Variable fields |
$1: Username. $2: IP address. |
Severity level |
5 |
Example |
LS/5/LS_REAUTHEN_FAILURE: User abcd from 1.1.1.1 failed reauthentication. |
Explanation |
A user failed reauthentication. |
Recommended action |
Check the old password. |
LS_UPDATE_PASSWORD_FAIL
Message text |
Failed to update the password for user [STRING]. |
Variable fields |
$1: Username. |
Severity level |
4 |
Example |
LS/4/LS_UPDATE_PASSWORD_FAIL: Failed to update the password for user abc. |
Explanation |
Failed to update the password for a user. |
Recommended action |
Check the file system for errors. |
LS_USER_CANCEL
Message text |
User [STRING] from [STRING] cancelled inputting the password. |
Variable fields |
$1: Username. $2: IP address. |
Severity level |
5 |
Example |
LS/5/LS_USER_CANCEL: User 1 from 1.1.1.1 cancelled inputting the password. |
Explanation |
The user cancelled inputting the password or did not input the password in 90 seconds. |
Recommended action |
No action is required. |
LS_USER_PASSWORD_EXPIRE
Message text |
User [STRING]'s login idle timer timed out. |
Variable fields |
$1: Username. |
Severity level |
5 |
Example |
LS/5/LS_USER_PASSWORD_EXPIRE: User 1's login idle timer timed out. |
Explanation |
The login idle time for a user expired. |
Recommended action |
No action is required. |
LS_USER_ROLE_CHANGE
Message text |
Admin [STRING] [STRING] the user role [STRING] for [STRING]. |
Variable fields |
$1: Admin name. $2: Added/Deleted. $3: User role. $4: Username. |
Severity level |
4 |
Example |
LS/4/LS_USER_ROLE_CHANGE: Admin admin add user role network-admin for user abcd. |
Explanation |
The administrator added a user role for a user. |
Recommended action |
No action is required. |
LSPV messages
This section contains LSP verification messages.
LSPV_PING_STATIS_INFO
Message text |
Ping statistics for [STRING]: [UINT32] packet(s) transmitted, [UINT32] packet(s) received, [DOUBLE]% packet loss, round-trip min/avg/max = [UINT32]/[ UINT32]/[ UINT32] ms. |
Variable fields |
$1: FEC. $2: Number of echo requests sent. $3: Number of echo replies received. $4: Percentage of the non-replied packets to the total requests. $5: Minimum round-trip delay. $6: Average round-trip delay. $7: Maximum round-trip delay. |
Severity level |
6 |
Example |
LSPV/6/LSPV_PING_STATIS_INFO: Ping statistics for FEC 192.168.1.1/32: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max = 1/2/5 ms. |
Explanation |
Ping statistics for an LSP tunnel or a PW. This message is generated when the ping mpls command is executed. |
Recommended action |
If no reply is received, verify the connectivity of the LSP tunnel or the PW. |
MAC messages
This section contains MAC messages.
MAC_TABLE_FULL_GLOBAL
Message text |
MAC address table exceeded maximum number [UINT32]. |
Variable fields |
$1: Maximum number of MAC addresses. |
Severity level |
4 |
Example |
MAC/4/MAC_TABLE_FULL_GLOBAL: MAC address table exceeded maximum number 2. |
Explanation |
The number of entries in the global MAC address table exceeded the upper limit. |
Recommended action |
No action is required. |
MAC_TABLE_FULL_PORT
Message text |
MAC address table exceeded maximum number [UINT32] on interface [STRING]. |
Variable fields |
$1: Maximum number of MAC addresses. $2: Interface name. |
Severity level |
4 |
Example |
MAC/4/MAC_TABLE_FULL_PORT: MAC address table exceeded maximum number 2 on interface GigabitEthernet2/0/32. |
Explanation |
The number of entries in the MAC address table for an interface exceeded the upper limit. |
Recommended action |
No action is required. |
MAC_TABLE_FULL_VLAN
Message text |
MAC address table exceeded maximum number [UINT32] on Vlan [UINT32]. |
Variable fields |
$1: Maximum number of MAC addresses. $2: VLAN ID. |
Severity level |
4 |
Example |
MAC/4/MAC_TABLE_FULL_VLAN: MAC address table exceeded maximum number 2 on Vlan 2. |
Explanation |
The number of entries in the MAC address table for a VLAN exceeded the upper limit. |
Recommended action |
No action is required. |
MACA messages
This section contains MAC authentication messages.
MACA_ENABLE_NOT_EFFECTIVE
Message text |
MAC authentication is enabled but is not effective on interface [STRING]. |
Variable fields |
$1: Interface type and number. |
Severity level |
3 |
Example |
MACA/3/MACA_ENABLE_NOT_EFFECTIVE: MAC authentication is enabled but is not effective on interface GigabitEthernet3/1/2. |
Explanation |
MAC authentication configuration does not take effect on an interface, because the interface does not support MAC authentication. |
Recommended action |
1. Disable MAC authentication on the interface. 2. Reconnect the connected devices to an interface that supports MAC authentication. 3. Enable MAC authentication on the new interface. |
MACA_LOGIN_FAILURE
Message text |
-IfName=[STRING]-MACAddr=[STRING]-VLANID=[STRING]-Username=[STRING]-UsernameFormat=[STRING]; User failed MAC authentication. |
Variable fields |
$1: Interface type and number. $2: MAC address. $3: VLAN ID. $4: Username. $5: User account format. |
Severity level |
6 |
Example |
MACA/6/MACA_LOGIN_FAILURE:-IfName=GigabitEthernet1/0/4-MACAddr=0010-8400-22b9-VLANID=444-Username=00-10-84-00-22-b9-UsernameFormat=MAC address; User failed MAC authentication. |
Explanation |
A user failed MAC authentication. |
Recommended action |
Locate the failure cause and handle the issue according to the failure cause. |
MACA_LOGIN_SUCC
Message text |
-IfName=[STRING]-MACAddr=[STRING]-VLANID=[STRING]-Username=[STRING]-UsernameFormat=[STRING]; User passed MAC authentication and came online. |
Variable fields |
$1: Interface type and number. $2: MAC address. $3: VLAN ID. $4: Username. $5: User account format. |
Severity level |
6 |
Example |
MACA/6/MACA_LOGIN_SUCC:-IfName=GigabitEthernet1/0/4-MACAddr=0010-8400-22b9-VLANID=444-Username=00-10-84-00-22-b9-UsernameFormat=MAC address; User passed MAC authentication and came online. |
Explanation |
A user passed MAC authentication. |
Recommended action |
No action is required. |
MACA_LOGOFF
Message text |
-IfName=[STRING]-MACAddr=[STRING]-VLANID=[STRING]-Username=[STRING]-UsernameFormat=[STRING]; MAC authentication user was logged off. |
Variable fields |
$1: Interface type and number. $2: MAC address. $3: VLAN ID. $4: Username. $5: User account format. |
Severity level |
6 |
Example |
MACA/6/MACA_LOGOFF:-IfName=GigabitEthernet1/0/4-MACAddr=0010-8400-22b9-VLANID=444-Username=00-10-84-00-22-b9-UsernameFormat=MAC address; MAC authentication user was logged off. |
Explanation |
A MAC authentication user was logged off. |
Recommended action |
Locate the logoff cause and remove the issue. If the logoff was requested by the user, no action is required. |
MACSEC messages
This section contains MACsec messages.
MACSEC_MKA_KEEPALIVE_TIMEOUT
Message text |
The live peer with SCI [STRING] and CKN [STRING] aged out on interface [STRING]. |
Variable fields |
$1: SCI. $2: CKN. $3: Interface type and number. |
Severity level |
4 |
Example |
MACSEC/4/MACSEC_MKA_KEEPALIVE_TIMEOUT: The live peer with SCI 00E00100000A0006 and CKN 80A0EA0CB03D aged out on interface GigabitEthernet1/0/1. |
Explanation |
A live peer aged out on an interface, because the local participant had not received any MKA packets from the peer before the keepalive timer expired. The local participant removed the peer information from the port. |
Recommended action |
Check the link between the local participant and the live peer for link failure. If the link is down, recover the link. |
MACSEC_MKA_PRINCIPAL_ACTOR
Message text |
The actor with CKN [STRING] became principal actor on interface [STRING]. |
Variable fields |
$1: CKN. $2: Interface type and number. |
Severity level |
6 |
Example |
MACSEC/6/MACSEC_MKA_PRINCIPAL_ACTOR: The actor with CKN 80A0EA0CB03D became principal actor on interface GigabitEthernet1/0/1. |
Explanation |
The actor with the highest key server priority became the principal actor. |
Recommended action |
No action is required. |
MACSEC_MKA_SAK_REFRESH
Message text |
The SAK has been refreshed on interface [STRING]. |
Variable fields |
$1: Interface type and number. |
Severity level |
6 |
Example |
MACSEC/6/MACSEC_MKA_SAK_REFRESH: The SAK has been refreshed on interface GigabitEthernet1/0/1. |
Explanation |
The participant on the interface derived or received a new SAK. |
Recommended action |
No action is required. |
MACSEC_MKA_SESSION_REAUTH
Message text |
The MKA session with CKN [STRING] was re-authenticated on interface [STRING]. |
Variable fields |
$1: CKN. $2: Interface type and number. |
Severity level |
6 |
Example |
MACSEC/6/MACSEC_MKA_SESSION_REAUTH: The MKA session with CKN 80A0EA0CB03D was re-authenticated on interface GigabitEthernet1/0/1. |
Explanation |
The interface performed 802.1X reauthentication. After the 802.1X reauthentication, the participants received a new CAK and used it to re-establish the MKA session. |
Recommended action |
No action is required. |
MACSEC_MKA_SESSION_SECURED
Message text |
The MKA session with CKN [STRING] was secured on interface [STRING]. |
Variable fields |
$1: CKN. $2: Interface type and number. |
Severity level |
6 |
Example |
MACSEC/6/MACSEC_MKA_SESSION_SECURED: The MKA session with CKN 80A020EA0CB03D was secured on interface GigabitEthernet1/0/1. |
Explanation |
The MKA session on the interface was secured. Packets are encrypted and transmitted in cipher text. The event occurs in the following situations: · The MKA session state changes from unsecured to secured. · The local participant and the peer negotiate a new MKA session when the following conditions exist: ¡ Both the key server and the peer support MACsec. ¡ A minimum of one participant is enabled with the MACsec desire feature. |
Recommended action |
No action is required. |
MACSEC_MKA_SESSION_START
Message text |
The MKA session with CKN [STRING] started on interface [STRING]. |
Variable fields |
$1: CKN. $2: Interface type and number. |
Severity level |
6 |
Example |
MACSEC/6/MACSEC_MKA_SESSION_START: The MKA session with CKN 80A020EA0CB03D started on interface GigabitEthernet1/0/1. |
Explanation |
The MKA session negotiation was initiated. Possible reasons include: · New CAK is available after MKA is enabled. · The user re-establishes the MKA session. · The interface that failed MKA session negotiation receives an MKA packet. |
Recommended action |
No action is required. |
MACSEC_MKA_SESSION_STOP
Message text |
The MKA session with CKN [STRING] stopped on interface [STRING]. |
Variable fields |
$1: CKN. $2: Interface type and number. |
Severity level |
5 |
Example |
MACSEC/5/MACSEC_MKA_SESSION_STOP: The MKA session with CKN 80A020EA0CB03D stopped on interface GigabitEthernet1/0/1. |
Explanation |
The MKA session was terminated. Possible reasons include: · The user removes or re-establishes the MKA session on the interface. · The link associated to the session is down. |
Recommended action |
1. Use the display mka session command to check whether the session exists: ¡ If the session has been re-established, ignore the message. ¡ If the session does not exist and is not removed by the user, check the link associated with the session for link failure. 2. Recover the link if the link is down. |
MACSEC_MKA_SESSION_UNSECURED
Message text |
The MKA session with CKN [STRING] was not secured on interface [STRING]. |
Variable fields |
$1: CKN. $2: Interface type and number. |
Severity level |
5 |
Example |
MACSEC/5/MACSEC_MKA_SESSION_UNSECURED: The MKA session with CKN 80A020EA0CB03D was not secured on interface GigabitEthernet1/0/1. |
Explanation |
The MKA session on the interface was not secured. Packets are transmitted in plain text. The event occurs in the following situations: · The MKA session state changes from secured to unsecured. · The local participant and the peer negotiate a new MKA session when the following conditions exist: ¡ The key server and the peer are not both MACsec capable. ¡ No participant is enabled with the MACsec desire feature. |
Recommended action |
To secure the MKA session, perform the following tasks: · Verify that both the key server and the peer support MACsec. · Verify that a minimum of one participant is enabled with the MACsec desire feature. |
MBFD messages
This section contains MPLS BFD messages.
MBFD_TRACEROUTE_FAILURE
Message text |
[STRING] in failure. ([STRING].) |
Variable fields |
$1: LSP information. $2: Reason for the LSP failure. |
Severity level |
5 |
Example |
MBFD/5/MBFD_TRACEROUTE_FAILURE: LSP (LDP IPv4: 22.22.2.2/32, nexthop: 20.20.20.2) in failure. (Replying router has no mapping for the FEC.) MBFD/5/MBFD_TRACEROUTE_FAILURE: TE tunnel (RSVP IPv4: Tunnel1) in failure. (No label entry.) |
Explanation |
LSP/MPLS TE tunnel failure was detected by periodic MPLS traceroute. This message is generated when the system receives an MPLS echo reply with an error return code. |
Recommended action |
Verify the configuration for the LSP or MPLS TE tunnel. |
MDC messages
This section contains MDC messages.
MDC_CREATE
Message text |
MDC [UINT16] is created. |
Variable fields |
$1: MDC ID. |
Severity level |
5 |
Example |
MDC/5/MDC_CREATE: MDC 2 is created. |
Explanation |
An MDC was created successfully. |
Recommended action |
No action is required. |
MDC_CREATE_ERR
Message text |
Failed to create MDC [UINT16] for not enough resources. |
Variable fields |
$1: MDC ID. |
Severity level |
5 |
Example |
MDC/5/MDC_CREATE_ERR: Failed to create MDC 2 for not enough resources. |
Explanation |
The standby MPU did not have enough resources to create the MDC. At startup, the standby MPU obtains MDC configuration information from the active MPU and tries to create the same MDCs. If the standby MPU does not have enough resources to create an MDC, it outputs this log message. |
Recommended action |
1. Use the display mdc resource command to display the CPU, memory, and disk space resources on the standby MPU. 2. Perform one of the following tasks: ¡ If the memory space is insufficient, increase the memory space. If the disk space is insufficient, delete unused files. ¡ Use the undo mdc command to remove the specified MDC. 3. Remove the standby MPU. |
MDC_DELETE
Message text |
MDC [UINT16] is deleted. |
Variable fields |
$1: MDC ID. |
Severity level |
5 |
Example |
MDC/5/MDC_DELETE: MDC 2 is deleted. |
Explanation |
An MDC was deleted successfully. |
Recommended action |
No action is required. |
MDC_LICENSE_EXPIRE
Message text |
The MDC feature's license will expire in [UINT32] days. |
Variable fields |
$1: Number of days, in the range of 1 to 30. |
Severity level |
5 |
Example |
MDC/5/MDC_NO_LICENSE_EXIT: The MDC feature's license will expire in 5 days. |
Explanation |
The license for the MDC feature was about to expire. |
Recommended action |
Install a new license. |
MDC_NO_FORMAL_LICENSE
Message text |
The feature MDC has no available formal license. |
Variable fields |
N/A |
Severity level |
5 |
Example |
MDC/5/MDC_NO_FORMAL_LICENSE: The feature MDC has no available formal license. |
Explanation |
The standby MPU became the active MPU but it did not have a formal license. The MDC feature has a free trial period. To use the feature after the period elapses, you must install a license for the standby MPU. |
Recommended action |
Install a formal license. |
MDC_NO_LICENSE_EXIT
Message text |
The MDC feature is being disabled, because it has no license. |
Variable fields |
N/A |
Severity level |
5 |
Example |
MDC/5/MDC_NO_LICENSE_EXIT: The MDC feature is being disabled, because it has no license. |
Explanation |
The MDC feature was disabled because the license for the MDC feature expired or was uninstalled. |
Recommended action |
Install the required license. |
MDC_OFFLINE
Message text |
MDC [UINT16] is offline now. |
Variable fields |
$1: MDC ID. |
Severity level |
5 |
Example |
MDC/5/MDC_OFFLINE: MDC 2 is offline now. |
Explanation |
An MDC was stopped. |
Recommended action |
No action is required. |
MDC_ONLINE
Message text |
MDC [UINT16] is online now. |
Variable fields |
$1: MDC ID. |
Severity level |
5 |
Example |
MDC/5/MDC_ONLINE: MDC 2 is online now. |
Explanation |
An MDC was started. |
Recommended action |
No action is required. |
MDC_STATE_CHANGE
Message text |
MDC [UINT16] state changed to [STRING]. |
Variable fields |
$1: MDC ID. $2: Current status. |
Severity level |
5 |
Example |
MDC/5/MDC_STATE_CHANGE: MDC 2 state changed to active. |
Explanation |
The status of an MDC changed. |
Recommended action |
No action is required. |
MFIB messages
This section contains MFIB messages.
MFIB_MEM_ALERT
Message text |
MFIB Process receive system memory alert [STRING] event. |
Variable fields |
$1: Type of the memory alert event. |
Severity level |
5 |
Example |
MFIB/5/MFIB_MEM_ALERT: MFIB Process receive system memory alert start event. |
Explanation |
MFIB received a memory alert event. |
Recommended action |
Adjust memory-intensive modules and release free memory. |
MGROUP messages
This section contains mirroring group messages.
MGROUP_APPLY_SAMPLER_FAIL
Message text |
Failed to apply the sampler for mirroring group [UINT16], because the sampler resources are insufficient. |
Variable fields |
$1: Mirroring group ID. |
Severity level |
3 |
Example |
MGROUP/3/MGROUP_APPLY_SAMPLER_FAIL: Failed to apply the sampler for mirroring group 1, because the sampler resources are insufficient. |
Explanation |
A sampler was not applied to the mirroring group because the sampler resources were insufficient. |
Recommended action |
No action is required. |
MGROUP_RESTORE_CPUCFG_FAIL
Message text |
Failed to restore configuration for mirroring CPU of [STRING] in mirroring group [UINT16], because [STRING] |
Variable fields |
$1: Slot number. $2: Mirroring group ID. $3: Failure reason. |
Severity level |
3 |
Example |
MGROUP/3/MGROUP_RESTORE_CPUCFG_FAIL: Failed to restore configuration for mirroring CPU of chassis 1 slot 2 in mirroring group 1, because the type of the monitor port in the mirroring group is not supported. |
Explanation |
When the CPU of the card in the slot is the source CPU in the mirroring group, configuration changes after the card is removed. When the card is reinstalled into the slot, restoring the source CPU configuration might fail. |
Recommended action |
Check for the failure reason. If the reason is that the system does not support the changed configuration, delete the unsupported configuration, and reconfigure the source CPU in the mirroring group. |
MGROUP_RESTORE_IFCFG_FAIL
Failed to restore configuration for interface [STRING] in mirroring group [UINT16], because [STRING] |
|
Variable fields |
$1: Interface name. $2: Mirroring group ID. $3: Failure reason. |
Severity level |
3 |
Example |
MGROUP/3/MGROUP_RESTORE_IFCFG_FAIL: Failed to restore configuration for interface GigabitEthernet1/0/2 in mirroring group 1, because the type of the monitor port in the mirroring group is not supported. |
Explanation |
When the interface of the card in the slot is the monitor port in the mirroring group, configuration changes after the card is removed. When the card is reinstalled into the slot, restoring the monitor port configuration might fail. |
Recommended action |
Check for the failure reason. If the reason is that the system does not support the changed configuration, delete the unsupported configuration, and reconfigure the monitor port in the mirroring group. |
MGROUP_SYNC_CFG_FAIL
Message text |
Failed to restore configuration for mirroring group [UINT16] in [STRING], because [STRING] |
Variable fields |
$1: Mirroring group ID. $2: Slot number. $3: Failure reason. |
Severity level |
3 |
Example |
MGROUP/3/MGROUP_SYNC_CFG_FAIL: Failed to restore configuration for mirroring group 1 in chassis 1 slot 2, because monitor resources are insufficient. |
Explanation |
When the complete mirroring group configuration was synchronized on the card in the slot, restoring configuration failed because resources on the card were insufficient. |
Recommended action |
Delete the mirroring group. |
MPLS messages
This section contains MPLS messages.
MPLS_HARD_RESOURCE_NOENOUGH
Message text |
No enough hardware resource for MPLS. |
Variable fields |
N/A |
Severity level |
4 |
Example |
MPLS/4/MPLS_HARD_RESOURCE_NOENOUGH: No enough hardware resource for MPLS. |
Explanation |
Hardware resources for MPLS were insufficient. |
Recommended action |
Check whether unnecessary LSPs had been generated. If yes, configure or modify the LSP generation policy, label advertisement policy, and label acceptance policy to filter out unnecessary LSPs. |
MPLS_HARD_RESOURCE_RESTORE
Message text |
Hardware resource for MPLS is restored. |
Variable fields |
N/A |
Severity level |
6 |
Example |
MPLS/6/MPLS_HARD_RESOURCE_RESTORE: Hardware resource for MPLS is restored. |
Explanation |
Hardware resources for MPLS restored. |
Recommended action |
No action is required. |
MSTP messages
This section contains MSTP messages.
MSTP_BPDU_PROTECTION
Message text |
BPDU-Protection port [STRING] received BPDUs. |
Variable fields |
$1: Interface name. |
Severity level |
4 |
Example |
MSTP/4/MSTP_BPDU_PROTECTION: BPDU-Protection port GigabitEthernet 1/0/4 received BPDUs. |
Explanation |
A BPDU-guard-enabled port received BPDUs. |
Recommended action |
Check whether the downstream device is a terminal and check for possible attacks from the downstream device or other devices. |
MSTP_BPDU_RECEIVE_EXPIRY
Message text |
Instance [UINT32]'s port [STRING] received no BPDU within the rcvdInfoWhile interval. Information of the port aged out. |
Variable fields |
$1: Instance ID. $2: Interface name. |
Severity level |
5 |
Example |
MSTP/5/MSTP_BPDU_RECEIVE_EXPIRY: Instance 0's port GigabitEthernet 1/0/1 received no BPDU within the rcvdInfoWhile interval. Information of the port aged out. |
Explanation |
The state changed because a non-designated port did not receive a BPDU within the max age. |
Recommended action |
Check the STP status of the upstream device and possible attacks from other devices. |
MSTP_DETECTED_TC
Message text |
Instance [UINT32]'s port [STRING] detected a topology change. |
Variable fields |
$1: Instance ID. $2: Interface name. |
Severity level |
6 |
Example |
MSTP/6/MSTP_DETECTED_TC: Instance 0's port GigabitEthernet 1/0/1 detected a topology change. |
Explanation |
The MSTP instance to which the port belongs had a topology change, and the local end detected the change. |
Recommended action |
Identify the topology change cause and handle the issue. For example, if the change is caused by a link down event, recover the link. |
MSTP_DISABLE
Message text |
STP is now disabled on the device. |
Variable fields |
N/A |
Severity level |
6 |
Example |
MSTP/6/MSTP_DISABLE: STP is now disabled on the device. |
Explanation |
STP was disabled globally on the device. |
Recommended action |
No action is required. |
MSTP_DISCARDING
Message text |
Instance [UINT32]'s port [STRING] has been set to discarding state. |
Variable fields |
$1: Instance ID. $2: Interface name. |
Severity level |
6 |
Example |
MSTP/6/MSTP_DISCARDING: Instance 0's port GigabitEthernet 1/0/2 has been set to discarding state. |
Explanation |
MSTP calculated the state of the ports within the instance, and a port was set to the discarding state. |
Recommended action |
No action is required. |
MSTP_ENABLE
Message text |
STP is now enabled on the device. |
Variable fields |
N/A |
Severity level |
6 |
Example |
MSTP/6/MSTP_ENABLE: STP is now enabled on the device. |
Explanation |
STP was enabled globally on the device. |
Recommended action |
No action is required. |
MSTP_FORWARDING
Message text |
Instance [UINT32]'s port [STRING] has been set to forwarding state. |
Variable fields |
$1: Instance ID. $2: Interface name. |
Severity level |
6 |
Example |
MSTP/6/MSTP_FORWARDING: Instance 0's port GigabitEthernet 1/0/2 has been set to forwarding state. |
Explanation |
MSTP calculated the state of the ports within the instance, a port was set to the forwarding state. |
Recommended action |
No action is required. |
MSTP_LOOP_PROTECTION
Message text |
Instance [UINT32]'s LOOP-Protection port [STRING] failed to receive configuration BPDUs. |
Variable fields |
$1: Instance ID. $2: Interface name. |
Severity level |
4 |
Example |
MSTP/4/MSTP_LOOP_PROTECTION: Instance 0's LOOP-Protection port GigabitEthernet 1/0/2 failed to receive configuration BPDUs. |
Explanation |
A loop-guard-enabled port failed to receive configuration BPDUs. |
Recommended action |
Check the STP status of the upstream device and possible attacks from other devices. |
MSTP_NOT_ROOT
Message text |
The current switch is no longer the root of instance [UINT32]. |
Variable fields |
$1: Instance ID. |
Severity level |
5 |
Example |
MSTP/5/MSTP_NOT_ROOT: The current switch is no longer the root of instance 0. |
Explanation |
The current switch is no longer the root bridge of an instance. It received a superior BPDU after it was configured as the root bridge. |
Recommended action |
Check the bridge priority configuration and possible attacks from other devices. |
MSTP_NOTIFIED_TC
Message text |
Instance [UINT32]'s port [STRING] was notified of a topology change. |
Variable fields |
$1: Instance ID. $2: Interface name. |
Severity level |
6 |
Example |
MSTP/6/MSTP_NOTIFIED_TC: Instance 0's port GigabitEthernet 1/0/1 was notified of a topology change. |
Explanation |
The neighboring device notified the current device that a topology change occurred in the instance to which the port belongs. |
Recommended action |
Identify the topology change cause and handle the issue. For example, if the change is caused by a link down event, recover the link. |
MSTP_ROOT_PROTECTION
Message text |
Instance [UINT32]'s ROOT-Protection port [STRING] received superior BPDUs. |
Variable fields |
$1: Instance ID. $2: Interface name. |
Severity level |
4 |
Example |
MSTP/4/MSTP_ROOT_PROTECTION: Instance 0's ROOT-Protection port GigabitEthernet 1/0/2 received superior BPDUs. |
Explanation |
A root-guard-enabled port received BPDUs that are superior to the BPDUs generated by itself. |
Recommended action |
Check the bridge priority configuration and possible attacks from other devices. |
MTLK messages
This section contains Monitor Link messages.
MTLK_UPLINK_STATUS_CHANGE
Message text |
The uplink of monitor link group [UINT32] is [STRING]. |
Variable fields |
$1: Monitor link group ID. $2: Monitor Link group status, up or down. |
Severity level |
6 |
Example |
MTLK/6/MTLK_UPLINK_STATUS_CHANGE: The uplink of monitor link group 1 is up. |
Explanation |
The uplink status of a monitor link group changed to up or down. |
Recommended action |
Check a link when it fails. |
ND messages
This section contains ND messages.
ND_CONFLICT
Message text |
[STRING] is inconsistent |
Variable fields |
$1: Configuration type: ¡ M_FLAG. ¡ O_FLAG. ¡ CUR_HOP_LIMIT. ¡ REACHABLE TIME. ¡ NS INTERVAL. ¡ MTU. ¡ PREFIX VALID TIME. ¡ PREFIX PREFERRED TIME. |
Severity level |
6 |
Example |
ND/6/ND_CONFLICT: PREFIX VALID TIME is inconsistent |
Explanation |
A router advertisement was received, which caused the configuration inconsistency between neighboring routers. |
Recommended action |
Verify that the configurations on the device and the neighboring router are consistent. |
ND_DUPADDR
Message text |
Duplicate address: [STRING] on the interface [STRING] |
Variable fields |
$1: Address that is to be assigned to an interface. $2: Name of the interface. |
Severity level |
6 |
Example |
ND/6/ND_DUPADDR: Duplicate address: 33::8 on interface Vlan-interface9. |
Explanation |
The address that was to be assigned to the interface is already used by another device. |
Recommended action |
Assign a different address to the interface. |
ND_RAGUARD_DROP
Message text |
Dropped RA messages with the source IPv6 address [STRING] on interface [STRING]. [STRING] messages dropped in total on the interface. |
Variable fields |
$1: Source IP address of the dropped RA messages. $2: Name of the interface that received the dropped RA messages. $3: Number of the RA messages dropped on the interface. |
Severity level |
4 |
Example |
ND/4/ND_RAGUARD_DROP: Dropped RA messages with the source IPv6 address FE80::20 on interface GigabitEthernet 1/0/1. 20 messages dropped in total on the interface. |
Explanation |
Forged RA messages were detected on the interface. The device dropped the forged RA messages and generated a log. |
Recommended action |
Check the vadility of the device or host that sends the RA messages based on the RA guard configuration. |
NQA messages
This section contains NQA messages.
NQA_LOG_UNREACHABLE
Message text |
Server [STRING] unreachable. |
Variable fields |
$1: IP address of the NQA server. |
Severity level |
6 |
Example |
NQA/6/NQA_LOG_UNREACHABLE: Server 192.168.30.117 unreachable. |
Explanation |
An unreachable server was detected. |
Recommended action |
Check the network environment. |
NTP messages
This section contains NTP messages.
NTP_CHANGE_LEAP
Message text |
System Leap Indicator changed from [UINT32] to [UINT32] after clock update. |
Variable fields |
$1: Original Leap Indicator. $2: Current Leap Indicator. |
Severity level |
5 |
Example |
NTP/5/NTP_CHANGE_LEAP: System Leap Indicator changed from 00 to 01 after clock update. |
Explanation |
The system Leap Indicator changed. For example, the NTP status changed from unsynchronized to synchronized. NTP Leap Indicator is a two-bit code warning of an impending leap second to be inserted in the NTP timescale. The bits are set before 23:59 on the day of insertion and reset after 00:00 on the following day. This causes the number of seconds (rolloverinterval) in the day of insertion to be increased or decreased by one. |
Recommended action |
No action is required. |
NTP_CHANGE_STRATUM
Message text |
System stratum changed from [UINT32] to [UINT32] after clock update. |
Variable fields |
$1: Original stratum. $2: Current stratum. |
Severity level |
5 |
Example |
NTP/5/NTP_CHANGE_STRATUM: System stratum changed from 6 to 5 after clock update. |
Explanation |
System stratum changed. |
Recommended action |
No action is required. |
NTP_CLOCK_CHANGE
Message text |
System clock changed from [STRING] to [STRING], the server is [STRING]. |
Variable fields |
$1: Time before synchronization. $2: Time after synchronization. $3: IP address. |
Severity level |
5 |
Example |
NTP/5/NTP_CLOCK_CHANGE: System clock changed from 02:12:58:345 12/28/2012 to 02:29:12:879 12/28/2012, the server is 192.168.30.116. |
Explanation |
The NTP server triggered the NTP client to synchronize the client time. |
Recommended action |
No action is required. |
NTP_SOURCE_CHANGE
Message text |
NTP server changed from [STRING] to [STRING]. |
Variable fields |
$1: IP address of the original time source. $2: IP address of the new time source. |
Severity level |
5 |
Example |
NTP/5/NTP_SOURCE_CHANGE: NTP server changed from 1.1.1.1 to 1.1.1.2. |
Explanation |
The system changed the time source. |
Recommended action |
Assign another NTP server as the time source. |
NTP_SOURCE_LOST
Message text |
Lost synchronization with NTP server [STRING]. |
Variable fields |
$1: IP address. |
Severity level |
5 |
Example |
NTP/5/NTP_SOURCE_LOST: Lost synchronization with NTP server 1.1.1.1. |
Explanation |
The clock source of the NTP association is in unsynchronized state or it is unreachable. |
Recommended action |
Check the NTP server and network connection. If the NTP server is faulty, configure a new server as the clock source for the client. |
OFP
This section contains OpenFlow messages.
OFP_ACTIVE
Message text |
Activate openflow instance [UINT16] |
Variable fields |
$1: Instance ID. |
Severity level |
5 |
Example |
OFP/5/OFP_ACTIVE: Activate openflow instance 1. |
Explanation |
A command was received to activate an OpenFlow instance. |
Recommended action |
No action is required. |
OFP_ACTIVE_FAILED
Message text |
Failed to activate instance [UINT16]. |
Variable fields |
$1: Instance ID. |
Severity level |
4 |
Example |
OFP/4/OFP_ACTIVE_FAILED: Failed to activate instance 1. |
Explanation |
An OpenFlow instance failed to be activated. |
Recommended action |
No action is required. |
OFP_CONNECT
Message text |
Openflow instance [UINT16], controller [CHAR] is [STRING]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: Connection status: connected or disconnected. |
Severity level |
5 |
Example |
OFP/5/OFP_CONNECT: Openflow instance 1, controller 0 is connected. |
Explanation |
The status of the connection between an OpenFlow instance and a controller changed. |
Recommended action |
No action is required. |
OFP_FAIL_OPEN
Message text |
Openflow instance [UINT16] is in fail [STRING] mode. |
Variable fields |
$1: Instance ID. $2: Connection interruption mode: secure or standalone. |
Severity level |
5 |
Example |
OFP/5/OFP_FAIL_OPEN: Openflow instance 1 is in fail secure mode. |
Explanation |
An activated instance failed to connect to a controller or was disconnected from all controllers. The connection interruption mode was displayed. |
Recommended action |
No action is required. |
OFP_FLOW_ADD
Message text |
Openflow instance [UINT16] controller [CHAR]: add flow entry [UINT32], xid 0x[HEX], cookie 0x[HEX], table id [CHAR]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: Rule ID. $4: XID. $5: Cookie of the flow entry. $6: Table ID. |
Severity level |
5 |
Example |
OFP/5/OFP_FLOW_ADD: Openflow instance 1 controller 0: add flow entry 1, xid 0x1, cookie 0x0, table id 0. |
Explanation |
A flow entry was to be added to a flow table according to a flow table modification message that has passed the packet check. |
Recommended action |
No action is required. |
OFP_FLOW_ADD_DUP
Message text |
Openflow instance [UINT16] controller [CHAR]: add duplicate flow entry [UINT32], xid 0x[HEX], cookie 0x[HEX], table id [CHAR]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: Rule ID. $4: XID. $5: Cookie. $6: Table ID. |
Severity level |
5 |
Example |
OFP/5/OFP_FLOW_ADD_DUP: Openflow instance 1 controller 0: add duplicate flow entry 1, xid 0x1, cookie 0x1, table id 0. |
Explanation |
A duplicate flow entry was added. |
Recommended action |
No action is required. |
OFP_FLOW_ADD_FAILED
Message text |
Openflow instance [UINT16] controller [CHAR]: failed to add flow entry [UINT32], table id [CHAR]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: Rule ID. $4: Table ID. |
Severity level |
4 |
Example |
OFP/4/OFP_FLOW_ADD_FAILED: Openflow instance 1 controller 0: failed to add flow entry 1, table id 0. |
Explanation |
A flow entry failed to be added. |
Recommended action |
No action is required. |
OFP_FLOW_ADD_FAILED_SMOOTH
Message text |
Openflow instance [UINT16]: failed to add flow entry [UINT32], table id [CHAR]. |
Variable fields |
$1: Instance ID. $2: Rule ID. $3: Table ID. |
Severity level |
4 |
Example |
OFP/4/OFP_FLOW_ADD_FAILED: Openflow instance 1: failed to add flow entry 1, table id 0. |
Explanation |
A flow entry failed to be added when a newly installed interface card was synchronizing flow tables from the MPU. |
Recommended action |
No action is required. |
OFP_FLOW_ADD_TABLE_MISS
Message text |
Openflow instance [UINT16] controller [CHAR]: add table miss flow entry, xid 0x[HEX], cookie 0x[HEX], table id [CHAR]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: XID. $4: Cookie of the flow entry. $5: Table ID. |
Severity level |
5 |
Example |
OFP/5/OFP_FLOW_ADD_TABLE_MISS: Openflow instance 1 controller 0: add table miss flow entry, xid 0x1, cookie 0x0, table id 0. |
Explanation |
A table-miss flow entry was to be added to a flow table according to a flow table modification message that has passed the packet check. |
Recommended action |
No action is required. |
OFP_FLOW_ADD_TABLE_MISS_FAILED
Message text |
Openflow instance [UINT16] controller [CHAR]: failed to add table miss flow entry, table id [CHAR]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: Table ID. |
Severity level |
4 |
Example |
OFP/4/OFP_FLOW_ADD_TABLE_MISS_FAILED: Openflow instance 1 controller 0: failed to add table miss flow entry, table id 0. |
Explanation |
A table-miss flow entry failed to be added. |
Recommended action |
No action is required. |
OFP_FLOW_DEL
Message text |
Openflow instance [UINT16] controller [CHAR]: delete flow entry, xid 0x[HEX], cookie 0x[HEX], table id [STRING]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: XID. $4: Cookie of the flow entry. $5: Table ID. |
Severity level |
5 |
Example |
OFP/5/OFP_FLOW_DEL: Openflow instance 1 controller 0: delete flow entry, xid 0x1, cookie 0x0, table id 0. |
Explanation |
A list of flow entries were to be deleted according to a flow table modification message that has passed the packet check. |
Recommended action |
No action is required. |
OFP_FLOW_DEL_TABLE_MISS
Message text |
Openflow instance [UINT16] controller [CHAR]: delete table miss flow entry, xid 0x[HEX], cookie 0x[HEX], table id [STRING]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: XID. $4: Cookie of the flow entry. $5: Table ID. |
Severity level |
5 |
Example |
OFP/5/OFP_FLOW_DEL_TABLE_MISS: Openflow instance 1 controller 0: delete table miss flow entry, xid 0x1, cookie 0x0, table id 0. |
Explanation |
A list of table-miss flow entries were to be deleted according to a flow table modification message that has passed the packet check. |
Recommended action |
No action is required. |
OFP_FLOW_DEL_TABLE_MISS_FAILED
Message text |
Openflow instance [UINT16] controller [CHAR]: failed to delete table miss flow entry, table id [STRING]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: Table ID. |
Severity level |
4 |
Example |
OFP/4/OFP_FLOW_DEL_TABLE_MISS_FAILED: Openflow instance 1 controller 0: failed to delete table miss flow entry, table id 0. |
Explanation |
A table-miss flow entry failed to be deleted. |
Recommended action |
No action is required. |
OFP_FLOW_MOD
Message text |
Openflow instance [UINT16] controller [CHAR]: modify flow entry, xid 0x[HEX], cookie 0x[HEX], table id [CHAR]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: XID. $4: Cookie of the flow entry. $5: Table ID. |
Severity level |
5 |
Example |
OFP/5/OFP_FLOW_MOD: Openflow instance 1 controller 0: modify flow entry, xid 0x1, cookie 0x0, table id 0. |
Explanation |
A list of flow entries were to be modified according to a flow table modification message that has passed the packet check. |
Recommended action |
No action is required. |
OFP_FLOW_MOD_FAILED
Message text |
Openflow instance [UINT16] controller [CHAR]: failed to modify flow entry, table id [CHAR]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: Table ID. |
Severity level |
4 |
Example |
OFP/4/OFP_FLOW_MOD_FAILED: Openflow instance 1 controller 0: failed to modify flow entry, table id 0. |
Explanation |
A flow entry failed to be modified. |
Recommended action |
Retry to modify the flow entry. If the flow entry still cannot be modified, delete it. |
OFP_FLOW_MOD_TABLE_MISS
Message text |
Openflow instance [UINT16] controller [CHAR]: modify table miss flow entry, xid 0x[HEX], cookie 0x[HEX], table id [CHAR]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: XID. $4: Cookie of the flow entry. $5: Table ID. |
Severity level |
5 |
Example |
OFP/5/OFP_FLOW_MOD_TABLE_MISS: Openflow instance 1 controller 0: modify table miss flow entry, xid 0x1, cookie 0x0, table id 0. |
Explanation |
A list of table-miss flow entries were to be modified according to a flow table modification message that has passed the packet check. |
Recommended action |
No action is required. |
OFP_FLOW_MOD_TABLE_MISS_FAILED
Message text |
Openflow instance [UINT16] controller [CHAR]: failed to modify table miss flow entry, table id [CHAR]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: Table ID. |
Severity level |
4 |
Example |
OFP/4/OFP_FLOW_MOD_TABLE_MISS_FAILED: Openflow instance 1 controller 0: failed to modify table miss flow entry, table id 0. |
Explanation |
A table-miss flow entry failed to be modified. |
Recommended action |
Retry to modify the table-miss flow entry. If the entry still cannot be modified, delete it. |
OFP_FLOW_RMV_GROUP
Message text |
The flow entry [UINT32] in table [CHAR] of instance [UINT16] was deleted with a group_mod message. |
Variable fields |
$1: Rule ID. $2: Table ID. $3: Instance ID. |
Severity level |
5 |
Example |
OFP/5/OFP_FLOW_RMV_GROUP: The flow entry 1 in table 0 of instance 1 was deleted with a group_mod message. |
Explanation |
A flow entry was deleted due to a group modification message. |
Recommended action |
No action is required. |
OFP_FLOW_RMV_HARDTIME
Message text |
The flow entry [UINT32] in table [CHAR] of instance [UINT16] was deleted because of an hard-time expiration. |
Variable fields |
$1: Rule ID. $2: Table ID. $3: Instance ID. |
Severity level |
5 |
Example |
OFP/5/OFP_FLOW_RMV_HARDTIME: The flow entry 1 in table 0 of instance 1 was deleted because of an hard-time expiration. |
Explanation |
A flow entry was deleted because of a hard time expiration. |
Recommended action |
No action is required. |
OFP_FLOW_RMV_IDLETIME
Message text |
The flow entry [UINT32] in table [CHAR] of instance [UINT16] was deleted because of an idle-time expiration. |
Variable fields |
$1: Rule ID. $2: Table ID. $3: Instance ID. |
Severity level |
5 |
Example |
OFP/5/OFP_FLOW_RMV_IDLETIME: The flow entry 1 in table 0 of instance 1 was deleted because of an idle-time expiration. |
Explanation |
A flow entry was deleted because of an idle time expiration. |
Recommended action |
No action is required. |
OFP_FLOW_RMV_METER
Message text |
The flow entry [UINT32] in table [CHAR] of instance [UINT16] was deleted with a meter_mod message. |
Variable fields |
$1: Rule ID. $2: Table ID. $3: Instance ID. |
Severity level |
5 |
Example |
OFP/5/OFP_FLOW_RMV_GROUP: The flow entry 1 in table 0 of instance1 was deleted with a meter_mod message. |
Explanation |
A flow entry was deleted due to a meter modification message. |
Recommended action |
No action is required. |
OFP_GROUP_ADD
Message text |
Openflow instance [UINT16] controller [CHAR]: add group [STRING], xid 0x[HEX]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: Group ID. $4: XID. |
Severity level |
5 |
Example |
OFP/5/OFP_GROUP_ADD: Openflow instance 1 controller 0: add group 1, xid 0x1. |
Explanation |
A group entry was to be added to a group table according to a group table modification message that has passed the packet check. |
Recommended action |
No action is required. |
OFP_GROUP_ADD_FAILED
Message text |
Openflow instance [UINT16] controller [CHAR]: failed to add group [STRING]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: Group ID. |
Severity level |
4 |
Example |
OFP/4/OFP_GROUP_ADD_FAILED: Openflow Instance 1 controller 0: failed to add group 1. |
Explanation |
A group entry failed to be added. |
Recommended action |
No action is required. |
OFP_GROUP_DEL
Message text |
Openflow instance [UINT16] controller [CHAR]: delete group [STRING], xid [HEX]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: Group ID. $4: XID. |
Severity level |
5 |
Example |
OFP/5/OFP_GROUP_DEL: Openflow instance 1 controller 0: delete group 1, xid 0x1. |
Explanation |
A group entry was to be deleted according to a group table modification message that has passed the packet check. |
Recommended action |
No action is required. |
OFP_GROUP_MOD
Message text |
Openflow instance [UINT16] controller [CHAR]: modify group [STRING], xid 0x[HEX]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: Group ID. $4: XID. |
Severity level |
5 |
Example |
OFP/5/OFP_GROUP_MOD: Openflow instance 1 controller 0: modify group 1, xid 0x1. |
Explanation |
A group entry was to be modified according to a group table modification message that has passed the packet check. |
Recommended action |
No action is required. |
OFP_GROUP_MOD_FAILED
Message text |
Openflow instance [UINT16] controller [CHAR]: failed to modify group [STRING]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: Group ID. |
Severity level |
4 |
Example |
OFP/4/OFP_GROUP_MOD_FAILED: Openflow instance 1 controller 0: failed to modify group 1. |
Explanation |
A group entry failed to be modified. |
Recommended action |
Retry to modify the group entry. If the group entry still cannot be modified, delete it. |
OFP_LOCAL_FLOW_FAILED
Message text |
OpenFlow instance [STRING] : failed to deploy local [STRING] flow entry, table id [STRING]. |
Variable fields |
$1: OpenFlow instance ID. $2: Flow entry type: ¡ Miss—Table-miss entry. ¡ standalone—Standalone entry. ¡ vlan [id] manage—Inband management VLAN entry. ¡ slow—Slow protocol entry. $3: Flow entry ID. $4: Table ID. |
Severity level |
6 |
Example |
OFP/6/OFP_KERNEL_LOCAL_FLOW_FAILED: OpenFlow instance 1 : failed to deploy local standalone flow entry, table id 0. |
Explanation |
The system failed to deploy a local flow entry. |
Recommended action |
Verify that ACL resources are sufficient. |
OFP_METER_ADD
Message text |
Openflow instance [UINT16] controller [CHAR]: add meter [STRING], xid 0x[HEX]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: Meter ID. $4: XID. |
Severity level |
5 |
Example |
OFP/5/OFP_METER_ADD: Openflow instance 1 controller 0: add meter 1, xid 0x1. |
Explanation |
A meter entry was to be added to a meter table according to a meter table modification message that has passed the packet check. |
Recommended action |
No action is required. |
OFP_METER_ADD_FAILED
Message text |
Openflow instance [UINT16] controller [CHAR]: failed to add meter [STRING]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: Meter ID. |
Severity level |
4 |
Example |
OFP/4/OFP_METER_ADD_FAILED: Openflow Instance 1 controller 0: failed to add meter 1. |
Explanation |
A meter entry failed to be added. |
Recommended action |
No action is required. |
OFP_METER_DEL
Message text |
Openflow instance [UINT16] controller [CHAR]: delete meter [STRING], xid 0x[HEX]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: Meter ID. $4: XID. |
Severity level |
5 |
Example |
OFP/5/OFP_METER_DEL: Openflow instance 1 controller 0: delete meter 1, xid 0x1. |
Explanation |
A meter entry was to be deleted according to a meter table modification message that has passed the packet check. |
Recommended action |
No action is required. |
OFP_METER_MOD
Message text |
Openflow instance [UINT16] controller [CHAR]: modify meter [STRING], xid 0x[HEX]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: Meter ID. $4: XID. |
Severity level |
5 |
Example |
OFP/5/OFP_METER_MOD: Openflow Instance 1 controller 0: modify meter 1, xid 0x1. |
Explanation |
A meter entry was to be modified according to a meter table modification message that has passed the packet check. |
Recommended action |
No action is required. |
OFP_METER_MOD_FAILED
Message text |
Openflow instance [UINT16] controller [CHAR]: failed to modify meter [STRING]. |
Variable fields |
$1: Instance ID. $2: Controller ID. $3: Meter ID. |
Severity level |
4 |
Example |
OFP/4/OFP_METER_MOD_FAILED: Openflow instance 1 controller 0: failed to modify meter 1. |
Explanation |
A meter entry failed to be modified. |
Recommended action |
Retry to modify the meter entry. If the meter entry still cannot be modified, delete it. |
OFP_MISS_RMV_GROUP
Message text |
The table-miss flow entry in table [CHAR] of instance [UINT16] was deleted with a group_mod message. |
Variable fields |
$1: Table ID. $2: Instance ID. |
Severity level |
5 |
Example |
OFP/5/OFP_MISS_RMV_GROUP: The table-miss flow entry in table 0 of instance 1 was deleted with a group_mod message. |
Explanation |
The table-miss flow entry was deleted due to a group modification message. |
Recommended action |
No action is required. |
OFP_MISS_RMV_HARDTIME
Message text |
The table-miss flow entry in table [CHAR] of instance [UINT16] was deleted because of an hard-time expiration. |
Variable fields |
$1: Table ID. $2: Instance ID. |
Severity level |
5 |
Example |
OFP/5/OFP_MISS_RMV_HARDTIME: The table-miss flow entry in table 0 of instance 1 was deleted because of an hard-time expiration. |
Explanation |
The table-miss flow entry was deleted because of a hard time expiration. |
Recommended action |
No action is required. |
OFP_MISS_RMV_IDLETIME
Message text |
The table-miss flow entry in table [CHAR] of instance [UINT16] was deleted because of an idle-time expiration. |
Variable fields |
$1: Table ID. $2: Instance ID. |
Severity level |
5 |
Example |
OFP/5/OFP_MISS_RMV_IDLETIME: The table-miss flow entry in table 0 of instance 1 was deleted because of an idle-time expiration. |
Explanation |
The table-miss flow entry was deleted because of an idle time expiration. |
Recommended action |
No action is required. |
OFP_MISS_RMV_METER
Message text |
The table-miss flow entry in table [CHAR] of instance [UINT16] was deleted with a meter_mod message. |
Variable fields |
$1: Table ID. $2: Instance ID. |
Severity level |
5 |
Example |
OFP/5/OFP_MISS_RMV_METER: The table-miss flow entry in table 0 of instance 1 was deleted with a meter_mod message. |
Explanation |
The table-miss flow entry was deleted due to a meter modification message. |
Recommended action |
No action is required. |
OPTMOD messages
This section contains transceiver module messages.
BIAS_HIGH
Message text |
[STRING]: Bias current is high! |
Variable fields |
$1: Interface type and number. |
Severity level |
2 |
Example |
OPTMOD/2/BIAS_HIGH: GigabitEthernet1/0/13: Bias current is high! |
Explanation |
The bias current of the transceiver module has exceeded the upper limit. |
Recommended action |
Locate the fault and fix it. If it cannot be fixed, replace the transceiver module. |
BIAS_LOW
Message text |
[STRING]: Bias current is low! |
Variable fields |
$1: Interface type and number. |
Severity level |
5 |
Example |
OPTMOD/5/BIAS_LOW: GigabitEthernet1/0/13: Bias current is low! |
Explanation |
The bias current of the transceiver module is below the lower limit. |
Recommended action |
Locate the fault and fix it. If it cannot be fixed, replace the transceiver module. |
BIAS_NORMAL
Message text |
[STRING]: Bias current is normal! |
Variable fields |
$1: Interface type and number. |
Severity level |
5 |
Example |
OPTMOD/5/BIAS_NORMAL: GigabitEthernet1/0/13: Bias current is normal! |
Explanation |
The bias current of the transceiver module has returned to the acceptable range. |
Recommended action |
No action is required. |
CFG_ERR
Message text |
[STRING]: The transceiver type does not match port configuration! |
Variable fields |
$1: Interface type and number. |
Severity level |
3 |
Example |
OPTMOD/3/CFG_ERR: GigabitEthernet1/0/13: The transceiver type does not match port configuration! |
Explanation |
The transceiver module type does not match the port configuration. |
Recommended action |
Identify the reason causing the mismatch and replace the transceiver module. |
CHKSUM_ERR
Message text |
[STRING]: The checksum of transceiver information is bad! |
Variable fields |
$1: Interface type and number |
Severity level |
5 |
Example |
OPTMOD/5/CHKSUM_ERR: GigabitEthernet1/0/13: The checksum of transceiver information is bad! |
Explanation |
The checksum verification on the register information on the transceiver module failed. |
Recommended action |
Locate the fault and fix it. If it cannot be fixed, replace the transceiver module. |
IO_ERR
Message text |
[STRING]: The transceiver information I/O failed! |
Variable fields |
$1: Interface type and number. |
Severity level |
5 |
Example |
OPTMOD/5/IO_ERR: GigabitEthernet1/0/13: The transceiver information I/O failed! |
Explanation |
The device failed to access the register information of the transceiver module. |
Recommended action |
Locate the fault and fix it. If it cannot be fixed, replace the transceiver module. |
MOD_ALM_OFF
Message text |
[STRING]: [STRING] is gone. |
Variable fields |
$1: Interface type and number. $2: Fault type. |
Severity level |
5 |
Example |
OPTMOD/5/MOD_ALM_OFF: GigabitEthernet1/0/13: Module_not_ready is gone. |
Explanation |
A fault was removed from the transceiver module. |
Recommended action |
No action is required. |
MOD_ALM_ON
Message text |
[STRING]: [STRING] is detected! |
Variable fields |
$1: Interface type and number. $2: Fault type. |
Severity level |
5 |
Example |
OPTMOD/5/MOD_ALM_ON: GigabitEthernet1/0/13: Module_not_ready is detected! |
Explanation |
A fault was detected on the transceiver module. |
Recommended action |
Fix the fault. If it cannot be fixed, replace the transceiver module. |
MODULE_IN
Message text |
[STRING]: The transceiver is [STRING]. |
Variable fields |
$1: Interface type and number. $2: Type of the transceiver module. |
Severity level |
4 |
Example |
OPTMOD/4/MODULE_IN: GigabitEthernet1/0/13: The transceiver is 1000_BASE_T_AN_SFP. |
Explanation |
When a transceiver module is inserted, the OPTMOD module generates the message to display the transceiver module type. |
Recommended action |
No action is required. |
MODULE_OUT
Message text |
[STRING]: The transceiver is absent. |
Variable fields |
$1: Interface type and number. |
Severity level |
4 |
Example |
OPTMOD/4/MODULE_OUT: GigabitEthernet1/0/13: The transceiver is absent. |
Explanation |
The transceiver module was removed. |
Recommended action |
No action is required. |
PHONY_MODULE
Message text |
[STRING]: This transceiver is NOT sold by H3C. H3C therefore shall NOT guarantee the normal function of the device or assume the maintenance responsibility thereof! |
Variable fields |
$1: Interface type and number. |
Severity level |
4 |
Example |
OPTMOD/4/PHONY_MODULE: GigabitEthernet1/0/13: This transceiver is NOT sold by H3C. H3C therefore shall NOT guarantee the normal function of the device or assume the maintenance responsibility thereof! |
Explanation |
The transceiver module is not sold by H3C. |
Recommended action |
Verify the transceiver module compatibility. If it is not compatible, replace it. |
RX_ALM_OFF
Message text |
[STRING]: [STRING] is gone. |
Variable fields |
$1: Interface type and number. $2: RX fault type. |
Severity level |
5 |
Example |
OPTMOD/5/RX_ALM_OFF: GigabitEthernet1/0/13: RX_not_ready is gone. |
Explanation |
An RX fault was removed from the transceiver module. |
Recommended action |
No action is required. |
RX_ALM_ON
Message text |
[STRING]: [STRING] is detected! |
Variable fields |
$1: Interface type and number. $2: RX fault type. |
Severity level |
5 |
Example |
OPTMOD/5/RX_ALM_ON: GigabitEthernet1/0/13: RX_not_ready is detected! |
Explanation |
An RX fault was detected on the transceiver module. |
Recommended action |
Fix the fault. If it cannot be fixed, replace the transceiver module. |
RX_POW_HIGH
Message text |
[STRING]: RX power is high! |
Variable fields |
$1: Interface type and number. |
Severity level |
5 |
Example |
OPTMOD/5/RX_POW_HIGH: GigabitEthernet1/0/13: RX power is high! |
Explanation |
The RX power of the transceiver module has exceeded the upper limit. |
Recommended action |
Locate the fault and fix it. If it cannot be fixed, replace the transceiver module. |
RX_POW_LOW
Message text |
[STRING]: RX power is low! |
Variable fields |
$1: Interface type and number. |
Severity level |
5 |
Example |
OPTMOD/5/RX_POW_LOW: GigabitEthernet1/0/13: RX power is low! |
Explanation |
The RX power of the transceiver module is below the lower limit. |
Recommended action |
Locate the fault and fix it. If it cannot be fixed, replace the transceiver module. |
RX_POW_NORMAL
Message text |
[STRING]: RX power is normal! |
Variable fields |
$1: Interface type and number. |
Severity level |
5 |
Example |
OPTMOD/5/RX_POW_NORMAL: GigabitEthernet1/0/13: RX power is normal! |
Explanation |
The RX power of the transceiver module has returned to the acceptable range. |
Recommended action |
No action is required. |
TEMP_HIGH
Message text |
[STRING]: Temperature is high! |
Variable fields |
$1: Interface type and number |
Severity level |
5 |
Example |
OPTMOD/5/TEMP_HIGH: GigabitEthernet1/0/13: Temperature is high! |
Explanation |
The temperature of the transceiver module has exceeded the upper limit. |
Recommended action |
Locate the fault and fix it. If it cannot be fixed, replace the transceiver module. |
TEMP_LOW
Message text |
[STRING]: Temperature is low! |
Variable fields |
$1: Interface type and number. |
Severity level |
5 |
Example |
OPTMOD/5/TEMP_LOW: GigabitEthernet1/0/13: Temperature is low! |
Explanation |
The temperature of the transceiver module is below the lower limit. |
Recommended action |
Locate the fault and fix it. If it cannot be fixed, replace the transceiver module. |
TEMP_NORMAL
Message text |
[STRING]: Temperature is normal! |
Variable fields |
$1: Interface type and number. |
Severity level |
5 |
Example |
OPTMOD/5/TEMP_NORMAL: GigabitEthernet1/0/13: Temperature is normal! |
Explanation |
The temperature of the transceiver module has returned to the acceptable range. |
Recommended action |
No action is required. |
TX_ALM_OFF
Message text |
[STRING]: [STRING] is gone. |
Variable fields |
$1: Interface type and number. $2: TX fault type. |
Severity level |
5 |
Example |
OPTMOD/5/TX_ALM_OFF: GigabitEthernet1/0/13: TX_fault is gone. |
Explanation |
A TX fault was removed from the transceiver module. |
Recommended action |
No action is required. |
TX_ALM_ON
Message text |
[STRING]: [STRING] is detected! |
Variable fields |
$1: Interface type and number. $2: TX fault type. |
Severity level |
5 |
Example |
OPTMOD/5/TX_ALM_ON: GigabitEthernet1/0/13: TX_fault is detected! |
Explanation |
A TX fault was detected on the transceiver module. |
Recommended action |
Fix the fault. If it cannot be fixed, replace the transceiver module. |
TX_POW_HIGH
Message text |
[STRING]: TX power is high! |
Variable fields |
$1: Interface type and number. |
Severity level |
2 |
Example |
OPTMOD/2/TX_POW_HIGH: GigabitEthernet1/0/13: TX power is high! |
Explanation |
The TX power of the transceiver module has exceeded the upper limit. |
Recommended action |
Locate the fault and fix it. If it cannot be fixed replace the transceiver module. |
TX_POW_LOW
Message text |
[STRING]: TX power is low! |
Variable fields |
$1: Interface type and number. |
Severity level |
5 |
Example |
OPTMOD/5/TX_POW_LOW: GigabitEthernet1/0/13: TX power is low! |
Explanation |
The TX power of the transceiver module is below the lower limit. |
Recommended action |
Locate the fault and fix it. If it cannot be fixed, replace the transceiver module. |
TX_POW_NORMAL
Message text |
[STRING]: TX power is normal! |
Variable fields |
$1: Interface type and number. |
Severity level |
5 |
Example |
OPTMOD/5/TX_POW_NORMAL: GigabitEthernet1/0/13: TX power is normal! |
Explanation |
The TX power of the transceiver module has returned to the acceptable range. |
Recommended action |
No action is required. |
TYPE_ERR
Message text |
[STRING]: The transceiver type is not supported by port hardware! |
Variable fields |
$1: Interface type and number. |
Severity level |
3 |
Example |
OPTMOD/3/TYPE_ERR: GigabitEthernet1/0/13: The transceiver type is not supported by port hardware! |
Explanation |
The transceiver module is not supported by the port. |
Recommended action |
Replace the transceiver module. |
VOLT_HIGH
Message text |
[STRING]: Voltage is high! |
Variable fields |
$1: Interface type and number |
Severity level |
5 |
Example |
OPTMOD/5/VOLT_HIGH: GigabitEthernet1/0/13: Voltage is high! |
Explanation |
The voltage of the transceiver module has exceeded the upper limit. |
Recommended action |
Locate the fault and fix it. If it cannot be fixed, replace the transceiver module. |
VOLT_LOW
Message text |
[STRING]: Voltage is low! |
Variable fields |
$1: Interface type and number. |
Severity level |
5 |
Example |
OPTMOD/5/VOLT_LOW: GigabitEthernet1/0/13: Voltage is low! |
Explanation |
The voltage of the transceiver module is below the lower limit. |
Recommended action |
Locate the fault and fix it. If it cannot be fixed, replace the transceiver module. |
VOLT_NORMAL
Message text |
[STRING]: Voltage is normal! |
Variable fields |
$1: Interface type and number. |
Severity level |
5 |
Example |
OPTMOD/5/VOLT_NORMAL: GigabitEthernet1/0/13: Voltage is normal! |
Explanation |
The voltage of the transceiver module has returned to the acceptable range. |
Recommended action |
No action is required. |
OSPF messages
This section contains OSPF messages.
OSPF_DUP_RTRID_NBR
Message text |
OSPF [UINT16] Duplicate router ID [STRING] on interface [STRING], sourced from IP address [IPADDR]. |
Variable fields |
$1: OSPF process ID. $2: Router ID. $3: Interface name. $4: IP address. |
Severity level |
6 |
Example |
OSPF/6/OSPF_DUP_RTRID_NBR: OSPF 1 Duplicate router ID 11.11.11.11 on interface GigabitEthernet1/0/3, sourced from IP address 11.2.2.2. |
Explanation |
Two directly connected devices are configured with the same router ID. |
Recommended action |
Modify the router ID on one device and use the reset ospf process command to make the new router ID take effect. |
OSPF_IP_CONFLICT_INTRA
Message text |
OSPF [UINT16] Received newer self-originated network-LSAs. Possible conflict of IP address [IPADDR] in area [STRING] on interface [STRING]. |
Variable fields |
$1: OSPF process ID. $2: IP address. $3: OSPF area ID. $4: Interface name. |
Severity level |
6 |
Example |
OSPF/6/OSPF_IP_CONFLICT_INTRA: OSPF 1 Received newer self-originated network-LSAs. Possible conflict of IP address 11.1.1.1 in area 0.0.0.1 on interface GigabitEthernet1/0/3. |
Explanation |
The interfaces on two devices in the same OSPF area might have the same primary IP address. At least one of the devices is a DR. |
Recommended action |
Modify the IP address configuration and make sure the modification does not cause router ID conflicts in the same OSPF area. |
OSPF_LAST_NBR_DOWN
Message text |
OSPF [UINT32] Last neighbor down event: Router ID: [STRING] Local address: [STRING] Remote address: [STRING] Reason: [STRING] |
Variable fields |
$1: OSPF process ID. $2: Router ID. $3: Local IP address. $4: Neighbor IP address. $5: Reason. |
Severity level |
6 |
Example |
OSPF/6/OSPF_LAST_NBR_DOWN: OSPF 1 Last neighbor down event: Router ID: 2.2.2.2 Local address: 10.1.1.1 Remote address: 10.1.1.2 Reason: Dead Interval timer expired. |
Explanation |
The device records the OSPF neighbor down event caused by a specific reason. |
Recommended action |
1. When a down event occurred because of configuration changes (for example, interface parameter changes), check for the configuration errors. 2. When a down event occurred because of dead interval expiration, check for the dead interval configuration error and loss of network connectivity. 3. When a down event occurred because of BFD session down, check for the BFD detection time configuration error and loss of network connectivity. 4. When a down event occurred because of interface status changes, check for loss of network connectivity. |
OSPF_MEM_ALERT
Message text |
OSPF Process receive system memory alert [STRING] event. |
Variable fields |
$1: Type of the memory alarm. |
Severity level |
5 |
Example |
OSPF/5/OSPF_MEM_ALERT: OSPF Process receive system memory alert start event. |
Explanation |
OSPF received a memory alarm. |
Recommended action |
Check the system memory. |
OSPF_NBR_CHG
Message text |
OSPF [UINT32] Neighbor [STRING] ([STRING]) from [STRING] to [STRING] |
Variable fields |
$1: OSPF process ID. $2: Neighbor IP address. $3: Interface name. $4: Old adjacency state. $5: New adjacency state. |
Severity level |
5 |
Example |
OSPF/5/OSPF_NBR_CHG: OSPF 1 Neighbor 2.2.2.2 (Vlan-interface100) from Full to Down. |
Explanation |
The OSPF adjacency state changed on an interface. |
Recommended action |
When the adjacency with a neighbor changes from Full to another state on an interface, check for OSPF configuration errors and loss of network connectivity. |
OSPF_RTRID_CONFLICT_INTRA
Message text |
OSPF [UINT16] Received newer self-originated router-LSAs. Possible conflict of router ID [STRING] in area [STRING]. |
Variable fields |
$1: OSPF process ID. $2: Router ID. $3: OSPF area ID. |
Severity level |
6 |
Example |
OSPF/6/OSPF_RTRID_CONFLICT_INTRA: OSPF 1 Received newer self-originated router-LSAs. Possible conflict of router ID 11.11.11.11 in area 0.0.0.1. |
Explanation |
Two indirectly connected devices in the same OSPF area might have the same router ID. |
Recommended action |
Modify the router ID on one device and use the reset ospf process command to make the new router ID take effect. |
OSPF_RTRID_CONFLICT_INTER
Message text |
OSPF [UINT16] Received newer self-originated ase-LSAs. Possible conflict of router ID [STRING]. |
Variable fields |
$1: OSPF process ID. $2: Router ID. |
Severity level |
6 |
Example |
OSPF/6/OSPF_RTRID_CONFILICT_INTER: OSPF 1 Received newer self-originated ase-LSAs. Possible conflict of router ID 11.11.11.11. |
Explanation |
Two indirectly connected devices in the same OSPF area might have the same router ID. One of the devices is an ASBR. |
Recommended action |
Modify the router ID on one device and use the reset ospf process command to make the new router ID take effect. |
OSPF_RT_LMT
Message text |
OSPF [UINT32] route limit reached. |
Variable fields |
$1: OSPF process ID. |
Severity level |
4 |
Example |
OSPF/4/OSPF_RT_LMT: OSPF 1 route limit reached. |
Explanation |
The number of routes of an OSPF process reached the upper limit. |
Recommended action |
1. Check for network attacks. 2. Reduce the number of routes. |
OSPF_RTRID_CHG
Message text |
OSPF [UINT32] New router ID elected, please restart OSPF if you want to make the new router ID take effect. |
Variable fields |
$1: OSPF process ID. |
Severity level |
5 |
Example |
OSPF/5/OSPF_RTRID_CHG: OSPF 1 New router ID elected, please restart OSPF if you want to make the new router ID take effect. |
Explanation |
The OSPF router ID was changed because the user changed the router ID or the interface IP address used as the router ID changed. |
Recommended action |
Use the reset ospf process command to make the new router ID take effect. |
OSPF_VLINKID_CHG
Message text |
OSPF [UINT32] Router ID changed, re-configure Vlink on peer |
Variable fields |
$1: OSPF process ID. |
Severity level |
5 |
Example |
OSPF/5/OSPF_VLINKID_CHG:OSPF 1 Router ID changed, re-configure Vlink on peer |
Explanation |
A new OSPF router ID takes effect. |
Recommended action |
Check and modify the virtual link configuration on the peer router to match the new router ID. |
OSPFV3 messages
This section contains OSPFv3 messages.
OSPFV3_LAST_NBR_DOWN
Message text |
OSPFv3 [UINT32] Last neighbor down event: Router ID: [STRING] local Interface Id: [UINT32] Remote Interface Id: [UINT32] Reason: [STRING]. |
Variable fields |
$1: OSPFv3 process ID. $2: Router ID. $3: Local interface ID. $4: Remote interface ID. $5: Reason. |
Severity level |
6 |
Example |
OSPFV3/6/OSPFV3_LAST_NBR_DOWN: OSPF 1 Last neighbor down event: Router ID: 2.2.2.2 local Interface Id: 1111 Remote Interface Id: 2222 Reason: Dead Interval timer expired. |
Explanation |
The device records the most recent OSPFv3 neighbor down event caused by a specific reason. |
Recommended action |
Check the reason for the most recent OSPFv3 neighbor down event. |
OSPFV3_MEM_ALERT
Message text |
OSPFV3 Process receive system memory alert [STRING] event. |
Variable fields |
$1: Type of the memory alarm. |
Severity level |
5 |
Example |
OSPFV3/5/OSPFV3_MEM_ALERT: OSPFV3 Process receive system memory alert start event. |
Explanation |
OSPFv3 received a memory alarm. |
Recommended action |
Check the system memory. |
OSPFV3_NBR_CHG
Message text |
OSPFv3 [UINT32] Neighbor [STRING] ([STRING]) received [STRING] and its state from [STRING] to [STRING]. |
Variable fields |
$1: Process ID. $2: Neighbor router ID. $3: Interface name. $4: Neighbor event. $5: Old adjacency state. $6: New adjacency state. |
Severity level |
5 |
Example |
OSPFV3/5/OSPFV3_NBR_CHG: OSPFv3 1 Neighbor 2.2.2.2 (Vlan100) received 1-Way from Full to Init. |
Explanation |
The OSPFv3 adjacency state changed on an interface. |
Recommended action |
When the adjacency with a neighbor changes to down on an interface, check for OSPFv3 configuration errors and loss of network connectivity. |
OSPFV3_RT_LMT
Message text |
OSPFv3 [UINT32] Route limit reached. |
Variable fields |
$1: Process ID. |
Severity level |
5 |
Example |
OSPFV3/5/OSPFV3_RT_LMT:OSPFv3 1 Route limit reached. |
Explanation |
The number of routes of an OSPFv3 process reached the upper limit. |
Recommended action |
Modify the route limit configuration. |
PBB messages
This section contains PBB messages.
PBB_JOINAGG_WARNING
Message text |
Because the aggregate interface [STRING] has been configured with PBB, assigning the interface [STRING] that does not support PBB to the aggregate group will cause incorrect processing. |
Variable fields |
$1: Aggregation group name. $2: Interface name. |
Severity level |
4 |
Example |
PBB/4/PBB_JOINAGG_WARNING: Because the aggregate interface Bridge-Aggregation1 has been configured with PBB, assigning the interface Ten-GigabitEthernet9/0/30 that does not support PBB to the aggregate group will cause incorrect processing. |
Explanation |
Because the interface does not support PBB, assigning the interface to an aggregation group configured with PBB will cause incorrect processing. If an aggregate interface is a PBB uplink port, all its members should support PBB. |
Recommended action |
Remove the interface from the aggregation group. |
PBR messages
This section contains PBR messages.
PBR_HARDWARE_ERROR
Message text |
Failed to update policy [STRING] due to [STRING]. |
Variable fields |
$1: Policy name. $2: Hardware error reasons: · The hardware resources are insufficient. · The system does not support the operation. · The hardware resources are insufficient and the system does not support the operation. |
Severity level |
4 |
Example |
PBR/4/PBR_HARDWARE_ERROR: Failed to update policy aaa due to insufficient hardware resources and not supported operations. |
Explanation |
The device failed to update PBR configuration. |
Recommended action |
Modify the PBR policy configuration according to the failure reason. |
PEX messages
This section contains PEX messages.
PEX_ASSOCIATEID_MISMATCHING
Message text |
The associated ID of PEX port [UNIT32] is [UNIT32] on the parent fabric, but the PEX connected to the port has obtained ID [UNIT32]. |
Variable fields |
$1: PEX port ID. $2: Virtual slot or chassis number configured on the parent fabric for a PEX. $3: Virtual slot or chassis number that the PEX has obtained. |
Severity level |
5 |
Example |
PEX/5/PEX_ASSOCIATEID_MISMATCHING: The associated ID of PEX port 1 is 100 on the parent fabric, but the PEX connected to the port has obtained ID 101. |
Explanation |
The configured virtual slot or chassis number for a PEX is different from the virtual slot or chassis number that the PEX has obtained. |
Recommended action |
Check the network connection. |
PEX_CONFIG_ERROR
Message text |
PEX port [UINT32] discarded a REGISTER request received from [STRING] through interface [STRING]. Reason: The PEX was not assigned an ID, or the PEX was assigned an ID equal to or greater than the maximum value ([UINT32]). |
Variable fields |
$1: PEX port ID. $2: PEX model. $3: Name of a PEX physical interface. $4: Maximum virtual slot or chassis number for the PEX model. |
Severity level |
4 |
Example |
PEX/4/PEX_CONFIG_ERROR: PEX port 1 discarded a REGISTER request received from PEX-S5120HI-S5500HI through interface Ten-GigabitEthernet10/0/31. Reason: The PEX was not assigned an ID, or the PEX was assigned an ID equal to or greater than the maximum value 130. |
Explanation |
This message is generated in the following situations: · The PEX is not assigned a virtual slot or chassis number. · The PEX is assigned a virtual slot or chassis number that is greater than the maximum value allowed for the PEX model. |
Recommended action |
1. Use the associate command to assign a valid slot or chassis number to the PEX. Make sure the slot or chassis number is within the value range for the PEX model. 2. If the problem persists, contact H3C Support. |
PEX_CONNECTION_ERROR
Message text |
PEX port [UINT32] discarded a REGISTER request received from [STRING] through interface [STRING]. Reason: Another PEX has been registered on the PEX port. |
Variable fields |
$1: PEX port ID. $2: PEX model. $3: Name of a PEX physical interface. |
Severity level |
4 |
Example |
PEX/4/PEX_CONNECTION_ERROR: PEX port 1 discarded a REGISTER request received from PEX-S5120HI-S5500HI through interface Ten-GigabitEthernet10/0/31. Reason: Another PEX has been registered on the PEX port. |
Explanation |
This message is generated if a PEX port is connected to multiple PEXs. |
Recommended action |
1. Reconnect PEXs to ensure sure that only one PEX is connected to the PEX port. 2. If the problem persists, contact H3C Support. |
PEX_FORBID_STACK
Message text |
Can't connect PEXs [UNIT32] and [UNIT32]: The PEX ports to which the PEXs belong are in different PEX port groups. |
Variable fields |
$1: Virtual slot or chassis number of a PEX. $2: Virtual slot or chassis number of a PEX. |
Severity level |
5 |
Example |
PEX/5/PEX_FORBID_STACK: Can't connect PEXs 100 and 102: The PEX ports to which the PEXs belong are in different PEX port groups. |
Explanation |
PEXs belonging to PEX ports of different PEX port groups were connected. |
Recommended action |
Check the network connection. |
PEX_LINK_BLOCK
Message text |
Status of [STRING] changed from [STRING] to blocked. |
Variable fields |
$1: Name of a PEX physical interface. $2: Data link status of the interface. |
Severity level |
4 |
Example |
PEX/4/PEX_LINK_BLOCK: Status of Ten-GigabitEthernet2/0/1 changed from forwarding to blocked. |
Explanation |
Data link of the PEX physical interface has changed to blocked. The blocked state is a transitional state between forwarding and down. In blocked state, a PEX physical interface can forward protocol packets, but it cannot forward data packets. This state change occurs in one of the following situations: · Incorrect physical connection: ¡ The PEX physical links on a PEX are connected to different PEX ports on the parent device. ¡ The PEX port on the parent device contains physical links to different PEXs. · The data link is forced to the blocked state. In the startup phase, a PEX blocks the link of a PEX physical interface if the interface is physically up, but it is not used for loading startup software. · The physical state of the interface is up, but the PEX connection between the PEX and the parent device has been disconnected. The PEX and the parent device cannot receive PEX heartbeat packets from each other. |
Recommended action |
If a down PEX link changes from blocked to up quickly, you do not need to take action. If the link stays in blocked state, check the PEX cabling to verify that: · The PEX's all PEX physical interfaces are connected to the physical interfaces assigned to the same PEX port on the parent device. · The PEX port contains only physical links to the same PEX. If a forwarding PEX link stays in blocked state when it is changing to the down state, verify that an IRF fabric split has occurred. When an IRF fabric split occur, a PEX link is be blocked if it is connected to the Recovery-state IRF member device. |
PEX_LINK_DOWN
Message text |
Status of [STRING] changed from [STRING] to down. |
Variable fields |
$1: Name of a PEX physical interface. $2: Data link status of the interface. |
Severity level |
4 |
Example |
PEX/4/PEX_LINK_DOWN: Status of Ten-GigabitEthernet2/0/1 changed from forwarding to down. |
Explanation |
Data link of the PEX physical interface has changed to the down state and cannot forward any packets. The following are common reasons for this state change: · Physical link fails. · The interface is shut down administratively. · The system reboots. |
Recommended action |
If the interface has been shut down administratively or in the down state because of a system reboot, use the undo shutdown command to bring up the interface as needed. If the interface is down because of a physical link failure, verify that the cable has been securely connected and is in good condition. |
PEX_LINK_FORWARD
Message text |
Status of [STRING] changed from [STRING] to forwarding. |
Variable fields |
$1: Name of a PEX physical interface. $2: Data link status of the interface. |
Severity level |
5 |
Example |
PEX/5/PEX_LINK_FORWARD: Status of Ten-GigabitEthernet2/0/1 changed from blocked to forwarding. |
Explanation |
Data link of the PEX physical interface has changed to the forwarding state and can forward data packets. This link state change occurs when one of the following events occurs: · The link is detected again after it changes to the blocked state. · The PEX finishes loading startup software images from the parent device through the interface. |
Recommended action |
No action is required. |
PEX_REG_JOININ
Message text |
PEX ([STRING]) registered successfully on PEX port [UINT32]. |
Variable fields |
$1: Virtual slot or chassis number of a PEX. $2: PEX port ID. |
Severity level |
5 |
Example |
PEX/5/PEX_REG_JOININ: PEX (slot 101) registered successfully on PEX port 1. |
Explanation |
The PEX has been registered successfully. You can configure and manage the PEX attached to the PEX port on the parent device as if the PEX was an interface card. |
Recommended action |
No action is required. |
PEX_REG_LEAVE
Message text |
PEX ([STRING]) unregistered on PEX port [UINT32]. |
Variable fields |
$1: Virtual slot or chassis number of a PEX. $2: PEX port ID. |
Severity level |
4 |
Example |
PEX/4/PEX_REG_LEAVE: PEX (slot 101) unregistered on PEX port 1. |
Explanation |
The PEX has been unregistered. You cannot operate the PEX from the parent device. A PEX unregister event occurs when one of the following events occurs: · The PEX reboots. · All physical interfaces in the PEX port are down. For example, all physical interfaces are shut down administratively, or all the physical links are disconnected. · The PEX fails to start up within 30 minutes. · Link detection fails on all physical interfaces in the PEX port. |
Recommended action |
If the event occurs because the PEX reboots or PEX physical interfaces are shut down administratively, use the undo shutdown command to bring up the interfaces as needed. To resolve the problem that occurs for any other reasons: · Use the display device command to verify that the slot or chassis number of the PEX is present and the state is correct. · Use the display pex-port command to verify that the PEX physical interfaces are configured correctly and in a correct state. · Use the display interface command to verify that the physical state of the PEX physical interfaces is up. If the Current state field displays down, check the cabling for a physical link failure. |
PEX_REG_REQUEST
Message text |
Received a REGISTER request on PEX port [UINT32] from PEX ([STRING]). |
Variable fields |
$1: PEX port ID. $2: Virtual slot or chassis number of a PEX. |
Severity level |
5 |
Example |
Pattern 1: PEX/5/PEX_REG_REQUEST: Received a REGISTER request on PEX port 1 from PEX (slot 101). Pattern 2: PEX/5/PEX_REG_REQUEST: Received a REGISTER request on PEX port 1 from PEX (chassis 101). |
Explanation |
The PEX sent a registration request to the parent device. This event occurs when the PEX starts up after PEX configuration is completed and the PEX device is connected to the patent device correctly. The parent device will allow the PEX to load startup software images after it receives a REGISTER request. |
Recommended action |
No action is required. |
PEX_STACKCONNECTION_ERROR
Message text |
A device was connected to a PEX that already had two neighboring devices. |
Variable fields |
N/A |
Severity level |
5 |
Example |
PEX/5/PEX_STACKCONNECTION_ERROR: A device was connected to a PEX that already had two neighboring devices. |
Explanation |
Connection error was detected. A device was connected to a PEX that already has two neighboring devices in an IRF 3 system. |
Recommended action |
Check the network connection. |
PFILTER messages
This section contains packet filter messages.
PFILTER_GLB_IPV4_DACT_NO_RES
Message text |
Failed to apply or refresh the IPv4 default action to the [STRING] direction globally. The resources are insufficient. |
Variable fields |
$1: Traffic direction. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_GLB_IPV4_DACT_NO_RES: Failed to apply or refresh the IPv4 default action to the inbound direction globally. The resources are insufficient. |
Explanation |
The system failed to apply or refresh the IPv4 default action globally because of insufficient hardware resources. |
Recommended action |
Use the display qos-acl resource command to check the hardware resource usage. |
PFILTER_GLB_IPV4_DACT_UNK_ERR
Message text |
Failed to apply or refresh the IPv4 default action to the [STRING] direction globally. |
Variable fields |
$1: Traffic direction. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_GLB_IPV4_DACT_UNK_ERR: Failed to apply or refresh the IPv4 default action to the inbound direction globally. |
Explanation |
The system failed to apply or refresh the IPv4 default action globally because of unknown errors. |
Recommended action |
None. |
PFILTER_GLB_IPV6_DACT_NO_RES
Message text |
Failed to apply or refresh the IPv6 default action to the [STRING] direction globally. The resources are insufficient. |
Variable fields |
$1: Traffic direction. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_GLB_IPV6_DACT_NO_RES: Failed to apply or refresh the IPv6 default action to the inbound direction globally. The resources are insufficient. |
Explanation |
The system failed to apply or refresh the IPv6 default action globally because of insufficient hardware resources. |
Recommended action |
Use the display qos-acl resource command to check the hardware resource usage. |
PFILTER_GLB_IPV6_DACT_UNK_ERR
Message text |
Failed to apply or refresh the IPv6 default action to the [STRING] direction globally. |
Variable fields |
$1: Traffic direction. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_GLB_IPV6_DACT_UNK_ERR: Failed to apply or refresh the IPv6 default action to the inbound direction globally. |
Explanation |
The system failed to apply or refresh the IPv6 default action globally because of unknown errors. |
Recommended action |
None. |
PFILTER_GLB_MAC_DACT_NO_RES
Message text |
Failed to apply or refresh the MAC default action to the [STRING] direction globally. The resources are insufficient. |
Variable fields |
$1: Traffic direction. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_GLB_MAC_DACT_NO_RES: Failed to apply or refresh the MAC default action to the inbound direction globally. The resources are insufficient. |
Explanation |
The system failed to apply or refresh the MAC default action globally because of insufficient hardware resources. |
Recommended action |
Use the display qos-acl resource command to check the hardware resource usage. |
PFILTER_GLB_MAC_DACT_UNK_ERR
Message text |
Failed to apply or refresh the MAC default action to the [STRING] direction globally. |
Variable fields |
$1: Traffic direction. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_GLB_MAC_DACT_UNK_ERR: Failed to apply or refresh the MAC default action to the inbound direction globally. |
Explanation |
The system failed to apply or refresh the MAC default action globally because of unknown errors. |
Recommended action |
None. |
PFILTER_GLB_NO_RES
Message text |
Failed to apply or refresh [STRING] ACL [UINT] [STRING] to the [STRING] direction globally. The resources are insufficient. |
Variable fields |
$1: ACL type. $2: ACL number. $3: Rule ID. $4: Traffic direction. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_GLB_NO_RES: Failed to apply or refresh IPv6 ACL 2000 rule 1 to the inbound direction globally. The resources are insufficient. |
Explanation |
The system failed to apply or refresh an ACL rule globally because of insufficient hardware resources. |
Recommended action |
Use the display qos-acl resource command to check the hardware resource usage. |
PFILTER_GLB_NOT_SUPPORT
Message text |
Failed to apply or refresh [STRING] ACL [UINT] [STRING] to the [STRING] direction globally. The ACL is not supported. |
Variable fields |
$1: ACL type. $2: ACL number. $3: Rule ID. $4: Traffic direction. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_GLB_NOT_SUPPORT: Failed to apply or refresh IPv6 ACL 2000 rule 1 to the inbound direction globally. The ACL is not supported. |
Explanation |
The system failed to apply or refresh an ACL rule globally because the ACL rule is not supported. |
Recommended action |
Delete unsupported content from the ACL rule. |
PFILTER_GLB_UNK_ERR
Message text |
Failed to apply or refresh [STRING] ACL [UINT] [STRING] to the [STRING] direction globally. |
Variable fields |
$1: ACL type. $2: ACL number. $3: Rule ID. $4: Traffic direction. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_GLB_UNK_ERR: Failed to apply or refresh IPv6 ACL 2000 rule 1 to the inbound direction globally. |
Explanation |
The system failed to apply or refresh an ACL rule globally because of unknown errors. |
Recommended action |
None. |
PFILTER_IF_IPV4_DACT_NO_RES
Message text |
Failed to apply or refresh the IPv4 default action to the [STRING] direction of interface [STRING]. The resources are insufficient. |
Variable fields |
$1: Traffic direction. $2: Interface name. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_IF_IPV4_DACT_NO_RES: Failed to apply or refresh the IPv4 default action to the inbound direction of interface GigabitEthernet 3/1/2. The resources are insufficient. |
Explanation |
The system failed to apply or refresh the IPv4 default action for an interface because of insufficient hardware resources. |
Recommended action |
Use the display qos-acl resource command to check the hardware resource usage. |
PFILTER_IF_IPV4_DACT_UNK_ERR
Message text |
Failed to apply or refresh the IPv4 default action to the [STRING] direction of interface [STRING]. |
Variable fields |
$1: Traffic direction. $2: Interface name. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_IF_IPV4_DACT_UNK_ERR: Failed to apply or refresh the IPv4 default action to the inbound direction of interface GigabitEthernet 3/1/2. |
Explanation |
The system failed to apply or refresh the IPv4 default action for an interface because of unknown errors. |
Recommended action |
None. |
PFILTER_IF_IPV6_DACT_NO_RES
Message text |
Failed to apply or refresh the IPv6 default action to the [STRING] direction of interface [STRING]. The resources are insufficient. |
Variable fields |
$1: Traffic direction. $2: Interface name. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_IF_IPV6_DACT_NO_RES: Failed to apply or refresh the IPv6 default action to the inbound direction of interface GigabitEthernet 3/1/2. The resources are insufficient. |
Explanation |
The system failed to apply or refresh the IPv6 default action for an interface because of insufficient hardware resources. |
Recommended action |
Use the display qos-acl resource command to check the hardware resource usage. |
PFILTER_IF_IPV6_DACT_UNK_ERR
Message text |
Failed to apply or refresh the IPv6 default action to the [STRING] direction of interface [STRING]. |
Variable fields |
$1: Traffic direction. $2: Interface name. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_IF_IPV6_DACT_UNK_ERR: Failed to apply or refresh the IPv6 default action to the inbound direction of interface GigabitEthernet 3/1/2. |
Explanation |
The system failed to apply or refresh the IPv6 default action for an interface because of unknown errors. |
Recommended action |
None. |
PFILTER_IF_MAC_DACT_NO_RES
Message text |
Failed to apply or refresh the MAC default action to the [STRING] direction of interface [STRING]. The resources are insufficient. |
Variable fields |
$1: Traffic direction. $2: Interface name. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_IF_MAC_DACT_NO_RES: Failed to apply or refresh the MAC default action to the inbound direction of interface GigabitEthernet 3/1/2. The resources are insufficient. |
Explanation |
The system failed to apply or refresh the MAC default action for an interface because of insufficient hardware resources. |
Recommended action |
Use the display qos-acl resource command to check the hardware resource usage. |
PFILTER_IF_MAC_DACT_UNK_ERR
Message text |
Failed to apply or refresh the MAC default action to the [STRING] direction of interface [STRING]. |
Variable fields |
$1: Traffic direction. $2: Interface name. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_IF_MAC_DACT_UNK_ERR: Failed to apply or refresh the MAC default action to the inbound direction of interface GigabitEthernet 3/1/2. |
Explanation |
The system failed to apply or refresh the MAC default action for an interface because of unknown errors. |
Recommended action |
None. |
PFILTER_IF_NO_RES
Message text |
Failed to apply or refresh [STRING] ACL [UINT] [STRING] to the [STRING] direction of interface [STRING]. The resources are insufficient. |
Variable fields |
$1: ACL type. $2: ACL number. $3: Rule ID. $4: Traffic direction. $5: Interface name. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_IF_NO_RES: Failed to apply or refresh IPv6 ACL 2000 rule 1 to the inbound direction of interface GigabitEthernet 3/1/2. The resources are insufficient. |
Explanation |
The system failed to apply or refresh an ACL rule to an interface because of insufficient hardware resources. |
Recommended action |
Use the display qos-acl resource command to check the hardware resource usage. |
PFILTER_IF_NOT_SUPPORT
Message text |
Failed to apply or refresh [STRING] ACL [UINT] [STRING] to the [STRING] direction of interface [STRING]. The ACL is not supported. |
Variable fields |
$1: ACL type. $2: ACL number. $3: Rule ID. $4: Traffic direction. $5: Interface name. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_IF_NOT_SUPPORT: Failed to apply or refresh IPv6 ACL 2000 rule 1 to the inbound direction of interface GigabitEthernet 3/1/2. The ACL is not supported. |
Explanation |
The system failed to apply or refresh an ACL rule to an interface because the ACL rule is not supported. |
Recommended action |
Delete unsupported content from the ACL rule. |
PFILTER_IF_UNK_ERR
Message text |
Failed to apply or refresh [STRING] ACL [UINT] [STRING] to the [STRING] direction of interface [STRING]. |
Variable fields |
$1: ACL type. $2: ACL number. $3: Rule ID. $4: Traffic direction. $5: Interface name. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_IF_UNK_ERR: Failed to apply or refresh IPv6 ACL 2000 rule 1 to the inbound direction of interface GigabitEthernet 3/1/2. |
Explanation |
The system failed to apply or refresh an ACL rule to an interface because of unknown errors. |
Recommended action |
None. |
PFILTER_IPV6_STATIS_INFO
Message text |
[STRING] ([STRING]): Packet-filter IPv6 [UINT32] [STRING] [STRING] [UINT64] packet(s). |
Variable fields |
$1: Application destination. $2: Traffic direction. $3: ACL number. $4: Rule ID and rule content. $5: Number of packets matching the rule. |
Severity level |
6 |
Example |
ACL/6/PFILTER_IPV6_STATIS_INFO: GigabitEthernet1/0/4 (inbound): Packet-filter IPv6 2000 rule 0 permit source 1:1::/64 logging 1000 packet(s). |
Explanation |
This message is generated when the number of packets matching the IPv6 ACL rule changed. |
Recommended action |
No action is required. |
PFILTER_STATIS_INFO
Message text |
[STRING] ([STRING]): Packet-filter [UINT32] [STRING] [UINT64] packet(s). |
Variable fields |
$1: Application destination. $2: Traffic direction. $3: ACL number. $4: Rule ID and rule content. $5: Number of packets matching the rule. |
Severity level |
6 |
Example |
ACL/6/PFILTER_STATIS_INFO: GigabitEthernet1/0/4 (inbound): Packet-filter 2000 rule 0 permit source 1.1.1.1 0 logging 10000 packet(s). |
Explanation |
This message is generated when the number of packets matching the IPv4 ACL rule changed. |
Recommended action |
No action is required. |
PFILTER_VLAN_IPV4_DACT_NO_RES
Message text |
Failed to apply or refresh the IPv4 default action to the [STRING] direction of VLAN [UINT16]. The resources are insufficient. |
Variable fields |
$1: Traffic direction. $2: VLAN ID. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_VLAN_IPV4_DACT_NO_RES: Failed to apply or refresh the IPv4 default action to the inbound direction of VLAN 1. The resources are insufficient. |
Explanation |
The system failed to apply or refresh the IPv4 default action for a VLAN because of insufficient hardware resources. |
Recommended action |
Use the display qos-acl resource command to check the hardware resource usage. |
PFILTER_VLAN_IPV4_DACT_UNK_ERR
Message text |
Failed to apply or refresh the IPv4 default action to the [STRING] direction of VLAN [UINT16]. |
Variable fields |
$1: Traffic direction. $2: VLAN ID. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_VLAN_IPV4_DACT_UNK_ERR: Failed to apply or refresh the IPv4 default action to the inbound direction of VLAN 1. |
Explanation |
The system failed to apply or refresh the IPv4 default action for a VLAN because of unknown errors. |
Recommended action |
None. |
PFILTER_VLAN_IPV6_DACT_NO_RES
Message text |
Failed to apply or refresh the IPv6 default action to the [STRING] direction of VLAN [UINT16]. The resources are insufficient. |
Variable fields |
$1: Traffic direction. $2: VLAN ID. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_VLAN_IPV6_DACT_NO_RES: Failed to apply or refresh the IPv6 default action to the inbound direction of VLAN 1. The resources are insufficient. |
Explanation |
The system failed to apply or refresh the IPv6 default action for a VLAN because of insufficient hardware resources. |
Recommended action |
Use the display qos-acl resource command to check the hardware resource usage. |
PFILTER_VLAN_IPV6_DACT_UNK_ERR
Message text |
Failed to apply or refresh the IPv6 default action to the [STRING] direction of VLAN [UINT16]. |
Variable fields |
$1: Traffic direction. $2: VLAN ID. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_VLAN_IPV6_DACT_UNK_ERR: Failed to apply or refresh the IPv6 default action to the inbound direction of VLAN 1. |
Explanation |
The system failed to apply or refresh the IPv6 default action for a VLAN because of unknown errors. |
Recommended action |
None. |
PFILTER_VLAN_MAC_DACT_NO_RES
Message text |
Failed to apply or refresh the MAC default action to the [STRING] direction of VLAN [UINT16]. The resources are insufficient. |
Variable fields |
$1: Traffic direction. $2: VLAN ID. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_VLAN_MAC_DACT_NO_RES: Failed to apply or refresh the MAC default action to the inbound direction of VLAN 1. The resources are insufficient. |
Explanation |
The system failed to apply or refresh the MAC default action for a VLAN because of insufficient hardware resources. |
Recommended action |
Use the display qos-acl resource command to check the hardware resource usage. |
PFILTER_VLAN_MAC_DACT_UNK_ERR
Message text |
Failed to apply or refresh the MAC default action to the [STRING] direction of VLAN [UINT16]. |
Variable fields |
$1: Traffic direction. $2: VLAN ID. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_VLAN_MAC_DACT_UNK_ERR: Failed to apply or refresh the MAC default action to the inbound direction of VLAN 1. |
Explanation |
The system failed to apply or refresh the MAC default action for a VLAN because of unknown errors. |
Recommended action |
None. |
PFILTER_VLAN_NO_RES
Message text |
Failed to apply or refresh [STRING] ACL [UINT] [STRING] to the [STRING] direction of VLAN [UINT16]. The resources are insufficient. |
Variable fields |
$1: ACL type. $2: ACL number. $3: Rule ID. $4: Traffic direction. $5: VLAN ID. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_VLAN_NO_RES: Failed to apply or refresh IPv6 ACL 2000 rule 1 to the inbound direction of VLAN 1. The resources are insufficient. |
Explanation |
The system failed to apply or refresh an ACL rule to a VLAN because of insufficient hardware resources. |
Recommended action |
Use the display qos-acl resource command to check the hardware resource usage. |
PFILTER_VLAN_NOT_SUPPORT
Message text |
Failed to apply or refresh [STRING] ACL [UINT] [STRING] to the [STRING] direction of VLAN [UINT16]. The ACL is not supported. |
Variable fields |
$1: ACL type. $2: ACL number. $3: Rule ID. $4: Traffic direction. $5: VLAN ID. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_VLAN_NOT_SUPPORT: Failed to apply or refresh ACL 2000 rule 1 to the inbound direction of VLAN 1. The ACL is not supported. |
Explanation |
The system failed to apply or refresh an ACL rule to a VLAN because the ACL rule is not supported. |
Recommended action |
Delete unsupported content from the ACL rule. |
PFILTER_VLAN_UNK_ERR
Message text |
Failed to apply or refresh [STRING] ACL [UINT] [STRING] to the [STRING] direction of VLAN [UINT16]. |
Variable fields |
$1: ACL type. $2: ACL number. $3: Rule ID. $4: Traffic direction. $5: VLAN ID. |
Severity level |
3 |
Example |
PFILTER/3/PFILTER_VLAN_UNK_ERR: Failed to apply or refresh ACL 2000 rule 1 to the inbound direction of VLAN 1. |
Explanation |
The system failed to apply or refresh an ACL rule to a VLAN because of unknown errors. |
Recommended action |
None. |
PIM messages
This section contains PIM messages.
PIM_MEM_ALERT
Message text |
PIM Process receive system memory alert [STRING] event. |
Variable fields |
$1: Event type of the memory alert. |
Severity level |
5 |
Example |
PIM/5/PIM_MEM_ALERT: PIM Process receive system memory alert start event. |
Explanation |
When the memory changed, the PIM module received a memory alert event. |
Recommended action |
Check the system memory. |
PIM_NBR_DOWN
Message text |
[STRING]: Neighbor [STRING] ([STRING]) is down. |
Variable fields |
$1: VPN instance name enclosed in parentheses (()). If the PIM neighbor belongs to the public network, this field is not displayed. Public network or VPN instance. $2: IP address of the neighbor. $3: Interface name. |
Severity level |
5 |
Example |
PIM/5/PIM_NBR_DOWN: Neighbor 10.1.1.1(Vlan-interface10) is down. |
Explanation |
The PIM neighbor went down. |
Recommended action |
Check the PIM configuration and network status. |
PIM_NBR_UP
Message text |
[STRING]: Neighbor [STRING] ([STRING]) is up. |
Variable fields |
$1: VPN instance name enclosed in parentheses (()). If the PIM neighbor belongs to the public network, this field is not displayed. $2: IP address of the neighbor. $3: Interface name. |
Severity level |
5 |
Example |
PIM/5/PIM_NBR_UP: Neighbor 10.1.1.1(Vlan-interface10) is up. |
Explanation |
The PIM neighbor came up. |
Recommended action |
No action is required. |
PING messages
This section contains ping messages.
PING_STATIS_INFO
Message text |
[STRING] [STRING] statistics: [UINT32] packet(s) transmitted, [UINT32] packet(s) received, [DOUBLE]% packet loss, round-trip min/avg/max/std-dev = [DOUBLE]/[DOUBLE]/[DOUBLE]/[DOUBLE] ms. |
Variable fields |
$1: IP address, IPv6 address, or host name for the destination. $2: Ping or ping6. $3: Number of echo requests sent. $4: Number of echo replies received. $5: Percentage of the non-replied packets to the total request packets. $6: Minimum round-trip delay. $7: Average round-trip delay. $8: Maximum round-trip delay. $9: Standard deviation round-trip delay. |
Severity level |
6 |
Example |
PING/6/PING_STATIS_INFO: 192.168.0.115 ping statistics: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.800/2.000/0.748 ms. |
Explanation |
Statistics for a ping operation. |
Recommended action |
If there is no packet received, identify whether the interface is down. |
PING_VPN_STATIS_INFO
Message text |
[STRING] in VPN-instance [STRING] [STRING] statistics: [UINT32] packet(s) transmitted, [UINT32] packet(s) received, [DOUBLE]% packet loss, round-trip min/avg/max/std-dev = [DOUBLE]/[DOUBLE]/[DOUBLE]/[DOUBLE] ms. |
Variable fields |
$1: IP address, IPv6 address, or host name for the destination. $2: VPN instance name. $3: ping or ping6. $4: Number of echo requests sent. $5: Number of echo replies received. $6: Percentage of the non-replied packets to the total request packets. $7: Minimum round-trip delay. $8: Average round-trip delay. $9: Maximum round-trip delay. $10: Standard deviation round-trip delay. |
Severity level |
6 |
Example |
PING/6/PING_VPN_STATIS_INFO: 192.168.0.115 in VPN-instance VPNA ping statistics: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.800/2.000/0.748 ms. |
Explanation |
Statistics for a ping operation. |
Recommended action |
If there is no packet received, identify whether the interface is down. |
PKI messages
This section contains PKI messages.
REQUEST_CERT_FAIL
Message text |
Failed to request certificate of domain [STRING]. |
Variable fields |
$1: PKI domain name |
Severity level |
5 |
Example |
PKI/5/REQUEST_CERT_FAIL: Failed to request certificate of domain abc. |
Explanation |
Failed to request certificate for a domain. |
Recommended action |
Check the configuration of the device and CA server, and the network between them. |
REQUEST_CERT_SUCCESS
Message text |
Request certificate of domain [STRING] successfully. |
Variable fields |
$1: PKI domain name |
Severity level |
5 |
Example |
PKI/5/REQUEST_CERT_SUCCESS: Request certificate of domain abc successfully. |
Explanation |
Successfully requested certificate for a domain. |
Recommended action |
No action is required. |
PKT2CPU messages
This section contains PKT2CPU messages.
PKT2CPU_NO_RESOURCE
Message text |
-Interface=[STRING]-ProtocolType=[UINT32]-MacAddr=[STRING]; The resources is insufficient. -Interface=[STRING]-ProtocolType=[UINT32]-SrcPort=[UINT32]-DstPort=[UINT32]; The resources is insufficient. |
Variable fields |
$1: Interface type and number. $2: Protocol type. $3: MAC address or source port. $4: Destination port. |
Severity level |
4 |
Example |
PKT2CPU/4/PKT2CPU_NO_RESOURCE: -Interface=GigabitEthernet1/0/2-ProtocolType=21-MacAddr=0180-c200-0014; The resources is insufficient. |
Explanation |
Hardware resources were insufficient. |
Recommended action |
Remove the configuration. |
PORTSEC messages
This section contains port security messages.
PORTSEC_ACL_FAILURE
Message text |
-IfName=[STRING]-MACAddr=[STRING]; ACL authorization failed because [STRING]. |
Variable fields |
$1: Interface type and number. $2: MAC address. $3: Cause of failure: ¡ the specified ACL didn't exist. ¡ this type of ACL is not supported. ¡ hardware resources were insufficient. ¡ the specified ACL conflicted with other ACLs applied to the interface. ¡ the specified ACL didn't contain any rules. |
Severity level |
5 |
Example |
PORTSEC/5/PORTSEC_ACL_FAILURE:-IfName=GigabitEthernet1/0/4-MACAddr=0010-8400-22b9; ACL authorization failed because the specified ACL didn't exist. |
Explanation |
ACL authorization failed. |
Recommended action |
Handle the issue according to the failure cause. |
PORTSEC_LEARNED_MACADDR
Message text |
-IfName=[STRING]-MACAddr=[STRING]-VLANID=[STRING]; A new MAC address was learned. |
Variable fields |
$1: Interface type and number. $2: MAC address. $3: VLAN ID. |
Severity level |
6 |
Example |
PORTSEC/6/PORTSEC_LEARNED_MACADDR:-IfName=GigabitEthernet1/0/4-MACAddr=0010-8400-22b9-VLANID=444; A new MAC address was learned. |
Explanation |
A new secure MAC address was learned on the interface. |
Recommended action |
No action is required. |
PORTSEC_NTK_NOT_EFFECTIVE
Message text |
The NeedToKnow feature is configured but is not effective on interface [STRING]. |
Variable fields |
$1: Interface type and number. |
Severity level |
3 |
Example |
PORTSEC/3/PORTSEC_NTK_NOT_EFFECTIVE: The NeedToKnow feature is configured but is not effective on interface GigabitEthernet3/1/2. |
Explanation |
The NeedToKnow mode does not take effect on an interface, because the interface does not support the NeedToKnow mode. |
Recommended action |
Remove the issue depending on the network requirements: 1. If the NeedToKnow feature is not required, disable the NeedToKnow feature on the interface. 2. If the NeedToKnow feature is required, reconnect the connected devices to another interface that supports the NeedToKnow mode. Then, configure the NeedToKnow mode on the new interface. 3. If the problem persists, contact H3C Support. |
PORTSEC_PORTMODE_NOT_EFFECTIVE
Message text |
The port-security mode is configured but is not effective on interface [STRING]. |
Variable fields |
$1: Interface name. |
Severity level |
3 |
Example |
PORTSEC/3/PORTSEC_PORTMODE_NOT_EFFECTIVE: The port-security mode is configured but is not effective on interface GigabitEthernet3/1/2. |
Explanation |
The port security mode does not take effect on an interface, because the interface does not support this mode. |
Recommended action |
Change the port security mode or disable the port security feature on the interface. |
PORTSEC_PROFILE_FAILURE
Message text |
-IfName=[STRING]-MACAddr=[STRING]; Failed to assign a user profile to driver. |
Variable fields |
$1: Interface type and number. $2: MAC address. |
Severity level |
5 |
Example |
PORTSEC/5/PORTSEC_PROFILE_FAILURE:-IfName=GigabitEthernet1/0/4-MACAddr=0010-8400-22b9; Failed to assign a user profile to driver. |
Explanation |
The device failed to assign a user profile to the driver. |
Recommended action |
No action is required. |
PORTSEC_VIOLATION
Message text |
-IfName=[STRING]-MACAddr=[STRING]-VLANID=[STRING]-IfStatus=[STRING]; Intrusion protection was triggered. |
Variable fields |
$1: Interface type and number. $2: MAC address. $3: VLAN ID. $4: Interface status. |
Severity level |
5 |
Example |
PORTSEC/5/PORTSEC_VIOLATION:-IfName=GigabitEthernet1/0/4-MACAddr=0010-8400-22b9-VLANID=444-IfStatus=Up; Intrusion protection was triggered. |
Explanation |
Intrusion protection was triggered. |
Recommended action |
· Check the authentication and port security configuration. · Change the port security mode. |
PPP messages
This section contains PPP messages.
IPPOOL_ADDRESS_EXHAUSTED
Message text |
The address pool [STRING] is exhausted. |
Variable fields |
$1: Pool name. |
Severity level |
5 |
Example |
PPP/5/IPPOOL_ADDRESS_EXHAUSTED: The address pool aaa is exhausted. |
Explanation |
This message is generated when the last address is assigned from the pool. |
Recommended action |
1. Add addresses to the pool. 2. If the problem persists, contact H3C Support. |
PWDCTL messages
This section contains password control messages.
ADDBLACKLIST
Message text |
[STRING] was added to the blacklist for failed login attempts. |
Variable fields |
$1: Username. |
Severity level |
6 |
Example |
PWDCTL/6/ADDBLACKLIST: hhh was added to the blacklist for failed login attempts. |
Explanation |
A user was added to the password control blacklist because of a login failure caused by a wrong password. |
Recommended action |
No action is required. |
CHANGEPASSWORD
Message text |
[STRING] changed the password because [STRING]. |
Variable fields |
$1: Username. $2: Reasons for changing the password. ¡ Because it is the first login of the account. ¡ Because the password had expired. ¡ Because the password was too short. ¡ Because the password was not complex enough. |
Severity level |
6 |
Example |
PWDCTL/6/CNAHGEPASSWORD: hhh changed the password because first login. |
Explanation |
The user changed the password for some reason, for example, for the first login. |
Recommended action |
No action is required. |
FAILEDTOWRITEPWD
Message text |
Failed to write the password records to file. |
Variable fields |
N/A |
Severity level |
6 |
Example |
PWDCTL/6/FAILEDTOWRITEPWD: Failed to write the password records to file. |
Explanation |
The device failed to write a password to a file. |
Recommended action |
1. Check the file system of the device for memory space insufficiency. 2. If the problem persists, contact H3C Support. |
QoS messages
This section contains QoS messages.
QOS_CBWFQ_REMOVED
Message text |
CBWFQ is removed from [STRING]. |
Variable fields |
$1: Interface name. |
Severity level |
3 |
Example |
QOS/3/QOS_CBWFQ_REMOVED: CBWFQ is removed from GigabitEthernet4/0/1. |
Explanation |
CBWFQ was removed from an interface because the maximum bandwidth or speed configured on the interface was below the bandwidth or speed required for CBWFQ. |
Recommended action |
Increase the bandwidth or speed and apply the removed CBWFQ again. |
QOS_POLICY_APPLYCOPP_CBFAIL
Message text |
Failed to apply classifier-behavior [STRING] in policy [STRING] to the [STRING] direction of control plane slot [UINT32]. [STRING]. |
Variable fields |
$1: Name of a classifier-behavior association. $2: Policy name. $3: Traffic direction. $4: Slot number. $5: Cause. |
Severity level |
4 |
Example |
QOS/4/QOS_POLICY_APPLYCOPP_CBFAIL: Failed to apply classifier-behavior d in policy b to the inbound direction of control plane slot 3. No actions in behavior. |
Explanation |
The system failed to perform one of the following actions: · Apply a classifier-behavior association to a specific direction of a control plane. · Update a classifier-behavior association applied to a specific direction of a control plane. |
Recommended action |
Configure actions for the behavior. |
QOS_POLICY_APPLYCOPP_FAIL
Message text |
Failed to apply or refresh QoS policy [STRING] to the [STRING] direction of control plane slot [UINT32]. [STRING]. |
Variable fields |
$1: Policy name. $2: Traffic direction. $3: Slot number. $4: Cause. |
Severity level |
4 |
Example |
QOS/4/QOS_POLICY_APPLYCOPP_FAIL: Failed to apply or refresh QoS policy b to the inbound direction of control plane slot 3. Not supported by hardware. |
Explanation |
The system failed to perform one of the following actions: · Apply a QoS policy to a specific direction of a control plane. · Update a QoS policy applied to a specific direction of a control plane. |
Recommended action |
Modify the contents of the QoS policy. |
QOS_POLICY_APPLYGLOBAL_CBFAIL
Message text |
Failed to apply classifier-behavior [STRING] in policy [STRING] to the [STRING] direction globally. [STRING]. |
Variable fields |
$1: Name of a classifier-behavior association. $2: Policy name. $3: Traffic direction. $4: Cause. |
Severity level |
4 |
Example |
QOS/4/QOS_POLICY_APPLYGLOBAL_CBFAIL: Failed to apply classifier-behavior a in policy b to the outbound direction globally. No actions in behavior. |
Explanation |
The system failed to perform one of the following actions: · Apply a classifier-behavior association to a specific direction globally. · Update a classifier-behavior association applied to a specific direction globally. |
Recommended action |
Configure actions for the behavior. |
QOS_POLICY_APPLYGLOBAL_FAIL
Message text |
Failed to apply or refresh QoS policy [STRING] to the [STRING] direction globally. [STRING]. |
Variable fields |
$1: Policy name. $2: Traffic direction. $3: Cause. |
Severity level |
4 |
Example |
QOS/4/ QOS_POLICY_APPLYGLOBAL_FAIL: Failed to apply or refresh QoS policy b to the inbound direction globally. Not supported by hardware. |
Explanation |
The system failed to perform one of the following actions: · Apply a QoS policy to a specific direction globally. · Update a QoS policy applied to a specific direction globally. |
Recommended action |
Modify the contents of the QoS policy. |
QOS_POLICY_APPLYIF_CBFAIL
Message text |
Failed to apply classifier-behavior [STRING] in policy [STRING] to the [STRING] direction of interface [STRING]. [STRING]. |
Variable fields |
$1: Name of a classifier-behavior association. $2: Policy name. $3: Traffic direction. $4: Interface name. $5: Cause. |
Severity level |
4 |
Example |
QOS/4/QOS_POLICY_APPLYIF_CBFAIL: Failed to apply classifier-behavior b in policy b to the inbound direction of interface GigabitEthernet1/0/2. No actions in behavior. |
Explanation |
The system failed to perform one of the following actions: · Apply a classifier-behavior association to a specific direction of an interface. · Update a classifier-behavior association applied to a specific direction of an interface. |
Recommended action |
Configure actions for the behavior. |
QOS_POLICY_APPLYIF_FAIL
Message text |
Failed to apply or refresh QoS policy [STRING] to the [STRING] direction of interface [STRING]. [STRING]. |
Variable fields |
$1: Policy name. $2: Traffic direction. $3: Interface name. $4: Cause. |
Severity level |
4 |
Example |
QOS/4/QOS_POLICY_APPLYIF_FAIL: Failed to apply or refresh QoS policy b to the inbound direction of interface GigabitEthernet1/0/2. Not supported by hardware. |
Explanation |
The system failed to perform one of the following actions: · Apply a QoS policy to a specific direction of an interface. · Update a QoS policy applied to a specific direction of an interface. |
Recommended action |
Modify the contents of the QoS policy. |
QOS_POLICY_APPLYVLAN_CBFAIL
Message text |
Failed to apply classifier-behavior [STRING] in policy [STRING] to the [STRING] direction of VLAN [UINT32]. [STRING]. |
Variable fields |
$1: Name of a classifier-behavior association. $2: Policy name. $3: Traffic direction. $4: VLAN ID. $5: Cause. |
Severity level |
4 |
Example |
QOS/4QOS_POLICY_APPLYVLAN_CBFAIL: Failed to apply classifier-behavior b in policy b to the inbound direction of VLAN 2. No actions in behavior. |
Explanation |
The system failed to perform one of the following actions: · Apply a classifier-behavior association to a specific direction of a VLAN. · Update a classifier-behavior association applied to a specific direction of a VLAN. |
Recommended action |
Configure actions for the behavior. |
QOS_POLICY_APPLYVLAN_FAIL
Message text |
Failed to apply or refresh QoS policy [STRING] to the [STRING] direction of VLAN [UINT32]. [STRING]. |
Variable fields |
$1: Policy name. $2: Traffic direction. $3: VLAN ID. $4: Cause. |
Severity level |
4 |
Example |
QOS/4/QOS_POLICY_APPLYVLAN_FAIL: Failed to apply or refresh QoS policy b to the inbound direction of VLAN 2. Not supported by hardware. |
Explanation |
The system failed to perform one of the following actions: · Apply a QoS policy to a specific direction of a VLAN. · Update a QoS policy applied to a specific direction of a VLAN. |
Recommended action |
Modify the contents of the QoS policy. |
QOS_NOT_ENOUGH_BANDWIDTH
Message text |
Policy [STRING] requested bandwidth [UINT32](kbps). Only [UINT32](kbps) is available on [STRING]. |
Variable fields |
$1: Policy name. $2: Required bandwidth for CBWFQ. $3: Available bandwidth on an interface. $4: Interface name. |
Severity level |
3 |
Example |
QOS/3/QOS_NOT_ENOUGH_BANDWIDTH: Policy d requested bandwidth 10000(kbps). Only 80(kbps) is available on GigabitEthernet4/0/1. |
Explanation |
Configuring CBWFQ on an interface failed because the maximum bandwidth on the interface was less than the bandwidth required for CBWFQ. |
Recommended action |
Increase the maximum bandwidth configured for the interface or set lower bandwidth required for CBWFQ. |
RADIUS messages
This section contains RADIUS messages.
RADIUS_AUTH_FAILURE
Message text |
User [STRING] from [STRING] failed authentication. |
Variable fields |
$1: Username. $2: IP address. |
Severity level |
5 |
Example |
RADIUS/5/RADIUS_AUTH_FAILURE: User abc@system from 192.168.0.22 failed authentication. |
Explanation |
An authentication request was rejected by the RADIUS server. |
Recommended action |
No action is required. |
RADIUS_AUTH_SUCCESS
Message text |
User [STRING] from [STRING] was authenticated successfully. |
Variable fields |
$1: Username. $2: IP address. |
Severity level |
6 |
Example |
RADIUS/6/RADIUS_AUTH_SUCCESS: User abc@system from 192.168.0.22 was authenticated successfully. |
Explanation |
An authentication request was accepted by the RADIUS server. |
Recommended action |
No action is required. |
RADIUS_DELETE_HOST_FAIL
Message text |
Failed to delete servers in scheme [STRING]. |
Variable fields |
$1: Scheme name. |
Severity level |
4 |
Example |
RADIUS/4/RADIUS_DELETE_HOST_FAIL: Failed to delete servers in scheme abc. |
Explanation |
Failed to delete servers from a RADIUS scheme. |
Recommended action |
No action is required. |
RIP messages
This section contains RIP messages.
RIP_MEM_ALERT
Message text |
RIP Process receive system memory alert [STRING] event. |
Variable fields |
$1: Type of the memory alarm. |
Severity level |
5 |
Example |
RIP/5/RIP_MEM_ALERT: RIP Process receive system memory alert start event. |
Explanation |
RIP received a memory alarm. |
Recommended action |
Check the system memory. |
RIP_RT_LMT
Message text |
RIP [UINT32] Route limit reached |
Variable fields |
$1: Process ID. |
Severity level |
6 |
Example |
RIP/6/RIP_RT_LMT: RIP 1 Route limit reached. |
Explanation |
The number of routes of a RIP process reached the upper limit. |
Recommended action |
1. Check for network attacks. 2. Reduce the number of routes. |
RIPNG messages
This section contains RIPng messages.
RIPNG_MEM_ALERT
Message text |
RIPNG Process receive system memory alert [STRING] event. |
Variable fields |
$1: Type of the memory alarm. |
Severity level |
5 |
Example |
RIPNG/5/RIPNG_MEM_ALERT: RIPNG Process receive system memory alert start event. |
Explanation |
RIPng received a memory alarm. |
Recommended action |
Check the system memory. |
RIPNG_RT_LMT
Message text |
RIPng [UINT32] Route limit reached |
Variable fields |
$1: Process ID |
Severity level |
6 |
Example |
RIPNG/6/RIPNG_RT_LMT: RIPng 1 Route limit reached. |
Explanation |
The number of routes of a RIPng process reached the upper limit. |
Recommended action |
1. Check for network attacks. 2. Reduce the number of routes. |
RM messages
This section contains RM messages.
RM_ACRT_REACH_LIMIT
Message text |
Max active [STRING] routes [UINT32] reached in URT of [STRING] |
Variable fields |
$1: IPv4 or IPv6. $2: Maximum number of active routes. $3: VPN instance name. |
Severity level |
4 |
Example |
RM/4/RM_ACRT_REACH_LIMIT: Max active IPv4 routes 100000 reached in URT of VPN1 |
Explanation |
The number of active routes reached the upper limit in the unicast routing table of a VPN instance. |
Recommended action |
Remove unused active routes. |
RM_ACRT_REACH_THRESVALUE
Message text |
Threshold value [UINT32] of max active [STRING] routes reached in URT of [STRING] |
Variable fields |
$1: Threshold of the maximum number of active routes in percentage. $2: IPv4 or IPv6. $3: VPN instance name. |
Severity level |
4 |
Example |
RM/4/RM_ACRT_REACH_THRESVALUE: Threshold value 50% of max active IPv4 routes reached in URT of vpn1 |
Explanation |
The percentage of the maximum number of active routes was reached in the unicast routing table of a VPN instance. |
Recommended action |
Modify the threshold value or the route limit configuration. |
RM_THRESHLD_VALUE_REACH
Message text |
Threshold value [UINT32] of active [STRING] routes reached in URT of [STRING] |
Variable fields |
$1: Maximum number of active routes. $2: IPv4 or IPv6. $3: VPN instance name. |
Severity level |
4 |
Example |
RM/4/RM_THRESHLD_VALUE_REACH: Threshold value 10000 of active IPv4 routes reached in URT of vpn1 |
Explanation |
The number of active routes reached the threshold in the unicast routing table of a VPN instance. |
Recommended action |
Modify the route limit configuration. |
SCM messages
This section contains SCM messages.
JOBINFO
Message text |
The service [STRING] is[STRING]... |
Variable fields |
$1: Service name. $2: State of the service. |
Severity level |
6 |
Example |
SCM/6/JOBINFO: The service DEV is starting... |
Explanation |
The system is starting, or a user is managing the service. |
Recommended action |
No action is required. |
RECV_DUPLICATEEVENT
Message text |
The service [STRING] receives a duplicate event in status [STRING], ignore it. |
Variable fields |
$1: Service name. $2: Service state. |
Severity level |
5 |
Example |
The service DEV set status stopping (Must be starting), Ignore. |
Explanation |
A service received a duplicate event in the same state. |
Recommended action |
No action is required. |
SERVICE_RESTART
Message text |
Standby service [STRING] in [STRING] failed to become the active service and restarted because of incomplete synchronization. |
Variable fields |
$1: Service name. $2: Card location. |
Severity level |
4 |
Example |
SCM/4/SERVICE_RESTART: Standby service ospf in slot 0 failed to become the active service and restarted because of incomplete synchronization. |
Explanation |
The active service abnormally stopped when the standby service did not complete synchronization to the active service. |
Recommended action |
No action is required. |
SERVICE_STATEERROR
Message text |
The service [STRING] receives an error event in status [STRING], drop it. |
Variable fields |
$1: Service name. $2: Service state. |
Severity level |
5 |
Example |
SCM/5/SERVICE_STATEERROR: The service DEV receives an error event in status starting, drop it. |
Explanation |
A service received an error event in a specific state. |
Recommended action |
No action is required. |
SERVICE_STATUSFAILED
Message text |
The service %s status failed : no response! |
Variable fields |
$1: Service name. |
Severity level |
5 |
Example |
SCM/5/SERVICE_STATUSFAILED: The service DEV status failed : no response! |
Explanation |
A service failed. |
Recommended action |
No action is required. |
SET_WRONGSTATUS
Message text |
The service [STRING] set status [STRING] (Must be [STRING]), Ignore. |
Variable fields |
$1: Service name. $2: Service state. $3: Service state. |
Severity level |
5 |
Example |
SCM/5/SET_WRONGSTATUS: The service DEV receives a duplicate event in status starting, ignore it. |
Explanation |
A service received an event in an incorrect state. |
Recommended action |
No action is required. |
SCRLSP messages
This section contains static CRLSP messages.
SCRLSP_LABEL_DUPLICATE
Message text |
Incoming label [INT32] for static CRLSP [STRING] is duplicate. |
Variable fields |
$1: Incoming label value. $2: Static CRLSP name. |
Severity level |
4 |
Example |
SCRLSP/4/SCRLSP_LABEL_DUPLICATE: Incoming label 1024 for static CRLSP aaa is duplicate. |
Explanation |
The incoming label of a static CRLSP was used by a static PW or by a static LSP. This message is generated when one of the following occurs: · When MPLS is enabled, configure a static CRLSP with the same incoming label as an existing static PW or static LSP. · Enable MPLS when a static CRLSP has the same incoming label as an existing static PW or static LSP. |
Recommended action |
Remove this static CRLSP, and reconfigure it with another incoming label. |
SFLOW messages
This section contains sFlow messages.
SFLOW_HARDWARE_ERROR
Message text |
|
Variable fields |
$1: Configuration item: update sampling mode $2: Interface name. $3: Failure reason: not supported operation |
Severity level |
4 |
Example |
|
Explanation |
The configuration failed because the device does not support the fixed flow sampling mode. |
Recommended action |
Specify the random flow sampling mode. |
SHELL messages
This section contains shell messages.
SHELL_CMD
Message text |
-Line=[STRING]-IPAddr=[STRING]-User=[STRING]; Command is [STRING] |
Variable fields |
$1: Line name. If there is not a line name, '**' is displayed. $2: IP address. If there is not an IP address, '**' is displayed. $3: Username. If there is not a username, '**' is displayed. $4: Command string. |
Severity level |
6 |
Example |
SHELL/6/SHELL_CMD: -Line=aux0-IPAddr=**-User=**; Command is quit |
Explanation |
A command was executed successfully. |
Recommended action |
No action is required. |
SHELL_CMD_CONFIRM
Message text |
Confirm option of command [STRING] is [STRING]. |
Variable fields |
$1: Command string. $4: Confirm option: · yes—The user confirmed the operation. · no—The user denied the operation. · timeout—The user did not confirm or deny the operation before the timeout timer expired. · cancel—The user pressed Ctrl+C to abort the operation. |
Severity level |
6 |
Example |
SHELL/6/SHELL_CMD_CONFIRM: Confirm option of command save is no. |
Explanation |
This message indicates the confirmation option that the user selected for the command. |
Recommended action |
No action is required. |
SHELL_CMD_EXECUTEFAIL
Message text |
-User=[STRING]-IPAddr=[STRING]; Command [STRING] in view [STRING] failed to be executed. |
Variable fields |
$1: Username. $2: IP address. $3: Command string. $4: Command view. |
Severity level |
4 |
Example |
SHELL/4/SHELL_CMD_EXECUTEFAIL: -User=**-IPAddr=192.168.62.138; Command description 10 in view system failed to be executed. |
Explanation |
The command failed to be executed. |
Recommended action |
1. Verify that the command does not conflict with a configured feature. 2. If the problem persists, contact H3C Support. |
SHELL_CMD_INPUT
Message text |
Input string for the [STRING] command is [STRING]. |
Variable fields |
$1: Command string. $2: Input string. |
Severity level |
6 |
Example |
SHELL/6/SHELL_CMD_INPUT: Input string for the save command is startup.cfg. SHELL/6/SHELL_CMD_INPUT: Input string for the save command is CTRL_C. SHELL/6/SHELL_CMD_INPUT: Input string for the save command is the Enter key. |
Explanation |
An interactive command was executed and the user interacted with the command. |
Recommended action |
No action is required. |
SHELL_CMD_INPUT_TIMEOUT
Message text |
Operation timed out: Getting input for the [STRING] command. |
Variable fields |
$1: Command string. |
Severity level |
6 |
Example |
SHELL/6/SHELL_CMD_INPUT_TIMEOUT: Operation timed out: Getting input for the fdisk command. |
Explanation |
An interactive command was executed but the user did not interact with the command before timeout timer expired. |
Recommended action |
No action is required. |
SHELL_CMD_MATCHFAIL
Message text |
-User=[STRING]-IPAddr=[STRING]; Command [STRING] in view [STRING] failed to be matched. |
Variable fields |
$1: Username. $2: IP address. $3: Command string. $4: Command view. |
Severity level |
4 |
Example |
SHELL/4/SHELL_CMD_MATCHFAIL: -User=**-IPAddr=192.168.62.138; Command description 10 in view system failed to be matched. |
Explanation |
The command string has errors, or the view does not support the command. |
Recommended action |
1. Check whether the view supports the command. 2. Verify that you enter the correct command string. 3. If the problem persists, contact H3C Support. |
SHELL_CMDDENY
Message text |
-Line=[STRING]-IPAddr=[STRING]-User=[STRING]; Command [STRING] is permission denied. |
Variable fields |
$1: Line name. If there is not a line name, '**' is displayed. $2: IP address. If there is not an IP address, '**' is displayed. $3: Username. If there is not a username, '**' is displayed. $4: Command string. |
Severity level |
5 |
Example |
SHELL/5/SHELL_CMDDENY: -Line=vty0-IPAddr=192.168.62.138-User=**; Command vlan 10 is permission denied. |
Explanation |
A command was not executed because the user did not have the right to use the command. |
Recommended action |
No action is required. |
SHELL_CMDFAIL
Message text |
Command [STRING] fails to recover configuration. |
Variable fields |
$1: Command string. |
Severity level |
6 |
Example |
SHELL/6/SHELL_CMDFAIL: Command display this fails to recover configuration. |
Explanation |
The configuration restore operation failed. |
Recommended action |
No action is required. |
SHELL_CRITICAL_CMDFAIL
Message text |
-User=[STRING]-IPAddr=[STRING]; Command is [STRING] . |
Variable fields |
$1: Username. $2: IP address. $3: Command string. |
Severity level |
6 |
Example |
SHELL/6/SHELL_CRITICAL_CMDFAIL: -User=admin-IPAddr=169.254.0.7; Command is save. |
Explanation |
A command failed to be executed or was canceled. |
Recommended action |
No action is required. |
SHELL_LOGIN
Message text |
[STRING] login from [STRING]. |
Variable fields |
$1: Username. $2: Line name. |
Severity level |
5 |
Example |
SHELL/5/SHELL_LOGIN: Console logged in from console0. |
Explanation |
A user logged in. |
Recommended action |
No action is required. |
SHELL_LOGOUT
Message text |
[STRING] logout from [STRING]. |
Variable fields |
$1: Username. $2: Line name. |
Severity level |
5 |
Example |
SHELL/5/SHELL_LOGOUT: Console logged out from console0. |
Explanation |
A user logged out. |
Recommended action |
No action is required. |
SLSP messages
This section contains static LSP messages.
SLSP_LABEL_DUPLICATE
Message text |
Incoming label [INT32] for static LSP [STRING] is duplicate. |
Variable fields |
$1: Incoming label value. $2: Static LSP name. |
Severity level |
4 |
Example |
SLSP/4/SLSP_LABEL_DUPLICATE: Incoming label 1024 for static LSP aaa is duplicate. |
Explanation |
The incoming label of a static LSP was used by a static PW or by a static CRLSP. This message is generated when one of the following occurs: · When MPLS is enabled, configure a static LSP with the same incoming label as an existing static CRLSP or static PW. · Enable MPLS when a static LSP has the same incoming label as an existing static CRLSP or static PW. |
Recommended action |
Remove this static LSP, and reconfigure it with another incoming label. |
SMLK messages
This section contains Smart Link messages.
SMLK_LINK_SWITCH
Message text |
Status of port [STRING] in smart link group [UINT16] changes to active. |
Variable fields |
$1: Port name. $2: Smart link group ID. |
Severity level |
4 |
Example |
SMLK/4/SMLK_LINK_SWITCH: Status of port GigabitEthernet1/0/4 in smart link group 1 changes to active. |
Explanation |
The port took over to forward traffic after the former primary port failed. |
Recommended action |
Remove the network faults. |
SNMP messages
This section contains SNMP messages.
SNMP_ACL_RESTRICTION
Message text |
SNMP [STRING] from [STRING] is rejected due to ACL restriction. |
Variable fields |
$1: SNMP community/usm-user/group. $2: IP address of the NMS. |
Severity level |
3 |
Example |
SNMP/3/SNMP_ACL_RESTRICTION: SNMP community public from 192.168.1.100 is rejected due to ACL restrictions. |
Explanation |
A syslog is printed if SNMP packets are denied because of ACL restrictions. |
Recommended action |
Check the ACL configuration on the SNMP agent, and check if the agent was attacked. |
SNMP_GET
Message text |
-seqNO=[UINT32]-srcIP=[STRING]-op=GET-node=[STRING]-value=[STRING]; The agent received a message. |
Variable fields |
$1: Sequence number of an SNMP operation log. $2: IP address of the NMS. $3: MIB object name and OID. $4: Value field of the request packet. |
Severity level |
6 |
Example |
SNMP/6/SNMP_GET: -seqNO=1-srcIP=192.168.28.28-op=GET-node=sysLocation(1.3.6.1.2.1.1.6.0)-value=; The agent received a message. |
Explanation |
SNMP received a Get request from an NMS. The system logs SNMP operations only when SNMP logging is enabled. |
Recommended action |
No action is required. |
SNMP_NOTIFY
Message text |
Notification [STRING] [STRING]. |
Variable fields |
$1: Notification name. $2: The variable-binding filed of notifications. If no variable-binding exists, the OID becomes a null value. |
Severity level |
6 |
Example |
SNMP/6/SNMP_NOTIFY: Notification hh3cLogIn(1.3.6.1.4.1.25506.2.2.1.1.3.0.1) with hh3cTerminalUserName(1.3.6.1.4.1.25506.2.2.1.1.2.1.0)=;hh3cTerminalSource(1.3.6.1.4.1.25506.2.2.1.1.2.2.0)=Console. |
Explanation |
The SNMP agent sent a notification. This message displays the notification content. |
Recommended action |
No action is required. |
SNMP_SET
Message text |
-seqNO=[UINT32]-srcIP=[STRING]-op=SET-errorIndex=[UINT32]-errorStatus=[STRING]-node=[STRING]-value=[STRING]; The agent received a message. |
Variable fields |
$1: Sequence number of an SNMP operation log. $2: IP address of the NMS. $3: Error index of the Set operation. $4: Error status of the Set operation. $5: MIB object name and OID. $6: Value of the MIB object changed by the Set operation. |
Severity level |
6 |
Example |
SNMP/6/SNMP_SET: -seqNO=3-srcIP=192.168.28.28-op=SET-errorIndex=0-errorStatus=noError-node=sysLocation(1.3.6.1.2.1.1.6.0)-value=Hangzhou China; The agent received a message. |
Explanation |
SNMP received a Set request from an NMS. The system logs SNMP operations only when SNMP logging is enabled. |
Recommended action |
No action is required. |
SNMP_USM_NOTINTIMEWINDOW
Message text |
-User=[STRING]-IPAddr=[STRING]; SNMPv3 message is not in time window. |
Variable fields |
$1: Username. $2: IP address. |
Severity level |
4 |
Example |
SNMP/4/SNMP_USM_NOTINTIMEWINDOW: -User=admin-IPAddr=169.254.0.7; SNMPv3 message is not in time window. |
Explanation |
The SNMPv3 message is not in the time window. |
Recommended action |
No action is required. |
SNMP_AUTHENTICATION_FAILURE
Message text |
Failed to authenticate SNMP message. |
Variable fields |
N/A |
Severity level |
4 |
Example |
SNMP/4/SNMP_AUTHENTICATION_FAILURE: Failed to authenticate SNMP message. |
Explanation |
The SNMP agent failed to authenticate an NMS because the community name or username is not the same on the agent and NMS. |
Recommended action |
Verify that an NMS and an SNMP agent use the same community name or username. For SNMPv3, the authentication and privacy modes, and authentication and privacy keys must also be the same on the NMS and agent. |
SPBM messages
This section contains SPBM messages.
SPBM_LICENSE_EXPIRED
Message text |
The SPBM feature is being disabled, because its license has expired. |
Variable fields |
N/A |
Severity level |
3 |
Example |
SPBM/3/SPBM_LICENSE_EXPIRED: The SPBM feature is being disabled, because its license has expired. |
Explanation |
The SPBM license has expired. |
Recommended action |
Install a valid license for SPBM. |
SPBM_LICENSE_EXPIRED_TIME
Message text |
The SPBM feature will be disabled in [ULONG] days. |
Variable fields |
$1: Available period of the feature. |
Severity level |
5 |
Example |
SPBM/5/SPBM_LICENSE_EXPIRED_TIME: The SPBM feature will be disabled in 2 days. |
Explanation |
SPBM will be disabled because the SPBM license has expired. You can use SPBM for 30 days after the license has expired. |
Recommended action |
Install a new license. |
SPBM_LICENSE_UNAVAILABLE
Message text |
The SPBM feature has no available license. |
Variable fields |
N/A |
Severity level |
3 |
Example |
SPBM/3/SPBM_LICENSE_UNAVAILABLE: The SPBM feature has no available license. |
Explanation |
No license is found for SPBM. |
Recommended action |
Install a valid license for SPBM. |
SSHS messages
This section contains SSH server messages.
SSHS_ALGORITHM_MISMATCH
Message text |
SSH client [STRING] failed to log in because of [STRING] algorithm mismatch. |
Variable fields |
$1: IP address of the SSH client. $2: Type of the algorithm, including encryption, key exchange, MAC, and public key. |
Severity level |
6 |
Example |
SSHS/6/SSHS_ALGORITHM_MISMATCH: SSH client 192.168.30.117 failed to log in because of encryption algorithm mismatch. |
Explanation |
The SSH client and the SSH server used different algorithms. |
Recommended action |
Check that the SSH client and the SSH server use the same algorithm. |
SSHS_AUTH_EXCEED_RETRY_TIMES
Message text |
SSH user [STRING] (IP: [STRING]) failed to log in, because the number of authentication attempts exceeded the upper limit. |
Variable fields |
$1: User name. $2: IP address of the SSH client. |
Severity level |
6 |
Example |
SSHS/6/SSHS_AUTH_EXCEED_RETRY_TIMES: SSH user David (IP: 192.168.30.117) failed to log in, because the number of authentication attempts exceeded the upper limit. |
Explanation |
The number of authentication attempts by an SSH user reached the upper limit. |
Recommended action |
Prompt the SSH user to use the correct login data to try again. |
SSHS_AUTH_FAIL
Message text |
SSH user [STRING] (IP: [STRING]) didn't pass public key authentication for [STRING]. |
Variable fields |
$1: Username. $2: IP address of the SSH client. $3: Failure reasons: ¡ Wrong public key algorithm. ¡ Wrong public key. ¡ Wrong digital signature. |
Severity level |
5 |
Example |
SSHS/5/SSHS_AUTH_FAIL: SSH user David (IP: 192.168.30.117) didn't pass public key authentication for wrong public key algorithm. |
Explanation |
An SSH user failed the publickey authentication. |
Recommended action |
Tell the SSH user to try to log in again. |
SSHS_AUTH_TIMEOUT
Message text |
Authentication timed out for [IPADDR]. |
Variable fields |
$1: IP address of the SSH client. |
Severity level |
6 |
Example |
SSHS/6/SSHS_AUTH_TIMEOUT: Authentication timed out for 1.1.1.1. |
Explanation |
The authentication timeout timer expired, and the SSH user failed the authentication. |
Recommended action |
Make sure the SSH user enters the correct authentication information before the authentication timeout timer expires. |
SSHS_CONNECT
Message text |
SSH user [STRING] (IP: [STRING]) connected to the server successfully. |
Variable fields |
$1: Username. $2: IP address of the SSH client. |
Severity level |
6 |
Example |
SSHS/6/SSHS_CONNECT: SSH user David (IP: 192.168.30.117) connected to the server successfully. |
Explanation |
An SSH user logged in to the server successfully. |
Recommended action |
No action is required. |
SSHS_DECRYPT_FAIL
Message text |
The packet from [STRING] failed to be decrypted with [STRING]. |
Variable fields |
$1: IP address of the SSH client. $2: Encryption algorithm, such as AES256-CBC. |
Severity level |
5 |
Example |
SSHS/5/SSHS_DECRYPT_FAIL: The packet from 192.168.30.117 failed to be decrypted with aes256-cbc. |
Explanation |
A packet from an SSH client failed to be decrypted. |
Recommended action |
No action is required. |
SSHS_DISCONNECT
Message text |
SSH user [STRING] (IP: [STRING]) disconnected from the server. |
Variable fields |
$1: Username. $2: IP address of the SSH client. |
Severity level |
6 |
Example |
SSHS/6/SSHS_DISCONNECT: SSH user David (IP: 192.168.30.117) disconnected from the server. |
Explanation |
An SSH user logged out. |
Recommended action |
No action is required. |
SSHS_ENCRYPT_FAIL
Message text |
The packet to [STRING] failed to be encrypted with [STRING]. |
Variable fields |
$1: IP address of the SSH client. $2: Encryption algorithm, such as aes256-cbc. |
Severity level |
5 |
Example |
SSHS/5/SSHS_ENCRYPT_FAIL: The packet to 192.168.30.117 failed to be encrypted with aes256-cbc. |
Explanation |
A packet to an SSH client failed to be encrypted. |
Recommended action |
No action is required. |
SSHS_LOG
Message text |
Authentication failed for user [STRING] from [STRING] port [INT32] because of invalid username or wrong password. Authorization failed for user [STRING] from [STRING] port [INT32]. |
Variable fields |
$1: Username. $2: IP address of the SSH client. $3: Port number. |
Severity level |
6 |
Example |
SSHS/6/SSHS_LOG: Authentication failed for user David from 140.1.1.46 port 16266 because of invalid username or wrong password. SSHS/6/SSHS_LOG: Authorization failed for user David from 140.1.2.46 port 15000. |
Explanation |
An SSH user failed password authentication because the username or password was wrong. Authorization to an SSH user failed. |
Recommended action |
No action is required. |
SSHS_MAC_ERROR
Message text |
SSH server received a packet with wrong message authentication code (MAC) from [STRING]. |
Variable fields |
$1: IP address of the SSH client. |
Severity level |
6 |
Example |
SSHS/6/SSHS_MAC_ERROR: SSH server received a packet with wrong message authentication code (MAC) from 192.168.30.117. |
Explanation |
The SSH server received a packet with a wrong MAC from a client. |
Recommended action |
No action is required. |
SSHS_REACH_SESSION_LIMIT
Message text |
SSH client [STRING] failed to log in, because the number of SSH sessions reached the upper limit. |
Variable fields |
$1: IP address of the SSH client. |
Severity level |
6 |
Example |
SSHS/6/SSHS_REACH_SESSION_LIMIT: SSH client 192.168.30.117 failed to log in, because the number of SSH sessions reached the upper limit. |
Explanation |
The number of SSH sessions reached the upper limit. |
Recommended action |
No action is required. |
SSHS_REACH_USER_LIMIT
Message text |
SSH client [STRING] failed to log in, because the number of users reached the upper limit. |
Variable fields |
$1: IP address of the SSH client. |
Severity level |
6 |
Example |
SSHS/6/SSHS_REACH_USER_LIMIT: SSH client 192.168.30.117 failed to log in, because the number of users reached the upper limit. |
Explanation |
The number of SSH users reached the upper limit. |
Recommended action |
No action is required. |
SSHS_SCP_OPER
Message text |
User [STRING] at [IPADDR] requested operation: [STRING]. |
Variable fields |
$1: Username. $2: IP address of the SSH client. $3: Requested file operation: ¡ get file "name"—Downloads the file name. ¡ put file "name"—Uploads the file name. |
Severity level |
6 |
Example |
SSHS/6/SSHS_SCP_OPER: User user1 at 1.1.1.1 requested operation: put file " flash:/aa". |
Explanation |
The SCP sever received a file operation request from an SSH client. |
Recommended action |
No action is required. |
SSHS_SFTP_OPER
Message text |
User [STRING] at [IPADDR] requested operation: [STRING]. |
Variable fields |
$1: Username. $2: IP address of the SSH client. $3: Requested operation on a file or directory: ¡ open dir "path"—Opens the directory path. ¡ open "file" (attribute code code) in MODE mode—Opens the file file with the attribute code code in Mode mode. ¡ remove file "path"—Deletes the file path. ¡ mkdir "path" (attribute code code)—Creates a new directory path with the attribute code code. ¡ rmdir "path"—Deletes the directory path. ¡ rename old "old-name" to new "new-name"—Changes the name of a file or folder from old-name to new-name. |
Severity level |
6 |
Example |
SSHS/6/SSHS_SFTP_OPER: User user1 at 1.1.1.1 requested operation: open dir "flash:/". |
Explanation |
The SFTP sever received an operation request from an SSH client. |
Recommended action |
No action is required. |
SSHS_SRV_UNAVAILABLE
Message text |
The [STRING] server is disabled or the [STRING] service type is not supported. |
Variable fields |
$1: Service type: ¡ Stelnet. ¡ SCP. ¡ SFTP. ¡ NETCONF. |
Severity level |
6 |
Example |
SSHS/6/SSHS_SRV_UNAVAILABLE: The SCP server is disabled or the SCP service type is not supported. |
Explanation |
The Stelnet, SCP, SFTP, or NETCONF over SSH service is not available. |
Recommended action |
Check the service status or user configuration. |
SSHS_VERSION_MISMATCH
Message text |
SSH client [STRING] failed to log in because of version mismatch. |
Variable fields |
$1: IP address of the SSH client. |
Severity level |
6 |
Example |
SSHS/6/SSHS_VERSION_MISMATCH: SSH client 192.168.30.117 failed to log in because of version mismatch. |
Explanation |
The SSH client and the SSH server used different SSH versions. |
Recommended action |
Check that the SSH client and the SSH server use the same SSH version. |
STAMGR messages
This section contains station management messages.
STAMGR_ADDBAC_INFO
Message text |
Add BAS AC [STRING]. |
Variable fields |
$1: MAC address of the BAS AC. |
Severity level |
6 |
Example |
STAMGR/6/STAMGR_ADDBAC_INFO: Add BAS AC 3ce5-a616-28cd. |
Explanation |
The BAS AC was connected to the master AC. |
Recommended action |
No action is required. |
STAMGR_ADDSTA_INFO
Message text |
Add client [STRING]. |
Variable fields |
$1: MAC address of the client. |
Severity level |
6 |
Example |
STAMGR/6/STAMGR_ADDSTA_INFO: Add client 3ce5-a616-28cd. |
Explanation |
The client was connected to the BAS AC. |
Recommended action |
No action is required. |
STAMGR_DELBAC_INFO
Message text |
Delete BAS AC [STRING]. |
Variable fields |
$1: MAC address of the BAS AC. |
Severity level |
6 |
Example |
STAMGR/6/STAMGR_DELBAC_INFO: Delete BAS AC 3ce5-a616-28cd. |
Explanation |
The BAS AC was disconnected from the master AC. |
Recommended action |
No action is required. |
STAMGR_DELSTA_INFO
Message text |
Delete client [STRING]. |
Variable fields |
$1: MAC address of the client. |
Severity level |
6 |
Example |
STAMGR/6/STAMGR_DELSTA_INFO: Delete client 3ce5-a616-28cd. |
Explanation |
The client was disconnected from the BAS AC. |
Recommended action |
No action is required. |
STAMGR_STAIPCHANGE_INFO
Message text |
IP address of client [STRING] changed to [STRING]. |
Variable fields |
$1: MAC address of the client. $1: New IP address of the client. |
Severity level |
6 |
Example |
STAMGR/6/STAMGR_STAIPCHANGE_INFO: IP address of client 3ce5-a616-28cd changed to 4.4.4.4. |
Explanation |
The IP address of the client was updated. |
Recommended action |
No action is required. |
STM messages
This section contains IRF messages.
STM_AUTO_UPDATE
Message text |
Slot [UINT32] auto-update failed because [STRING]. |
Variable fields |
$1: Slot ID. $2: Failure reason. |
Severity level |
4 |
Example |
STM/4/STM_AUTO_UPDATE: Slot 5 auto-update failed because incompatible software version. |
Explanation |
Software synchronization from the master failed on a slot. |
Recommended action |
Upgrade software manually for the device to join the IRF fabric. |
STM_MEMBERID_CONFLICT
Message text |
Self member-id is changed from [UINT32] to [UINT32]. |
Variable fields |
$1: Old member ID. $2: New member ID. |
Severity level |
4 |
Example |
STM/4/STM_MEMBERID_CONFLICT: Self member-id changed from 1 to 4. |
Explanation |
The device's member ID changed. |
Recommended action |
No action is required. |
STM_MERGE
Message text |
Merge occurs. This IRF need NOT be rebooted. |
Variable fields |
N/A |
Severity level |
5 |
Example |
STM/5/STM_MERGE: Merge occurs. This IRF need NOT be rebooted. |
Explanation |
You do not need to reboot the current IRF fabric for IRF merge, because it was elected the master. |
Recommended action |
No action is required. |
STM_MERGE_NEED_REBOOT
Message text |
Merge occurs. This IRF need be rebooted. |
Variable fields |
N/A |
Severity level |
4 |
Example |
STM/4/STM_MERGE_NEED_REBOOT: Merge occurs. This IRF need be rebooted. |
Explanation |
You must reboot the current IRF fabric for IRF merge, because it failed in the master election. |
Recommended action |
No action is required. |
STM_LINK_RECOVERY
Message text |
Merge occurs. |
Variable fields |
N/A |
Severity level |
4 |
Example |
STM/4/STM_LINK_RECOVERY: Merge occurs. |
Explanation |
IRF merge occurred. |
Recommended action |
No action is required. |
STM_LINK_STATUS_DOWN
Message text |
IRF port [UINT32] is down. |
Variable fields |
$1: IRF port name. |
Severity level |
3 |
Example |
STM/3/STM_LINK_STATUS_DOWN: IRF port 2 is down. |
Explanation |
The IRF port went down. This event occurs when all physical interfaces bound to an IRF port are down. |
Recommended action |
Check the physical interfaces bound to the IRF port. Make sure at least one member physical interface is up. |
STM_LINK_STATUS_TIMEOUT
Message text |
IRF port [UINT32] is down because heartbeat timed out. |
Variable fields |
$1: IRF port name. |
Severity level |
2 |
Example |
STM/2/STM_LINK_STATUS_TIMEOUT: IRF port 1 is down because heartbeat timed out. |
Explanation |
The IRF port went down because of heartbeat timeout. |
Recommended action |
Check the IRF link for link failure. |
STM_LINK_STATUS_UP
Message text |
IRF port [UINT32] is up. |
Variable fields |
$1: IRF port name. |
Severity level |
6 |
Example |
STM/6/STM_LINK_STATUS_UP: IRF port 1 is up. |
Explanation |
An IRF port came up. |
Recommended action |
No action is required. |
STM_SOMER_CHECK
Message text |
Neighbor of IRF port [UINT32] can't be stacked. |
Variable fields |
$1: IRF port name. |
Severity level |
3 |
Example |
STM/3/STM_SOMER_CHECK: Neighbor of IRF port 1 can't be stacked. |
Explanation |
The neighbor connected to the IRF port cannot form an IRF fabric with the device. |
Recommended action |
1. Check the following items: 2. The device models can form an IRF fabric. 3. The IRF settings are correct. For more information, see the IRF configuration guide for the device. 4. If the problem persists, contact H3C Support. |
STP messages
This section contains STP messages.
STP_DISPUTE
Message text |
[STRING] [UINT32]'s port [STRING] received an inferior BPDU from a designated port which is in forwarding or learning state. |
Variable fields |
$1: Instance or VLAN. $2: Instance ID or VLAN ID. $3: Interface name. |
Severity level |
4 |
Example |
STP/4/STP_DISPUTE: Instance 0's port GigabitEthernet1/0/2 received an inferior BPDU from a designated port which is in forwarding or learning state. |
Explanation |
A port in the MSTI or VLAN received a low-priority BPDU from a designated port in forwarding or learning state. |
Recommended action |
Verify that the peer port can receive packets from the local port: 1. Use the display stp abnormal-port command to display information about ports that are blocked by dispute protection. 2. Verify that the VLAN configurations on the local and peer ports are consistent. 3. Shut down the link between the two ports and then bring up the link, or connect the local port to another port. |
STP_LOOPBACK_PROTECTION
Message text |
[STRING] [UINT32]'s port [STRING] received its own BPDU. |
Variable fields |
$1: Instance or VLAN. $2: Instance ID or VLAN ID. $3: Interface name. |
Severity level |
4 |
Example |
STP/4/STP_LOOPBACK_PROTECTION: Instance 0's port GigabitEthernet1/0/2 received its own BPDU. |
Explanation |
A port in the MSTI or VLAN received a BPDU sent by itself. |
Recommended action |
Check for forged BPDUs from attackers or loops in the network. |
SYSEVENT
This section contains system event messages.
EVENT_TIMEOUT
Message text |
Module [UINT32]'s processing for event [UINT32] timed out. |
Variable fields |
$1: Module ID. $2: Event ID. |
Severity level |
6 |
Example |
SYSEVENT/6/EVENT_TIMEOUT: -MDC=1; Module 0x1140000's processing for event 0x20000010 timed out. |
Explanation |
A module's processing for an event timed out. |
Recommended action |
No action is required. |
SYSLOG messages
This section contains syslog messages.
SYSLOG_LOGFILE_FULL
Message text |
Log file space is full. |
Variable fields |
N/A |
Severity level |
4 |
Example |
SYSLOG/4/SYSLOG_LOGFILE_FULL: Log file space is full. |
Explanation |
The log file space is full. |
Recommended action |
Back up the log file, delete the original log file, and then bring up interfaces if needed. |
SYSLOG_RESTART
Message text |
System restarted -- [STRING] [STRING] Software. |
Variable fields |
$1: Company name. Available options include H3C. $2: Software name. Available options include Comware and Router. |
Severity level |
6 |
Example |
SYSLOG/6/SYSLOG_RESTART: System restarted -- H3C Comware Software |
Explanation |
A system restart log was created. |
Recommended action |
No action is required. |
TACACS messages
This section contains TACACS messages.
TACACS_AUTH_FAILURE
Message text |
User [STRING] from [STRING] failed authentication. |
Variable fields |
$1: Username. $2: IP address. |
Severity level |
5 |
Example |
TACACS/5/TACACS_AUTH_FAILURE: User cwf@system from 192.168.0.22 failed authentication. |
Explanation |
An authentication request was rejected by the TACACS server. |
Recommended action |
No action is required. |
TACACS_AUTH_SUCCESS
Message text |
User [STRING] from [STRING] was authenticated successfully. |
Variable fields |
$1: Username. $2: IP address. |
Severity level |
6 |
Example |
TACACS/6/TACACS_AUTH_SUCCESS: User cwf@system from 192.168.0.22 was authenticated successfully. |
Explanation |
An authentication request was accepted by the TACACS server. |
Recommended action |
No action is required. |
TACACS_DELETE_HOST_FAIL
Message text |
Failed to delete servers in scheme [STRING]. |
Variable fields |
$1: Scheme name. |
Severity level |
4 |
Example |
TACACS/4/TACACS_DELETE_HOST_FAIL: Failed to delete servers in scheme abc. |
Explanation |
Failed to delete servers from a TACACS scheme. |
Recommended action |
No action is required. |
TELNETD messages
This section contains Telnet messages.
TELNETD_REACH_SESSION_LIMIT
Message text |
Telnet client [IPADDR] failed to log in. Number of Telnet sessions reached the limit. |
Variable fields |
$1: IP address of a Telnet client. |
Severity level |
6 |
Example |
TELNETD/6/TELNETD_REACH_SESSION_LIMIT:Telent client 1.1.1.1 failed to log in. Number of Telnet sessions reached the limit. |
Explanation |
Number of online Telnet users already reached the limit. |
Recommended action |
No action is required. |
TRILL messages
This section contains TRILL messages.
TRILL_DUP_SYSTEMID
Message text |
Duplicate system ID [STRING] in [STRING] PDU sourced from RBridge 0x[HEX]. |
Variable fields |
$1: System ID. $2: PDU type. $3: Source RBridge's nickname. |
Severity level |
5 |
Example |
TRILL/5/TRILL_DUP_SYSTEMID: Duplicate system ID 0011.2200.1501 in LSP PDU sourced from RBridge 0xc758. |
Explanation |
The local RBridge received an LSP or IIH PDU that has the same system ID as the local RBridge. The possible reasons include: · The same system ID is assigned to the local RBridge and the remote RBridge. · The local RBridge received a self-generated LSP PDU with an old nickname. |
Recommended action |
Please check the RBridge system IDs on the campus network. |
TRILL_INTF_CAPABILITY
Message text |
The interface [STRING] does not support TRILL. |
Variable fields |
$1: Interface name. |
Severity level |
4 |
Example |
TRILL/4/TRILL_INTF_CAPABILITY: The interface GigabitEthernet1/0/3 does not support TRILL. |
Explanation |
An interface that does not support TRILL was assigned to a link aggregation group. |
Recommended action |
Remove the interface that does not support TRILL from the link aggregation group. |
TRILL_INTF ENTERED_SUSPENDED
Message text |
Interface [STRING] entered the suspended state. |
Variable fields |
$1: Interface name. |
Severity level |
4 |
Example |
TRILL/4/TRILL_INTF_ENTERED_SUSPENDED: Interface Ten-GigabitEthernet1/0/1 entered the suspended state. |
Explanation |
The RB put a TRILL port to the suspended state. The message is sent in any of the following situations: · The TRILL port is on the same broadcast network as a high-priority TRILL port of the RB. · Loops exist on the TRILL port. |
Recommended action |
To resolve the problem, perform the following tasks: · Remove redundant TRILL ports of the RB from the broadcast network. · Eliminate the loops on the TRILL port. |
TRILL_INTF EXITED_SUSPENDED
Message text |
Interface [STRING] exited the suspended state. |
Variable fields |
$1: Interface name. |
Severity level |
4 |
Example |
TRILL/4/TRILL_INTF_EXITED_SUSPENDED: Interface Ten-GigabitEthernet1/0/1 exited the suspended state. |
Explanation |
A TRILL port exited the suspended state. The message is sent in any of the following situations: · Redundant TRILL ports of the RB are removed from the broadcast network that is connected to the TRILL port. · Loops are eliminated from the TRILL port. |
Recommended action |
No action is required. |
TRILL_LICENSE_UNAVAILABLE
Message text |
The TRILL feature has no available license. |
Variable fields |
N/A |
Severity level |
3 |
Example |
TRILL/3/TRILL_LICENSE_UNAVAILABLE: The TRILL feature has no available license. |
Explanation |
No license was found for TRILL when the TRILL process started. |
Recommended action |
Install a license for TRILL. |
TRILL_LICENSE_EXPIRED
Message text |
The TRILL feature is being disabled, because its license has expired. |
Variable fields |
N/A |
Severity level |
3 |
Example |
TRILL/3/TRILL_LICENSE_EXPIRED: The TRILL feature is being disabled, because its license has expired. |
Explanation |
TRILL is being disabled because its license has expired. |
Recommended action |
Install a valid license for TRILL. |
TRILL_LICENSE_EXPIRED_TIME
Message text |
The TRILL feature will be disabled in [ULONG] days. |
Variable fields |
$1: Available period of the feature. |
Severity level |
5 |
Example |
TRILL/5/TRILL_LICENSE_EXPIRED_TIME: The TRILL feature will be disabled in 2 days. |
Explanation |
TRILL will be disabled because no TRILL license is available. After an active/standby MPU switchover, you can use TRILL only for 30 days if the new active MPU does not have a TRILL license. |
Recommended action |
Install a new license. |
TRILL_MEM_ALERT
Message text |
TRILL process receive system memory alert [STRING] event. |
Variable fields |
$1: Type of the memory alert event. |
Severity level |
5 |
Example |
TRILL/5/TRILL_MEM_ALERT: TRILL process receive system memory alert start event. |
Explanation |
TRILL received a memory alert event from the system. |
Recommended action |
Check the system memory. |
TRILL_NBR_CHG
Message text |
TRILL [UINT32], [STRING] adjacency [STRING] ([STRING]), state change to: [STRING]. |
Variable fields |
$1: TRILL process ID. $2: Neighbor level. $3: Neighbor system ID. $4: Interface name. $5: Current neighbor state. |
Severity level |
5 |
Example |
TRILL/5/TRILL_NBR_CHG: TRILL 1, Level-1 adjacency 0011.2200.1501 (GigabitEthernet1/0/3), state change to: down. |
Explanation |
The state of a TRILL neighbor changed. |
Recommended action |
When the neighbor state changes to down or initializing, please check the TRILL configuration and network status according to the reason for the neighbor state change. |
VLAN messages
This section contains VLAN messages.
VLAN_FAILED
Message text |
Failed to add interface [STRING] to the default VLAN. |
Variable fields |
$1: Interface name. |
Severity level |
4 |
Example |
VLAN/4/VLAN_FAILED: Failed to add interface S-Channel 4/2/0/19:100 to the default VLAN. |
Explanation |
An S-channel interface was created when hardware resources were insufficient. The S-channel interface failed to be assigned to the default VLAN. |
Recommended action |
No action is required. |
VLAN_VLANMAPPING_FAILED
Message text |
The configuration failed because of resource insufficiency or conflicts on [STRING]. |
Variable fields |
$1: Interface name. |
Severity level |
4 |
Example |
VLAN/4/VLAN_VLANMAPPING_FAILED: The configuration failed because of resource insufficiency or conflicts on GigabitEthernet1/0/1. |
Explanation |
Part of or all VLAN mapping configurations on the interface were lost because of one of the following occurrences: · Hardware resources were insufficient for the interface. · The interface joined or left a Layer 2 aggregation group. |
Recommended action |
No action is required. |
VLAN_VLANTRANSPARENT_FAILED
Message text |
The configuration failed because of resource insufficiency or conflicts on [STRING]. |
Variable fields |
$1: Interface name. |
Severity level |
4 |
Example |
VLAN/4/VLAN_VLANTRANSPARENT_FAILED: The configuration failed because of resource insufficiency or conflicts on GigabitEthernet1/0/1. |
Explanation |
Part of or all VLAN transparent transmission configurations on the interface were lost because of one of the following occurrences: · Hardware resources were insufficient for the interface. · The interface joined or left a Layer 2 aggregation group. |
Recommended action |
No action is required. |
VRRP messages
This section contains VRRP messages.
VRRP_AUTH_FAILED
Message text |
Authentication failed in [STRING] virtual router [UINT32] (configured on [STRING]): [STRING]. |
Variable fields |
$1: VRRP version. $2: VRRP group number. $3: Name of the interface where the VRRP group is configured. $4: Error information details. |
Severity level |
6 |
Example |
VRRP/6/VRRP_AUTH_FAILED: Authentication failed in IPv4 virtual router 10 (configured on GigabitEthernet1/0/1): authentication type mismatch. |
Explanation |
A VRRP packet was received, but did not pass the authentication examination. |
Recommended action |
Check the configuration of the VRRP group on the specified interface. Make sure every router in the VRRP group uses the same authentication mode and authentication key. |
VRRP_CONFIG_ERROR
Message text |
The [STRING] virtual router [UINT32] (configured on [STRING]) detected a VRRP configuration error: [STRING]. |
Variable fields |
$1: VRRP version. $2: VRRP group number. $3: Name of the interface where VRRP group is configured. $4: Error information details. |
Severity level |
6 |
Example |
VRRP/6/VRRP_CONFIG_ERROR: The IPv4 virtual router 10 (configured on GigabitEthernet1/0/1) detected a VRRP configuration error: VIRTUAL IP ADDRESS COUNT ERROR. |
Explanation |
The VRRP group configuration was not correct. For example, the virtual IP address count of the VRRP group was not the same on the members. |
Recommended action |
Check the VRRP group configuration on the specified interface. Make sure every member in the VRRP group uses the same configuration. |
VRRP_PACKET_ERROR
Message text |
The [STRING] virtual router [UINT32] (configured on [STRING]) received an error packet: [STRING]. |
Variable fields |
$1: VRRP version. $2: VRRP group number. $3: Interface where the VRRP group is configured. $4: Error information details. |
Severity level |
6 |
Example |
VRRP/6/VRRP_PACKET_ERROR: The IPv4 virtual router 10 (configured on GigabitEthernet1/0/1) received an error packet: CKSUM ERROR. |
Explanation |
The VRRP group received an invalid VRRP packet. For example, the checksum was not correct. |
Recommended action |
Check the VRRP group configuration on the specified interface. |
VRRP_STATUS_CHANGE
Message text |
The status of [STRING] virtual router [UINT32] (configured on [STRING]) changed from [STRING] to [STRING]: [STRING]. |
Variable fields |
$1: VRRP version. $2: VRRP group number. $3: Name of the interface where the VRRP group is configured. $4: Original status. $5: Current status. $6: Reason for status change. |
Severity level |
6 |
Example |
VRRP/6/VRRP_STATUS_CHANGE: The status of IPv4 virtual router 10 (configured on GigabitEthernet1/0/1) changed (from Backup to Master): Timer expired. |
Explanation |
The VRRP group status changed because the timer expired. |
Recommended action |
Check the VRRP group status to make sure it is operating correctly. |
VRRP_VF_STATUS_CHANGE
Message text |
The [STRING] virtual router [UINT32] (configured on [STRING]) virtual forwarder [UINT32] detected status change (from [STRING] to [STRING]): [STRING]. |
Variable fields |
$1: VRRP version. $2: VRRP group number. $3: Name of the interface where the VRRP group is configured. $4: VF ID. $5: Original status of VF. $6: Current status of VF. $7: Reason for the status change. |
Severity level |
6 |
Example |
VRRP/6/VRRP_VF_STATUS_CHANGE: The IPv4 virtual router 10 (configured on GigabitEthernet5/0/1) virtual forwarder 2 detected status change (from Active to Initialize): Weight changed. |
Explanation |
The status of the virtual forwarder changed because the weight changed, the timeout timer expired, or VRRP went down. |
Recommended action |
Check the status of the track entry. |
VRRP_VMAC_INEFFECTIVE
Message text |
The [STRING] virtual router [UINT32] (configured on [STRING]) failed to add virtual MAC: [STRING]. |
Variable fields |
$1: VRRP version. $2: VRRP group number. $3: Name of the interface where the VRRP group is configured. $4: Reason for the error. |
Severity level |
3 |
Example |
VRRP/3/VRRP_VMAC_INEFFECTIVE: The IPv4 virtual router 10 (configured on GigabitEthernet1/0/1) failed to add virtual MAC: Hardware resources insufficient. |
Explanation |
The virtual router failed to add a virtual MAC address. |
Recommended action |
Find out the root cause for the operation failure and fix the problem. |
VRRP_STATUS_CHANGE
Message text |
The status of [STRING] virtual router [UINT32] (configured on [STRING]) changed from [STRING] to [STRING]: [STRING]. |
Variable fields |
$1: VRRP version. $2: VRRP group number. $3: Name of the interface where the VRRP group is configured. $4: Original status. $5: Current status. $6: Reason for status change: · Interface event received—An interface event was received. · IP address deleted—The virtual IP address has been deleted. · The status of the tracked object changed—The status of the associated track entry changed. · VRRP packet received—A VRRP advertisement was received. · Current device has changed to IP address owner—The current device has become the IP address owner. · Zero priority packet received—A VRRP packet containing priority 0 was received. · Preempt—Preemption occurred. · Master group drove—The state of the master group changed. |
Severity level |
6 |
Example |
VRRP/6/VRRP_STATUS_CHANGE: The status of IPv4 virtual router 10 (configured on GigabitEthernet1/0/1) changed (from Backup to Master): Master-down-timer expired. |
Explanation |
The VRRP group status changed because of the following reasons: · An interface event was received. · The virtual IP address has been deleted. · The status of the associated track entry changed. · A VRRP advertisement was received. · The current device has become the IP address owner. · The master down timer (3 × VRRP advertisement interval + Skew_Time) expired. · A VRRP packet containing priority 0 was received. · Preemption occurred. · The state of the master group changed. |
Recommended action |
Check the VRRP group status to make sure it is operating correctly. |
VRRP_VF_STATUS_CHANGE
Message text |
The [STRING] virtual router [UINT32] (configured on [STRING]) virtual forwarder [UINT32] detected status change (from [STRING] to [STRING]): [STRING]. |
Variable fields |
$1: VRRP version. $2: VRRP group number. $3: Name of the interface where the VRRP group is configured. $4: VF ID. $5: Original status of VF. $6: Current status of VF. $7: Reason for the status change. |
Severity level |
6 |
Example |
VRRP/6/VRRP_VF_STATUS_CHANGE: The IPv4 virtual router 10 (configured on GigabitEthernet5/1) virtual forwarder 2 detected status change (from Active to Initialize): Weight changed. |
Explanation |
The status of the virtual forwarder has changed because the weight changed, the timeout timer expired, or VRRP went down. |
Recommended action |
Check the status of the track entry. |
VRRP_VMAC_INEFFECTIVE
Message text |
The [STRING] virtual router [UINT32] (configured on [STRING]) failed to add virtual MAC: [STRING]. |
Variable fields |
$1: VRRP version. $2: VRRP group number. $3: Name of the interface where the VRRP group is configured. $4: Reason for the error. |
Severity level |
3 |
Example |
VRRP/3/VRRP_VMAC_INEFFECTIVE: The IPv4 virtual router 10 (configured on GigabitEthernet1/0/1) failed to add virtual MAC: Insufficient hardware resources. |
Explanation |
The virtual router failed to add a virtual MAC address. |
Recommended action |
Find out the root cause for the operation failure and fix the problem. |