Cisco ASA Series Syslog Messages
Syslog Messages 101001-520025
Downloads: This chapterpdf (PDF - 1.79MB) The complete bookPDF (PDF - 4.73MB) | Feedback

Table of Contents

Syslog Messages 101001-520025

Messages 101001 to 199021

101001

101002

101003, 101004

101005

103001

103002

103003

103004

103005

103006

103007

104001, 104002

104003

104004

105001

105002

105003

105004

105005

105006, 105007

105008

105009

105010

105011

105020

105021

105031

105032

105034

105035

105036

105037

105038

105039

105040

105042

105043

105044

105045

105046

105047

105048

106001

106002

106006

106007

106010

106011

106012

106013

106014

106015

106016

106017

106018

106020

106021

106022

106023

106024

106025, 106026

106027

106100

106101

106102

106103

107001

107002

108002

108003

108004

108005

108006

108007

109001

109002

109003

109005

109006

109007

109008

109010

109011

109012

109013

109014

109016

109017

109018

109019

109020

109021

109022

109023

109024

109025

109026

109027

109028

109029

109030

109031

109032

109033

109034

109036

109037

109038

109039

109100

109101

109102

109103

109104

110002

110003

110004

111001

111002

111003

111004

111005

111007

111008

111009

111010

111111

112001

113001

113003

113004

113006

113007

113008

113009

113010

113011

113012

113013

113014

113015

113016

113017

113018

113019

113020

113021

113022

113023

113024

113025

113026

113027

113028

113029

113030

113031

113032

113033

113034

113035

113036

113037

113038

113039

113040

113041

113042

114001

114002

114003

114004

114005

114006

114007

114008

114009

114010

114011

114012

114013

114014

114015

114016

114017

114018

114019

114020

114021

114022

114023

115000

115001

115002

120001

120002

120003

120004

120005

120006

120007

120008

120009

120010

120012

199001

199002

199003

199005

199010

199011

199012

199013

199014

199015

199016

199017

199018

199019

199020

199021

Messages 201002 to 219002

201002

201003

201004

201005

201006

201008

201009

201010

201011

201012

201013

202001

202005

202010

208005

209003

209004

209005

210001

210002

210003

210005

210006

210007

210008

210010

210020

210021

210022

211001

211003

211004

212001

212002

212003

212004

212005

212006

212009

212010

212011

212012

213001

213002

213003

213004

213005

213006

213007

214001

215001

217001

216001

216002

216003

216004

216005

218001

218002

218003

218004

219002

Messages 302003 to 342001

302003

302004

302010

302012

302013

302014

302015

302016

302017

302018

302019

302020

302021

302022

302023

302024

302025

302026

302027

302033

302034

302302

302303

302304

303002

303004

303005

304001

304002

304003

304004

304005

304006

304007

304008

304009

305005

305006

305007

305008

305009

305010

305011

305012

305013

308001

308002

311001

311002

311003

311004

312001

313001

313004

313005

313008

313009

314001

314002

314003

314004

314005

314006

315004

315011

316001

316002

317001

317002

317003

317004

317005

317006

317007

317008

318001

318002

318003

318004

318005

318006

318007

318008

318009

318101

318102

318103

318104

318105

318106

318107

318108

318109

318110

318111

318112

318113

318114

318115

318116

318117

318118

318119

318120

318121

318122

318123

318125

318126

318127

319001

319002

319003

319004

320001

321001

321002

321003

321004

321005

321006

321007

322001

322002

322003

322004

323001

323002

323003

323004

323005

323006

323007

324000

324001

324002

324003

324004

324005

324006

324007

324008

324300

324301

325001

325002

325004

325005

325006

326001

326002

326004

326005

326006

326007

326008

326009

326010

326011

326012

326013

326014

326015

326016

326017

326019

326020

326021

326022

326023

326024

326025

326026

326027

326028

327001

327002

327003

328001

328002

329001

331001

331002

332001

332002

332003

332004

333001

333002

333003

333004

333005

333006

333007

333008

333009

333010

334001

334002

334003

334004

334005

334006

334007

334008

334009

335001

335002

335003

335004

335004

335005

335006

335007

335008

335009

335010

335011

335012

335013

335014

336001

336002

336003

336004

336005

336006

336007

336008

336009

336010

336011

336012

336013

336014

336015

336016

336019

337001

337002

337003

337004

337005

337006

337007

337008

337009

338001

338002

338003

338004

338005

338006

338007

338008

338101

338102

338103

338104

338201

338202

338203

338204

338301

338302

338303

338304

338305

338306

338307

338308

338309

338310

339001

339002

339003

339004

339005

339006

339007

339008

339009

340001

340002

341001

341002

341003

341004

341005

341006

341007

341008

341010

341011

342001

342002

342003

342004

Messages 400000 to 450001

4000 nn

401001

401002

401003

401004

401005

402114

402115

402116

402117

402118

402119

402120

402121

402122

402123

402124

402125

402126

402127

402128

402129

402130

402131

402140

402141

402142

402143

402144

402145

402146

402147

402148

403101

403102

403103

403104

403106

403107

403108

403109

403110

403500

403501

403502

403503

403504

403505

403506

403507

405001

405002

405003

405101

405102

405103

405104

405105

405106

405107

405201

405300

405301

406001

406002

407001

407002

407003

408001

408002

408003

409001

409002

409003

409004

409005

409006

409007

409008

409009

409010

409011

409012

409013

409023

409101

409102

409103

409104

409105

409106

409107

409108

409109

409110

409111

409112

409113

409114

409115

409116

409117

409118

409119

409120

409121

409122

409123

409125

409128

410001

410002

410003

410004

411001

411002

411003

411004

411005

412001

412002

413001

413002

413003

413004

413005

413006

413007

413008

414001

414002

414003

414004

414005

414006

414007

414008

415001

415002

415003

415004

415005

415006

415007

415008

415009

415010

415011

415012

415013

415014

415015

415016

415017

415018

415019

415020

416001

417001

417004

417006

418001

419001

419002

419003

420001

420002

420003

420004

420005

420006

420007

420008

421001

421002

421003

421004

421005

421006

421007

422004

422005

422006

423001

423002

423003

423004

423005

424001

424002

425001

425002

425003

425004

425005

425006

426001

426002

426003

426004

426101

426102

426103

426104

428002

429001

429002

429003

429004

429005

429006

429007

429008

431001

431002

434001

434002

434003

434004

434007

444004

444005

444007

444008

444009

444100

444101

444102

444103

444104

444105

444106

444107

444108

444109

444110

444111

446001

446003

447001

448001

450001

Messages 500001 to 520025

500001

500002

500003

500004

500005

501101

502101

502102

502103

502111

502112

503001

503101

504001

504002

505001

505002

505003

505004

505005

505006

505007

505008

505009

505010

505011

505012

505013

505014

505015

505016

506001

507001

507002

507003

508001

508002

509001

520001

520002

520003

520004

520005

520010

520011

520013

520020

520021

520022

520023

520024

520025

Syslog Messages 101001-520025

This chapter lists syslog messages 101001 through 520025 in numerical order. See Chapter 2 for syslog messages 602101-780004.


Note When a number is skipped in a sequence, the message is no longer in the ASA code.


For information about how to configure logging, SNMP, and NetFlow, see the CLI configuration guide.

Table 1-1 lists the message classes and the ranges of message IDs that are associated with each class. The valid range for message IDs is between 100000 and 999999.

 

Table 1-1 Syslog Message Classes and Associated Message ID Numbers

Logging Class
Definition
Syslog Message ID Numbers

auth

User Authentication

109, 113

Access Lists

106

Application Firewall

415

bridge

Transparent Firewall

110, 220

ca

PKI Certification Authority

717

citrix

Citrix Client

723

Clustering

747

Card Management

323

config

Command Interface

111, 112, 208, 308

csd

Secure Desktop

724

cts

Cisco TrustSec

776

dap

Dynamic Access Policies

734

eap, eapoudp

EAP or EAPoUDP for Network Admission Control

333, 334

eigrp

EIGRP Routing

336

email

E-mail Proxy

719

Environment Monitoring

735

ha

Failover

101, 102, 103, 104, 105, 210, 311, 709, 727

Identity-based Firewall

746

ids

Intrusion Detection System

400, 733

IKEv2 Toolkit

750, 751, 752

ip

IP Stack

209, 215, 313, 317, 408

ipaa

IP Address Assignment

735

ips

Intrusion Protection System

400, 401, 420

IPv6

325

Blacklists, Whitelists, and Graylists

338

Load Balancing

728

Licensing

444

mdm-proxy

MDM Proxy

802

nac

Network Admission Control

731, 732

nacpolicy

NAC Policy

731

nacsettings

NAC Settings to apply NAC Policy

732

Network Access Point

713

np

Network Processor

319

NP SSL

725

ospf

OSPF Routing

318, 409, 503, 613

Password Encryption

742

Phone Proxy

337

rip

RIP Routing

107, 312

rm

Resource Manager

321

Smart Call Home

120

session

User Session

106, 108, 201, 202, 204, 302, 303, 304, 305, 314, 405, 406, 407, 500, 502, 607, 608, 609, 616, 620, 703, 710

snmp

SNMP

212

ScanSafe

775

ssl

SSL Stack

725

svc

SSL VPN Client

722

sys

System

199, 211, 214, 216, 306, 307, 315, 414, 604, 605, 606, 610, 612, 614, 615,701, 711, 741

Threat Detection

733

UC-IME

339

tag-switching

Service Tag Switching

779

vm

VLAN Mapping

730

vpdn

PPTP and L2TP Sessions

213, 403, 603

vpn

IKE and IPsec

316, 320, 402, 404, 501, 602, 702, 713, 714, 715

vpnc

VPN Client

611

vpnfo

VPN Failover

720

vpnlb

VPN Load Balancing

718

VXLAN

778

webfo

WebVPN Failover

721

webvpn

WebVPN Client

716

NAT and PAT

305

This chapter includes the following sections:

Messages 101001 to 199021

This section includes messages from 101001 to 199021.

101001

Error Message %ASA-1-101001: (Primary) Failover cable OK.

Explanation The failover cable is present and functioning correctly. Primary can also be listed as Secondary for the secondary unit.

Recommended Action None required.

101002

Error Message %ASA-1-101002: (Primary) Bad failover cable.

Explanation The failover cable is present, but not functioning correctly. Primary can also be listed as Secondary for the secondary unit.

Recommended Action Replace the failover cable.

101003, 101004

Error Message %ASA-1-101003: (Primary) Failover cable not connected (this unit). Error Message %ASA-1-101004: (Primary) Failover cable not connected (other unit).

Explanation Failover mode is enabled, but the failover cable is not connected to one unit of the failover pair. Primary can also be listed as Secondary for the secondary unit.

Recommended Action Connect the failover cable to both units of the failover pair.

101005

Error Message %ASA-1-101005: (Primary) Error reading failover cable status.

Explanation The failover cable is connected, but the primary unit is unable to determine its status.

Recommended Action Replace the cable.

103001

Error Message %ASA-1-103001: (Primary) No response from other firewall (reason code = code).

Explanation The primary unit is unable to communicate with the secondary unit over the failover cable. Primary can also be listed as Secondary for the secondary unit. Table 1-2 lists the reason codes and the descriptions to determine why the failover occurred.

 

Table 1-2 Reason Codes

Reason Code
Description

1

The local unit is not receiving the hello packet on the failover LAN interface when LAN failover occurs or on the serial failover cable when serial failover occurs, and declares that the peer is down.

2

An interface did not pass one of the four failover tests, which are as follows: 1) Link Up, 2) Monitor for Network Traffic, 3) ARP, and 4) Broadcast Ping.

3

No proper ACK for 15+ seconds after a command was sent on the serial cable.

4

The failover LAN interface is down, and other data interfaces are not responding to additional interface testing. In addition, the local unit is declaring that the peer is down.

5

The standby peer went down during the configuration synchronization process.

Recommended Action Verify that the failover cable is connected correctly and both units have the same hardware, software, and configuration. If the problem persists, contact the Cisco TAC.

103002

Error Message %ASA-1-103002: (Primary) Other firewall network interface interface_number OK.

Explanation The primary unit has detected that the network interface on the secondary unit is okay. Primary can also be listed as Secondary for the secondary unit.

Recommended Action None required.

103003

Error Message %ASA-1-103003: (Primary) Other firewall network interface interface_number failed.

Explanation The primary unit has detected a bad network interface on the secondary unit. Primary can also be listed as Secondary for the secondary unit.

Recommended Action Check the network connections on the secondary unit and the network hub connection. If necessary, replace the failed network interface.

103004

Error Message %ASA-1-103004: (Primary) Other firewall reports this firewall failed. Reason: reason-string

Explanation The primary unit received a message from the secondary unit indicating that the primary unit has failed. Primary can also be listed as Secondary for the secondary unit. The reason can be one of the following:

  • Missed poll packets on failover command interface exceeded threshold.
  • LAN failover interface failed.
  • Peer failed to enter Standby Ready state.
  • Failed to complete configuration replication. This firewall's configuration may be out of sync.
  • Failover message transmit failure and no ACK for busy condition received.

Recommended Action Verify the status of the primary unit.

103005

Error Message %ASA-1-103005: (Primary) Other firewall reporting failure. Reason: SSM card failure

Explanation The secondary unit has reported an SSM card failure to the primary unit. Primary can also be listed as Secondary for the secondary unit.

Recommended Action Verify the status of the secondary unit.

103006

Error Message %ASA-1-103006: (Primary|Secondary) Mate version ver_num is not compatible with ours ver_num

Explanation The ASA has detected a peer unit that is running a version that is different than the local unit and is not compatible with the HA Hitless Upgrade feature.

  • ver_num —Version number

Recommended Action Install the same or a compatible version image on both units.

103007

Error Message %ASA-1-103007: (Primary|Secondary) Mate version ver_num is not identical with ours ver_num

Explanation The ASA has detected that the peer unit is running a version that is not identical, but supports Hitless Upgrade and is compatible with the local unit. The system performance may be degraded because the image version is not identical, and the ASA may develop a stability issue if the nonidentical image runs for an extended period.

  • ver_num —Version number

Recommended Action Install the same image version on both units as soon as possible.

104001, 104002

Error Message %ASA-1-104001: (Primary) Switching to ACTIVE (cause: string). Error Message %ASA-1-104002: (Primary) Switching to STANDBY (cause: string).

Explanation You have forced the failover pair to switch roles, either by entering the failover active command on the standby unit, or the no failover active command on the active unit. Primary can also be listed as Secondary for the secondary unit. Possible values for the string variable are as follows:

  • state check
  • bad/incomplete config
  • ifc [interface] check, mate is healthier
  • the other side wants me to standby
  • in failed state, cannot be active
  • switch to failed state
  • other unit set to active by CLI config command fail active

Recommended Action If the message occurs because of manual intervention, no action is required. Otherwise, use the cause reported by the secondary unit to verify the status of both units of the pair.

104003

Error Message %ASA-1-104003: (Primary) Switching to FAILED.

Explanation The primary unit has failed.

Recommended Action Check the messages for the primary unit for an indication of the nature of the problem (see message 104001). Primary can also be listed as Secondary for the secondary unit.

104004

Error Message %ASA-1-104004: (Primary) Switching to OK.

Explanation A previously failed unit reports that it is operating again. Primary can also be listed as Secondary for the secondary unit.

Recommended Action None required.

105001

Error Message %ASA-1-105001: (Primary) Disabling failover.

Explanation In version 7.x and later, this message may indicate the following: failover has been automatically disabled because of a mode mismatch (single or multiple), a license mismatch (encryption or context), or a hardware difference (one unit has an IPS SSM installed, and its peer has a CSC SSM installed). Primary can also be listed as Secondary for the secondary unit.

Recommended Action None required.

105002

Error Message %ASA-1-105002: (Primary) Enabling failover.

Explanation You have used the failover command with no arguments on the console, after having previously disabled failover. Primary can also be listed as Secondary for the secondary unit.

Recommended Action None required.

105003

Error Message %ASA-1-105003: (Primary) Monitoring on interface interface_name waiting

Explanation The ASA is testing the specified network interface with the other unit of the failover pair. Primary can also be listed as Secondary for the secondary unit.

Recommended Action None required. The ASA monitors its network interfaces frequently during normal operation.

105004

Error Message %ASA-1-105004: (Primary) Monitoring on interface interface_name normal

Explanation The test of the specified network interface was successful. Primary can also be listed as Secondary for the secondary unit.

Recommended Action None required.

105005

Error Message %ASA-1-105005: (Primary) Lost Failover communications with mate on interface interface_name.

Explanation One unit of the failover pair can no longer communicate with the other unit of the pair. Primary can also be listed as Secondary for the secondary unit.

Recommended Action Verify that the network connected to the specified interface is functioning correctly.

105006, 105007

Error Message %ASA-1-105006: (Primary) Link status Up on interface interface_name. Error Message %ASA-1-105007: (Primary) Link status Down on interface interface_name.

Explanation The results of monitoring the link status of the specified interface have been reported. Primary can also be listed as Secondary for the secondary unit.

Recommended Action If the link status is down, verify that the network connected to the specified interface is operating correctly.

105008

Error Message %ASA-1-105008: (Primary) Testing interface interface_name.

Explanation Testing of a specified network interface has occurred. This testing is performed only if the ASA fails to receive a message from the standby unit on that interface after the expected interval. Primary can also be listed as Secondary for the secondary unit.

Recommended Action None required.

105009

Error Message %ASA-1-105009: (Primary) Testing on interface interface_name {Passed|Failed}.

Explanation The result (either Passed or Failed) of a previous interface test has been reported. Primary can also be listed as Secondary for the secondary unit.

Recommended Action None required if the result is Passed. If the result is Failed, you should check the network cable connection to both failover units, that the network itself is functioning correctly, and verify the status of the standby unit.

105010

Error Message %ASA-3-105010: (Primary) Failover message block alloc failed

Explanation Block memory was depleted. This is a transient message and the ASA should recover. Primary can also be listed as Secondary for the secondary unit.

Recommended Action Use the show blocks command to monitor the current block memory.

105011

Error Message %ASA-1-105011: (Primary) Failover cable communication failure

Explanation The failover cable is not permitting communication between the primary and secondary units. Primary can also be listed as Secondary for the secondary unit.

Recommended Action Ensure that the cable is connected correctly.

105020

Error Message %ASA-1-105020: (Primary) Incomplete/slow config replication

Explanation When a failover occurs, the active ASA detects a partial configuration in memory. Normally, this is caused by an interruption in the replication service. Primary can also be listed as Secondary for the secondary unit.

Recommended Action After the ASA detects the failover, the ASA automatically reboots and loads the configuration from flash memory and/or resynchronizes with another ASA. If failovers occurs continuously, check the failover configuration and make sure that both ASAs can communicate with each other.

105021

Error Message %ASA-1-105021: ( failover_unit) Standby unit failed to sync due to a locked context_name config. Lock held by lock_owner_name

Explanation During configuration synchronization, a standby unit will reload itself if some other process locks the configuration for more than five minutes, which prevents the failover process from applying the new configuration. This can occur when an administrator pages through a running configuration on the standby unit while configuration synchronization is in process. See also the show running-config command in privileged EXEC mode and the pager lines num command in global configuration mode in the Cisco ASA 5500 Series Command Reference.

Recommended Action Avoid viewing or modifying the configuration on the standby unit when it first boots up and is in the process of establishing a failover connection with the active unit.

105031

Error Message %ASA-1-105031: Failover LAN interface is up

Explanation The LAN failover interface link is up.

Recommended Action None required.

105032

Error Message %ASA-1-105032: LAN Failover interface is down

Explanation The LAN failover interface link is down.

Recommended Action Check the connectivity of the LAN failover interface. Make sure that the speed or duplex setting is correct.

105034

Error Message %ASA-1-105034: Receive a LAN_FAILOVER_UP message from peer.

Explanation The peer has just booted and sent the initial contact message.

Recommended Action None required.

105035

Error Message %ASA-1-105035: Receive a LAN failover interface down msg from peer.

Explanation The peer LAN failover interface link is down. The unit switches to active mode if it is in standby mode.

Recommended Action Check the connectivity of the peer LAN failover interface.

105036

Error Message %ASA-1-105036: dropped a LAN Failover command message.

Explanation The ASA dropped an unacknowledged LAN failover command message, indicating a connectivity problem exists on the LAN failover interface.

Recommended Action Check that the LAN interface cable is connected.

105037

Error Message %ASA-1-105037: The primary and standby units are switching back and forth as the active unit.

Explanation The primary and standby units are switching back and forth as the active unit, indicating a LAN failover connectivity problem or software bug exists.

Recommended Action Make sure that the LAN interface cable is connected.

105038

Error Message %ASA-1-105038: (Primary) Interface count mismatch

Explanation When a failover occurs, the active ASA detects a partial configuration in memory. Normally, this is caused by an interruption in the replication service. Primary can also be listed as Secondary for the secondary unit.

Recommended Action Once the failover is detected by the ASA, the ASA automatically reboots and loads the configuration from flash memory and/or resynchronizes with another ASA. If failovers occur continuously, check the failover configuration and make sure that both ASAs can communicate with each other.

105039

Error Message %ASA-1-105039: (Primary) Unable to verify the Interface count with mate. Failover may be disabled in mate.

Explanation Failover initially verifies that the number of interfaces configured on the primary and secondary ASAs are the same. This message indicates that the primary ASA is not able to verify the number of interfaces configured on the secondary ASA. This message indicates that the primary ASA is not able to communicate with the secondary ASA over the failover interface. Primary can also be listed as Secondary for the secondary unit.

Recommended Action Verify the failover LAN, interface configuration, and status on the primary and secondary ASAs. Make sure that the secondary ASA is running the ASA application and that failover is enabled.

105040

Error Message %ASA-1-105040: (Primary) Mate failover version is not compatible.

Explanation The primary and secondary ASAs should run the same failover software version to act as a failover pair. This message indicates that the secondary ASA failover software version is not compatible with the primary ASA. Failover is disabled on the primary ASA. Primary can also be listed as Secondary for the secondary ASA.

Recommended Action Maintain consistent software versions between the primary and secondary ASAs to enable failover.

105042

Error Message %ASA-1-105042: (Primary) Failover interface OK

Explanation The LAN failover interface link is up.

Explanation The interface used to send failover messages to the secondary ASA is functioning. Primary can also be listed as Secondary for the secondary ASA.

Recommended Action None required.

105043

Error Message %ASA-1-105043: (Primary) Failover interface failed

Explanation The LAN failover interface link is down.

Recommended Action Check the connectivity of the LAN failover interface. Make sure that the speed or duplex setting is correct.

105044

Error Message %ASA-1-105044: (Primary) Mate operational mode mode is not compatible with my mode mode.

Explanation When the operational mode (single or multiple) does not match between failover peers, failover will be disabled.

Recommended Action Configure the failover peers to have the same operational mode, and then reenable failover.

105045

Error Message %ASA-1-105045: (Primary) Mate license (number contexts) is not compatible with my license (number contexts).

Explanation When the feature licenses do not match between failover peers, failover will be disabled.

Recommended Action Configure the failover peers to have the same feature license, and then reenable failover.

105046

Error Message %ASA-1-105046 (Primary|Secondary) Mate has a different chassis

Explanation Two failover units have a different type of chassis. For example, one has a three-slot chassis; the other has a six-slot chassis.

Recommended Action Make sure that the two failover units are the same.

105047

Error Message %ASA-1-105047: Mate has a io_card_name1 card in slot slot_number which is different from my io_card_name2

Explanation The two failover units have different types of cards in their respective slots.

Recommended Action Make sure that the card configurations for the failover units are the same.

105048

Error Message %ASA-1-105048: ( unit) Mate’s service module ( application) is different from mine ( application)

Explanation The failover process detected that different applications are running on the service modules in the active and standby units. The two failover units are incompatible if different service modules are used.

  • unit —Primary or secondary
  • application —The name of the application, such as InterScan Security Card

Recommended Action Make sure that both units have identical service modules before trying to reenable failover.

106001

Error Message %ASA-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name

Explanation An attempt was made to connect to an inside address is denied by the security policy that is defined for the specified traffic type. The IP address displayed is the real IP address instead of the IP address that appears through NAT. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the ASA, and it was dropped. The tcp_flags in this packet are FIN and ACK.

The tcp_flags are as follows:

  • ACK—The acknowledgment number was received
  • FIN—Data was sent
  • PSH—The receiver passed data to the application
  • RST—The connection was reset
  • SYN—Sequence numbers were synchronized to start a connection
  • URG—The urgent pointer was declared valid

Recommended Action None required.

106002

Error Message %ASA-2-106002: protocol Connection denied by outbound list acl_ID src inside_address dest outside_address

Explanation The specified connection failed because of an outbound deny command. The protocol variable can be ICMP, TCP, or UDP.

Recommended Action Use the show outbound command to check outbound lists.

106006

Error Message %ASA-2-106006: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name.

Explanation An inbound UDP packet was denied by the security policy that is defined for the specified traffic type.

Recommended Action None required.

106007

Error Message %ASA-2-106007: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port due to DNS {Response|Query}.

Explanation A UDP packet containing a DNS query or response was denied.

Recommended Action If the inside port number is 53, the inside host probably is set up as a caching name server. Add an access-list command statement to permit traffic on UDP port 53 and a translation entry for the inside host. If the outside port number is 53, a DNS server was probably too slow to respond, and the query was answered by another server.

106010

Error Message %ASA-3-106010: Deny inbound protocol src [ interface_name : source_address/source_port ] [([ idfw_user | FQDN_string ], sg_info)] dst [ interface_name : dest_address / dest_port }[([ idfw_user | FQDN_string ], sg_info)]

Explanation An inbound connection was denied by your security policy.

Recommended Action Modify the security policy if traffic should be permitted. If the message occurs at regular intervals, contact the remote peer administrator.

106011

Error Message %ASA-3-106011: Deny inbound (No xlate) string

Explanation The message appears under normal traffic conditions if there are internal users that are accessing the Internet through a web browser. Any time a connection is reset, when the host at the end of the connection sends a packet after the ASA receives the connection reset, this message appears. It can typically be ignored.

Recommended Action Prevent this message from getting logged to the syslog server by entering the no logging message 106011 command.

106012

Error Message %ASA-6-106012: Deny IP from IP_address to IP_address, IP options hex.

Explanation An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.

Recommended Action Contact the remote host system administrator to determine the problem. Check the local site for loose source routing or strict source routing.

106013

Error Message %ASA-2-106013: Dropping echo request from IP_address to PAT address IP_address

Explanation The ASA discarded an inbound ICMP Echo Request packet with a destination address that corresponds to a PAT global address. The inbound packet is discarded because it cannot specify which PAT host should receive the packet.

Recommended Action None required.

106014

Error Message %ASA-3-106014: Deny inbound icmp src interface_name : IP_address [([ idfw_user | FQDN_string ], sg_info)] dst interface_name : IP_address [([ idfw_user | FQDN_string ], sg_info)] (type dec, code dec)

Explanation The ASA denied any inbound ICMP packet access. By default, all ICM P packets are denied access unless specifically allowed.

Recommended Action None required.

106015

Error Message %ASA-6-106015: Deny TCP (no connection) from IP_address /port to IP_address /port flags tcp_flags on interface interface_name.

Explanation The ASA discarded a TCP packet that has no associated connection in the ASA connection table. The ASA looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is no existing connection, the ASA discards the packet.

Recommended Action None required unless the ASA receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.

106016

Error Message %ASA-2-106016: Deny IP spoof from ( IP_address) to IP_address on interface interface_name.

Explanation A packet arrived at the ASA interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the ASA interface. In addition, this message is generated when the ASA discarded a packet with an invalid source address, which may include one of the following or some other invalid address:

  • Loopback network (127.0.0.0)
  • Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
  • The destination host (land.c)

To further enhance spoof packet detection, use the icmp command to configure the ASA to discard packets with source addresses belonging to the internal network, because the access-list command has been deprecated and is no longer guaranteed to work correctly.

Recommended Action Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.

106017

Error Message %ASA-2-106017: Deny IP due to Land Attack from IP_address to IP_address

Explanation The ASA received a packet with the IP source address equal to the IP destination, and the destination port equal to the source port. This message indicates a spoofed packet that is designed to attack systems. This attack is referred to as a Land Attack.

Recommended Action If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.

106018

Error Message %ASA-2-106018: ICMP packet type ICMP_type denied by outbound list acl_ID src inside_address dest outside_address

Explanation The outgoing ICMP packet with the specified ICMP from local host (inside_address) to the foreign host (outside_address) was denied by the outbound ACL list.

Recommended Action None required.

106020

Error Message %ASA-2-106020: Deny IP teardrop fragment (size = number, offset = number) from IP_address to IP_address

Explanation The ASA discarded an IP packet with a teardrop signature containing either a small offset or fragment overlapping. This is a hostile event that circumvents the ASA or an Intrusion Detection System.

Recommended Action Contact the remote peer administrator or escalate this issue according to your security policy.

106021

Error Message %ASA-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name

Explanation An attack is in progress. Someone is attempting to spoof an IP address on an inbound connection. Unicast RPF, also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your ASA.

This message appears when you have enabled Unicast RPF with the ip verify reverse-path command. This feature works on packets input to an interface; if it is configured on the outside, then the ASA checks packets arriving from the outside.

The ASA looks up a route based on the source_address. If an entry is not found and a route is not defined, then this message appears and the connection is dropped.

If there is a route, the ASA checks which interface it corresponds to. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination. The ASA does not support asymmetric routing.

If the ASA is configured on an internal interface, it checks static route command statements or RIP, and if the source_address is not found, then an internal user is spoofing their address.

Recommended Action Even though an attack is in progress, if this feature is enabled, no user action is required. The ASA repels the attack.

106022

Error Message %ASA-1-106022: Deny protocol connection spoof from source_address to dest_address on interface interface_name

Explanation A packet matching a connection arrived on a different interface from the interface on which the connection began. In addition, the ip verify reverse-path command is not configured.

For example, if a user starts a connection on the inside interface, but the ASA detects the same connection arriving on a perimeter interface, the ASA has more than one path to a destination. This is known as asymmetric routing and is not supported on the ASA.

An attacker also might be attempting to append packets from one connection to another as a way to break into the ASA. In either case, the ASA shows this message and drops the connection.

Recommended Action Check that the routing is not asymmetric.

106023

Error Message %ASA-4-106023: Deny protocol src [ interface_name : source_address / source_port ] [([ idfw_user | FQDN_string ], sg_info)] dst interface_name : dest_address / dest_port [([ idfw_user | FQDN_string ], sg_info)] [type { string }, code { code }] by access_group acl_ID [0x8ed66b60, 0xf8852875]

Explanation A real IP packet was denied by the ACL. This message appears even if you do not have the log option enabled for an ACL. The IP address is the real IP address instead of the values that display through NAT. Both user identity information and FQDN information is provided for the IP addresses if a matched one is found. The ASA logs either identity information (domain\user) or FQDN (if the username is not available). If the identity information or FQDN is available, the ASA logs this information for both the source and destination.

Recommended Action If messages persist from the same source address, a footprinting or port scanning attempt might be occurring. Contact the remote host administrator.

106024

Error Message %ASA-2-106024: Access rules memory exhausted

Explanation The access list compilation process has run out of memory. All configuration information that has been added since the last successful access list was removed from the ASA, and the most recently compiled set of access lists will continue to be used.

Recommended Action Access lists, AAA, ICMP, SSH, Telnet, and other rule types are stored and compiled as access list rule types. Remove some of these rule types so that others can be added.

106025, 106026

Error Message %ASA-6-106025: Failed to determine the security context for the packet:sourceVlan:source_address dest_address source_port dest_port protocol Error Message %ASA-6-106026: Failed to determine the security context for the packet:sourceVlan:source_address dest_address source_port dest_port protocol

Explanation The security context of the packet in multiple context mode cannot be determined. Both messages can be generated for IP packets being dropped in either router and transparent mode.

Recommended Action None required.

106027

Error Message %ASA-4-106027:Failed to determine the security context for the packet:vlansource Vlan#:ethertype src sourceMAC dst destMAC

Explanation The security context of the packet in multiple context mode cannot be determined. This message is generated for non-IP packets being dropped in transparent mode only.

Recommended Action None required.

106100

Error Message %ASA-6-106100: access-list acl_ID {permitted | denied | est-allowed} protocol interface_name / source_address ( source_port) ( idfw_user, sg_info) interface_name / dest_address ( dest_port) ( idfw_user, sg_info) hit-cnt number ({first hit | number -second interval}) hash codes

Explanation The initial occurrence or the total number of occurrences during an interval are listed. This message provides more information than message 106023, which only logs denied packets, and does not include the hit count or a configurable level.

When an access-list line has the log argument, it is expected that this message ID might be triggered because of a nonsynchronized packet reaching the ASA and being evaluated by the access list. For example, if an ACK packet is received on the ASA (for which no TCP connection exists in the connection table), the ASA might generate message 106100, indicating that the packet was permitted; however, the packet is later correctly dropped because of no matching connection.

The following list describes the message values:

  • permitted | denied | est-allowed—These values specify if the packet was permitted or denied by the ACL. If the value is est-allowed, the packet was denied by the ACL but was allowed for an already established session (for example, an internal user is allowed to accesss the Internet, and responding packets that would normally be denied by the ACL are accepted).
  • protocol —TCP, UDP, ICMP, or an IP protocol number.
  • interface_name —The interface name for the source or destination of the logged flow. The VLAN interfaces are supported.
  • source_address —The source IP address of the logged flow. The IP address is the real IP address instead of the values that display through NAT.
  • dest_address —The destination IP address of the logged flow. The IP address is the real IP address instead of the values that display through NAT.
  • source_port —The source port of the logged flow (TCP or UDP). For ICMP, the number after the source port is the message type.
  • idfw_user— The user identity username, including the domain name that is added to the existing syslog when the ASA can find the username for the IP address.
  • sg_info— The security group tag that is added to the syslog when the ASA can find a security group tag for the IP address. The security group name is displayed with the security group tag, if available.
  • dest_port —The destination port of the logged flow (TCP or UDP). For ICMP, the number after the destination port is the ICMP message code, which is available for some message types. For type 8, it is always 0. For a list of ICMP message types, see the following URL: http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml.
  • hit-cnt number —The number of times this flow was permitted or denied by this ACL entry in the configured time interval. The value is 1 when the ASA generates the first message for this flow.
  • first hit—The first message generated for this flow.
  • number -second interval—The interval in which the hit count is accumulated. Set this interval using the access-list command with the interval option.
  • hash codes—Two are always printed for the object group ACE and the constituent regular ACE. Values are determined on which ACE that the packet hit. To display these hash codes, enter the show-access list command.

Recommended Action None required.

106101

Error Message %ASA-1-106101 The number of ACL log deny-flows has reached limit ( number).

Explanation If you configured the log option for an ACL deny statement (access-list id deny command), and a traffic flow matches the ACL statement, the ASA caches the flow information. This message indicates that the number of matching flows that are cached on the ASA exceeds the user-configured limit (using the access-list deny-flow-max command). This message might be generated as a result of a DoS attack.

  • number— The limit configured using the access-list deny-flow-max command

Recommended Action None required.

106102

Error Message %ASA-6-106102: access-list acl_ID {permitted|denied} protocol for user username interface_name / source_address source_port interface_name / dest_address dest_port hit-cnt number {first hit| number -second interval} hash codes

Explanation A packet was either permitted or denied by an access-list that was applied through a VPN filter. This message is the VPN/AAA filter equivalent of message 106100.

Recommended Action None required.

106103

Error Message %ASA-4-106103: access-list acl_ID denied protocol for user username interface_name / source_address source_port interface_name / dest_address dest_port hit-cnt number first hit hash codes

Explanation A packet was denied by an access-list that was applied through a VPN filter. This message is the VPN/AAA filter equivalent of message106023.

Recommended Action None required.

107001

Error Message %ASA-1-107001: RIP auth failed from IP_address : version=number, type=string, mode=string, sequence=number on interface interface_name

Explanation The ASA received a RIP reply message with bad authentication. This message might be caused by a misconfiguration on the router or the ASA or by an unsuccessful attempt to attack the routing table of the ASA.

Recommended Action This message indicates a possible attack and should be monitored. If you are not familiar with the source IP address listed in this message, change your RIP authentication keys between trusted entities. An attacker might be trying to determine the existing keys.

107002

Error Message %ASA-1-107002: RIP pkt failed from IP_address : version=number on interface interface_name

Explanation A router bug, a packet with non-RFC values inside, or a malformed entry may have caused this message to appear. This should not happen, and may be an attempt to exploit the routing table of the ASA.

Recommended Action This message indicates a possible attack and should be monitored. The packet has passed authentication, if enabled, and bad data is in the packet. Monitor the situation and change the keys if there are any doubts about the originator of the packet.

108002

Error Message %ASA-2-108002: SMTP replaced string: out source_address in inside_address data: string

Explanation A Mail Guard (SMTP) message has been generated by the inspect esmtp command. The ASA has replaced an invalid character in an e-mail address with a space.

Recommended Action None required.

108003

Error Message %ASA-2-108003: Terminating ESMTP/SMTP connection; malicious pattern detected in the mail address from source_interface:source_address/source_port to dest_interface:dest_address/dset_port. Data: string

Explanation The ASA has detected a malicious pattern in an e-mail address and drops the connection. An attack is in progress.

Recommended Action None required.

108004

Error Message %ASA-4-108004: action_class: action ESMTP req_resp from src_ifc:sip | sport to dest_ifc:dip | dport;further_info

Explanation An ESMTP classification is performed on an ESMTP message, and the specified criteria are satisfied. The configured action is taken.

  • action_class —The class of action: ESMTP Classification for ESMTP match commands; ESMTP Parameter for parameter commands
  • action —Action taken: Dropped, Dropped connection for, Reset connection for, or Masked header flags for
  • req_resp —Request or Response
  • src_ifc —Source interface name
  • sip|sport —Source IP address or source port
  • dest_ifc —Destination interface name
  • dip|dport —Destination IP address or destination port
  • further info —One of the following:

For a single match command: matched Class id : match_command (for example, matched Class 1234: match body length 100).

For parameter commands: parameter-command : descriptive-message (for example, mail-relay: No Mail Relay allowed)

Recommended Action None required.

108005

Error Message %ASA-6-108005: action_class: Received ESMTP req_resp from src_ifc:sip | sport to dest_ifc:dip | dport;further_info

Explanation An ESMTP classification is performed on an ESMTP message, and the specified criteria are satisfied. The standalone log action is taken.

  • action_class —The class of action: ESMTP Classification for ESMTP match commands; ESMTP Parameter for parameter commands
  • req_resp —Request or Response
  • src_ifc —Source interface name
  • sip|sport —Source IP address or source port
  • dest_ifc —Destination interface name
  • dip|dport —Destination IP address or destination port
  • further info —One of the following:

For a single match command: matched Class id : match_command (for example, matched Class 1234: match body length 100)

For parameter commands (commands under the parameter section): parameter-command : descriptive-message (for example, mail-relay: No Mail Relay allowed)

Recommended Action None required.

108006

Error Message %ASA-7-108006: Detected ESMTP size violation from src_ifc:sip | sport to dest_ifc:dip | dport; declared size is: decl_size, actual size is act_size.

Explanation This event is generated when an ESMTP message size exceeds the size declared in the RCPT command.

  • src_ifc —Source interface name
  • sip|sport —Source IP address or source port
  • dest_ifc —Destination interface name
  • dip|dport —Destination IP address or destination port
  • decl_size —Declared size
  • act_size —Actual size

Recommended Action None required.

108007

Error Message %ASA-6-108007: TLS started on ESMTP session between client client-side interface-name : client IP address / client port and server server-side interface-name : server IP address / server port

Explanation On an ESMTP connection, the server has responded with a 220 reply code to the client STARTTLS command. The ESMTP inspection engine no longer inspects the traffic on this connection.

  • client-side interface-name —The name for the interface that faces the client side
  • client IP address —The IP address of the client
  • client port —The TCP port number for the client
  • server-side interface-name —The name for the interface that faces the server side
  • server IP address —The IP address of the server
  • server port —The TCP port number for the server

Recommended Action Log and review the message. Check whether the ESMTP policy map associated with this connection has the allow-tls action log setting. If not, contact the Cisco TAC.

109001

Error Message %ASA-6-109001: Auth start for user user from inside_address/ inside_port to outside_address/ outside_port

Explanation The ASA is configured for AAA and detects an authentication request by the specified user.

Recommended Action None required.

109002

Error Message %ASA-6-109002: Auth from inside_address/inside_port to outside_address/outside_port failed (server IP_address failed) on interface interface_name.

Explanation An authentication request failed because the specified authentication server cannot be contacted by the module.

Recommended Action Check that the authentication daemon is running on the specified authentication server.

109003

Error Message %ASA-6-109003: Auth from inside_address to outside_address/outside_port failed (all servers failed) on interface interface_name, so marking all servers ACTIVE again.

Explanation No authentication server can be found.

Recommended Action Ping the authentication servers from the ASA. Make sure that the daemons are running.

109005

Error Message %ASA-6-109005: Authentication succeeded for user user from inside_address/inside_port to outside_address/outside_port on interface interface_name.

Explanation The specified authentication request succeeded.

Recommended Action None required.

109006

Error Message %ASA-6-109006: Authentication failed for user user from inside_address/inside_port to outside_address/outside_port on interface interface_name.

Explanation The specified authentication request failed, possibly because of an incorrect password.

Recommended Action None required.

109007

Error Message %ASA-6-109007: Authorization permitted for user user from inside_address/inside_port to outside_address/outside_port on interface interface_name.

Explanation The specified authorization request succeeded.

Recommended Action None required.

109008

Error Message %ASA-6-109008: Authorization denied for user user from outside_address/outside_port to inside_address/ inside_port on interface interface_name.

Explanation A user is not authorized to access the specified address, possibly because of an incorrect password.

Recommended Action None required.

109010

Error Message %ASA-3-109010: Auth from inside_address/inside_port to outside_address/outside_port failed (too many pending auths) on interface interface_name.

Explanation An authentication request cannot be processed because the server has too many requests pending.

Recommended Action Check to see if the authentication server is too slow to respond to authentication requests. Enable the Flood Defender feature with the floodguard enable command.

109011

Error Message %ASA-2-109011: Authen Session Start: user ' user ', sid number

Explanation An authentication session started between the host and the ASA and has not yet completed.

Recommended Action None required.

109012

Error Message %ASA-5-109012: Authen Session End: user 'user', sid number, elapsed number seconds

Explanation The authentication cache has timed out. Users must reauthenticate on their next connection. You can change the duration of this timer with the timeout uauth command.

Recommended Action None required.

109013

Error Message %ASA-3-109013: User must authenticate before using this service

Explanation The user must be authenticated before using the service.

Recommended Action Authenticate using FTP, Telnet, or HTTP before using the service.

109014

Error Message %ASA-7-109014: A non-Telnet connection was denied to the configured virtual Telnet IP address.

Explanation A request to authenticate did not have a corresponding request for authorization.

Recommended Action Ensure that both the aaa authentication and aaa authorization command statements are included in the configuration.

109016

Error Message %ASA-3-109016: Can't find authorization ACL acl_ID for user ' user '

Explanation The specified on the AAA server for this user does not exist on the ASA. This error can occur if you configure the AAA server before you configure the ASA. The Vendor-Specific Attribute (VSA) on your AAA server might be one of the following values:

  • acl=acl_ID
  • shell:acl=acl_ID
  • ACS:CiscoSecured-Defined-ACL=acl_ID

Recommended Action Add the ACL to the ASA, making sure to use the same name specified on the AAA server.

109017

Error Message %ASA-4-109017: User at IP_address exceeded auth proxy connection limit (max)

Explanation A user has exceeded the user authentication proxy limit, and has opened too many connections to the proxy.

Recommended Action Increase the proxy limit by entering the proxy-limit proxy_limit command, or ask the user to close unused connections. If the error persists, it may indicate a possible DoS attack.

109018

Error Message %ASA-3-109018: Downloaded ACL acl_ID is empty

Explanation The downloaded authorization has no ACEs. This situation might be caused by misspelling the attribute string ip:inacl# or omitting the access-list command.

junk:junk# 1=permit tcp any any eq junk ip:inacl#1=”
 

Recommended Action Correct the ACL components that have the indicated error on the AAA server.

109019

Error Message %ASA-3-109019: Downloaded ACL acl_ID has parsing error; ACE string

Explanation An error occurred during parsing the sequence number NNN in the attribute string ip:inacl#NNN= of a downloaded authorization. The reasons include: - missing = - contains nonnumeric, nonpace characters between # and = - NNN is greater than 999999999.

ip:inacl# 1 permit tcp any any
ip:inacl# 1junk2=permit tcp any any
ip:inacl# 1000000000=permit tcp any any
 

Recommended Action Correct the ACL element that has the indicated error on the AAA server.

109020

Error Message %ASA-3-109020: Downloaded ACL has config error; ACE

Explanation One of the components of the downloaded authorization has a configuration error. The entire text of the element is included in the message. This message is usually caused by an invalid access-list command statement.

Recommended Action Correct the ACL component that has the indicated error on the AAA server.

109021

Error Message %ASA-7-109021: Uauth null proxy error

Explanation An internal user authentication error has occurred.

Recommended Action None required. However, if this error appears repeatedly, contact the Cisco TAC.

109022

Error Message %ASA-4-109022: exceeded HTTPS proxy process limit

Explanation For each HTTPS authentication, the ASA dedicates a process to service the authentication request. When the number of concurrently running processes exceeds the system-imposed limit, the ASA does not perform the authentication, and this message appears.

Recommended Action None required.

109023

Error Message %ASA-3-109023: User from source_address / source_port to dest_address / dest_port on interface outside_interface must authenticate before using this service.

Explanation Based on the configured policies, you need to be authenticated before you can use this service port.

Recommended Action Authenticate using Telnet, FTP, or HTTP before attempting to use this service port.

109024

Error Message %ASA-6-109024: Authorization denied from source_address / source_port to dest_address / dest_port (not authenticated) on interface interface_name using protocol

Explanation The ASA is configured for AAA and a user attempted to make a TCP connection across the ASA without prior authentication.

Recommended Action None required.

109025

Error Message %ASA-6-109025: Authorization denied (acl= acl_ID) for user ' user ' from source_address / source_port to dest_address / dest_port on interface interface_name using protocol

Explanation The check failed. The check either matched a deny or did not match anything, such as an implicit deny. The connection was denied by the user acl_ID, which was defined according to the AAA authorization policy on the Cisco Secure Access Control Server (ACS).

Recommended Action None required.

109026

Error Message %ASA-3-109026: [ aaa protocol ] Invalid reply digest received; shared server key may be mismatched.

Explanation The response from the AAA server cannot be validated. The configured server key is probably incorrect. This message may be generated during transactions with RADIUS or TACACS+ servers.

Recommended Action Verify that the server key, configured using the aaa-server command, is correct.

109027

Error Message %ASA-4-109027: [aaa protocol] Unable to decipher response message Server = server_IP_address, User = user

Explanation The response from the AAA server cannot be validated. The configured server key is probably incorrect. This message may be displayed during transactions with RADIUS or TACACS+ servers. The server_IP_address is the IP address of the relevant AAA server. The user is the user name associated with the connection.

Recommended Action Verify that the server key, configured using the aaa-server command, is correct.

109028

Error Message %ASA-4-109028: aaa bypassed for same-security traffic from ingress_ interface:source_address/source_port to egress_interface:dest_address/dest_port

Explanation AAA is being bypassed for same security traffic that matches a configured AAA rule. This can only occur when traffic passes between two interfaces that have the same configured security level, when the same security traffic is permitted, and if the AAA configuration uses the include or exclude syntax.

Recommended Action None required.

109029

Error Message %ASA-5-109029: Parsing downloaded ACL: string

Explanation A syntax error occurred while parsing an access list that was downloaded from a RADIUS server during user authentication.

  • string —An error message detailing the syntax error that prevented the access list from parsing correctly

Recommended Action Use the information presented in this message to identify and correct the syntax error in the access list definition within the RADIUS server configuration.

109030

Error Message %ASA-4-109030: Autodetect ACL convert wildcard did not convert ACL access_list source | dest netmask netmask.

Explanation A dynamic ACL that is configured on a RADIUS server is not converted by the mechanism for automatically detecting wildcard netmasks. The problem occurs because this mechanism cannot determine if the netmask is a wildcard or a normal netmask.

  • access_list— The access list that cannot be converted
  • source— The source IP address
  • dest— The destination IP address
  • netmask— The subnet mask for the destination or source address in dotted-decimal notation

Recommended Action Check the access list netmask on the RADIUS server for the wildcard configuration. If the netmask is supposed to be a wildcard, and if all access list netmasks on that server are wildcards, then use the wildcard setting for acl-netmask-convert for the AAA server. Otherwise, change the netmask to a normal netmask or to a wildcard netmask that does not contain holes (that is, where the netmask presents consecutive binary 1s. For example, 00000000.00000000.00011111.11111111 or hex 0.0.31.255). If the mask is supposed to be normal and all access list netmasks on that server are normal, then use the normal setting for acl-netmask-convert for the AAA server.

109031

Error Message %ASA-4-109031: NT Domain Authentication Failed: rejecting guest login for username.

Explanation A user has tried to authenticate to an NT domain that was configured for guest account access and the username is not a valid username on the NT server. The connection is denied.

Recommended Action If the user is a valid user, add an account to the NT server. If the user is not allowed access, no action is required.

109032

Error Message %ASA-3-109032: Unable to install ACL access_list, downloaded for user username ; Error in ACE: ace.

Explanation The ASA received an access control list from a RADIUS server to apply to a user connection, but an entry in the list contains a syntax error. Th euse of a list containing an error could result in the violation of a security policy, so the ASA failed to authenticate the user.

  • access_list —The name assigned to the dynamic access list as it would appear in the output of the show access-list command
  • username —The name of the user whose connection will be subject to this access list
  • ace —The access list entry that was being processed when the error was detected

Recommended Action Correct the access list definition in the RADIUS server configuration.

109033

Error Message %ASA-4-109033: Authentication failed for admin user user from src_IP. Interactive challenge processing is not supported for protocol connections

Explanation AAA challenge processing was triggered during authentication of an administrative connection, but the ASA cannot initiate interactive challenge processing with the client application. When this occurs, the authentication attempt will be rejected and the connection denied.

  • user —The name of the user being authenticated
  • src_IP —The IP address of the client host
  • protocol —The client connection protocol (SSH v1 or administrative HTTP)

Recommended Action Reconfigure AAA so that challenge processing does not occur for these connection types. This generally means to avoid authenticating these connection types to RSA SecurID servers or to any token-based AAA server via RADIUS.

109034

Error Message %ASA-4-109034: Authentication failed for network user user from src_IP/port to dst_IP/port. Interactive challenge processing is not supported for protocol connections

Explanation AAA challenge processing was triggered during authentication of a network connection, but the ASA cannot initiate interactive challenge processing with the client application. When this occurs, the authentication attempt will be rejected and the connection denied.

  • user —The name of the user being authenticated
  • src_IP/port —The IP address and port of the client host
  • dst_IP/port —The IP address and port of the server to which the client is attempting to connect
  • protocol —The client connection protocol (for example, FTP)

Recommended Action Reconfigure AAA so that challenge processing does not occur for these connection types. This generally means to avoid authenticating these connection types to RSA SecurID servers or to any token-based AAA server via RADIUS.

109036

Error Message %ASA-6-109036: Exceeded 1000 attribute values for the attribute name attribute for user username.

Explanation The LDAP response message contains an attribute that has more than 1000 values.

  • attribute_name —The LDAP attribute name
  • username —The username at login

Recommended Action None required.

109037

Error Message %ASA-3-109037: Exceeded 5000 attribute values for the attribute name attribute for user username.

Explanation The ASA supports multiple values of the same attribute received from a AAA server. If the AAA server sends a response containing more than 5000 values for the same attribute, then the ASA treats this response message as being malformed and rejects the authentication. This condition has only been seen in lab environments using specialized test tools. It is unlikely that the condition would occur in a real-world production network.

  • attribute_name —The LDAP attribute name
  • username —The username at login

Recommended Action Capture the authentication traffic between the ASA and AAA server using a protocol sniffer (such as WireShark), then forward the trace file to the Cisco TAC for analysis.

109038

Error Message %ASA-3-109038: Attribute internal-attribute-name value string-from-server from AAA server could not be parsed as a type internal-attribute-name string representation of the attribute name

Explanation The AAA subsystem tried to parse an attribute from the AAA server into an internal representation and failed.

  • string-from-server— String received from the AAA server, truncated to 40 characters.
  • type —The type of the specified attribute

Recommended Action Verify that the attribute is being generated correctly on the AAA server. For additional information, use the debug ldap and debug radius commands.

109039

Error Message %ASA-5-109039: AAA Authentication:Dropping an unsupported IPv6/IP46/IP64 packet from lifc : laddr to fifc : faddr

Explanation A packet containing IPv6 addresses or IPv4 addresses translated to IPv6 addresses by NAT requires AAA authentication or authorization. AAA authentication and authorization do not support IPv6 addresses. The packet is dropped.

  • lifc —The ingress interface
  • laddr —The source IP address
  • fifc —The egress interface
  • faddr —The destination IP address after NAT translation, if any

Recommended Action None required.

109100

Error Message %ASA-6-109100: Received CoA update from coa-source-ip for user username, with session ID: audit-session-id, changing authorization attributes

Explanation The ASA has successfully processed the CoA policy update request from coa-source-ip for user username with session id audit-session-id. This syslog message is generated after a change of authorization policy update has been received by the ASA, validated and applied. In a non-error case, this is the only syslog message that is generated when a change of authorization is received and processed.

  • coa-source-ip —Originating IP address of the change of authorization request
  • username —User whose session is being changed
  • audit-session-id —The global ID of the session being modified

Recommended Action None required.

109101

Error Message %ASA-6-109101: Received CoA disconnect request from coa-source-ip for user username, with audit-session-id: audit-session-id

Explanation The ASA has received a correctly formatted Disconnect-Request for an active VPN session and has successfully terminated the connection.

  • coa-source-ip —Originating IP address of the change of authorization request
  • username —User whose session is being changed
  • audit-session-id —The global ID of the session being modified

Recommended Action None required.

109102

Error Message %ASA-4-109102: Received CoA action-type from coa-source-ip, but cannot find named session audit-session-id

Explanation The ASA has received a valid change of authorization request, but the session ID specified in the request does not match any active sessions on the ASA. This could be the result of the change of authorization server attempting to issue a change of authorization on a session that has already been closed by the user.

  • action-type —The requested change of authorization action (update or disconnect)
  • coa-source-ip —Originating IP address of the change of authorization request
  • audit-session-id —The global ID of the session being modified

Recommended Action None required.

109103

Error Message %ASA-3-109103: CoA action-type from coa-source-ip failed for user username, with session ID: audit-session-id.

Explanation The ASA has received a correctly formatted change of authorization request, but was unable to process it successfully.

  • action-type —The requested change of authorization action (update or disconnect)
  • coa-source-ip —Originating IP address of the change of authorization request
  • username —User whose session is being changed
  • audit-session-id —The global ID of the session being modified

Recommended Action Investigate the relevant VPN subsystem logs to determine why the updated attributes could not be applied or why the session could not be terminated.

109104

Error Message %ASA-3-109104: CoA action-type from coa-source-ip failed for user username, session ID: audit-session-id. Action not supported.

Explanation The ASA has received a correctly formatted change of authorization request, but did not process it because the indicated action is not supported by the ASA.

  • action-type —The requested change of authorization action (update or disconnect)
  • coa-source-ip —Originating IP address of the change of authorization request
  • username —User whose session is being changed
  • audit-session-id —The global ID of the session being modified

Recommended Action None required.

110002

Error Message %ASA-6-110002: Failed to locate egress interface for protocol from src interface : src IP/src port to dest IP/dest port

Explanation.An error occurred when the ASA tried to find the interface through which to send the packet.

  • protocol —The protocol of the packet
  • src interface —The interface from which the packet was received
  • src IP —The source IP address of the packet
  • src port —The source port number
  • dest IP —The destination IP address of the packet
  • dest port —The destination port number

Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.

110003

Error Message %ASA-6-110003: Routing failed to locate next-hop for protocol from src interface : src IP/src port to dest interface : dest IP/dest port

Explanation.An error occurred when the ASA tried to find the next hop on an interface routing table.

  • protocol —The protocol of the packet
  • src interface —The interface from which the packet was received
  • src IP —The source IP address of the packet
  • src port —The source port number
  • dest IP —The destination IP address of the packet
  • dest port —The destination port number

Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC. During debugging, use the show asp table routing command to view the routing table details.

110004

Error Message %ASA-6-110004: Egress interface changed from old_active_ifc to new_active_ifc on ip_protocol connection conn_id for outside_zone / parent_outside_ifc : outside_addr / outside_port ( mapped_addr / mapped_port) to inside_zone / parent_inside_ifc : inside_addr / inside_port ( mapped_addr / mapped_port)

Explanation A flow changed on the egress interface.

Recommended Action None required.

111001

Error Message %ASA-5-111001: Begin configuration: IP_address writing to device

Explanation You have entered the write command to store your configuration on a device (either floppy, flash memory, TFTP, the failover standby unit, or the console terminal). The IP_address indicates whether the login was made at the console port or with a Telnet connection.

Recommended Action None required.

111002

Error Message %ASA-5-111002: Begin configuration: IP_address reading from device

Explanation You have entered the read command to read your configuration from a device (either floppy disk, flash memory, TFTP, the failover standby unit, or the console terminal). The IP_address indicates whether the login was made at the console port or with a Telnet connection.

Recommended Action None required.

111003

Error Message %ASA-5-111003: IP_address Erase configuration

Explanation You have erased the contents of flash memory by entering the write erase command at the console. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.

Recommended Action After erasing the configuration, reconfigure the ASA and save the new configuration. Alternatively, you can restore information from a configuration that was previously saved, either on a floppy disk or on a TFTP server elsewhere on the network.

111004

Error Message %ASA-5-111004: IP_address end configuration: {FAILED|OK}

Explanation You have entered the config floppy/memory/ network command or the write floppy/memory/network/standby command. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.

Recommended Action None required if the message ends with OK. If the message indicates a failure, try to fix the problem. For example, if writing to a floppy disk, ensure that the floppy disk is not write protected; if writing to a TFTP server, ensure that the server is up.

111005

Error Message %ASA-5-111005: IP_address end configuration: OK

Explanation You have exited the configuration mode. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.

Recommended Action None required.

111007

Error Message %ASA-5-111007: Begin configuration: IP_address reading from device.

Explanation You have entered the reload or configure command to read in a configuration. The device text can be floppy, memory, net, standby, or terminal. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.

Recommended Action None required.

111008

Error Message %ASA-5-111008: User user executed the command string

Explanation The user entered any command, with the exception of a show command.

Recommended Action None required.

111009

Error Message %ASA-7-111009:User user executed cmd: string

Explanation The user entered a command that does not modify the configuration. This message appears only for show commands.

Recommended Action None required.

111010

Error Message %ASA-5-111010: User username, running application-name from IP ip addr, executed cmd

Explanation A user made a configuration change.

  • username —The user making the configuration change
  • application-name —The application that the user is running
  • ip addr —The IP address of the management station
  • cmd —The command that the user has executed

Recommended Action None required.

111111

Error Message %ASA-1-111111 error_message

Explanation A system or infrastructure error has occurred.

Recommended Action If the problem persists, contact the Cisco TAC.

112001

Error Message %ASA-2-112001: ( string : dec) Clear complete.

Explanation A request to clear the module configuration was completed. The source file and line number are identified.

Recommended Action None required.

113001

Error Message %ASA-3-113001: Unable to open AAA session. Session limit [ limit ] reached.

Explanation The AAA operation on an IPsec tunnel or WebVPN connection cannot be performed because of the unavailability of AAA resources. The limit value indicates the maximum number of concurrent AAA transactions.

Recommended Action Reduce the demand for AAA resources, if possible.

113003

Error Message %ASA-6-113003: AAA group policy for user user is being set to policy_name.

Explanation The group policy that is associated with the tunnel group is being overridden with a user-specific policy, policy_name. The policy_name is specified using the username command when LOCAL authentication is configured or is returned in the RADIUS CLASS attribute when RADIUS authentication is configured.

Recommended Action None required.

113004

Error Message %ASA-6-113004: AAA user aaa_type Successful: server = server_IP_address, User = user

Explanation The AAA operation on an IPsec or WebVPN connection has been completed successfully. The AAA types are authentication, authorization, or accounting. The server_IP_address is the IP address of the relevant AAA server. The user is the user name associated with the connection.

Recommended Action None required.

113006

Error Message %ASA-6-113006: User user locked out on exceeding number successive failed authentication attempts

Explanation A locally configured user is being locked out. This happens when a configured number of consecutive authentication failures have occurred for this user and indicates that all future authentication attempts by this user will be rejected until an administrator unlocks the user using the clear aaa local user lockout command. The user is the user that is now locked, and the number is the consecutive failure threshold configured using the aaa local authentication attempts max-fail command.

Recommended Action Try unlocking the user using the clear_aaa_local_user_lockout command or adjusting the maximum number of consecutive authentication failures that are tolerated.

113007

Error Message %ASA-6-113007: User user unlocked by administrator

Explanation A locally configured user that was locked out after exceeding the maximum number of consecutive authentication failures set by using the aaa local authentication attempts max-fail command has been unlocked by the indicated administrator.

Recommended Action None required.

113008

Error Message %ASA-6-113008: AAA transaction status ACCEPT: user = user

Explanation The AAA transaction for a user associated with an IPsec or WebVPN connection was completed successfully. The user is the username associated with the connection.

Recommended Action None required.

113009

Error Message %ASA-6-113009: AAA retrieved default group policy policy for user user

Explanation The authentication or authorization of an IPsec or WebVPN connection has occurred. The attributes of the group policy that were specified with the tunnel-group or webvpn commands have been retrieved.

Recommended Action None required.

113010

Error Message %ASA-6-113010: AAA challenge received for user user from server server_IP_address

Explanation The authentication of an IPsec connection has occurred with a SecurID server. The user will be prompted to provide further information before being authenticated.

  • user —The username associated with the connection
  • server _IP_address —The IP address of the relevant AAA server

Recommended Action None required.

113011

Error Message %ASA-6-113011: AAA retrieved user specific group policy policy for user user

Explanation The authentication or authorization of an IPsec or WebVPN connection has occurred. The attributes of the group policy that was specified with the tunnel-group or webvpn commands have been retrieved.

Recommended Action None required.

113012

Error Message %ASA-6-113012: AAA user authentication Successful: local database: user = user

Explanation The user associated with a IPsec or WebVPN connection has been successfully authenticated to the local user database.

  • user —The username associated with the connection

Recommended Action None required.

113013

Error Message %ASA-6-113013: AAA unable to complete the request Error: reason = reason : user = user

Explanation The AAA transaction for a user associated with an IPsec or WebVPN connection has failed because of an error or has been rejected because of a policy violation.

  • reason— The reason details
  • user —The username associated with the connection

Recommended Action None required.

113014

Error Message %ASA-6-113014: AAA authentication server not accessible: server = server_IP_address : user = user

Explanation The device was unable to communicate with the configured AAA server during the AAA transaction associated with an IPsec or WebVPN connection. This may or may not result in a failure of the user connection attempt depending on the backup servers configured in the aaa-server group and the availability of those servers.

Recommended Action Verify connectivity with the configured AAA servers.

113015

Error Message %ASA-6-113015: AAA user authentication Rejected: reason = reason : local database: user = user

Explanation A request for authentication to the local user database for a user associated with an IPsec or WebVPN connection has been rejected.

  • reason— The details of why the request was rejected
  • user —The username associated with the connection

Recommended Action None required.

113016

Error Message %ASA-6-113016: AAA credentials rejected: reason = reason : server = server_IP_address : user = user

Explanation The AAA transaction for a user associated with an IPsec or WebVPN connection has failed because of an error or rejected due to a policy violation.

  • reason— The details of why the request was rejected
  • server_IP_address —The IP address of the relevant AAA server
  • user —The username associated with the connection

Recommended Action None required.

113017

Error Message %ASA-6-113017: AAA credentials rejected: reason = reason : local database: user = user

Explanation The AAA transaction for a user associated with an IPsec or WebVPN connection has failed because of an error or rejected because of a policy violation. This event only appears when the AAA transaction is with the local user database rather than with an external AAA server.

  • reason— The details of why the request was rejected
  • user —The username associated with the connection

Recommended Action None required.

113018

Error Message %ASA-3-113018: User: user, Unsupported downloaded ACL Entry: ACL_entry, Action: action

Explanation An ACL entry in unsupported format was downloaded from the authentication server. The following list describes the message values:

  • user —User trying to log in
  • ACL_entry —Unsupported ACL entry downloaded from the authentication server
  • action —Action taken when encountering the unsupported ACL entry

Recommended Action The ACL entry on the authentication server has to be changed by the administrator to conform to the supported ACL entry formats.

113019

Error Message %ASA-4-113019: Group = group, Username = username, IP = peer_address, Session disconnected. Session Type: type, Duration: duration, Bytes xmt: count, Bytes rcv: count, Reason: reason

Explanation An indication of when and why the longest idle user is disconnected.

  • group —Group name
  • username —Username
  • IP —Peer address
  • Session Type —Session type (for example, IPsec or UDP)
  • duration —Connection duration in hours, minutes, and seconds
  • Bytes xmt —Number of bytes transmitted
  • Bytes rcv —Number of bytes received
  • reason —Reason for disconnection:

User Requested

Lost Carrier

Lost Service

Idle Timeout

Max time exceeded

Administrator Reset

Administrator Reboot

Administrator Shutdown

Port Error

NAS Error

NAS Request

NAS Reboot

Port unneeded

Connection preempted. Indicates that the allowed number of simultaneous (same user) logins has been exceeded. To resolve this problem, increase the number of simultaneous logins or have users only log in once with a given username and password.

Port Suspended

Service Unavailable

Callback

User error

Host Requested

SA Expired

IKE Delete

Bandwidth Management Error

Certificate Expired

Phase 2 Mismatch

Firewall Mismatch

Peer Address Changed

ACL Parse Error

Phase 2 Error

Configuration Error

Peer Reconnected

Internal Error

Crypto map policy not found

L2TP initiated

VLAN Mapping Error

NAC-Policy Error

Dynamic Access Policy terminate

Client type not supported

Unknown

Recommended Action Unless the reason indicates a problem, then no action is required.

113020

Error Message %ASA-3-113020: Kerberos error: Clock skew with server ip_address greater than 300 seconds

Explanation Authentication for an IPsec or WebVPN user through a Kerberos server has failed because the clocks on the ASA and the server are more than five minutes (300 seconds) apart. When this occurs, the connection attempt is rejected.

  • ip_address —The IP address of the Kerberos server

Recommended Action Synchronize the clocks on the ASA and the Kerberos server.

113021

Error Message %ASA-3-113021: Attempted console login failed. User username did NOT have appropriate Admin Rights.

Explanation A user has tried to access the management console and was denied.

  • username —The username entered by the user

Recommended Action If the user is a newly added admin rights user, check that the service type (LOCAL or RADIUS authentication server) for that user is set to allow access:

  • nas-prompt—Allows login to the console and exec privileges at the required level, but not enable (configuration modification) access
  • admin—Allows all access and can be further constrained by command privileges

Otherwise, the user is inappropriately trying to access the management console; the action to be taken should be consistent with company policy for these matters.

113022

Error Message %ASA-2-113022: AAA Marking RADIUS server servername in aaa-server group AAA-Using-DNS as FAILED

Explanation The ASA has tried an authentication, authorization, or accounting request to the AAA server and did not receive a response within the configured timeout window. The AAA server will be marked as failed and has been removed from service.

  • protocol —The type of authentication protocol, which can be one of the following:

- RADIUS

- TACACS+

- NT

- RSA SecurID

- Kerberos

- LDAP

  • ip-addr —The IP address of the AAA server
  • tag —The server group name

Recommended Action Verify that the AAA server is online and is accessible from the ASA.

113023

Error Message %ASA-2-113023: AAA Marking protocol server ip-addr in server group tag as ACTIVE

Explanation The ASA has reactivated the AAA server that was previously marked as failed. The AAA server is now available to service AAA requests.

  • protocol —The type of authentication protocol, which can be one of the following:

- RADIUS

- TACACS+

- NT

- RSA SecurID

- Kerberos

- LDAP

  • ip-addr —The IP address of the AAA server
  • tag —The server group name

Recommended Action None required.

113024

Error Message %ASA-5-113024: Group tg : Authenticating type connection from ip with username, user_name, from client certificate

Explanation The prefill username feature overrides the username with one derived from the client certificate for use in AAA.

  • tg —The tunnel group
  • type —The type of connection (ssl-client or clientless)
  • ip —The IP address of the connecting user
  • user_name —The name extracted from the client certificate for use in AAA

Recommended Action None required.

113025

Error Message %ASA-5-113025: Group tg : fields Could not authenticate connection type connection from ip

Explanation A username cannot be successfully extracted from the certificate.

  • tg —The tunnel group
  • fields —The DN fields being searched for
  • connection type —The type of connection (SSL client or clientless)
  • ip —The IP address of the connecting user

Recommended Action The administrator should check that the authentication aaa certificate, ssl certificate-authentication, and authorization-dn-attributes keywords have been set correctly.

113026

Error Message %ASA-4-113026: Error error while executing Lua script for group tunnel group

Explanation An error occurred while extracting a username from the client certificate for use in AAA. This message is only generated when the username-from-certificate use-script option is enabled.

  • error —Error string returned from the Lua environment
  • tunnel group —The tunnel group attempting to extract a username from a certificate

Recommended Action Examine the script being used by the username-from-certificate use-script option for errors.

113027

Error Message %ASA-2-113027: Error activating tunnel-group scripts

Explanation The script file cannot be loaded successfully. No tunnel groups using the username-from-certificate use-script option work correctly.

Recommended Action The administrator should check the script file for errors using ASDM. Use the debug aaa command to obtain a more detailed error message that may be useful.

113028

Error Message %ASA-7-113028: Extraction of username from VPN client certificate has string. [Request num ]

Explanation The processing request of a username from a certificate is running or has finished.

  • num —The ID of the request (the value of the pointer to the fiber), which is a monotonically increasing number.
  • string —The status message, which can one of the following:

- been requested

- started

- finished with error

- finished successfully

- completed

Recommended Action None required.

113029

Error Message %ASA-4-113029: Group group User user IP ipaddr Session could not be established: session limit of num reached

Explanation The user session cannot be established because the current number of sessions exceeds the maximum session load.

Recommended Action Increase the configured limit, if possible, to create a load-balanced cluster.

113030

Error Message %ASA-4-113030: Group group User user IP ipaddr User ACL acl from AAA doesn't exist on the device, terminating connection.

Explanation The specified ACL was not found on the ASA.

  • group— The name of the group
  • user— The name of the user
  • ipaddr— The IP address
  • acl— The name of the ACL

Recommended Action Modify the configuration to add the specified ACL or to correct the ACL name.

113031

Error Message %ASA-4-113031: Group group User user IP ipaddr AnyConnect vpn-filter filter is an IPv6 ACL; ACL not applied.

Explanation The type of ACL to be applied is incorrect. An IPv6 ACL has been configured as an IPv4 ACL through the vpn-filter command.

  • group —The group policy name of the user
  • user —The username
  • ipaddr —The public (not assigned) IP address of the user
  • filter —The name of the VPN filter

Recommended Action Validate the VPN filter and IPv6 VPN filter configurations on the ASA, and the filter parameters on the AAA (RADIUS) server. Make sure that the correct type of ACL is specified.

113032

Error Message %ASA-4-113032: Group group User user IP ipaddr AnyConnect ipv6-vpn-filter filter is an IPv4 ACL; ACL not applied.

Explanation The type of ACL to be applied is incorrect. An IPv4 ACL has been configured as an IPv6 ACL through the ipv6-vpn-filter command.

  • group —The group policy name of the user
  • user —The username
  • ipaddr —The public (not assigned) IP address of the user
  • filter —The name of the VPN filter

Recommended Action Validate the VPN filter and IPv6 VPN filter configurations on the ASA and the filter parameters on the AAA (RADIUS) server. Make sure that the correct type of ACL is specified.

113033

Error Message %ASA-6-113033: Group group User user IP ipaddr AnyConnect session not allowed. ACL parse error.

Explanation The WebVPN session for the specified user in this group is not allowed because the associated ACL did not parse. The user will not be allowed to log in via WebVPN until this error has been corrected.

  • group —The group policy name of the user
  • user —The username
  • ipaddr —The public (not assigned) IP address of the user

Recommended Action Correct the WebVPN ACL.

113034

Error Message %ASA-4-113034: Group group User user IP ipaddr User ACL acl from AAA ignored, AV-PAIR ACL used instead.

Explanation The specified ACL was not used because a Cisco AV-PAIR ACL was used.

  • group— The name of the group
  • user— The name of the user
  • ipaddr— The IP address
  • acl— The name of the ACL

Recommended Action Determine the correct ACL to use and correct the configuration.

113035

Error Message %ASA-4-113035: Group group User user IP ipaddr Session terminated: AnyConnect not enabled or invalid AnyConnect image on the ASA.

Explanation The user logged in via the AnyConnect client. The SVC service is not enabled globally, or the SVC image is invalid or corrupted. The session connection has been terminated.

  • group —The name of the group policy with which the user is trying to connect
  • user —The name of the user who is trying to connect
  • iaddrp —The IP address of the user who is trying to connect

Recommended Action Enable the SVC globally using the svc-enable command. Validate the integrity and versions of the SVC images by reloading new images using the svc image command.

113036

Error Message %ASA-4-113036: Group group User user IP ipaddr AAA parameter name value invalid.

Explanation The given parameter has a bad value. The value is not shown because it might be very long.

  • group— The name of the group
  • user— The name of the user
  • ipadddr— The IP address
  • name— The name of the parameter

Recommended Action Modify the configuration to correct the indicated parameter.

113037

Error Message %ASA-6-113037: Reboot pending, new sessions disabled. Denied user login.

Explanation A user was unable to log in to WebVPN because the ASA is in the process of rebooting.

Recommended Action None required.

113038

Error Message %ASA-4-113038: Group group User user IP ipaddr Unable to create AnyConnect parent session.

Explanation The AnyConnect session was not created for the user in the specified group because of resource issues. For example, the user may have reached the maximum login limit.

  • group— The name of the group
  • user— The name of the user
  • ipadddr— The IP address

Recommended Action None required.

113039

Error Message %ASA-6-113039: Group group User user IP ipaddr AnyConnect parent session started.

Explanation The AnyConnect session has started for the user in this group at the specified IP address. When the user logs in via the AnyConnect login page, the AnyConnect session starts.

  • group— The name of the group
  • user— The name of the user
  • ipadddr— The IP address

Recommended Action None required.

113040

Error Message %ASA-4-113040: Terminating the VPN connection attempt from attempted group. Reason: This connection is group locked to locked group.

Explanation The tunnel group over which the connection is attempted is not the same as the tunnel group set in the group lock.

  • attempted group —The tunnel group over which the connection came in
  • locked group —The tunnel group for which the connection is locked or restricted

Recommended Action Check the group-lock value in the group policy or the user attributes.

113041

Error Message %ASA-4-113041: Redirect ACL configured for assigned IP does not exist on the device.

Explanation An error occurred when the redirect URL was installed and the ACL was received from the ISE, but the redirect ACL does not exist on the ASA.

  • assigned IP —The IP address that is assigned to the client

Recommended Action Configure the redirect ACL on the ASA.

113042

Error Message %ASA-4-113042: CoA: Non-HTTP connection from src_if : src_ip / src_port to dest_if : dest_ip / dest_port for user username at client_IP denied by redirect filter; only HTTP connections are supported for redirection.

Explanation For the CoA feature, the redirect ACL filter drops the matching non-HTTP traffic during the redirect processing and provides information about the terminated traffic flow.

  • src_if, src_ip, src_port —The source interface, IP address, and port of the flow
  • dest_if, dest_ip, dest_port —The destination interface, IP address, and port of the flow
  • username —The name of the user
  • client_IP —The IP address of the client

Recommended Action Validate the redirect ACL configuration on the ASA. Make sure that the correct filter is used to match the traffic to redirect and does not block the flow that is intended to be allowed through.

114001

Error Message %ASA-1-114001: Failed to initialize 4GE SSM I/O card (error error_string).

Explanation The system failed to initialize a 4GE SSM I/O card because of an I2C error or a switch initialization error.

  • syslog_id —Message identifier
  • error_string —An I2C serial bus error or a switch access error, which is a decimal error code. The following are I2C serial bus errors:

- I2C_BUS_TRANSACTION_ERROR

- I2C_CHKSUM_ERROR

- I2C_TIMEOUT_ERROR

- I2C_BUS_COLLISION_ERROR

- I2C_HOST_BUSY_ERROR

- I2C_UNPOPULATED_ERROR

- I2C_SMBUS_UNSUPPORT

- I2C_BYTE_COUNT_ERROR

- I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the ASA.

3. Power cycle the device. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114002

Error Message %ASA-1-114002: Failed to initialize SFP in 4GE SSM I/O card (error error_string).

Explanation The system failed to initialize an SFP connector in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

  • syslog_id —Message identifier
  • error_string —An I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

- I2C_BUS_TRANSACTION_ERROR

- I2C_CHKSUM_ERROR

- I2C_TIMEOUT_ERROR

- I2C_BUS_COLLISION_ERROR

- I2C_HOST_BUSY_ERROR

- I2C_UNPOPULATED_ERROR

- I2C_SMBUS_UNSUPPORT

- I2C_BYTE_COUNT_ERROR

- I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the ASA.

3. Power cycle the device. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114003

Error Message %ASA-1-114003: Failed to run cached commands in 4GE SSM I/O card (error error_string).

Explanation The system failed to run cached commands in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

  • syslog_id —Message identifier
  • error_string —An I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

- I2C_BUS_TRANSACTION_ERROR

- I2C_CHKSUM_ERROR

- I2C_TIMEOUT_ERROR

- I2C_BUS_COLLISION_ERROR

- I2C_HOST_BUSY_ERROR

- I2C_UNPOPULATED_ERROR

- I2C_SMBUS_UNSUPPORT

- I2C_BYTE_COUNT_ERROR

- I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the ASA.

3. Power cycle the device. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114004

Error Message %ASA-6-114004: 4GE SSM I/O Initialization start.

Explanation he user has been notified that a 4GE SSM I/O initialization is starting.

  • syslog_id —Message identifier

Recommended Action None required.

114005

Error Message %ASA-6-114005: 4GE SSM I/O Initialization end.

Explanation The user has been notified that an 4GE SSM I/O initialization is finished.

  • syslog_id —Message identifier

Recommended Action None required.

114006

Error Message %ASA-3-114006: Failed to get port statistics in 4GE SSM I/O card (error error_string).

Explanation The ASA failed to obtain port statistics in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

  • syslog_id —Message identifier
  • error_string —An I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

- I2C_BUS_TRANSACTION_ERROR

- I2C_CHKSUM_ERROR

- I2C_TIMEOUT_ERROR

- I2C_BUS_COLLISION_ERROR

- I2C_HOST_BUSY_ERROR

- I2C_UNPOPULATED_ERROR

- I2C_SMBUS_UNSUPPORT

- I2C_BYTE_COUNT_ERROR

- I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the ASA.

3. Power cycle the device. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114007

Error Message %ASA-3-114007: Failed to get current msr in 4GE SSM I/O card (error error_string).

Explanation The ASA failed to obtain the current module status register information in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

  • syslog_id —Message identifier
  • error_string —An I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

- I2C_BUS_TRANSACTION_ERROR

- I2C_CHKSUM_ERROR

- I2C_TIMEOUT_ERROR

- I2C_BUS_COLLISION_ERROR

- I2C_HOST_BUSY_ERROR

- I2C_UNPOPULATED_ERROR

- I2C_SMBUS_UNSUPPORT

- I2C_BYTE_COUNT_ERROR

- I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the ASA.

3. Power cycle the device. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114008

Error Message %ASA-3-114008: Failed to enable port after link is up in 4GE SSM I/O card due to either I2C serial bus access error or switch access error.

Explanation The ASA failed to enable a port after the link transition to Up state is detected in a 4GE SSM I/O card because of either an I2C serial bus access error or a switch access error.

  • syslog_id —Message identifier
  • error_string —An I2C serial bus error or a switch access error, which is a decimal error code. The following are I2C serial bus errors:

- I2C_BUS_TRANSACTION_ERROR

- I2C_CHKSUM_ERROR

- I2C_TIMEOUT_ERROR

- I2C_BUS_COLLISION_ERROR

- I2C_HOST_BUSY_ERROR

- I2C_UNPOPULATED_ERROR

- I2C_SMBUS_UNSUPPORT

- I2C_BYTE_COUNT_ERROR

- I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the ASA.

3. Power cycle the device. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114009

Error Message %ASA-3-114009: Failed to set multicast address in 4GE SSM I/O card (error error_string).

Explanation The ASA failed to set the multicast address in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

  • syslog_id —Message identifier
  • error_string —An I2C serial bus error or a switch access error, which is a decimal error code. The following are I2C serial bus errors:

- I2C_BUS_TRANSACTION_ERROR

- I2C_CHKSUM_ERROR

- I2C_TIMEOUT_ERROR

- I2C_BUS_COLLISION_ERROR

- I2C_HOST_BUSY_ERROR

- I2C_UNPOPULATED_ERROR

- I2C_SMBUS_UNSUPPORT

- I2C_BYTE_COUNT_ERROR

- I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the ASA.

3. Power cycle the device. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114010

Error Message %ASA-3-114010: Failed to set multicast hardware address in 4GE SSM I/O card (error error_string).

Explanation The ASA failed to set the multicast hardware address in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

  • syslog_id —Message identifier
  • error_string —An I2C serial bus error or a switch access error, which is a decimal error code. The following are I2C serial bus errors:

- I2C_BUS_TRANSACTION_ERROR

- I2C_CHKSUM_ERROR

- I2C_TIMEOUT_ERROR

- I2C_BUS_COLLISION_ERROR

- I2C_HOST_BUSY_ERROR

- I2C_UNPOPULATED_ERROR

- I2C_SMBUS_UNSUPPORT

- I2C_BYTE_COUNT_ERROR

- I2C_DATA_PTR_ERROR

- I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the ASA.

3. Power cycle the device. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114011

Error Message %ASA-3-114011: Failed to delete multicast address in 4GE SSM I/O card (error error_string).

Explanation The ASA failed to delete the multicast address in a 4GE SSM I/O card because of either an I2C error or a switch initialization error.

  • syslog_id —Message identifier
  • error_string —An I2C serial bus error or a switch access error, which is a decimal error code. The following are I2C serial bus errors:

- I2C_BUS_TRANSACTION_ERROR

- I2C_CHKSUM_ERROR

- I2C_TIMEOUT_ERROR

- I2C_BUS_COLLISION_ERROR

- I2C_HOST_BUSY_ERROR

- I2C_UNPOPULATED_ERROR

- I2C_SMBUS_UNSUPPORT

- I2C_BYTE_COUNT_ERROR

- I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the ASA.

3. Power cycle the device. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114012

Error Message %ASA-3-114012: Failed to delete multicast hardware address in 4GE SSM I/O card (error error_string).

Explanation The ASA failed to delete the multicast hardware address in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

  • syslog_id —Message identifier
  • error_string —An I2C serial bus error or a switch access error, which is a decimal error code. The following are I2C serial bus errors:

- I2C_BUS_TRANSACTION_ERROR

- I2C_CHKSUM_ERROR

- I2C_TIMEOUT_ERROR

- I2C_BUS_COLLISION_ERROR

- I2C_HOST_BUSY_ERROR

- I2C_UNPOPULATED_ERROR

- I2C_SMBUS_UNSUPPORT

- I2C_BYTE_COUNT_ERROR

- I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the ASA.

3. Power cycle the device. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114013

Error Message %ASA-3-114013: Failed to set mac address table in 4GE SSM I/O card (error error_string).

Explanation The ASA failed to set the MAC address table in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

  • syslog_id —Message identifier
  • error_string —An I2C serial bus error or a switch access error, which is a decimal error code. The following are I2C serial bus errors:

- I2C_BUS_TRANSACTION_ERROR

- I2C_CHKSUM_ERROR

- I2C_TIMEOUT_ERROR

- I2C_BUS_COLLISION_ERROR

- I2C_HOST_BUSY_ERROR

- I2C_UNPOPULATED_ERROR

- I2C_SMBUS_UNSUPPORT

- I2C_BYTE_COUNT_ERROR

- I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the ASA.

3. Power cycle the device. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114014

Error Message %ASA-3-114014: Failed to set mac address in 4GE SSM I/O card (error error_string).

Explanation The ASA failed to set the MAC address in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

  • syslog_id —Message identifier
  • error_string —An I2C serial bus error or a switch access error, which is a decimal error code. The following are I2C serial bus errors:

- I2C_BUS_TRANSACTION_ERROR

- I2C_CHKSUM_ERROR

- I2C_TIMEOUT_ERROR

- I2C_BUS_COLLISION_ERROR

- I2C_HOST_BUSY_ERROR

- I2C_UNPOPULATED_ERROR

- I2C_SMBUS_UNSUPPORT

- I2C_BYTE_COUNT_ERROR

- I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the ASA.

3. Power cycle the device. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114015

Error Message %ASA-3-114015: Failed to set mode in 4GE SSM I/O card (error error_string).

Explanation The ASA failed to set individual or promiscuous mode in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

  • syslog_id —Message identifier
  • error_string —An I2C serial bus error or a switch access error, which is a decimal error code. The following are I2C serial bus errors:

- I2C_BUS_TRANSACTION_ERROR

- I2C_CHKSUM_ERROR

- I2C_TIMEOUT_ERROR

- I2C_BUS_COLLISION_ERROR

- I2C_HOST_BUSY_ERROR

- I2C_UNPOPULATED_ERROR

- I2C_SMBUS_UNSUPPORT

- I2C_BYTE_COUNT_ERROR

- I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the ASA.

3. Power cycle the device. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114016

Error Message %ASA-3-114016: Failed to set multicast mode in 4GE SSM I/O card (error error_string).

Explanation The ASA failed to set the multicast mode in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

  • syslog_id —Message identifier
  • error_string —An I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

- I2C_BUS_TRANSACTION_ERROR

- I2C_CHKSUM_ERROR

- I2C_TIMEOUT_ERROR

- I2C_BUS_COLLISION_ERROR

- I2C_HOST_BUSY_ERROR

- I2C_UNPOPULATED_ERROR

- I2C_SMBUS_UNSUPPORT

- I2C_BYTE_COUNT_ERROR

- I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the ASA.

3. Power cycle the device. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114017

Error Message %ASA-3-114017: Failed to get link status in 4GE SSM I/O card (error error_string).

Explanation The ASA failed to obtain link status in a 4GE SSM I/O card because of an I2C serial bus access error or a switch access error.

  • syslog_id —Message identifier
  • error_string —An I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

- I2C_BUS_TRANSACTION_ERROR

- I2C_CHKSUM_ERROR

- I2C_TIMEOUT_ERROR

- I2C_BUS_COLLISION_ERROR

- I2C_HOST_BUSY_ERROR

- I2C_UNPOPULATED_ERROR

- I2C_SMBUS_UNSUPPORT

- I2C_BYTE_COUNT_ERROR

- I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Notify the system administrator.

2. Log and review the messages and the errors associated with the event.

3. Reboot the software running on the ASA.

4. Power cycle the device. When you turn off the power, make sure you wait several seconds before turning the power on.

5. If the problem persists, contact the Cisco TAC.

114018

Error Message %ASA-3-114018: Failed to set port speed in 4GE SSM I/O card (error error_string).

Explanation The ASA failed to set the port speed in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

  • syslog_id —Message identifier
  • error_string —An I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

- I2C_BUS_TRANSACTION_ERROR

- I2C_CHKSUM_ERROR

- I2C_TIMEOUT_ERROR

- I2C_BUS_COLLISION_ERROR

- I2C_HOST_BUSY_ERROR

- I2C_UNPOPULATED_ERROR

- I2C_SMBUS_UNSUPPORT

- I2C_BYTE_COUNT_ERROR

- I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the ASA.

3. Power cycle the device. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114019

Error Message %ASA-3-114019: Failed to set media type in 4GE SSM I/O card (error error_string).

Explanation The ASA failed to set the media type in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

  • syslog_id —Message identifier
  • error_string —An I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

- I2C_BUS_TRANSACTION_ERROR

- I2C_CHKSUM_ERROR

- I2C_TIMEOUT_ERROR

- I2C_BUS_COLLISION_ERROR

- I2C_HOST_BUSY_ERROR

- I2C_UNPOPULATED_ERROR

- I2C_SMBUS_UNSUPPORT

- I2C_BYTE_COUNT_ERROR

- I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the ASA.

3. Power cycle the device. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114020

Error Message %ASA-3-114020: Port link speed is unknown in 4GE SSM I/O card.

Explanation The ASA cannot detect the port link speed in a 4GE SSM I/O card.

Recommended Action Perform the following steps:

1. Log and review the messages associated with the event.

2. Reset the 4GE SSM I/O card and observe whether or not the software automatically recovers from the event.

3. If the software does not recover automatically, power cycle the device. When you turn off the power, make sure you wait several seconds before you turn the power on.

4. If the problem persists, contact the Cisco TAC.

114021

Error Message %ASA-3-114021: Failed to set multicast address table in 4GE SSM I/O card due to error.

Explanation The ASA failed to set the multicast address table in the 4GE SSM I/O card because of either an I2C serial bus access error or a switch access error.

  • error —A switch access error (a decimal error code) or an I2C serial bus error. Possible I2C serial bus errors include:

- I2C_BUS_TRANSACTION_ERROR

- I2C_CHKSUM_ERROR

- I2C_TIMEOUT_ERROR

- I2C_BUS_COLLISION_ERROR

- I2C_HOST_BUSY_ERROR

- I2C_UNPOPULATED_ERROR

- I2C_SMBUS_UNSUPPORT

- I2C_BYTE_COUNT_ERROR

- I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages associated with the event.

2. Try to reboot the ASA.

3. If the software does not recover automatically, power cycle the device. When you turn off the power, make sure you wait several seconds before you turn the power on.

4. If the problem persists, contact the Cisco TAC.

114022

Error Message %ASA-3-114022: Failed to pass broadcast traffic in 4GE SSM I/O card due to error_string

Explanation The ASA failed to pass broadcast traffic in the 4GE SSM I/O card because of a switch access error.

  • error_string —A switch access error, which will be a decimal error code

Recommended Action Perform the following steps:

1. Log the message and errors surrounding the event.

2. Retrieve the ssm4ge_dump file from the compact flash, and send it to Cisco TAC.

3. Contact Cisco TAC with the information collected in Steps 1 and 2.


Note The 4GE SSM will be automatically reset and recover.


114023

Error Message %ASA-3-114023: Failed to cache/flush mac table in 4GE SSM I/O card due to error_string.

Explanation A failure to cache or flush the MAC table in a 4GE SSM I/O card occurred because of an I2C serial bus access error or a switch access error. This message rarely occurs.

  • error_string — Either an I2C serial bus error (see the second bullet for possible values) or a switch access error (which is a decimal error code).
  • I2C serial bus errors are as follows:

I2C_BUS_TRANSACTION_ERROR

I2C_CHKSUM_ERROR

I2C_TIMEOUT_ERROR

I2C_BUS_COLLISION_ERROR

I2C_HOST_BUSY_ERROR

I2C_UNPOPULATED_ERROR

I2C_SMBUS_UNSUPPORT

I2C_BYTE_COUNT_ERROR

I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log the syslog message and the errors surrounding the event.

2. Try to software reboot the ASA.

3. Power cycle the ASA.


Note When you turn off the power, make sure that you wait several seconds before powering on again. After you complete steps 1-3, if the problem persists, contact the Cisco TAC and provide the information described in step 1. You may need to RMA the ASA.


115000

Error Message %ASA-2-115000: Critical assertion in process: process name fiber: fiber name, component: component name, subcomponent: subcomponent name, file: filename, line: line number, cond: condition

Explanation The critical assertion has gone off and is used during development in checked builds only, but never in production builds.

  • process name — The name of the process
  • fiber name —The name of the fiber
  • component name —The name of the specified component
  • subcomponent name —The name of the specified subcomponent
  • filename —The name of the specified file
  • line number —The line number for the specified line
  • condition —The specified condition

Recommended Action A high priority defect should be filed, the reason for the assertion should be investigated, and the problem corrected.

115001

Error Message %ASA-3-115001: Error in process: process name fiber: fiber name, component: component name, subcomponent: subcomponent name, file: filename, line: line number, cond: condition

Explanation An error assertion has gone off and is used during development in checked builds only, but never in production builds.

  • process name — The name of the process
  • fiber name —The name of the fiber
  • component name —The name of the specified component
  • subcomponent name —The name of the specified subcomponent
  • filename —The name of the specified file
  • line number —The line number for the specified line
  • condition —The specified condition

Recommended Action A defect should be filed, the reason for the assertion should be investigated, and the problem fixed.

115002

Error Message %ASA-4-115002: Warning in process: process name fiber: fiber name, component: component name, subcomponent: subcomponent name, file: filename, line: line number, cond: condition

Explanation A warning assertion has gone off and is used during development in checked builds only, but never in production builds.

  • process name — The name of the process
  • fiber name —The name of the fiber
  • component name —The name of the specified component
  • subcomponent name —The name of the specified subcomponent
  • filename —The name of the specified file
  • line number —The line number for the specified line
  • condition —The specified condition

Recommended Action The reason for the assertion should be investigated and if a problem is found, a defect should be filed, and the problem corrected.

120001

Error Message %ASA-5-120001: Smart Call-Home Module is started.

Explanation The Smart Call-Home module started successfully after system bootup and failover in a stable state, and is ready to process Smart-Call Home events.

Recommended Action None required.

120002

Error Message %ASA-5-120002: Smart Call-Home Module is terminated.

Explanation When the Smart Call-Home module is disabled, it is then terminated.

Recommended Action None required.

120003

Error Message %ASA-6-120003: Process event group title

Explanation The Smart Call-Home module retrieved an event from the queue to process.

  • group —The event group, which may be the following: inventory, configuration, diagnostic, environment, snapshot, telemetry, threat, and test.
  • title —The event title

Recommended Action None required.

120004

Error Message %ASA-4-120004: Event group title is dropped. Reason reason

Explanation A Smart Call-Home event was dropped. The event may have been dropped because of an internal error, the event queue is full, or the Smart Call-Home module was disabled after the message was generated, but before it was processed.

  • group —The event group, which can be any of the following: inventory, configuration, diagnostic, environment, snapshot, telemetry, threat, and test.
  • title —The event title
  • reason —The drop reason, which can any of the following:

Internal Error—Various internal system errors occurred, such as being out of memory or parsing a CLI failed.

Queue Full—The number of events reached the configured limit.

Cancelled—The event was cancelled because the Smart Call-Home module is disabled.

Recommended Action If the drop reason is Queue Full, try to increase the event queue size and the rate-limit configuration to avoid event queue buildup. If the drop reason is Internal Error, turn on debugging by entering the debug sch fail command to obtain more detailed debugging information.

120005

Error Message %ASA-4-120005: Message group to destination is dropped. Reason reason

Explanation A Smart Call-Home message was dropped. The message may have been dropped because of an internal error, a network error, or the Smart Call-Home module was disabled after the message was generated, but before it was delivered.

  • group —The event group, which can be any of the following: inventory, configuration, diagnostic, environment, snapshot, telemetry, threat, and test.
  • destination— The e-mail or URL destination
  • reason —The drop reason, which can any of the following:

Internal Error—Various internal system errors occurred.

Delivery Failed—The packets cannot be delivered because a network error occurred.

Cancelled—The event was cancelled because the Smart Call-Home module is disabled.

Recommended Action If the drop reason is Delivery Failed, the message is dropped after three unsuccessful retransmissions, or because the error is local (such as no route to destination). Search message 120006 for the delivery failure reason, or turn on debugging by entering the debug sch fail command to obtain more detailed debugging information.

120006

Error Message %ASA-4-120006: Delivering message group to destination failed. Reason reason

Explanation An error occurred while the Smart Call Home module tried to deliver a message. The error may be transient. The message is not dropped when message 120006 is generated. The message may be queued for retransmission. The message is only dropped when message 120005 is generated.

  • group —The event group, which can be any of the following: inventory, configuration, diagnostic, environment, snapshot, telemetry, threat, and test
  • destination— The e-mail or URL destination
  • reason —The failure reason

Recommended Action Check the error reason in the message. If the reason is NO_ROUTE, INVALID_ADDRESS, or INVALID_URL, check the system configuration, DNS, and the name setting.

120007

Error Message %ASA-6-120007: Message group to destination delivered.

Explanation A Smart Call Home message was successfully delivered.

  • group —The event group, which can be any of the following: inventory, configuration, diagnostic, environment, snapshot, telemetry, threat, and test
  • destination— The e-mail or URL destination

Recommended Action None required.

120008

Error Message %ASA-5-120008: SCH client client is activated.

Explanation The Smart Call Home module is enabled, an event group is also enabled, and that event group is subscribed to by at least one active profile. If these conditions are met, then all clients of that group will be activated.

  • client —The name of the Smart Call Home client

Recommended Action None required.

120009

Error Message %ASA-5-120009: SCH client client is deactivated.

Explanation The Smart Call Home module is disabled, an event group is enabled, or an event group is no longer subscribed to by any active profile. If these conditions are met, clients of that event group will be deactivated.

  • client —The name of the Smart Call Home client

Recommended Action None required.

120010

Error Message %ASA-3-120010: Notify command command to SCH client client failed. Reason reason.

Explanation The Smart Call Home module notified Smart Call Home clients of certain events through the callback function. If the client does not interpret the command correctly, does not understand the command, or cannot process the command, an error will be returned.

  • command— ENABLE, DISABLE, or READY
  • client —The name of the Smart Call Home client
  • reason —The reason for failure

Recommended Action Turn on debugging by entering the debug sch fail command to obtain more detailed debugging information.

120012

Error Message %ASA-5-120012: User username chose to choice call-home anonymous reporting at the prompt.

Explanation The administrator was notified that a user has responded to the Smart Call Home prompt to enable, disable, or postpone anonymous reporting.

  • username —The user who responded to the prompt
  • choice —The available entries are enable, disable, or postpone

Recommended Action To enable anonymous reporting in the future, enter the call-home reporting anonymous command. To disable anonymous reporting, enter the no call-home reporting anonymous command.

199001

Error Message %ASA-5-199001: Reload command executed from Telnet (remote IP_address).

Explanation The address of the host that is initiating an ASA reboot with the reload command has been recorded.

Recommended Action None required.

199002

Error Message %ASA-6-199002: startup completed. Beginning operation.

Explanation The ASA finished its initial boot and the flash memory reading sequence, and is ready to begin operating normally.


Note You cannot block this message by using the no logging message command.


Recommended Action None required.

199003

Error Message %ASA-6-199003: Reducing link MTU dec.

Explanation The ASA received a packet from the outside network that uses a larger MTU than the inside network. The ASA then sent an ICMP message to the outside host to negotiate an appropriate MTU. The log message includes the sequence number of the ICMP message.

Recommended Action None required.

199005

Error Message %ASA-6-199005: Startup begin

Explanation The ASA started.

Recommended Action None required.

199010

Error Message %ASA-1-199010: Signal 11 caught in process/fiber(rtcli async executor process)/(rtcli async executor) at address 0xf132e03b, corrective action at 0xca1961a0

Explanation The system has recovered from a serious error.

Recommended Action Contact the Cisco TAC.

199011

Error Message %ASA-2-199011: Close on bad channel in process/fiber process/fiber, channel ID p, channel state s process/fiber name of the process/fiber that caused the bad channel close operation.

Explanation An unexpected channel close condition has been detected.

  • p —The channel ID
  • process/fiber —The name of the process/fiber that caused the bad channel close operation
  • s —The channel state

Recommended Action Contact the Cisco TAC and attach a log file.

199012

Error Message %ASA-1-1199012: Stack smash during new_stack_call in process/fiber process/fiber, call target f, stack size s, process/fiber name of the process/fiber that caused the stack smash

Explanation A stack smash condition has been detected.

  • f —The target of the new_stack_call
  • process/fiber —The name of the process/fiber that caused the stack smash
  • s —The new stack size specified in new_stack_call

Recommended Action Contact the Cisco TAC and attach a log file.

199013

Error Message %ASA-1-199013: syslog

Explanation A variable syslog was generated by an assistive process.

  • syslog —The alert syslog passed verbatim from an external process

Recommended Action Contact the Cisco TAC.

199014

Error Message %ASA-2-199014: syslog

Explanation A variable syslog was generated by an assistive process.

  • syslog —The critical syslog passed verbatim from an external process

Recommended Action Contact the Cisco TAC.

199015

Error Message %ASA-3-199015: syslog

Explanation A variable syslog was generated by an assistive process.

  • syslog —The error syslog passed verbatim from an external process

Recommended Action Contact the Cisco TAC.

199016

Error Message %ASA-4-199016: syslog

Explanation A variable syslog was generated by an assistive process.

  • syslog —The warning syslog passed verbatim from an external process

Recommended Action Contact the Cisco TAC.

199017

Error Message %ASA-5-199017: syslog

Explanation A variable syslog was generated by an assistive process.

  • syslog —The notification syslog passed verbatim from an external process

Recommended Action None required.

199018

Error Message %ASA-6-199018: syslog

Explanation A variable syslog was generated by an assistive process.

  • syslog —The informational syslog passed verbatim from an external process

Recommended Action None required.

199019

Error Message %ASA-7-199019: syslog

Explanation A variable syslog was generated by an assistive process.

  • syslog —The debugging syslog passed verbatim from an external process

Recommended Action None required.

199020

Error Message %ASA-2-199020: System memory utilization has reached X %. System will reload if memory usage reaches the configured trigger level of Y %.

Explanation The system memory utilization has reached 80% of the system memory watchdog facility's configured value.

Recommended Action Reduce system memory utilization by reducing traffic load, removing traffic inspections, reducing the number of ACL entries, and so on. If a memory leak is suspected, contact Cisco TAC.

199021

Error Message %ASA-1-199021: System memory utilization has reached the configured watchdog trigger level of Y %. System will now reload

Explanation.The system memory utilization has reached 100% of the system memory watchdog facility's configured value. The system will automatically reload.

Recommended Action Reduce system memory utilization by reducing traffic load, removing traffic inspections, reducing the number of ACL entries, and so on. If a memory leak is suspected, contact Cisco TAC.

Messages 201002 to 219002

This section includes messages from 201002 to 219002.

201002

Error Message %ASA-3-201002: Too many TCP connections on {static|xlate} global_address ! econns nconns

Explanation The maximum number of TCP connections to the specified global address was exceeded.

  • econns—The maximum number of embryonic connections
  • nconns—The maximum number of connections permitted for the static or xlate global address

Recommended Action Use the show static or show nat command to check the limit imposed on connections to a static address. The limit is configurable.

201003

Error Message %ASA-2-201003: Embryonic limit exceeded nconns/elimit for outside_address/outside_port ( global_address) inside_address / inside_port on interface interface_name

Explanation The number of embryonic connections from the specified foreign address with the specified static global address to the specified local address exceeds the embryonic limit. When the limit on embryonic connections to the ASA is reached, the ASA attempts to accept them anyway, but puts a time limit on the connections. This situation allows some connections to succeed even if the ASA is very busy. This message indicates a more serious overload than message 201002, which can be caused by a SYN attack, or by a very heavy load of legitimate traffic.

  • nconns—The maximum number of embryonic connections received
  • elimit —The maximum number of embryonic connections specified in the static or nat command

Recommended Action Use the show static command to check the limit imposed on embryonic connections to a static address.

201004

Error Message %ASA-3-201004: Too many UDP connections on {static|xlate} global_address!udp connections limit

Explanation The maximum number of UDP connections to the specified global address was exceeded.

  • udp conn limit—The maximum number of UDP connections permitted for the static address or translation

Recommended Action Use the show static or show nat command to check the limit imposed on connections to a static address. You can configure the limit.

201005

Error Message %ASA-3-201005: FTP data connection failed for IP_address IP_address

Explanation The ASA cannot allocate a structure to track the data connection for FTP because of insufficient memory.

Recommended Action Reduce the amount of memory usage or purchase additional memory.

201006

Error Message %ASA-3-201006: RCMD backconnection failed for IP_address/port .

Explanation The ASA cannot preallocate connections for inbound standard output for rsh commands because of insufficient memory.

Recommended Action Check the rsh client version; the ASA only supports the Berkeley rsh client version. You can also reduce the amount of memory usage, or purchase additional memory.

201008

Error Message %ASA-3-201008: Disallowing new connections.

Explanation You have enabled TCP system log messaging and the syslog server cannot be reached, or when using the ASA syslog server (PFSS) and the disk on the Windows NT system is full, or when the auto-update timeout is configured and the auto-update server is not reachable.

Recommended Action Disable TCP syslog messaging. If using PFSS, free up space on the Windows NT system where PFSS resides. Also, make sure that the syslog server is up and you can ping the host from the ASA console. Then restart TCP system message logging to allow traffic. If the Auto Update Server has not been contacted for a certain period of time, enter the [no] auto-update timeout period command to have it stop sending packets.

201009

Error Message %ASA-3-201009: TCP connection limit of number for host IP_address on interface_name exceeded

Explanation The maximum number of connections to the specified static address was exceeded.

  • number—The maximum of connections permitted for the host
  • IP_address —The host IP address
  • interface_name— The name of the interface to which the host is connected

Recommended Action Use the show static and show nat commands to check the limit imposed on connections to an address. The limit is configurable.

201010

Error Message %ASA-6-201010: Embryonic connection limit exceeded econns/limit for dir packet from source_address/source_port to dest_address/dest_port on interface interface_name

Explanation An attempt to establish a TCP connection failed because of an exceeded embryonic connection limit, which was configured with the set connection embryonic-conn-max MPC command for a traffic class.

  • econns —The current count of embryonic connections associated to the configured traffic class
  • limit —The configured embryonic connection limit for the traffic class
  • dir —input: The first packet that initiates the connection is an input packet on the interface interface_name output: The first packet that initiates the connection is an output packet on the interface interface_name
  • source_address/source_port —The source real IP address and the source port of the packet initiating the connection
  • dest_address/dest_port —The destination real IP address and the destination port of the packet initiating the connection
  • interface_name —The name of the interface on which the policy limit is enforced

Recommended Action None required.

201011

Error Message %ASA-3-201011: Connection limit exceeded cnt / limit for dir packet from sip / sport to dip / dport on interface if_name.

Explanation A new connection through the ASA resulted in exceeding at least one of the configured maximum connection limits. This message applies both to connection limits configured using a static command, or to those configured using Cisco Modular Policy Framework. The new connection will not be allowed through the ASA until one of the existing connections is torn down, which brings the current connection count below the configured maximum.

  • cnt —Current connection count
  • limit —Configured connection limit
  • dir —Direction of traffic, inbound or outbound
  • sip —Source real IP address
  • sport —Source port
  • dip —Destination real IP address
  • dpor t—Destination port
  • if_name —Name of the interface on which the traffic was received

Recommended Action None required.

201012

Error Message %ASA-6-201012: Per-client embryonic connection limit exceeded curr num / limit for [input|output] packet from IP_address / port to ip / port on interface interface_name

Explanation An attempt to establish a TCP connection failed because the per-client embryonic connection limit was exceeded. By default, this message is rate limited to 1 message every 10 seconds.

  • curr num —The current number
  • limit —The configured limit
  • [input|output]—Input or output packet on interface interface_name
  • IP_address —Real IP address
  • port —TCP or UDP port
  • interface_name —The name of the interface on which the policy is applied

Recommended Action When the limit is reached, any new connection request will be proxied by the ASA to prevent a SYN flood attack. The ASA will only connect to the server if the client is able to finish the three-way handshake. This usually does not affect the end user or the application. However, if this creates a problem for any application that has a legitimate need for a higher number of embryonic connections, you can adjust the setting by entering the set connection per-client-embryonic-max command.

201013

Error Message %ASA-3-201013: Per-client connection limit exceeded curr num / limit for [input|output] packet from ip / port to ip / port on interface interface_name

Explanation A connection was rejected because the per-client connection limit was exceeded.

  • curr num —The current number
  • limit —The configured limit
  • [input|output]—The input or output packet on interface interface_name
  • ip —The real IP address
  • port —The TCP or UDP port
  • interface_name —The name of the interface on which the policy is applied

Recommended Action When the limit is reached, any new connection request will be silently dropped. Normally an application will retry the connection, which will cause a delay or even a timeout if all retries also fail. If an application has a legitimate need for a higher number of concurrent connections, you can adjust the setting by entering the set connection per-client-max command.

202001

Error Message %ASA-3-202001: Out of address translation slots!

Explanation The ASA has no more address translation slots available.

Recommended Action Check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translates and connections. This error message can also be caused by insufficient memory; reduce the amount of memory usage, or purchase additional memory, if possible.

202005

Error Message %ASA-3-202005: Non-embryonic in embryonic list outside_address/outside_port inside_address/inside_port

Explanation A connection object (xlate) is in the wrong list.

Recommended Action Contact the Cisco TAC.

202010

Error Message %ASA-3-202010: [NAT | PAT] pool exhausted for pool-name, port range [1-511 | 512-1023 | 1024-65535]. Unable to create protocol connection from in-interface : src-ip / src-port to out-interface : dst-ip / dst-port
  • pool-name —The name of the NAT or PAT pool
  • protocol —The protocol used to create the connection
  • in-interface —The ingress interface
  • src-ip —The source IP address
  • src-port —The source port
  • out-interface —The egress interface
  • dest-ip —The destination IP address
  • dst-port —The destination port

Explanation The ASA has no more address translation pools available.

Recommended Action Use the show nat pool and show nat detail commands to determine why all addresses and ports in the pool are used up. If this occurs under normal conditions, then add additional IP addresses to the NAT/PAT pool.

208005

Error Message %ASA-3-208005: (function:line_num) clear command return code

Explanation The ASA received a nonzero value (an internal error) when attempting to clear the configuration in flash memory. The message includes the reporting subroutine filename and line number.

Recommended Action For performance reasons, the end host should be configured not to inject IP fragments. This configuration change is probably because of NFS. Set the read and write size equal to the interface MTU for NFS.

209003

Error Message %ASA-4-209003: Fragment database limit of number exceeded: src = source_address, dest = dest_address, proto = protocol, id = number

Explanation Too many IP fragments are currently awaiting reassembly. By default, the maximum number of fragments is 200 (to raise the maximum, see the fragment size command in the command reference guide). The ASA limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the ASA under abnormal network conditions. In general, fragmented traffic should be a small percentage of the total traffic mix. An exception is in a network environment with NFS over UDP where a large percentage is fragmented traffic; if this type of traffic is relayed through the ASA, consider using NFS over TCP instead. To prevent fragmentation, see the sysopt connection tcpmss bytes command in the command reference guide.

Recommended Action If this message persists, a denial of service (DoS) attack might be in progress. Contact the remote peer administrator or upstream provider.

209004

Error Message %ASA-4-209004: Invalid IP fragment, size = bytes exceeds maximum size = bytes : src = source_address, dest = dest_address, proto = protocol, id = number

Explanation An IP fragment is malformed. The total size of the reassembled IP packet exceeds the maximum possible size of 65,535 bytes.

Recommended Action A possible intrusion event may be in progress. If this message persists, contact the remote peer administrator or upstream provider.

209005

Error Message %ASA-4-209005: Discard IP fragment set with more than number elements: src = Too many elements are in a fragment set.

Explanation The ASA disallows any IP packet that is fragmented into more than 24 fragments. For more information, see the fragment command in the command reference guide.

Recommended Action A possible intrusion event may be in progress. If the message persists, contact the remote peer administrator or upstream provider. You can change the number of fragments per packet by using the fragment chain xxx interface_name command.

210001

Error Message %ASA-3-210001: LU sw_module_name error = number

Explanation A Stateful Failover error occurred.

Recommended Action If this error persists after traffic lessens through the ASA, report this error to the Cisco TAC.

210002

Error Message %ASA-3-210002: LU allocate block ( bytes) failed.

Explanation Stateful Failover cannot allocate a block of memory to transmit stateful information to the standby ASA.

Recommended Action Check the failover interface using the show interface command to make sure its transmit is normal. Also check the current block memory using the show block command. If current available count is 0 within any of the blocks of memory, then reload the ASA software to recover the lost blocks of memory.

210003

Error Message %ASA-3-210003: Unknown LU Object number

Explanation Stateful Failover received an unsupported Logical Update object and was unable to process it. This can be caused by corrupted memory, LAN transmissions, and other events.

Recommended Action If you see this error infrequently, then no action is required. If this error occurs frequently, check the Stateful Failover link LAN connection. If the error was not caused by a faulty failover link LAN connection, determine if an external user is trying to compromise the protected network. Also check for misconfigured clients.

210005

Error Message %ASA-3-210005: LU allocate secondary ( optional) connection failed for protocol [ TCP | UDP ] connection from ingress interface name : Real IP Address / Real Port to egress interface name : Real IP Address / Real Port

Explanation Stateful Failover cannot allocate a new connection on the standby unit. This may be caused by little or no RAM memory available within the ASA.


Note The secondary field in the syslog message is optional and appears only if the connection is a secondary connection.


Recommended Action Check the available memory using the show memory command to make sure that the ASA has free memory. If there is no available memory, add more physical memory to the ASA.

210006

Error Message %ASA-3-210006: LU look NAT for IP_address failed

Explanation Stateful Failover was unable to locate a NAT group for the IP address on the standby unit. The active and standby ASAs may be out-of-sync with each other.

Recommended Action Use the write standby command on the active unit to synchronize system memory with the standby unit.

210007

Error Message %ASA-3-210007: LU allocate xlate failed for type [ static | dynamic ]-[ NAT | PAT ] secondary(optional) protocol translation from ingress interface name : Real IP Address / real port ( Mapped IP Address / Mapped Port) to egress interface name : Real IP Address / Real Port ( Mapped IP Address / Mapped Port)

Explanation Stateful Failover failed to allocate a translation slot record.

Recommended Action Check the available memory by using the show memory command to make sure that the ASA has free memory available. If no memory is available, add more memory.

210008

Error Message %ASA-3-210008: LU no xlate for inside_address / inside_port outside_address / outside_port

Explanation The ASA cannot find a translation slot record for a Stateful Failover connection; as a result, the ASA cannot process the connection information.

Recommended Action Use the write standby command on the active unit to synchronize system memory between the active and standby units.

210010

Error Message %ASA-3-210010: LU make UDP connection for outside_address : outside_port inside_address : inside_port failed

Explanation Stateful Failover was unable to allocate a new record for a UDP connection.

Recommended Action Check the available memory by using the show memory command to make sure that the ASA has free memory available. If no memory is available, add more memory.

210020

Error Message %ASA-3-210020: LU PAT port port reserve failed

Explanation Stateful Failover is unable to allocate a specific PAT address that is in use.

Recommended Action Use the write standby command on the active unit to synchronize system memory between the active and standby units.

210021

Error Message %ASA-3-210021: LU create static xlate global_address ifc interface_name failed

Explanation Stateful Failover is unable to create a translation slot.

Recommended Action Enter the write standby command on the active unit to synchronize system memory between the active and standby units.

210022

Error Message %ASA-6-210022: LU missed number updates

Explanation Stateful Failover assigns a sequence number for each record sent to the standby unit. When a received record sequence number is out of sequence with the last updated record, the information in between is assumed to be lost, and this error message is sent as a result.

Recommended Action Unless LAN interruptions occur, check the available memory on both ASA units to ensure that enough memory is available to process the stateful information. Use the show failover command to monitor the quality of stateful information updates.

211001

Error Message %ASA-3-211001: Memory allocation Error

Explanation The ASA failed to allocate RAM system memory.

Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact the Cisco TAC.

211003

Error Message %ASA-3-211003: Error in computed percentage CPU usage value

Explanation The percentage of CPU usage is greater than 100 percent.

Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact the Cisco TAC.

211004

Error Message %ASA-1-211004: WARNING: Minimum Memory Requirement for ASA version ver not met for ASA image. min MB required, actual MB found.

Explanation The ASA does not meet the minimum memory requirements for this version. A memory upgrade is required. If a memory upgrade is not immediately available, then downgrade the ASA to Version 8.2(1) or lower. Continuing to run an 8.3 image without meeting the minimum memory requirements is not supported and may result in critical system failures.

  • ver —Running image version number
  • min —Minimum required amount of RAM to run the installed image. The available memory upgrade PID numbers are as follows:

ASA5505-MEM-512=

ASA5510-MEM-1GB=

ASA5520-MEM-2GB=

ASA5540-MEM-2GB=

  • actual —Amount of RAM currently installed in the system

Recommended Action Install the required amount of RAM. Use the memory upgrade PID numbers to order the required amount of RAM.

212001

Error Message %ASA-3-212001: Unable to open SNMP channel (UDP port port) on interface interface_number, error code = code

Explanation The ASA is unable to receive SNMP requests destined for the ASA from SNMP management stations located on this interface. The SNMP traffic passing through the ASA on any interface is not affected. The error codes are as follows:

  • An error code of -1 indicates that the ASA cannot open the SNMP transport for the interface. This can occur when the user attempts to change the port on which SNMP accepts queries to one that is already in use by another feature. In this case, the port used by SNMP will be reset to the default port for incoming SNMP queries (UDP 161).
  • An error code of -2 indicates that the ASA cannot bind the SNMP transport for the interface.

Recommended Action After the ASA reclaims some of its resources when traffic is lighter, reenter the snmp-server host command for that interface.

212002

Error Message %ASA-3-212002: Unable to open SNMP trap channel (UDP port port) on interface interface_number, error code = code

Explanation The ASA is unable to send its SNMP traps from the ASA to SNMP management stations located on this interface. The SNMP traffic passing through the ASA on any interface is not affected. The error codes are as follows:

  • An error code of -1 indicates that the ASA cannot open the SNMP trap transport for the interface.
  • An error code of -2 indicates that the ASA cannot bind the SNMP trap transport for the interface.
  • An error code of -3 indicates that the ASA cannot set the trap channel as write-only.

Recommended Action After the ASA reclaims some of its resources when traffic is lighter, reenter the snmp-server host command for that interface.

212003

Error Message %ASA-3-212003: Unable to receive an SNMP request on interface interface_number, error code = code, will try again.

Explanation An internal error occurred in receiving an SNMP request destined for the ASA on the specified interface. The error codes are as follows:

  • An error code of -1 indicates that the ASA cannot find a supported transport type for the interface.
  • An error code of -5 indicates that the ASA received no data from the UDP channel for the interface.
  • An error code of -7 indicates that the ASA received an incoming request that exceeded the supported buffer size.
  • An error code of -14 indicates that the ASA cannot determine the source IP address from the UDP channel.
  • An error code of -22 indicates that the ASA received an invalid parameter.

Recommended Action None required. The ASA SNMP agent goes back to wait for the next SNMP request.

212004

Error Message %ASA-3-212004: Unable to send an SNMP response to IP Address IP_address Port port interface interface_number, error code = code

Explanation An internal error occurred in sending an SNMP response from the ASA to the specified host on the specified interface. The error codes are as follows:

  • An error code of -1 indicates that the ASA cannot find a supported transport type for the interface.
  • An error code of -2 indicates that the ASA sent an invalid parameter.
  • An error code of -3 indicates that the ASA was unable to set the destination IP address in the UDP channel.
  • An error code of -4 indicates that the ASA sent a PDU length that exceeded the supported UDP segment size.
  • An error code of -5 indicates that the ASA was unable to allocate a system block to construct the PDU.

Recommended Action None required.

212005

Error Message %ASA-3-212005: incoming SNMP request ( number bytes) on interface interface_name exceeds data buffer size, discarding this SNMP request.

Explanation The length of the incoming SNMP request that is destined for the ASA exceeds the size of the internal data buffer (512 bytes) used for storing the request during internal processing. The ASA is unable to process this request. The SNMP traffic passing through the ASA on any interface is not affected.

Recommended Action Have the SNMP management station resend the request with a shorter length. For example, instead of querying multiple MIB variables in one request, try querying only one MIB variable in a request. You may need to modify the configuration of the SNMP manager software.

212006

Error Message %ASA-3-212006: Dropping SNMP request from src_addr / src_port to ifc : dst_addr / dst_port because: reason username

Explanation The ASA cannot process the SNMP request being sent to it for the following reasons:

  • user not found—The username cannot be located in the local SNMP user database.
  • username exceeds maximum length—The username embedded in the PDU exceeds the maximum length allowed by the SNMP RFCs.
  • authentication algorithm failure—An authentication failure caused by an invalid password or a packet authenticated using the incorrect algorithm.
  • privacy algorithm failure—A privacy failure caused by an invalid password or a packet encrypted using the incorrect algorithm.
  • error decrypting request—An error occurred in the platform crypto module decrypting the user request.
  • error encrypting response—An error occurred in the platform crypto module encrypting the user response or trap notification.
  • engineBoots has reached maximum value—The engineBoots variable has reached the maximum allowed value. For more information, see message 212011.

Note The username appears after each reason listed.


Recommended Action Check the ASA SNMP server settings and confirm that the NMS configuration is using the expected user, authentication, and encryption settings. Enter the show crypto accelerator statistics command to isolate errors in the platform crypto module.

212009

Error Message %ASA-5-212009: Configuration request for SNMP group groupname failed. User username, reason.

Explanation A user has tried to change the SNMP server group configuration. One or more users that refer to the group have insufficient settings to comply with the requested group changes.

  • groupname —A string that represents the group name
  • username —A string that represents the username
  • reason —A string that represents one of the following reasons:

- missing auth-password —A user has tried to add authentication to the group, and the user has not specified an authentication password

- missing priv-password —A user has tried to add privacy to the group, and the user has not specified an encryption password

- reference group intended for removal —A user has tried to remove a group that has users belonging to it

Recommended Action The user must update the indicated user configurations before changing the group or removing indicated users, and then add them again after making changes to the group.

212010

Error Message %ASA-3-212010: Configuration request for SNMP user % s failed. Host % s reason.

Explanation A user has tried to change the SNMP server user configuration by removing one or more hosts that reference the user. One message is generated per host.

  • %s —A string that represents the username or hostname
  • reason —A string the represents the following reason:

- references user intended for removal— The name of the user to be removed from the host.

Recommended Action The user must either update the indicated host configuration before changing a user or remove the indicated hosts, then add them again after making changes to the user.

212011

Error Message %ASA-3-212011: SNMP engineBoots is set to maximum value. Reason : %s User intervention necessary.

For example:

%ASA-3-212011: SNMP engineBoots is set to maximum value. Reason: error accessing persistent data. User intervention necessary.
 

Explanation The device has rebooted 214783647 times, which is the maximum allowed value of the engineBoots variable, or an error reading the persistent value from flash memory has occurred. The engineBoots value is stored in flash memory in the flash:/snmp/ ctx-name file, where ctx-name is the name of the context. In single mode, the name of this file is flash:/snmp/single_vf. In multi-mode, the name of the file for the admin context is flash:/snmp/admin. During a reboot, if the device is unable to read from the file or write to the file, the engineBoots value is set to the maximum.

  • %s —A string that represents the reason that the engineBoots value is set to the maximum allowed value. The two valid strings are “device reboots” and “error accessing persistent data.”

Recommended Action For the first string, the administrator must delete all SNMP Version 3 users and add them again to reset the engineBoots variable to 1. All subsequent Version 3 queries will fail until all users have been removed. For the second string, the administrator must delete the context-specific file, then delete all SNMP Version users, and add them again to reset the engineBoots variable to 1. All subsequent Version 3 queries will fail until all users have been removed.

212012

Error Message %ASA-3-212012: Unable to write SNMP engine data to persistent storage.

Explanation The SNMP engine data is written to the file, flash:/snmp/ context-name. For example: in single mode, the data is written to the file, flash:/snmp/single_vf. In the admin context in multi-mode, the file is written to the directory, flash:/snmp/admin. The error may be caused by a failure to create the flash:/snmp directory or the flash:/snmp/ context-name file. The error may also be caused by a failure to write to the file.

Recommended Action The system administrator should remove the flash:/snmp/ context-name file, then remove all SNMP Version 3 users, and add them again. This procedure should recreate the flash:/snmp/ context-name file. If the problem persists, the system administrator should try reformatting the flash.

213001

Error Message %ASA-3-213001: PPTP control daemon socket io string, errno = number.

Explanation An internal TCP socket I/O error occurred.

Recommended Action Contact the Cisco TAC.

213002

Error Message %ASA-3-213002: PPTP tunnel hashtable insert failed, peer = IP_address.

Explanation An internal software error occurred while creating a new PPTP tunnel.

Recommended Action Contact the Cisco TAC.

213003

Error Message %ASA-3-213003: PPP virtual interface interface_number isn't opened.

Explanation An internal software error occurred while closing a PPP virtual interface.

Recommended Action Contact the Cisco TAC.

213004

Error Message %ASA-3-213004: PPP virtual interface interface_number client ip allocation failed.

Explanation An internal software error occurred while allocating an IP address to the PPTP client when the IP local address pool was depleted.

Recommended Action Consider allocating a larger pool with the ip local pool command.

213005

Error Message %ASA-3-213005%: Dynamic-Access-Policy action (DAP) action aborted

Explanation The DAP is dynamically created by selecting configured access policies based on the authorization rights of the user and the posture assessment results of the remote endpoint device. The resulting dynamic policy indicates that the session should be terminated.

Recommended Action None required.

213006

Error Message %ASA-3-213006%: Unable to read dynamic access policy record.

Explanation There was either an error in retrieving the DAP policy record data, or the action configuration was missing.

Recommended Action A configuration change might have resulted in deleting a DAP record. Use ASDM to recreate the DAP record.

213007

Error Message %ASA-4-213007: L2TP: Failed to install Redirect URL: redirect URL Redirect ACL: non_exist for assigned IP.

Explanation An error occurred for an L2TP connection when the redirect URL was installed and the ACL was received from the ISE, but the redirect ACL does not exist on the ASA.

  • redirect URL —The URL for the HTTP traffic redirection
  • assigned IP —The IP address that is assigned to the user

Recommended Action Configure the redirect ACL on the ASA.

214001

Error Message %ASA-2-214001: Terminating manager session from IP_address on interface interface_name. Reason: incoming encrypted data ( number bytes) longer than number bytes

Explanation An incoming encrypted data packet destined for the ASA management port indicates a packet length exceeding the specified upper limit. This may be a hostile event. The ASA immediately terminates this management connection.

Recommended Action Ensure that the management connection was initiated by Cisco Secure Policy Manager.

215001

Error Message %ASA-2-215001:Bad route_compress() call, sdb = number

Explanation An internal software error occurred.

Recommended Action Contact the Cisco TAC.

217001

Error Message %ASA-2-217001: No memory for string in string

Explanation An operation failed because of low memory.

Recommended Action If sufficient memory exists, then send the error message, the configuration, and any details about the events leading up to the error to the Cisco TAC.

216001

Error Message %ASA- n -216001: internal error in: function : message

Explanation Various internal errors have occurred that should not appear during normal operation. The severity level varies depending on the cause of the message.

  • n— The message severity
  • function— The affected component
  • message— A message describing the cause of the problem

Recommended Action Search the Bug Toolkit for the specific text message and try to use the Output Interpreter to resolve the problem. If the problem persists, contact the Cisco TAC.

216002

Error Message ASA-3-216002: Unexpected event (major: major_id, minor: minor_id) received by task_string in function at line: line_num

Explanation A task registers for event notification, but the task cannot handle the specific event. Events that can be watched include those associated with queues, booleans, and timer services. If any of the registered events occur, the scheduler wakes up the task to process the event. This message is generated if an unexpected event woke up the task, but it does not know how to handle the event.

If an event is left unprocessed, it can wake up the task very often to make sure that it is processed, but this should not occur under normal conditions. If this message appears, it does not necessarily mean the device is unusable, but something unusual has occurred and needs to be investigated.

  • major_id —Event identifier
  • minor_id — Event identifier
  • task_string —Custom string passed by the task to identify itself
  • function —The function that received the unexpected event
  • line_num —Line number in the code

Recommended Action If the problem persists, contact the Cisco TAC.

216003

Error Message %ASA-3-216003: Unrecognized timer timer_ptr, timer_id received by task_string in function at line: line_num

Explanation An unexpected timer event woke up the task, but the task does not know how to handle the event. A task can register a set of timer services with the scheduler. If any of the timers expire, the scheduler wakes up the task to take action. This message is generated if the task is awakened by an unrecognized timer event.

An expired timer, if left unprocessed, wakes up the task continuously to make sure that it is processed, and this is undesirable. This should not occur under normal conditions. If this message appears, it does not necessarily mean the device is unusable, but something unusual has occurred and needs to be investigated.

  • timer_ptr —Pointer to the timer
  • timer_id —Timer identifier
  • task_string —Custom string passed by the task to identify itself
  • function —The function that received the unexpected event
  • line_num —Line number in the code

Recommended Action If the problem persists, contact the Cisco TAC.

216004

Error Message %ASA-4-216004:prevented: error in function at file ( line) - stack trace

Explanation An internal logic error has occurred, which should not occur during normal operation.

  • error —Internal logic error. Possible errors include the following:

- Exception

- Dereferencing null pointer

- Array index out of bounds

- Invalid buffer size

- Writing from input

- Source and destination overlap

- Invalid date

- Access offset from array indices

  • function —The calling function that generated the error
  • file(line) —The file and line number that generated the error
  • stack trace —Full call stack traceback, starting with the calling function. For example: (“0x001010a4 0x00304e58 0x00670060 0x00130b04”)

Recommended Action If the problem persists, contact the Cisco TAC.

216005

Error Message %ASA-1-216005: ERROR: Duplex-mismatch on interface_name resulted in transmitter lockup. A soft reset of the switch was performed.

Explanation A duplex mismatch on the port caused a problem in which the port can no longer transmit packets. This condition was detected, and the switch was reset to autorecover. This message applies only to the ASA 5505.

  • interface_name —The interface name that was locked up

Recommended Action A duplex mismatch exists between the specified port and the ASA 5505 that is connected to it. Correct the duplex mismatch by either setting both devices to autorecover, or hard coding the duplex mismatch for both devices to be the same.

218001

Error Message %ASA-2-218001: Failed Identification Test in slot# [ fail #/ res ].

Explanation The module in slot# of the ASA cannot be identified as a genuine Cisco product. Cisco warranties and support programs apply only to genuine Cisco products. If Cisco determines that the cause of a support issue is related to non-Cisco memory, SSM modules, SSC modules, or other modules, Cisco may deny support under your warranty or under a Cisco support program such as SmartNet.

Recommended Action If this message recurs, copy it exactly as it appears on the console or in the system log. Research and try to resolve the error using the Output Interpreter. Also perform a search with the Bug Toolkit. If the problem persists, contact the Cisco TAC.

218002

Error Message %ASA-2-218002: Module ( slot#) is a registered proto-type for Cisco Lab use only, and not certified for live network operation.

Explanation The hardware in the specified location is a prototype module that came from a Cisco lab.

Recommended Action If this message reoccurs, copy it exactly as it appears on the console or in the system log. Research and try to resolve the error using the Output Interpreter. Also perform a search with the Bug Toolkit. If the problem persists, contact the Cisco TAC.

218003

Error Message %ASA-2-218003: Module Version in slot# is obsolete. The module in slot = slot# is obsolete and must be returned via RMA to Cisco Manufacturing. If it is a lab unit, it must be returned to Proto Services for upgrade.

Explanation Obsolete hardware has been detected or the show module command has been run for the module. This message is generated once per minute after it first appears.

Recommended Action If this message recurs, copy it exactly as it appears on the console or in the system log. Research and try to resolve the error using the Output Interpreter. Also perform a search with the Bug Toolkit. If the problem persists, contact the Cisco TAC.

218004

Error Message %ASA-2-218004: Failed Identification Test in slot# [ fail# / res ]

Explanation Aproblem occurred while identifying hardware in the specified location.

Recommended Action If this message recurs, copy it exactly as it appears on the console or in the system log. Research and try to resolve the error using the Output Interpreter. Also perform a search with the Bug Toolkit. If the problem persists, contact the Cisco TAC.

219002

Error Message %ASA-3-219002: I2C_API_name error, slot = slot_number, device = device_number, address = address, byte count = count. Reason: reason_string

Explanation The I2C serial bus API has failed because of a hardware or software problem.

  • I2C_API_name —The I2C API that failed, which can be one of the following:

I2C_read_byte_w_wait()

I2C_read_word_w_wait()

I2C_read_block_w_wait()

I2C_write_byte_w_wait()

I2C_write_word_w_wait()

I2C_write_block_w_wait()

I2C_read_byte_w_suspend()

I2C_read_word_w_suspend()

I2C_read_block_w_suspend()

I2C_write_byte_w_suspend()

I2C_write_word_w_suspend()

I2C_write_block_w_suspend()

  • slot_number —The hexadecimal number of the slot where the I/O operation that generated the message occurred. The slot number cannot be unique to a slot in the chassis. Depending on the chassis, two different slots might have the same I2C slot number. Also, the value is not necessarily less than or equal to the number of slots. The value depends on the way the I2C hardware is wired.
  • device_number —The hexadecimal number of the device on the slot for which the I/O operation was performed
  • address —The hexadecimal address of the device on which the I/O operation occurred
  • byte_count —The byte count in decimal format of the I/O operation
  • error_string —The reason for the error, which can be one of the following:

I2C_BUS_TRANSACTION_ERROR

I2C_CHKSUM_ERROR

I2C_TIMEOUT_ERROR

I2C_BUS_COLLISION_ERROR

I2C_HOST_BUSY_ERROR

I2C_UNPOPULATED_ERROR

I2C_SMBUS_UNSUPPORT

I2C_BYTE_COUNT_ERROR

I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the event. If the message does not occur continuously and disappears after a few minutes, it might be because the I2C serial bus is busy.

2. Reboot the software running on the ASA.

3. Power cycle the device. When you turn off the power, make sure that you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

Messages 302003 to 342001

This section includes messages from 302003 to 342001.

302003

Error Message %ASA-6-302003: Built H245 connection for foreign_address outside_address / outside_port local_address inside_address / inside_port

Explanation An H.245 connection has been started from the outside_address to the inside_address. The ASA has detected the use of an Intel Internet Phone. The foreign port ( outside_port) only appears on connections from outside the ASA. The local port value ( inside_port) only appears on connections that were started on an internal interface.

Recommended Action None required.

302004

Error Message %ASA-6-302004: Pre-allocate H323 UDP backconnection for foreign_address outside_address / outside_port to local_address inside_address / inside_port

Explanation An H.323 UDP back connection has been preallocated to the foreign address ( outside_address) from the local address ( inside_address). The ASA has detected the use of an Intel Internet Phone. The foreign port ( outside_port) only appears on connections from outside the ASA. The local port value ( inside_port) only appears on connections that were started on an internal interface.

Recommended Action None required.

302010

Error Message %ASA-6-302010: connections in use, connections most used

Explanation A TCP connection has restarted.

  • connections —The number of connections

Recommended Action None required.

302012

Error Message %ASA-6-302012: Pre-allocate H225 Call Signalling Connection for faddr IP_address / port to laddr IP_address

Explanation An H.225 secondary channel has been preallocated.

Recommended Action None required.

302013

Error Message %ASA-6-302013: Built {inbound|outbound} TCP connection_id for interface : real-address / real-port ( mapped-address/mapped-port) [( idfw_user)] to interface : real-address / real-port ( mapped-address/mapped-port) [( idfw_user)] [( user)]

Explanation A TCP connection slot between two hosts was created.

  • connection_id —A unique identifier
  • interface, real-address, real-port— The actual sockets
  • mapped-address, mapped-port —The mapped sockets
  • user —The AAA name of the user
  • idfw_user— The name of the identity firewall user

If inbound is specified, the original control connection was initiated from the outside. For example, for FTP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, the original control connection was initiated from the inside.

Recommended Action None required.

302014

Error Message %ASA-6-302014: Teardown TCP connection id for interface : real-address / real-port [( idfw_user)] to interface : real-address / real-port [( idfw_user)] duration hh:mm:ss bytes bytes [ reason ] [( user)]

Explanation A TCP connection between two hosts was deleted. The following list describes the message values:

  • id —A unique identifier
  • interface, real-address, real-port —The actual socket
  • duration —The lifetime of the connection
  • bytes The data transfer of the connection
  • user —The AAA name of the user
  • idfw_user —The name of the identity firewall user
  • reason —The action that causes the connection to terminate. Set the reason variable to one of the TCP termination reasons listed in Table 1-3 .
  • Table 1-3 TCP Termination Reasons

    Reason
    Description

    Conn-timeout

    The connection ended when a flow is closed because of the expiration of its inactivity timer.

    Deny Terminate

    Flow was terminated by application inspection.

    Failover primary closed

    The standby unit in a failover pair deleted a connection because of a message received from the active unit.

    FIN Timeout

    Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.

    Flow closed by inspection

    Flow was terminated by the inspection feature.

    Flow terminated by IPS

    Flow was terminated by IPS.

    Flow reset by IPS

    Flow was reset by IPS.

    Flow terminated by TCP Intercept

    Flow was terminated by TCP Intercept.

    Flow timed out

    Flow has timed out.

    Flow timed out with reset

    Flow has timed out, but was reset.

    Flow is a loopback

    Flow is a loopback.

    Free the flow created as result of packet injection

    The connection was built because the packet tracer feature sent a simulated packet through the ASA.

    Invalid SYN

    The SYN packet was not valid.

    Idle Timeout

    The connection timed out because it was idle longer than the timeout value.

    IPS fail-close

    Flow was terminated because the IPS card is down.

    No interfaces associated with zone

    Flows were torn down after the “no nameif” or “no zone-member” leaves a zone with no interface members.

    No valid adjacency

    This counter is incremented when the ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.

    Pinhole Timeout

    The counter is incremented to report that the ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.

    Route change

    When the ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.

    SYN Control

    A back channel initiation occurred from the wrong side.

    SYN Timeout

    Force termination after 30 seconds, awaiting three-way handshake completion.

    TCP bad retransmission

    The connection was terminated because of a bad TCP retransmission.

    TCP FINs

    A normal close-down sequence occurred. The IP address follows the reason.

    TCP Invalid SYN

    Invalid TCP SYN packet.

    TCP Reset - APPLIANCE

    The flow is closed when a TCP reset is generated by the ASA.

    TCP Reset - I

    Reset was from the inside.

    TCP Reset - O

    Reset was from the outside.

    TCP segment partial overlap

    A partially overlapping segment was detected.

    TCP unexpected window size variation

    A connection was terminated due to variation in the TCP window size.

    Tunnel has been torn down

    Flow was terminated because the tunnel is down.

    Unauth Deny

    An authorization was denied by a URL filter.

    Unknown

    An unknown error has occurred.

    Xlate Clear

    A command line was removed.

Recommended Action None required.

302015

Error Message %ASA-6-302015: Built {inbound|outbound} UDP connection number for interface_name : real_address / real_port ( mapped_address / mapped_port) [( idfw_user)] to interface_name : real_address / real_port ( mapped_address / mapped_port)[( idfw_user)] [( user)]

Explanation A UDP connection slot between two hosts was created. The following list describes the message values:

  • number —A unique identifier
  • interface, real_address, real_port —The actual sockets
  • mapped_address and mapped_port —The mapped sockets
  • user —The AAA name of the user
  • idfw_user —The name of the identity firewall user

If inbound is specified, then the original control connection is initiated from the outside. For example, for UDP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, then the original control connection is initiated from the inside.

Recommended Action None required.

302016

Error Message %ASA-6-302016: Teardown UDP connection number for interface : real-address / real-port [( idfw_user)] to interface : real-address / real-port [( idfw_user)] duration hh : mm : ss bytes bytes [( user)]

Explanation A UDP connection slot between two hosts was deleted. The following list describes the message values:

  • number —A unique identifier
  • interface, real_address, real_port —The actual sockets
  • time —The lifetime of the connection
  • bytes —The data transfer of the connection
  • id —A unique identifier
  • interface, real-address, real-port —The actual sockets
  • duration The lifetime of the connection
  • bytes —The data transfer of the connection
  • user —The AAA name of the user
  • idfw_user —The name of the identity firewall user

Recommended Action None required.

302017

Error Message %ASA-6-302017: Built {inbound|outbound} GRE connection id from interface : real_address ( translated_address) [( idfw_user)] to interface : real_address / real_cid ( translated_address / translated_cid) [( idfw_user)] [( user)

Explanation A GRE connection slot between two hosts was created. The id is an unique identifier. The interface, real_address, real_cid tuple identifies the one of the two simplex PPTP GRE streams. The parenthetical translated_address, translated_cid tuple identifies the translated value with NAT.

If inbound is indicated, then the connection can only be used inbound. If outbound is indicated, then the connection can only be used for outbound. The following list describes the message values:

  • id —Unique number identifying the connection
  • inbound —Control connection is for inbound PPTP GRE flow
  • outbound —Control connection is for outbound PPTP GRE flow
  • interface_name —The interface name
  • real_address —IP address of the actual host
  • real_cid —Untranslated call ID for the connection
  • translated_address —IP address after translation
  • translated_cid —Translated call
  • user —AAA user name
  • idfw_user —The name of the identity firewall user

Recommended Action None required.

302018

Error Message %ASA-6-302018: Teardown GRE connection id from interface : real_address ( translated_address) [( idfw_user)] to interface : real_address / real_cid ( translated_address / translated_cid) [( idfw_user)] duration hh : mm : ss bytes bytes [( user)]

Explanation A GRE connection slot between two hosts was deleted. The interface, real_address, real_port tuples identify the actual sockets. Duration identifies the lifetime of the connection. The following list describes the message values:

  • id —Unique number identifying the connection
  • interface —The interface name
  • real_address —IP address of the actual host
  • real_port —Port number of the actual host.
  • hh:mm:ss —Time in hour:minute:second format
  • bytes —Number of PPP bytes transferred in the GRE session
  • reason —Reason why the connection was terminated
  • user —AAA user name
  • idfw_user —The name of the identity firewall user

Recommended Action None required.

302019

Error Message %ASA-3-302019: H.323 library_name ASN Library failed to initialize, error code number

Explanation The specified ASN library that the ASA uses for decoding the H.323 messages failed to initialize; the ASA cannot decode or inspect the arriving H.323 packet. The ASA allows the H.323 packet to pass through without any modification. When the next H.323 message arrives, the ASA tries to initialize the library again.

Recommended Action If this message is generated consistently for a particular library, contact the Cisco TAC and provide them with all log messages (preferably with timestamps).

302020

Error Message %ASA-6-302020: Built {in | out}bound ICMP connection for faddr { faddr | icmp_seq_num } [( idfw_user)] gaddr { gaddr | cmp_type } laddr laddr [( idfw_user)]

Explanation An ICMP session was established in the fast-path when stateful ICMP was enabled using the inspect icmp command.

Recommended Action None required.

302021

Error Message %ASA-6-302021: Teardown ICMP connection for faddr { faddr | icmp_seq_num } [( idfw_user)] gaddr { gaddr | cmp_type } laddr laddr [( idfw_user)]

Explanation An ICMP session is removed in the fast-path when stateful ICMP is enabled using the inspect icmp command.

Recommended Action None required.

302022

Error Message %ASA-6-302022: Built role stub TCP connection for interface : real-address / real-port ( mapped-address / mapped-port) to interface : real-address / real-port ( mapped-address / mapped-port)

Explanation A TCP director/backup/forwarder flow has been created.

Recommended Action None required.

302023

Error Message %ASA-6-302023: Teardown stub TCP connection for interface : real-address / real-port to interface : real-address / real-port duration hh:mm:ss forwarded bytes bytes reason

Explanation A TCP director/backup/forwarder flow has been torn down.

Recommended Action None required.

302024

Error Message %ASA-6-302024: Built role stub UDP connection for interface : real-address / real-port ( mapped-address / mapped-port) to interface : real-address / real-port ( mapped-address / mapped-port)

Explanation A UDP director/backup/forwarder flow has been created.

Recommended Action None required.

302025

Error Message %ASA-6-302025: Teardown stub UDP connection for interface : real-address / real-port to interface : real-address / real-port duration hh:mm:ss forwarded bytes bytes reason

Explanation A UDP director/backup/forwarder flow has been torn down.

Recommended Action None required.

302026

Error Message %ASA-6-302026: Built role stub ICMP connection for interface : real-address / real-port ( mapped-address) to interface : real-address / real-port ( mapped-address)

Explanation An ICMP director/backup/forwarder flow has been created.

Recommended Action None required.

302027

Error Message %ASA-6-302027: Teardown stub ICMP connection for interface : real-address / real-port to interface : real-address / real-port duration hh:mm:ss forwarded bytes bytes reason

Explanation An ICMP director/backup/forwarder flow has been torn down.

Recommended Action None required.

302033

Error Message %ASA-6-302033:Pre-allocated H323 GUP Connection for faddr interface : foreign address / foreign-port to laddr interface : local-address / local-port

Explanation A GUP connection was started from the foreign address to the local address. The foreign port (outside port) only appears on connections from outside the security device. The local port value (inside port) only appears on connections started on an internal interface.

  • interface —The interface name
  • foreign-address —IP address of the foreign host
  • foreign-port —Port number of the foreign host
  • local-address —IP address of the local host
  • local-port —Port number of the local host

Recommended Action None required.

302034

Error Message %ASA-4-302034: Unable to pre-allocate H323 GUP Connection for faddr interface : foreign address / foreign-port to laddr interface : local-address / local-port

Explanation The module failed to allocate RAM system memory while starting a connection or has no more address translation slots available.

  • interface —The interface name
  • foreign-address —IP address of the foreign host
  • foreign-port —Port number of the foreign host
  • local-address —IP address of the local host
  • local-port —Port number of the local host

Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact the Cisco TAC. You can check the size of the global pool compared to the number of inside network clients. Alternatively, shorten the timeout interval of translations and connections. This message may also be caused by insufficient memory; try reducing the amount of memory usage, or purchasing additional memory.

302302

Error Message %ASA-3-302302: ACL = deny; no sa created

Explanation IPsec proxy mismatches have occurred. Proxy hosts for the negotiated SA correspond to a deny access-list command policy.

Recommended Action Check the access-list command statement in the configuration. Contact the administrator for the peer.

302303

Error Message %ASA-6-302303: Built TCP state-bypass connection conn_id from initiator_interface : real_ip / real_port ( mapped_ip / mapped_port) to responder_interface : real_ip / real_port ( mapped_ip / mapped_port)

Explanation A new TCP connection has been created, and this connection is a TCP-state-bypass connection. This type of connection bypasses all the TCP state checks and additional security checks and inspections.

Recommended Action If you need to secure TCP traffic with all the normal TCP state checks as well as all other security checks and inspections, you can use the no set connection advanced-options tcp-state-bypass command to disable this feature for TCP traffic.

302304

Error Message %ASA-6-302304: Teardown TCP state-bypass connection conn_id from initiator_interface :ip/port to responder_interface :ip/port duration, bytes, teardown reason.

Explanation A new TCP connection has been torn down, and this connection is a TCP-state-bypass connection. This type of connection bypasses all the TCP state checks and additional security checks and inspections.

  • duration —The duration of the TCP connection
  • bytes —The total number of bytes transmitted over the TCP connection
  • teardown reason —The reason for the teardown of the TCP connection

Recommended Action If you need to secure TCP traffic with all the normal TCP state checks as well as all other security checks and inspections, you can use the no set connection advanced-options tcp-state-bypass command to disable this feature for TCP traffic.

303002

Error Message %ASA-6-303002: FTP connection from src_ifc : src_ip / src_port to dst_ifc : dst_ip / dst_port, user username action file filename

Explanation A client has uploaded or downloaded a file from the FTP server.

  • src_ifc —The interface where the client resides.
  • src_ip —The IP address of the client.
  • src_port —The client port.
  • dst_ifc —The interface where the server resides.
  • dst_ip —The IP address of the FTP server.
  • dst_port —The server port.
  • username —The FTP username.
  • action —The stored or retrieved actions.
  • filename —The file stored or retrieved.

Recommended Action None required.

303004

Error Message %ASA-5-303004: FTP cmd_string command unsupported - failed strict inspection, terminating connection from source_interface : source_address / source_port to dest_interface : dest_address/dest_interface

Explanation Strict FTP inspection on FTP traffic has been used, and an FTP request message contains a command that is not recognized by the device.

Recommended Action None required.

303005

Error Message %ASA-5-303005: Strict FTP inspection matched match_string in policy-map policy-name, action_string from src_ifc : sip / sport to dest_ifc : dip / dport

Explanation When FTP inspection matches any of the following configured values: filename, file type, request command, server, or username, then the action specified by the action_string in this message occurs.

  • match_string —The match clause in the policy map
  • policy-name —The policy map that matched
  • action_string —The action to take; for example, Reset Connection
  • src_ifc —The source interface name
  • sip —The source IP address
  • sport —The source port
  • dest_ifc —The destination interface name
  • dip —The destination IP address
  • dport —The destination port

Recommended Action None required.

304001

Error Message %ASA-5-304001: user@source_address [( idfw_user)] Accessed URL dest_address : url.

Explanation The specified host tried to access the specified URL.

Recommended Action None required.

304002

Error Message %ASA-5-304002: Access denied URL chars SRC IP_address [( idfw_user)] DEST IP_address : chars

Explanation Access from the source address to the specified URL or FTP site was denied.

Recommended Action None required.

304003

Error Message %ASA-3-304003: URL Server IP_address timed out URL url

Explanation A URL server timed out.

Recommended Action None required.

304004

Error Message %ASA-6-304004: URL Server IP_address request failed URL url

Explanation A Websense server request failed.

Recommended Action None required.

304005

Error Message %ASA-7-304005: URL Server IP_address request pending URL url

Explanation A Websense server request is pending.

Recommended Action None required.

304006

Error Message %ASA-3-304006: URL Server IP_address not responding

Explanation The Websense server is unavailable for access, and the ASA attempts to either try to access the same server if it is the only server installed, or another server if there is more than one.

Recommended Action None required.

304007

Error Message %ASA-2-304007: URL Server IP_address not responding, ENTERING ALLOW mode.

Explanation You used the allow option of the filter command, and the Websense servers are not responding. The ASA allows all web requests to continue without filtering while the servers are not available.

Recommended Action None required.

304008

Error Message %ASA-2-304008: LEAVING ALLOW mode, URL Server is up.

Explanation You used the allow option of the filter command, and the ASA receives a response message from a Websense server that previously was not responding. With this response message, the ASA exits the allow mode, which enables the URL filtering feature again.

Recommended Action None required.

304009

Error Message %ASA-7-304009: Ran out of buffer blocks specified by url-block command

Explanation The URL pending buffer block is running out of space.

Recommended Action Change the buffer block size by entering the url-block block block_size command.

305005

Error Message %ASA-3-305005: No translation group found for protocol src interface_name : source_address / source_port [( idfw_user)] dst interface_name : dest_address / dest_port [( idfw_user)]

Explanation A packet does not match any of the outbound nat command rules. If NAT is not configured for the specified source and destination systems, the message will be generated frequently.

Recommended Action This message indicates a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the NAT 0 ACL.

305006

Error Message %ASA-3-305006: {outbound static|identity|portmap|regular) translation creation failed for protocol src interface_name : source_address / source_port [( idfw_user)] dst interface_name : dest_address / dest_port [( idfw_user)]

Explanation A protocol (UDP, TCP, or ICMP) failed to create a translation through the ASA. The ASA does not allow packets through that are destined for network or broadcast addresses. The ASA provides this checking for addresses that are explicitly identified with static commands. For inbound traffic, the ASA denies translations for an IP address identified as a network or broadcast address.

The ASA does not apply PAT to all ICMP message types; it only applies PAT ICMP echo and echo-reply packets (types 8 and 0). Specifically, only ICMP echo or echo-reply packets create a PAT translation. As a result, when the other ICMP messages types are dropped, this message is generated.

The ASA uses the global IP address and mask from configured static commands to differentiate regular IP addresses from network or broadcast IP addresses. If the global IP address is a valid network address with a matching network mask, then the ASA does not create a translation for network or broadcast IP addresses with inbound packets.

For example:

static (inside,outside) 10.2.2.128 10.1.1.128 netmask 255.255.255.128
 

The ASA responds to global address 10.2.2.128 as a network address and to 10.2.2.255 as the broadcast address. Without an existing translation, the ASA denies inbound packets destined for 10.2.2.128 or 10.2.2.255, and logs this message.

When the suspected IP address is a host IP address, configure a separate static command with a host mask in front of the subnet static command (the first match rule for static commands). The following static commands cause the ASA to respond to 10.2.2.128 as a host address:

static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.255
static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.128
 

The translation may be created by traffic started from the inside host with the IP address in question. Because the ASA views a network or broadcast IP address as a host IP address with an overlapped subnet static configuration, the network address translation for both static commands must be the same.

Recommended Action None required.

305007

Error Message %ASA-6-305007: addrpool_free(): Orphan IP IP_address on interface interface_number

Explanation The ASA has attempted to translate an address that it cannot find in any of its global pools. The ASA assumes that the address was deleted and drops the request.

Recommended Action None required.

305008

Error Message %ASA-3-305008: Free unallocated global IP address.

Explanation The ASA kernel detected an inconsistency condition when trying to free an unallocated global IP address back to the address pool. This abnormal condition may occur if the ASA is running a Stateful Failover setup, and some of the internal states are momentarily out of sync between the active unit and the standby unit. This condition is not catastrophic, and the synchronization recovers automatically.

Recommended Action If the problem persists, contact the Cisco TAC.

305009

Error Message %ASA-6-305009: Built {dynamic|static} translation from interface_name [(acl-name)]:real_address [( idfw_user)] to interface_name : mapped_address

Explanation An address translation slot was created. The slot translates the source address from the local side to the global side. In reverse, the slot translates the destination address from the global side to the local side.

Recommended Action None required.

305010

Error Message %ASA-6-305010: Teardown {dynamic|static} translation from interface_name : real_address [( idfw_user)] to interface_name : mapped_address duration time

Explanation The address translation slot was deleted.

Recommended Action None required.

305011

Error Message %ASA-6-305011: Built {dynamic|static} {TCP|UDP|ICMP} translation from interface_name : real_address / real_port [( idfw_user)] to interface_name : mapped_address / mapped_port

Explanation A TCP, UDP, or ICMP address translation slot was created. The slot translates the source socket from the local side to the global side. In reverse, the slot translates the destination socket from the global side to the local side.

Recommended Action None required.

305012

Error Message %ASA-6-305012: Teardown {dynamic|static} {TCP|UDP|ICMP} translation from interface_name [( acl-name)]: real_address /{ real_port | real_ICMP_ID } [( idfw_user)] to interface_name : mapped_address /{ mapped_port | mapped_ICMP_ID } duration time

Explanation The address translation slot was deleted.

Recommended Action None required.

305013

Error Message %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection protocol src interface_name : source_address / source_port [( idfw_user)] dst interface_name : dst_address / dst_port [( idfw_user)] denied due to NAT reverse path failure.

Explanation An attempt to connect to a mapped host using its actual address was rejected.

Recommended Action When not on the same interface as the host using NAT, use the mapped address instead of the actual address to connect to the host. In addition, enable the inspect command if the application embeds the IP address.

308001

Error Message %ASA-6-308001: console enable password incorrect for number tries (from IP_address)

Explanation This is a ASA management message. This message appears after the specified number of times a user incorrectly types the password to enter privileged mode. The maximum is three attempts.

Recommended Action Verify the password and try again.

308002

Error Message %ASA-4-308002: static global_address inside_address netmask netmask overlapped with global_address inside_address

Explanation The IP addresses in one or more static command statements overlap. global_address is the global address, which is the address on the lower security interface, and inside_address is the local address, which is the address on the higher security-level interface.

Recommended Action Use the show static command to view the static command statements in your configuration and fix the commands that overlap. The most common overlap occurs if you specify a network address such as 10.1.1.0, and in another static command you specify a host within that range, such as 10.1.1.5.

311001

Error Message %ASA-6-311001: LU loading standby start

Explanation Stateful Failover update information was sent to the standby ASA when the standby ASA is first to be online.

Recommended Action None required.

311002

Error Message %ASA-6-311002: LU loading standby end

Explanation Stateful Failover update information stopped sending to the standby ASA.

Recommended Action None required.

311003

Error Message %ASA-6-311003: LU recv thread up

Explanation An update acknowledgment was received from the standby ASA.

Recommended Action None required.

311004

Error Message %ASA-6-311004: LU xmit thread up

Explanation A Stateful Failover update was transmitted to the standby ASA.

Recommended Action None required.

312001

Error Message %ASA-6-312001: RIP hdr failed from IP_address : cmd= string, version= number domain= string on interface interface_name

Explanation The ASA received a RIP message with an operation code other than reply, the message has a version number different from what is expected on this interface, and the routing domain entry was nonzero. Another RIP device may not be configured correctly to communicate with the ASA.

Recommended Action None required.

313001

Error Message %ASA-3-313001: Denied ICMP type= number, code= code from IP_address on interface interface_name

Explanation When using the icmp command with an access list, if the first matched entry is a permit entry, the ICMP packet continues processing. If the first matched entry is a deny entry, or an entry is not matched, the ASA discards the ICMP packet and generates this message. The icmp command enables or disables pinging to an interface. With pinging disabled, the ASA cannot be detected on the network. This feature is also referred to as configurable proxy pinging.

Recommended Action Contact the administrator of the peer device.

313004

Error Message %ASA-4-313004:Denied ICMP type= icmp_type, from source_address on interface interface_name to dest_address :no matching session

Explanation ICMP packets were dropped by the ASA because of security checks added by the stateful ICMP feature that are usually either ICMP echo replies without a valid echo request already passed across the ASA or ICMP error messages not related to any TCP, UDP, or ICMP session already established in the ASA.

Recommended Action None required.

313005

Error Message %ASA-4-313005: No matching connection for ICMP error message: icmp_msg_info on interface_name interface. Original IP payload: embedded_frame_info icmp_msg_info = icmp src src_interface_name : src_address [([ idfw_user | FQDN_string ], sg_info)] dst dest_interface_name : dest_address [([ idfw_user | FQDN_string ], sg_info)] (type icmp_type, code icmp_code) embedded_frame_info = prot src source_address / source_port [([ idfw_user | FQDN_string ], sg_info)] dst dest_address / dest_port [( idfw_user | FQDN_string), sg_info ]

Explanation ICMP error packets were dropped by the ASA because the ICMP error messages are not related to any session already established in the ASA.

Recommended Action If the cause is an attack, you can deny the host by using ACLs.

313008

Error Message %ASA-3-313008: Denied ICMPv6 type= number, code= code from IP_address on interface interface_name

Explanation When using the icmp command with an access list, if the first matched entry is a permit entry, the ICMPv6 packet continues processing. If the first matched entry is a deny entry, or an entry is not matched, the ASA discards the ICMPv6 packet and generates this message.

The icmp command enables or disables pinging to an interface. When pinging is disabled, the ASA is undetectable on the network. This feature is also referred to as “configurable proxy pinging.”

Recommended Action Contact the administrator of the peer device.

313009

Error Message %ASA-4-313009: Denied invalid ICMP code icmp-code, for src-ifc : src-address / src-port (mapped-src-address/mapped-src-port) to dest-ifc : dest-address / dest-port (mapped-dest-address/mapped-dest-port) [ user ], ICMP id icmp-id, ICMP type icmp-type

Explanation An ICMP echo request/reply packet was received with a malformed code(non-zero).

Recommended Action If it is an intermittent event, no action is required. If the cause is an attack, you can deny the host using the ACLs.

314001

Error Message %ASA-6-314001: Pre-allocated RTSP UDP backconnection for src_intf : src_IP to dst_intf : dst_IP / dst_port.

Explanation The ASA opened a UDP media channel for the RTSP client that was receiving data from the server.

  • src_intf —Source interface name
  • src_IP —Source interface IP address
  • dst_intf —Destination interface name
  • dst_IP —Destination IP address
  • dst_port —Destination port

Recommended Action None required.

314002

Error Message %ASA-6-314002: RTSP failed to allocate UDP media connection from src_intf : src_IP to dst_intf : dst_IP / dst_port : reason_string.

Explanation The ASA cannot open a new pinhole for the media channel.

  • src_intf —Source interface name
  • src_IP —Source interface IP address
  • dst_intf —Destination interface name
  • dst_IP —Destination IP address
  • dst_port —Destination port
  • reason_string —Pinhole already exists/Unknown

Recommended Action If the reason is unknown, check the free memory available by running the show memory command, or the number of connections used by running the show conn command, because the ASA is low on memory.

314003

Error Message %ASA-6-314003: Dropped RTSP traffic from src_intf : src_ip due to: reason .

Explanation The RTSP message violated the user-configured RTSP security policy, either because it contains a port from the reserve port range, or it contains a URL with a length greater than the maximum limit allowed.

  • src_intf —Source interface name
  • src_IP —Source interface IP address
  • reason —The reasons may be one of the following:

- Endpoint negotiating media ports in the reserved port range from 0 to 1024

- URL length of url length bytes exceeds the maximum url length limit bytes

Recommended Action Investigate why the RTSP client sends messages that violate the security policy. If the requested URL is legitimate, you can relax the policy by specifying a longer URL length limit in the RTSP policy map.

314004

Error Message %ASA-6-314004: RTSP client src_intf:src_IP accessed RTSP URL RTSP URL

Explanation An RTSP client tried to access an RTSP server.

  • src_intf —Source interface name
  • src_IP —Source interface IP address
  • RTSP URL —RTSP server URL

Recommended Action None required.

314005

Error Message %ASA-6-314005: RTSP client src_intf:src_IP denied access to URL RTSP_URL.

Explanation An RTSP client tried to access a prohibited site.

  • src_intf —Source interface name
  • src_IP —Source interface IP address
  • RTSP_URL —RTSP server URL

Recommended Action None required.

314006

Error Message %ASA-6-314006: RTSP client src_intf:src_IP exceeds configured rate limit of rate for request_method messages.

Explanation A specific RTSP request message exceeded the configured rate limit of RTSP policy.

  • src_intf —Source interface name
  • src_IP —Source interface IP address
  • rate —Configured rate limit
  • request_method —Type of request message

Recommended Action Investigate why the specific RTSP request message from the client exceeded the rate limit.

315004

Error Message %ASA-3-315004: Fail to establish SSH session because RSA host key retrieval failed.

Explanation The ASA cannot find the RSA host key, which is required for establishing an SSH session. The ASA host key may be absent because it was not generated or because the license for this ASA does not allow DES or 3DES encryption.

Recommended Action From the ASA console, enter the show crypto key mypubkey rsa command to verify that the RSA host key is present. If the host key is not present, enter the show version command to verify that DES or 3DES is allowed. If an RSA host key is present, restart the SSH session. To generate the RSA host key, enter the crypto key mypubkey rsa command.

315011

Error Message %ASA-6-315011: SSH session from IP_address on interface interface_name for user user disconnected by SSH server, reason: reason

Explanation An SSH session has ended. If a user enters quit or exit, the terminated normally message appears. If the session disconnected for another reason, the text describes the reason. Table 1-4 lists the possible reasons why a session disconnected.

 

Table 1-4 SSH Disconnect Reasons

Text String
Explanation
Action

Bad checkbytes

A mismatch was detected in the check bytes during an SSH key exchange.

Restart the SSH session.

CRC check failed

The CRC value computed for a particular packet does not match the CRC value embedded in the packet; the packet is bad.

None required. If this message persists, call Cisco TAC.

Decryption failure

Decryption of an SSH session key failed during an SSH key exchange.

Check the RSA host key and try again.

Format error

A nonprotocol version message was received during an SSH version exchange.

Check the SSH client, to ensure it is a supported version.

Internal error

This message indicates either an error internal to SSH on the ASA or an RSA key may not have been entered on the ASA or cannot be retrieved.

From the ASA console, enter the show crypto key mypubkey rsa command to verify that the RSA host key is present. If the host key is not present, enter the show version command to verify that DES or 3DES is allowed. If an RSA host key is present, restart the SSH session. To generate the RSA host key, enter the crypto key mypubkey rsa command.

Invalid cipher type

The SSH client requested an unsupported cipher.

Enter the show version command to determine which features your license supports, then reconfigure the SSH client to use the supported cipher.

Invalid message length

The length of SSH message arriving at the ASA exceeds 262,144 bytes or is shorter than 4096 bytes. The data may be corrupted.

None required.

Invalid message type

The ASA received a non-SSH message, or an unsupported or unwanted SSH message.

Check whether the peer is an SSH client. If it is a client supporting SSHv1, and this message persists, from the ASA serial console enter the debug ssh command and capture the debugging messages. Then contact the Cisco TAC.

Out of memory

This message appears when the ASA cannot allocate memory for use by the SSH server, probably when the ASA is busy with high traffic.

Restart the SSH session later.

Rejected by server

User authentication failed.

Ask the user to verify username and password.

Reset by client

An SSH client sent the SSH_MSG_DISCONNECT message to the ASA.

None required.

status code: hex ( hex)

Users closed the SSH client window (running on Windows) instead of entering quit or exit at the SSH console.

None required. Encourage users to exit the client gracefully instead of just exiting.

Terminated by operator

The SSH session was terminated by entering the ssh disconnect command at the ASA console.

None required.

Time-out activated

The SSH session timed out because the duration specified by the ssh timeout command was exceeded.

Restart the SSH connection. You can use the ssh timeout command to increase the default value of 5 minutes up to 60 minutes if required.

Recommended Action None required.

316001

Error Message %ASA-3-316001: Denied new tunnel to IP_address. VPN peer limit ( platform_vpn_peer_limit) exceeded

Explanation If more VPN tunnels (ISAKMP/IPsec) are concurrently trying to be established than are supported by the platform VPN peer limit, then the excess tunnels are aborted.

Recommended Action None required.

316002

Error Message %ASA-3-316002: VPN Handle error: protocol= protocol, src in_if_num : src_addr, dst out_if_num : dst_addr

Explanation The ASA cannot create a VPN handle, because the VPN handle already exists.

  • protocol —The protocol of the VPN flow
  • in_if_num —The ingress interface number of the VPN flow
  • src_addr —The source IP address of the VPN flow
  • out_if_num —The egress interface number of the VPN flow
  • dst_addr —The destination IP address of the VPN flow

Recommended Action This message may occur during normal operation; however, if the message occurs repeatedly and a major malfunction of VPN-based applications occurs, a software defect may be the cause. Enter the following commands to collect more information and contact the Cisco TAC to investigate the issue further:

capture name type asp-drop vpn-handle-error
show asp table classify crypto detail
show asp table vpn-context
 

317001

Error Message %ASA-3-317001: No memory available for limit_slow

Explanation The requested operation failed because of a low-memory condition.

Recommended Action Reduce other system activity to ease memory demands. If conditions warrant, upgrade to a larger memory configuration.

317002

Error Message %ASA-3-317002: Bad path index of number for IP_address, number max

Explanation A software error occurred.

Recommended Action If the problem persists, contact the Cisco TAC.

317003

Error Message %ASA-3-317003: IP routing table creation failure - reason

Explanation An internal software error occurred, which prevented the creation of a new IP routing table.

Recommended Action Copy the message exactly as it appears, and report it to Cisco TAC.

317004

Error Message %ASA-3-317004: IP routing table limit warning

Explanation The number of routes in the named IP routing table has reached the configured warning limit.

Recommended Action Reduce the number of routes in the table, or reconfigure the limit.

317005

Error Message %ASA-3-317005: IP routing table limit exceeded - reason, IP_address netmask

Explanation Additional routes will be added to the table.

Recommended Action Reduce the number of routes in the table, or reconfigure the limit.

317006

Error Message %ASA-3-317006: Pdb index error pdb, pdb_index, pdb_type

Explanation The index into the PDB is out of range.

  • pdb —Protocol Descriptor Block, the descriptor of the PDB index error
  • pdb_index —The PDB index identifier
  • pdb_type —The type of the PDB index error

Recommended Action If the problem persists, copy the error message exactly as it appears on the console or in the system log, contact the Cisco TAC, and provide the representative with the collected information.

317007

Error Message %ASA-6-317007: Added route_type route dest_address netmask via gateway_address [ distance / metric ] on interface_name route_type

Explanation A new route has been added to the routing table.

Routing protocol type:

C – connected, S – static, I – IGRP, R – RIP, M – mobile

B – BGP, D – EIGRP, EX - EIGRP external, O - OSPF

IA - OSPF inter area, N1 - OSPF NSSA external type 1

N2 - OSPF NSSA external type 2, E1 - OSPF external type 1

E2 - OSPF external type 2, E – EGP, i - IS-IS, L1 - IS-IS level-1

L2 - IS-IS level-2, ia - IS-IS inter area

  • dest_address —The destination network for this route
  • netmask —The netmask for the destination network
  • gateway_address —The address of the gateway by which the destination network is reached
  • distance —Administrative distance for this route
  • metric —Metric for this route
  • interface_name —Network interface name through which the traffic is routed

Recommended Action None required.

317008

Error Message %ASA-6-317007: Deleted route_type route dest_address netmask via gateway_address [ distance / metric ] on interface_name route_type

Explanation A new route has been deleted from the routing table.

Routing protocol type:

C – connected, S – static, I – IGRP, R – RIP, M – mobile

B – BGP, D – EIGRP, EX - EIGRP external, O - OSPF

IA - OSPF inter area, N1 - OSPF NSSA external type 1

N2 - OSPF NSSA external type 2, E1 - OSPF external type 1

E2 - OSPF external type 2, E – EGP, i - IS-IS, L1 - IS-IS level-1

L2 - IS-IS level-2, ia - IS-IS inter area

  • dest_address —The destination network for this route
  • netmask —The netmask for the destination network
  • gateway_address —The address of the gateway by which the destination network is reached
  • distance —Administrative distance for this route
  • metric —Metric for this route
  • interface_name —Network interface name through which the traffic is routed

Recommended Action None required.

318001

Error Message %ASA-3-318001: Internal error: reason

Explanation An internal software error occurred. This message occurs at five-second intervals.

Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.

318002

Error Message %ASA-3-318002: Flagged as being an ABR without a backbone area

Explanation The router was flagged as an area border router without a backbone area configured in the router. This message occurs at five-second intervals.

Recommended Action Restart the OSPF process.

318003

Error Message %ASA-3-318003: Reached unknown state in neighbor state machine

Explanation An internal software error occurred. This message occurs at five-second intervals.

Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.

318004

Error Message %ASA-3-318004: area string lsid IP_address mask netmask adv IP_address type number

Explanation The OSPF process had a problem locating the link state advertisement, which might lead to a memory leak.

Recommended Action If the problem persists, contact the Cisco TAC.

318005

Error Message %ASA-3-318005: lsid ip_address adv IP_address type number gateway gateway_address metric number network IP_address mask netmask protocol hex attr hex net-metric number

Explanation OSPF found an inconsistency between its database and the IP routing table.

Recommended Action If the problem persists, contact the Cisco TAC.

318006

Error Message %ASA-3-318006: if interface_name if_state number

Explanation An internal error occurred.

Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.

318007

Error Message %ASA-3-318007: OSPF is enabled on interface_name during idb initialization

Explanation An internal error occurred.

Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.

318008

Error Message %ASA-3-318008: OSPF process number is changing router-id. Reconfigure virtual link neighbors with our new router-id

Explanation The OSPF process is being reset, and it is going to select a new router ID. This action will bring down all virtual links.

Recommended Action Change the virtual link configuration on all of the virtual link neighbors to reflect the new router ID.

318009

Error Message %ASA-3-318009: OSPF: Attempted reference of stale data encountered in function, line: line_num

Explanation OSPF is running and has tried to reference some related data structures that have been removed elsewhere. Clearing interface and router configurations may resolve the problem. However, if this message appears, some sequence of steps caused premature deletion of data structures and this needs to be investigated.

  • function —The function that received the unexpected event
  • line_num —Line number in the code

Recommended Action If the problem persists, contact the Cisco TAC.

318101

Error Message %ASA-3-318101: Internal error: REASON

Explanation An internal software error has occurred.

  • REASON —The detailed cause of the event

Recommended Action None required.

318102

Error Message %ASA-3-318102: Flagged as being an ABR without a backbone area

Explanation The router was flagged as an Area Border Router (ABR) without a backbone area in the router.

Recommended Action Restart the OSPF process.

318103

Error Message %ASA-3-318103: Reached unknown state in neighbor state machine

Explanation An internal software error has occurred.

Recommended Action None required.

318104

Error Message %ASA-3-318104: DB already exist: area AREA_ID_STR lsid i adv i type 0x x

Explanation OSPF has a problem locating the LSA, which could lead to a memory leak.

  • AREA_ID_STR —A string representing the area
  • i —An integer value
  • x —A hexadecimal representation of an integer value

Recommended Action None required.

318105

Error Message %ASA-3-318105: lsid i adv i type 0x x gateway i metric d network i mask i protocol #x attr #x net-metric d

Explanation OSPF found an inconsistency between its database and the IP routing table.

  • i —An integer value
  • x —A hexadecimal representation of an integer value
  • d —A number

Recommended Action None required.

318106

Error Message %ASA-3-318106: if IF_NAME if_state d

Explanation An internal error has occurred.

  • IF_NAME— The name of the affected interface
  • d —A number

Recommended Action None required.

318107

Error Message %ASA-3-318107: OSPF is enabled on IF_NAME during idb initialization

Explanation An internal error has occurred.

  • IF_NAME— The name of the affected interface

Recommended Action None required.

318108

Error Message %ASA-3-318108: OSPF process d is changing router-id. Reconfigure virtual link neighbors with our new router-id

Explanation The OSPF process is being reset, and it is going to select a new router ID, which brings down all virtual links. To make them work again, you need to change the virtual link configuration on all virtual link neighbors.

  • d —A number representing the process ID

Recommended Action Change the virtual link configuration on all the virtual link neighbors to include the new router ID.

318109

Error Message %ASA-3-318109: OSPFv3 has received an unexpected message: 0 x / 0 x

Explanation OSPFv3 has received an unexpected interprocess message.

  • x —A hexadecimal representation of an integer value

Recommended Action None required.

318110

Error Message %ASA-3-318110: Invalid encrypted key s.

Explanation The specified encrypted key is not valid.

  • s —A string representing the encrypted key

Recommended Action Either specify a clear text key and enter the service password-encryption command for encryption, or ensure that the specified encrypted key is valid. If the specified encrypted key is not valid, an error message appears during system configuration.

318111

Error Message %ASA-3-318111: SPI u is already in use with ospf process d

Explanation An attempt was made to use a SPI that has already been used.

  • u —A number representing the SPI
  • d —A number representing the process ID

Recommended Action Choose a different SPI.

318112

Error Message %ASA-3-318112: SPI u is already in use by a process other than ospf process d.

Explanation An attempt was made to use a SPI that has already been used.

  • u —A number representing the SPI
  • d —A number representing the process ID

Recommended Action Choose a different SPI. Enter the show crypto ipv6 ipsec sa command to view a list of SPIs that are already being used.

318113

Error Message %ASA-3-318113: s s is already configured with SPI u.

Explanation An attempt was made to use a SPI that has already been used.

  • s— A string representing an interface
  • u —A number representing the SPI

Recommended Action Unconfigure the SPI first, or choose a different one.

318114

Error Message %ASA-3-318114: The key length used with SPI u is not valid

Explanation The key length was incorrect.

  • u —A number representing the SPI

Recommended Action Choose a valid IPsec key. An IPsec authentication key must be 32 (MD5) or 40 (SHA-1) hexidecimal digits long.

318115

Error Message %ASA-3-318115: s error occured when attempting to create an IPsec policy for SPI u

Explanation An IPsec API (internal) error has occurred.

  • s— A string representing the error
  • u —A number representing the SPI

Recommended Action None required.

318116

Error Message %ASA-3-318116: SPI u is not being used by ospf process d.

Explanation An attempt was made to unconfigure a SPI that is not being used with OSPFv3.

  • u —A number representing the SPI
  • d —A number representing the process ID

Recommended Action Enter a show command to see which SPIs are used by OSPFv3.

318117

Error Message %ASA-3-318117: The policy for SPI u could not be removed because it is in use.

Explanation An attempt was made to remove the policy for the indicated SPI, but the policy was still being used by a secure socket.

  • u —A number representing the SPI

Recommended Action None required.

318118

Error Message %ASA-3-318118: s error occured when attemtping to remove the IPsec policy with SPI u

Explanation An IPsec API (internal) error has occurred.

  • s —A string representing the specified error
  • u —A number representing the SPI

Recommended Action None required.

318119

Error Message %ASA-3-318119: Unable to close secure socket with SPI u on interface s

Explanation An IPsec API (internal) error has occurred.

  • u —A number representing the SPI
  • s —A string representing the specified interface

Recommended Action None required.

318120

Error Message %ASA-3-318120: OSPFv3 was unable to register with IPsec

Explanation An internal error has occurred.

Recommended Action None required.

318121

Error Message %ASA-3-318121: IPsec reported a GENERAL ERROR: message s, count d

Explanation An internal error has occurred.

  • s —A string representing the specified message
  • d —A number representing the total number of generated messages

Recommended Action None required.

318122

Error Message %ASA-3-318122: IPsec sent a s message s to OSPFv3 for interface s. Recovery attempt d

Explanation An internal error has occurred. The system is trying to reopen the secure socket and to recover.

  • s —A string representing the specified message and specified interface
  • d —A number representing the total number of recovery attempts

Recommended Action None required.

318123

Error Message %ASA-3-318123: IPsec sent a s message s to OSPFv3 for interface IF_NAME. Recovery aborted

Explanation An internal error has occurred. The maximum number of recovery attempts has been exceeded.

  • s —A string representing the specified message
  • IF_NAME —The specified interface

Recommended Action None required.

318125

Error Message %ASA-3-318125: Init failed for interface IF_NAME

Explanation The interface initialization failed. Possible reasons include the following:

  • The area to which the interface is being attached is being deleted.
  • It was not possible to create the link scope database.
  • It was not possible to create a neighbor datablock for the local router.

Recommended Action Remove the configuration command that initializes the interface and then try it again.

318126

Error Message %ASA-3-318126: Interface IF_NAME is attached to more than one area

Explanation The interface is on the interface list for an area other than the one to which the interface links.

  • IF_NAME —The specified interface

Recommended Action None required.

318127

Error Message %ASA-3-318127: Could not allocate or find the neighbor

Explanation An internal error has occurred.

Recommended Action None required.

319001

Error Message %ASA-3-319001: Acknowledge for arp update for IP address dest_address not received ( number).

Explanation The ARP process in the ASA lost internal synchronization because the ASA was overloaded.

Recommended Action None required. The failure is only temporary. Check the average load of the ASA and make sure that it is not used beyond its capabilities.

319002

Error Message %ASA-3-319002: Acknowledge for route update for IP address dest_address not received ( number).

Explanation The routing module in the ASA lost internal synchronization because the ASA was overloaded.

Recommended Action None required. The failure is only temporary. Check the average load of the ASA and make sure that it is not used beyond its capabilities.

319003

Error Message %ASA-3-319003: Arp update for IP address address to NPn failed.

Explanation When an ARP entry has to be updated, a message is sent to the network processor (NP) in order to update the internal ARP table. If the module is experiencing high utilization of memory or if the internal table is full, the message to the NP may be rejected and this message generated.

Recommended Action Verify if the ARP table is full. If it is not full, check the load of the module by reviewing the CPU utilization and connections per second. If CPU utilization is high and/or there is a large number of connections per second, normal operations will resume when the load returns to normal.

319004

Error Message %ASA-3-319004: Route update for IP address dest_address failed ( number).

Explanation The routing module in the ASA lost internal synchronization because the system was overloaded.

Recommended Action None required. The failure is only temporary. Check the average load of the system and make sure that it is not used beyond its capabilities.

320001

Error Message %ASA-3-320001: The subject name of the peer cert is not allowed for connection

Explanation When the ASA is an easy VPN remote device or server, the peer certificate includes asubject name that does not match the output of the ca verifycertdn command. A man-in-the-middle attack might be occurring, where a device spoofs the peer IP address and tries to intercept a VPN connection from the ASA.

Recommended Action None required.

321001

Error Message %ASA-5-321001: Resource var1 limit of var2 reached.

Explanation A configured resource usage or rate limit for the indicated resource was reached.

Recommended Action None required.

321002

Error Message %ASA-5-321002: Resource var1 rate limit of var2 reached.

Explanation A configured resource usage or rate limit for the indicated resource was reached.

Recommended Action None required.

321003

Error Message %ASA-6-321003: Resource var1 log level of var2 reached.

Explanation A configured resource usage or rate logging level for the indicated resource was reached.

Recommended Action None required.

321004

Error Message %ASA-6-321004: Resource var1 rate log level of var2 reached

Explanation A configured resource usage or rate logging level for the indicated resource was reached.

Recommended Action None required.

321005

Error Message %ASA-2-321005: System CPU utilization reached utilization %

Explanation The system CPU utilization has reached 95 percent or more and remains at this level for five minutes.

  • utilization % —The percentage of CPU being used

Recommended Action If this message occurs periodically, you can ignore it. If it repeats frequently, check the output of the show cpu command and verify the CPU usage. If it is high, contact the Cisco TAC.

321006

Error Message %ASA-2-321006: System memory usage reached utilization %

Explanation The system memory usage has reached 80 percent or more and remains at this level for five minutes.

  • utilization % —The percentage of CPU being used

Recommended Action If this message occurs periodically, you can ignore it. If it repeats frequently, check the output of the show memory command and verify the memory usage. If it is high, contact the Cisco TAC.

321007

Error Message %ASA-3-321007: System is low on free memory blocks of size block_size ( free_blocks CNT out of max_blocks MAX)

Explanation The system is low on free blocks of memory. Running out of blocks may result in traffic disruption.

  • block_size —The block size of memory (for example, 4, 1550, 8192)
  • free_blocks —The number of free blocks, as shown in the CNT column after using the show blocks command
  • max_blocks —The maximum number of blocks that the system can allocate, as shown in the MAX column after using the show blocks command

Recommended Action Use the show blocks command to monitor the amount of free blocks in the CNT column of the output for the indicated block size. If the CNT column remains zero, or very close to it for an extended period of time, then the ASA may be overloaded or running into another issue that needs additional investigation.

322001

Error Message %ASA-3-322001: Deny MAC address MAC_address, possible spoof attempt on interface interface

Explanation The ASA received a packet from the offending MAC address on the specified interface, but the source MAC address in the packet is statically bound to another interface in the configuration. Either a MAC-spoofing attack or a misconfiguration may be the cause.

Recommended Action Check the configuration and take appropriate action by either finding the offending host or correcting the configuration.

322002

Error Message %ASA-3-322002: ARP inspection check failed for arp {request|response} received from host MAC_address on interface interface. This host is advertising MAC Address MAC_address_1 for IP Address IP_address, which is {statically|dynamically} bound to MAC Address MAC_address_2.

Explanation If the ARP inspection module is enabled, it checks whether a new ARP entry advertised in the packet conforms to the statically configured or dynamically learned IP-MAC address binding before forwarding ARP packets across the ASA. If this check fails, the ARP inspection module drops the ARP packet and generates this message. This situation may be caused by either ARP spoofing attacks in the network or an invalid configuration (IP-MAC binding).

Recommended Action If the cause is an attack, you can deny the host using the ACLs. If the cause is an invalid configuration, correct the binding.

322003

Error Message %ASA-3-322003:ARP inspection check failed for arp {request|response} received from host MAC_address on interface interface. This host is advertising MAC Address MAC_address_1 for IP Address IP_address, which is not bound to any MAC Address.

Explanation If the ARP inspection module is enabled, it checks whether a new ARP entry advertised in the packet conforms to the statically configured IP-MAC address binding before forwarding ARP packets across the ASA. If this check fails, the ARP inspection module drops the ARP packet and generates this message. This situation may be caused by either ARP spoofing attacks in the network or an invalid configuration (IP-MAC binding).

Recommended Action If the cause is an attack, you can deny the host using the ACLs. If the cause is an invalid configuration, correct the binding.

322004

Error Message %ASA-6-322004: No management IP address configured for transparent firewall. Dropping protocol protocol packet from interface_in : source_address / source_port to interface_out : dest_address / dest_port

Explanation The ASA dropped a packet because no management IP address was configured in the transparent mode.

  • protocol —Protocol string or value
  • interface_in —Input interface name
  • source_address —Source IP address of the packet
  • source_port —Source port of the packet
  • interface_out —Output interface name
  • dest_address —Destination IP address of the packet
  • dest_port —Destination port of the packet

Recommended Action Configure the device with the management IP address and mask values.

323001

Error Message %ASA-3-323001: Module module_id experienced a control channel communications failure. Error Message %ASA-3-323001: Module in slot slot_num experienced a control channel communications failure.

Explanation The ASA is unable to communicate via control channel with the module installed (in the specified slot).

  • module_id —For a software services module, specifies the services module name.
  • slot_num— For a hardware services module, specifies the slot in which the failure occurred. Slot 0 indicates the system main board, and slot 1 indicates the module installed in the expansion slot.

Recommended Action If the problem persists, contact the Cisco TAC.

323002

Error Message %ASA-3-323002: Module module_id is not able to shut down, shut down request not answered. Error Message %ASA-3-323002: Module in slot slot_num is not able to shut down, shut down request not answered.

Explanation The module installed did not respond to a shutdown request.

  • module_id —For a software services module, specifies the service module name.
  • slot_num— For a hardware services module, specifies the slot in which the failure occurred. Slot 0 indicates the system main board, and slot 1 indicates the module installed in the expansion slot.

Recommended Action If the problem persists, contact the Cisco TAC.

323003

Error Message %ASA-3-323003: Module module_id is not able to reload, reload request not answered. Error Message %ASA-3-323003: Module in slot slotnum is not able to reload, reload request not answered.

Explanation The module installed did not respond to a reload request.

  • module_id —For a software services module, specifies the service module name.
  • slot_num— For a hardware services module, specifies the slot in which the failure occurred. Slot 0 indicates the system main board, and slot 1 indicates the module installed in the expansion slot.

Recommended Action If the problem persists, contact the Cisco TAC.

323004

Error Message %ASA-3-323004: Module string one failed to write software newver (currently ver), reason. Hw-module reset is required before further use.

Explanation The module failed to accept a software version, and will be transitioned to an UNRESPONSIVE state. The module is not usable until the software is updated.

  • string one —The text string that specifies the module
  • newver —The new version number of software that was not successfully written to the module (for example, 1.0(1)0)
  • ver —The current version number of the software on the module (for example, 1.0(1)0)
  • reason —The reason the new version cannot be written to the module. The possible values for reason include the following:

- write failure

- failed to create a thread to write the image

Recommended Action If the module software cannot be updated, it will not be usable. If the problem persists, contact the Cisco TAC.

323005

Error Message %ASA-3-323005: Module module_id can not be started completely Error Message %ASA-3-323005: Module in slot slot_num can not be started completely

Explanation This message indicates that the module can not be started completely. The module will remain in the UNRESPONSIVE state until this condition is corrected. A module that is not fully seated in the slot is the most likely cause.

  • module_id —For a software services module, specifies the service module name.
  • slot_num— For a hardware services module, specifies the slot number that contains the module.

Recommended Action Verify that the module is fully seated and check to see if any status LEDs on the module are on. It may take a minute after fully reseating the module for the ASA to recognize that it is powered up. If this message appears after verifying that the module is seated and after resetting the module using either the sw-module module service-module-name reset command or the hw-module module slotnum reset command, contact the Cisco TAC.

323006

Error Message %ASA-1-323006: Module ips experienced a data channel communication failure, data channel is DOWN.

Explanation A data channel communication failure occurred and the ASA was unable to forward traffic to the services module. This failure triggers a failover when the failure occurs on the active ASA in an HA configuration. The failure also results in the configured fail open or fail closed policy being enforced on traffic that would normally be sent to the services module. This message is generated whenever a communication problem over the ASA dataplane occurs between the system module and the services module, which can be caused when the services module stops, resets, is removed or disabled.

Recommended Action For software services modules such as IPS, recover the module using the sw-module module ips recover command. For hardware services modules, if this message is not the result of the SSM reloading or resetting and the corresponding syslog message 505010 is not seen after the SSM returns to an UP state, reset the module using the hw-module module 1 reset command.

323007

Error Message %ASA-3-323007: Module in slot slot experienced a firware failure and the recovery is in progress.

Explanation An ASA with a 4GE-SSM installed experienced a short power surge, then rebooted. As a result, the 4GE-SSM may come online in an unresponsive state. The ASA has detected that the 4GE-SSM is unresponsive, and automatically restarts the 4GE-SSM.

Recommended Action None required.

324000

Error Message %ASA-3-324000: Drop GTPv version message msg_type from source_interface : source_address / source_port to dest_interface:dest_address/dest_port Reason: reason

Explanation The packet being processed did not meet the filtering requirements as described in the reason variable and is being dropped.

Recommended Action None required.

324001

Error Message %ASA-3-324001: GTPv0 packet parsing error from source_interface : source_address / source_port to dest_interface : dest_address / dest_port, TID: tid_value, Reason: reason

Explanation There was an error processing the packet. The following are possible reasons:

  • Mandatory IE is missing
  • Mandatory IE incorrect
  • IE out of sequence
  • Invalid message format.
  • Optional IE incorrect
  • Invalid TEID
  • Unknown IE
  • Bad length field
  • Unknown GTP message.
  • Message too short
  • Unexpected message seen
  • Null TID
  • Version not supported

Recommended Action If this message is seen periodically, it can be ignored. If it is seen frequently, then the endpoint may be sending out bad packets as part of an attack.

324002

Error Message %ASA-3-324002: No PDP[MCB] exists to process GTPv0 msg_type from source_interface : source_address / source_port to dest_interface : dest_address / dest_port, TID: tid_value

Explanation If this message was preceded by message 321100, memory allocation error, the message indicates that there were not enough resources to create the PDP context. If not, it was not preceded by message 321100. For version 0, it indicates that the corresponding PDP context cannot be found. For version 1, if this message was preceded by message 324001, then a packet processing error occurred, and the operation stopped.

Recommended Action If the problem persists, determine why the source is sending packets without a valid PDP context.

324003

Error Message %ASA-3-324003: No matching request to process GTPv version msg_type from source_interface:source_address/source_port to source_interface:dest_address/dest_port

Explanation The response received does not have a matching request in the request queue and should not be processed further.

Recommended Action If this message is seen periodically, it can be ignored. But if it is seen frequently, then the endpoint may be sending out bad packets as part of an attack.

324004

Error Message %ASA-3-324004: GTP packet with version%d from source_interface : source_address / source_port to dest_interface : dest_address / dest_port is not supported

Explanation The packet being processed has a version other than the currently supported version, which is 0 or 1. If the version number printed out is an incorrect number and is seen frequently, then the endpoint may be sending out bad packets as part of an attack.

Recommended Action None required.

324005

Error Message %ASA-3-324005: Unable to create tunnel from source_interface : source_address / source_port to dest_interface : dest_address / dest_port

Explanation An error occurred while trying to create the tunnel for the transport protocol data units.

Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact the Cisco TAC.

324006

Error Message %ASA-3-324006:GSN IP_address tunnel limit tunnel_limit exceeded, PDP Context TID tid failed

Explanation The GPRS support node sending the request has exceeded the maximum allowed tunnels created, so no tunnel will be created.

Recommended Action Check to see whether the tunnel limit should be increased or if there is a possible attack on the network.

324007

Error Message %ASA-3-324007: Unable to create GTP connection for response from source_address / 0 to dest_address / dest_port

Explanation An error occurred while trying to create the tunnel for the transport protocol data units for a differentsServicing GPRS support node or gateway GPRS support node.

Recommended Action Check debugging messages to see why the connection was not created correctly. If the problem persists, contact the Cisco TAC.

324008

Error Message %ASA-3-324008: No PDP exists to update the data sgsn [ggsn] PDPMCB Info REID: teid_value, Request TEID; teid_value, Local GSN: IPaddress ( VPIfNum), Remove GSN: IPaddress ( VPIfNum)

Explanation When a GTP HA message is received on the standby unit to update the PDP with data sgsn/ggsn PDPMCB information, the PDP is not found because of a previous PDP update message that was not successfully delivered or successfully processed on the standby unit.

Recommended Action If this message occurs periodically, you can ignore it. If it occurs frequently, contact the Cisco TAC.

324300

Error Message %ASA-3-324300: Radius Accounting Request from from_addr has an incorrect request authenticator

Explanation When a shared secret is configured for a host, the request authenticator is verified with that secret. If it fails, it is logged and packet processing stops.

  • from_addr —The IP address of the host sending the RADIUS accounting request

Recommended Action Check to see that the correct shared secret was configured. If it is, double-check the source of the packet to make sure that it was not spoofed.

324301

Error Message %ASA-3-324301: Radius Accounting Request has a bad header length hdr_len, packet length pkt_len

Explanation The accounting request message has a header length that is not the same as the actual packet length, so packet processing stops.

  • hdr_len —The length indicated in the request header
  • pkt_len —The actual packet length

Recommended Action Make sure the packet was not spoofed. If the packet is legitimate, then capture the packet and make sure the header length is incorrect, as indicated by the message. If the header length is correct, and if the problem persists, contact the Cisco TAC.

325001

Error Message %ASA-3-325001: Router ipv6_address on interface has conflicting ND (Neighbor Discovery) settings

Explanation Another router on the link sent router advertisements with conflicting parameters.

  • ipv6_address —IPv6 address of the other router
  • interface —Interface name of the link with the other router

Recommended Action Verify that all IPv6 routers on the link have the same parameters in the router advertisement for hop_limit, managed_config_flag, other_config_flag, reachable_time and ns_interval, and that preferred and valid lifetimes for the same prefix, advertised by several routers, are the same. To list the parameters per interface, enter the show ipv6 interface command.

325002

Error Message %ASA-4-325002: Duplicate address ipv6_address/MAC_address on interface

Explanation Another system is using your IPv6 address.

  • ipv6_address— The IPv6 address of the other router
  • MAC_address— The MAC address of the other system, if known; otherwise, it is considered unknown.
  • interface— The interface name of the link with the other system

Recommended Action Change the IPv6 address of one of the two systems.

325004

Error Message %ASA-4-325004: IPv6 Extension Header hdr_type action configuration. protocol from src_int : src_ipv6_addr / src_port to dst_interface : dst_ipv6_addr / dst_port.

Explanation A user has configured one or multiple actions over the specified IPv6 header extension.

  • hdr_type —Can be one of the following values:

ah—Configured action over the AH extension header

count—Configured action over the number of extension headers

destination-option—Configured action over the destination option extension header

esp—Configured action over the ESP extension header

fragment—Configured action over the fragment extension header

hop-by-hop—Configured action over the hop-by-hop extension header

routing-address count—Configured action over the number of addresses in the routing extension header

routing-type—Configured action over the routing type extension header

  • action —Can be one of the following values:

denied—The packet is denied.

denied/logged—The packet is denied and logged.

logged—The packet is logged.

Recommended Action If the configured action is not expected, under the policy-map command, check the action in the match header extension_header_type command and the parameters command, and make the correct changes. For example:

ciscoasa (config)# policy-map type inspect ipv6 pname
ciscoasa (config-pmap)# parameters
ciscoasa (config-pmap-p)# no match header extension_header_type ! to remove the configuration
ciscoasa (config-pmap-p)# no drop ! so packets with the specified extension_header_type are not dropped
ciscoasa (config-pmap-p)# no log ! so packets with the specified extension_header_type are not logged
ciscoasa (config-pmap-p)# no drop log ! so packets with the specified extension_header_type are not dropped or logged

325005

Error Message %ASA-4-325005: Invalid IPv6 Extension Header Content: string. detail regarding protocol, ingress and egress interface

Explanation An IPv6 packet with a bad extension header has been detected.

  • string —Can be one of the following values:

- wrong extension header order

- duplicate extension header

- routing extension header

Recommended Action Configure the capture command to record the dropped packet, then analyze the cause of the dropped packet. If the validity check of the IPv6 extension header can be ignored, disable the validity check in the IPv6 policy map by entering the following commands:

ciscoasa (config)# policy-map type inspect ipv6 policy_name
ciscoasa (config-pmap)# parameters
ciscoasa (config-pmap-p)# no verify-header type
 

325006

Error Message %ASA-4-325006: IPv6 Extension Header not in order: Type hdr_type occurs after Type hdr_type. TCP prot from inside src_int : src_ipv6_addr / src_port to dst_interface : dst_ipv6_addr / dst_port

Explanation An IPv6 packet with out-of-order extension headers has been detected.

Recommended Action Configure the capture command to record the dropped packet, then analyze the extension header order of the dropped packet. If out-of-order header extensions are allowed, disable the out-of-order check in the IPv6 type policy map by entering the following commands:

ciscoasa (config)# policy-map type inspect ipv6 policy_name
ciscoasa (config-pmap)# parameters
ciscoasa (config-pmap-p)# no verify-header order
 

326001

Error Message %ASA-3-326001: Unexpected error in the timer library: error_message

Explanation A managed timer event was received without a context or a correct type, or no handler exists. Alternatively, if the number of events queued exceeds a system limit, an attempt to process them will occur at a later time.

Recommended Action If the problem persists, contact the Cisco TAC.

326002

Error Message %ASA-3-326002: Error in error_message : error_message

Explanation The IGMP process failed to shut down upon request. Events that are performed in preparation for this shutdown may be out-of-sync.

Recommended Action If the problem persists, contact the Cisco TAC.

326004

Error Message %ASA-3-326004: An internal error occurred while processing a packet queue

Explanation The IGMP packet queue received a signal without a packet.

Recommended Action If the problem persists, contact the Cisco TAC.

326005

Error Message %ASA-3-326005: Mrib notification failed for ( IP_address , IP_address)

Explanation A packet triggering a data-driven event was received, and the attempt to notify the MRIB failed.

Recommended Action If the problem persists, contact the Cisco TAC.

326006

Error Message %ASA-3-326006: Entry-creation failed for ( IP_address , IP_address)

Explanation The MFIB received an entry update from the MRIB, but failed to create the entry related to the addresses displayed. The probable cause is insufficient memory.

Recommended Action If the problem persists, contact the Cisco TAC.

326007

Error Message %ASA-3-326007: Entry-update failed for ( IP_address , IP_address)

Explanation The MFIB received an interface update from the MRIB, but failed to create the interface related to the addresses displayed. The probable cause is insufficient memory.

Recommended Action If the problem persists, contact the Cisco TAC.

326008

Error Message %ASA-3-326008: MRIB registration failed

Explanation The MFIB failed to register with the MRIB.

Recommended Action If the problem persists, contact the Cisco TAC.

326009

Error Message %ASA-3-326009: MRIB connection-open failed

Explanation The MFIB failed to open a connection to the MRIB.

Recommended Action If the problem persists, contact the Cisco TAC.

326010

Error Message %ASA-3-326010: MRIB unbind failed

Explanation The MFIB failed to unbind from the MRIB.

Recommended Action If the problem persists, contact the Cisco TAC.

326011

Error Message %ASA-3-326011: MRIB table deletion failed

Explanation The MFIB failed to retrieve the table that was supposed to be deleted.

Recommended Action If the problem persists, contact the Cisco TAC.

326012

Error Message %ASA-3-326012: Initialization of string functionality failed

Explanation The initialization of a specified functionality failed. This component might still operate without the functionality.

Recommended Action If the problem persists, contact the Cisco TAC.

326013

Error Message %ASA-3-326013: Internal error: string in string line %d ( %s)

Explanation A fundamental error occurred in the MRIB.

Recommended Action If the problem persists, contact the Cisco TAC.

326014

Error Message %ASA-3-326014: Initialization failed: error_message error_message

Explanation The MRIB failed to initialize.

Recommended Action If the problem persists, contact the Cisco TAC.

326015

Error Message %ASA-3-326015: Communication error: error_message error_message

Explanation The MRIB received a malformed update.

Recommended Action If the problem persists, contact the Cisco TAC.

326016

Error Message %ASA-3-326016: Failed to set un-numbered interface for interface_name ( string)

Explanation The PIM tunnel is not usable without a source address. This situation occurs because a numbered interface cannot be found, or because of an internal error.

Recommended Action If the problem persists, contact the Cisco TAC.

326017

Error Message %ASA-3-326017: Interface Manager error - string in string : string

Explanation An error occurred while creating a PIM tunnel interface.

Recommended Action If the problem persists, contact the Cisco TAC.

326019

Error Message %ASA-3-326019: string in string : string

Explanation An error occurred while creating a PIM RP tunnel interface.

Recommended Action If the problem persists, contact the Cisco TAC.

326020

Error Message %ASA-3-326020: List error in string : string

Explanation An error occurred while processing a PIM interface list.

Recommended Action If the problem persists, contact the Cisco TAC.

326021

Error Message %ASA-3-326021: Error in string : string

Explanation An error occurred while setting the SRC of a PIM tunnel interface.

Recommended Action If the problem persists, contact the Cisco TAC.

326022

Error Message %ASA-3-326022: Error in string : string

Explanation The PIM process failed to shut down upon request. Events that are performed in preparation for this shutdown may be out-of-sync.

Recommended Action If the problem persists, contact the Cisco TAC.

326023

Error Message %ASA-3-326023: string - IP_address : string

Explanation An error occurred while processing a PIM group range.

Recommended Action If the problem persists, contact the Cisco TAC.

326024

Error Message %ASA-3-326024: An internal error occurred while processing a packet queue.

Explanation The PIM packet queue received a signal without a packet.

Recommended Action If the problem persists, contact the Cisco TAC.

326025

Error Message %ASA-3-326025: string

Explanation An internal error occurred while trying to send a message. Events scheduled to occur on the receipt of a message, such as deletion of the PIM tunnel IDB, may not occur.

Recommended Action If the problem persists, contact the Cisco TAC.

326026

Error Message %ASA-3-326026: Server unexpected error: error_message

Explanation The MRIB failed to register a client.

Recommended Action If the problem persists, contact the Cisco TAC.

326027

Error Message %ASA-3-326027: Corrupted update: error_message

Explanation The MRIB received a corrupt update.

Recommended Action If the problem persists, contact the Cisco TAC.

326028

Error Message %ASA-3-326028: Asynchronous error: error_message

Explanation An unhandled asynchronous error occurred in the MRIB API.

Recommended Action If the problem persists, contact the Cisco TAC.

327001

Error Message %ASA-3-327001: IP SLA Monitor: Cannot create a new process

Explanation The IP SLA monitor was unable to start a new process.

Recommended Action Check the system memory. If memory is low, then this is probably the cause. Try to reenter the commands when memory is available. If the problem persists, contact the Cisco TAC.

327002

Error Message %ASA-3-327002: IP SLA Monitor: Failed to initialize, IP SLA Monitor functionality will not work

Explanation The IP SLA monitor failed to initialize. This condition is caused by either the timer wheel function failing to initialize or a process not being created. Sufficient memory is probably not available to complete the task.

Recommended Action Check the system memory. If memory is low, then this is probably the cause. Try to reenter the commands when memory is available. If the problem persists, contact the Cisco TAC.

327003

Error Message %ASA-3-327003: IP SLA Monitor: Generic Timer wheel timer functionality failed to initialize

Explanation The IP SLA monitor cannot initialize the timer wheel.

Recommended Action Check the system memory. If memory is low, then the timer wheel function did not initialize. Try to reenter the commands when memory is available. If the problem persists, contact the Cisco TAC.

328001

Error Message %ASA-3-328001: Attempt made to overwrite a set stub function in string.

Explanation A single function can be set as a callback for when a stub with a check registry is invoked. An attempt to set a new callback failed because a callback function has already been set.

  • string —The name of the function

Recommended Action If the problem persists, contact the Cisco TAC.

328002

Error Message %ASA-3-328002: Attempt made in string to register with out of bounds key

Explanation In the FASTCASE registry, the key has to be smaller than the size specified when the registry was created. An attempt was made to register with a key out-of-bounds.

Recommended Action Copy the error message exactly as it appears, and report it to the Cisco TAC.

329001

Error Message %ASA-3-329001: The string0 subblock named string1 was not removed

Explanation A software error has occurred. IDB subblocks cannot be removed.

  • string0 —SWIDB or HWIDB
  • string1 —The name of the subblock

Recommended Action If the problem persists, contact the Cisco TAC.

331001

Error Message ASA-3-331001: Dynamic DNS Update for ' fqdn_name ' = ip_address failed

Explanation The dynamic DNS subsystem failed to update the resource records on the DNS server. This failure might occur if the ASA is unable to contact the DNS server or the DNS service is not running on the destination system.

  • fqdn_name —The fully qualified domain name for which the DNS update was attempted
  • ip_address —The IP address of the DNS update

Recommended Action Make sure that a DNS server is configured and reachable by the ASA. If the problem persists, contact the Cisco TAC.

331002

Error Message ASA-5-331002: Dynamic DNS type RR for (' fqdn_name ' - ip_address | ip_address - ' fqdn_name ') successfully updated in DNS server dns_server_ip

Explanation A dynamic DNS update succeeded in the DNS server.

  • type —The type of resource record, which may be A or PTR
  • fqdn_name —The fully qualified domain name for which the DNS update was attempted
  • ip_address —The IP address of the DNS update
  • dns_server_ip —The IP address of the DNS server

Recommended Action None required.

332001

Error Message %ASA-3-332001: Unable to open cache discovery socket, WCCP V2 closing down.

Explanation An internal error that indicates the WCCP process was unable to open the UDP socket used to listen for protocol messages from caches.

Recommended Action Ensure that the IP configuration is correct and that at least one IP address has been configured.

332002

Error Message %ASA-3-332002: Unable to allocate message buffer, WCCP V2 closing down.

Explanation An internal error that indicates the WCCP process was unable to allocate memory to hold incoming protocol messages.

Recommended Action Ensure that enough memory is available for all processes.

332003

Error Message %ASA-5-332003: Web Cache IP_address / service_ID acquired

Explanation A service from the web cache of the ASA was acquired.

  • IP_address —The IP address of the web cache
  • service_ID —The WCCP service identifier

Recommended Action None required.

332004

Error Message %ASA-1-332004: Web Cache IP_address / service_ID lost

Explanation A service from the web cache of the ASA was lost.

  • IP_address —The IP address of the web cache
  • service_ID —The WCCP service identifier

Recommended Action Verify operation of the specified web cache.

333001

Error Message %ASA-6-333001: EAP association initiated - context: EAP-context

Explanation An EAP association has been initiated with a remote host.

  • EAP-context —A unique identifier for the EAP session, displayed as an eight-digit hexadecimal number (for example, 0x2D890AE0)

Recommended Action None required.

333002

Error Message %ASA-5-333002: Timeout waiting for EAP response - context: EAP-context

Explanation A timeout occurred while waiting for an EAP response.

  • EAP-context —A unique identifier for the EAP session displayed as an eight-digit hexadecimal number (for example, 0x2D890AE0)

Recommended Action None required.

333003

Error Message %ASA-6-333003: EAP association terminated - context: EAP-context

Explanation The EAP association has been terminated with the remote host.

  • EAP-context —A unique identifier for the EAP session displayed as an eight-digit hexadecimal number (for example, 0x2D890AE0)

Recommended Action None required.

333004

Error Message %ASA-7-333004: EAP-SQ response invalid - context: EAP-context

Explanation The EAP-Status Query response failed basic packet validation.

  • EAP-context —A unique identifier for the EAP session displayed as an eight-digit hexadecimal number (for example, 0x2D890AE0)

Recommended Action If the problem persists, contact the Cisco TAC.

333005

Error Message %ASA-7-333005: EAP-SQ response contains invalid TLV(s) - context: EAP-context

Explanation The EAP-Status Query response has one or more invalid TLVs.

  • EAP-context —A unique identifier for the EAP session displayed as an eight-digit hexadecimal number (for example, 0x2D890AE0)

Recommended Action If the problem persists, contact the Cisco TAC.

333006

Error Message %ASA-7-333006: EAP-SQ response with missing TLV(s) - context: EAP-context

Explanation The EAP-Status Query response is missing one or more mandatory TLVs.

  • EAP-context —A unique identifier for the EAP session displayed as an eight-digit hexadecimal number (for example, 0x2D890AE0)

Recommended Action If the problem persists, contact the Cisco TAC.

333007

Error Message %ASA-7-333007: EAP-SQ response TLV has invalid length - context: EAP-context

Explanation The EAP-Status Query response includes a TLV with an invalid length.

  • EAP-context —A unique identifier for the EAP session displayed as an eight-digit hexadecimal number (for example, 0x2D890AE0)

Recommended Action If the problem persists, contact the Cisco TAC.

333008

Error Message %ASA-7-333008: EAP-SQ response has invalid nonce TLV - context: EAP-context

Explanation The EAP-Status Query response includes an invalid nonce TLV.

  • EAP-context —A unique identifier for the EAP session displayed as an eight-digit hexadecimal number (for example, 0x2D890AE0)

Recommended Action If the problem persists, contact the Cisco TAC.

333009

Error Message %ASA-6-333009: EAP-SQ response MAC TLV is invalid - context: EAP-context

Explanation The EAP-Status Query response includes a MAC that does not match the calculated MAC.

  • EAP-context —A unique identifier for the EAP session displayed as an eight-digit hexadecimal number (for example, 0x2D890AE0)

Recommended Action If the problem persists, contact the Cisco TAC.

333010

Error Message %ASA-5-333010: EAP-SQ response Validation Flags TLV indicates PV request - context: EAP-context

Explanation The EAP-Status Query response includes a validation flags TLV, which indicates that the peer requested a full posture validation.

Recommended Action None required.

334001

Error Message %ASA-6-334001: EAPoUDP association initiated - host-address

Explanation An EAPoUDP association has been initiated with a remote host.

  • host-address —The IP address of the host in dotted decimal format (for example, 10.86.7.101)

Recommended Action None required.

334002

Error Message %ASA-5-334002: EAPoUDP association successfully established - host-address

Explanation An EAPoUDP association has been successfully established with the host.

  • host-address —The IP address of the host in dotted decimal format (for example, 10.86.7.101)

Recommended Action None required.

334003

Error Message %ASA-5-334003: EAPoUDP association failed to establish - host-address

Explanation An EAPoUDP association has failed to establish with the host.

  • host-address —The IP address of the host in dotted decimal format (for example, 10.86.7.101)

Recommended Action Verify the configuration of the Cisco Secure Access Control Server.

334004

Error Message %ASA-6-334004: Authentication request for NAC Clientless host - host-address

Explanation An authentication request was made for a NAC clientless host.

  • host-address —The IP address of the host in dotted decimal format (for example, 10.86.7.101)

Recommended Action None required.

334005

Error Message %ASA-5-334005: Host put into NAC Hold state - host-address

Explanation The NAC session for the host was put into the Hold state.

  • host-address —The IP address of the host in dotted decimal format (for example, 10.86.7.101)

Recommended Action None required.

334006

Error Message %ASA-5-334006: EAPoUDP failed to get a response from host - host-address

Explanation An EAPoUDP response was not received from the host.

  • host-address —The IP address of the host in dotted decimal format (for example, 10.86.7.101)

Recommended Action None required.

334007

Error Message %ASA-6-334007: EAPoUDP association terminated - host-address

Explanation An EAPoUDP association has terminated with the host.

  • host-address —The IP address of the host in dotted decimal format (for example, 10.86.7.101)

Recommended Action None required.

334008

Error Message %ASA-6-334008: NAC EAP association initiated - host-address, EAP context: EAP-context

Explanation EAPoUDP has initiated EAP with the host.

  • host-address —The IP address of the host in dotted decimal format (for example, 10.86.7.101)
  • EAP-context —A unique identifier for the EAP session displayed as an eight-digit, hexadecimal number (for example, 0x2D890AE0)

Recommended Action None required.

334009

Error Message %ASA-6-334009: Audit request for NAC Clientless host - Assigned_IP.

Explanation An audit request is being sent for the specified assigned IP address.

  • Assigned_IP —The IP address assigned to the client

Recommended Action None required.

335001

Error Message %ASA-6-335001: NAC session initialized - host-address

Explanation A NAC session has started for a remote host.

  • host-address —The IP address of the host in dotted decimal format (for example, 10.86.7.101)

Recommended Action None required.

335002

Error Message %ASA-5-335002: Host is on the NAC Exception List - host-address, OS: oper-sys

Explanation The client is on the NAC Exception List and is therefore not subject to posture validation.

  • host-address —The IP address of the host in dotted decimal format (for example, 10.1.1.1)
  • oper-sys —The operating system (for example, Windows XP) of the host

Recommended Action None required.

335003

Error Message %ASA-5-335003: NAC Default ACL applied, ACL: ACL-name - host-address

Explanation The NAC default ACL has been applied for the client.

  • ACL-name —The name of the ACL being applied
  • host-address —The IP address of the host in dotted decimal format (for example, 10.1.1.1)

Recommended Action None required.

335004

Error Message %ASA-6-335004: NAC is disabled for host - host-address

Explanation NAC is disabled for the remote host.

  • host-address —The IP address of the host in dotted decimal format (for example, 10.1.1.1)

Recommended Action None required.

335004

Error Message %ASA-6-335004: NAC is disabled for host - host-address

Explanation NAC is disabled for the remote host.

  • host-address —The IP address of the host in dotted decimal format (for example, 10.1.1.1)

Recommended Action None required.

335005

Error Message %ASA-4-335005: NAC Downloaded ACL parse failure - host-address

Explanation Parsing of a downloaded ACL failed.

  • host-address —The IP address of the host in dotted decimal format (for example, 10.1.1.1)

Recommended Action Verify the configuration of the Cisco Secure Access Control Server.

335006

Error Message %ASA-6-335006: NAC Applying ACL: ACL-name - host-address

Explanation The name of the ACL that is being applied as a result of NAC posture validation.

  • ACL-name —The name of the ACL being applied
  • host-address —The IP address of the host in dotted decimal format (for example, 10.1.1.1)

Recommended Action None required.

335007

Error Message %ASA-7-335007: NAC Default ACL not configured - host-address

Explanation A NAC default ACL has not been configured.

  • host-address —The IP address of the host in dotted decimal format (for example, 10.1.1.1)

Recommended Action None required.

335008

Error Message %ASA-5-335008: NAC IPsec terminate from dynamic ACL: ACL-name - host-address

Explanation A dynamic ACL obtained as a result of PV requires IPsec termination.

  • ACL-name —The name of the ACL being applied
  • host-address —The IP address of the host in dotted decimal format (for example, 10.1.1.1)

Recommended Action None required.

335009

Error Message %ASA-6-335009: NAC Revalidate request by administrative action - host-address

Explanation A NAC Revalidate action was requested by the administrator.

  • host-address —The IP address of the host in dotted decimal format (for example, 10.1.1.1)

Recommended Action None required.

335010

Error Message %ASA-6-335010: NAC Revalidate All request by administrative action - num sessions

Explanation A NAC Revalidate All action was requested by the administrator.

  • num —A decimal integer that indicates the number of sessions to be revalidated

Recommended Action None required.

335011

Error Message %ASA-6-335011: NAC Revalidate Group request by administrative action for group-name group - num sessions

Explanation A NAC Revalidate Group action was requested by the administrator.

  • group-name —The VPN group name
  • num —A decimal integer that indicates the number of sessions to be revalidated

Recommended Action None required.

335012

Error Message %ASA-6-335012: NAC Initialize request by administrative action - host-address

Explanation A NAC Initialize action was requested by the administrator.

  • host-address —The IP address of the host in dotted decimal format (for example, 10.1.1.1)

Recommended Action None required.

335013

Error Message %ASA-6-335013: NAC Initialize All request by administrative action - num sessions

Explanation A NAC Initialize All action was requested by the administrator.

  • num —A decimal integer that indicates the number of sessions to be revalidated

Recommended Action None required.

335014

Error Message %ASA-6-335014: NAC Initialize Group request by administrative action for group-name group - num sessions

Explanation A NAC Initialize Group action was requested by the administrator.

  • group-name —The VPN group name
  • num —A decimal integer that indicates the number of sessions to be revalidated

Recommended Action None required.

336001

Error Message %ASA-3-336001 Route desination_network stuck-in-active state in EIGRP- ddb_name as_num. Cleaning up

Explanation The SIA state means that an EIGRP router has not received a reply to a query from one or more neighbors within the time allotted (approximately three minutes). When this happens, EIGRP clears the neighbors that did not send a reply and logs an error message for the route that became active.

  • destination_network —The route that became active
  • ddb_name —IPv4
  • as_num —The EIGRP router

Recommended Action Check to see why the router did not get a response from all of its neighbors and why the route disappeared.

336002

Error Message %ASA-3-336002: Handle handle_id is not allocated in pool.

Explanation The EIGRP router is unable to find the handle for the next hop.

  • handle_id —The identity of the missing handle

Recommended Action If the problem persists, contact the Cisco TAC.

336003

Error Message %ASA-3-336003: No buffers available for bytes byte packet

Explanation The DUAL software was unable to allocate a packet buffer. The ASA may be out of memory.

  • bytes —Number of bytes in the packet

Recommended Action Check to see if the ASA is out of memory by entering the show mem or show tech command. If the problem persists, contact the Cisco TAC.

336004

Error Message %ASA-3-336004: Negative refcount in pakdesc pakdesc.

Explanation The reference count packet count became negative.

  • pakdesc —Packet identifier

Recommended Action If the problem persists, contact the Cisco TAC.

336005

Error Message %ASA-3-336005: Flow control error, error, on interface_name.

Explanation The interface is flow blocked for multicast. Qelm is the queue element, and in this case, the last multicast packet on the queue for this particular interface.

  • error —Error statement: Qelm on flow ready
  • interface_name —Name of the interface on which the error occurred

Recommended Action If the problem persists, contact the Cisco TAC.

336006

Error Message %ASA-3-336006: num peers exist on IIDB interface_name.

Explanation Peers still exist on a particular interface during or after cleanup of the IDB of the EIGRP.

  • num —The number of peers
  • interface_name —The interface name

Recommended Action If the problem persists, contact the Cisco TAC.

336007

Error Message %ASA-3-336007: Anchor count negative

Explanation An error occurred and the count of the anchor became negative when it was released.

Recommended Action If the problem persists, contact the Cisco TAC.

336008

Error Message %ASA-3-336008: Lingering DRDB deleting IIDB, dest network, nexthop address (interface), origin origin_str

Explanation An interface is being deleted and some lingering DRDB exists.

  • network—The destination network
  • address—The nexthop address
  • interface—The nexthop interface
  • origin_str—String defining the origin

Recommended Action If the problem persists, contact the Cisco TAC.

336009

Error Message %ASA-3-336009 ddb_name as_id: Internal Error

Explanation An internal error occurred.

  • ddb_name —PDM name (for example, IPv4 PDM)
  • as_id —Autonomous system ID

Recommended Action If the problem persists, contact the Cisco TAC.

336010

Error Message %ASA-5-336010 EIGRP- ddb_name tableid as_id: Neighbor address (%interface) is event_msg: msg

Explanation A neighbor went up or down.

  • ddb_name —IPv4
  • tableid — Internal ID for the RIB
  • as_id —Autonomous system ID
  • address —IP address of the neighbor
  • interface —Name of the interface
  • event_msg — Event that is occurring for the neighbor (that is, up or down)
  • msg —Reason for the event. Possible event_msg and msg value pairs include:

- resync: peer graceful-restart

- down: holding timer expired

- up: new adjacency

- down: Auth failure

- down: Stuck in Active

- down: Interface PEER-TERMINATION received

- down: K-value mismatch

- down: Peer Termination received

- down: stuck in INIT state

- down: peer info changed

- down: summary configured

- down: Max hopcount changed

- down: metric changed

- down: [No reason]

Recommended Action Check to see why the link on the neighbor is going down or is flapping. This may be a sign of a problem, or a problem may occur because of this.

336011

Error Message %ASA-6-336011: event event

Explanation A dual event occurred. The events can be one of the following:

  • Redist rt change
  • SIA Query while Active

Recommended Action If the problem persists, contact the Cisco TAC.

336012

Error Message %ASA-3-336012: Interface interface_names going down and neighbor_links links exist

Explanation An interface is going down or is being removed from routing through IGRP, but not all links (neighbors) have been removed from the topology table.

Recommended Action If the problem persists, contact the Cisco TAC.

336013

Error Message %ASA-3-336013: Route iproute, iproute_successors successors, db_successors rdbs

Explanation A hardware or software error occurred.

Recommended Action If the problem persists, contact the Cisco TAC.

336014

Error Message %ASA-3-336014: “EIGRP_PDM_Process_name, event_log”

Explanation A hardware or software error occurred.

Recommended Action If the problem persists, contact the Cisco TAC.

336015

Error Message %ASA-3-336015: “Unable to open socket for AS as_number”

Explanation A hardware or software error occurred.

Recommended Action If the problem persists, contact the Cisco TAC.

336016

Error Message %ASA-3-336016: Unknown timer type timer_type expiration

Explanation A hardware or software error occurred.

Recommended Action If the problem persists, contact the Cisco TAC.

336019

Error Message %ASA-3-336019: process_name as_number: prefix_source threshold prefix level (prefix_threshold) reached

Explanation The number of prefixes in the topology database has reached the configured or default threshold level. The prefix source may be any of the following:

  • Neighbor
  • Redistributed
  • Aggregate

Recommended Action Use the show eigrp accounting command to obtain details about the source of the prefixes and take corrective action.

337001

Error Message %ASA-3-337001: Phone Proxy SRTP: Encryption failed on packet from in_ifc : src_ip / src_port to out_ifc : dest_ip / dest_port

Explanation The crypto hardware was unable to do SRTP encryption.

  • in_ifc —The input interface
  • src_ip —The source IP address of the packet
  • src_port —The source port of the packet output interface
  • dest_ip —The destination IP address of the packet
  • dest_port —The destination port of the packet

Recommended Action If this message persists, call the Cisco TAC to debug the crypto hardware to determine why SRTP encryption is failing.

337002

Error Message %ASA-3-337002: Phone Proxy SRTP: Decryption failed on packet from in_ifc : src_ip / src_port to out_ifc : dest_ip / dest_port

Explanation The crypto hardware was unable to do SRTP decryption.

  • in_ifc —The input interface
  • src_ip —The source IP address of the packet
  • src_port —The source port of the packet output interface
  • dest_ip —The destination IP address of the packet
  • dest_port —The destination port of the packet

Recommended Action If this message persists, call the Cisco TAC to debug the crypto hardware to determine why SRTP decryption is failing.

337003

Error Message %ASA-3-337003: Phone Proxy SRTP: Authentication tag generation failed on packet from in_ifc : src_ip / src_port to out_ifc : dest_ip / dest_port

Explanation The authentication tag generation failed in the crypto hardware.

  • in_ifc —The input interface
  • src_ip —The source IP address of the packet
  • src_port —The source port of the packet output interface
  • dest_ip —The destination IP address of the packet
  • dest_port —The destination port of the packet

Recommended Action If this message persists, call the Cisco TAC to debug the crypto hardware to determine why SRTP generation of the authentication tag is failing.

337004

Error Message %ASA-3-337004: Phone Proxy SRTP: Authentication tag validation failed on packet from in_ifc : src_ip / src_port to out_ifc : dest_ip / dest_port

Explanation The computed authentication tag is not the same as the authentication tag in the packet.

  • in_ifc —The input interface
  • src_ip —The source IP address of the packet
  • src_port —The source port of the packet output interface
  • dest_ip —The destination IP address of the packet
  • dest_port —The destination port of the packet

Recommended Action Check to see whether an attack is underway.

337005

Error Message %ASA-4-337005: Phone Proxy SRTP: Media session not found for media_term_ip / media_term_port for packet from in_ifc : src_ip / src_port to out_ifc : dest_ip / dest_port

Explanation The ASA received an SRTP or RTP packet that was destined to go to the media termination IP address and port, but the corresponding media session to process this packet was not found.

  • in_ifc —The input interface
  • src_ip —The source IP address of the packet
  • src_port —The source port of the packet
  • out_ifc —The output interface
  • dest_ip —The destination IP address of the packet
  • dest_port —The destination port of the packet

Recommended Action If this message occurs at the end of the call, it is considered normal because the signaling messages may have released the media session, but the endpoint is continuing to send a few SRTP or RTP packets. If this message occurs for an odd-numbered media termination port, the endpoint is sending RTCP, which must be disabled from the CUCM. If this message happens continuously for a call, debug the signaling message transaction either using phone proxy debug commands or capture commands to determine if the signaling messages are being modified with the media termination IP address and port.

337006

Error Message %ASA-3-337006: Phone Proxy SRTP: Failed to sign file filename requested by UDP client cifc:caddr/cport for sifc : saddr / sport

Explanation The crypto hardware was unable to perform encryption and create a signature for a file.

  • filename— The name of the file
  • sifc —The server interface
  • saddr —The server IP address
  • sport —The server port
  • cifc —The client interface
  • caddr —The client IP address
  • cport —The client port

Recommended Action If this message persists, check associated messages for other errors related to the crypto hardware engine.

337007

Error Message %ASA-3-337007: Phone Proxy SRTP: Failed to find configuration file filename for UDP client cifc:caddr/cport by server sifc : saddr / sport

Explanation The CUCM returns the File Not Found error when a phone requests its configuration file.

  • filename— The name of the file
  • sifc —The server interface
  • saddr —The server IP address
  • sport —The server port
  • cifc —The client interface
  • caddr —The client IP address
  • cport —The client port

Recommended Action Check to make sure that this phone has been configured on the CUCM.

337008

Error Message %ASA-3-337008: Phone Proxy: Unable to allocate media port from media-termination address phone_proxy_ifc : media_term_IP for client_ifc : client_IP / client_port ; call failed.

Explanation The ASA cannot find a port to allocate for media when creating a new media session. This message may occur because the user has not provided a large enough range of ports for phone proxy use, which is determined in the media-termination address command, or that all available ports are already being used.

  • media-termination address— The media termination address
  • phone_proxy_ifc— The media termination interface name (identity)
  • media_term_ip —The media termination IP address
  • client_ifc —The client interface name
  • client_ip —The client IP address
  • client_port —The client port

Recommended Action Check the phone-proxy configuration to see the range of media ports specified and allocate a larger range of media ports if the range was too small, provided the security policy allows it. The default port range is 16384-32767.

337009

Error Message %ASA-3-337009: Unable to create secure phone entry, interface : IPaddr is already configured for the same MAC mac_addr.

Explanation You tried to register the same secure phone with a different IP address. Because an entry for the MAC address with the old IP address was already made, you cannot have multiple entries with the same MAC address and different IP addresses.

  • interface— The interface name from which the previous entry is registered
  • ipaddr —The IP address of the existing secure phone entry
  • mac_addr —The MAC address of the phone

Recommended Action Check the output of the show phone-proxy secure-phones command. Use the clear command to clear the entry that is causing the issue, then register the phone with the new IP address.

338001

Error Message %ASA-4-338001: Dynamic filter monitored blacklisted protocol traffic from in_interface : src_ip_addr / src_port ( mapped-ip / mapped-port) to out_interface : dest_ip_addr / dest_port, ( mapped-ip / mapped-port), source malicious address resolved from local or dynamic list: domain name, threat-level: level_value, category: category_name

Explanation Traffic from a blacklisted domain in the dynamic filter database has appeared. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).

Recommended Action Access to a malicious site has been logged. Use the internal IP address to trace the infected machine, or enter the dynamic-filter drop blacklist command to automatically drop such traffic.

338002

Error Message %ASA-4-338002: Dynamic filter monitored blacklisted protocol traffic from in_interface : src_ip_addr / src_port ( mapped-ip / mapped-port) to out_interface : dest_ip_addr / dest_port ( mapped-ip / mapped-port), destination malicious address resolved from local or dynamic list: domain name, threat-level: level_value, category: category_name

Explanation Traffic to a blacklisted domain name in the dynamic filter database has appeared. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).

Recommended Action Access to a malicious site has been logged. Use the internal IP address to trace the infected machine, or enter the dynamic-filter drop blacklist command to automatically drop such traffic.

338003

Error Message %ASA-4-338003: Dynamic filter monitored blacklisted protocol traffic from in_interface : src_ip_addr / src_port ( mapped-ip / mapped-port) to out_interface : dest_ip_addr / dest_port, ( mapped-ip / mapped-port), source malicious address resolved from local or dynamic list: ip address/netmask, threat-level: level_value, category: category_name

Explanation Traffic from a blacklisted IP address in the dynamic filter database has appeared. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).

Recommended Action Access to a malicious site has been logged. Use the internal IP address to trace the infected machine, or enter the dynamic-filter drop blacklist command to automatically drop such traffic.

338004

Error Message %ASA-4-338004: Dynamic filter monitored blacklisted protocol traffic from in_interface : src_ip_addr / src_port ( mapped-ip / mapped-port) to out_interface : dest_ip_addr / dest_port ( mapped-ip / mapped-port), destination malicious address resolved from local or dynamic list: ip address/netmask, threat-level: level_value, category: category_name

Explanation Traffic to a blacklisted IP address in the dynamic filter database has appeared. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).

Recommended Action Access to a malicious site has been logged. Use the internal IP address to trace the infected machine, or enter the dynamic-filter drop blacklist command to automatically drop such traffic.

338005

Error Message %ASA-4-338005: Dynamic filter dropped blacklisted protocol traffic from in_interface : src_ip_addr / src_port ( mapped-ip / mapped-port) to out_interface : dest_ip_addr / dest_port ( mapped-ip / mapped-port), source malicious address resolved from local or dynamic list: domain name, threat-level: level_value, category: category_name

Explanation Traffic from a black-listed domain name in the dynamic filter database was denied. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).

Recommended Action None required.

338006

Error Message %ASA-4-338006: Dynamic filter dropped blacklisted protocol traffic from in_interface : src_ip_addr / src_port ( mapped-ip / mapped-port) to out_interface : dest_ip_addr / dest_port ( mapped-ip / mapped-port), destination malicious address resolved from local or dynamic list: domain name, threat-level: level_value, category: category_name

Explanation Traffic to a blacklisted domain name in the dynamic filter database was denied. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).

Recommended Action None required.

338007

Error Message %ASA-4-338007: Dynamic filter dropped blacklisted protocol traffic from in_interface : src_ip_addr / src_port ( mapped-ip / mapped-port) to out_interface : dest_ip_addr / dest_port ( mapped-ip / mapped-port), source malicious address resolved from local or dynamic list: ip address/netmask, threat-level: level_value, category: category_name

Explanation Traffic from a blacklisted IP address in the dynamic filter database was denied. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).

Recommended Action None required.

338008

Error Message %ASA-4-338008: Dynamic filter dropped blacklisted protocol traffic from in_interface : src_ip_addr / src_port ( mapped-ip / mapped-port) to out_interface : dest_ip_addr / dest_port ( mapped-ip / mapped-port), destination malicious address resolved from local or dynamic list: ip address/netmask, threat-level: level_value, category: category_name

Explanation Traffic to a blacklisted IP address in the dynamic filter database was denied. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).

Recommended Action None required.

338101

Error Message %ASA-4-338101: Dynamic filter action whitelisted protocol traffic from in_interface : src_ip_addr / src_port ( mapped-ip / mapped-port) to out_interface : dest_ip_addr / dest_port, ( mapped-ip / mapped-port), source malicious address resolved from local or dynamic list: domain name

Explanation Traffic from a whitelisted domain in the dynamic filter database has appeared.

Recommended Action None required.

338102

Error Message %ASA-4-338102: Dynamic filter action whitelisted protocol traffic from in_interface : src_ip_addr / src_port ( mapped-ip / mapped-port) to out_interface : dest_ip_addr / dest_port ( mapped-ip / mapped-port), destination malicious address resolved from local or dynamic list: domain name

Explanation Traffic to a whitelisted domain name in the dynamic filter database has appeared.

Recommended Action None required.

338103

Error Message %ASA-4-338103: Dynamic filter action whitelisted protocol traffic from in_interface : src_ip_addr / src_port ( mapped-ip / mapped-port) to out_interface : dest_ip_addr / dest_port, ( mapped-ip / mapped-port), source malicious address resolved from local or dynamic list: ip address/netmask

Explanation Traffic from a whitelisted IP address in the dynamic filter database has appeared.

Recommended Action None required.

338104

Error Message %ASA-4-338104: Dynamic filter action whitelisted protocol traffic from in_interface : src_ip_addr / src_port ( mapped-ip / mapped-port) to out_interface : dest_ip_addr / dest_port ( mapped-ip / mapped-port), destination malicious address resolved from local or dynamic list: ip address/netmask

Explanation Traffic to a whitelisted IP address in the dynamic filter database has appeared.

Recommended Action None required.

338201

Error Message %ASA-4-338201: Dynamic filter monitored greylisted protocol traffic from in_interface : src_ip_addr / src_port ( mapped-ip / mapped-port) to out_interface : dest_ip_addr / dest_port, ( mapped-ip / mapped-port), source malicious address resolved from local or dynamic list: domain name, threat-level: level_value, category: category_name

Explanation Traffic from a greylisted domain in the dynamic filter database has appeared. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).

Recommended Action Access to a malicious site has been logged. Use the internal IP address to trace the infected machine, or enter the dynamic-filter drop blacklist command and the dynamic-filter ambiguous-is-black command to automatically drop such traffic.

338202

Error Message %ASA-4-338202: Dynamic filter monitored greylisted protocol traffic from in_interface : src_ip_addr / src_port ( mapped-ip / mapped-port) to out_interface : dest_ip_addr / dest_port ( mapped-ip / mapped-port), destination malicious address resolved from local or dynamic list: domain name, threat-level: level_value, category: category_name

Explanation Traffic to a greylisted domain name in the dynamic filter database has appeared. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).

Recommended Action Access to a malicious site has been logged. Use the internal IP address to trace the infected machine, or enter the dynamic-filter drop blacklist command and the dynamic-filter ambiguous-is-black command to automatically drop such traffic.

338203

Error Message %ASA-4-338203: Dynamic filter dropped greylisted protocol traffic from in_interface : src_ip_addr / src_port ( mapped-ip / mapped-port) to out_interface : dest_ip_addr / dest_port ( mapped-ip / mapped-port), source malicious address resolved from local or dynamic list: domain name, threat-level: level_value, category: category_name

Explanation Traffic from a greylisted domain name in the dynamic filter database was denied; however, the malicious IP address was also resolved to domain names that are unknown to the dynamic filter database. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).

Recommended Action Access to a malicious site was dropped. If you do not want to automatically drop greylisted traffic whose IP address matches both blacklisted domain names and unknown domain names, disable the dynamic-filter ambiguous-is-black command.

338204

Error Message %ASA-4-338204: Dynamic filter dropped greylisted protocol traffic from in_interface : src_ip_addr / src_port ( mapped-ip / mapped-port) to out_interface : dest_ip_addr / dest_port ( mapped-ip / mapped-port), destination malicious address resolved from local or dynamic list: domain name, threat-level: level_value, category: category_name

Explanation Traffic to a greylisted domain name in the dynamic filter database was denied; however, the malicious IP address was also resolved to domain names that are unknown to the dynamic filter database. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).

Recommended Action Access to a malicious site was dropped. If you do not want to automatically drop greylisted traffic whose IP address matches both blacklisted domain names and unknown domain names, disable the dynamic-filter ambiguous-is-black command.

338301

Error Message %ASA-4-338301: Intercepted DNS reply for domain name from in_interface : src_ip_addr / src_port to out_interface : dest_ip_addr / dest_port, matched list

Explanation A DNS reply that was present in an administrator whitelist, blacklist, or IronPort list was intercepted.

  • name— The domain name
  • list —The list that includes the domain name, administrator whitelist, blacklist, or IronPort list

Recommended Action None required.

338302

Error Message %ASA-5-338302: Address ipaddr discovered for domain name from list, Adding rule

Explanation An IP address that was discovered from a DNS reply to the dynamic filter rule table was added.

  • ipaddr— The IP address from the DNS reply
  • name— The domain name
  • list —The list that includes the domain name, administrator blacklist, or IronPort list

Recommended Action None required.

338303

Error Message %ASA-5-338303: Address ipaddr ( name) timed out, Removing rule

Explanation An IP address that was discovered from the dynamic filter rule table was removed.

  • ipaddr— The IP address from the DNS reply
  • name— The domain name

Recommended Action None required.

338304

Error Message %ASA-6-338304: Successfully downloaded dynamic filter data file from updater server url

Explanation A new version of the data file has been downloaded.

  • url —The URL of the updater server

Recommended Action None required.

338305

Error Message %ASA-3-338305: Failed to download dynamic filter data file from updater server url

Explanation The dynamic filter database has failed to download.

  • url —The URL of the updater server

Recommended Action Make sure that you have a DNS configuration on the ASA so that the updater server URL can be resolved. If you cannot ping the server from the ASA, check with your network administrator for the correct network connection and routing configuration. If you are still having problems, contact the Cisco TAC.

338306

Error Message %ASA-3-338306: Failed to authenticate with dynamic filter updater server url

Explanation The ASA failed to authenticate with the dynamic filter updater server.

  • url —The URL of the updater server

Recommended Action Contact the Cisco TAC.

338307

Error Message %ASA-3-338307: Failed to decrypt downloaded dynamic filter database file

Explanation The downloaded dynamic filter database file failed to decrypt.

Recommended Action Contact the Cisco TAC.

338308

Error Message %ASA-5-338308: Dynamic filter updater server dynamically changed from old_server_host : old_server_port to new_server_host : new_server_port

Explanation The ASA was directed to a new updater server host or port.

  • old_server_host : old_server_port —The previous updater server host and port
  • new_server_host : new_server_port —The new updater server host and port

Recommended Action None required.

338309

Error Message %ASA-3-338309: The license on this ASA does not support dynamic filter updater feature.

Explanation The dynamic filter updater is a licensed feature; however, the license on the ASA does not support this feature.

Recommended Action None required.

338310

Error Message %ASA-3-338310: Failed to update from dynamic filter updater server url, reason: reason string

Explanation The ASA failed to receive an update from the dynamic filter updater server.

  • url— The URL of the updater server
  • reason string —The reason for the failure, which can be one of the following:

- Failed to connect to updater server

- Received invalid server response

- Received invalid server manifest

- Error in stored update file information

- Script error

- Function call error

- Out of memory

Recommended Action Check the network connection to the server. Try to ping the server URL, which is shown in the output of the show dynamic-filter updater-client command. Make sure that the port is allowed through your network. If the network connection is not the problem, contact your network administrator.

339001

Error Message %ASA-3-339001: UC-IME-SIG: Ticket not found in SIP %s from %s : %A / %d to % s : %A/%d, packet dropped

Explanation For UC-IME SIP signaling, all dialog-forming SIP messages received from the outside must include the X-Cisco-ViPR-Ticket header. If this header is missing from the message, the message will be dropped during SIP inspection. This header is only required when an existing SIP session (as determined by current SIP inspection rules) cannot be found for the message being inspected.

  • %s —SIP message name (INVITE or REFER)
  • %s —Source interface name (inside or outside)
  • %A —Source IP address
  • %d —Source port
  • %s —Destination interface name (inside or outside)
  • %A —Destination IP address
  • %d —Destination port

Recommended Action Check to see if UC-IME calls are being spoofed.

339002

Error Message %ASA-3-339002: UC-IME-SIG: Invalid ticket in SIP %s from %s : %A / %d to %s : %A / %d, packet dropped, %s

Explanation When UC-IME ticket inspection and validation are performed, several data checks for timestamp validity and epoch matching, among others, are performed. If any of these checks fail, the SIP message or packet will be dropped.

  • %s —SIP message name (INVITE or REFER)
  • %s —Source interface name (inside or outside)
  • %A —Source IP address
  • %d —Source port
  • %s —Destination interface name (inside or outside)
  • %A —Destination IP address
  • %d —Destination port
  • %s —Additional description or data about the error condition

Recommended Action Check to see if UC-IME calls are being spoofed. Turn on UC-IME debug tracing to obtain more details about the error condition.

339003

Error Message %ASA-3-339003: UC-IME-SIG: Non-dialog forming SIP %s received from %s : %A / %d to %s : %A / %d, packet dropped

Explanation When a SIP message is inspected by the UC-IME feature, checks are performed to see if the message belongs to an existing SIP session. In a non-UC-IME scenario, a SIP request received will create a SIP session (if permitted by a configured policy). However, for the UC-IME feature, nondialog-creating SIP messages are not permitted to create a SIP session in the ASA and are dropped.

  • %s —SIP message name (INVITE or REFER)
  • %s —Source interface name (inside or outside)
  • %A —Source IP address
  • %d —Source port
  • %s —Destination interface name (inside or outside)
  • %A —Destination IP address
  • %d —Destination port

Recommended Action Check to see if UC-IME calls are being spoofed.

339004

Error Message %ASA-3-339004: UC-IME-SIG: Dropping SIP %s received from %s : %A / %d to %s : %A / %d, route header validation failed, %s

Explanation When an outbound SIP message is inspected by the UC-IME feature, the domain name included in the SIP route header is compared to the TLS certificate domain name. This comparison allows the UC-IME feature on the ASA to determine whether or not the SIP message is actually terminating at the intended enterprise. If a mismatch occurs, it implies that the remote end is not serving that domain, and the SIP session should be terminated.

  • %s —SIP message name (INVITE or REFER)
  • %s —Source interface name (inside or outside)
  • %A —Source IP address
  • %d —Source port
  • %s —Destination interface name (inside or outside)
  • %A —Destination IP address
  • %d —Destination port
  • %s —Additional description or data about the error condition (for example, the domain names received)

Recommended Action Check to see if the remote enterprise is attempting to hijack UC-IME calls.

339005

Error Message %ASA-3-339005: UC-IME-SIG: Message received from %s : %A / %d to %s : %A / %d does not contain SRTP, message dropped

Explanation For UC-IME SIP signaling, SIP messages received that have media content from the outside need to be SRTP. If this content is not SRTP, the message will be dropped during SIP inspection.

  • %s —Source interface name (inside or outside)
  • %A —Source IP address
  • %d —Source port
  • %s —Destination interface name (inside or outside)
  • %A —Destination IP address
  • %d —Destination port

Recommended Action None required.

339006

Error Message %ASA-3-339006: UC-IME-Offpath: Failed to map remote UCM address %A : %d on %s interface, request from local UCM %A : %d on %s interface, reason %s

Explanation For the UC-IME mapping service to work correctly, a correct configuration of global NAT must be in place. If a misconfiguration is detected, a message will be generated to inform the administrator. At the same time, all requests from UCM clients must conform to the mapping service stun message format. All nonconforming requests will be dropped silently, and a message will be generated to notify the administrator about this occurrence.

  • %A —Remote UCM IP address
  • %d —Remote UCM port
  • %s —Interface for the remote UCM IP address or port address
  • %A —Local UCM IP address (used for the mapping service connection)
  • %d —Local UCM port (used for the mapping service connection)
  • %s —Interface for the local UCM IP address or port address
  • %s —Failure reason

Recommended Action Check to see if the UC-IME Offpath and the UCM Offpath are configured correctly.

339007

Error Message %ASA-6-339007: UC-IME-Offpath: Mapped address %A : %d on %s interface for remote UCM %A : %d on %s interface, request from local UCM %A : %d on %s interface

Explanation UC-IME mapping service calls are tracked based on the mapping service client (UCM) address (IP:port) and remote UCM address (IP:port). The administrator may use this information to help debug an offpath UC-IME call.

  • %A —Mapped IP address
  • %d —Mapped port
  • %s —Interface for the mapped IP address or port address
  • %A —Remote UCM IP address
  • %d —Remote UCM port
  • %s —Interface for the remote UCM IP address or port address
  • %A —Local UCM IP address (used for the mapping-service connection)
  • %d —Local UCM port (used for the mapping-service connection)
  • %s —Interface for the local UCM IP address or port address

Recommended Action None required.

339008

Error Message %ASA-6-339008: UC-IME-Media: Media session with Call-ID %s and Session-ID %s terminated. RTP monitoring parameters: Failover state: %s, Refer msgs sent: %d, Codec payload format: %s, RTP ptime (ms): %d, Max RBLR pct( x100): %d, Max ITE count in 8 secs: %d, Max BLS (ms): %d, Max span PDV (usec): %d, Min span PDV (usec): %d, Mov avg span PDV (usec): %d, Total ITE count: %d, Total sec count: %d, Concealed sec count: %d, Severely concealed sec count: %d, Max call interval (ms): %d

Explanation UC-IME media session termination is tracked based on the Call ID or Session ID. This message is triggered at the end of a media session. The parameters returned by the RTP monitoring algorithm are included so that an administrator can adjust sensitivity parameters to improve the quality of service for a call.

  • %s —Failover state, which can be one of the following:

- No error, for an active session

- No media at startup timer expired

- Error in received sequence numbering

- Both ITE and BLS thresholds exceeded

- BLS threshold exceeded within Burst Interval

- RBLR threshold exceeded within last 8 sec

- Combination (> 3/4 RBLR + > 3/4 BLS) failover

- No media since last received packet exceeded

- ITE threshold exceeded

  • %s —Codec payload format:, which can be one of the following:

- UNKNOWN

- G722

- PCMU

- PCMA

- iLBC

- iSAC

Recommended Action None required.

339009

Error Message %ASA-6-339009: UC-IME: Ticket Password changed. Please update the same on UC-IME server.

Explanation The ASA administrator is allowed to change the ticket password without knowing the old password. This message is generated to ensure that the administrator is aware of this change. The message also serves as a reminder to the administrator that if the UC-IME password is changed on the ASA, it should also be changed on the UC-IME server for everything to function correctly.

Recommended Action Verify that the ticket password has been changed on the UC-IME server to match the value configured on the ASA.

340001

Error Message %ASA-3-340001: Loopback-proxy error: error_string context id context_id, context type = version / request_type / address_type client socket (internal)= client_address_internal / client_port_internal server socket (internal)= server_address_internal / server_port_internal server socket (external)= server_address_external / server_port_external remote socket (external)= remote_address_external / remote_port_external

Explanation Loopback proxy allows third-party applications running on the ASA to access the network. The loopback proxy encountered an error.

  • context_id— A unique, 32-bit context ID that is generated for each loopback client proxy request
  • version —The protocol version
  • request_type —The type of request, which can be one of the following: TC (TCP connection), TB (TCP bind), or UA (UDP association)
  • address_type —The types of addresses, which can be one of the following: IP4 (IPv4), IP6 (IPv6), or DNS (domain name service)
  • client_address_internal/server_address_internal— The addresses that the loopback client and the loopback server used for communication
  • client_port_internal / server_port_internal— The ports that the loopback client and the loopback server used for communication
  • server_address_external / remote_address_external —The addresses that the loopback server and the remote host used for communication
  • server_port_external / remote_port_external —The ports that the loopback server and the remote host used for communication
  • error_string —The error string that may help troubleshoot the problem

Recommended Action Copy the syslog message and contact the Cisco TAC.

340002

Error Message %ASA-6-340002: Loopback-proxy info: error_string context id context_id, context type = version / request_type / address_type client socket (internal)= client_address_internal / client_port_internal server socket (internal)= server_address_internal / server_port_internal server socket (external)= server_address_external / server_port_external remote socket (external)= remote_address_external / remote_port_external

Explanation Loopback proxy allows third-party applications running on the ASA to access the network. The loopback proxy generated debugging information for use in troubleshooting.

  • context_id— A unique, 32-bit context ID that is generated for each loopback client proxy request
  • version —The protocol version
  • request_type —The type of request, which can be one of the following: TC (TCP connection), TB (TCP bind), or UA (UDP association)
  • address_type —The types of addresses, which can be one of the following: IP4 (IPv4), IP6 (IPv6), or DNS (domain name service)
  • client_address_internal/server_address_internal— The addresses that the loopback client and the loopback server used for communication
  • client_port_internal / server_port_internal— The ports that the loopback client and the loopback server used for communication
  • server_address_external / remote_address_external —The addresses that the loopback server and the remote host used for communication
  • server_port_external / remote_port_external —The ports that the loopback server and the remote host used for communication
  • error_string —The error string that may help troubleshoot the problem

Recommended Action Copy the syslog message and contact the Cisco TAC.

341001

Error Message %ASA-6-341001: Policy Agent started successfully for VNMC vnmc_ip_addr

Explanation The policy agent processes (DME, ducatiAG, and commonAG) started successfully.

  • vnmc_ip_addr —-The IP address of the VNMC server

Recommended Action None.

341002

Error Message %ASA-6-341002: Policy Agent stopped successfully for VNMC vnmc_ip_addr

Explanation The policy agent processes (DME, ducatiAG, and commonAG) were stopped.

  • vnmc_ip_addr —-The IP address of the VNMC server

Recommended Action None.

341003

Error Message %ASA-3-341003: Policy Agent failed to start for VNMC vnmc_ip_addr

Explanation The policy agent failed to start.

  • vnmc_ip_addr —-The IP address of the VNMC server

Recommended Action Check for console history and the disk0:/pa/log/vnm_pa_error_status for error messages. To retry starting the policy agent, issue the registration host command again.

341004

Error Message %ASA-3-341004: Storage device not available: Attempt to shutdown module %s failed.

Explanation All SSDs have failed or been removed with the system in Up state. The system has attempted to shut down the software module, but that attempt has failed.

  • %s —The software module (for example, cxsc)

Recommended Action Replace the remved or failed drive and reload the ASA.

341005

Error Message %ASA-3-341005: Storage device not available. Shutdown issued for module %s.

Explanation All SSDs have failed or been removed with the system in Up state. The system is shutting down the software module.

  • %s —The software module (for example, cxsc)

Recommended Action Replace the removed or failed drive and reload the software module.

341006

Error Message %ASA-3-341006: Storage device not available. Failed to stop recovery of module %s.

Explanation All SSDs have failed or been removed with the system in recorvery state. The system attempted to stop the recover, but that attempt failed.

  • %s —The software module (for example, cxsc)

Recommended Action Replace the removed or failed drive and reload the ASA.

341007

Error Message %ASA-3-341007: Storage device not available. Further recovery of module %s was stopped. This may take several minutes to complete.

Explanation All SSDs have failed or been removed with the system in recovery state. The system is stopping the recovery of the softwaremodule.

  • %s —The software module (for example, cxsc)

Recommended Action Replace the removed or failed drive and reload the software module.

341008

Error Message %ASA-3-341008: Storage device not found. Auto-boot of module %s cancelled. Install drive and reload to try again.

Explanation After getting the system into Up state, all SSDs have failed or been removed before reloading the system. Because the default action during boot is to auto-boot the software module, that action is blocked because there is no storage device available.

Recommended Action Replace the removed or failed drive and reload the software module.

341010

Error Message %ASA-6-341010: Storage device with serial number ser_no [inserted into | removed from] bay bay_no

Explanation The ASA has detected insertion or removal events and generates this syslog message immediately.

Recommended Action None required.

341011

Error Message %ASA-3-341011: Storage device with serial number ser_no in bay bay_no faulty.

Explanation The ASA polls the hard disk drive (HDD) health status every 10 minutes and generates this syslog message if the HDD is in a failed state.

Recommended Action None required.

342001

Error Message %ASA-7-342001: REST API Agent started successfully.

Explanation The REST API Agent must be successfully started before a REST API Client can configure the ASA.

Recommended Action None.

342002

Error Message %ASA-3-342002: REST API Agent failed, reason: reason

Explanation The REST API Agent could fail to start or crash for various reasons, and the reason is specified.

  • reason —The cause for the REST API failure

Recommended Action The actions taken to resolve the issue vary depending on the reason logged. For example, the REST API Agent crashes when the Java process runs out of memory. If this occurs, you need to restart the REST API Agent. If the restart is not successful, contact the Cisco TAC to identify the root cause fix.

342003

Error Message %ASA-3-342003: REST API Agent failure notification received. Agent will be restarted automatically.

Explanation A failure notification from the REST API Agent has been received and a restart of the Agent is being attempted.

Recommended Action None.

342004

Error Message %ASA-3-342004: Failed to automatically restart the REST API Agent after 5 unsuccessful attempts. Use the 'no rest-api agent' and 'rest-api agent' commands to manually restart the Agent.

Explanation The REST API Agent has failed to start after many attempts.

Recommended Action See syslog %ASA-3-342002 (if logged) to better understand the reason behind the failure. Try to disable the REST API Agent by entering the no rest-api agent command and re-enable the REST API Agent using the rest-api agent command.

Messages 400000 to 450001

This section includes messages from 400000 to 450001.

4000nn

Error Message %ASA-4-4000nn: IPS: number string from IP_address to IP_address on interface interface_name

Explanation Messages 400000 through 400051 are Cisco Intrusion Prevention Service signature messages.

Recommended Action See the Cisco Intrusion Prevention Service User Guide on Cisco.com.

Not all signature messages are supported by the ASA in this release. IPS messages all start with 4-4000nn and have the following format:

 

number

The signature number. For more information, see the Cisco Intrusion Prevention Service User Guide on Cisco.com.

string

The signature message—approximately the same as the NetRanger signature message.

IP_address

The local to remote address to which the signature applies.

interface_name

The name of the interface on which the signature originated.

For example:

%ASA-4-400013 IPS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz
%ASA-4-400032 IPS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface outside
 

Table 1-5 lists the supported signature messages.

 

Table 1-5 IPS Syslog Messages

Message Number
Signature ID
Signature Title
Signature Type

400000

1000

IP options-Bad Option List

Informational

400001

1001

IP options-Record Packet Route

Informational

400002

1002

IP options-Timestamp

Informational

400003

1003

IP options-Security

Informational

400004

1004

IP options-Loose Source Route

Informational

400005

1005

IP options-SATNET ID

Informational

400006

1006

IP options-Strict Source Route

Informational

400007

1100

IP Fragment Attack

Attack

400008

1102

IP Impossible Packet

Attack

400009

1103

IP Fragments Overlap

Attack

400010

2000

ICMP Echo Reply

Informational

400011

2001

ICMP Host Unreachable

Informational

400012

2002

ICMP Source Quench

Informational

400013

2003

ICMP Redirect

Informational

400014

2004

ICMP Echo Request

Informational

400015

2005

ICMP Time Exceeded for a Datagram

Informational

400016

2006

ICMP Parameter Problem on Datagram

Informational

400017

2007

ICMP Timestamp Request

Informational

400018

2008

ICMP Timestamp Reply

Informational

400019

2009

ICMP Information Request

Informational

400020

2010

ICMP Information Reply

Informational

400021

2011

ICMP Address Mask Request

Informational

400022

2012

ICMP Address Mask Reply

Informational

400023

2150

Fragmented ICMP Traffic

Attack

400024

2151

Large ICMP Traffic

Attack

400025

2154

Ping of Death Attack

Attack

400026

3040

TCP NULL flags

Attack

400027

3041

TCP SYN+FIN flags

Attack

400028

3042

TCP FIN only flags

Attack

400029

3153

FTP Improper Address Specified

Informational

400030

3154

FTP Improper Port Specified

Informational

400031

4050

UDP Bomb attack

Attack

400032

4051

UDP Snork attack

Attack

400033

4052

UDP Chargen DoS attack

Attack

400034

6050

DNS HINFO Request

Informational

400035

6051

DNS Zone Transfer

Informational

400036

6052

DNS Zone Transfer from High Port

Informational

400037

6053

DNS Request for All Records

Informational

400038

6100

RPC Port Registration

Informational

400039

6101

RPC Port Unregistration

Informational

400040

6102

RPC Dump

Informational

400041

6103

Proxied RPC Request

Attack

400042

6150

ypserv (YP server daemon) Portmap Request

Informational

400043

6151

ypbind (YP bind daemon) Portmap Request

Informational

400044

6152

yppasswdd (YP password daemon) Portmap Request

Informational

400045

6153

ypupdated (YP update daemon) Portmap Request

Informational

400046

6154

ypxfrd (YP transfer daemon) Portmap Request

Informational

400047

6155

mountd (mount daemon) Portmap Request

Informational

400048

6175

rexd (remote execution daemon) Portmap Request

Informational

400049

6180

rexd (remote execution daemon) Attempt

Informational

400050

6190

statd Buffer Overflow

Attack

401001

Error Message %ASA-4-401001: Shuns cleared

Explanation The clear shun command was entered to remove existing shuns from memory. An institution to keep a record of shunning activity was allowed.

Recommended Action None required.

401002

Error Message %ASA-4-401002: Shun added: IP_address IP_address port port

Explanation A shun command was entered, where the first IP address is the shunned host. The other addresses and ports are optional and are used to terminate the connection if available. An institution to keep a record of shunning activity was allowed.

Recommended Action None required.

401003

Error Message %ASA-4-401003: Shun deleted: IP_address

Explanation A single shunned host was removed from the shun database. An institution to keep a record of shunning activity was allowed.

Recommended Action None required.

401004

Error Message %ASA-4-401004: Shunned packet: IP_address = IP_address on interface interface_name

Explanation A packet was dropped because the host defined by IP SRC is a host in the shun database. A shunned host cannot pass traffic on the interface on which it is shunned. For example, an external host on the Internet can be shunned on the outside interface. A record of the activity of shunned hosts was provided. This message and message %ASA-4-401005 can be used to evaluate further risk concerning this host.

Recommended Action None required.

401005

Error Message %ASA-4-401005: Shun add failed: unable to allocate resources for IP_address IP_address port port

Explanation The ASA is out of memory; a shun cannot be applied.

Recommended Action The Cisco IPS should continue to attempt to apply this rule. Try to reclaim memory and reapply a shun manually, or wait for the Cisco IPS to do this.

402114

Error Message %ASA-4-402114: IPSEC: Received an protocol packet (SPI= spi, sequence number= seq_num) from remote_IP to local_IP with an invalid SPI.
  • protocol— IPsec protocol
  • spi— IPsec Security Parameter Index
  • seq_num IPsec sequence number
  • remote_IP IP address of the remote endpoint of the tunnel
  • username— Username associated with the IPsec tunnel
  • local_IP IP address of the local endpoint of the tunnel

Explanation An IPsec packet was received that specifies an SPI that does not exist in the SA database. This may be a temporary condition caused by slight differences in aging of SAs between the IPsec peers, or it may be because the local SAs have been cleared. It may also indicate incorrect packets sent by the IPsec peer, which may be part of an attack. This message is rate limited to no more than one message every five seconds.

Recommended Action The peer may not acknowledge that the local SAs have been cleared. If a new connection is established from the local router, the two peers may then reestablish connection successfully. Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer administrator.

402115

Error Message %ASA-4-402115: IPSEC: Received a packet from remote_IP to local_IP containing act_prot data instead of exp_prot data.

Explanation An IPsec packet was received that is missing the expected ESP header. The peer is sending packets that do not match the negotiated security policy, which may indicate an attack. This message is rate limited to no more than one message every five seconds.

  • remote_IP IP address of the remote endpoint of the tunnel
  • local_IP IP address of the local endpoint of the tunnel
  • act_prot— Received IPsec protocol
  • exp_prot— Expected IPsec protocol

Recommended Action Contact the administrator of the peer.

402116

Error Message %ASA-4-402116: IPSEC: Received an protocol packet (SPI= spi, sequence number= seq_num) from remote_IP ( username) to local_IP. The decapsulated inner packet doesn’t match the negotiated policy in the SA. The packet specifies its destination as pkt_daddr, its source as pkt_saddr, and its protocol as pkt_prot. The SA specifies its local proxy as id_daddr / id_dmask / id_dprot / id_dport and its remote proxy as id_saddr / id_smask / id_sprot / id_sport.

Explanation A decapsulated IPsec packet does not match the negotiated identity. The peer is sending other traffic through this security association, which may be caused by a security association selection error by the peer, or it may be part of an attack. This message is rate limited to no more than one message every five seconds.

  • protocol— IPsec protocol
  • spi— IPsec Security Parameter Index
  • seq_num IPsec sequence number
  • remote_IP IP address of the remote endpoint of the tunnel
  • username— Username associated with the IPsec tunnel
  • local_IP IP address of the local endpoint of the tunnel
  • pkt_daddr Destination address from the decapsulated packet
  • pkt_saddr Source address from the decapsulated packet
  • pkt_prot Transport protocol from the decapsulated packet
  • id_daddr Local proxy IP address
  • id_dmask Local proxy IP subnet mask
  • id_dprot Local proxy transport protocol
  • id_dport Local proxy port
  • id_saddr Remote proxy IP address
  • id_smask Remote proxy IP subnet mask
  • id_sprot Remote proxy transport protocol
  • id_sport Remote proxy port

Recommended Action Contact the administrator of the peer and compare policy settings.

402117

Error Message %ASA-4-402117: IPSEC: Received a non-IPsec ( protocol) packet from remote_IP to local_IP.

Explanation The received packet matched the crypto map ACL, but it is not IPsec-encapsulated. The IPsec peer is sending unencapsulated packets. This error can occur because of a policy setup error on the peer. For example, the firewall may be configured to only accept encrypted Telnet traffic to the outside interface port 23. If you attempt to use Telnet without IPsec encryption to access the outside interface on port 23, this message appears, but not with Telnet or traffic to the outside interface on ports other than 23. This error can also indicate an attack. This message is not generated except under these conditions (for example, it is not generated for traffic to the ASA interfaces themselves). See messages 710001, 710002, and 710003, which track TCP and UDP requests. This message is rate limited to no more than one message every five seconds.

  • protocol— IPsec protocol
  • remote_IP IP address of the remote endpoint of the tunnel
  • local_IP IP address of the local endpoint of the tunnel

Recommended Action Contact the administrator of the peer to compare policy settings.

402118

Error Message %ASA-4-402118: IPSEC: Received an protocol packet (SPI= spi, sequence number seq_num) from remote_IP ( username) to local_IP containing an illegal IP fragment of length frag_len with offset frag_offset.

Explanation A decapsulatd IPsec packet included an IP fragment with an offset less than or equal to 128 bytes. The latest version of the security architecture for IP RFC recommends 128 bytes as the minimum IP fragment offset to prevent reassembly attacks. This may be part of an attack. This message is rate limited to no more than one message every five seconds.

  • protocol— IPsec protocol
  • spi— IPsec Security Parameter Index
  • seq_num IPsec sequence number
  • remote_IP IP address of the remote endpoint of the tunnel
  • username— Username associated with the IPsec tunnel
  • local_IP IP address of the local endpoint of the tunnel
  • frag_len IP fragment length
  • frag_offset IP fragment offset in bytes

Recommended Action Contact the administrator of the remote peer to compare policy settings.

402119

Error Message %ASA-4-402119: IPSEC: Received an protocol packet (SPI= spi, sequence number= seq_num) from remote_IP ( username) to local_IP that failed anti-replay checking.

Explanation An IPsec packet was received with an invalid sequence number. The peer is sending packets including sequence numbers that may have been previously used. This message indicates that an IPsec packet has been received with a sequence number outside of the acceptable window. This packet will be dropped by IPsec as part of a possible attack. This message is rate limited to no more than one message every five seconds.

  • protocol— IPsec protocol
  • spi— IPsec Security Parameter Index
  • seq_num IPsec sequence number
  • remote_IP IP address of the remote endpoint of the tunnel
  • username— Username associated with the IPsec tunnel
  • local_IP IP address of the local endpoint of the tunnel

Recommended Action Contact the administrator of the peer.

402120

Error Message %ASA-4-402120: IPSEC: Received an protocol packet (SPI= spi, sequence number= seq_num) from remote_IP ( username) to local_IP that failed authentication.

Explanation An IPsec packet was received and failed authentication. The packet is dropped. The packet may have been corrupted in transit, or the peer may be sending invalid IPsec packets, which may indicate an attack if many of these packets were received from the same peer. This message is rate limited to no more than one message every five seconds.

  • protocol— IPsec protocol
  • spi— IPsec Security Parameter Index
  • seq_num IPsec sequence number
  • remote_IP IP address of the remote endpoint of the tunnel
  • username— Username associated with the IPsec tunnel
  • local_IP IP address of the local endpoint of the tunnel

Recommended Action Contact the administrator of the remote peer if many failed packets were received.

402121

Error Message %ASA-4-402121: IPSEC: Received an protocol packet (SPI= spi, sequence number= seq_num) from peer_addr ( username) to lcl_addr that was dropped by IPsec ( drop_reason).

Explanation An IPsec packet to be decapsulated was received and subsequently dropped by the IPsec subsystem. This may indicate a problem with the ASA configuration or with the ASA itself.

  • protocol— IPsec protocol
  • spi— IPsec Security Parameter Index
  • seq_num IPsec sequence number
  • peer_addr IP address of the remote endpoint of the tunnel
  • username— Username associated with the IPsec tunnel
  • lcl_addr IP address of the local endpoint of the tunnel
  • drop_reason Reason that the packet was dropped

Recommended Action If the problem persists, contact the Cisco TAC.

402122

Error Message %ASA-4-402122: Received a cleartext packet from src_addr to dest_addr that was to be encapsulated in IPsec that was dropped by IPsec ( drop_reason).

Explanation A packet to be encapsulated in IPsec was received and subsequently dropped by the IPsec subsystem. This may indicate a problem with the ASA configuration or with the ASA itself.

  • src_addr Source IP address
  • dest_addr Destination IP address
  • drop_reason Reason that the packet was dropped

Recommended Action If the problem persists, contact the Cisco TAC.

402123

Error Message %ASA-4-402123: CRYPTO: The accel_type hardware accelerator encountered an error (code= error_string) while executing crypto command command.

Explanation An error was detected while running a crypto command with a hardware accelerator, which may indicate a problem with the accelerator. This type of error may occur for a variety of reasons, and this message supplements the crypto accelerator counters to help determine the cause.

  • accel_type—Hardware accelerator type
  • error_string— Code indicating the type of error
  • command—Crypto command that generated the error

Recommended Action If the problem persists, contact the Cisco TAC.

402124

Error Message %ASA-4-402124: CRYPTO: The ASA hardware accelerator encountered an error (Hardware error address, Core, Hardware error code, IstatReg, PciErrReg, CoreErrStat, CoreErrAddr, Doorbell Size, DoorBell Outstanding, SWReset).

Explanation The crypto hardware chip has reported a fatal error, indicating that the chip is inoperable. The information from this message captures the details to allow further analysis of the problem. The crypto chip is reset when this condition is detected to unobtrusively allow the ASA to continue functioning. Also, the crypto environment at the time this issue is detected is written to a crypto archive directory on flash to provide further debugging information. Various parameters related to the crypto hardware are included in this message, as follows:

  • HWErrAddr Hardware address (set by crypto chip)
  • Core Crypto core experiencing the error
  • HwErrCode Hardware error code (set by crypto chip)
  • IstatReg Interrupt status register (set by crypto chip)
  • PciErrReg PCI error register (set by crypto chip)
  • CoreErrStat Core error status (set by crypto chip)
  • CoreErrAddr Core error address (set by crypto chip)
  • Doorbell Size Maximum crypto commands allowed
  • DoorBell Outstanding Crypto commands outstanding
  • SWReset Number of crypto chip resets since boot

Recommended Action Forward the message information to the Cisco TAC for further analysis.

402125

Error Message %ASA-4-402125: The ASA hardware accelerator ring timed out ( parameters).

Explanation The crypto driver has detected that either the IPSEC descriptor ring or SSL/Admin descriptor ring is no longer progressing, meaning the crypto chip no longer appears to be functioning. The crypto chip is reset when this condition is detected to unobtrusively allow the ASA to continue functioning. Also, the crypto environment at the time this issue was detected was written to a crypto archive directory on flash to provide further debugging information.

  • ring— IPSEC or Admin ring
  • parameters Include the following:

- Desc Descriptor address

- CtrlStat Control/status value

- ResultP Success pointer

- ResultVal Success value

- Cmd Crypto command

- CmdSize Command size

- Param Command parameters

- Dlen Data length

- DataP Data pointer

- CtxtP VPN context pointer

- SWReset Number of crypto chip resets since boot

Recommended Action Forward the message information to the Cisco TAC for further analysis.

402126

Error Message %ASA-4-402126: CRYPTO: The ASA created Crypto Archive File Archive Filename as a Soft Reset was necessary. Please forward this archived information to Cisco.

Explanation A functional problem with the hardware crypto chip was detected (see syslog messages 402124 and 402125). To further debug the crypto problem, a crypto archive file was generated that included the current crypto hardware environment (hardware registers and crypto description entries). At boot time, a crypto_archive directory was automatically created on the flash file system (if it did not exist previously). A maximum of two crypto archive files are allowed to exist in this directory.

  • Archive Filename— The name of the crypto archive file name. The crypto archive file names are of the form, crypto_arch_x.bin, where x = (1 or 2).

Recommended Action Forward the crypto archive files to the Cisco TAC for further analysis.

402127

Error Message %ASA-4-402127: CRYPTO: The ASA is skipping the writing of latest Crypto Archive File as the maximum # of files, max_number, allowed have been written to archive_directory. Please archive & remove files from Archive Directory if you want more Crypto Archive Files saved.

Explanation A functional problem with the hardware crypto chip was detected (see messages 4402124 and 4402125). This message indicates a crypto archive file was not written, because the maximum number of crypto archive files already existed.

  • max_number Maximum number of files allowed in the archive directory; currently set to two
  • archive_directory— Name of the archive directory

Recommended Action Forward previously generated crypto archive files to the Cisco TAC. Remove the previously generated archive file(s) so that more can be written (if deemed necessary).

402128

Error Message %ASA-5-402128: CRYPTO: An attempt to allocate a large memory block failed, size: size, limit: limit

Explanation An SSL connection is attempting to use more memory than allowed. The request has been denied.

  • size —The size of the memory block being allocated
  • limit —The maximum size of allocated memory permitted

Recommended Action If this message persists, an SSL denial of service attack may be in progress. Contact the remote peer administrator or upstream provider.

402129

Error Message %ASA-6-402129: CRYPTO: An attempt to release a DMA memory block failed, location: address

Explanation An internal software error has occurred.

  • address —The address being freed

Recommended Action Contact the Cisco TAC for assistance.

402130

Error Message %ASA-6-402130: CRYPTO: Received an ESP packet (SPI = 0x54A5C634, sequence number=0x7B) from 75.2.96.101 (user=user) to 85.2.96.10 with incorrect IPsec padding.

Explanation The ASA crypto hardware accelerator detected an IPsec packet with invalid padding. The ATT VPN client sometimes pads IPsec packets incorrectly.

  • SPI —The SPI associated with the packet
  • sequence number —The sequence number associated with the packet
  • user —Username string
  • padding —Padding data from the packet

Recommended Action While this message is None required and does not indicate a problem with the ASA, customers using the ATT VPN client may wish to upgrade their VPN client software.

402131

Error Message %ASA-4-402131: CRYPTO: status changing the accel_instance hardware accelerator's configuration bias from old_config_bias to new_config_bias.

Explanation The hardware accelerator configuration has been changed on the ASA. Some ASA platforms have multiple hardware accelerators. One syslog message is generated for each hardware accelerator change.

  • status —Indicates success or failure
  • accel_instance —The instance of the hardware accelerator
  • old_config_bias —The old configuration
  • new_config_bias —The new configuration

Recommended Action If any of the accelerators fails when attempting to change its configuration, collect logging information and contact the Cisco TAC. If a failure occurs, the software will retry the configuration change multiple times. The software will fall back to the original configuration bias if the retry attempts fail. If multiple attempts to reconfigure the hardware accelerator fail, it may indicate a hardware failure.

402140

Error Message %ASA-3-402140: CRYPTO: RSA key generation error: modulus len len

Explanation An error occurred during an RSA public key pair generation.

  • len —The prime modulus length in bits

Recommended Action Contact the Cisco TAC for assistance.

402141

Error Message %ASA-3-402141: CRYPTO: Key zeroization error: key set type, reason reason

Explanation An error occurred during an RSA public key pair generation.

  • type —The key set type, which can be any of the following: DH, RSA, DSA, or unknown
  • reason —The unexpected crypto session type

Recommended Action Contact the Cisco TAC for assistance.

402142

Error Message %ASA-3-402142: CRYPTO: Bulk data op error: algorithm alg, mode mode

Explanation An error occurred during a symmetric key operation.

  • op —The operation, which can be either encryption or decryption
  • alg —The encryption algorithm, which can be any of the following: DES, 3DES, AES, or RC4
  • mode —The mode, which can be any of the following: CBC, CTR, CFB, ECB, stateful-RC4, or stateless-RC4

Recommended Action Contact the Cisco TAC for assistance.

402143

Error Message %ASA-3-402143: CRYPTO: alg type key op

Explanation An error occurred during an asymmetric key operation.

  • alg —The encryption algorithm, which can be either RSA or DSA
  • type —The key type, which can be either public or private
  • op —The operation, which can be either encryption or decryption

Recommended Action Contact the Cisco TAC for assistance.

402144

Error Message %ASA-3-402144: CRYPTO: Digital signature error: signature algorithm sig, hash algorithm hash

Explanation An error occurred during digital signature generation.

  • sig —The signature algorithm, which can be either RSA or DSA
  • hash —The hash algorithm, which can be any of the following: MD5, SHA1, SHA256, SHA384, or SHA512

Recommended Action Contact the Cisco TAC for assistance.

402145

Error Message %ASA-3-402145: CRYPTO: Hash generation error: algorithm hash

Explanation A hash generation error occurred.

  • hash —The hash algorithm, which can be any of the following: MD5, SHA1, SHA256, SHA384, or SHA512

Recommended Action Contact the Cisco TAC for assistance.

402146

Error Message %ASA-3-402146: CRYPTO: Keyed hash generation error: algorithm hash, key len len

Explanation A keyed hash generation error occurred.

  • hash —The hash algorithm, which can be any of the following: MD5, SHA1, SHA256, SHA384, or SHA512
  • len —The key length in bits

Recommended Action Contact the Cisco TAC for assistance.

402147

Error Message %ASA-3-402147: CRYPTO: HMAC generation error: algorithm alg

Explanation An HMAC generation error occurred.

  • alg —The HMAC algorithm, which can be any of the following: HMAC-MD5, HMAC-SHA1, HMAC-SHA2, or AES-XCBC

Recommended Action Contact the Cisco TAC for assistance.

402148

Error Message %ASA-3-402148: CRYPTO: Random Number Generator error

Explanation A random number generator error occurred.

Recommended Action Contact the Cisco TAC for assistance.

403101

Error Message %ASA-4-403101: PPTP session state not established, but received an XGRE packet, tunnel_id= number, session_id= number

Explanation The ASA received a PPTP XGRE packet without a corresponding control connection session.

Recommended Action If the problem persists, contact the Cisco TAC.

403102

Error Message %ASA-4-403102: PPP virtual interface interface_name rcvd pkt with invalid protocol: protocol, reason: reason.

Explanation The module received an XGRE encapsulated PPP packet with an invalid protocol field.

Recommended Action If the problem persists, contact the Cisco TAC.

403103

Error Message %ASA-4-403103: PPP virtual interface max connections reached.

Explanation The module cannot accept additional PPTP connections.Connections are allocated as soon as they are available.

Recommended Action None required.

403104

Error Message %ASA-4-403104: PPP virtual interface interface_name requires mschap for MPPE.

Explanation The MPPE was configured, but MS-CHAP authentication was not.

Recommended Action Add MS-CHAP authentication with the vpdn group group_name ppp authentication command.

403106

Error Message %ASA-4-403106: PPP virtual interface interface_name requires RADIUS for MPPE.

Explanation The MPPE was configured, but RADIUS authentication was not.

Recommended Action Add RADIUS authentication with the vpdn group group_name ppp authentication command.

403107

Error Message %ASA-4-403107: PPP virtual interface interface_name missing aaa server group info

Explanation The AAA server configuration information cannot be found.

Recommended Action Add the AAA server information with the vpdn group group_name client authentication aaa aaa_server_group command.

403108

Error Message %ASA-4-403108: PPP virtual interface interface_name missing client ip address option

Explanation The client IP address pool information is missing.

Recommended Action Add IP address pool information with the vpdn group group_name client configuration address local address_pool_name command.

403109

Error Message %ASA-4-403109: Rec'd packet not an PPTP packet. ( ip) dest_address = dest_address , src_addr = source_address , data: string.

Explanation The module received a spoofed PPTP packet, which may indicate a hostile event.

Recommended Action Contact the administrator of the peer to check the PPTP configuration settings.

403110

Error Message %ASA-4-403110: PPP virtual interface interface_name, user: user missing MPPE key from aaa server.

Explanation The AAA server was not returning the MPPE key attributes required to set up the MPPE encryption policy.

Recommended Action Check the AAA server configuration. If the AAA server cannot return MPPE key attributes, use local authentication instead by entering the vpdn group group_name client authentication local command.

403500

Error Message %ASA-6-403500: PPPoE - Service name 'any' not received in PADO. Intf: interface_name AC: ac_name.

Explanation The ASA requested the PPPoE service any from the access controller at the Internet service provider. The response from the service provider includes other services, but does not include the service any. This is a discrepancy in the implementation of the protocol. The PADO packet is processed normally, and connection negotiations continue.

Recommended Action None required.

403501

Error Message %ASA-3-403501: PPPoE - Bad host-unique in PADO - packet dropped. Intf: interface_name AC: ac_name

Explanation The ASA sent an identifier called the host-unique value to the access controller. The access controller responded with a different host-unique value. The ASA was unable to identify the corresponding connection request for this response. The packet was dropped, and connection negotiations were discontinued.

Recommended Action Contact the Internet service provider. Either the access controller at the service provider is mishandling the host-unique value, or the PADO packet is being forged.

403502

Error Message %ASA-3-403502: PPPoE - Bad host-unique in PADS - dropping packet. Intf: interface_name AC: ac_name

Explanation The ASA sent an identifier called the host-unique value to the access controller. The access controller responded with a different host-unique value. The ASA was unable to identify the corresponding connection request for this response. The packet was dropped, and connection negotiations were discontinued.

Recommended Action Contact the Internet service provider. Either the access controller at the service provider is mishandling the host-unique value, or the PADO packet is being forged.

403503

Error Message %ASA-3-403503: PPPoE:PPP link down: reason

Explanation The PPP link has gone down. There are many reasons why this can happen. The first format will display a reason if PPP provides one.

Recommended Action Check the network link to ensure that the link is connected. The access concentrator may be down. Make sure that your authentication protocol matches the access concentrator and that your name and password are correct. Verify this information with your ISP or network support person.

403504

Error Message %ASA-3-403504: PPPoE:No 'vpdn group group_name ' for PPPoE is created

Explanation PPPoE requires a dial-out configuration before starting a PPPoE session. In general, the configuration should specify a dialing policy, the PPP authentication, the username, and a password. The following example configures the ASA for PPPoE dialout. The my-username and my-password commands are used to authenticate the access concentrator, using PAP if necessary.

For example:

ciscoasa# vpdn group my-pppoe request dialout pppoe
ciscoasa# vpdn group my-pppoe ppp authentication pap
ciscoasa# vpdn group my-pppoe localname my-username
ciscoasa# vpdn username my-username password my-password
ciscoasa# ip address outside pppoe setroute
 

Recommended Action Configure a VPDN group for PPPoE.

403505

Error Message %ASA-4-403505: PPPoE:PPP - Unable to set default route to IP_address at interface_name

Explanation This message is usually followed by the message, default route already exists.

Recommended Action Remove the current default route or remove the setroute parameter so that there is no conflict between PPPoE and the manually configured route.

403506

Error Message %ASA-4-403506: PPPoE:failed to assign PPP IP_address netmask netmask at interface_name

Explanation This message is followed by one of the followings messages: subnet is the same as interface, or on failover channel.

Recommended Action In the first case, change the address causing the conflict. In the second case, configure the PPPoE on an interface other than the failover interface.

403507

Error Message %ASA-3-403507: PPPoE:PPPoE client on interface interface failed to locate PPPoE vpdn group group_name

Explanation You can configure the PPPoE client on an interface to use a particular VPDN group by entering the pppoe client vpdn group group_name command. If a PPPoE VPDN group of the configured name was not located during system startup, this message is generated.

  • interface —The interface on which the PPPoE client failed
  • group_name —The VPDN group name of the PPPoe client on the interface

Recommended Action Perform the following steps:

1. Add the required VPDN group by entering the vpdn group group_name command. Request dialout PPPoE in global configuration mode, and add all the group properties.

2. Remove the pppoe client vpdn group group_name command from the interface indicated. In this case, the PPPoE client will attempt to use the first PPPoE VPDN group defined.


Note All changes take effect only after the PPPoE client on the interface is restarted by entering the ip address pppoe command.


405001

Error Message %ASA-4-405001: Received ARP {request | response} collision from IP_address / MAC_address on interface interface_name to IP_address / MAC_address on interface interface_name

Explanation The ASA received an ARP packet, and the MAC address in the packet differs from the ARP cache entry.

Recommended Action This traffic might be legitimate, or it might indicate that an ARP poisoning attack is in progress. Check the source MAC address to determine where the packets are coming from and to see if they belong to a valid host.

405002

Error Message %ASA-4-405002: Received mac mismatch collision from IP_address / MAC_address for authenticated host

Explanation This packet appears for one of the following conditions:

  • The ASA received a packet with the same IP address, but a different MAC address from one of its uauth entries.
  • You configured the vpnclient mac-exempt command on the ASA, and the ASA received a packet with an exempt MAC address, but a different IP address from the corresponding uauth entry.

Recommended Action This traffic might be legitimate, or it might indicate that a spoofing attack is in progress. Check the source MAC address and IP address to determine where the packets are coming from and if they belong to a valid host.

405003

Error Message %ASA-4-405003: IP address collision detected between host IP_address at MAC_address and interface interface_name, MAC_address.

Explanation A client IP address in the network is the same as the ASA interface IP address.

Recommended Action Change the IP address of the client.

405101

Error Message %ASA-4-405101: Unable to Pre-allocate H225 Call Signalling Connection for foreign_address outside_address [/ outside_port ] to local_address inside_address [/ inside_port ]

Explanation The module failed to allocate RAM system memory while starting a connection or has no more address translation slots available.

Recommended Action If this message occurs periodically, it can be ignored. You can check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translates and connections. This error message may also be caused by insufficient memory; try reducing the amount of memory usage, or purchasing additional memory. If the problem persists, contact the Cisco TAC.

405102

Error Message %ASA-4-405102: Unable to Pre-allocate H245 Connection for foreign_address outside_address [/ outside_port ] to local_address inside_address [/ inside_port ]

Explanation The ASA failed to allocate RAM system memory while starting a connection or has no more address translation slots available.

Recommended Action Check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translations and connections. In addition, reduce the amount of memory usage, or purchase additional memory. If this message occurs periodically, it can be ignored. If the problem persists, contact the Cisco TAC.

405103

Error Message %ASA-4-405103: H225 message from source_address/source_port to dest_address / dest_port contains bad protocol discriminator hex

Explanation The ASA is expecting the protocol discriminator, 0x08, but it received something other than 0x08. The endpoint may be sending a bad packet, or received a message segment other than the first segment. The packet is allowed through.

Recommended Action None required.

405104

Error Message %ASA-4-405104: H225 message received from outside_address / outside_port to inside_address / inside_port before SETUP

Explanation An H.225 message was received out of order, before the initial SETUP message, which is not allowed. The ASA must receive an initial SETUP message for that H.225 call signalling channel before accepting any other H.225 messages.

Recommended Action None required.

405105

Error Message %ASA-4-405105: H323 RAS message AdmissionConfirm received from source_address / source_port to dest_address / dest_port without an AdmissionRequest

Explanation A gatekeeper has sent an ACF, but the ASA did not send an ARQ to the gatekeeper.

Recommended Action Check the gatekeeper with the specified source_address to determine why it sent an ACF without receiving an ARQ from the ASA.

405106

Error Message %ASA-4-405106: H323 num channel is not created from %I/%d to %I/%d %s

Explanation The ASA tried to create a match condition on the H.323 media-type channel. See the match media-type command for more information.

Recommended Action None required.

405107

Error Message %ASA-4-405107: H245 Tunnel is detected and connection dropped from %I/%d to %I/%d %s

Explanation An H.323 connection has been dropped because of an attempted H.245 tunnel control during call setup. See the h245-tunnel-block command for more information.

Recommended Action None required.

405201

Error Message %ASA-4-405201: ILS ILS_message_type from inside_interface:source_IP_address to outside_interface:/destination_IP_address has wrong embedded address embedded_IP_address

Explanation The embedded address in the ILS packet payload was not the same as the source IP address of the IP packet header.

Recommended Action Check the host specified with the source_IP_address to determine why it sent an ILS packet with an incorrect embedded IP address.

405300

Error Message %ASA-4-405300: Radius Accounting Request received from from_addr is not allowed

Explanation The accounting request came from a host that was not configured in the policy map. The message is logged and processing stops.

  • from_addr —The IP address of the host sending the request

Recommended Action If the host was configured to send RADIUS accounting messages to the ASA, make sure that it was configured in the correct policy map that was applied to the service policy. If the host was not configured to send RADIUS accounting messages to the ASA, then check to see why the messages are being sent. If the messages are illegitimate, then create the proper ACLs to drop the packets.

405301

Error Message %ASA-4-405301: Attribute attribute_number does not match for user user_ip

Explanation When the validate-attribute command was entered, the attribute values stored in the accounting request start received do not match those stored in the entry, if it exists.

  • attribute_number —The RADIUS attribute to be validated with RADIUS accounting. Values range from 1 to 191. Vendor-specific attributes are not supported.
  • user_ip —The IP address (framed IP attribute) of the user.

Recommended Action None required.

406001

Error Message %ASA-4-406001: FTP port command low port: IP_address / port to IP_address on interface interface_name

Explanation A client entered an FTP port command and supplied a port less than 1024 (in the well-known port range usually devoted to server ports). This is indicative of an attempt to avert the site security policy. The ASA drops the packet, terminates the connection, and logs the event.

Recommended Action None required.

406002

Error Message %ASA-4-406002: FTP port command different address: IP_address( IP_address) to IP_address on interface interface_name

Explanation A client entered an FTP port command and supplied an address other than the address used in the connection. An attempt to avert the site security policy occurred. For example, an attacker might attempt to hijack an FTP session by changing the packet on the way, and putting different source information instead of the correct source information. The ASA drops the packet, terminates the connection, and logs the event. The address in parentheses is the address from the port command.

Recommended Action None required.

407001

Error Message %ASA-4-407001: Deny traffic for local-host interface_name : inside_address, license limit of number exceeded

Explanation The host limit was exceeded. An inside host is counted toward the limit when one of the following conditions is true:

  • The inside host has forwarded traffic through the ASA within the last five minutes.
  • The inside host has reserved an xlate connection or user authentication at the ASA.

Recommended Action The host limit is enforced on the low-end platforms. Use the show version command to view the host limit. Use the show local-host command to view the current active hosts and the inside users that have sessions at the ASA. To forcefully disconnect one or more users, use the clear local-host command. To expire the inside users more quickly from the limit, set the xlate, connection, and uauth timeouts to the recommended values or lower. (See Table 1-6 .)

 

Table 1-6 Timeouts and Recommended Values

Timeout
Recommended Value

xlate

00:05:00 (five minutes)

conn

00:01:00 (one hour)

uauth

00:05:00 (five minutes)

407002

Error Message %ASA-4-407002: Embryonic limit nconns / elimit for through connections exceeded. outside_address / outside_port to global_address ( inside_address)/ inside_port on interface interface_name

Explanation The number of connections from a specified foreign address over a specified global address to the specified local address exceeded the maximum embryonic limit for that static. The ASA tries to accept the connection if it can allocate memory for that connection. It proxies on behalf of the local host and sends a SYN_ACK packet to the foreign host. The ASA retains pertinent state information, drops the packet, and waits for the acknowledgment from the client. The message might indicate legitimate traffic or that a DoS attack is in progress.

Recommended Action Check the source address to determine where the packets are coming from and whether or not a valid host is sending them.

407003

Error Message %ASA-4-407003: Established limit for RPC services exceeded number

Explanation The ASA tried to open a new hole for a pair of RPC servers or services that have already been configured after the maximum number of holes has been met.

Recommended Action Wait for other holes to be closed (through associated timeout expiration), or limit the number of active pairs of servers or services.

408001

Error Message %ASA-4-408001: IP route counter negative - reason, IP_address Attempt: number

Explanation An attempt to decrement the IP route counter into a negative value failed.

Recommended Action Enter the clear ip route command to reset the route counter. If the problem persists, contact the Cisco TAC.

408002

Error Message %ASA-4-408002: ospf process id route type update address1 netmask1 [ distance1/metric1 ] via source IP : interface1 address2 netmask2 [ distance2 / metric2 ] interface2

Explanation A network update was received from a different interface with the same distance and a better metric than the existing route. The new route overrides the existing route that was installed through another interface. The new route is for redundancy purposes only and means that a path has shifted in the network. This change must be controlled through topology and redistribution. Any existing connections affected by this change are probably disabled and will time out. This path shift only occurs if the network topology has been specifically designed to support path redundancy, in which case it is expected.

Recommended Action None required.

408003

Error Message %ASA-4-408003: can't track this type of object hex

Explanation A component of the tracking system has encountered an object type that is not supported by the component. A STATE object was expected.

  • hex —A hexidecimal value(s) depicting variable value(s) or addresses in memory

Recommended Action Reconfigure the track object to make it a STATE object.

409001

Error Message %ASA-4-409001: Database scanner: external LSA IP_address netmask is lost, reinstalls

Explanation The software detected an unexpected condition. The router will take corrective action and continue.

Recommended Action None required.

409002

Error Message %ASA-4-409002: db_free: external LSA IP_address netmask

Explanation An internal software error occurred.

Recommended Action None required.

409003

Error Message %ASA-4-409003: Received invalid packet: reason from IP_address, interface_name

Explanation An invalid OSPF packet was received. Details are included in the error message. The cause might be an incorrect OSPF configuration or an internal error in the sender.

Recommended Action Check the OSPF configuration of the receiver and the sender configuration for inconsistency.

409004

Error Message %ASA-4-409004: Received reason from unknown neighbor IP_address

Explanation The OSPF hello, database description, or database request packet was received, but the router cannot identify the sender.

Recommended Action None required.

409005

Error Message %ASA-4-409005: Invalid length number in OSPF packet from IP_address (ID IP_address), interface_name

Explanation The ASA received an OSPF packet with a field length of less than normal header size or that was inconsistent with the size of the IP packet in which it arrived. This indicates a configuration error in the sender of the packet.

Recommended Action From a neighboring address, locate the problem router and reboot it.

409006

Error Message %ASA-4-409006: Invalid lsa: reason Type number, LSID IP_address from IP_address, IP_address, interface_name

Explanation The router received an LSA with an invalid LSA type. The cause is either memory corruption or unexpected behavior on a router.

Recommended Action From a neighboring address, locate the problem router and reboot it. If the problem persists, contact the Cisco TAC.

409007

Error Message %ASA-4-409007: Found LSA with the same host bit set but using different mask LSA ID IP_address netmask New: Destination IP_address netmask

Explanation An internal software error occurred.

Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.

409008

Error Message %ASA-4-409008: Found generating default LSA with non-zero mask LSA type: number Mask: netmask metric: number area: string

Explanation The router tried to generate a default LSA with an incorrect mask and possibly incorrect metric because an internal software error occurred.

Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.

409009

Error Message %ASA-4-409009: OSPF process number cannot start. There must be at least one up IP interface, for OSPF to use as router ID

Explanation OSPF failed while attempting to allocate a router ID from the IP address of one of its interfaces.

Recommended Action Make sure that there is at least one interface that is up and has a valid IP address. If there are multiple OSPF processes running on the router, each requires a unique router ID. You must have enough interfaces up so that each of them can obtain a router ID.

409010

Error Message %ASA-4-409010: Virtual link information found in non-backbone area: string

Explanation An internal error occurred.

Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.

409011

Error Message %ASA-4-409011: OSPF detected duplicate router-id IP_address from IP_address on interface interface_name

Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established.

Recommended Action The OSPF router ID should be unique. Change the neighbor router ID.

409012

Error Message %ASA-4-409012: Detected router with duplicate router ID IP_address in area string

Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established.

Recommended Action The OSPF router ID should be unique. Change the neighbor router ID.

409013

Error Message %ASA-4-409013: Detected router with duplicate router ID IP_address in Type-4 LSA advertised by IP_address

Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established.

Recommended Action The OSPF router ID should be unique. Change the neighbor router ID.

409023

Error Message %ASA-4-409023: Attempting AAA Fallback method method_name for request_type request for user user : Auth-server group server_tag unreachable

Explanation An authentication or authorization attempt to an external server has failed and will be performed using the local user database.

  • aaa_operation —Either authentication or authorization
  • username —The user associated with the connection
  • server_group —The name of the AAA server whose servers were unreachable

Recommended Action Investigate any connectivity problems with the AAA servers configured in the first method. Ping the authentication servers from the ASA. Make sure that the daemons are running on the AAA server.

409101

Error Message %ASA-4-409101: Received invalid packet: s from P, s

Explanation An invalid OSPF packet was received. Details are included in the error message. The cause might be a misconfigured OSPF or an internal error in the sender.

Recommended Action Check the OSPF configuration of the receiver and the sender for inconsistencies.

409102

Error Message %ASA-4-409102: Received packet with incorrect area from P, s, area AREA_ID_STR, packet area AREA_ID_STR

Explanation An OSPF packet was received with an area ID in its header that does not match the area of this interface.

Recommended Action Check the OSPF configuration of the receiver and the sender for inconsistencies.

409103

Error Message %ASA-4-409103: Received s from unknown neighbor i

Explanation An OSPF hello, database description, or database request packet was received, but the router could not identify the sender.

Recommended Action None required.

409104

Error Message %ASA-4-409104: Invalid length d in OSPF packet type d from P (ID i), s

Explanation The system received an OSPF packet with a length field of less than normal header size or inconsistent with the size of the IP packet in which it arrived. An error in the sender of the packet has occurred.

Recommended Action None required.

409105

Error Message %ASA-4-409105: Invalid lsa: s : Type 0x x, Length 0x x, LSID u from i

Explanation The router received an LSA with invalid data. The LSA includes an invalid LSA type, incorrect checksum, or incorrect length, which is caused by either memory corruption or unexpected behavior on a router.

Recommended Action From a neighboring address, locate the problem routerand do the following:

  • Collect a running configuration of the router by entering the show running-config command.
  • Enter the show ipv6 ospf database command to gather data that may help identify the nature of the error.
  • Enter the show ipv6 ospf database link-state-id command. The link-state-id argument is the IP address of the invalid LSA.
  • Enter the show logging command to gather data that may help identify the nature of the error.
  • Reboot the router.

If you cannot determine the nature of the error from the collected information, contact the Cisco TAC and provide the gathered information.

409106

Error Message %ASA-4-409106: Found generating default LSA with non-zero mask LSA type: 0x x Mask: i metric: lu area: AREA_ID_STR

Explanation The router tried to generate the default LSA with the incorrect mask and possibly an incorrect metric because of an internal software error.

Recommended Action None required.

409107

Error Message %ASA-4-409107: OSPFv3 process d could not pick a router-id, please configure manually

Explanation OSPFv3 failed while attempting to allocate a router ID from the IP address of one of its interfaces.

Recommended Action Make sure that there is at least one interface that is up and has a valid IP address. If there are multiple OSPF processes running on the router, each requires a unique router ID. You must have enough up interfaces so that each of them can obtain a router ID.

409108

Error Message %ASA-4-409108: Virtual link information found in non-backbone area: AREA_ID_STR

Explanation An internal error has occurred.

Recommended Action None required.

409109

Error Message %ASA-4-409109: OSPF detected duplicate router-id i from P on interface IF_NAME

Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established. The OSPF router ID should be unique.

Recommended Action Change the neighbor router ID.

409110

Error Message %ASA-4-409110: Detected router with duplicate router ID i in area AREA_ID_STR

Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established. The OSPF router ID should be unique.

Recommended Action Change the neighbor router ID.

409111

Error Message %ASA-4-409111: Multiple interfaces ( IF_NAME / IF_NAME) on a single link detected.

Explanation OSPFv3 enabled on multiple interfaces that are on the same link is not supported.

Recommended Action OSPFv3 should be disabled or made passive on all except one of the interfaces.

409112

Error Message %ASA-4-409112: Packet not written to the output queue

Explanation An internal error has occurred.

Recommended Action None required.

409113

Error Message %ASA-4-409113: Doubly linked list linkage is NULL

Explanation An internal error has occurred.

Recommended Action None required.

409114

Error Message %ASA-4-409114: Doubly linked list prev linkage is NULL x

Explanation An internal error has occurred.

Recommended Action None required.

409115

Error Message %ASA-4-409115: Unrecognized timer d in OSPF s

Explanation An internal error has occurred.

Recommended Action None required.

409116

Error Message %ASA-4-409116: Error for timer d in OSPF process s

Explanation An internal error has occurred.

Recommended Action None required.

409117

Error Message %ASA-4-409117: Can't find LSA database type x, area AREA_ID_STR, interface x

Explanation An internal error has occurred.

Recommended Action None required.

409118

Error Message %ASA-4-409118: Could not allocate DBD packet

Explanation An internal error has occurred.

Recommended Action None required.

409119

Error Message %ASA-4-409119: Invalid build flag x for LSA i, type 0x x

Explanation An internal error has occurred.

Recommended Action None required.

409120

Error Message %ASA-4-409120: Router-ID i is in use by ospf process d

Explanation The ASA attempted to assign a router ID that is in use by another process.

Recommended Action Configure another router ID for one of the processes.

409121

Error Message %ASA-4-409121: Router is currently an ASBR while having only one area which is a stub area

Explanation An ASBR must be attached to an area that can carry AS External or NSSA LSAs.

Recommended Action Make the area to which the router is attached into an NSSA or regular area.

409122

Error Message %ASA-4-409122: Could not select a global IPv6 address. Virtual links require at least one global IPv6 address.

Explanation A virtual link was configured. For the virtual link to function, a global IPv6 address must be available. However, no global IPv6 address could be found on the router.

Recommended Action Configure a global IPv6 address on an interface on this router.

409123

Error Message %ASA-4-409123: Neighbor command allowed only on NBMA networks

Explanation The neighbor command is allowed only on NBMA networks.

Recommended Action Check the configuration options for the neighbor command, and correct the options or the network type for the neighbor interface.

409125

Error Message %ASA-4-409125: Can not use configured neighbor: poll and priority options are allowed only for a NBMA network

Explanation The configured neighbor was found on a point-to-multipoint network and either the poll or priority option was configured. These options are only allowed on NBMA type networks.

Recommended Action Check the configuration options for the neighbor command, and correct the options or the network type for the neighbor interface.

409128

Error Message %ASA-4-409128: OSPFv3- d Area AREA_ID_STR : Router i originating invalid type 0x x LSA, ID u, Metric d on Link ID d Link Type d

Explanation The router indicated in this message has originated an LSA with an invalid metric. If this is a router LSA and the link metric is zero, a risk of routing loops and traffic loss exists in the network.

Recommended Action Configure a valid metric for the given LSA type and link type on the router that originated the reported LSA.

410001

Error Message %ASA-4-410001: UDP DNS request from source_interface : source_address / source_port to dest_interface : dest_address / dest_port ; (label length | domain-name length) 52 bytes exceeds remaining packet length of 44 bytes.

Explanation The domain-name length exceeds 255 bytes in a UDP DNS packet. See RFC 1035, Section 3.1 for more information.

Recommended Action None required.

410002

Error Message %ASA-2-410002: Dropped num DNS responses with mis-matched id in the past sec second(s): from src_ifc : sip / sport to dest_ifc : dip / dport

Explanation The ASA detects an excess number of DNS responses with a mismatched DNS identifier. A high rate of mismatched DNS identifiers might indicate an attack on the cache. The threshold is set by the id-mismatch DNS policy-map parameter submode command.

  • num —The number of ID mismatch instances as configured by the id-mismatch command
  • sec —The duration in seconds as configured by the id-mismatch command
  • src_ifc —The source interface name at which the DNS message is received with a mismatched DNS identifier
  • sip —The source IP address
  • sport —The source port
  • dest_ifc —The destination interface name
  • dip —The destination IP address
  • dport —The destination port

Recommended Action Check the IP address and port in the message to trace the source of the attack. You can configure ACLs to block traffic permanently from the source.

410003

Error Message %ASA-4-410003: action_class : action DNS query_response from src_ifc : sip / sport to dest_ifc : dip / dport ; further_info

Explanation A DNS classification was performed on a DNS message and the specified criteria were satisfied. As a result, the configured action occurs.

  • action_class —The DNS Classification action class
  • action —The action taken: Dropped, Dropped (no TSIG), or Masked header flags for
  • query_response —Either query or response
  • src_ifc —The source interface name
  • sip —The source IP address
  • sport —The source port
  • dest_ifc —The destination interface name
  • dip —The destination IP address
  • dport —The destination port
  • further_info —One of the following: matched Class id: class_name, matched Class id: match_command (for a standalone match command), or TSIG resource record not present (for messages generated by the tsig enforced command)

Recommended Action None required.

410004

Error Message %ASA-6-410004: action_class : action DNS query_response from src_ifc : sip / sport to dest_ifc : dip / dport ; further_info

Explanation A DNS classification was performed on a DNS message and the specified criteria were satisfied.

  • action_class —The DNS Classification action class
  • action —The action taken: Received or Received (no TSIG)
  • query_response —Either query or response
  • src_ifc —The source interface name
  • sip —The source IP address
  • sport —The source port
  • dest_ifc —The destination interface name
  • dip —The destination IP address
  • dport —The destination port
  • further_info —One of the following: matched Class id: class_name, matched Class id: match_command (for a standalone match command), or TSIG resource record not present (for messages generated by the tsig enforced command)

Recommended Action None required.

411001

Error Message %ASA-4-411001: Line protocol on interface interface_name changed state to up

Explanation The status of the line protocol has changed from down to up. If interface_name is a logical interface name such as inside and outside, this message indicates that the logical interface line protocol has changed from down to up. If interface_name is a physical interface name such as Ethernet0 and GigabitEthernet0/1, this message indicates that the physical interface line protocol has changed from down to up.

Recommended Action None required.

411002

Error Message %ASA-4-411002:Line protocol on interface interface_name changed state to down

Explanation The status of the line protocol has changed from up to down. If interface_name is a logical interface name such as inside and outside, this message indicates that the logical interface line protocol has changed from up to down. In this case, the physical interface line protocol status is not affected. If interface_name is a physical interface name such as Ethernet0 and GigabitEthernet0/1, this message indicates that the physical interface line protocol has changed from up to down.

Recommended Action If this is an unexpected event on the interface, check the physical line.

411003

Error Message %ASA-4-411003: Configuration status on interface interface_name changed state to downup

Explanation The configuration status of the interface has changed from down to up.

Recommended Action If this is an unexpected event, check the physical line.

411004

Error Message %ASA-4-411004: Configuration status on interface interface_name changed state to up

Explanation The configuration status of the interface has changed from down to up.

Recommended Action None required.

411005

Error Message %ASA-4-411005: Interface variable 1 experienced a hardware transmit hang. The interface has been reset.

Explanation The interface experienced a hardware transmit freeze that required a reset of the Ethernet controller to restore the interface to full operation. This is a known issue with Gigabit interfaces on ASA 5510, ASA 5520, ASA 5540, and ASA 5550 ASAs.

  • variable 1 —The interface name, such as GigabitEthernet0/0

Recommended Action None required.

412001

Error Message %ASA-4-412001:MAC MAC_address moved from interface_1 to interface_2

Explanation A host move was detected from one module interface to another. In a transparent ASA, mapping between the host (MAC) and ASA port is maintained in a Layer 2 forwarding table. The table dynamically binds packet source MAC addresses to an ASA port. In this process, whenever movement of a host from one interface to another interface is detected, this message is generated.

Recommended Action The host move might be valid or might be an attempt to spoof host MACs on other interfaces. If it is a MAC spoof attempt, you can either locate vulnerable hosts on your network and remove them or configure static MAC entries, which will not allow MAC address and port binding to change. If it is a genuine host move, no action is required.

412002

Error Message %ASA-4-412002:Detected bridge table full while inserting MAC MAC_address on interface interface. Number of entries = num

Explanation The bridge table was full and an attempt was made to add one more entry. The ASA maintains a separate Layer 2 forwarding table per context and the message is generated whenever a context exceeds its size limit. The MAC address will be added, but it will replace the oldest existing dynamic entry (if available) in the table. This might be an attempted attack.

Recommended Action Make sure that the new bridge table entries are valid. In case of attack, use EtherType ACLs to control access to vulnerable hosts.

413001

Error Message %ASA-4-413001: Module module_id is not able to shut down. Module Error: errnum message

Explanation The module identified by module_id was not able to comply with a request from the ASA system module to shut down. It may be performing a task that cannot be interrupted, such as a software upgrade. The errnum and message text describes the reason why the module cannot shut down, and the recommended corrective action.

Recommended Action Wait for the task on the module to complete before shutting down the module, or use the session command to access the CLI on the module, and stop the task that is preventing the module from shutting down.

413002

Error Message %ASA-4-413002: Module module_id is not able to reload. Module Error: errnum message

Explanation The module identified by module_id was not able to comply with a request from the ASA module to reload. It may be performing a task that cannot be interrupted, such as a software upgrade. The errnum and message text describes the reason why the module cannot reload, and the recommended corrective action.

Recommended Action Wait for the task on the module to complete before reloading the module, or use the session command to access the CLI on the module and stop the task that is preventing the module from reloading.

413003

Error Message %ASA-4-413003: Module string one is not a recognized type

Explanation A module was detected that is not recognized as a valid module type.

Recommended Action Upgrade to a version of ASA software that supports the module type installed.

413004

Error Message %ASA-4-413004: Module string one failed to write software newver (currently ver), reason. Trying again.

Explanation The module failed to accept a software version, and will be transitioned to an UNRESPONSIVE state. Another attempt will be made to update the module software.

  • string one— The text string that specifies the module
  • newver —The new version number of software that was not successfully written to the module (for example, 1.0(1)0)
  • ver —The current version number of the software on the module (for example, 1.0(1)0)
  • reason —The reason the new version cannot be written to the module. The possible values for reason include the following:

- write failure

- failed to create a thread to write the image

Recommended Action None required. Subsequent attempts will either generate a message indicating a successful update or failure. You may verify the module transitions to UP after a subsequent update attempt by using the show module command.

413005

Error Message %ASA-4-413005: Module module_id, application is not supported app_name version app_vers type app_type Error Message %ASA-4-413005: Module prod_id in slot slot_num, application is not supported app_name version app_vers type app_type

Explanation The module installed in slot slot_num was running an unsupported application version or type.

  • module_id— The name of the software services module
  • prod_id —Product ID string
  • slot_num —The slot number in which the module is installed. Slot 0 indicates the system main board, and slot 1 indicates the module installed in the expansion slot.
  • app_name —Application name (string)
  • app_vers —Application version (string)
  • app_type —Application type (decimal)

Recommended Action If the problem persists, contact the Cisco TAC.

413006

Error Message %ASA-4-413006: prod-id Module software version mismatch; slot slot is prod-id version running-vers. Slot slot prod-id requires required-vers.

Explanation The version of software running on the module in slot slot was not the version required by another module.

  • slot —Slot 0 indicates the system main board. Slot 1 indicates the module installed in the expansion slot.
  • prod_id —Product ID string for the device installed in slot slot
  • running_vers —Version of software currently running on the module installed in slot slot
  • required_vers —Version of software required by the module in slot slot

Recommended Action If the problem persists, contact the Cisco TAC.

413007

Error Message %ASA-1-413007: An unsupported ASA and IPS configuration is installed. mpc_description with ips_description is not supported.

Explanation An unsupported ASA and IPS configuration has been detected during IPS SSP setup for slot 1. The ASA should continue to function normally with an unsupported configuration.

  • mpc_description —A description string for the ASA model, which can be one of the following: ASA5585-SSP-10, ASA5585-SSP-20, ASA5585-SSP-40, ASA5585-SSP-60, ASA5585-SSP-10-K7, ASA5585-SSP-20-K7, ASA5585-SSP-40-K7, ASA5585-SSP-60-K7.
  • ips_description —A description string for the IPS SSP model, which can be one of the following: ASA5585-SSP-IPS10, ASA5585-SSP-IPS20, ASA5585-SSP-IPS40, ASA5585-SSP-IPS60, ASA5585-SSP-P10K7, ASA5585-SSP-P20K7, ASA5585-SSP-P40K7, ASA5585-SSP-P60K7.

Recommended Action None required.

413008

Error Message %ASA-1-413008: An unsupported combination of the power supply module and the fan module is detected. Two power supply modules are recommended when using ASA 10G and IPS 10G SSPs simultaneously

Explanation Only one power supply and one fan module are inserted when an ASA 10G SSP and IPS 10G SSP are present.

Recommended Action When using an ASA 10G SSP and IPS 10G SSP, insert two power supplies instead of one fan module and one power supply module.

414001

Error Message %ASA-3-414001: Failed to save logging buffer using file name filename to FTP server ftp_server_address on interface interface_name : [ fail_reason ]

Explanation The logging module failed to save the logging buffer to an external FTP server.

Recommended Action Take applicable actions based on the failed reason:

  • Protocol error—Make sure no connectivity issue exists between the FTP server and ASA, and that the FTP sever can accept the FTP port command and PUT requests.
  • Invalid username or password—Make sure that the configured FTP client username and password are correct.
  • All other errors—If the problem persists, contact the Cisco TAC.

414002

Error Message %ASA-3-414002: Failed to save logging buffer to flash:/syslog directory using file name: filename : [ fail_reason ]

Explanation The logging module failed to save the logging buffer to system flash.

Recommended Action If the failed reason is caused by insufficient space, check the flash free space, and make sure that the configured limits of the logging flash-size command are set correctly. If the error is a flash file system I/O error, then contact the Cisco TAC for assistance.

414003

Error Message %ASA-3-414003: TCP Syslog Server intf : IP_Address / port not responding. New connections are [permitted|denied] based on logging permit-hostdown policy.

Explanation The TCP syslog server for remote host logging was successful, is connected to the server, and new connections are permitted or denied based on the logging permit-hostdown policy. If the logging permit-hostdown policy is configured, a new connection is permitted. If not configured, a new connection is denied.

  • intf —Interface of the ASA to which the server is connected
  • IP_Address —IP address of the remote TCP syslog server
  • port —Port of the remote TCP syslog server

Recommended Action Validate that the configured TCP syslog server is up. To permit new connections, configure the logging permit-hostdown policy. To deny new connections, do not configure the logging permit-hostdown policy.

414004

Error Message %ASA-6-414004: TCP Syslog Server intf : IP_Address / port - Connection restored

Explanation A retry to the TCP syslog server has been successful, and the connection has been established. This message is the first to reach the syslog server after a successful connection.

  • intf —Interface of the ASA to which the server is connected
  • IP_Address —IP address of the remote TCP syslog server
  • port —Port of the remote TCP syslog server

Recommended Action None required.

414005

Error Message %ASA-3-414005: TCP Syslog Server intf : IP_Address / port connected, New connections are permitted based on logging permit-hostdown policy

Explanation The TCP syslog server for remote host logging was successful, is connected to the server, and new connections are permitted based on the logging permit-hostdown policy. If the logging permit-hostdown policy is configured, a new connection is permitted.

  • intf —Interface of the ASA to which the server is connected
  • IP_Address —IP address of the remote TCP syslog server
  • port —Port of the remote TCP syslog server

Recommended Action None required.

414006

Error Message %ASA-3-414006: TCP Syslog Server configured and logging queue is full. New connections denied based on logging permit-hostdown policy.

Explanation The logging queue is close to reaching the configured limit, so there is a risk that syslog messages will be discarded.

Recommended Action See the "Configuring the Logging Queue" section in the CLI configuration guide for information about how to tune the queue size to avoid this situation. If you want to deny new connections in this case, use the no logging permit-hostdown command. If you want to allow new connections in this case, use the logging permit-hostdown command.

414007

Error Message %ASA-6-414007: TCP Syslog Server connection restored. New connections are allowed.

Explanation The TCP syslog server for remote host logging was successfully connected and new connections are permitted.

Recommended Action None required.

414008

Error Message %ASA-6-414008: New connections are now allowed due to change of logging permit-hostdown policy.

Explanation An administrator changed the logging permit-hostdown policy by entering the logging permit-hostdown command at a time when new connections are being denied. Due to this change of policy, new connections will be allowed.

Recommended Action None required.

415001

Error Message %ASA-6-415001: HTTP - matched matched_string in policy-map map_name, header field count exceeded connection_action from int_type : IP_address / port_num to int_type : IP_address / port_num

Explanation This message is generated when one of the following occurs:

  • The total number of fields in the HTTP header exceeds the user-configured number of header fields. The relevant command is: match { request | response } header count num.
  • The appearance of a specified field in the HTTP header exceeds the user-configured number for this header field. The relevant command is: match { request | response } header header-name count num.
  • matched_string —The matched string is one of the following:

- The class map ID, followed by the name of the class map. This string appears when the class map is user configured.

- The actual match command that initiated the message. This string appears when the class map is internal.

  • map_name —The name of the policy map
  • connection_action —Dropping the connection or resetting the connection
  • interface_type —The type of interface (for example, DMZ or outside)
  • IP_address —The IP address of the interface
  • port_num —The port number

Recommended Action Enter the match { request | response } header command to reconfigure the HTTP header field value.

415002

Error Message %ASA-6-415002: HTTP - matched matched_string in policy-map map_name, header field length exceeded connection_action from int_type : IP_address / port_num to int_type : IP_address / port_num

Explanation The specified HTTP header field length exceeded the user-configured length.

  • matched_string —The matched string is one of the following:

- The class map ID, followed by the name of the class map. This string appears when the class map is user configured.

- The actual match command that initiated the message. This string appears when the class map is internal.

  • map_name —The name of the policy map
  • connection_action —Dropping connection or Resetting connection
  • interface_type —The type of interface (for example, DMZ or outside)
  • IP_address —The IP address of the interface
  • port_num —The port number

Recommended Action Enter the match { request | response } header header_name length gt num command to change the HTTP header field length.

415003

Error Message %ASA-6-415003: HTTP - matched matched_string in policy-map map_name, body length exceeded connection_action from int_type : IP_address / port_num to int_type : IP_address / port_num

Explanation The length of the message body exceeded the user-configured length.

  • matched_string —The matched string is one of the following:

- The class map ID, followed by the name of the class map. This string appears when the class map is user configured.

- The actual match command that initiated the message. This string appears when the class map is internal.

  • map_name —The name of the policy map
  • connection_action —Dropping the connection or resetting the connection
  • interface_type —The type of interface (for example, DMZ or outside)
  • IP_address —The IP address of the interface
  • port_num —The port number

Recommended Action Enter the match { request | response } body length gt num command to change the length of the message body.

415004

Error Message %ASA-5-415004: HTTP - matched matched_string in policy-map map_name, content-type verification failed connection_action from int_type : IP_address / port_num to int_type : IP_address / port_num

Explanation The magic number in the body of the HTTP message is not the correct magic number for the MIME-type specified in the content-type field in the HTTP message header.

  • matched_string —The matched string is one of the following:

- The class map ID, followed by the name of the class map. This string appears when the class map is user configured.

- The actual match command that initiated the message. This string appears when the class map is internal.

  • map_name —The name of the policy map
  • connection_action —Dropping the connection or resetting the connection
  • interface_type —The type of interface (for example, DMZ or outside)
  • IP_address —The IP address of the interface
  • port_num —The port number

Recommended Action Enter the match {request | response} header content-type violation command to correct the error.

415005

Error Message %ASA-5-415005: HTTP - matched matched_string in policy-map map_name, URI length exceeded connection_action from int_type : IP_address / port_num to int_type : IP_address / port_num

Explanation The length of the URI exceeded the user-configured length.

  • matched_string —The matched string is one of the following:

- The class map ID, followed by the name of the class map. This string appears when the class map is user configured.

- The actual match command that initiated the message. This string appears when the class map is internal.

  • map_name —The name of the policy map
  • connection_action —Dropping the connection or resetting the connection
  • interface_type —The type of interface (for example, DMZ or outside)
  • IP_address —The IP address of the interface
  • port_num —The port number

Recommended Action Enter the match request uri length gt num command to change the length of the URI.

415006

Error Message %ASA-5-415006: HTTP - matched matched_string in policy-map map_name, URI matched connection_action from int_type : IP_address / port_num to int_type : IP_address / port_num

Explanation The URI matched the regular expression that the user configured. See the match request uri regex { regex-name | class class-name } command for more information.

  • matched_string —The matched string is one of the following:

- The class map ID, followed by the name of the class map. This string appears when the class map is user configured.

- The actual match command that initiated the message. This string appears when the class map is internal.

  • map_name —The name of the policy map
  • connection_action —Dropping the connection or resetting the connection
  • interface_type —The type of interface (for example, DMZ or outside)
  • IP_address —The IP address of the interface
  • port_num —The port number

Recommended Action None required.

415007

Error Message %ASA-5-415007: HTTP - matched matched_string in policy-map map_name, Body matched connection_action from int_type : IP_address / port_num to int_type : IP_address / port_num

Explanation The message body matched the regular expression that the user configured. See the match { request | response } body regex { regex-name | class class-name } command for more information.

  • matched_string —The matched string is one of the following:

- The class map ID, followed by the name of the class map. This string appears when the class map is user configured.

- The actual match command that initiated the message. This string appears when the class map is internal.

  • map_name —The name of the policy map
  • connection_action —Dropping the connection or resetting the connection
  • interface_type —The type of interface (for example, DMZ or outside)
  • IP_address —The IP address of the interface
  • port_num —The port number

Recommended Action None required.

415008

Error Message %ASA-5-415008: HTTP - matched matched_string in policy-map map_name, header matched connection_action from int_type : IP_address / port_num to int_type : IP_address / port_num

Explanation A value in a user-specified field in the message header matched the regular expression that the user configured. See the match { request | response } header header-field-name { regex-name | class class-name } command for more information.

  • matched_string —The matched string is one of the following:

- The class map ID, followed by the name of the class map. This string appears when the class map is user configured.

- The actual match command that initiated the message. This string appears when the class map is internal.

  • map_name —The name of the policy map
  • connection_action —Dropping the connection or resetting the connection
  • interface_type —The type of interface (for example, DMZ or outside)
  • IP_address —The IP address of the interface
  • port_num —The port number

Recommended Action None required.

415009

Error Message %ASA-5-415009: HTTP - matched matched_string in policy-map map_name, method matched connection_action from int_type : IP_address / port_num to int_type : IP_address / port_num

Explanation The HTTP method matched the user-configured regular expression. See the match request method { regex-name | class class-name } command for more information.

  • matched_string —The matched string is one of the following:

- The class map ID, followed by the name of the class map. This string appears when the class map is user configured.

- The actual match command that initiated the message. This string appears when the class map is internal.

  • map_name —The name of the policy map
  • connection_action —Dropping the connection or resetting the connection
  • interface_type —The type of interface (for example, DMZ or outside)
  • IP_address —The IP address of the interface
  • port_num —The port number

Recommended Action None required.

415010

Error Message %ASA-5-415010: matched matched_string in policy-map map_name, transfer encoding matched connection_action from int_type : IP_address / port_num to int_type : IP_address / port_num

Explanation The value in the transfer encoding field matched the user-configured regular expression or keyword. See the match { request | response } header transfer-encoding {{ regex-name | class class-name } | keyword } command for more information.

  • matched_string —The matched string is one of the following:

- The class map ID, followed by the name of the class map. This string appears when the class map is user configured.

- The actual match command that initiated the message. This string appears when the class map is internal.

  • map_name —The name of the policy map
  • connection_action —Dropping the connection or resetting the connection
  • interface_type —The type of interface (for example, DMZ or outside)
  • IP_address —The IP address of the interface
  • port_num —The port number

Recommended Action None required.

415011

Error Message %ASA-5-415011: HTTP - policy-map map_name :Protocol violation connection_action from int_type : IP_address / port_num to int_type : IP_address / port_num

Explanation The HTTP parser cannot detect a valid HTTP message in the first few bytes of an HTTP message.

  • map_name —The name of the policy map
  • connection_action —Dropping the connection or resetting the connection
  • interface_type —The type of interface (for example, DMZ or outside)
  • IP_address —The IP address of the interface
  • port_num —The port number

Recommended Action Enter the protocol-violation action { drop | reset } log command to correct the problem.

415012

Error Message %ASA-5-415012: HTTP - matched matched_string in policy-map map_name, Unknown mime-type connection_action from int_type : IP_address / port_num to int_type : IP_address / port_num

Explanation The content-type field did not contain a MIME type that matches a built-in MIME type.

  • matched_string —The matched string is one of the following:

- The class map ID, followed by the name of the class map. This string appears when the class map is user configured.

- The actual match command that initiated the message. This string appears when the class map is internal.

  • map_name —The name of the policy map
  • connection_action —Dropping the connection or resetting the connection
  • interface_type —The type of interface (for example, DMZ or outside)
  • IP_address —The IP address of the interface
  • port_num —The port number

Recommended Action Enter the match { request | response } header content-type unknown command to correct the problem.

415013

Error Message %ASA-5-415013: HTTP - policy-map map-name :Malformed chunked encoding connection_action from int_type : IP_address / port_num to int_type : IP_address / port_num

Explanation A chunked encoding was malformed, and the HTTP message cannot be parsed. In addition, logging for the protocol-violation command was configured.

  • map-name — The name of the policy map
  • connection_action —Dropping the connection or resetting the connection
  • interface_type —The type of interface (for example, DMZ or outside)
  • IP_address —The IP address of the interface
  • port_num —The port number

Recommended Action Enter the protocol-violation action { drop | reset } log command to correct the problem.

415014

Error Message %ASA-5-415014: HTTP - matched matched_string in policy-map map_name, Mime-type in response wasn't found in the accept-types of the request connection_action from int_type : IP_address / port_num to int_type : IP_address / port_num

Explanation The MIME type in an HTTP response was not in the accept field of the request.

  • matched_string —The matched string is one of the following:

- The class map ID, followed by the name of the class map. This string appears when the class map is user configured.

- The actual match command that initiated the message. This string appears when the class map is internal.

  • map_name —The name of the policy map
  • connection_action —Dropping the connection or resetting the connection
  • interface_type —The type of interface (for example, DMZ or outside)
  • IP_address —The IP address of the interface
  • port_num —The port number

Recommended Action Enter the match req-resp content-type mismatch command to correct the problem.

415015

Error Message %ASA-5-415015: HTTP - matched matched_string in policy-map map_name, transfer-encoding unknown connection_action from int_type : IP_address / port_num to int_type : IP_address / port_num

Explanation An empty transfer encoding occurred.

  • matched_string —The matched string is one of the following:

- The class map ID, followed by the name of the class map. This string appears when the class map is user configured.

- The actual match command that initiated the message. This string appears when the class map is internal.

  • map_name —The name of the policy map
  • connection_action —Dropping the connection or resetting the connection
  • interface_type —The type of interface (for example, DMZ or outside)
  • IP_address —The IP address of the interface
  • port_num —The port number

Recommended Action Enter the match { request | response } header transfer-encoding empty command to correct the problem.

415016

Error Message %ASA-4-415016: policy-map map_name :Maximum number of unanswered HTTP requests exceeded connection_action from int_type : IP_address / port_num to int_type : IP_address / port_num

Explanation The number of unanswered HTTP requests exceeded the internal number of requests allowed.

  • map_name —The name of the policy map
  • connection_action —Dropping the connection or resetting the connection
  • interface_type —The type of interface (for example, DMZ or outside)
  • IP_address —The IP address of the interface
  • port_num —The port number

Recommended Action Enter the protocol-violation action { drop | reset } log command to correct the problem.

415017

Error Message %ASA-6-415017: HTTP - matched_string in policy-map map_name, arguments matched connection_action from int_type : IP_address / port_num to int_type : IP_address / port_num

Explanation A pattern in the arguments matches the user-configured regular expression or keyword. See the match request args regex { regex-name | class class-name } command for more information.

  • matched_string —The matched string is one of the following:

- The class map ID, followed by the name of the class map. This string appears when the class map is user configured.

- The actual match command that initiated the message. This string appears when the class map is internal.

  • map_name —The name of the policy map
  • connection_action —Dropping the connection or resetting the connection
  • interface_type —The type of interface (for example, DMZ or outside)
  • IP_address —The IP address of the interface
  • port_num —The port number

Recommended Action None required.

415018

Error Message %ASA-5-415018: HTTP - matched matched_string in policy-map map_name, Header length exceeded connection_action from int_type : IP_address / port_num to int_type : IP_address / port_num

Explanation The total header length exceeded the user-configured length for the header.

  • matched_string —The matched string is one of the following:

- The class map ID, followed by the name of the class map. This string appears when the class map is user configured.

- The actual match command that initiated the message. This string appears when the class map is internal.

  • map_name —The name of the policy map
  • connection_action —Dropping the connection or resetting the connection
  • interface_type —The type of interface (for example, DMZ or outside)
  • IP_address —The IP address of the interface
  • port_num —The port number

Recommended Action Enter the match { request | response } header length gt num command to reduce the length of the header.

415019

Error Message %ASA-5-415019: HTTP - matched matched_string in policy-map map_name, status line matched connection_action from int_type : IP_address / port_num to int_type : IP_address / port_num

Explanation The status line in a response matched a user-configured regular expression. See the match response status-line regex { regex-name | class class-name } command for more information.

  • matched_string —The matched string is one of the following:

- The class map ID, followed by the name of the class map. This string appears when the class map is user configured.

- The actual match command that initiated the message. This string appears when the class map is internal.

  • map_name —The name of the policy map
  • connection_action —Dropping the connection or resetting the connection
  • interface_type —The type of interface (for example, DMZ or outside)
  • IP_address —The IP address of the interface
  • port_num —The port number

Recommended Action None required.

415020

Error Message %ASA-5-415020: HTTP - matched matched_string in policy-map map_name, a non-ASCII character was matched connection_action from int_type : IP_address / port_num to int_type : IP_address / port_num

Explanation A non-ASCII character was found.

  • matched_string —The matched string is one of the following:

- The class map ID, followed by the name of the class map. This string appears when the class map is user configured.

- The actual match command that initiated the message. This string appears when the class map is internal.

  • map_name —The name of the policy map
  • connection_action —Dropping the connection or resetting the connection
  • interface_type —The type of interface (for example, DMZ or outside)
  • IP_address —The IP address of the interface
  • port_num —The port number

Recommended Action Enter the match { request | response } header non-ascii command to correct the problem.

416001

Error Message %ASA-4-416001: Dropped UDP SNMP packet from source_interface : source_IP / source_port to dest_interface : dest_address / dest_port ; version ( prot_version) is not allowed through the firewall

Explanation An SNMP packet was denied passage through the ASA because of a bad packet format or because the prot_version is not allowed through the ASA. The prot_version parameter can be one of the following values: 1, 2, 2c, or 3.

Recommended Action Change the settings for SNMP inspection using the snmp-map command, which allows the user to permit or deny specific protocol versions.

417001

Error Message %ASA-4-417001: Unexpected event received: number

Explanation A process received a signal, but no handler was found for the event.

Recommended Action If the problem persists, contact the Cisco TAC.

417004

Error Message %ASA-4-417004: Filter violation error: conn number ( string : string) in string

Explanation A client tried to modify a route attribute that the client does not own.

Recommended Action If the problem persists, contact the Cisco TAC.

417006

Error Message %ASA-4-417006: No memory for string) in string. Handling: string

Explanation An operation failed because of low memory, but will be handled with another mechanism.

Recommended Action If the problem persists, contact the Cisco TAC.

418001

Error Message %ASA-4-418001: Through-the-device packet to/from management-only network is denied: protocol_string from interface_name IP_address (port) [([ idfw_user | FQDN_string ], sg_info)] to interface_name IP_address (port) [( idfw_user | FQDN_string), sg_info ]

Explanation A packet from the specified source to the destination was dropped because it is traversing the ASA to and from the management-only network.

  • protocol_string —TCP, UDP, ICMP, or protocol ID as a number in decimal
  • interface_name — Interface name
  • IP_address —IP address
  • port —Port number
  • sg_info —Security group name or tag for the specified IP address

Recommended Action Determine who is generating this packet and why.

419001

Error Message %ASA-4-419001: Dropping TCP packet from src_ifc : src_IP / src_port to dest_ifc : dest_IP / dest_port, reason : MSS exceeded, MSS size, data size

Explanation The length of the TCP packet exceeded the MSS advertised in the three-way handshake.

  • src_ifc— Input interface name
  • src_IP— The source IP address of the packet
  • src_port— The source port of the packet
  • dest_ifc— The output interface name
  • dest_IP— The destination IP address of the packet
  • dest_port— The destination port of the packet

Recommended Action If there is a need to allow packets that exceed the MSS, create a TCP map using the exceed-mss command, as in the following example:

ciscoasa# access-list http-list permit tcp any host server_ip eq 80

ciscoasa# class-map http
ciscoasa# match access-list http-list

ciscoasa# tcp-map tmap
ciscoasa# exceed-mss allow

ciscoasa# policy-map global_policy
ciscoasa# class http
ciscoasa# set connection advanced-options tmap
 

419002

Error Message %ASA-4-419002: Received duplicate TCP SYN from in_interface : src_address / src_port to out_interface : dest_address / dest_port with different initial sequence number.

Explanation A duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number from the SYN that opened the embryonic connection. This may indicate that SYNs are being spoofed. This message occurs in Release 7.0.4.1 and later.

  • in_interface —The input interface
  • src_address —The source IP address of the packet
  • src_port —The source port of the packet
  • out_interface —The output interface
  • dest_address —The destination IP address of the packet
  • dest_port —The destination port of the packet

Recommended Action None required.

419003

Error Message %ASA-4-419003: Cleared TCP urgent flag from out_ifc : src_ip / src_port to in_ifc : dest_ip / dest_port.

Explanation A duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number from the SYN that opened the embryonic connection. This may indicate that SYNs are being spoofed. This message occurs in Release 7.0.4.1 and later.

  • in_ifc —The input interface
  • src_ip —The source IP address of the packet
  • src_port —The source port of the packet
  • out_ifc —The output interface
  • dest_ip —The destination IP address of the packet
  • dest_port —The destination port of the packet

Recommended Action If you need to keep the urgent flag in TCP headers, use the urgent-flag allow command in TCP map configuration mode.

420001

Error Message %ASA-3-420001: IPS card not up and fail-close mode used, dropping ICMP packet ifc_in : SIP to ifc_out : DIP (type ICMP_TYPE, code ICMP_CODE)

For example:

%ASA-3-420001: IPS card not up and fail-close mode used, dropping TCP packet from ifc_in:SIP/SPORT to ifc_out:DIP/DPORT\n
%ASA-3-420001: IPS card not up and fail-close mode used, dropping UDP packet from ifc_in:SIP/SPORT to ifc_out:DIP/DPORT\n
%ASA-3-420001: IPS card not up and fail-close mode used, dropping protocol protocol packet from ifc_in:SIP to ifc_out:DIP\n
 

Explanation Packets are dropped when the IPS fail-close mode is used, and the IPS card is not up. This message is rate limited.

  • ifc_in —Input interface name
  • ifc_out —Output interface name
  • SIP —Source IP of the packet
  • SPORT —Source port of the packet
  • DIP —Destination IP of the packet
  • DPORT —Destination port of the packet
  • ICMP_TYPE —Type of the ICMP packet
  • ICMP_CODE —Code of the ICMP packet

Recommended Action Bring up the IPS card.

420002

Error Message %ASA-4-420002: IPS requested to drop ICMP packets ifc_in : SIP to ifc_out : DIP (type ICMP_TYPE, code ICMP_CODE)

For example:

%ASA-4-420002: IPS requested to drop TCP packet from ifc_in:SIP/SPORT to ifc_out:DIP/DPORT\n
%ASA-4-420002: IPS requested to drop UDP packet from ifc_in:SIP/SPORT to ifc_out:DIP/DPORT\n
%ASA-4-420002: IPS requested to drop protocol packet from ifc_in:SIP to ifc_out:DIP\n
 

Explanation IPS requested that the packet be dropped.

  • ifc_in —Input interface name
  • ifc_out —Output interface name
  • SIP —Source IP of the packet
  • SPORT —Source port of the packet
  • DIP —Destination IP of the packet
  • DPORT —Destination port of the packet
  • ICMP_TYPE —Type of the ICMP packet
  • ICMP_CODE —Code of the ICMP packet

Recommended Action None required.

420003

Error Message %ASA-4-420003: IPS requested to reset TCP connection from ifc_in : SIP / SPORT to ifc_out : DIP / DPORT

Explanation IPS requested a reset of a TCP connection.

  • ifc_in —Input interface name
  • ifc_out —Output interface name
  • SIP —Source IP of the packet
  • SPORT —Source port of the packet
  • DIP —Destination IP of the packet
  • DPORT —Destination port of the packet

Recommended Action None required.

420004

Error Message %ASA-6-420004: Virtual Sensor sensor_name was added on the AIP SSM

Explanation A virtual sensor was added on the AIP SSM card.

  • n —Card number

Recommended Action None required.

420005

Error Message %ASA-6-420005: Virtual Sensor sensor_name was deleted from the AIP SSM

Explanation A virtual sensor was deleted from the AIP SSM card.

  • n —Card number

Recommended Action None required.

420006

Error Message %ASA-3-420006: Virtual Sensor not present and fail-close mode used, dropping protocol packet from ifc_in:SIP/SPORT to ifc_out:DIP/DPORT

Explanation Packets are dropped when the IPS fail-close mode is used, and the virtual sensor used for the packet is not present.

  • protocol— Protocol used to send the packet
  • ifc_in —Input interface name
  • ifc_out —Output interface name
  • SIP —Source IP address of the packet
  • SPORT —Source port of the packet
  • DIP —Destination IP address of the packet
  • DPORT —Destination port of the packet

Recommended Action Add the virtual sensor.

420007

Error Message %ASA-4-420007: application-string cannot be enabled for the module in slot slot_id. The module’s current software version does not support this feature. Please upgrade the software on the module in slot slot_id to support this feature. Received backplane header version version_number, required backplane header version version_number or higher.

Explanation This message is generated by any new feature in the ASA that needs a corresponding software version in the SSM or SSC hardware module. The message is sent each time that the ASA module manager detects state changes in the SSM or SSC hardware module.

  • application-string —The name of the application (for example, Promiscuous IDS)
  • slot_id —The module identifier, which is 1 for the current ASA
  • version_number —The version number of the message header between the ASA and the IPS application

Recommended Action Load the SSM or SSC hardware module with the correct software images that support the designated application.

420008

Error Message %ASA-3-420008: IPS module license disabled and fail-close mode used, dropping packet.

Explanation The IPS module license has been disabled and when the fail-close mode is configured, all traffic destined for the IPS module will be dropped. You can check the status of the license by using the show activation-key command.

Recommended Action Use the activation-key command to apply an activation key that has the IPS license enabled.

421001

Error Message %ASA-3-421001: TCP|UDP flow from interface_name : IP_address/port to interface_name : IP_address / port is dropped because application has failed.

Explanation A packet was dropped because the CSC SSM application failed. By default, this message is rate limited to 1 message every 10 seconds.

  • interface_name —The interface name
  • IP_address —The IP address
  • port —The port number
  • application —The CSC SSM is the only application supported in the current release

Recommended Action Determine the problem with the service module.

421002

Error Message %ASA-6-421002: TCP|UDP flow from interface_name : IP_address / port to interface_name : IP_address / port bypassed application checking because the protocol is not supported.

Explanation The connection bypassed service module security checking because the protocol that it is using cannot be scanned by the service module. For example, the CSC SSM is not capable of scanning Telnet traffic. If the user configures Telnet traffic to be scanned, the traffic will bypass the scanning service. By default, this message is rate limited to 1 message every 10 seconds.

  • IP_address —The IP address
  • port —The port number
  • interface_name —The name of the interface on which the policy is applied
  • application —The CSC SSM is the only application supported in the current release

Recommended Action The configuration should be modified to only include protocols that are supported by the service module.

421003

Error Message %ASA-3-421003: Invalid data plane encapsulation.

Explanation A packet injected by the service module did not have the correct data plane header. Packets exchanged on the data backplane adhere to a Cisco proprietary protocol called ASDP. Any packet that does not have the proper ASDP header is dropped.

Recommended Action Use the capture name type asp-drop [ ssm-asdp-invalid-encap ] command to capture the offending packets and contact the Cisco TAC.

421004

Error Message %ASA-7-421004: Failed to inject {TCP|UDP} packet from IP_address / port to IP_address / port

Explanation The ASA has failed to inject a packet as instructed by the service module. This may happen if the ASA tries to inject a packet into a flow that has already been released or when the ASA maintains its connection table independently from the service module. Normally it will not cause any problem.

  • IP_address —The IP address
  • port —The port number

Recommended Action If ASA performance is affected, or if the problem persists, contact the Cisco TAC.

421005

Error Message %ASA-6-421005: interface_name : IP_address is counted as a user of application

Explanation A host has been counted toward the license limit. The specified host was counted as a user of application. The total number of users in 24 hours is calculated at midnight for license validation.

  • interface_name —The interface name
  • IP_address —The IP address
  • application —The CSC SSM

Recommended Action None required. However, if the overall count exceeds the user license that you have purchased, contact the Cisco TAC to upgrade your license.

421006

Error Message %ASA-6-421006: There are number users of application accounted during the past 24 hours.

Explanation The total number of users who have used an application for the past 24 hours have been identified. This message is generated every 24 hours to give the total number of hosts that have used services provided by the service module.

  • application —The CSC SSM

Recommended Action None required. However, if the overall count exceeds the user license that you have purchased, contact the Cisco TAC to upgrade your license.

421007

Error Message %ASA-3-421007: TCP|UDP flow from interface_name : IP_address / port to interface_name : IP_address / port is skipped because application has failed.

Explanation A flow was skipped because the service module application has failed. By default, this message is rate limited to 1 message every 10 seconds.

  • IP_address —The IP address
  • port —The port number
  • interface_name —The name of the interface on which the policy is applied
  • application —The CSC SSM

Recommended Action Determine the problem with the service module.

422004

Error Message %ASA-4-422004: IP SLA Monitor number0 : Duplicate event received. Event number number1

Explanation The IP SLA monitor process has received a duplicate event. Currently, this message applies to destroy events. Only one destroy request will be applied. This is only a warning message.

  • number0 —The SLA operation number
  • number1 —The SLA operation event ID

Recommended Action If this recurs, enter the show sla monitor configuration SLA_operation_id command and copy the output of the command. Copy the message as it appears on the console or in the system log. Then contact the Cisco TAC and provide the representative with the information that you have, along with information about the application that is configuring and polling the SLA probes.

422005

Error Message %ASA-4-422005: IP SLA Monitor Probe(s) could not be scheduled because clock is not set.

Explanation One or more IP SLA monitor probes cannot be scheduled because the system clock was not set.

Recommended Action Make sure that the system clock is functional by using NTP or another mechanism.

422006

Error Message %ASA-4-422006: IP SLA Monitor Probe number : string

Explanation The IP SLA monitor probe cannot be scheduled. Either the configured starting time has already occurred or the starting time is invalid.

  • number —The SLA operation ID
  • string —A string describing the error

Recommended Action Reschedule the failed probe with a valid start time.

423001

Error Message %ASA-4-423001: {Allowed | Dropped} invalid NBNS pkt_type_name with error_reason_str from ifc_name : ip_address / port to ifc_name : ip_address / port.

Explanation The NBNS packet format is incorrect.

Recommended Action None required.

423002

Error Message %ASA-4-423002: {Allowed | Dropped} mismatched NBNS pkt_type_name with error_reason_str from ifc_name : ip_address / port to ifc_name : ip_address / port.

Explanation An NBNS ID mismatch occurred.

Recommended Action None required.

423003

Error Message %ASA-4-423003: {Allowed | Dropped} invalid NBDGM pkt_type_name with error_reason_str from ifc_name : ip_address / port to ifc_name : ip_address / port.

Explanation The NBDGM packet format is incorrect.

Recommended Action None required.

423004

Error Message %ASA-4-423004: {Allowed | Dropped} mismatched NBDGM pkt_type_name with error_reason_str from ifc_name : ip_address / port to ifc_name : ip_address / port.

Explanation An NBDGM ID mismatch occurred.

Recommended Action None required.

423005

Error Message %ASA-4-423005: {Allowed | Dropped} NBDGM pkt_type_name fragment with error_reason_str from ifc_name : ip_address / port to ifc_name : ip_address / port.

Explanation The NBDGM fragment format is incorrect.

Recommended Action None required.

424001

Error Message %ASA-4-424001: Packet denied protocol_string intf_in : src_ip / src_port [([ idfw_user | FQDN_string ], sg_info)] intf_out : dst_ip / dst_port [([ idfw_user | FQDN_string ], sg_info)]. [Ingress|Egress] interface is in a backup state.

Explanation A packet was dropped because it was traversing the ASA to or from a redundant interface. Interface functionality is limited on low-end platforms. The interface specified by the backup interface command can only be a backup for the primary interface configured. If the default route to the primary interface is up, any traffic through the ASA from the backup interface will be denied. Conversely, if the default route to the primary interface is down, traffic through the ASA from the primary interface will be denied.

  • protocol_string —The protocol string; for example, TCP or protocol ID (a decimal number)
  • intf_in —The input interface name
  • src_ip —The source IP address of the packet
  • src_port —The source port of the packet
  • intf_out —The output interface name
  • dst_ip —The destination IP address of the packet
  • dst_port —The destination port of the packet
  • sg_info —The security group name or tag for the specified IP address

Recommended Action Determine the source of the denied packet.

424002

Error Message %ASA-4-424002: Connection to the backup interface is denied: protocol_string intf : src_ip / src_port intf : dst_ip / dst_port

Explanation A connection was dropped because it is in a backup state. Interface functionality is limited on low-end platforms. The backup interface can only be a backup for the primary interface specified by the backup interface command. If the default route to the primary interface is up, any connection to the ASA through the backup interface will be denied. Conversely, if the default route to the primary interface is down, connections to the ASA through the primary interface will be denied.

  • protocol_string —The protocol string; for example, TCP or protocol ID (a decimal number)
  • intf_in —The input interface name
  • src_ip —The source IP address of the packet
  • src_port —The source port of the packet
  • intf_out —The output interface name
  • dst_ip —The destination IP address of the packet
  • dst_port —The destination port of the packet

Recommended Action Determine the source of the denied packet.

425001

Error Message %ASA-6-425001 Redundant interface redundant _ interface_name created.

Explanation The specified redundant interface was created in the configuration.

  • redundant_interface_name —Redundant interface name

Recommended Action None required.

425002

Error Message %ASA-6-425002 Redundant interface redundant _ interface_name removed.

Explanation The specified redundant interface was removed from the configuration.

  • redundant_interface_name —Redundant interface name

Recommended Action None required.

425003

Error Message %ASA-6-425003 Interface interface_name added into redundant interface redundant _ interface_name.

Explanation The specified physical interface was added to the specified redundant interface as a member interface.

  • interface_name —An interface name
  • redundant_interface_name —Redundant interface name

Recommended Action None required.

425004

Error Message %ASA-6-425004 Interface interface_name removed from redundant interface redundant _ interface_name.

Explanation The specified redundant interface was removed from the specified redundant interface.

  • interface_name —An interface name
  • redundant_interface_name —Redundant interface name

Recommended Action None required.

425005

Error Message %ASA-5-425005 Interface interface_name become active in redundant interface redundant _ interface_name

Explanation Within a redundant interface, one member interface is the active member. Traffic only passes through the active member interface. The specified physical interface became the active member of the specified redundant interface. Member interface switchover occurs when one of the following is true:

The redundant-interface interface-name active-member interface-name command was executed.

The active member interface is down, while the standby member interface is up.

The standby member interface comes up (from down), while the active member interface remains down.

  • interface_name —An interface name
  • redundant_interface_name —Redundant interface name

Recommended Action Check the status of the member interfaces.

425006

Error Message %ASA-3-425006 Redundant interface redundant _ interface_name switch active member to interface_name failed.

Explanation An error occurred when member interface switchover was attempted.

  • redundant_interface_name —Redundant interface name
  • interface_name —An interface name

Recommended Action If the problem persists, contact the Cisco TAC.

426001

Error Message %ASA-6-426001: PORT-CHANNEL:Interface ifc_name bundled into EtherChannel interface Port-channel num

Explanation The interface port-channel num or the channel-group num mode mode command has been used on a nonexistent port channel.

  • ifc_name —The EtherChannel interface name
  • num —The port channel number

Recommended Action None required.

426002

Error Message %ASA-6-426002: PORT-CHANNEL:Interface ifc_name unbundled from EtherChannel interface Port-channel num

Explanation The no interface port-channel num command has been used.

  • ifc_name —The EtherChannel interface name
  • num— The port channel number

Recommended Action None required.

426003

Error Message %ASA-6-426003: PORT-CHANNEL:Interface ifc_name1 has become standby in EtherChannel interface Port-channel num

Explanation The channel-group num mode mode command has been used.

  • ifc_name1 —The EtherChannel interface name
  • num —The port channel number

Recommended Action None required.

426004

Error Message %ASA-4-426004: PORT-CHANNEL: Interface ifc_name1 is not compatible with ifc_name and will be suspended (speed of ifc_name1 is X Mbps, Y is 1000 Mbps). Error Message %ASA-4-426004: Interface ifc_name1 is not compatible with ifc_name1 and will be suspended ( ifc_name1 is Full-duplex, ifc_name1 is Half-duplex)

Explanation The channel-group num mode mode command is executed on a physical interface and there is a speed or duplex mismatch of this physical interface with that of the port channel.

  • ifc_name —The interface that is being added to the port channel
  • ifc_name1 —The interface that is already in the port channel and in a bundled state

Recommended Action Do one of the following:

  • Change the speed of the physical interface to that of the port channel and execute the channel-group num mode mode command again.
  • Leave the member interface in a suspended state. When the last active member is removed, then that member will try to reestablish LACP on the suspended member.

426101

Error Message %ASA-6-426101: PORT-CHANNEL:Interface ifc_name is allowed to bundle into EtherChannel interface port-channel id by CLACP

Explanation A port has been bundled in a span-cluster channel group.

Recommended Action None required.

426102

Error Message %ASA-6-426102: PORT-CHANNEL:Interface ifc_name is moved to standby in EtherChannel interface port-channel id by CLACP

Explanation A port has been moved to hot-standby state in a span-cluster channel group.

Recommended Action None required.

426103

Error Message %ASA-6-426103: PORT-CHANNEL:Interface ifc_name is selected to move from standby to bundle in EtherChannel interface port-channel id by CLACP

Explanation A standby port has been selected to move to bundled state in a span-cluster channel group.

Recommended Action None required.

426104

Error Message %ASA-6-426104: PORT-CHANNEL:Interface ifc_name is unselected in EtherChannel interface port-channel id by CLACP

Explanation A bundled port has been unbundled in a span-cluster channel group to obtain space for other ports to be bundled.

Recommended Action None required.

428002

Error Message %ASA-6-428002: WAAS confirmed from in_interface : src_ip_addr/src_port to out_interface : dest_ip_addr/dest_port, inspection services bypassed on this connection.

Explanation WAAS optimization was detected on a connection. All layer 7 inspection services, including IPS, are bypassed on WAAS-optimized connections.

Recommended Action No action is required if the network includes WAE devices; otherwise, the network administrator should investigate the use of the WAAS option on this connection.

429001

Error Message %ASA-3-429001: CXSC card not up and fail-close mode used. Dropping protocol packet from interface_name : ip_address / port to interface_name : ip_address / port

Explanation Data has been dropped because an SSP is down and a fail-close policy exists.

Recommended Action Check the status of the service module and contact the Cisco TAC for assistance, if necessary.

429002

Error Message %ASA-4-429002: CXSC service card requested to drop protocol packet from interface_name : ip_address / port to interface_name : ip_address / port

Explanation The CXSC SSP requested that the ASA drop a packet of a connection.

Recommended Action None.

429003

Error Message %ASA-4-429003: CXSC service card requested to reset TCP connection from interface_name : ip_addr / port to interface_name : ip_addr / port

Explanation The CXSC SSP requested that the ASA reset a TCP connection.

Recommended Action None required.

429004

Error Message %ASA-3-429004: Unable to set up authentication-proxy rule for the cx action on interface interface_name for policy_type service-policy.