Cisco ASA Series Syslog Messages
Syslog Messages 602101-780004

Syslog Messages 602101-802006

This chapter lists syslog messages 602101 through 802006 in numerical order. See Chapter 1 for syslog messages 101001 through 520025.

This chapter includes the following sections:

Messages 602101 to 634001

This section includes messages from 602101 to 634001.

602101

Error Message %ASA-6-602101: PMTU-D packet number bytes greater than effective mtu number dest_addr= dest_address , src_addr= source_address , prot= protocol

Explanation The ASA sent an ICMP destination unreachable message and fragmentation is needed.

Recommended Action Make sure that the data is sent correctly.

602103

Error Message %ASA-6-602103: IPSEC: Received an ICMP Destination Unreachable from src_addr with suggested PMTU of rcvd_mtu; PMTU updated for SA with peer peer_addr, SPI spi, tunnel name username, old PMTU old_mtu, new PMTU new_mtu.

Explanation The MTU of an SA was changed. When a packet is received for an IPsec tunnel, the corresponding SA is located and the MTU is updated based on the MTU suggested in the ICMP packet. If the suggested MTU is greater than 0 but less than 256, then the new MTU is set to 256. If the suggested MTU is 0, the old MTU is reduced by 256 or it is set to 256—whichever value is greater. If the suggested MTU is greater than 256, then the new MTU is set to the suggested value.

  • src_addr—IP address of the PMTU sender
  • rcvd_mtu—Suggested MTU received in the PMTU message
  • peer_addr—IP address of the IPsec peer
  • spi—IPsec Security Parameter Index
  • username—Username associated with the IPsec tunnel
  • old_mtu—Previous MTU associated with the IPsec tunnel
  • new_mtu—New MTU associated with the IPsec tunnel

Recommended Action None required.

602104

Error Message %ASA-6-602104: IPSEC: Received an ICMP Destination Unreachable from src_addr , PMTU is unchanged because suggested PMTU of rcvd_mtu is equal to or greater than the current PMTU of curr_mtu , for SA with peer peer_addr , SPI spi , tunnel name username .

Explanation An ICMP message was received indicating that a packet sent over an IPsec tunnel exceeded the path MTU, and the suggested MTU was greater than or equal to the current MTU. Because the MTU value is already correct, no MTU adjustment is made. This may happen when multiple PMTU messages are received from different intermediate stations, and the MTU is adjusted before the current PMTU message is processed.

  • src_addr —IP address of the PMTU sender
  • rcvd_mtu —Suggested MTU received in the PMTU message
  • curr_mtu —Current MTU associated with the IPsec tunnel
  • peer_addr —IP address of the IPsec peer
  • spi —IPsec Security Parameter Index
  • username —Username associated with the IPsec tunnel

Recommended Action None required.

602303

Error Message %ASA-6-602303: IPSEC: An direction tunnel_type SA (SPI= spi ) between local_IP and remote_IP ( username ) has been created.

Explanation A new SA was created.

  • direction—SA direction (inbound or outbound)
  • tunnel_type—SA type (remote access or L2L)
  • spi—IPsec Security Parameter Index
  • local_IP—IP address of the tunnel local endpoint
  • remote_IP—IP address of the tunnel remote endpoint
  • username —Username associated with the IPsec tunnel

Recommended Action None required.

602304

Error Message %ASA-6-602304: IPSEC: An direction tunnel_type SA (SPI= spi ) between local_IP and remote_IP ( username ) has been deleted.

Explanation An SA was deleted.

  • direction—SA direction (inbound or outbound)
  • tunnel_type—SA type (remote access or L2L)
  • spi—IPsec Security Parameter Index
  • local_IP—IP address of the tunnel local endpoint
  • remote_IP—IP address of the tunnel remote endpoint
  • username —Username associated with the IPsec tunnel

Recommended Action None required.

602305

Error Message %ASA-3-602305: IPSEC: SA creation error, source source address , destination destination address , reason error string

Explanation An error has occurred while creating an IPsec security association.

Recommended Action This is typically a transient error condition. If this message occurs consistently, contact the Cisco TAC.

603101

Error Message %ASA-6-603101: PPTP received out of seq or duplicate pkt, tnl_id= number , sess_id= number , seq= number .

Explanation The ASA received a PPTP packet that was out of sequence or duplicated.

Recommended Action If the packet count is high, contact the peer administrator to check the client PPTP configuration.

603102

Error Message %ASA-6-603102: PPP virtual interface interface_name - user: user aaa authentication started.

Explanation The ASA sent an authentication request to the AAA server.

Recommended Action None required.

603103

Error Message %ASA-6-603103: PPP virtual interface interface_name - user: user aaa authentication status

Explanation The ASA received an authentication response from the AAA server.

Recommended Action None required.

603104

Error Message %ASA-6-603104: PPTP Tunnel created, tunnel_id is number , remote_peer_ip is remote_address , ppp_virtual_interface_id is number , client_dynamic_ip is IP_address , username is user , MPPE_key_strength is string

Explanation A PPTP tunnel was created.

Recommended Action None required.

603105

Error Message %ASA-6-603105: PPTP Tunnel deleted, tunnel_id = number , remote_peer_ip= remote_address

Explanation A PPTP tunnel was deleted.

Recommended Action None required.

603106

Error Message %ASA-6-603106: L2TP Tunnel created, tunnel_id is number , remote_peer_ip is remote_address , ppp_virtual_interface_id is number , client_dynamic_ip is IP_address , username is user

Explanation An L2TP tunnel was created.

Recommended Action None required.

603107

Error Message %ASA-6-603107: L2TP Tunnel deleted, tunnel_id = number , remote_peer_ip = remote_address

Explanation An L2TP tunnel was deleted.

Recommended Action None required.

603108

Error Message %ASA-6-603108: Built PPTP Tunnel at interface_name , tunnel-id = number , remote-peer = IP_address , virtual-interface = number , client-dynamic-ip = IP_address , username = user , MPPE-key-strength = number

Explanation A new PPPoE tunnel was created.

Recommended Action None required.

603109

Error Message %ASA-6-603109: Teardown PPPOE Tunnel at interface_name , tunnel-id = number , remote-peer = IP_address

Explanation A new PPPoE tunnel was deleted.

Recommended Action None required.

603110

Error Message %ASA-4-603110: Failed to establish L2TP session, tunnel_id = tunnel_id , remote_peer_ip = peer_ip , user = username . Multiple sessions per tunnel are not supported

Explanation An attempt to establish a second session was detected and denied. Cisco does not support multiple L2TP sessions per tunnel.

  • tunnel_id —The L2TP tunnel ID
  • peer_ip —The peer IP address
  • username —The name of the authenticated user

Recommended Action None required.

604101

Error Message %ASA-6-604101: DHCP client interface interface_name : Allocated ip = IP_address , mask = netmask , gw = gateway_address

Explanation The ASA DHCP client successfully obtained an IP address from a DHCP server. The dhcpc command statement allows the ASA to obtain an IP address and network mask for a network interface from a DHCP server, as well as a default route. The default route statement uses the gateway address as the address of the default router.

Recommended Action None required.

604102

Error Message %ASA-6-604102: DHCP client interface interface_name : address released

Explanation The ASA DHCP client released an allocated IP address back to the DHCP server.

Recommended Action None required.

604103

Error Message %ASA-6-604103: DHCP daemon interface interface_name : address granted MAC_address ( IP_address )

Explanation The ASA DHCP server granted an IP address to an external client.

Recommended Action None required.

604104

Error Message %ASA-6-604104: DHCP daemon interface interface_name : address released build_number ( IP_address )

Explanation An external client released an IP address back to the ASA DHCP server.

Recommended Action None required.

604105

Error Message %ASA-4-604105: DHCPD: Unable to send DHCP reply to client hardware_address on interface interface_name . Reply exceeds options field size ( options_field_size ) by number_of_octets octets.

Explanation An administrator can configure the DHCP options to return to the DHCP client. Depending on the options that the DHCP client requests, the DHCP options for the offer could exceed the message length limits. A DHCP offer cannot be sent, because it will not fit within the message limits.

  • hardware_address —The hardware address of the requesting client.
  • interface_name— The interface to which server messages are being sent and received
  • options_field_size —The maximum options field length. The default is 312 octets, which includes 4 octets to terminate.
  • number_of_octets —The number of exceeded octets.

Recommended Action Reduce the size or number of configured DHCP options.

605004

Error Message %ASA-6-605004: Login denied from source-address/source-port to interface:destination/service for user “username”

The following form of the message appears when the user attempts to log in to the console:

Login denied from serial to console for user “username”
 

Explanation An incorrect login attempt or a failed login to the ASA occurred. For all logins, three attempts are allowed per session, and the session is terminated after three incorrect attempts. For SSH and Telnet logins, this message is generated after the third failed attempt or if the TCP session is terminated after one or more failed attempts. For other types of management sessions, this message is generated after every failed attempt.

  • source-address— Source address of the login attempt
  • source-port— Source port of the login attempt
  • interface— Destination management interface
  • destination— Destination IP address
  • service— Destination service
  • username— Destination management interface

Recommended Action If this message appears infrequently, no action is required. If this message appears frequently, it may indicate an attack. Communicate with the user to verify the username and password.

605005

Error Message %ASA-6-605005: Login permitted from source-address/source-port to interface:destination/service for user “username”

The following form of the message appears when the user logs in to the console:

Login permitted from serial to console for user “username”
 

Explanation A user was authenticated successfully, and a management session started.

  • source-address— Source address of the login attempt
  • source-port— Source port of the login attempt
  • interface— Destination management interface
  • destination— Destination IP address
  • service— Destination service
  • username— Destination management interface

Recommended Action None required.
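
Added example, not part of the Cisco documentation: a triage sketch for messages 605004 and 605005 that parses both documented forms (network and serial console) and flags sources with repeated denials, counting each SSH or Telnet 605004 message as one to three failed attempts, as the 605004 explanation states. The timestamp and hostname prefix, the sample lines, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: the log collector prepends a UTC ISO-8601 timestamp and a hostname.
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Both documented forms of 605004 (denied) and 605005 (permitted):
#   network: Login denied from src/sport to ifc:dst/service for user "name"
#   console: Login denied from serial to console for user "name"
# Straight and typographic quotes are both accepted around the username.
LOGIN_RE = re.compile(
    r'%ASA-6-(?P<id>605004|605005): Login (?P<outcome>denied|permitted) from '
    r'(?:(?P<src>[0-9A-Fa-f.:]+)\s*/\s*(?P<sport>\d+) to '
    r'(?P<ifc>[^:\s]+):(?P<dst>[0-9A-Fa-f.:]+)\s*/\s*(?P<service>\S+)'
    r'|(?P<serial>serial) to console) '
    r'for user ["\u201c](?P<user>[^"\u201d]*)["\u201d]'
)

# Constructed sample lines (documentation address ranges, hypothetical host "fw1").
SAMPLE_LINES = [
    '2024-05-01T10:00:05Z fw1 %ASA-6-605004: Login denied from 203.0.113.7/51514 to outside:198.51.100.1/ssh for user "admin"',
    '2024-05-01T10:00:40Z fw1 %ASA-6-605004: Login denied from 203.0.113.7/51530 to outside:198.51.100.1/ssh for user "root"',
    '2024-05-01T10:01:10Z fw1 %ASA-6-605004: Login denied from 203.0.113.7/51544 to outside:198.51.100.1/ssh for user "cisco"',
    '2024-05-01T10:02:00Z fw1 %ASA-6-605004: Login denied from 192.0.2.10/40000 to inside:10.0.0.1/https for user "alice"',
    '2024-05-01T10:02:20Z fw1 %ASA-6-605005: Login permitted from 192.0.2.10/40002 to inside:10.0.0.1/https for user "alice"',
    '2024-05-01T10:03:00Z fw1 %ASA-6-605005: Login permitted from 203.0.113.7/51560 to outside:198.51.100.1/ssh for user "cisco"',
    '2024-05-01T10:04:00Z fw1 %ASA-6-605004: Login denied from serial to console for user "ops"',
    '2024-05-01T10:04:30Z fw1 %ASA-6-606001: ASDM session number 0 from 192.0.2.10 started',
]


def parse_login(line):
    """Return a dict for a 605004/605005 line, or None for any other message."""
    m = LOGIN_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(line.split()[0], TS_FORMAT)
    ev["src"] = ev["src"] or "serial"  # console logins carry no address
    return ev


def attempt_bounds(ev):
    """(min, max) failed attempts one 605004 message can stand for.

    SSH/Telnet: logged after the third failure, or when the TCP session ends
    after one or more failures. Other sessions: logged on every failure.
    """
    if (ev["service"] or "").lower() in ("ssh", "telnet"):
        return (1, 3)
    return (1, 1)


def summarise(kind, ev, denied):
    bounds = [attempt_bounds(e) for e in denied]
    return {
        "kind": kind,
        "src": ev["src"],
        "user": ev["user"],
        "denied_messages": len(denied),
        "min_attempts": sum(lo for lo, _ in bounds),
        "max_attempts": sum(hi for _, hi in bounds),
        "users_tried": sorted({e["user"] for e in denied}),
    }


def detect(lines, threshold=3, window=timedelta(minutes=5)):
    """Scan time-ordered lines; alert on repeated denials per source.

    repeated_denied: `threshold` 605004 messages from one source within `window`.
    permitted_after_denied: a 605005 from a source that reached the threshold.
    """
    recent = defaultdict(deque)  # source -> denied events still inside the window
    alerts = []
    for line in lines:
        ev = parse_login(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        if ev["outcome"] == "denied":
            q.append(ev)
            if len(q) == threshold:
                alerts.append(summarise("repeated_denied", ev, q))
        elif len(q) >= threshold:
            alerts.append(summarise("permitted_after_denied", ev, q))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

A single denial followed by a successful login (the `alice` lines) stays below the threshold and produces no alert, which keeps ordinary mistyped passwords out of the results.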

606001

Error Message %ASA-6-606001: ASDM session number number from IP_address started

Explanation An administrator has been authenticated successfully, and an ASDM session started.

Recommended Action None required.

606002

Error Message %ASA-6-606002: ASDM session number number from IP_address ended

Explanation An ASDM session ended.

Recommended Action None required.

606003

Error Message %ASA-6-606003: ASDM logging session number id from IP_address started

Explanation An ASDM logging connection was started by a remote management client.

  • id —Session ID assigned
  • IP_address— IP address of the remote management client

Recommended Action None required.

606004

Error Message %ASA-6-606004: ASDM logging session number id from IP_address ended

Explanation An ASDM logging connection was terminated.

  • id —Session ID assigned
  • IP_address —IP address of remote management client

Recommended Action None required.

607001

Error Message %ASA-6-607001: Pre-allocate SIP connection_type secondary channel for interface_name:IP_address/port to interface_name:IP_address from string message

Explanation The fixup sip command preallocated a SIP connection after inspecting a SIP message. The connection_type is one of the following strings:

  • SIGNALLING UDP
  • SIGNALLING TCP
  • SUBSCRIBE UDP
  • SUBSCRIBE TCP
  • Via UDP
  • Route
  • RTP
  • RTCP

Recommended Action None required.

607002

Error Message %ASA-4-607002: action_class : action SIP req_resp req_resp_info from src_ifc : sip / sport to dest_ifc : dip / dport ; further_info

Explanation A SIP classification was performed on a SIP message, and the specified criteria were satisfied. As a result, the configured action occurs.

  • action_class —The class of the action: SIP Classification for SIP match commands or SIP Parameter for parameter commands
  • action —The action taken: Dropped, Dropped connection for, Reset connection for, or Masked header flags for
  • req_resp —Request or Response
  • req_resp_info —The SIP method name if the type is Request: INVITE or CANCEL. The SIP response code if the type is Response: 100, 183, 200.
  • src_ifc —The source interface name
  • sip —The source IP address
  • sport —The source port
  • dest_ifc —The destination interface name
  • dip —The destination IP address
  • dport —The destination port
  • further_info —More information appears for SIP match and SIP parameter commands, as follows:

For SIP match commands:

matched Class id : class-name

For example:

matched Class 1234: my_class
 

For SIP parameter commands:

parameter-command : descriptive-message

For example:

strict-header-validation: Mandatory header field Via is missing
state-checking: Message CANCEL is not permitted to create a Dialog.
 

Recommended Action None required.

607003

Error Message %ASA-6-607003: action_class : Received SIP req_resp req_resp_info from src_ifc : sip / sport to dest_ifc : dip / dport ; further_info

Explanation A SIP classification was performed on a SIP message, and the specified criteria were satisfied. As a result, the standalone log action occurs.

  • action_class —SIP classification for SIP match commands or SIP parameter for parameter commands
  • req_resp —Request or Response
  • req_resp_info —The SIP method name if the type is Request: INVITE or CANCEL. The SIP response code if the type is Response: 100, 183, 200.
  • src_ifc —The source interface name
  • sip —The source IP address
  • sport —The source port
  • dest_ifc —The destination interface name
  • dip —The destination IP address.
  • dport —The destination port.
  • further_info —More information appears for SIP match and SIP parameter commands, as follows:

For SIP match commands:

matched Class id : class-name

For example:

matched Class 1234: my_class
 

For SIP parameter commands:

parameter-command : descriptive-message

For example:

strict-header-validation: Mandatory header field Via is missing
state-checking: Message CANCEL is not permitted to create a Dialog.
 

Recommended Action None required.

607004

Error Message %ASA-4-607004: Phone Proxy: Dropping SIP message from src_if:src_ip / src_port to dest_if : dest_ip / dest_port with source MAC mac_address due to secure phone database mismatch.

Explanation The MAC address in the SIP message is compared with the secure database entries in addition to the IP address and interface. If they do not match, then the particular message is dropped.

Recommended Action None required.

608001

Error Message %ASA-6-608001: Pre-allocate Skinny connection_type secondary channel for interface_name:IP_address to interface_name:IP_address from string message

Explanation The inspect skinny command preallocated a Skinny connection after inspecting a Skinny message. The connection_type is one of the following strings:

  • SIGNALLING UDP
  • SIGNALLING TCP
  • SUBSCRIBE UDP
  • SUBSCRIBE TCP
  • Via UDP
  • Route
  • RTP
  • RTCP

Recommended Action None required.

608002

Error Message %ASA-4-608002: Dropping Skinny message for in_ifc : src_ip / src_port to out_ifc : dest_ip / dest_port , SCCP Prefix length value too small

Explanation A Skinny (SCCP) message was received with an SCCP prefix length less than the minimum length configured.

  • in_ifc —The input interface
  • src_ip —The source IP address of the packet
  • src_port —The source port of the packet
  • out_ifc —The output interface
  • dest_ip —The destination IP address of the packet
  • dest_port —The destination port of the packet
  • value —The SCCP prefix length of the packet

Recommended Action If the SCCP message is valid, then customize the Skinny policy map to increase the minimum length value of the SCCP prefix.

608003

Error Message %ASA-4-608003: Dropping Skinny message for in_ifc : src_ip / src_port to out_ifc : dest_ip / dest_port , SCCP Prefix length value too large

Explanation A Skinny (SCCP) message was received with an SCCP prefix length greater than the maximum length configured.

  • in_ifc —The input interface
  • src_ip —The source IP address of the packet
  • src_port —The source port of the packet
  • out_ifc —The output interface
  • dest_ip —The destination IP address of the packet
  • dest_port —The destination port of the packet
  • value —The SCCP prefix length of the packet

Recommended Action If the SCCP message is valid, then customize the Skinny policy map to increase the maximum length value of the SCCP prefix.

608004

Error Message %ASA-4-608004: Dropping Skinny message for in_ifc : src_ip / src_port to out_ifc : dest_ip / dest_port , message id value not allowed

Explanation This SCCP message ID is not allowed.

  • in_ifc —The input interface
  • src_ip —The source IP address of the packet
  • src_port —The source port of the packet
  • out_ifc —The output interface
  • dest_ip —The destination IP address of the packet
  • dest_port —The destination port of the packet
  • value —The SCCP prefix length of the packet

Recommended Action If the SCCP messages should be allowed, then customize the Skinny policy map to allow them.

608005

Error Message %ASA-4-608005: Dropping Skinny message for in_ifc : src_ip / src_port to out_ifc : dest_ip / dest_port , message id value registration not complete

Explanation This SCCP message ID is not allowed, because the endpoint did not complete registration.

  • in_ifc —The input interface
  • src_ip —The source IP address of the packet
  • src_port —The source port of the packet
  • out_ifc —The output interface
  • dest_ip —The destination IP address of the packet
  • dest_port —The destination port of the packet
  • value —The SCCP prefix length of the packet

Recommended Action If the SCCP messages that are being dropped are valid, then customize the Skinny policy map to disable registration enforcement.

608006

Error Message %ASA-4-608006: Phone Proxy: Dropping Skinny message from src_if : src_ip / src_port to dest_if : dest_ip / dest_port with source MAC mac_address due to secure phone database mismatch.

Explanation The MAC address in the Skinny message is compared with the secure database entries in addition to the IP address and interface. If they do not match, then the particular message is dropped.

Recommended Action None required.

609001

Error Message %ASA-7-609001: Built local-host zone-name/* : ip-address

Explanation A network state container was reserved for host ip-address connected to zone zone-name . The zone-name/* parameter is used if the interface on which the host is created is part of a zone. The asterisk symbolizes all interfaces because hosts do not belong to any one interface.

Recommended Action None required.

609002

Error Message %ASA-7-609002: Teardown local-host zone-name/* : ip-address duration time

Explanation A network state container for host ip-address connected to zone zone-name was removed. The zone-name/* parameter is used if the interface on which the host is created is part of a zone. The asterisk symbolizes all interfaces because hosts do not belong to any one interface.

Recommended Action None required.

610001

Error Message %ASA-3-610001: NTP daemon interface interface_name : Packet denied from IP_address

Explanation An NTP packet was received from a host that does not match one of the configured NTP servers. The ASA is only an NTP client; it is not a time server and does not respond to NTP requests.

Recommended Action None required.

610002

Error Message %ASA-3-610002: NTP daemon interface interface_name : Authentication failed for packet from IP_address

Explanation The received NTP packet failed the authentication check.

Recommended Action Make sure that both the ASA and the NTP server are set to use authentication, and the same key number and value.

610101

Error Message %ASA-6-610101: Authorization failed: Cmd: command Cmdtype: command_modifier

Explanation Command authorization failed for the specified command. The command_modifier is one of the following strings:

  • cmd (this string means the command has no modifier)
  • clear
  • no
  • show

If the ASA encounters any value other than the four command types listed, the message “unknown command type” appears.

Recommended Action None required.

611101

Error Message %ASA-6-611101: User authentication succeeded: Uname: user

Explanation User authentication succeeded when accessing the ASA.

Recommended Action None required.

611102

Error Message %ASA-6-611102: User authentication failed: IP = IP address

Explanation User authentication failed when attempting to access the ASA.

  • IP address — The IP address of the client that failed user authentication

Recommended Action None required.

611103

Error Message %ASA-5-611103: User logged out: Uname: user

Explanation The specified user logged out.

Recommended Action None required.

611104

Error Message %ASA-5-611104: Serial console idle timeout exceeded

Explanation The configured idle timeout for the ASA serial console was exceeded because of no user activity.

Recommended Action None required.

611301

Error Message %ASA-6-611301: VPNClient: NAT configured for Client Mode with no split tunneling: NAT address: mapped_address

Explanation The VPN client policy for client mode with no split tunneling was installed.

Recommended Action None required.

611302

Error Message %ASA-6-611302: VPNClient: NAT exemption configured for Network Extension Mode with no split tunneling

Explanation The VPN client policy for network extension mode with no split tunneling was installed.

Recommended Action None required.

611303

Error Message %ASA-6-611303: VPNClient: NAT configured for Client Mode with split tunneling: NAT address: mapped_address Split Tunnel Networks: IP_address / netmask IP_address / netmask

Explanation The VPN client policy for client mode with split tunneling was installed.

Recommended Action None required.

611304

Error Message %ASA-6-611304: VPNClient: NAT exemption configured for Network Extension Mode with split tunneling: Split Tunnel Networks: IP_address / netmask IP_address / netmask

Explanation The VPN client policy for network extension mode with split tunneling was installed.

Recommended Action None required.

611305

Error Message %ASA-6-611305: VPNClient: DHCP Policy installed: Primary DNS: IP_address Secondary DNS: IP_address Primary WINS: IP_address Secondary WINS: IP_address

Explanation The VPN client policy for DHCP was installed.

Recommended Action None required.

611306

Error Message %ASA-6-611306: VPNClient: Perfect Forward Secrecy Policy installed

Explanation Perfect forward secrecy was configured as part of the VPN client download policy.

Recommended Action None required.

611307

Error Message %ASA-6-611307: VPNClient: Head end: IP_address

Explanation The VPN client is connected to the specified headend.

Recommended Action None required.

611308

Error Message %ASA-6-611308: VPNClient: Split DNS Policy installed: List of domains: string string

Explanation A split DNS policy was installed as part of the VPN client downloaded policy.

Recommended Action None required.

611309

Error Message %ASA-6-611309: VPNClient: Disconnecting from head end and uninstalling previously downloaded policy: Head End: IP_address

Explanation A VPN client is disconnecting and uninstalling a previously installed policy.

Recommended Action None required.

611310

Error Message %ASA-6-611310: VNPClient: XAUTH Succeeded: Peer: IP_address

Explanation The VPN client Xauth succeeded with the specified headend.

Recommended Action None required.

611311

Error Message %ASA-6-611311: VNPClient: XAUTH Failed: Peer: IP_address

Explanation The VPN client Xauth failed with the specified headend.

Recommended Action None required.

611312

Error Message %ASA-6-611312: VPNClient: Backup Server List: reason

Explanation When the ASA is an Easy VPN remote device, the Easy VPN server downloaded a list of backup servers to the ASA. This list overrides any backup servers that you have configured locally. If the downloaded list is empty, then the ASA uses no backup servers. The reason is one of the following messages:

  • A list of backup server IP addresses
  • Received NULL list. Deleting current backup servers

Recommended Action None required.

611313

Error Message %ASA-3-611313: VPNClient: Backup Server List Error: reason

Explanation When the ASA is an Easy VPN remote device, and the Easy VPN server downloads a backup server list to the ASA, the list includes an invalid IP address or a hostname. The ASA does not support DNS, and therefore does not support hostnames for servers, unless you manually map a name to an IP address using the name command.

Recommended Action On the Easy VPN server, make sure that the server IP addresses are correct, and configure the servers as IP addresses instead of hostnames. If you must use hostnames on the server, use the name command on the Easy VPN remote device to map the IP addresses to names.

611314

Error Message %ASA-6-611314: VPNClient: Load Balancing Cluster with Virtual IP: IP_address has redirected the to server IP_address

Explanation When the ASA is an Easy VPN remote device, the master server of the load balancing cluster redirected the ASA to connect to a particular server.

Recommended Action None required.

611315

Error Message %ASA-6-611315: VPNClient: Disconnecting from Load Balancing Cluster member IP_address

Explanation When the ASA is an Easy VPN remote device, it disconnected from a load balancing cluster server.

Recommended Action None required.

611316

Error Message %ASA-6-611316: VPNClient: Secure Unit Authentication Enabled

Explanation When the ASA is an Easy VPN remote device, the downloaded VPN policy enabled SUA.

Recommended Action None required.

611317

Error Message %ASA-6-611317: VPNClient: Secure Unit Authentication Disabled

Explanation When the ASA is an Easy VPN remote device, the downloaded VPN policy disabled SUA.

Recommended Action None required.

611318

Error Message %ASA-6-611318: VPNClient: User Authentication Enabled: Auth Server IP: IP_address Auth Server Port: port Idle Timeout: time

Explanation When the ASA is an Easy VPN remote device, the downloaded VPN policy enabled IUA for users on the ASA inside network.

  • IP_address —The server IP address to which the ASA sends authentication requests.
  • port —The server port to which the ASA sends authentication requests
  • time —The idle timeout value for authentication credentials

Recommended Action None required.

611319

Error Message %ASA-6-611319: VPNClient: User Authentication Disabled

Explanation When the ASA is an Easy VPN remote device, the downloaded VPN policy disabled IUA for users on the ASA inside network.

Recommended Action None required.

611320

Error Message %ASA-6-611320: VPNClient: Device Pass Thru Enabled

Explanation When the ASA is an Easy VPN remote device, the downloaded VPN policy enabled device pass-through. The device pass-through feature allows devices that cannot perform authentication (such as an IP phone) to be exempt from authentication when IUA is enabled. If the Easy VPN server enabled this feature, you can specify the devices that should be exempt from authentication (IUA) using the vpnclient mac-exempt command on the ASA.

Recommended Action None required.

611321

Error Message %ASA-6-611321: VPNClient: Device Pass Thru Disabled

Explanation When the ASA is an Easy VPN remote device, the downloaded VPN policy disabled device pass-through.

Recommended Action None required.

611322

Error Message %ASA-6-611322: VPNClient: Extended XAUTH conversation initiated when SUA disabled

Explanation When the ASA is an Easy VPN remote device and the downloaded VPN policy disabled SUA, the Easy VPN server uses two-factor/SecurID/cryptocard-based authentication mechanisms to authenticate the ASA using XAUTH.

Recommended Action If you want the Easy VPN remote device to be authenticated using two-factor/SecurID/cryptocard-based authentication mechanisms, enable SUA on the server.

611323

Error Message %ASA-6-611323: VPNClient: Duplicate split nw entry

Explanation When the ASA is an Easy VPN remote device, the downloaded VPN policy included duplicate split network entries. An entry is considered a duplicate if it matches both the network address and the network mask.

Recommended Action Remove duplicate split network entries from the VPN policy on the Easy VPN server.

612001

Error Message %ASA-5-612001: Auto Update succeeded: filename , version: number

Explanation An update from an Auto Update server was successful. The filename variable is image, ASDM file, or configuration. The version number variable is the version number of the update.

Recommended Action None required.

612002

Error Message %ASA-4-612002: Auto Update failed: filename , version: number , reason: reason

Explanation An update from an Auto Update server failed.

  • filename —Either an image file, an ASDM file, or a configuration file.
  • number —The version number of the update.
  • reason —The failure reason, which may be one of the following:

      - Failover module failed to open stream buffer
      - Failover module failed to write data to stream buffer
      - Failover module failed to perform control operation on stream buffer
      - Failover module failed to open flash file
      - Failover module failed to write data to flash
      - Failover module operation timeout
      - Failover command link is down
      - Failover resource is not available
      - Invalid failover state on mate
      - Failover module encountered file transfer data corruption
      - Failover active state change
      - Failover command EXEC failed
      - The image cannot run on current system
      - Unsupported file type

Recommended Action Check the configuration of the Auto Update server. Check to see if the standby unit is in the failed state. If the Auto Update server is configured correctly, and the standby unit is not in the failed state, contact the Cisco TAC.

612003

Error Message %ASA-4-612003:Auto Update failed to contact: url , reason: reason

Explanation The Auto Update daemon was unable to contact the specified URL url, which can be the URL of the Auto Update server or one of the file server URLs returned by the Auto Update server. The reason field describes why the contact failed. Possible reasons for the failure include no response from the server, authentication failed, or a file was not found.

Recommended Action Check the configuration of the Auto Update server.

613001

Error Message %ASA-6-613001: Checksum Failure in database in area string Link State Id IP_address Old Checksum number New Checksum number

Explanation OSPF has detected a checksum error in the database because of memory corruption.

Recommended Action Restart the OSPF process.

613002

Error Message %ASA-6-613002: interface interface_name has zero bandwidth

Explanation The interface reported its bandwidth as zero.

Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.

613003

Error Message %ASA-6-613003: IP_address netmask changed from area string to area string

Explanation An OSPF configuration change has caused a network range to change areas.

Recommended Action Reconfigure OSPF with the correct network range.

613004

Error Message %ASA-3-613004: Internal error: memory allocation failure

Explanation An internal software error occurred.

Recommended Action Copy the error message exactly as it appears, and report it to Cisco TAC.

613005

Error Message %ASA-3-613005: Flagged as being an ABR without a backbone area

Explanation The router was flagged as an Area Border Router (ABR) without a backbone area in the router.

Recommended Action Restart the OSPF process.

613006

Error Message %ASA-3-613006: Reached unknown state in neighbor state machine

Explanation An internal software error in this router has resulted in an invalid neighbor state during database exchange.

Recommended Action Copy the error message, the configuration and any details about the events leading up to this error and submit them to Cisco TAC.

613007

Error Message %ASA-3-613007: area string lsid IP_address mask netmask type number

Explanation OSPF is trying to add an existing LSA to the database.

Recommended Action Copy the error message, the configuration and any details about the events leading up to this error and submit them to Cisco TAC.

613008

Error Message %ASA-3-613008: if inside if_state number

Explanation An internal error occurred.

Recommended Action Copy the error message, the configuration and any details about the events leading up to this error and submit them to Cisco TAC.

613011

Error Message %ASA-3-613011: OSPF process number is changing router-id. Reconfigure virtual link neighbors with our new router-id

Explanation An OSPF process is being reset, and it is going to select a new router ID. This action brings down all virtual links. To make them work again, the virtual link configuration needs to be changed on all virtual link neighbors.

Recommended Action Change the virtual link configuration on all the virtual link neighbors to reflect the new router ID.

613013

Error Message %ASA-3-613013: OSPF LSID IP_address adv IP_address type number gateway IP_address metric number forwarding addr route IP_address/mask type number has no corresponding LSA

Explanation OSPF found inconsistency between its database and the IP routing table.

Recommended Action Copy the error message, the configuration and any details about the events leading up to this error, and submit them to Cisco TAC.

613014

Error Message %ASA-6-613014: Base topology enabled on interface string attached to MTR compatible mode area string

Explanation OSPF interfaces attached to MTR-compatible OSPF areas require the base topology to be enabled.

Recommended Action None.

613015

Error Message %ASA-4-613015: Process 1 flushes LSA ID IP_address type-number adv-rtr IP_address in area mask

Explanation A router is extensively re-originating or flushing the LSA reported by this error message.

Recommended Action If this router is flushing the network LSA, it means the router received a network LSA whose LSA ID conflicts with the IP address of one of the router's interfaces and flushed the LSA out of the network. For OSPF to function correctly, the IP addresses of transit networks must be unique. Conflicting routers are the router reporting this error message and the router with the OSPF router ID reported as adv-rtr in this message. If this router is re-originating an LSA, it is highly probable that some other router is flushing this LSA out of the network. Find that router and avoid the conflict. The conflict for a Type-2 LSA may be due to a duplicate LSA ID. For a Type-5 LSA, it may be a duplicate router ID on the router reporting this error message and on the routers connected to a different area. In an unstable network, this message may also warn of extensive re-origination of the LSA for some other reason. Contact Cisco TAC to investigate this type of case.

613016

Error Message %ASA-3-613016: Area string router-LSA of length number bytes plus update overhead bytes is too large to flood.

Explanation The router tried to build a router-LSA that is larger than the huge system buffer size or the OSPF protocol imposed maximum.

Recommended Action If the reported total length (LSA size plus overhead) is larger than the huge system buffer size but less than 65535 bytes (the OSPF protocol imposed maximum), you may increase the huge system buffer size. If the reported total length is greater than 65535, you need to decrease the number of OSPF interfaces in the reported area.

613017

Error Message %ASA-4-613017: Bad LSA mask: Type number, LSID IP_address Mask mask from IP_address

Explanation The router received an LSA with an invalid LSA mask because of an incorrect configuration from the LSA originator. As a result, this route is not installed in the routing table.

Recommended Action Find the originating router of the LSA with the bad mask, then correct any misconfiguration of this LSA's network. For further debugging, call Cisco TAC for assistance.

613018

Error Message %ASA-4-613018: Maximum number of non self-generated LSA has been exceeded “OSPF number” - number LSAs

Explanation The maximum number of non self-generated LSAs has been exceeded.

Recommended Action Check whether or not a router in the network is generating a large number of LSAs as a result of a misconfiguration.

613019

Error Message %ASA-4-613019: Threshold for maximum number of non self-generated LSA has been reached "OSPF number" - number LSAs

Explanation The threshold for the maximum number of non self-generated LSAs has been reached.

Recommended Action Check whether or not a router in the network is generating a large number of LSAs as a result of a misconfiguration.

613021

Error Message %ASA-4-613021: Packet not written to the output queue

Explanation An internal error occurred.

Recommended Action Copy the error message, the configuration and any details about the events leading up to this error, and submit them to Cisco TAC.

613022

Error Message %ASA-4-613022: Doubly linked list linkage is NULL

Explanation An internal error occurred.

Recommended Action Copy the error message, the configuration and any details about the events leading up to this error, and submit them to Cisco TAC.

613023

Error Message %ASA-4-613023: Doubly linked list prev linkage is NULL number

Explanation An internal error occurred.

Recommended Action Copy the error message, the configuration and any details about the events leading up to this error, and submit them to Cisco TAC.

613024

Error Message %ASA-4-613024: Unrecognized timer number in OSPF string

Explanation An internal error occurred.

Recommended Action Copy the error message, the configuration and any details about the events leading up to this error, and submit them to Cisco TAC.

613025

Error Message %ASA-4-613025: Invalid build flag number for LSA IP_address, type number

Explanation An internal error occurred.

Recommended Action Copy the error message, the configuration and any details about the events leading up to this error, and submit them to Cisco TAC.

613026

Error Message %ASA-4-613026: Can not allocate memory for area structure

Explanation An internal error occurred.

Recommended Action Copy the error message, the configuration and any details about the events leading up to this error, and submit them to Cisco TAC.

613027

Error Message %ASA-6-613027: OSPF process number removed from interface interface_name

Explanation The OSPF process was removed from the interface because of an IP VRF.

Recommended Action None.

613028

Error Message %ASA-6-613028: Unrecognized virtual interface interface_name. Treat it as loopback stub route

Explanation The virtual interface type was not recognized by OSPF, so it is treated as a loopback interface stub route.

Recommended Action None.

613029

Error Message %ASA-3-613029: Router-ID IP_address is in use by ospf process number

Explanation The ASA attempted to assign a router ID that is in use by another process.

Recommended Action Configure another router ID for one of the processes.

613030

Error Message %ASA-4-613030: Router is currently an ASBR while having only one area which is a stub area

Explanation An ASBR must be attached to an area that can carry AS external or NSSA LSAs.

Recommended Action Make the area to which the router is attached into an NSSA or regular area.

613031

Error Message %ASA-4-613031: No IP address for interface inside

Explanation The interface is not point-to-point and is unnumbered.

Recommended Action Change the interface type or give the interface an IP address.

613032

Error Message %ASA-3-613032: Init failed for interface inside, area is being deleted. Try again.

Explanation The interface initialization failed. The possible reasons include the following:

  • The area to which the interface is being attached is being deleted.
  • It was not possible to create a neighbor datablock for the local router.

Recommended Action Remove the configuration command that covers the interface and then try it again.

613033

Error Message %ASA-3-613033: Interface inside is attached to more than one area

Explanation The interface is on the interface list for an area other than the one to which the interface links.

Recommended Action Copy the error message, the configuration and any details about the events leading up to this error, and submit them to Cisco TAC.

613034

Error Message %ASA-3-613034: Neighbor IP_address not configured

Explanation The configured neighbor options are not valid.

Recommended Action Check the configuration options for the neighbor command and correct the options or the network type for the neighbor's interface.

613035

Error Message %ASA-3-613035: Could not allocate or find neighbor IP_address

Explanation An internal error occurred.

Recommended Action Copy the error message exactly as it appears, and report it to Cisco TAC.

613036

Error Message %ASA-4-613036: Can not use configured neighbor: cost and database-filter options are allowed only for a point-to-multipoint network

Explanation The configured neighbor was found on an NBMA network and either the cost or database-filter option was configured. These options are only allowed on point-to-multipoint type networks.

Recommended Action Check the configuration options for the neighbor command and correct the options or the network type for the neighbor's interface.

613037

Error Message %ASA-4-613037: Can not use configured neighbor: poll and priority options are allowed only for a NBMA network

Explanation The configured neighbor was found on a point-to-multipoint network and either the poll or priority option was configured. These options are only allowed on NBMA-type networks.

Recommended Action Check the configuration options for the neighbor command and correct the options or the network type for the neighbor's interface.

613038

Error Message %ASA-4-613038: Can not use configured neighbor: cost or database-filter option is required for point-to-multipoint broadcast network

Explanation The configured neighbor was found on a point-to-multipoint broadcast network. Either the cost or database-filter option needs to be configured.

Recommended Action Check the configuration options for the neighbor command and correct the options or the network type for the neighbor's interface.

613039

Error Message %ASA-4-613039: Can not use configured neighbor: neighbor command is allowed only on NBMA and point-to-multipoint networks

Explanation The configured neighbor was found on a network for which the network type was neither NBMA nor point-to-multipoint.

Recommended Action None.

613040

Error Message %ASA-4-613040: OSPF-1 Area string: Router IP_address originating invalid type number LSA, ID IP_address, Metric number on Link ID IP_address Link Type number

Explanation The router indicated in this message has originated an LSA with an invalid metric. If this is a router LSA and the link metric is zero, a risk of routing loops and traffic loss in the network exists.

Recommended Action Configure a valid metric for the given LSA type and link type on the router originating the reported LSA.

613041

Error Message %ASA-6-613041: OSPF-100 Areav string: LSA ID IP_address, Type number, Adv-rtr IP_address, LSA counter DoNotAge

Explanation An internal error has corrected itself. There is no operational effect related to this error message.

Recommended Action Check the system memory. If memory is low, then the timer wheel functionality did not initialize. Try to reenter the commands when memory is available. If there is sufficient memory, then contact the Cisco TAC and provide output from the show memory, show processes, and show tech-support ospf commands.

613042

Error Message %ASA-4-613042: OSPF process number lacks forwarding address for type 7 LSA IP_address in NSSA string - P-bit cleared

Explanation There is no viable forwarding address in the NSSA area. As a result, the P-bit must be cleared and the Type 7 LSA is not translated into a Type 5 LSA by the NSSA translator. See RFC 3101.

Recommended Action Configure at least one interface in the NSSA with an advertised IP address. A loopback is preferable because an advertisement does not depend on the underlying layer 2 state.

613043

Error Message %ASA-6-613043:

Explanation A negative database reference count occurred.

Recommended Action Check the system memory. If memory is low, then the timer wheel functionality did not initialize. Try to reenter the commands when memory is available. If there is sufficient memory, then contact the Cisco TAC and provide output from the show memory, show processes, and show tech-support ospf commands.

613101

Error Message %ASA-6-613101: Checksum Failure in database in area s \n Link State Id i Old Checksum #x New Checksum #x \n

Explanation OSPF has detected a checksum error in the database because of memory corruption.

Recommended Action Restart the OSPF process.

613102

Error Message %ASA-6-613102: interface s has zero bandwidth

Explanation The interface reports its bandwidth as zero.

Recommended Action None required.

613103

Error Message %ASA-6-613103: i m changed from area AREA_ID_STR to area AREA_ID_STR

Explanation An OSPF configuration change has caused a network range to change areas.

Recommended Action None required.

613104

Error Message %ASA-6-613104: Unrecognized virtual interface IF_NAME .

Explanation The virtual interface type was not recognized by OSPFv3, so it is treated as a loopback interface stub route.

Recommended Action None required.

614001

Error Message %ASA-6-614001: Split DNS: request patched from server: IP_address to server: IP_address

Explanation Split DNS is redirecting DNS queries from the original destination server to the primary enterprise DNS server.

Recommended Action None required.

614002

Error Message %ASA-6-614002: Split DNS: reply from server: IP_address reverse patched back to original server: IP_address

Explanation Split DNS is redirecting DNS queries from the enterprise DNS server to the original destination server.

Recommended Action None required.

615001

Error Message %ASA-6-615001: vlan number not available for firewall interface

Explanation The switch removed the VLAN from the ASA.

Recommended Action None required.

615002

Error Message %ASA-6-615002: vlan number available for firewall interface

Explanation The switch added the VLAN to the ASA.

Recommended Action None required.

616001

Error Message %ASA-6-616001:Pre-allocate MGCP data_channel connection for inside_interface : inside_address to outside_interface : outside_address / port from message_type message

Explanation An MGCP data channel connection, RTP, or RTCP was preallocated. The message text also specifies which message has triggered the connection preallocation.

Recommended Action None required.

617001

Error Message %ASA-6-617001: GTPv version msg_type from source_interface : source_address / source_port not accepted by source_interface : dest_address / dest_port

Explanation A request was not accepted by the peer, which is usually seen with a Create PDP Context request.

Recommended Action None required.

617002

Error Message %ASA-6-617002: Removing v1 PDP Context with TID tid from GGSN IP_address and SGSN IP_address , Reason: reason or Removing v1 primary | secondary PDP Context with TID tid from GGSN IP_address and SGSN IP_address , Reason: reason

Explanation A PDP context was removed from the database either because it expired, a Delete PDP Context Request/Response was exchanged, or a user removed it using the CLI.

Recommended Action None required.

617003

Error Message %ASA-6-617003: GTP Tunnel created from source_interface : source_address / source_port to source_interface : dest_address / dest_port

Explanation A GTP tunnel was created after receiving a Create PDP Context Response that accepted the request.

Recommended Action None required.

617004

Error Message %ASA-6-617004: GTP connection created for response from source_interface : source_address / 0 to source_interface : dest_address / dest_port

Explanation The SGSN or GGSN signaling address in the Create PDP Context Request or Response, respectively, was different from the SGSN/GGSN sending it.

Recommended Action None required.

617100

Error Message %ASA-6-617100: Teardown num_conns connection(s) for user user_ip

Explanation The connections for this user were torn down because either a RADIUS accounting stop or RADIUS accounting start was received, which includes attributes that were configured in the policy map for a match. The attributes did not match those stored for the user entry, if the user entry exists.

  • num_conns —The number of connections torn down
  • user_ip —The IP address (framed IP attribute) of the user

Recommended Action None required.

620001

Error Message %ASA-6-620001: Pre-allocate CTIQBE {RTP | RTCP} secondary channel for interface_name : outside_address [/ outside_port ] to interface_name : inside_address [/ inside_port ] from CTIQBE_message_name message

Explanation The ASA preallocated a connection object for the specified CTIQBE media traffic. This message is rate limited to one message every 10 seconds.

Recommended Action None required.

620002

Error Message %ASA-4-620002: Unsupported CTIQBE version: hex : from interface_name : IP_address / port to interface_name : IP_address / port

Explanation The ASA received a CTIQBE message with an unsupported version number, and dropped the packet. This message is rate limited to one message every 10 seconds.

Recommended Action If the version number captured in the log message is unreasonably large (greater than 10), the packet may be malformed, a non-CTIQBE packet, or corrupted before it arrives at the ASA. We recommend that you determine the source of the packets. If the version number is reasonably small (less than or equal to 10), then contact the Cisco TAC to see if a new ASA image that supports this CTIQBE version is available.

621001

Error Message %ASA-6-621001: Interface interface_name does not support multicast, not enabled

Explanation An attempt was made to enable PIM on an interface that does not support multicast.

Recommended Action If the problem persists, contact the Cisco TAC.

621002

Error Message %ASA-6-621002: Interface interface_name does not support multicast, not enabled

Explanation An attempt was made to enable IGMP on an interface that does not support multicast.

Recommended Action If the problem persists, contact the Cisco TAC.

621003

Error Message %ASA-6-621003: The event queue size has exceeded number

Explanation The number of event managers created has exceeded the expected amount.

Recommended Action If the problem persists, contact the Cisco TAC.

621006

Error Message %ASA-6-621006: Mrib disconnected, ( IP_address , IP_address ) event cancelled

Explanation A packet triggering a data-driven event was received, but the connection to the MRIB was down. The notification was canceled.

Recommended Action If the problem persists, contact the Cisco TAC.

621007

Error Message %ASA-6-621007: Bad register from interface_name : IP_address to IP_address for ( IP_address , IP_address )

Explanation A PIM router configured as a rendezvous point or with NAT has received a PIM register packet from another PIM router. The data encapsulated in this packet is invalid.

Recommended Action The sending router is erroneously sending non-RFC registers. Upgrade the sending router.

622001

Error Message %ASA-6-622001: string tracked route network mask address , distance number , table string , on interface interface-name

Explanation A tracked route has been added to or removed from a routing table, which means that the state of the tracked object has changed between up and down.

  • string —Adding or Removing
  • network —The network address
  • mask —The network mask
  • address —The gateway address
  • number —The route administrative distance
  • string —The routing table name
  • interface-name —The interface name as specified by the nameif command

Recommended Action None required.

622101

Error Message %ASA-6-622101: Starting regex table compilation for match_command ; table entries = regex_num entries

Explanation Information on the background activities of regex compilation appears.

  • match_command —The match command to which the regex table is associated
  • regex_num —The number of regex entries to be compiled

Recommended Action None required.

622102

Error Message %ASA-6-622102: Completed regex table compilation for match_command ; table size = num bytes

Explanation Information on the background activities of the regex compilation appears.

  • match_command —The match command to which the regex table is associated
  • num —The size, in bytes, of the compiled table

Recommended Action None required.

634001

Error Message %ASA-6-634001: DAP: User user , Addr ipaddr , Connection connection ; The following DAP records were selected for this connection: DAP Record names

Explanation The DAP records selected for the connection appear.

  • user —The authenticated username
  • ipaddr —The IP address of the remote client
  • connection —The type of client connection:
      - IPsec—IPsec connection
      - AnyConnect—AnyConnect connection
      - Clientless—Web browser connection
      - Cut-Through-Proxy—Cut-Through-Proxy connection
      - L2TP—L2TP client connection
  • DAP record names —The comma-separated list of the DAP record names

Recommended Action None required.

Messages 701001 to 802006

This section includes messages from 701001 to 802006.

Most of the ISAKMP messages have a common set of prepended objects to help identify the tunnel. These objects precede the descriptive text of a message when available. If the object is not known at the time the message is generated, the specific heading = value combination will not be displayed.

The objects will be prepended as follows:

Group = groupname , Username = user , IP = IP_address ,...

Where the Group identifies the tunnel group, the Username is the username from the local database or AAA server, and the IP address is the public IP address of the remote access client or L2L peer.
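
The prepended objects can be split from the descriptive text before a message is matched against the entries below. The following parser is an added example, not Cisco code; the sample lines are constructed, and the function names `parse_isakmp` and `rejected_tunnels` are hypothetical. It assumes that object values contain no commas.

```python
import re

# %ASA-<severity>-<message id>: <text>
HEADER = re.compile(r"%ASA-(?P<severity>\d)-(?P<msg_id>\d{6}):\s*(?P<text>.*)$")

# One "heading = value" object at the current position, ended by a comma.
# Assumption of this example: the value itself contains no comma.
PREFIX_OBJ = re.compile(r"\s*(Group|Username|IP)\s*=\s*([^,]*?)\s*,\s*")


def parse_isakmp(line):
    """Split an ASA line into its prepended objects and descriptive text.

    Any of Group, Username and IP may be absent, because the ASA omits an
    object that is not known when the message is generated.
    """
    m = HEADER.search(line)
    if m is None:
        return None
    text = m.group("text")
    objects = {}
    pos = 0
    while True:
        obj = PREFIX_OBJ.match(text, pos)
        # Stop at the first token that is not a prefix object, or at a
        # repeated heading (that would belong to the descriptive text).
        if obj is None or obj.group(1) in objects:
            break
        objects[obj.group(1)] = obj.group(2)
        pos = obj.end()
    return {
        "severity": int(m.group("severity")),
        "msg_id": m.group("msg_id"),
        "group": objects.get("Group"),
        "username": objects.get("Username"),
        "ip": objects.get("IP"),
        "description": text[pos:].strip(),
    }


def rejected_tunnels(lines):
    """Return (msg_id, group, username, ip) for every 'Tunnel rejected' line.

    The catalogue capitalises the phrase inconsistently, so the comparison
    is case-insensitive.
    """
    hits = []
    for line in lines:
        rec = parse_isakmp(line)
        if rec and rec["description"].lower().startswith("tunnel rejected"):
            hits.append((rec["msg_id"], rec["group"], rec["username"], rec["ip"]))
    return hits


# Constructed sample lines (not captured from a real device).
SAMPLE = [
    "%ASA-3-713060: Group = sales, Username = alice, IP = 203.0.113.7, "
    "Tunnel Rejected: User (alice) not member of group (sales), "
    "group-lock check failed.",
    "%ASA-3-713061: Group = 198.51.100.9, IP = 198.51.100.9, "
    "Tunnel rejected: Crypto Map Policy not found for "
    "Src: 10.1.0.0, Dst: 10.2.0.0!",
    "%ASA-3-713048: IP = 192.0.2.44, Error processing payload: Payload ID: 1",
    "%ASA-7-713103: Invalid (NULL) secret key detected while computing hash",
]

if __name__ == "__main__":
    for entry in rejected_tunnels(SAMPLE):
        print(entry)
```

Keeping absent objects as `None` rather than empty strings lets a downstream rule tell "no username known yet" apart from an empty username.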

701001

Error Message %ASA-7-701001: alloc_user() out of Tcp_user objects

Explanation An AAA message that appears if the user authentication rate is too high for the module to handle new AAA requests.

Recommended Action Enable Flood Defender with the floodguard enable command.

701002

Error Message %ASA-7-701002: alloc_user() out of Tcp_proxy objects

Explanation An AAA message that appears if the user authentication rate is too high for the module to handle new AAA requests.

Recommended Action Enable Flood Defender with the floodguard enable command.

702305

Error Message %ASA-3-702305: IPSEC: An direction tunnel_type SA (SPI= spi ) between local_IP and remote_IP ( username ) is rekeying due to sequence number rollover.

Explanation More than four billion packets have been received in the IPsec tunnel, and a new tunnel is being negotiated.

  • direction—SA direction (inbound or outbound)
  • tunnel_type—SA type (remote access or L2L)
  • spi—IPsec Security Parameter Index
  • local_IP—IP address of the tunnel local endpoint
  • remote_IP—IP address of the tunnel remote endpoint
  • username —Username associated with the IPsec tunnel

Recommended Action Contact the peer administrator to compare the SA lifetime setting.

702307

Error Message %ASA-7-702307: IPSEC: An direction tunnel_type SA (SPI= spi ) between local_IP and remote_IP ( username ) is rekeying due to data rollover.

Explanation An SA data life span expired. An IPsec SA is rekeying as a result of the amount of data transmitted with that SA. This information is useful for debugging rekeying issues.

  • direction—SA direction (inbound or outbound)
  • tunnel_type—SA type (remote access or L2L)
  • spi—IPsec Security Parameter Index
  • local_IP—IP address of the tunnel local endpoint
  • remote_IP—IP address of the tunnel remote endpoint
  • username —Username associated with the IPsec tunnel

Recommended Action None required.

703001

Error Message %ASA-7-703001: H.225 message received from interface_name : IP_address / port to interface_name : IP_address / port is using an unsupported version number

Explanation The ASA received an H.323 packet with an unsupported version number. The ASA might reencode the protocol version field of the packet to the highest supported version.

Recommended Action Use the version of H.323 that the ASA supports in the VoIP network.

703002

Error Message %ASA-7-703002: Received H.225 Release Complete with newConnectionNeeded for interface_name : IP_address to interface_name : IP_address / port

Explanation The ASA received the specified H.225 message, and the ASA opened a new signaling connection object for the two specified H.323 endpoints.

Recommended Action None required.

709001, 709002

Error Message %ASA-7-709001: FO replication failed: cmd= command returned= code

Error Message %ASA-7-709002: FO unreplicable: cmd= command

Explanation Failover messages that only appear during the development debugging and testing phases.

Recommended Action None required.

709003

Error Message %ASA-1-709003: (Primary) Beginning configuration replication: Sending to mate.

Explanation A failover message that appears when the active unit starts replicating its configuration to the standby unit. Primary can also be listed as Secondary for the secondary unit.

Recommended Action None required.

709004

Error Message %ASA-1-709004: (Primary) End Configuration Replication (ACT)

Explanation A failover message that appears when the active unit completes replication of its configuration on the standby unit. Primary can also be listed as Secondary for the secondary unit.

Recommended Action None required.

709005

Error Message %ASA-1-709005: (Primary) Beginning configuration replication: Receiving from mate.

Explanation The standby ASA received the first part of the configuration replication from the active ASA. Primary can also be listed as Secondary for the secondary unit.

Recommended Action None required.

709006

Error Message %ASA-1-709006: (Primary) End Configuration Replication (STB)

Explanation A failover message that appears when the standby unit completes replication of a configuration sent by the active unit. Primary can also be listed as Secondary for the secondary unit.

Recommended Action None required.

709007

Error Message %ASA-2-709007: Configuration replication failed for command command

Explanation A failover message that appears when the standby unit is unable to complete replication of a configuration sent by the active unit. The command that caused the failure appears at the end of the message.

Recommended Action If the problem persists, contact the Cisco TAC.

709008

Error Message %ASA-4-709008: (Primary | Secondary) Configuration sync in progress. Command: ‘ command ’ executed from (terminal/http) will not be replicated to or executed by the standby unit.

Explanation A command was issued during the configuration sync, which triggered an interactive prompt to indicate that this command would not be issued on the standby unit. To continue, note that the command will be issued on the active unit only and will not be replicated on the standby unit.

  • Primary | Secondary—The device is either primary or secondary
  • command —The command issued while the configuration sync is in progress
  • terminal/http—Issued from the terminal or via HTTP.

Recommended Action None.

710001

Error Message %ASA-7-710001: TCP access requested from source_address / source_port to interface_name : dest_address / service

Explanation The first TCP packet destined to the ASA requests to establish a TCP session. This packet is the first SYN packet of the three-way handshake. This message appears when the respective service (Telnet, HTTP, or SSH) has permitted the packet. However, the SYN cookie verification is not yet completed and no state is reserved.

Recommended Action None required.

710002

Error Message %ASA-7-710002: {TCP|UDP} access permitted from source_address / source_port to interface_name : dest_address / service

Explanation For a TCP connection, the second TCP packet destined for the ASA requested to establish a TCP session. This packet is the final ACK of the three-way handshake. The respective service (Telnet, HTTP, or SSH) has permitted the packet. Also, the SYN cookie verification was successful and the state is reserved for the TCP session.

For a UDP connection, the connection was permitted. For example, the module received an SNMP request from an authorized SNMP management station, and the request has been processed. This message is rate limited to one message every 10 seconds.

Recommended Action None required.

710003

Error Message %ASA-3-710003: {TCP|UDP} access denied by ACL from source_IP/source_port to interface_name : dest_IP/service

Explanation The ASA denied an attempt to connect to the interface service. For example, the ASA received an SNMP request from an unauthorized SNMP management station. If this message appears frequently, it can indicate an attack.

For example:

%ASA-3-710003: UDP access denied by ACL from 95.1.1.14/5000 to outside:95.1.1.13/1005
 

Recommended Action Use the show run http , show run ssh , or show run telnet commands to verify that the ASA is configured to permit the service access from the host or network.

710004

Error Message %ASA-7-710004: TCP connection limit exceeded from Src_ip / Src_port to In_name : Dest_ip / Dest_port ( current connections/connection limit = Curr_conn/Conn_lmt)

Explanation The maximum number of ASA management connections for the service was exceeded. The ASA permits at most five concurrent management connections per management service. Alternatively, an error may have occurred in the to-the-box connection counter.

  • Src_ip —The source IP address of the packet
  • Src_port —The source port of the packet
  • In_ifc —The input interface
  • Dest_ip —The destination IP address of the packet
  • Dest_port —The destination port of the packet
  • Curr_conn —The number of current to-the-box admin connections
  • Conn_lmt —The connection limit

Recommended Action From the console, use the kill command to release the unwanted session. If the message was generated because of an error in the to-the-box counter, run the show conn all command to display connection details.

710005

Error Message %ASA-7-710005: {TCP|UDP} request discarded from source_address / source_port to interface_name : dest_address / service

Explanation The ASA does not have a UDP server that services the UDP request. Also, a TCP packet that does not belong to any session on the ASA may have been discarded. In addition, this message appears (with the SNMP service) when the ASA receives an SNMP request with an empty payload, even if it is from an authorized host. When the service is SNMP, this message occurs a maximum of once every 10 seconds so that the log receiver is not overwhelmed.

Recommended Action In networks that use broadcasting services such as DHCP, RIP, or NetBIOS extensively, the frequency of this message can be high. If this message appears in excessive numbers, it may indicate an attack.
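
Messages 710003 and 710005 both note that a high message rate may indicate an attack. The following sliding-window counter per source address is an added example, not Cisco code; the ISO-8601 timestamp prefix, the 60-second window, the threshold of 5, the sample lines, and the function names are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed line layout: "<ISO-8601 receive time> %ASA-<sev>-<id>: <text>".
# Only the two to-the-box messages that share one layout are matched.
LINE = re.compile(
    r"^(?P<ts>\S+)\s+%ASA-\d-(?P<msg_id>710003|710005):\s+(?P<proto>TCP|UDP)\s+"
    r"(?:access denied by ACL|request discarded)\s+from\s+"
    r"(?P<src>[^/\s]+)/(?P<sport>\d+)\s+to\s+"
    r"(?P<ifc>[^:\s]+):(?P<dst>[^/\s]+)/(?P<service>\S+)\s*$"
)


def parse(line):
    """Return the fields of a 710003/710005 line, or None for anything else."""
    m = LINE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def find_bursts(lines, window_s=60, threshold=5):
    """Report sources with at least `threshold` events inside `window_s` seconds.

    For each such source the busiest window is returned. Counts are a lower
    bound: the ASA rate-limits some of these messages (for example 710005
    for SNMP is emitted at most once every 10 seconds).
    """
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # src -> events still inside the window
    worst = {}
    for ev in events:
        q = recent[ev["src"]]
        q.append(ev)
        # Drop events that have fallen out of the window ending at ev.
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_s:
            q.popleft()
        best = worst.get(ev["src"], {}).get("count", 0)
        if len(q) >= threshold and len(q) > best:
            worst[ev["src"]] = {
                "count": len(q),
                "first": q[0]["ts"],
                "last": ev["ts"],
                "services": sorted({e["service"] for e in q}),
            }
    return worst


# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    f"2024-05-01T10:00:{sec:02d} %ASA-3-710003: TCP access denied by ACL "
    f"from 203.0.113.50/{40000 + sec} to outside:192.0.2.1/{svc}"
    for sec, svc in [(1, "22"), (4, "23"), (9, "443"),
                     (15, "22"), (22, "22"), (30, "23")]
] + [
    "2024-05-01T10:00:05 %ASA-3-710003: UDP access denied by ACL "
    "from 198.51.100.23/5000 to outside:192.0.2.1/161",
    "2024-05-01T10:07:40 %ASA-7-710005: UDP request discarded "
    "from 198.51.100.23/68 to inside:255.255.255.255/67",
    # 710002 (access permitted) is deliberately not counted.
    "2024-05-01T10:08:00 %ASA-7-710002: TCP access permitted "
    "from 192.0.2.77/51000 to inside:192.0.2.1/22",
]

if __name__ == "__main__":
    for src, info in find_bursts(SAMPLE).items():
        print(src, info["count"], info["services"])
```

In networks with heavy broadcast traffic, 710005 volume is expected, so the threshold should be tuned against a baseline before alerting on it.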

710006

Error Message %ASA-7-710006: protocol request discarded from source_address to interface_name : dest_address

Explanation The ASA does not have an IP server that services the IP protocol request; for example, the ASA receives IP packets that are not TCP or UDP, and the ASA cannot service the request.

Recommended Action In networks that use broadcasting services such as DHCP, RIP, or NetBIOS extensively, the frequency of this message can be high. If this message appears in excessive numbers, it may indicate an attack.

710007

Error Message %ASA-7-710007: NAT-T keepalive received from 86.1.161.1/1028 to outside:86:1.129.1/4500

Explanation The ASA received NAT-T keepalive messages.

Recommended Action None required.

711001

Error Message %ASA-7-711001: debug_trace_msg

Explanation You have entered the logging debug-trace command for the logging feature. When the logging debug-trace command is enabled, all debugging messages will be redirected to the message for processing. For security reasons, the message output must be encrypted or sent over a secure out-of-band network.

Recommended Action None required.

711002

Error Message %ASA-4-711002: Task ran for elapsed_time msecs, process = process_name , PC = PC Tracebeback = traceback

Explanation A process used the CPU for more than 100 milliseconds. This message is used for debugging CPU purposes, and can appear once every five seconds for each offending process.

  • PC —Instruction pointer of the CPU hogging process
  • traceback —Stack trace of the CPU hogging process, which can include up to 12 addresses

Recommended Action None required.

711003

Error Message %ASA-7-711003: Unknown/Invalid interface identifier( vpifnum ) detected.

Explanation An internal inconsistency that should not occur during normal operation has occurred. However, this message is not harmful if it rarely occurs. If it occurs frequently, it might be worthwhile debugging.

  • vpifnum —The 32-bit value corresponding to the interface

Recommended Action If the problem persists, contact the Cisco TAC.

711004

Error Message %ASA-4-711004: Task ran for msec msec, Process = process_name , PC = pc , Call stack = call stack

Explanation A process used the CPU for more than 100 milliseconds. This message is used for debugging CPU purposes, and can appear once every five seconds for each offending process.

  • msec —Length of the detected CPU hog in milliseconds
  • process_name —Name of the hogging process
  • pc —Instruction pointer of the CPU hogging process
  • call stack —Stack trace of the CPU hogging process, which can include up to 12 addresses

Recommended Action None required.

711005

Error Message %ASA-5-711005: Traceback: call_stack

Explanation An internal software error that should not occur has occurred. The device can usually recover from this error, and no harmful effect to the device results.

  • call_stack —The EIPs of the call stack

Recommended Action Contact the Cisco TAC.

711006

Error Message %ASA-7-711006: CPU profiling has started for n-samples samples. Reason: reason-string .

Explanation CPU profiling has started.

  • n-samples —The specified number of CPU profiling samples
  • reason-string —The possible values are:
      - “CPU utilization passed cpu-utilization %”
      - “Process process-name CPU utilization passed cpu-utilization %”
      - “None specified”

Recommended Action Collect CPU profiling results and provide them to Cisco TAC.

713004

Error Message %ASA-3-713004: device scheduled for reboot or shutdown, IKE key acquire message on interface interface num , for Peer IP_address ignored

Explanation The ASA has received an IKE packet from a remote entity trying to initiate a tunnel. Because the ASA is scheduled for a reboot or shutdown, it does not allow any more tunnels to be established. The IKE packet is ignored and dropped.

Recommended Action None required.

713201

Error Message %ASA-5-713201: Duplicate Phase Phase packet detected. Action

Explanation The ASA has received a duplicate of a previous Phase 1 or Phase 2 packet, and will transmit the last message. A network performance or connectivity issue may have occurred, in which the peer is not receiving sent packets in a timely manner.

  • Phase —Phase 1 or 2
  • Action —Retransmitting last packet, or No last packet to transmit.

Recommended Action Verify network performance or connectivity.

713202

Error Message %ASA-6-713202: Duplicate IP_addr packet detected.

Explanation The ASA has received a duplicate first packet for a tunnel that the ASA is already aware of and negotiating, which indicates that the ASA probably received a retransmission of a packet from the peer.

  • IP_addr —The IP address of the peer from which the duplicate first packet was received

Recommended Action None required, unless the connection attempt is failing. If this is the case, debug further and diagnose the problem.

713006

Error Message %ASA-5-713006: Failed to obtain state for message Id message_number , Peer Address: IP_address

Explanation The ASA does not know about the received message ID. The message ID is used to identify a specific IKE Phase 2 negotiation. An error condition on the ASA may have occurred, and may indicate that the two IKE peers are out-of-sync.

Recommended Action None required.

713008

Error Message %ASA-3-713008: Key ID in ID payload too big for pre-shared IKE tunnel

Explanation A key ID value was received in the ID payload, which was longer than the maximum allowed size of a group name for this IKE session using preshared keys authentication. This is an invalid value, and the session is rejected. Note that the key ID specified would never work because a group name of that size cannot be created in the ASA.

Recommended Action Make sure that the client peer (most likely an Altiga remote access client) specifies a valid group name. Notify the user to change the incorrect group name on the client. The current maximum length for a group name is 32 characters.

713009

Error Message %ASA-3-713009: OU in DN in ID payload too big for Certs IKE tunnel

Explanation An OU value in the DN was received in the ID payload, which was longer than the maximum allowed size of a group name for this IKE session using Certs authentication. This OU is skipped, and another OU or other criteria may find a matching group.

Recommended Action For the client to be able to use an OU to find a group in the ASA, the group name must be a valid length. The current maximum length of a group name is 32 characters.

713010

Error Message %ASA-5-713010: IKE area: failed to find centry for message Id message_number

Explanation An attempt was made to locate a conn_entry (IKE phase 2 structure that corresponds to an IPsec SA) using the unique message ID, which failed. The internal structure was not found, which may occur if a session was terminated in a nonstandard way, but it is more likely that an internal error occurred.

Recommended Action If this problem persists, investigate the peer.

713012

Error Message %ASA-3-713012: Unknown protocol ( protocol ). Not adding SA w/spi=SPI value

Explanation An illegal or unsupported IPsec protocol has been received from the peer.

Recommended Action Check the ISAKMP Phase 2 configuration on the peer(s) to make sure it is compatible with the ASA.

713014

Error Message %ASA-3-713014: Unknown Domain of Interpretation (DOI): DOI value

Explanation The ISAKMP DOI received from the peer is unsupported.

Recommended Action Check the ISAKMP DOI configuration on the peer.

713016

Error Message %ASA-3-713016: Unknown identification type, Phase 1 or 2, Type ID_Type

Explanation The ID received from the peer is unknown. The ID can be an unfamiliar valid ID or an invalid or corrupted ID.

Recommended Action Check the configuration on the headend and peer.

713017

Error Message %ASA-3-713017: Identification type not supported, Phase 1 or 2, Type ID_Type

Explanation The Phase 1 or Phase 2 ID received from the peer is legal, but not supported.

Recommended Action Check the configuration on the headend and peer.

713018

Error Message %ASA-3-713018: Unknown ID type during find of group name for certs, Type ID_Type

Explanation An internal software error has occurred.

Recommended Action If the problem persists, contact the Cisco TAC.

713020

Error Message %ASA-3-713020: No Group found by matching OU(s) from ID payload: OU_value

Explanation An internal software error has occurred.

Recommended Action If the problem persists, contact the Cisco TAC.

713022

Error Message %ASA-3-713022: No Group found matching peer_ID or IP_address for Pre-shared key peer IP_address

Explanation No group exists in the group database with the same name as the value (key ID or IP address) specified by the peer.

Recommended Action Verify the configuration on the peer.

713024

Error Message %ASA-7-713024: Group group IP ip Received local Proxy Host data in ID Payload: Address IP_address , Protocol protocol , Port port

Explanation The ASA has received the Phase 2 local proxy ID payload from the remote peer.

Recommended Action None required.

713025

Error Message %ASA-7-713025: Received remote Proxy Host data in ID Payload: Address IP_address , Protocol protocol , Port port

Explanation The ASA has received the Phase 2 local proxy ID payload from the remote peer.

Recommended Action None required.

713028

Error Message %ASA-7-713028: Received local Proxy Range data in ID Payload: Addresses IP_address - IP_address , Protocol protocol , Port port

Explanation The ASA has received the Phase 2 local proxy ID payload of the remote peer, which includes an IP address range.

Recommended Action None required.

713029

Error Message %ASA-7-713029: Received remote Proxy Range data in ID Payload: Addresses IP_address - IP_address , Protocol protocol , Port port

Explanation The ASA has received the Phase 2 local proxy ID payload of the remote peer, which includes an IP address range.

Recommended Action None required.

713032

Error Message %ASA-3-713032: Received invalid local Proxy Range IP_address - IP_address

Explanation The local ID payload included the range ID type, and the specified low address was not less than the high address. A configuration problem may exist.

Recommended Action Check the configuration of ISAKMP Phase 2 parameters.

713033

Error Message %ASA-3-713033: Received invalid remote Proxy Range IP_address - IP_address

Explanation The remote ID payload included the range ID type, and the specified low address was not less than the high address. A configuration problem may exist.

Recommended Action Check the configuration of ISAKMP Phase 2 parameters.

713034

Error Message %ASA-7-713034: Received local IP Proxy Subnet data in ID Payload: Address IP_address , Mask netmask , Protocol protocol , Port port

Explanation The local IP proxy subnet data has been received in the Phase 2 ID payload.

Recommended Action None required.

713035

Error Message %ASA-7-713035: Group group IP ip Received remote IP Proxy Subnet data in ID Payload: Address IP_address , Mask netmask , Protocol protocol , Port port

Explanation The remote IP proxy subnet data has been received in the Phase 2 ID payload.

Recommended Action None required.

713039

Error Message %ASA-7-713039: Send failure: Bytes ( number ), Peer: IP_address

Explanation An internal software error has occurred, and the ISAKMP packet cannot be transmitted.

Recommended Action If the problem persists, contact the Cisco TAC.

713040

Error Message %ASA-7-713040: Could not find connection entry and can not encrypt: msgid message_number

Explanation An internal software error has occurred, and a Phase 2 data structure cannot be found.

Recommended Action If the problem persists, contact the Cisco TAC.

713041

Error Message %ASA-5-713041: IKE Initiator: new or rekey Phase 1 or 2, Intf interface_number , IKE Peer IP_address local Proxy Address IP_address , remote Proxy Address IP_address , Crypto map ( crypto map tag )

Explanation The ASA is negotiating a tunnel as the initiator.

Recommended Action None required.

713042

Error Message %ASA-3-713042: IKE Initiator unable to find policy: Intf interface_number , Src: source_address , Dst: dest_address

Explanation The IPsec fast path processed a packet that triggered IKE, but the IKE policy lookup failed. This error may be timing related. The ACLs that triggered IKE might have been deleted before IKE processed the initiation request. This problem will most likely correct itself.

Recommended Action If the condition persists, check the L2L configuration, paying special attention to the type of ACL associated with crypto maps.

713043

Error Message %ASA-3-713043: Cookie/peer address IP_address session already in progress

Explanation IKE has been triggered again while the original tunnel is in progress.

Recommended Action None required.

713048

Error Message %ASA-3-713048: Error processing payload: Payload ID: id

Explanation A packet has been received with a payload that cannot be processed.

Recommended Action If this problem persists, a misconfiguration may exist on the peer.

713049

Error Message %ASA-5-713049: Security negotiation complete for tunnel_type type ( group_name ) Initiator / Responder , Inbound SPI = SPI , Outbound SPI = SPI

Explanation An IPsec tunnel has been started.

Recommended Action None required.

713050

Error Message %ASA-5-713050: Connection terminated for peer IP_address . Reason: termination reason Remote Proxy IP_address , Local Proxy IP_address

Explanation An IPsec tunnel has been terminated. Possible termination reasons include:

  • IPsec SA Idle Timeout
  • IPsec SA Max Time Exceeded
  • Administrator Reset
  • Administrator Reboot
  • Administrator Shutdown
  • Session Disconnected
  • Session Error Terminated
  • Peer Terminate

Recommended Action None required.

713052

Error Message %ASA-7-713052: User ( user ) authenticated.

Explanation The remote access user was authenticated.

Recommended Action None required.

713056

Error Message %ASA-3-713056: Tunnel rejected: SA ( SA_name ) not found for group ( group_name )!

Explanation The IPsec SA was not found.

Recommended Action If this is a remote access tunnel, check the group and user configuration, and verify that a tunnel group and group policy have been configured for the specific user group. For externally authenticated users and groups, check the returned authentication attributes.

713060

Error Message %ASA-3-713060: Tunnel Rejected: User ( user ) not member of group ( group_name ), group-lock check failed.

Explanation The user is configured for a different group than what was sent in the IPsec negotiation.

Recommended Action If you are using the Cisco VPN client and preshared keys, make sure that the group configured on the client is the same as the group associated with the user on the ASA. If you are using digital certificates, the group is dictated either by the OU field of the certificate, or the user automatically defaults to the remote access default group.

713061

Error Message %ASA-3-713061: Tunnel rejected: Crypto Map Policy not found for Src: source_address , Dst: dest_address !

Explanation The ASA was not able to find security policy information for the private networks or hosts indicated in the message. These networks or hosts were sent by the initiator and do not match any crypto ACLs at the ASA. This is most likely a misconfiguration.

Recommended Action Check the protected network configuration in the crypto ACLs on both sides and make sure that the local net on the initiator is the remote net on the responder and vice-versa. Pay special attention to wildcard masks, and host addresses versus network addresses. Non-Cisco implementations may have the private addresses labeled as proxy addresses or red networks.

713062

Error Message %ASA-3-713062: IKE Peer address same as our interface address IP_address

Explanation The IP address configured as the IKE peer is the same as the IP address configured on one of the ASA IP interfaces.

Recommended Action Check the L2L and IP interface configurations.

713063

Error Message %ASA-3-713063: IKE Peer address not configured for destination IP_address

Explanation The IKE peer address is not configured for an L2L tunnel.

Recommended Action Check the L2L configuration.

713065

Error Message %ASA-3-713065: IKE Remote Peer did not negotiate the following: proposal attribute

Explanation An internal software error has occurred.

Recommended Action If the problem persists, contact the Cisco TAC.

713066

Error Message %ASA-7-713066: IKE Remote Peer configured for SA: SA_name

Explanation The crypto policy settings of the peer have been configured.

Recommended Action None required.

713068

Error Message %ASA-5-713068: Received non-routine Notify message: notify_type (notify_value)

Explanation Notification messages that caused this event are not explicitly handled in the notify processing code.

Recommended Action Examine the specific reason to determine the action to take. Many notification messages indicate a configuration mismatch between the IKE peers.

713072

Error Message %ASA-3-713072: Password for user ( user ) too long, truncating to number characters

Explanation The password of the user is too long.

Recommended Action Correct password lengths on the authentication server.

713073

Error Message %ASA-5-713073: Responder forcing change of Phase 1 / Phase 2 rekeying duration from larger_value to smaller_value seconds

Explanation Rekeying durations are always set to the lower of the values proposed by IKE peers. The value of the initiator is the lower one.

Recommended Action None required.

713074

Error Message %ASA-5-713074: Responder forcing change of IPsec rekeying duration from larger_value to smaller_value Kbs

Explanation Rekeying durations are always set to the lower of the values proposed by IKE peers. The value of the initiator is the lower one.

Recommended Action None required.

713075

Error Message %ASA-5-713075: Overriding Initiator's IPsec rekeying duration from larger_value to smaller_value seconds

Explanation Rekeying durations are always set to the lower of the values proposed by IKE peers. The value of the responder is the lower one.

Recommended Action None required.

713076

Error Message %ASA-5-713076: Overriding Initiator's IPsec rekeying duration from larger_value to smaller_value Kbs

Explanation Rekeying durations are always set to the lower of the values proposed by IKE peers. The value of the responder is the lower one.

Recommended Action None required.

713078

Error Message %ASA-2-713078: Temp buffer for building mode config attributes exceeded: bufsize available_size , used value

Explanation An internal software error has occurred while processing modecfg attributes.

Recommended Action Disable any unnecessary tunnel group attributes, or shorten any text messages that are excessively long. If the problem persists, contact the Cisco TAC.

713081

Error Message %ASA-3-713081: Unsupported certificate encoding type encoding_type

Explanation One of the loaded certificates is unreadable, and may be an unsupported encoding scheme.

Recommended Action Check the configuration of digital certificates and trustpoints.

713082

Error Message %ASA-3-713082: Failed to retrieve identity certificate

Explanation The identity certificate for this tunnel cannot be found.

Recommended Action Check the configuration of digital certificates and trustpoints.

713083

Error Message %ASA-3-713083: Invalid certificate handle

Explanation The identity certificate for this tunnel cannot be found.

Recommended Action Check the configuration of digital certificates and trustpoints.

713084

Error Message %ASA-3-713084: Received invalid phase 1 port value ( port ) in ID payload

Explanation The port value received in the IKE phase 1 ID payload was incorrect. Acceptable values are 0 or 500 (ISAKMP is also known as IKE).

Recommended Action Make sure that a peer conforms to the IKE standards to avoid a network problem resulting in corrupted packets.

713085

Error Message %ASA-3-713085: Received invalid phase 1 protocol ( protocol ) in ID payload

Explanation The protocol value received in the IKE phase 1 ID payload was incorrect. Acceptable values are 0 or 17 (UDP).

Recommended Action Make sure that a peer conforms to the IKE standards to avoid a network problem resulting in corrupted packets.

713086

Error Message %ASA-3-713086: Received unexpected Certificate payload Possible invalid Auth Method (Auth method (auth numerical value))

Explanation A certificate payload was received, but our internal certificate handle indicates that we do not have an identity certificate. The certificate handle was not obtained through a normal enrollment method. One likely reason this can happen is that the authentication method is not made through RSA or DSS signatures, although the IKE SA negotiation should fail if each side is misconfigured.

Recommended Action Check the trustpoint and ISAKMP configuration settings on the ASA and its peer.

713088

Error Message %ASA-3-713088: Set Cert filehandle failure: no IPsec SA in group group_name

Explanation The tunnel group cannot be found, based on the digital certificate information.

Recommended Action Verify that the tunnel group is set up correctly to handle the certificate information of the peer.

713092

Error Message %ASA-5-713092: Failure during phase 1 rekeying attempt due to collision

Explanation An internal software error has occurred. This is often a benign event.

Recommended Action If the problem persists, contact the Cisco TAC.

713094

Error Message %ASA-7-713094: Cert validation failure: handle invalid for Main / Aggressive Mode Initiator / Responder !

Explanation An internal software error has occurred.

Recommended Action You may have to reenroll the trustpoint. If the problem persists, contact the Cisco TAC.

713098

Error Message %ASA-3-713098: Aborting: No identity cert specified in IPsec SA ( SA_name )!

Explanation An attempt was made to establish a certificate-based IKE session, but no identity certificate has been specified in the crypto policy.

Recommended Action Specify the identity certificate or trustpoint that you want to transmit to peers.

713099

Error Message %ASA-7-713099: Tunnel Rejected: Received NONCE length number is out of range!

Explanation An internal software error has occurred.

Recommended Action If the problem persists, contact the Cisco TAC.

713102

Error Message %ASA-3-713102: Phase 1 ID Data length number too long - reject tunnel!

Explanation IKE has received an ID payload that includes an identification data field of 2 K or larger.

Recommended Action None required.

713103

Error Message %ASA-7-713103: Invalid (NULL) secret key detected while computing hash

Explanation An internal software error has occurred.

Recommended Action If the problem persists, contact the Cisco TAC.

713104

Error Message %ASA-7-713104: Attempt to get Phase 1 ID data failed while hash computation

Explanation An internal software error has occurred.

Recommended Action If the problem persists, contact the Cisco TAC.

713105

Error Message %ASA-3-713105: Zero length data in ID payload received during phase 1 or 2 processing

Explanation A peer sent an ID payload without including any ID data, which is invalid.

Recommended Action Check the configuration of the peer.

713107

Error Message %ASA-3-713107: IP_Address request attempt failed!

Explanation An internal software error has occurred.

Recommended Action If the problem persists, contact the Cisco TAC.

713109

Error Message %ASA-3-713109: Unable to process the received peer certificate

Explanation The ASA was unable to process the certificate received from the remote peer, which can occur if the certificate data was malformed (for example, if the public key size is larger than 4096 bits) or if the data in the certificate cannot be stored by the ASA.

Recommended Action Try to reestablish the connection using a different certificate on the remote peer.

713112

Error Message %ASA-3-713112: Failed to process CONNECTED notify (SPI SPI_value )!

Explanation The ASA was unable to successfully process the notification payload that included the CONNECTED notify type. This may occur if the IKE phase 2 structure cannot be found using the SPI to locate it, or the commit bit had not been set in the received ISAKMP header. The latter case may indicate a nonconforming IKE peer.

Recommended Action If the problem persists, check the configuration of the peer and/or disable commit bit processing.

713113

Error Message %ASA-7-713113: Deleting IKE SA with associated IPsec connection entries. IKE peer: IP_address , SA address: internal_SA_address , tunnel count: count

Explanation An IKE SA is being deleted with a nonzero tunnel count, which means that either the IKE SA tunnel count has lost synchronization with the associated connection entries or the associated connection cookie fields for the entries have lost synchronization with the cookie fields of the IKE SA to which the connection entry points. If this occurs, the IKE SA and its associated data structures will not be freed, so that the entries that may point to it will not have a stale pointer.

Recommended Action None required. Error recovery is built-in.

713114

Error Message %ASA-7-713114: Connection entry (conn entry internal address) points to IKE SA ( SA_internal_address ) for peer IP_address , but cookies don't match

Explanation An internal software error has occurred.

Recommended Action If the problem persists, contact the Cisco TAC.

713115

Error Message %ASA-5-713115: Client rejected NAT enabled IPsec request, falling back to standard IPsec

Explanation The client rejected an attempt by the ASA to use IPsec over UDP. IPsec over UDP is used to allow multiple clients to establish simultaneous tunnels to the ASA through a NAT device. The client may have rejected the request, either because it does not support this feature or because it is configured not to use it.

Recommended Action Verify the configuration on the headend and peer.

713117

Error Message %ASA-7-713117: Received Invalid SPI notify (SPI SPI_Value )!

Explanation The IPsec SA identified by the SPI value is no longer active on the remote peer, which might indicate that the remote peer has rebooted or been reset.

Recommended Action This problem should correct itself once DPDs recognize that the peer no longer has the appropriate SAs established. If DPD is not enabled, this may require you to manually reestablish the affected tunnel.

713118

Error Message %ASA-3-713118: Detected invalid Diffie-Helmann group_descriptor group_number , in IKE area

Explanation The group_descriptor field included an unsupported value. Currently we support only groups 1, 2, 5, and 7. In the case of a centry, the group_descriptor field may also be set to 0 to indicate that perfect forward secrecy is disabled.

Recommended Action Check the peer Diffie-Hellman configuration.

713119

Error Message %ASA-5-713119: Group group IP ip PHASE 1 COMPLETED

Explanation IKE Phase 1 has completed successfully.

Recommended Action None required.

713120

Error Message %ASA-5-713120: PHASE 2 COMPLETED (msgid= msg_id )

Explanation IKE Phase 2 has completed successfully.

Recommended Action None required.

713121

Error Message %ASA-7-713121: Keep-alive type for this connection: keepalive_type

Explanation The type of keepalive mechanism that is being used for this tunnel is specified.

Recommended Action None required.

713122

Error Message %ASA-3-713122: Keep-alives configured keepalive_type but peer IP_address support keep-alives (type = keepalive_type )

Explanation Keepalives were configured on or off for this device, but the IKE peer does or does not support keepalives.

Recommended Action No action is required if this configuration is intentional. If it is not intentional, change the keepalive configuration on both devices.

713123

Error Message %ASA-3-713123: IKE lost contact with remote peer, deleting connection (keepalive type: keepalive_type )

Explanation The remote IKE peer did not respond to keepalives within the expected window of time, so the connection to the IKE peer was terminated. The message includes the keepalive mechanism used.

Recommended Action None required.

713124

Error Message %ASA-3-713124: Received DPD sequence number rcv_sequence_# in DPD Action, description expected seq #

Explanation The remote IKE peer sent a DPD with a sequence number that did not match the expected sequence number. The packet is discarded. This might indicate a packet loss problem with the network.

Recommended Action None required.

713127

Error Message %ASA-3-713127: Xauth required but selected Proposal does not support xauth, Check priorities of ike xauth proposals in ike proposal list

Explanation The peer wanted to perform XAUTH, but the ASA did not choose the XAUTH IKE proposal.

Recommended Action Check the priorities of the IKE xauth proposals in the IKE proposal list.

713128

Error Message %ASA-6-713128: Connection attempt to VCPIP redirected to VCA peer IP_address via load balancing

Explanation A connection attempt has been made to the VCPIP and has been redirected to a less loaded peer using load balancing.

Recommended Action None required.

713129

Error Message %ASA-3-713129: Received unexpected Transaction Exchange payload type: payload_id

Explanation An unexpected payload has been received during XAUTH or Mode Cfg, which may indicate that the two peers are out-of-sync, that the XAUTH or Mode Cfg versions do not match, or that the remote peer is not complying with the appropriate RFCs.

Recommended Action Verify the configuration between peers.

713130

Error Message %ASA-5-713130: Received unsupported transaction mode attribute: attribute id

Explanation The device received a request for a valid transaction mode attribute (XAUTH or Mode Cfg) that is currently not supported. This is generally a benign condition.

Recommended Action None required.

713131

Error Message %ASA-5-713131: Received unknown transaction mode attribute: attribute_id

Explanation The ASA has received a request for a transaction mode attribute (XAUTH or Mode Cfg) that is outside the range of known attributes. The attribute may be valid but only supported in later versions of configuration mode, or the peer may be sending an illegal or proprietary value. This should not cause connectivity problems, but may affect the functionality of the peer.

Recommended Action None required.

713132

Error Message %ASA-3-713132: Cannot obtain an IP_address for remote peer

Explanation A request for an IP address for a remote access client from the internal utility that provides these addresses cannot be satisfied.

Recommended Action Check the configuration of IP address assignment methods.

713133

Error Message %ASA-3-713133: Mismatch: Overriding phase 2 DH Group(DH group DH group_id ) with phase 1 group(DH group DH group_number

Explanation The configured Phase 2 PFS Group differed from the DH group that was negotiated for Phase 1.

Recommended Action None required.

713134

Error Message %ASA-3-713134: Mismatch: P1 Authentication algorithm in the crypto map entry different from negotiated algorithm for the L2L connection

Explanation The configured LAN-to-LAN proposal is different from the one accepted for the LAN-to-LAN connection. Depending on which side is the initiator, different proposals will be used.

Recommended Action None required.

713135

Error Message %ASA-5-713135: message received, redirecting tunnel to IP_address .

Explanation The tunnel is being redirected because of load balancing on the remote ASA. A REDIRECT_CONNECTION notify packet was received.

Recommended Action None required.

713136

Error Message %ASA-5-713136: IKE session establishment timed out [ IKE_state_name ], aborting!

Explanation The Reaper has detected an ASA stuck in an inactive state. The Reaper will try to remove the inactive ASA.

Recommended Action None required.

713137

Error Message %ASA-5-713137: Reaper overriding refCnt [ref_count] and tunnelCnt [tunnel_count] -- deleting SA!

Explanation An internal software error has occurred.

Recommended Action If the problem persists, contact the Cisco TAC.

713138

Error Message %ASA-3-713138: Group group_name not found and BASE GROUP default preshared key not configured

Explanation No group exists in the group database with the same name as the IP address of the peer. In Main Mode, the ASA will fall back and try to use the default preshared key configured in one of the default groups. The default preshared key is not configured.

Recommended Action Verify the configuration of the preshared keys.

713139

Error Message %ASA-5-713139: group_name not found, using BASE GROUP default preshared key

Explanation No tunnel group exists in the group database with the same name as the IP address of the peer. In Main Mode, the ASA will fall back and use the default preshared key configured in the default group.

Recommended Action None required.

713140

Error Message %ASA-3-713140: Split Tunneling Policy requires network list but none configured

Explanation The split tunneling policy is set to either split tunneling or to allow local LAN access. A split tunneling ACL must be defined to represent the information required by the VPN client.

Recommended Action Check the configuration of the ACLs.

713141

Error Message %ASA-3-713141: Client-reported firewall does not match configured firewall: action tunnel. Received -- Vendor: vendor(id) , Product product(id) , Caps: capability_value . Expected -- Vendor: vendor(id) , Product: product(id) , Caps: capability_value

Explanation The firewall installed on the client does not match the configured required firewall. This message lists the actual and expected values, and whether the tunnel is terminated or allowed.

Recommended Action You may need to install a different personal firewall on the client or change the configuration on the ASA.

713142

Error Message %ASA-3-713142: Client did not report firewall in use, but there is a configured firewall: action tunnel. Expected -- Vendor: vendor(id) , Product product(id) , Caps: capability_value

Explanation The client did not report a firewall in use using ModeCfg, but one is required. The event lists the expected values and whether the tunnel is terminated or allowed. Note that the number following the product string is a bitmask of all of the allowed products.

Recommended Action You may need to install a different personal firewall on the client or change the configuration on the ASA.

713143

Error Message %ASA-7-713143: Processing firewall record. Vendor: vendor(id) , Product: product(id) , Caps: capability_value , Version Number: version_number , Version String: version_text

Explanation Debugging information about the firewall installed on the client appears.

Recommended Action None required.

713144

Error Message %ASA-5-713144: Ignoring received malformed firewall record; reason - error_reason TLV type attribute_value correction

Explanation Bad firewall information was received from the client.

Recommended Action Check the personal configuration on the client and the ASA.

713145

Error Message %ASA-6-713145: Detected Hardware Client in network extension mode, adding static route for address: IP_address , mask: netmask

Explanation A tunnel with a hardware client in network extension mode has been negotiated, and a static route is being added for the private network behind the hardware client. This configuration enables the ASA to make the remote network known to all the routers on the private side of the headend.

Recommended Action None required.

713146

Error Message %ASA-3-713146: Could not add route for Hardware Client in network extension mode, address: IP_address , mask: netmask

Explanation An internal software error has occurred. A tunnel with a hardware client in network extension mode has been negotiated, and an attempt to add the static route for the private network behind the hardware client failed. The routing table may be full, or a possible addressing error has occurred.

Recommended Action If the problem persists, contact the Cisco TAC.

713147

Error Message %ASA-6-713147: Terminating tunnel to Hardware Client in network extension mode, deleting static route for address: IP_address , mask: netmask

Explanation A tunnel to a hardware client in network extension mode is being removed, and the static route for the private network behind the hardware client is being deleted.

Recommended Action None required.

713148

Error Message %ASA-5-713148: Terminating tunnel to Hardware Client in network extension mode, unable to delete static route for address: IP_address , mask: netmask

Explanation While a tunnel to a hardware client in network extension mode was being removed, a route to the private network behind the hardware client could not be deleted. This might indicate an addressing or software problem.

Recommended Action Check the routing table to ensure that the route is not there. If it is, it may have to be removed manually, but only if the tunnel to the hardware client has been completely removed.

713149

Error Message %ASA-3-713149: Hardware client security attribute attribute_name was enabled but not requested.

Explanation The headend ASA has the specified hardware client security attribute enabled, but the attribute was not requested by the VPN 3002 hardware client.

Recommended Action Check the configuration on the hardware client.

713152

Error Message %ASA-3-713152: Unable to obtain any rules from filter ACL_tag to send to client for CPP, terminating connection.

Explanation The client is required to use CPP to provision its ASA, but the headend device was unable to obtain any ACLs to send to the client. This is probably due to a misconfiguration.

Recommended Action Check the ACLs specified for CPP in the group policy for the client.

713154

Error Message %ASA-4-713154: DNS lookup for peer_description Server [ server_name ] failed!

Explanation This message appears when a DNS lookup for the specified server has not been resolved.

Recommended Action Check the DNS server configuration on the ASA. Also check the DNS server to ensure that it is operational and has hostname to IP address mapping.

713155

Error Message %ASA-5-713155: DNS lookup for Primary VPN Server [ server_name ] successfully resolved after a previous failure. Resetting any Backup Server init.

Explanation A previous DNS lookup failure for the primary server might have caused the ASA to initialize a backup peer. This message indicates that a later DNS lookup on the primary server finally succeeded and is resetting any backup server initializations. A tunnel initiated after this point will be aimed at the primary server.

Recommended Action None required.

713156

Error Message %ASA-5-713156: Initializing Backup Server [ server_name or IP_address ]

Explanation The client is failing over to a backup server, or a failed DNS lookup for the primary server caused the ASA to initialize a backup server. A tunnel initiated after this point will be aimed at the specified backup server.

Recommended Action None required.

713157

Error Message %ASA-4-713157: Timed out on initial contact to server [ server_name or IP_address ] Tunnel could not be established.

Explanation The client tried to initiate a tunnel by sending out IKE MSG1, but did not receive a response from the ASA on the other end. If backup servers are available, the client will attempt to connect to one of them.

Recommended Action Verify connectivity to the headend ASA.

713158

Error Message %ASA-5-713158: Client rejected NAT enabled IPsec Over UDP request, falling back to IPsec Over TCP

Explanation The client is configured to use IPsec over TCP. The client rejected the attempt by the ASA to use IPsec over UDP.

Recommended Action If TCP is desired, no action is required. Otherwise, check the client configuration.

713159

Error Message %ASA-3-713159: TCP Connection to Firewall Server has been lost, restricted tunnels are now allowed full network access

Explanation The TCP connection to the firewall server was lost for a reason such as a server reboot, a network problem, or an SSL mismatch.

Recommended Action If the server connection was lost after the initial connection was made, then the server and network connections must be checked. If the initial connection is lost immediately, this might indicate an SSL authentication problem.

713160

Error Message %ASA-7-713160: Remote user (session Id - id ) has been granted access by the Firewall Server

Explanation Normal authentication of the remote user to the firewall server has occurred.

Recommended Action None required.

713161

Error Message %ASA-3-713161: Remote user (session Id - id ) network access has been restricted by the Firewall Server

Explanation The firewall server has sent the ASA a message indicating that this user must be restricted. There are several reasons for this, including firewall software upgrades or changes in permissions. The firewall server will transition the user back into full access mode as soon as the operation has been completed.

Recommended Action No action is required unless the user is never transitioned back into full access state. If this does not happen, refer to the firewall server for more information on the operation that is being performed and the state of the firewall software running on the remote machine.

713162

Error Message %ASA-3-713162: Remote user (session Id - id ) has been rejected by the Firewall Server

Explanation The firewall server has rejected this user.

Recommended Action Check the policy information on the firewall server to make sure that the user is configured correctly.

713163

Error Message %ASA-3-713163: Remote user (session Id - id ) has been terminated by the Firewall Server

Explanation The firewall server has terminated this user session, which can occur if the integrity agent stops running on the client machine or if the security policy is modified by the remote user in any way.

Recommended Action Verify that the firewall software on the client machine is still running and that the policy is correct.

713164

Error Message %ASA-7-713164: The Firewall Server has requested a list of active user sessions

Explanation The firewall server will request the session information if it detects that it has stale data or if it loses the session data (because of a reboot).

Recommended Action None required.

713165

Error Message %ASA-3-713165: Client IKE Auth mode differs from the group's configured Auth mode

Explanation The client negotiated with preshared keys while its tunnel group points to a policy that is configured to use digital certificates.

Recommended Action Check the client configuration.

713166

Error Message %ASA-3-713166: Headend security gateway has failed our user authentication attempt - check configured username and password

Explanation The hardware client has failed extended authentication. This is most likely a username and password problem or an authentication server issue.

Recommended Action Verify that the configured username and password values on each side match. Also verify that the authentication server at the headend is operational.

713167

Error Message %ASA-3-713167: Remote peer has failed user authentication - check configured username and password

Explanation The remote user has failed extended authentication. This is most likely a username or password problem, or an authentication server issue.

Recommended Action Verify that the configured username and password values on each side match. Also verify that the authentication server being used to authenticate the remote user is operational.

713168

Error Message %ASA-3-713168: Re-auth enabled, but tunnel must be authenticated interactively!

Explanation Reauthentication on rekeying has been enabled, but the tunnel authentication requires manual intervention.

Recommended Action If manual intervention is desired, no action is required. Otherwise, check the interactive authentication configuration.

713169

Error Message %ASA-7-713169: IKE Received delete for rekeyed SA IKE peer: IP_address , SA address: internal_SA_address , tunnelCnt: tunnel_count

Explanation IKE has received a delete message from the remote peer to delete its old IKE SA after a rekey has completed.

Recommended Action None required.

713170

Error Message %ASA-7-713170: Group group IP ip IKE Received delete for rekeyed centry IKE peer: IP_address , centry address: internal_address , msgid: id

Explanation IKE has received a delete message from the remote peer to delete its old centry after Phase 2 rekeying is completed.

Recommended Action None required.

713171

Error Message %ASA-7-713171: NAT-Traversal sending NAT-Original-Address payload

Explanation UDP-Encapsulated-Transport was either proposed or selected during Phase 2. Send this payload for NAT-Traversal in this case.

Recommended Action None required.

713172

Error Message %ASA-6-713172: Automatic NAT Detection Status: Remote end is | is not behind a NAT device This end is | is not behind a NAT device

Explanation NAT-Traversal auto-detected NAT.

Recommended Action None required.

713174

Error Message %ASA-3-713174: Hardware Client connection rejected! Network Extension Mode is not allowed for this group!

Explanation A hardware client is attempting to tunnel in using network extension mode, but network extension mode is not allowed.

Recommended Action Verify the configuration of the network extension mode versus PAT mode.

713176

Error Message %ASA-2-713176: Device_type memory resources are critical, IKE key acquire message on interface interface_number , for Peer IP_address ignored

Explanation The ASA is processing data intended to trigger an IPsec tunnel to the indicated peer. Because memory resources are at a critical state, it is not initiating any more tunnels. The data packet has been ignored and dropped.

Recommended Action If the condition persists, verify that the ASA is efficiently configured. An ASA with increased memory may be required for this application.

713177

Error Message %ASA-6-713177: Received remote Proxy Host FQDN in ID Payload: Host Name: host_name Address IP_address , Protocol protocol , Port port

Explanation A Phase 2 ID payload containing an FQDN has been received from the peer.

Recommended Action None required.

713178

Error Message %ASA-5-713178: IKE Initiator received a packet from its peer without a Responder cookie

Explanation An internal software error has occurred.

Recommended Action If the problem persists, contact the Cisco TAC.

713179

Error Message %ASA-5-713179: IKE AM Initiator received a packet from its peer without a payload_type payload

Explanation An internal software error has occurred.

Recommended Action If the problem persists, contact the Cisco TAC.

713182

Error Message %ASA-3-713182: IKE could not recognize the version of the client! IPsec Fragmentation Policy will be ignored for this connection!

Explanation An internal software error has occurred.

Recommended Action If the problem persists, contact the Cisco TAC.

713184

Error Message %ASA-6-713184: Client Type: Client_type Client Application Version: Application_version_string

Explanation The client operating system and application version appear. If the information is not available, then N/A will be indicated.

Recommended Action None required.

713185

Error Message %ASA-3-713185: Error: Username too long - connection aborted

Explanation The client returned an invalid length username, and the tunnel was torn down.

Recommended Action Check the username and make changes, if necessary.

713186

Error Message %ASA-3-713186: Invalid secondary domain name list received from the authentication server. List Received: list_text Character index ( value ) is illegal

Explanation An invalid secondary domain name list was received from an external RADIUS authentication server. When split tunnelling is used, this list identifies the domains that the client should resolve through the tunnel.

Recommended Action Correct the specification of the Secondary-Domain-Name-List attribute (vendor-specific attribute 29) on the RADIUS server. The list must be specified as a comma-delimited list of domain names. Domain names may include only alphanumeric characters, a hyphen, an underscore, and a period.

713187

Error Message %ASA-7-713187: Tunnel Rejected: IKE peer does not match remote peer as defined in L2L policy IKE peer address: IP_address , Remote peer address: IP_address

Explanation The IKE peer that is attempting to bring up this tunnel is not the one that is configured in the ISAKMP configuration that is bound to the received remote subnet.

Recommended Action Verify that L2L settings are correct on the headend and peer.

713189

Error Message %ASA-3-713189: Attempted to assign network or broadcast IP_address , removing ( IP_address ) from pool.

Explanation The IP address from the pool is either the network or broadcast address for this subnet. This address will be marked as unavailable.

Recommended Action This error is generally benign, but the IP address pool configuration should be checked.

713190

Error Message %ASA-7-713190: Got bad refCnt ( ref_count_value ) assigning IP_address ( IP_address )

Explanation The reference counter for this SA is invalid.

Recommended Action None required.

713191

Error Message %ASA-3-713191: Maximum concurrent IKE negotiations exceeded!

Explanation To minimize CPU-intensive cryptographic calculations, the ASA limits the number of connection negotiations in progress. When a new negotiation is requested and the ASA is already at its limit, the new negotiation is rejected. When an existing connection negotiation completes, new connection negotiation will again be permitted.

Recommended Action See the crypto ikev1 limit max-in-negotiation-sa command. Increasing the limit can degrade performance.
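
Several of the entries above (713139, 713159, 713167, 713187, 713191) are worth watching for in a log stream, and all can be picked out by their %ASA-severity-id header. The following Python is an added example, not Cisco code; the sample lines, host name, timestamps, and alert thresholds are constructed assumptions, and the address pattern handles IPv4 only.

```python
import re
from collections import Counter

# Every entry in this chapter shares the header %ASA-<severity>-<id>: <text>.
ASA_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")

# IDs from this section and why they matter, paraphrased from each Explanation.
# The second value is an assumed alerting threshold, not a Cisco value.
WATCHLIST = {
    "713139": ("no tunnel group for peer, default preshared key used", 1),
    "713159": ("firewall server lost, restricted tunnels get full access", 1),
    "713167": ("remote peer failed user authentication", 3),
    "713187": ("IKE peer differs from the peer in the L2L policy", 1),
    "713191": ("maximum concurrent IKE negotiations exceeded", 2),
}

# 713187 is the only watched message whose template carries peer addresses.
PEER_RE = re.compile(
    r"IKE peer address: (?P<ike>[0-9.]+) ?, Remote peer address: (?P<remote>[0-9.]+)"
)


def parse(line):
    """Return (severity, msg_id, text), or None if the line has no ASA header."""
    m = ASA_RE.search(line.strip())
    if m is None:
        return None
    return int(m.group("sev")), m.group("id"), m.group("text")


def triage(lines):
    """Count watched message IDs and return those that reach their threshold."""
    counts = Counter()
    peers = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None or parsed[1] not in WATCHLIST:
            continue
        msg_id, text = parsed[1], parsed[2]
        counts[msg_id] += 1
        m = PEER_RE.search(text)
        if m:
            peers.setdefault(msg_id, []).append((m.group("ike"), m.group("remote")))
    findings = []
    for msg_id in sorted(counts):
        reason, min_count = WATCHLIST[msg_id]
        if counts[msg_id] >= min_count:
            findings.append({
                "id": msg_id,
                "count": counts[msg_id],
                "reason": reason,
                "peers": peers.get(msg_id, []),
            })
    return findings


# Constructed sample lines: message text follows the templates in this chapter,
# everything before the % sign is an assumed syslog prefix.
P = "Mar 04 2024 10:15:0{} asa-edge : "
SAMPLE_LOG = [
    P.format(0) + "%ASA-5-713119: Group vpn-users IP 198.51.100.7 PHASE 1 COMPLETED",
    P.format(1) + "%ASA-3-713167: Remote peer has failed user authentication - "
                  "check configured username and password",
    P.format(2) + "%ASA-3-713167: Remote peer has failed user authentication - "
                  "check configured username and password",
    P.format(3) + "%ASA-3-713159: TCP Connection to Firewall Server has been lost, "
                  "restricted tunnels are now allowed full network access",
    P.format(4) + "%ASA-7-713187: Tunnel Rejected: IKE peer does not match remote "
                  "peer as defined in L2L policy IKE peer address: 203.0.113.9 , "
                  "Remote peer address: 203.0.113.20",
    P.format(5) + "%ASA-3-713191: Maximum concurrent IKE negotiations exceeded!",
    P.format(6) + "%ASA-3-713191: Maximum concurrent IKE negotiations exceeded!",
    P.format(7) + "%ASA-3-713191: Maximum concurrent IKE negotiations exceeded!",
    "line without an ASA header is ignored",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

In the sample, the two 713167 lines stay below the assumed threshold of three and are not reported, while the single 713159 line is reported immediately because it marks restricted tunnels gaining full network access.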

713193

Error Message %ASA-3-713193: Received packet with missing payload, Expected payload: payload_id

Explanation The ASA received an encrypted or unencrypted packet of the specified exchange type that had one or more missing payloads. This usually indicates a problem on the peer.

Recommended Action Verify that the peer is sending valid IKE messages.

713194

Error Message %ASA-3-713194: Sending IKE | IPsec Delete With Reason message: termination_reason

Explanation A delete message with a termination reason code was received.

Recommended Action None required.

713195

Error Message %ASA-3-713195: Tunnel rejected: Originate-Only: Cannot accept incoming tunnel yet!

Explanation The originate-only peer can accept incoming connections only after it brings up the first P2 tunnel. At that point, data from either direction can initiate additional Phase 2 tunnels.

Recommended Action If a different behavior is desired, the originate-only configuration needs to be revised.

713196

Error Message %ASA-5-713196: Remote L2L Peer IP_address initiated a tunnel with same outer and inner addresses. Peer could be Originate Only - Possible misconfiguration!

Explanation The remote L2L peer has initiated a public-public tunnel. The remote L2L peer expects a response from the peer at the other end, but does not receive one, because of a possible misconfiguration.

Recommended Action Check the L2L configuration on both sides.

713197

Error Message %ASA-5-713197: The configured Confidence Interval of number seconds is invalid for this tunnel_type connection. Enforcing the second default.

Explanation The configured confidence interval in the group is outside of the valid range.

Recommended Action Check the confidence setting in the group to make sure it is within the valid range.

713198

Error Message %ASA-3-713198: User Authorization failed: user User authorization failed. Username could not be found in the certificate

Explanation A reason string that states that a username cannot be found in the certificate appears.

Recommended Action Check the group configuration and client authorization.

713199

Error Message %ASA-5-713199: Reaper corrected an SA that has not decremented the concurrent IKE negotiations counter ( counter_value )!

Explanation The Reaper corrected an internal software error.

Recommended Action If the problem persists, contact the Cisco TAC.

713203

Error Message %ASA-3-713203: IKE Receiver: Error reading from socket.

Explanation An error occurred while reading a received IKE packet. This is generally an internal error and might indicate a software problem.

Recommended Action This problem is usually benign, and the system will correct itself. If the problem persists, contact the Cisco TAC.

713204

Error Message %ASA-7-713204: Adding static route for client address: IP_address

Explanation This message indicates that a route to the peer-assigned address or to the networks protected by a hardware client was added to the routing table.

Recommended Action None required.

713205

Error Message %ASA-3-713205: Could not add static route for client address: IP_address

Explanation An attempt to add a route to the client-assigned address or to the networks protected by a hardware client failed. This might indicate duplicate routes in the routing table or a corrupted network address. The duplicate routes might be caused by routes that were not cleaned up correctly or by having multiple clients sharing networks or addresses.

Recommended Action Check the IP local pool configuration as well as any other IP address-assigning mechanism being used (for example, DHCP or RADIUS). Make sure that routes are being cleared from the routing table. Also check the configuration of networks and/or addresses on the peer.

713206

Error Message %ASA-3-713206: Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

Explanation A tunnel was dropped because the allowed tunnel specified in the group policy was different from the allowed tunnel in the tunnel group configuration.

Recommended Action Check the tunnel group and group policy configuration.

713208

Error Message %ASA-3-713208: Cannot create dynamic rule for Backup L2L entry rule rule_id

Explanation A failure occurred in creating the ACLs that trigger IKE and allow IPsec data to be processed properly. The failure was specific to the backup L2L configuration, which may indicate a configuration error, a capacity error, or an internal software error.

Recommended Action If the ASA is running the maximum number of connections and VPN tunnels, there may be a memory issue. If not, check the backup L2L and crypto map configurations, specifically the ACLs associated with the crypto maps.

713209

Error Message %ASA-3-713209: Cannot delete dynamic rule for Backup L2L entry rule id

Explanation A failure occurred in deleting the ACLs that trigger IKE and allow IPsec data to be processed correctly. The failure was specific to the backup L2L configuration. This may indicate an internal software error.

Recommended Action If the problem persists, contact the Cisco TAC.

713210

Error Message %ASA-3-713210: Cannot create dynamic map for Backup L2L entry rule_id

Explanation A failure occurred in creating a run-time instance of the dynamic crypto map associated with backup L2L configuration. This may indicate a configuration error, a capacity error, or an internal software error.

Recommended Action If the ASA is running the maximum number of connections and VPN tunnels, there may be a memory issue. If not, check the backup L2L and crypto map configurations, and specifically the ACLs associated with the crypto maps.

713211

Error Message %ASA-6-713211: Adding static route for L2L peer coming in on a dynamic map. address: IP_address , mask: netmask

Explanation The ASA is adding a route for the private address or networks of the peer. In this case, the peer is either a client or a L2L peer with an unknown address. Both of these cases use dynamic crypto maps to allow the tunnel.

Recommended Action None required.

713212

Error Message %ASA-3-713212: Could not add route for L2L peer coming in on a dynamic map. address: IP_address , mask: netmask

Explanation The ASA failed while attempting to add a route for the private address or networks of the peer. In this case, the peer is either a client or a L2L peer with an unknown address. Both of these cases use dynamic crypto maps to allow the tunnel. This might indicate duplicate routes, a full routing table, or a failure of the ASA to remove previously used routes.

Recommended Action Check the routing table to make sure there is room for additional routes and that obsolete routes are not present. If the table is full or includes obsolete routes, remove the routes and try again. If the problem persists, contact the Cisco TAC.

713213

Error Message %ASA-6-713213: Deleting static route for L2L peer that came in on a dynamic map. address: IP_address , mask: netmask

Explanation The ASA is deleting a route for the private address or networks of the peer. In this case, the peer is either a client or a L2L peer with an unknown address. Both of these cases use dynamic crypto maps to allow the tunnel.

Recommended Action None required.

713214

Error Message %ASA-3-713214: Could not delete route for L2L peer that came in on a dynamic map. address: IP_address , mask: netmask

Explanation The ASA experienced a failure while deleting a route for the private address or networks of the peer. In this case, the peer is either a client or a L2L peer with an unknown address. Both of these cases use dynamic crypto maps to allow the tunnel. The route may have already been deleted, or an internal software error has occurred.

Recommended Action If the route has already been deleted, the condition is benign and the device will function normally. If the problem persists or can be linked to routing issues over VPN tunnels, then check the routing and addressing portions of the VPN L2L configuration. Check the reverse route injection and the ACLs associated with the appropriate crypto map. If the problem persists, contact the Cisco TAC.

713215

Error Message %ASA-6-713215: No match against Client Type and Version rules. Client: type version is / is not allowed by default

Explanation The client type and the version of a client did not match any of the rules configured on the ASA. The default action appears.

Recommended Action Determine what the default action and deployment requirements are, and make the applicable changes.

713216

Error Message %ASA-5-713216: Rule: action [Client type]: version Client: type version allowed/not allowed

Explanation The client type and the version of a client have matched one of the rules. The results of the match and the rule are displayed.

Recommended Action Determine what the deployment requirements are, and make the appropriate changes.

713217

Error Message %ASA-3-713217: Skipping unrecognized rule: action: action client type: client_type client version: client_version

Explanation A malformed client type and version rule exists. The required format is action client type | client version action. Either permit or deny client type and client version are displayed under Session Management. Only one wildcard per parameter (*) is supported.

Recommended Action Correct the rule.

713218

Error Message %ASA-3-713218: Tunnel Rejected: Client Type or Version not allowed.

Explanation The client was denied access according to the configured rules.

Recommended Action None required.

713219

Error Message %ASA-6-713219: Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Explanation Phase 2 messages are being enqueued after Phase 1 completes.

Recommended Action None required.

713220

Error Message %ASA-6-713220: De-queuing KEY-ACQUIRE messages that were left pending.

Explanation Queued Phase 2 messages are being processed.

Recommended Action None required.

713221

Error Message %ASA-7-713221: Static Crypto Map check, checking map = crypto_map_tag , seq = seq_number...

Explanation The ASA is iterating through the crypto maps looking for configuration information.

Recommended Action None required.

713222

Error Message %ASA-7-713222: Group group Username username IP ip Static Crypto Map check, map = crypto_map_tag , seq = seq_number , ACL does not match proxy IDs src: source_address dst: dest_address

Explanation While iterating through the configured crypto maps, the ASA cannot match any of the associated ACLs. This generally means that an ACL was misconfigured.

Recommended Action Check the ACLs associated with this tunnel peer, and make sure that they specify the appropriate private networks from both sides of the VPN tunnel.

713223

Error Message %ASA-7-713223: Static Crypto Map check, map = crypto_map_tag , seq = seq_number , no ACL configured

Explanation The crypto map associated with this peer is not linked to an ACL.

Recommended Action Make sure an ACL associated with this crypto map exists, and that the ACL includes the appropriate private addresses or network from both sides of the VPN tunnel.

713224

Error Message %ASA-7-713224: Static Crypto Map Check by-passed: Crypto map entry incomplete!

Explanation The crypto map associated with this VPN tunnel is missing critical information.

Recommended Action Verify that the crypto map is configured correctly with the VPN peer, a transform set, and an associated ACL.

713225

Error Message %ASA-7-713225: [IKEv1], Static Crypto Map check, map map_name , seq = sequence_number is a successful match

Explanation The ASA found a valid matching crypto map for this VPN tunnel.

Recommended Action None required.

713226

Error Message %ASA-3-713226: Connection failed with peer IP_address , no trust-point defined in tunnel-group tunnel_group

Explanation When the device is configured to use digital certificates, a trustpoint must be specified in the configuration. When the trustpoint is missing from the configuration, this message is generated to flag an error.

  • IP_address —IP address of the peer
  • tunnel_group —Tunnel group for which the trustpoint was missing in the configuration

Recommended Action The administrator of the device has to specify a trustpoint in the configuration.

713227

Error Message %ASA-3-713227: Rejecting new IPsec SA negotiation for peer Peer_address . A negotiation was already in progress for local Proxy Local_address / Local_netmask , remote Proxy Remote_address / Remote_netmask

Explanation When establishing a Phase 2 SA, the ASA will reject a new Phase 2 SA matching this proxy.

Recommended Action None required.

713228

Error Message %ASA-6-713228: Group = group , Username = uname , IP = remote_IP_address Assigned private IP address assigned_private_IP to remote user

Explanation IKE obtained a private IP address for the client from DHCP or from the address pool.

  • group— The name of the group
  • uname —The name of the user
  • remote_IP_address —The IP address of the remote client
  • assigned_private_IP —The client IP address assigned by DHCP or from the local address pool

Recommended Action None required.

713229

Error Message %ASA-5-713229: Auto Update - Notification to client client_ip of update string: message_string .

Explanation A VPN remote access client is notified that updated software is available for download. The remote client user is responsible for choosing to update the client access software.

  • client_ip —The IP address of the remote client
  • message_string —The message text sent to the remote client

Recommended Action None required.

713230

Error Message %ASA-3-713230: Internal Error, ike_lock trying to lock bit that is already locked for type type

Explanation An internal error occurred: the IKE subsystem attempted to lock memory that has already been locked. This indicates errors on semaphores that are used to prevent memory violations for IKE SAs. This message does not indicate that anything is seriously wrong. However, an unexpected event has occurred, and steps are automatically being taken for recovery.

  • type —String that describes the type of semaphore that had a locking issue

Recommended Action If the problem persists, contact the Cisco TAC.

713231

Error Message %ASA-3-713231: Internal Error, ike_lock trying to unlock bit that is not locked for type type

Explanation An internal error occurred: the IKE subsystem attempted to unlock memory that is not currently locked. This indicates errors on semaphores that are used to prevent memory violations for IKE SAs. This message does not indicate that anything is seriously wrong. However, an unexpected event has occurred, and steps are automatically being taken for recovery.

  • type —String that describes the type of semaphore that had a locking issue

Recommended Action If the problem persists, contact the Cisco TAC.

713232

Error Message %ASA-3-713232: SA lock refCnt = value , bitmask = hexvalue , p1_decrypt_cb = value , qm_decrypt_cb = value , qm_hash_cb = value , qm_spi_ok_cb = value , qm_dh_cb = value , qm_secret_key_cb = value , qm_encrypt_cb = value

Explanation All the IKE SAs are locked, and a possible error has been detected. This message reports errors on semaphores that are used to prevent memory violations for IKE SAs.

  • value —Decimal value
  • hexvalue —Hexadecimal value

Recommended Action If the problem persists, contact the Cisco TAC.

713233

Error Message %ASA-7-713233: (VPN- unit ) Remote network ( remote network ) validated for network extension mode.

Explanation The remote network received during the Phase 2 negotiation was validated. The message indicates the results of the remote network check during Phase 2 negotiations for Network Extension Mode clients. This is part of an existing feature that prevents users from misconfiguring their hardware client network (for example, configuring overlapping networks or the same network on multiple clients).

  • remote network —Subnet address and subnet mask from Phase 2 proxy

Recommended Action None required.

713234

Error Message %ASA-7-713234: (VPN- unit ) Remote network ( remote network ) from network extension mode client mismatches AAA configuration ( aaa network ).

Explanation The remote network received during the Phase 2 negotiation does not match the framed-ip-address and framed-subnet-mask that were returned from the AAA server for this session.

  • remote network —Subnet address and subnet mask from Phase 2 proxy
  • aaa network —Subnet address and subnet mask configured through AAA

Recommended Action Do one of the following:

  • Check the address assignment for this user and group, then check the network configuration on the HW client, and correct any inconsistencies.
  • Disable address assignment for this user and group.

713235

Error Message %ASA-6-713235: Attempt to send an IKE packet from standby unit. Dropping the packet!

Explanation Normally, IKE packets should never be sent from the standby unit to the remote peer. If such an attempt is made, an internal logic error may have occurred. The packet never leaves the standby unit because of protective code. This message facilitates debugging.

Recommended Action None required.

713236

Error Message %ASA-7-713236: IKE_DECODE tx/rx Message (msgid=msgid) with payloads:payload1 (payload1_len) + payload2 (payload2_len)...total length: tlen

Explanation IKE sent or received various messages.

The following example shows the output when IKE receives a message with an 8-byte hash payload, an 11-byte notify payload, and two 13-byte vendor-specific payloads:

%ASA-7-713236: IKE_DECODE RECEIVED Message (msgid=0) with payloads: HDR + HASH (8) + NOTIFY (11) + VENDOR (13) + VENDOR (13) + NONE (0)

Recommended Action None required.
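When 713236 debug output is collected for troubleshooting, the payload list can be parsed into structured fields. The following Python parser is an added example, not Cisco code; it assumes the layout shown in this entry and additionally tolerates an optional `IP = ...` prefix, a hexadecimal msgid, and a trailing `total length` field. The second sample line is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Header of a 713236 line. The payload list is captured lazily so that an
# optional trailing "total length : N" field is split off when present.
DECODE_RE = re.compile(
    r"%ASA-7-713236:\s*.*?IKE_DECODE\s+(?P<direction>\S+)\s+Message\s+"
    r"\(?msgid=(?P<msgid>[0-9A-Fa-f]+)\)?\s+with payloads\s*:\s*"
    r"(?P<payloads>.*?)\s*(?:total length\s*:\s*(?P<total>\d+))?\s*$"
)
# One payload entry: a name, optionally followed by its length in parentheses.
PAYLOAD_RE = re.compile(r"^(?P<name>[A-Za-z][\w-]*)(?:\s*\((?P<len>\d+)\))?$")


@dataclass
class IkeDecode:
    direction: str                              # e.g. RECEIVED
    msgid: str                                  # kept as text
    payloads: List[Tuple[str, Optional[int]]]   # (name, length); HDR has no length
    total_length: Optional[int]                 # None when the field is absent

    @property
    def payload_bytes(self) -> int:
        """Sum of the per-payload lengths that the line reports."""
        return sum(n for _, n in self.payloads if n is not None)


def parse_ike_decode(line: str) -> IkeDecode:
    """Parse one 713236 line; raise ValueError if it does not fit the layout."""
    m = DECODE_RE.search(line.strip())
    if m is None:
        raise ValueError("not a 713236 IKE_DECODE line")
    payloads = []
    for item in m["payloads"].split("+"):
        p = PAYLOAD_RE.match(item.strip())
        if p is None:
            raise ValueError(f"malformed payload entry: {item.strip()!r}")
        payloads.append((p["name"], int(p["len"]) if p["len"] else None))
    total = int(m["total"]) if m["total"] else None
    return IkeDecode(m["direction"], m["msgid"], payloads, total)


# Sample line following the example in this entry.
PAGE_SAMPLE = (
    "%ASA-7-713236: IKE_DECODE RECEIVED Message (msgid=0) with payloads: "
    "HDR + HASH (8) + NOTIFY (11) + VENDOR (13) + VENDOR (13) + NONE (0)"
)
# Constructed line with the optional prefix and total length (values invented).
CONSTRUCTED_SAMPLE = (
    "%ASA-7-713236: IP = 198.51.100.20, IKE_DECODE SENDING Message (msgid=0) "
    "with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108"
)

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE):
        parsed = parse_ike_decode(sample)
        print(parsed.direction, parsed.msgid, parsed.payloads,
              parsed.payload_bytes, parsed.total_length)
```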

713237

Error Message %ASA-5-713237: ACL update ( access_list ) received during re-key re-authentication will not be applied to the tunnel.

Explanation This message appears during the Phase 1 rekey of a remote access IPsec tunnel under the following conditions:

  • The tunnel is configured to reauthenticate the user when the tunnel is rekeyed.
  • The RADIUS server returns an access list or a reference to a locally configured access list that is different from the one that was returned when the tunnel was first established.

Under these conditions, the ASA ignores the new access list and this message is generated.

  • access_list —Name associated with the static or dynamic access list, as displayed in the output of the show access-list command

Recommended Action IPsec users must reconnect for new user-specific access lists to take effect.

713238

Error Message %ASA-3-713238: Invalid source proxy address: 0.0.0.0! Check private address on remote client

Explanation The private side address of a network extension mode client came across as 0.0.0.0. This usually indicates that no IP address was set on the private interface of the hardware client.

Recommended Action Verify the configuration of the remote client.

713239

Error Message %ASA-4-713239: IP_Address : Tunnel Rejected: The maximum tunnel count allowed has been reached

Explanation An attempt to create a tunnel has occurred after the maximum number of tunnels allowed has been reached.

  • IP_Address —The IP address of the peer

Recommended Action None required.

713240

Error Message %ASA-4-713240: Received DH key with bad length: received length= rlength expected length= elength

Explanation A Diffie-Hellman key with the incorrect length was received from the peer.

  • rlength—The length of the DH key that was received
  • elength—The expected length (based on the DH key size)

Recommended Action None required.

713241

Error Message %ASA-4-713241: IE Browser Proxy Method setting_number is Invalid

Explanation An invalid proxy setting was found during ModeCfg processing. P1 negotiation will fail.

Recommended Action Check the msie-proxy method command settings (a subcommand of the group-policy command), which should conform to one of the following: [ auto-detect | no-modify | no-proxy | use-server ] . Any other value or no value is incorrect. Try resetting the msie-proxy method command settings. If the problem persists, contact the Cisco TAC.

713242

Error Message %ASA-4-713242: Remote user is authenticated using Hybrid Authentication. Not starting IKE rekey.

Explanation The ASA has detected a request to start an IKE rekey for a tunnel configured to use Hybrid Xauth, but the rekey was not started. The ASA will wait for the client to detect and initiate an IKE rekey.

Recommended Action None required.

713243

Error Message %ASA-4-713243: META-DATA Unable to find the requested certificate

Explanation The IKE peer requested a certificate from the cert-req payload. However, no valid identity certificate issued by the requested DN was found.

Recommended Action Perform the following steps:

1. Check the identity certificates.

2. Enroll or import the desired certificate.

3. Enable certificate debugging for more details.

713244

Error Message %ASA-4-713244: META-DATA Received Legacy Authentication Method(LAM) type type is different from the last type received type .

Explanation The LAM attribute type received differs from the last type received. The type must be consistent throughout the user authentication process. The user authentication process cannot proceed, and the VPN connection will not be established.

  • type —The LAM type

Recommended Action If the problem persists, contact the Cisco TAC.

713245

Error Message %ASA-4-713245: META-DATA Unknown Legacy Authentication Method(LAM) type type received.

Explanation An unsupported LAM type was received during the CRACK challenge or response user authentication process. The user authentication process cannot proceed, and the VPN connection will not be established.

  • type —The LAM type

Recommended Action If the problem persists, contact the Cisco TAC.

713246

Error Message %ASA-4-713246: META-DATA Unknown Legacy Authentication Method(LAM) attribute type type received.

Explanation The ASA received an unknown LAM attribute type, which should not cause connectivity problems, but might affect the functionality of the peer.

  • type —The LAM attribute type

Recommended Action None required.

713247

Error Message %ASA-4-713247: META-DATA Unexpected error: in Next Card Code mode while not doing SDI.

Explanation An unexpected error occurred during state processing.

Recommended Action If the problem persists, contact the Cisco TAC.

713248

Error Message %ASA-5-713248: META-DATA Rekey initiation is being disabled during CRACK authentication.

Explanation When an IKE SA is negotiated using the CRACK authentication method, the Phase 1 SA rekey timer at the headend expired before a successful rekey. Because the remote client is always the initiator of the exchange when using the CRACK authentication method, the headend will not initiate the rekey. Unless the remote peer initiates a successful rekey before the IKE SA expires, the connection will come down upon IKE SA expiration.

Recommended Action None required.

713249

Error Message %ASA-4-713249: META-DATA Received unsupported authentication results: result

Explanation While negotiating an IKE SA using the CRACK authentication method, the IKE subsystem received a result that is not supported during CRACK authentication from the authentication subsystem. The user authentication fails, and the VPN connection is torn down.

  • result —The result returned from the authentication subsystem

Recommended Action If the problem persists, contact the Cisco TAC.

713250

Error Message %ASA-5-713250: META-DATA Received unknown Internal Address attribute: attribute

Explanation The ASA received a request for an internal address attribute that is not recognizable. The attribute might be valid, but not currently supported, or the peer might be sending an illegal value. This should not cause connectivity problems, but might affect the functionality of the peer.

Recommended Action None required.

713251

Error Message %ASA-4-713251: META-DATA Received authentication failure message

Explanation The ASA received a notification message that indicated an authentication failure while an IKE SA is negotiated using the CRACK authentication method. The connection is torn down.

Recommended Action None required.

713252

Error Message %ASA-5-713252: Group = group , Username = user , IP = ip , Integrity Firewall Server is not available. VPN Tunnel creation rejected for client.

Explanation When the group policy is configured to require the client to authenticate with a Zonelab Integrity Server, the server might need to be connected to the concentrator depending on the failure policy configured. If the fail policy is to reject the client connection, this message is generated when a Zonelab Integrity Server is not connected to the ASA at the time the client is connecting.

  • group —The tunnel group to which the remote access user is connecting
  • user —The remote access user
  • ip —The IP address of the remote access user

Recommended Action Check that the configurations on the concentrator and the Zonelab Integrity Server match. Then verify that communication exists between the concentrator and the Zonelab Integrity Server.

713253

Error Message %ASA-5-713253: Group = group , Username = user , IP = ip , Integrity Firewall Server is not available. Entering ALLOW mode. VPN Tunnel created for client.

Explanation When the group policy is configured to require a client to authenticate with a Zonelab Integrity Server, the server might need to be connected to the concentrator, depending on the failure policy configured. If the failure policy is to accept the client connection, and provide unrestricted network access, this message is generated when a Zonelab Integrity Server is not connected to the ASA at the time the client is connecting.

  • group —The tunnel group to which the remote access user is connecting
  • user —The remote access user
  • ip —The IP address of the remote access user

Recommended Action Check that the configurations on the ASA and the Zonelab Integrity Server match, and verify that communication exists between the ASA and the Zonelab Integrity Server.

713254

Error Message %ASA-3-713254: Group = groupname , Username = username , IP = peerip , Invalid IPsec/UDP port = portnum , valid range is minport - maxport , except port 4500, which is reserved for IPsec/NAT-T

Explanation You cannot use UDP port 4500 for IPsec/UDP connections, because it is reserved for IPsec or NAT-T connections. The CLI does not allow this configuration for local groups. This message should only occur for externally defined groups.

  • groupname —The name of the user group
  • username —The name of the user
  • peerip —The IP address of the client
  • portnum —The IPsec/UDP port number on the external server
  • minport —The minimum valid port number for a user-configurable port, which is 4001
  • maxport —The maximum valid port number for a user-configurable port, which is 49151

Recommended Action Change the IPsec or UDP port number on the external server to another port number. Valid port numbers are 4001 to 49151.

713255

Error Message %ASA-4-713255: IP = peer-IP , Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name group-name

Explanation An unknown tunnel group was specified in ISAKMP Aggressive Mode message 1.

  • peer-IP —The address of the peer
  • group-name —The group name specified by the peer

Recommended Action Check the tunnel group and client configurations to make sure that they are valid.

713256

Error Message %ASA-6-713256: IP = peer-IP , Sending spoofed ISAKMP Aggressive Mode message 2 due to receipt of unknown tunnel group. Aborting connection.

Explanation When the peer specifies an invalid tunnel group, the ASA will still send message 2 to prevent the peer from gleaning tunnel group information.

  • peer-IP —The address of the peer

Recommended Action None required.
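Because the ASA answers an unknown tunnel group with a spoofed message 2 (713256), a peer that keeps trying different group names is visible only in these two messages. The following Python detector is an added example, not Cisco code: it flags peers that present several distinct unknown group names in a short window. The timestamp prefix, the `asa-edge` hostname, the thresholds, and all sample lines are assumptions constructed for illustration; the group name is accepted with or without quotes.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumption: the log collector prefixes every line with an ISO 8601 timestamp
# and delivers each peer's lines in chronological order.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+.*?%ASA-\d-(?P<id>713255|713256):\s*"
    r"IP\s*=\s*(?P<ip>[0-9A-Fa-f:.]+)\s*,\s*(?P<rest>.*)$"
)
GROUP_RE = re.compile(r"unknown tunnel group name\s+'?(?P<group>[^']+?)'?\.?\s*$")


def find_group_probing(lines, window=timedelta(minutes=5), min_groups=3):
    """Return {peer_ip: {"groups": [...], "spoofed_replies": n}} for every peer
    that sent at least min_groups distinct unknown tunnel group names (713255)
    inside one sliding window. 713256 lines are counted as corroboration."""
    recent = defaultdict(deque)   # peer -> (timestamp, group) pairs inside the window
    tried = defaultdict(set)      # peer -> group names seen while over threshold
    spoofed = Counter()           # peer -> number of 713256 replies
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ip = m["ip"]
        if m["id"] == "713256":
            spoofed[ip] += 1
            continue
        g = GROUP_RE.search(m["rest"])
        if g is None:
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[ip]
        q.append((ts, g["group"]))
        while ts - q[0][0] > window:      # drop attempts older than the window
            q.popleft()
        names = {name for _, name in q}
        if len(names) >= min_groups:
            tried[ip] |= names
    return {ip: {"groups": sorted(names), "spoofed_replies": spoofed[ip]}
            for ip, names in tried.items()}


# Constructed sample input (documentation address ranges, invented group names).
M255 = ("{ts} asa-edge %ASA-4-713255: IP = {ip}, Received ISAKMP Aggressive Mode "
        "message 1 with unknown tunnel group name '{group}'.")
M256 = ("{ts} asa-edge %ASA-6-713256: IP = {ip}, Sending spoofed ISAKMP Aggressive "
        "Mode message 2 due to receipt of unknown tunnel group. Aborting connection.")
SAMPLE_LINES = [
    # Three different names, but spread over 30 minutes: below the threshold.
    M255.format(ts="2024-03-03T09:00:00", ip="192.0.2.44", group="a"),
    M255.format(ts="2024-03-03T09:15:00", ip="192.0.2.44", group="b"),
    M255.format(ts="2024-03-03T09:30:00", ip="192.0.2.44", group="c"),
    # Three different names inside 80 seconds: flagged.
    M255.format(ts="2024-03-03T10:15:01", ip="203.0.113.5", group="vpn"),
    M256.format(ts="2024-03-03T10:15:01", ip="203.0.113.5"),
    M255.format(ts="2024-03-03T10:15:40", ip="203.0.113.5", group="remote"),
    M256.format(ts="2024-03-03T10:15:40", ip="203.0.113.5"),
    M255.format(ts="2024-03-03T10:16:20", ip="203.0.113.5", group="corp"),
    M256.format(ts="2024-03-03T10:16:20", ip="203.0.113.5"),
    # Same wrong name twice, as a misconfigured client would send: not flagged.
    M255.format(ts="2024-03-03T10:20:00", ip="198.51.100.7", group="sales-vpn"),
    M255.format(ts="2024-03-03T10:31:00", ip="198.51.100.7", group="sales-vpn"),
]

if __name__ == "__main__":
    for peer, info in find_group_probing(SAMPLE_LINES).items():
        print(peer, info)
```

A single repeated name usually points to the client misconfiguration that the 713255 Recommended Action describes, which is why the detector counts distinct names rather than raw events.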

713257

Error Message %ASA-5-713257: Phase var1 failure: Mismatched attribute types for class var2 : Rcv'd: var3 Cfg'd: var4

Explanation The ASA acted as the responder in a LAN-to-LAN connection. This message indicates that the ASA crypto configuration does not match the configuration of the initiator. The message specifies the phase during which the mismatch occurred and which attributes differed between the responder and the initiator.

  • var1 —The phase during which the mismatch occurred
  • var2 —The class to which the attributes that do not match belong
  • var3 —The attribute received from the initiator
  • var4 —The attribute configured

Recommended Action Check the crypto configuration on both of the LAN-to-LAN devices for inconsistencies. In particular, if a mismatch between UDP-Tunnel (NAT-T) and something else is reported, check the crypto maps. If one configuration has NAT-T disabled on the matched crypto map and the other does not, this will cause a failure.

713258

Error Message %ASA-3-713258: IP = var1 , Attempting to establish a phase2 tunnel on var2 interface but phase1 tunnel is on var3 interface. Tearing down old phase1 tunnel due to a potential routing change.

Explanation The ASA tries to establish a Phase 2 tunnel on an interface, and a Phase 1 tunnel already exists on a different interface. The existing Phase 1 tunnel is torn down to allow the establishment of a new tunnel on the new interface.

  • var1 —The IP address of the peer
  • var2 —The interface on which the ASA is trying to establish a Phase 2 tunnel
  • var3 —The interface on which the Phase 1 tunnel exists

Recommended Action Check whether or not the route of the peer has changed. If the route has not changed, a possible misconfiguration may exist.

713259

Error Message %ASA-5-713259: Group = groupname , Username = username , IP = peerIP , Session is being torn down. Reason: reason

Explanation The termination reason for the ISAKMP session appears, which occurs when the session is torn down through session management.

  • groupname —The tunnel group of the session being terminated
  • username —The username of the session being terminated
  • peerIP —The peer address of the session being terminated
  • reason —The RADIUS termination reason of the session being terminated. Reasons include the following:

    - Port Preempted (simultaneous logins)
    - Idle Timeout
    - Max Time Exceeded
    - Administrator Reset

Recommended Action None required.

713260

Error Message %ASA-3-713260: Output interface %d to peer was not found

Explanation When trying to create a Phase 1 SA, the interface database could not be found for the interface ID.

Recommended Action If the problem persists, contact the Cisco TAC.

713261

Error Message %ASA-3-713261: IPV6 address on output interface %d was not found

Explanation When trying to create a Phase 1 SA, no IPv6 address is specified on the local interface.

Recommended Action For information about how to set up an IPv6 address on a desired interface, see the “Configuring IPv6 Addressing” section in the CLI configuration guide.

713262

Error Message %ASA-3-713262: Rejecting new IPSec SA negotiation for peer Peer_address . A negotiation was already in progress for local Proxy Local_address / Local_prefix_len , remote Proxy Remote_address / Remote_prefix_len

Explanation When establishing a Phase 2 SA, the ASA will reject a new Phase 2 SA matching this proxy.

  • Peer_address —The new address attempting to initiate Phase 2 with a proxy matching an existing negotiation
  • Local_address —The address of the previous local peer currently negotiating Phase 2
  • Local_prefix_len —The length of the subnet prefix according to CIDR notation
  • Remote_address —The address of the proxy
  • Remote_prefix_len —The length of the subnet prefix according to CIDR notation

Recommended Action None required.

713263

Error Message %ASA-7-713263: Received local IP Proxy Subnet data in ID Payload: Address IP_address , Mask / prefix_len , Protocol protocol , Port port

Explanation The ASA is adding a route for the private address or networks of the peer. In this case, the peer is either a client or a L2L peer with an unknown address. Both of these cases use dynamic crypto maps to allow the tunnel.

  • IP_address —The base IP address of the destination network of the peer
  • prefix_len —The length of the subnet prefix according to CIDR notation
  • protocol — The proxy protocol
  • port —The proxy port

Recommended Action None required.

713264

Error Message %ASA-7-713264: Received local IP Proxy Subnet data in ID Payload: Address IP_address , Mask/ prefix_len , Protocol protocol , Port port {“Received remote IP Proxy Subnet data in ID Payload: Address %a , Mask/ %d , Protocol %u , Port %u ”}

Explanation The ASA is adding a route for the private address or networks of the peer. In this case, the peer is either a client or a L2L peer with an unknown address. Both of these cases use dynamic crypto maps to allow the tunnel.

  • IP_address —The base IP address of the destination network of the peer
  • prefix_len —The length of the subnet prefix according to CIDR notation
  • protocol — The proxy protocol
  • port —The proxy port

Recommended Action None required.

713265

Error Message %ASA-6-713265: Adding static route for L2L peer coming in on a dynamic map. address: IP_address , mask: / prefix_len

Explanation The ASA is adding a route for the private address or networks of the peer. In this case, the peer is either a client or a L2L peer with an unknown address. Both of these cases use dynamic crypto maps to allow the tunnel.

  • IP_address —The base IP address of the destination network of the peer
  • prefix_len —The length of the subnet prefix according to CIDR notation

Recommended Action None required.

713266

Error Message %ASA-3-713266: Could not add route for L2L peer coming in on a dynamic map. address: IP_address , mask: / prefix_len

Explanation The ASA failed while attempting to add a route for the private address or networks of the peer. In this case, the peer is either a client or a L2L peer with an unknown address. Both of these cases use dynamic crypto maps to allow the tunnel. This might indicate duplicate routes, a full IPv6 routing table, or a failure of the ASA to remove previously used routes.

  • IP_address —The base IP address of the destination network of the peer
  • prefix_len —The length of the subnet prefix according to CIDR notation

Recommended Action Check the IPv6 routing table to make sure there is room for additional routes, and that obsolete routes are not present. If the table is full or includes obsolete routes, remove the routes and try again. If the problem persists, contact the Cisco TAC.

713267

Error Message %ASA-6-713267: Deleting static route for L2L peer that came in on a dynamic map. address: IP_address , mask: / prefix_len

Explanation The ASA failed while attempting to add a route for the private address or networks of the peer. In this case, the peer is either a client or a L2L peer with an unknown address. Both of these cases use dynamic crypto maps to allow the tunnel.

  • IP_address —The base IP address of the destination network of the peer
  • prefix_len —The length of the subnet prefix according to CIDR notation

Recommended Action None required.

713268

Error Message %ASA-3-713268: Could not delete route for L2L peer that came in on a dynamic map. address: IP_address , mask: / prefix_len

Explanation The ASA experienced a failure while deleting a route for the private address or networks of the peer. In this case, the peer is either a client or a L2L peer with an unknown address. Both of these cases use dynamic crypto maps to allow the tunnel. The route may have already been deleted, or an internal software error has occurred.

  • IP_address —The base IP address of the destination network of the peer
  • prefix_len —The length of the subnet prefix according to CIDR notation

Recommended Action If the route has already been deleted, the condition is benign and the device will function normally. If the problem persists or can be linked to routing issues over VPN tunnels, then check the routing and addressing portions of the VPN L2L configuration. Also check the reverse route injection and the ACLs associated with the appropriate crypto map. If the problem persists, contact the Cisco TAC.

713269

Error Message %ASA-6-713269: Detected Hardware Client in network extension mode, adding static route for address: IP_address , mask: / prefix_len

Explanation A tunnel with a hardware client in network extension mode has been negotiated, and a static route is being added for the private network behind the hardware client. This configuration enables the ASA to make the remote network known to all the routers on the private side of the headend.

  • IP_address —The base IP address of the destination network of the peer
  • prefix_len —The length of the subnet prefix according to CIDR notation

Recommended Action None required.

713270

Error Message %ASA-3-713270: Could not add route for Hardware Client in network extension mode, address: IP_address , mask: / prefix_len

Explanation An internal software error has occurred. A tunnel with a hardware client in network extension mode has been negotiated, and an attempt to add the static route for the private network behind the hardware client failed. The IPv6 routing table may be full, or a possible addressing error has occurred.

  • IP_address —The base IP address of the destination network of the peer
  • prefix_len —The length of the subnet prefix according to CIDR notation

Recommended Action If the problem persists, contact the Cisco TAC.

713271

Error Message %ASA-6-713271: Terminating tunnel to Hardware Client in network extension mode, deleting static route for address: IP_address , mask:/ prefix_len

Explanation A tunnel to a hardware client in network extension mode is being removed, and the static route for the private network is being deleted behind the hardware client.

  • IP_address —The base IP address of the destination network of the peer
  • prefix_len —The length of the subnet prefix according to CIDR notation

Recommended Action None required.

713272

Error Message %ASA-3-713272: Terminating tunnel to Hardware Client in network extension mode, unable to delete static route for address: IP_address , mask: / prefix_len

Explanation While a tunnel to a hardware client in network extension mode was being removed, a route to the private network behind the hardware client could not be deleted. This might indicate an addressing or software problem.

  • IP_address —The base IP address of the destination network of the peer
  • prefix_len —The length of the subnet prefix according to CIDR notation

Recommended Action Check the IPv6 routing table to ensure that the route is not there. If it is, it may have to be removed manually, but only if the tunnel to the hardware client has been completely removed.

713273

Error Message %ASA-7-713273: Deleting static route for client address: IP_Address

Explanation A route to the peer-assigned address or the networks protected by a hardware client was removed from the routing table.

  • IP_Address —The address of the client whose route is being removed

Recommended Action None required.

713274

Error Message %ASA-3-713274: Could not delete static route for client address: IP_Address

Explanation While a tunnel to an IPsec client was being removed, its entry in the routing table could not be removed. This condition may indicate a networking or software problem.

  • IP_Address —The address of the client whose route is being removed

Recommended Action Check the routing table to make sure that the route does not exist. If it does, it may need to be removed manually, but only if the tunnel has been closed successfully.

713900

Error Message %ASA-1-713900: Descriptive_event_string.

Explanation A serious event or failure has occurred. For example, the ASA is trying to generate a Phase 2 deletion, but the SPI did not match any of the existing Phase 2 SAs.

Recommended Action In the example described, both peers are deleting Phase 2 SAs at the same time. In this case, it is a benign error and can be ignored. If the error is persistent and results in negative side effects such as dropped tunnels or device reboots, it may reflect a software failure. In this case, copy the error message exactly as it appears on the console or in the system log, and then contact the Cisco TAC for further assistance.

713901

Error Message %ASA-2-713901: Descriptive_event_string .

Explanation An error has occurred, which may be the result of a configuration error on the headend or remote access client. The event string provides details about the error that occurred.

Recommended Action You may need to troubleshoot the message to determine what caused the error. Check the ISAKMP and crypto map configuration on both peers.

713902

Error Message %ASA-3-713902: Descriptive_event_string.

Explanation An error has occurred, which may be the result of a configuration error either on the headend or remote access client.

Recommended Action It might be necessary to troubleshoot the configuration to determine the cause of the error. Check the ISAKMP and crypto map configuration on both peers.

713903

Error Message %ASA-4-713903: Group = group policy , Username = user name , IP = remote IP , ERROR: Failed to install Redirect URL: redirect URL Redirect ACL: non_exist for assigned IP .

Explanation An error occurred for an IPsec/IKEv1 VPN connection when a redirect URL was installed, and the ACL was received from the ISE, but the redirect ACL does not exist on the ASA.

  • group policy —The group policy that allowed the user to gain access
  • user name —Username of the requester for the remote access
  • remote IP —Remote IP address that the connection request is coming from
  • redirect URL —The URL for the HTTP traffic redirection
  • assigned IP —The IP address that is assigned to the user

Recommended Action None required.

713904

Error Message %ASA-5-713904: Descriptive_event_string .

Explanation Notification status information appears, which is used to track events that have occurred.

Recommended Action None required.

713905

Error Message %ASA-6-713905: Descriptive_event_string .

Explanation Information status details appear, which are used to track events that have occurred.

Recommended Action None required.

713906

Error Message %ASA-7-713906: Descriptive_event_string .

Explanation Debugging status information appears, which is used to track events that have occurred.

Recommended Action None required.

714001

Error Message %ASA-7-714001: description_of_event_or_packet

Explanation A description of an IKE protocol event or packet was provided.

Recommended Action None required.

714002

Error Message %ASA-7-714002: IKE Initiator starting QM: msg id = message_number

Explanation The ASA has sent the first packet of the Quick mode exchange as the Phase 2 initiator.

Recommended Action None required.

714003

Error Message %ASA-7-714003: IKE Responder starting QM: msg id = message_number

Explanation The ASA has received the first packet of the Quick mode exchange as the Phase 2 responder.

Recommended Action None required.

714004

Error Message %ASA-7-714004: IKE Initiator sending 1st QM pkt: msg id = message_number

Explanation The protocol of the first Quick Mode packet was decoded.

Recommended Action None required.

714005

Error Message %ASA-7-714005: IKE Responder sending 2nd QM pkt: msg id = message_number

Explanation The protocol of the second Quick Mode packet was decoded.

Recommended Action None required.

714006

Error Message %ASA-7-714006: IKE Initiator sending 3rd QM pkt: msg id = message_number

Explanation The protocol of the third Quick Mode packet was decoded.

Recommended Action None required.

714007

Error Message %ASA-7-714007: IKE Initiator sending Initial Contact

Explanation The ASA is building and sending the initial contact payload.

Recommended Action None required.

714011

Error Message %ASA-7-714011: Description of received ID values

Explanation The ASA received the displayed ID information during the negotiation.

Recommended Action None required.

715001

Error Message %ASA-7-715001: Descriptive statement

Explanation A description of an event or problem encountered by the ASA appears.

Recommended Action The action depends on the description.

715004

Error Message %ASA-7-715004: subroutine name () Q Send failure: RetCode ( return_code )

Explanation An internal error occurred when attempting to put messages in a queue.

Recommended Action This is often a benign condition. If the problem persists, contact the Cisco TAC.

715005

Error Message %ASA-7-715005: subroutine name () Bad message code: Code ( message_code )

Explanation An internal subroutine received a bad message code.

Recommended Action This is often a benign condition. If the problem persists, contact the Cisco TAC.

715006

Error Message %ASA-7-715006: IKE got SPI from key engine: SPI = SPI_value

Explanation The IKE subsystem received an SPI value from IPsec.

Recommended Action None required.

715007

Error Message %ASA-7-715007: IKE got a KEY_ADD msg for SA: SPI = SPI_value

Explanation IKE has completed tunnel negotiation and has successfully loaded the appropriate encryption and hashing keys for IPsec use.

Recommended Action None required.

715008

Error Message %ASA-7-715008: Could not delete SA SA_address, refCnt = number , caller = calling_subroutine_address

Explanation The calling subroutine cannot delete the IPsec SA. This might indicate a reference count problem.

Recommended Action If the number of stale SAs grows as a result of this event, contact the Cisco TAC.

715009

Error Message %ASA-7-715009: IKE Deleting SA: Remote Proxy IP_address , Local Proxy IP_address

Explanation SA is being deleted with the listed proxy addresses.

Recommended Action None required.

715013

Error Message %ASA-7-715013: Tunnel negotiation in progress for destination IP_address , discarding data

Explanation IKE is in the process of establishing a tunnel for this data. All packets to be protected by this tunnel will be dropped until the tunnel is fully established.

Recommended Action None required.

715019

Error Message %ASA-7-715019: Group group Username username IP ip IKEGetUserAttributes: Attribute name = name

Explanation The modecfg attribute name and value pair being processed by the ASA appear.

Recommended Action None required.

715020

Error Message %ASA-7-715020: construct_cfg_set: Attribute name = name

Explanation The modecfg attribute name and value pair being transmitted by the ASA appear.

Recommended Action None required.

715021

Error Message %ASA-7-715021: Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress

Explanation Quick mode processing is being delayed until all Phase 1 processing has been completed (for transaction mode).

Recommended Action None required.

715022

Error Message %ASA-7-715022: Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed

Explanation Phase 1 processing has completed, and quick mode is being resumed.

Recommended Action None required.

715027

Error Message %ASA-7-715027: IPsec SA Proposal # chosen_proposal , Transform # chosen_transform acceptable Matches global IPsec SA entry # crypto_map_index

Explanation The indicated IPsec SA proposal and transform were selected from the payloads that the responder received. This data can be useful when attempting to debug IKE negotiation issues.

Recommended Action None required.

715028

Error Message %ASA-7-715028: IKE SA Proposal # 1, Transform # chosen_transform acceptable Matches global IKE entry # crypto_map_index

Explanation The indicated IKE SA transform was selected from the payloads that the responder received. This data can be useful when attempting to debug IKE negotiation issues.

Recommended Action None required.

715033

Error Message %ASA-7-715033: Processing CONNECTED notify (MsgId message_number )

Explanation The ASA is processing a message containing a notify payload with the notify type CONNECTED (16384). The CONNECTED notify type is used to complete the commit bit processing and should be included in the fourth overall quick mode packet, which is sent from the responder to the initiator.

Recommended Action None required.

715034

Error Message %ASA-7-715034: action IOS keep alive payload: proposal= time 1 / time 2 sec.

Explanation Processing for sending or receiving a keepalive payload message is being performed.

Recommended Action None required.

715035

Error Message %ASA-7-715035: Starting IOS keepalive monitor: seconds sec.

Explanation The keepalive timer will monitor for a variable number of seconds for keepalive messages.

Recommended Action None required.

715036

Error Message %ASA-7-715036: Sending keep-alive of type notify_type (seq number number )

Explanation Processing for sending a keepalive notify message is being performed.

Recommended Action None required.

715037

Error Message %ASA-7-715037: Unknown IOS Vendor ID version: major.minor.variance

Explanation The capabilities of this version of the Cisco IOS are not known.

Recommended Action There may be interoperability issues with features such as IKE keepalives. If the problem persists, contact the Cisco TAC.

715038

Error Message %ASA-7-715038: action Spoofing_information Vendor ID payload (version: major.minor.variance , capabilities: value )

Explanation Processing for the Cisco IOS vendor ID payload has been performed. The action being performed might be Altiga spoofing the Cisco IOS.

Recommended Action None required.

715039

Error Message %ASA-7-715039: Unexpected cleanup of tunnel table entry during SA delete.

Explanation An entry in the IKE tunnel table was never removed when the SA was freed. This indicates a defect in the state machine.

Recommended Action If the problem persists, contact the Cisco TAC.

715040

Error Message %ASA-7-715040: Deleting active auth handle during SA deletion: handle = internal_authentication_handle

Explanation The authentication handle was still active during SA deletion. This is part of cleanup recovery during the error condition.

Recommended Action None required.

715041

Error Message %ASA-7-715041: Received keep-alive of type keepalive_type , not the negotiated type

Explanation A keepalive of the type indicated in the message was received unexpectedly.

Recommended Action Check the keepalive configuration on both peers.

715042

Error Message %ASA-7-715042: IKE received response of type failure_type to a request from the IP_address utility

Explanation A request for an IP address for a remote access client from the internal utility that provides these addresses cannot be satisfied. Variable text in the message string indicates more specifically what went wrong.

Recommended Action Check the IP address assignment configuration and adjust accordingly.

715044

Error Message %ASA-7-715044: Ignoring Keepalive payload from vendor not support KeepAlive capability

Explanation A Cisco IOS keepalive payload from a vendor was received without keepalive capabilities being set. The payload is ignored.

Recommended Action None required.

715045

Error Message %ASA-7-715045: ERROR: malformed Keepalive payload

Explanation A malformed keepalive payload has been received. The payload is ignored.

Recommended Action None required.

715046

Error Message %ASA-7-715046: Group = groupname , Username = username , IP = IP_address , constructing payload_description payload

Explanation Details about the IKE payload being constructed appear, together with the group, username, and IP address of the remote client.

Recommended Action None required.

715047

Error Message %ASA-7-715047: processing payload_description payload

Explanation Details of the IKE payload received and being processed appear.

Recommended Action None required.

715048

Error Message %ASA-7-715048: Send VID_type VID

Explanation The type of vendor ID payload being sent appears.

Recommended Action None required.

715049

Error Message %ASA-7-715049: Received VID_type VID

Explanation The type of vendor ID payload received appears.

Recommended Action None required.

715050

Error Message %ASA-7-715050: Claims to be IOS but failed authentication

Explanation The vendor ID received looks like a Cisco IOS VID, but does not match hmac_sha .

Recommended Action Check the vendor ID configuration on both peers. If this issue affects interoperability and the problem persists, contact the Cisco TAC.

715051

Error Message %ASA-7-715051: Received unexpected TLV type TLV_type while processing FWTYPE ModeCfg Reply

Explanation An unknown TLV was received in an ASA record while an FWTYPE ModeCfg Reply was being processed. The TLV will be discarded. This might occur either because of packet corruption or because the connecting client supports a later version of the ASA protocol.

Recommended Action Check the personal FW installed on the Cisco VPN client and the personal firewall configuration on the ASA. This may also indicate a version mismatch between the VPN client and the ASA.

715052

Error Message %ASA-7-715052: Old P1 SA is being deleted but new SA is DEAD, cannot transition centries

Explanation The old P1 SA is being deleted, but has no new SA to transition to because it was marked for deletion as well. This generally indicates that the two IKE peers are out-of-sync with each other and may be using different rekey times. The problem should correct itself, but there may be some small amount of data loss until a fresh P1 SA is reestablished.

Recommended Action None required.

715053

Error Message %ASA-7-715053: MODE_CFG: Received request for attribute_info !

Explanation The ASA received a mode configuration message requesting the specified attribute.

Recommended Action None required.

715054

Error Message %ASA-7-715054: MODE_CFG: Received attribute_name reply: value

Explanation The ASA received a mode configuration reply message from the remote peer.

Recommended Action None required.

715055

Error Message %ASA-7-715055: Send attribute_name

Explanation The ASA sent a mode configuration message to the remote peer.

Recommended Action None required.

715056

Error Message %ASA-7-715056: Client is configured for TCP_transparency

Explanation Because the remote end (client) is configured for IPsec over TCP, the headend ASA must not negotiate IPsec over UDP or IPsec over NAT-T with the client.

Recommended Action The NAT transparency configuration may require adjustment of one of the peers if the tunnel does not come up.

715057

Error Message %ASA-7-715057: Auto-detected a NAT device with NAT-Traversal. Ignoring IPsec-over-UDP configuration.

Explanation IPsec-over-UDP mode configuration information will not be exchanged because NAT-Traversal was detected.

Recommended Action None required.

715058

Error Message %ASA-7-715058: NAT-Discovery payloads missing. Aborting NAT-Traversal.

Explanation The remote end did not provide NAT-Discovery payloads required for NAT-Traversal after exchanging NAT-Traversal VIDs. At least two NAT-Discovery payloads must be received.

Recommended Action This may indicate a nonconforming NAT-T implementation. If the offending peer is a Cisco product and the problem persists, contact the Cisco TAC. If the offending peer is not a Cisco product, then contact the manufacturer support team.

715059

Error Message %ASA-7-715059: Proposing/Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal

Explanation You need to use these modes instead of the usual transport and tunnel modes defined in the SA to successfully negotiate NAT-Traversal.

Recommended Action None required.

715060

Error Message %ASA-7-715060: Dropped received IKE fragment. Reason: reason

Explanation The reason for dropping the fragment appears.

Recommended Action The recommended action depends on the drop reason, but might indicate a problem with an intervening NAT device or a nonconforming peer.

715061

Error Message %ASA-7-715061: Rcv'd fragment from a new fragmentation set. Deleting any old fragments.

Explanation Either the same packet was resent but fragmented to a different MTU, or a different packet altogether was received.

Recommended Action None required.

715062

Error Message %ASA-7-715062: Error assembling fragments! Fragment numbers are non-continuous.

Explanation There is a gap in fragment numbers.

Recommended Action This might indicate a network problem. If the condition persists and results in dropped tunnels or prevents certain peers from negotiating with the ASA, contact the Cisco TAC.

715063

Error Message %ASA-7-715063: Successfully assembled an encrypted pkt from rcv'd fragments!

Explanation Assembly for a fragmented packet that was received was successful.

Recommended Action None required.

715064

Error Message %ASA-7-715064 -- IKE Peer included IKE fragmentation capability flags: Main Mode: true / false Aggressive Mode: true / false

Explanation The peer supports IKE fragmentation based on the information provided in the message.

Recommended Action None required.

715065

Error Message %ASA-7-715065: IKE state_machine subtype FSM error history (struct data_structure_address ) state , event : state / event pairs

Explanation A Phase 1 error occurred and the state , event history pairs will be displayed in reverse chronological order.

Recommended Action Most of these errors are benign. If the problem persists, contact the Cisco TAC.

715066

Error Message %ASA-7-715066: Can't load an IPsec SA! The corresponding IKE SA contains an invalid logical ID.

Explanation The logical ID in the IKE SA is NULL. The Phase II negotiation will be torn down.

Recommended Action An internal error has occurred. If the problem persists, contact the Cisco TAC.

715067

Error Message %ASA-7-715067: QM IsRekeyed: existing sa from different peer, rejecting new sa

Explanation The LAN-TO-LAN SA that is being established already exists, that is, an SA with the same remote network, but is sourced from a different peer. This new SA will be deleted, because this is not a legal configuration.

Recommended Action Check the LAN-TO-LAN configuration on all associated peers. Specifically, multiple peers should not be sharing private networks.

715068

Error Message %ASA-7-715068: QM IsRekeyed: duplicate sa found by address , deleting old sa

Explanation The remote access SA that is being established already exists, that is, an SA with the same remote network, but is sourced from a different peer. The old SA will be deleted, because the peer may have changed its IP address.

Recommended Action This may be a benign condition, especially if a client tunnel was terminated abruptly. If the problem persists, contact the Cisco TAC.

715069

Error Message %ASA-7-715069: Invalid ESP SPI size of SPI_size

Explanation The ASA received an IPsec SA proposal with an invalid ESP SPI size. This proposal will be skipped.

Recommended Action Generally, this is a benign condition but might indicate that a peer may be nonconforming. If the problem persists, contact the Cisco TAC.

715070

Error Message %ASA-7-715070: Invalid IPComp SPI size of SPI_size

Explanation The ASA received an IPsec SA proposal with an invalid IPComp SPI size. This proposal will be skipped.

Recommended Action Generally, this is a benign condition but might indicate that a peer is nonconforming. If the problem persists, contact the Cisco TAC.

715071

Error Message %ASA-7-715071: AH proposal not supported

Explanation The IPsec AH proposal is not supported. This proposal will be skipped.

Recommended Action None required.

715072

Error Message %ASA-7-715072: Received proposal with unknown protocol ID protocol_ID

Explanation The ASA received an IPsec SA proposal with an unknown protocol ID. This proposal will be skipped.

Recommended Action Generally, this is a benign condition, but might indicate that a peer is nonconforming. If the problem persists, contact the Cisco TAC.

715074

Error Message %ASA-7-715074: Could not retrieve authentication attributes for peer IP_address

Explanation The ASA cannot get authorization information for the remote user.

Recommended Action Make sure that authentication and authorization settings have been configured correctly. If the problem persists, contact the Cisco TAC.

715075

Error Message %ASA-7-715075: Group = group_name , IP = IP_address Received keep-alive of type message_type (seq number number )

Explanation This message is paired with DPD R-U-THERE message 715036, which logs the DPD sending messages.

  • group_name —The VPN group name of the peer
  • IP_address —IP address of the VPN peer
  • message_type —The message type (DPD R-U-THERE or DPD R-U-THERE-ACK)
  • number —The DPD sequence number

Two possible cases:

  • The ASA received a DPD R-U-THERE message sent by the peer
  • The ASA received a DPD R-U-THERE-ACK reply from the peer

Be aware of the following:

  • The DPD R-U-THERE message is received and its sequence number matches the outgoing DPD reply messages.

If the ASA sends a DPD R-U-THERE-ACK message without first receiving a DPD R-U-THERE message from the peer, it is likely experiencing a security breach.

  • The received DPD R-U-THERE-ACK message's sequence number is matched with previously sent DPD messages.

If the ASA did not receive a DPD R-U-THERE-ACK message within a reasonable amount of time after sending a DPD R-U-THERE message to the peer, the tunnel is most likely down.

Recommended Action None required.
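The pairing of messages 715036 and 715075 described above can be checked mechanically over collected debug-level syslog. The following is an added example, not Cisco code: it matches DPD sequence numbers per peer and reports the three conditions the explanation names. The ISO timestamp prefix, the Group/IP prefix on 715036 lines, hexadecimal sequence numbers, the 30-second timeout, and the finding names are assumptions; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Matches 715036 (ASA sending) and 715075 (ASA receiving) keepalive lines.
# Assumed layout: "<ISO timestamp> %ASA-7-<id>: [Group = g, ][IP = a[,] ]<text>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+%ASA-7-(?:715036|715075):\s*"
    r"(?:Group = (?P<group>[^,]+?)\s*,\s*)?"
    r"(?:IP = (?P<ip>[^\s,]+)\s*,?\s*)?"
    r"(?P<dir>Sending|Received) keep-alive of type "
    r"(?P<type>DPD R-U-THERE(?:-ACK)?)\s*"
    r"\(seq number (?P<seq>0x[0-9a-fA-F]+|\d+)\s*\)"
)


def parse(line):
    """Return a dict for a DPD keepalive line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    seq = m["seq"]
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "peer": m["ip"] or "unknown",
        "sent": m["dir"] == "Sending",        # True: logged by 715036
        "ack": m["type"].endswith("-ACK"),
        "seq": int(seq, 16) if seq.lower().startswith("0x") else int(seq),
    }


def correlate(lines, ack_timeout=timedelta(seconds=30)):
    """Pair R-U-THERE / R-U-THERE-ACK by (peer, seq) and list mismatches."""
    probes_out = {}     # (peer, seq) -> time the ASA sent R-U-THERE
    probes_in = set()   # (peer, seq) of R-U-THERE received from the peer
    findings = []
    last_ts = None
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        last_ts = ev["ts"]
        key = (ev["peer"], ev["seq"])
        if ev["sent"] and not ev["ack"]:
            probes_out[key] = ev["ts"]
        elif not ev["sent"] and not ev["ack"]:
            probes_in.add(key)
        elif ev["sent"] and ev["ack"]:
            # ASA acknowledged something: a matching request must exist.
            if key in probes_in:
                probes_in.discard(key)
            else:
                findings.append(("ack_sent_without_request", *key))
        else:
            # Peer acknowledged: the sequence must match a probe we sent.
            if probes_out.pop(key, None) is None:
                findings.append(("ack_received_without_probe", *key))
    # Probes still unanswered after the timeout: tunnel most likely down.
    for (peer, seq), sent_at in probes_out.items():
        if last_ts - sent_at > ack_timeout:
            findings.append(("probe_unanswered", peer, seq))
    return findings


# Constructed sample input (documentation addresses, invented group names).
SAMPLE = """\
2024-01-12T10:00:00 %ASA-7-715036: Group = branch-l2l, IP = 192.0.2.10, Sending keep-alive of type DPD R-U-THERE (seq number 0x1a2b)
2024-01-12T10:00:01 %ASA-7-715075: Group = branch-l2l, IP = 192.0.2.10 Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x1a2b)
2024-01-12T10:00:10 %ASA-7-715075: Group = branch-l2l, IP = 192.0.2.10 Received keep-alive of type DPD R-U-THERE (seq number 0x77)
2024-01-12T10:00:10 %ASA-7-715036: Group = branch-l2l, IP = 192.0.2.10, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x77)
2024-01-12T10:00:20 %ASA-7-715036: Group = branch-l2l, IP = 192.0.2.10, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x99)
2024-01-12T10:00:30 %ASA-7-715036: Group = hq-l2l, IP = 198.51.100.7, Sending keep-alive of type DPD R-U-THERE (seq number 0x500)
2024-01-12T10:00:40 %ASA-7-715075: Group = hq-l2l, IP = 198.51.100.7 Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x4ff)
2024-01-12T10:02:00 %ASA-7-715036: Group = branch-l2l, IP = 192.0.2.10, Sending keep-alive of type DPD R-U-THERE (seq number 0x1a2c)
""".splitlines()

if __name__ == "__main__":
    for kind, peer, seq in correlate(SAMPLE):
        print(f"{kind}: peer={peer} seq={seq:#x}")
```

Both message IDs are severity 7, so the check only sees data when debug-level logging is being collected from the ASA.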

715076

Error Message %ASA-7-715076: Computing hash for ISAKMP

Explanation IKE computed various hash values.

This object will be prepended as follows:

Group = groupname , Username = username , IP = ip_address ...

Recommended Action None required.

715077

Error Message %ASA-7-715077: Pitcher: msg string , spi spi

Explanation Various messages have been sent to IKE.

msg_string can be one of the following:

  • Received a key acquire message
  • Received SPI for nonexistent SA
  • Received key delete msg
  • Received KEY_UPDATE
  • Received KEY_REKEY_IB
  • Received KEY_REKEY_OB
  • Received KEY_SA_ACTIVE
  • Could not find IKE SA to activate IPSEC (OB)
  • Could not find IKE SA to rekey IPSEC (OB)
  • KEY_SA_ACTIVE no centry found
  • KEY_ADD centry not found
  • KEY_UPDATE centry not found

This object will be prepended as follows:

Group = groupname , Username = username , IP = ip_address ,...

Recommended Action None required.

715080

Error Message %ASA-7-715080: VPN: Starting P2 rekey timer: 28800 seconds.

Explanation An IKE rekey timer has started.

Recommended Action None required.

716001

Error Message %ASA-6-716001: Group group User user IP ip WebVPN session started.

Explanation The WebVPN session has started for the user in this group at the specified IP address. When the user logs in via the WebVPN login page, the WebVPN session starts.

Recommended Action None required.

716002

Error Message %ASA-6-716002: Group GroupPolicy User username IP ip WebVPN session terminated: User requested.

Explanation The WebVPN session has been terminated by a user request. Possible reasons include:

  • Lost carrier
  • Lost service
  • Idle timeout
  • Max time exceeded
  • Administrator reset
  • Administrator reboot
  • Administrator shutdown
  • Port error
  • NAS error
  • NAS request
  • NAS reboot
  • Port unneeded
  • Port preempted. This reason indicates that the allowed number of simultaneous (same user) logins has been exceeded. To resolve this problem, increase the number of simultaneous logins or have users only log in once with a given username and password.
  • Port suspended
  • Service unavailable
  • Callback
  • User error
  • Host requested
  • Bandwidth management error
  • ACL parse error
  • VPN simultaneous logins limit specified in the group policy
  • Unknown

Recommended Action Unless the reason indicates a problem, no action is required.

716003

Error Message %ASA-6-716003: Group group User user IP ip WebVPN access “GRANTED: url

Explanation The WebVPN user in this group at the specified IP address has been granted access to this URL. The user access to various locations can be controlled using WebVPN-specific ACLs.

Recommended Action None required.

716004

Error Message %ASA-6-716004: Group group User user WebVPN access DENIED to specified location: url

Explanation The WebVPN user in this group has been denied access to this URL. The WebVPN user access to various locations can be controlled using WebVPN-specific ACLs. In this case, a particular entry is denying access to this URL.

Recommended Action None required.

716005

Error Message %ASA-6-716005: Group group User user WebVPN ACL Parse Error: reason

Explanation The ACL for the WebVPN user in the specified group failed to parse correctly.

Recommended Action Correct the WebVPN ACL.

716006

Error Message %ASA-6-716006: Group name User user WebVPN session terminated. Idle timeout.

Explanation The WebVPN session was not created for the user in the specified group because the VPN tunnel protocol is not set to WebVPN.

Recommended Action None required.

716007

Error Message %ASA-4-716007: Group group User user WebVPN Unable to create session.

Explanation The WebVPN session was not created for the user in the specified group because of resource issues. For example, the user may have reached the maximum login limit.

Recommended Action None required.

716008

Error Message %ASA-7-716008: WebVPN ACL: action

Explanation The WebVPN ACL has begun performing an action (for example, begin parsing).

Recommended Action None required.

716009

Error Message %ASA-6-716009: Group group User user WebVPN session not allowed. WebVPN ACL parse error.

Explanation The WebVPN session for the specified user in this group is not allowed because the associated ACL did not parse. The user will not be allowed to log in via WebVPN until this error has been corrected.

Recommended Action Correct the WebVPN ACL.

716010

Error Message %ASA-7-716010: Group group User user Browse network.

Explanation The WebVPN user in the specified group browsed the network.

Recommended Action None required.

716011

Error Message %ASA-7-716011: Group group User user Browse domain domain .

Explanation The specified WebVPN user in this group browsed the specified domain.

Recommended Action None required.

716012

Error Message %ASA-7-716012: Group group User user Browse directory directory .

Explanation The specified WebVPN user browsed the specified directory.

Recommended Action None required.

716013

Error Message %ASA-7-716013: Group group User user Close file filename .

Explanation The specified WebVPN user closed the specified file.

Recommended Action None required.

716014

Error Message %ASA-7-716014: Group group User user View file filename .

Explanation The specified WebVPN user viewed the specified file.

Recommended Action None required.

716015

Error Message %ASA-7-716015: Group group User user Remove file filename .

Explanation The WebVPN user in the specified group removed the specified file.

Recommended Action None required.

716016

Error Message %ASA-7-716016: Group group User user Rename file old_filename to new_filename .

Explanation The specified WebVPN user renamed the specified file.

Recommended Action None required.

716017

Error Message %ASA-7-716017: Group group User user Modify file filename .

Explanation The specified WebVPN user modified the specified file.

Recommended Action None required.

716018

Error Message %ASA-7-716018: Group group User user Create file filename .

Explanation The specified WebVPN user created the specified file.

Recommended Action None required.

716019

Error Message %ASA-7-716019: Group group User user Create directory directory .

Explanation The specified WebVPN user created the specified directory.

Recommended Action None required.

716020

Error Message %ASA-7-716020: Group group User user Remove directory directory .

Explanation The specified WebVPN user removed the specified directory.

Recommended Action None required.

716021

Error Message %ASA-7-716021: File access DENIED, filename .

Explanation The specified WebVPN user was denied access to the specified file.

Recommended Action None required.

716022

Error Message %ASA-4-716022: Unable to connect to proxy server reason .

Explanation The WebVPN HTTP/HTTPS redirect failed for the specified reason.

Recommended Action Check the HTTP/HTTPS proxy configuration.

716023

Error Message %ASA-4-716023: Group name User user Session could not be established: session limit of maximum_sessions reached.

Explanation The user session cannot be established because the current number of sessions exceeds the maximum session load.

Recommended Action Increase the configured limit, if possible, to create a load-balanced cluster.

716024

Error Message %ASA-7-716024: Group name User user Unable to browse the network.Error: description

Explanation The user was unable to browse the Windows network using the CIFS protocol, as indicated by the description. For example, “Unable to contact necessary server” indicates that the remote server is unavailable or unreachable. This might be a transient condition or may require further troubleshooting.

Recommended Action Check the connectivity between the WebVPN device and the server being accessed by the CIFS protocol. Also check the NetBIOS name server configuration on the ASA.

716025

Error Message %ASA-7-716025: Group name User user Unable to browse domain domain . Error: description

Explanation The user was unable to browse the remote domain using the CIFS protocol.

Recommended Action Check the connectivity between the WebVPN device and the server being accessed by the CIFS protocol. Check the NetBIOS name server configuration on the ASA.

716026

Error Message %ASA-7-716026: Group name User user Unable to browse directory directory . Error: description

Explanation The user was unable to browse the remote directory using the CIFS protocol.

Recommended Action Check the connectivity between the WebVPN device and the server being accessed by the CIFS protocol. Also check the NetBIOS name server configuration on the ASA.

716027

Error Message %ASA-7-716027: Group name User user Unable to view file filename . Error: description

Explanation The user was unable to view the remote file using the CIFS protocol.

Recommended Action Check the connectivity between the WebVPN device and the server being accessed by the CIFS protocol. Also check the NetBIOS name server configuration on the ASA.

716028

Error Message %ASA-7-716028: Group name User user Unable to remove file filename . Error: description

Explanation The user was unable to remove the remote file using the CIFS protocol, probably caused by a lack of file permissions.

Recommended Action Check the connectivity between the WebVPN device and the server being accessed by the CIFS protocol. Also check the NetBIOS name server configuration on the ASA and the file permissions.

716029

Error Message %ASA-7-716029: Group name User user Unable to rename file filename . Error: description

Explanation The user was unable to rename the remote file using the CIFS protocol, probably caused by lack of file permissions.

Recommended Action Check the connectivity between the WebVPN device and the server being accessed by the CIFS protocol. Also check the NetBIOS name server configuration on the ASA and the file permissions.

716030

Error Message %ASA-7-716030: Group name User user Unable to modify file filename . Error: description

Explanation A problem occurred when a user attempted to modify an existing file using the CIFS protocol, probably caused by a lack of file permissions.

Recommended Action Check the connectivity between the WebVPN device and the server being accessed by the CIFS protocol. Also check the NetBIOS name server configuration on the ASA and the file permissions.

716031

Error Message %ASA-7-716031: Group name User user Unable to create file filename . Error: description

Explanation A problem occurred when a user attempted to create a file using the CIFS protocol, probably caused by a file permissions problem.

Recommended Action Check the connectivity between the WebVPN device and the server being accessed by the CIFS protocol. Also check the NetBIOS name server configuration on the ASA and the file permissions.

716032

Error Message %ASA-7-716032: Group name User user Unable to create folder folder . Error: description

Explanation A problem occurred when a user attempted to create a folder using the CIFS protocol, probably caused by a file permissions problem.

Recommended Action Check the connectivity between the WebVPN device and the server being accessed by the CIFS protocol. Also check the NetBIOS name server configuration on the ASA and the file permissions.

716033

Error Message %ASA-7-716033: Group name User user Unable to remove folder folder . Error: description

Explanation A problem occurred when a user of the CIFS protocol attempted to remove a folder, which probably occurred because of a permissions problem or a problem communicating with the server on which the file resides.

Recommended Action Check the connectivity between the WebVPN device and the server being accessed by the CIFS protocol. Also check the NetBIOS name server configuration on the ASA.

716034

Error Message %ASA-7-716034: Group name User user Unable to write to file filename .

Explanation A problem occurred when a user attempted to write to a file using the CIFS protocol, probably caused by a permissions problem or a problem communicating with the server on which the file resides.

Recommended Action None required.

716035

Error Message %ASA-7-716035: Group name User user Unable to read file filename .

Explanation A problem occurred when a user of the CIFS protocol tried to read a file, probably caused by a file permissions problem.

Recommended Action Check the file permissions.

716036

Error Message %ASA-7-716036: Group name User user File Access: User user logged into the server server.

Explanation A user successfully logged into the server using the CIFS protocol.

Recommended Action None required.

716037

Error Message %ASA-7-716037: Group name User user File Access: User user failed to login into the server server.

Explanation A user attempted to log in to a server using the CIFS protocol, but was unsuccessful.

Recommended Action Verify that the user entered the correct username and password.

716038

Error Message %ASA-6-716038: Group group User user IP ip Authentication: successful, Session Type: WebVPN.

Explanation Before a WebVPN session can start, the user must be authenticated successfully by a local or remote server (for example, RADIUS or TACACS+).

Recommended Action None required.

716039

Error Message %ASA-6-716039: Authentication: rejected, group = name user = user , Session Type: %s

Explanation Before a WebVPN session starts, the user must be authenticated successfully by a local or remote server (for example, RADIUS or TACACS+). In this case, the user credentials (username and password) either did not match, or the user does not have permission to start a WebVPN session.

  • %s —The session type, which can be either WebVPN or admin

Recommended Action Verify the user credentials on the local or remote server and that WebVPN is configured for the user.
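The message bodies for 716037, 716038 and 716039 above can be compiled into a parser that flags users with repeated rejected logins and records any successful login that follows. This is an added example, not Cisco code; it assumes log lines follow the bodies exactly as printed in this chapter (a device may wrap or order fields differently), and the timestamps, hostname, names, addresses and the `threshold` parameter are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Message bodies as printed in the entries above; {name} marks a variable field.
TEMPLATES = {
    "716037": "Group {group} User {user} File Access: User {cifs_user} "
              "failed to login into the server {server}.",
    "716038": "Group {group} User {user} IP {ip} Authentication: successful, "
              "Session Type: WebVPN.",
    "716039": "Authentication: rejected, group = {group} user = {user} , "
              "Session Type: {session_type}",
}

# Anything before "%ASA-" (timestamp, hostname) is ignored.
HEADER = re.compile(r"%ASA-(?P<severity>\d)-(?P<id>\d{6}):\s*(?P<body>.*)$")


def compile_template(template):
    """Turn a documented message body into a regex with one named group per field."""
    parts = re.split(r"\{(\w+)\}", template)
    pattern = []
    for index, part in enumerate(parts):
        if index % 2:
            # Field: assumed to contain no whitespace (group, user, IP, server).
            pattern.append(rf"(?P<{part}>\S+)")
        else:
            # Literal text: spacing in the printed template is treated as optional.
            pattern.append(r"\s*".join(re.escape(p) for p in re.split(r"\s+", part)))
    return re.compile("".join(pattern))


PATTERNS = {msg_id: compile_template(t) for msg_id, t in TEMPLATES.items()}


def parse_line(line):
    """Return None for other message IDs, else a dict; 'matched' is False when
    the ID is known but the body does not follow the documented template."""
    header = HEADER.search(line)
    if header is None or header["id"] not in PATTERNS:
        return None
    event = {"id": header["id"], "severity": int(header["severity"]), "matched": False}
    fields = PATTERNS[header["id"]].fullmatch(header["body"].strip())
    if fields:
        event.update(fields.groupdict(), matched=True)
    return event


def review_auth(lines, threshold=3):
    """Report (group, user) pairs with at least `threshold` 716039 rejections,
    plus the source IPs of 716038 successes seen after that point."""
    rejected, cifs_failed = Counter(), Counter()
    success_after = defaultdict(list)
    unmatched = 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        if not event["matched"]:
            unmatched += 1          # surface format drift instead of hiding it
            continue
        key = (event["group"], event["user"])
        if event["id"] == "716039":
            rejected[key] += 1
        elif event["id"] == "716037":
            cifs_failed[key] += 1
        elif rejected[key] >= threshold:   # 716038 after repeated rejections
            success_after[key].append(event["ip"])
    findings = [
        {"group": key[0], "user": key[1], "rejected": count,
         "cifs_failed": cifs_failed[key], "success_after": success_after.get(key, [])}
        for key, count in sorted(rejected.items()) if count >= threshold
    ]
    return findings, unmatched


# Constructed sample lines; the last one lacks the IP field on purpose.
SAMPLE = """\
Mar 03 2024 10:15:01 asa1 : %ASA-6-716039: Authentication: rejected, group = SSLVPN user = alice , Session Type: WebVPN
Mar 03 2024 10:15:04 asa1 : %ASA-6-716039: Authentication: rejected, group = SSLVPN user = alice , Session Type: WebVPN
Mar 03 2024 10:15:09 asa1 : %ASA-6-716039: Authentication: rejected, group = SSLVPN user = bob , Session Type: WebVPN
Mar 03 2024 10:15:12 asa1 : %ASA-6-716039: Authentication: rejected, group = SSLVPN user = alice, Session Type: WebVPN
Mar 03 2024 10:15:20 asa1 : %ASA-6-716038: Group SSLVPN User alice IP 198.51.100.7 Authentication: successful, Session Type: WebVPN.
Mar 03 2024 10:16:02 asa1 : %ASA-7-716037: Group SSLVPN User alice File Access: User alice failed to login into the server fs01.
Mar 03 2024 10:17:30 asa1 : %ASA-6-716038: Group SSLVPN User carol Authentication: successful, Session Type: WebVPN.
""".splitlines()

if __name__ == "__main__":
    findings, unmatched = review_auth(SAMPLE)
    for finding in findings:
        print(finding)
    print("lines with a known ID but an unexpected body:", unmatched)
```

A non-zero unmatched count means the device output differs from the printed templates, so the patterns need adjusting before the counts can be trusted.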

716040

Error Message %ASA-6-716040: Reboot pending, new sessions disabled. Denied user login.

Explanation A user was unable to log in to WebVPN because the ASA is in the process of rebooting.

  • user —The session user

Recommended Action None required.

716041

Error Message %ASA-6-716041: access-list acl_ID action url url hit_cnt count

Explanation The WebVPN URL ACL named acl_ID has been hit count times for location url, whose action is permitted or denied.

  • acl_ID —The WebVPN URL ACL
  • count —The number of times the URL was accessed
  • url —The URL that was accessed
  • action —The user action

Recommended Action None required.

716042

Error Message %ASA-6-716042: access-list acl_ID action tcp source_interface / source_address ( source_port ) - dest_interface / dest_address ( dest_port ) hit-cnt count

Explanation The WebVPN TCP ACL named acl_ID has been hit count times for packets received on the source interface source_interface / source_address and source port source_port, forwarded to dest_interface / dest_address and destination port dest_port, whose action is permitted or denied.

  • count —The number of times the ACL was accessed
  • source_interface —The source interface
  • source_address —The source IP address
  • source_port —The source port
  • dest_interface —The destination interface
  • dest_address —The destination IP address
  • action —The user action

Recommended Action None required.

716043

Error Message %ASA-6-716043 Group group-name , User user-name , IP IP_address : WebVPN Port Forwarding Java applet started. Created new hosts file mappings.

Explanation The user has launched a TCP port-forwarding applet from a WebVPN session.

  • group-name —Group name associated with the session
  • user-name —Username associated with the session
  • IP_address —Source IP address associated with the session

Recommended Action None required.

716044

Error Message %ASA-4-716044: Group group-name User user-name IP IP_address AAA parameter param-name value param-value out of range.

Explanation The given parameter has a bad value.

  • group-name— The name of the group
  • user-name— The name of the user
  • IP_address— The IP address
  • param-name— The name of the parameter
  • param-value— The value of the parameter

Recommended Action Modify the configuration to correct the indicated parameter. If the parameter is vlan or nac-settings, verify that it is correctly configured on the AAA server and the ASA.

716045

Error Message %ASA-4-716045: Group group-name User user-name IP IP_address AAA parameter param-name value invalid.

Explanation The given parameter has a bad value. The value is not shown because it might be very long.

  • group-name— The name of the group
  • user-name— The name of the user
  • IP_address— The IP address
  • param-name— The name of the parameter

Recommended Action Modify the configuration to correct the indicated parameter.

716046

Error Message %ASA-4-716046: Group group-name User user-name IP IP_address User ACL access-list-name from AAA doesn't exist on the device, terminating connection.

Explanation The specified ACL was not found on the ASA.

  • group-name— The name of the group
  • user-name— The name of the user
  • IP_address— The IP address
  • access-list-name— The name of the ACL

Recommended Action Modify the configuration to add the specified ACL or to correct the ACL name.

716047

Error Message %ASA-4-716047: Group group-name User user-name IP IP_address User ACL access-list-name from AAA ignored, AV-PAIR ACL used instead.

Explanation The specified ACL was not used because a Cisco AV-PAIR ACL was used.

  • group-name— The name of the group
  • user-name— The name of the user
  • IP_address— The IP address
  • access-list-name— The name of the ACL

Recommended Action Determine the correct ACL to use and correct the configuration.

716048

Error Message %ASA-4-716048: Group group-name User user-name IP IP_address No memory to parse ACL.

Explanation There was not enough memory to parse the ACL.

  • group-name— The name of the group
  • user-name— The name of the user
  • IP_address— The IP address

Recommended Action Purchase more memory, upgrade the ASA, or reduce the load on it.

716049

Error Message %ASA-6-716049: Group group-name User user-name IP IP_address Empty SVC ACL.

Explanation The ACL to be used by the client was empty.

  • group-name— The name of the group
  • user-name— The name of the user
  • IP_address— The IP address

Recommended Action Determine the correct ACL to use and modify the configuration.

716050

Error Message %ASA-6-716050: Error adding to ACL: ace_command_line

Explanation The ACL entry had a syntax error.

  • ace_command_line —The ACL entry that is causing the error

Recommended Action Correct the downloadable ACL configuration.

716051

Error Message %ASA-6-716051: Group group-name User user-name IP IP_address Error adding dynamic ACL for user.

Explanation There is not enough memory to perform the action.

  • group-name— The name of the group
  • user-name— The name of the user
  • IP_address— The IP address

Recommended Action Purchase more memory, upgrade the ASA, or reduce the load on it.

716052

Error Message %ASA-4-716052: Group group-name User user-name IP IP_address Pending session terminated.

Explanation A user did not complete login and the pending session was terminated. This may be due to an SVC that was unable to connect.

  • group-name— The name of the group
  • user-name— The name of the user
  • IP_address— The IP address

Recommended Action Check the user PC for SVC compatibility.

716053

Error Message %ASA-5-716053: SSO Server added: name: name Type: type

Explanation The SSO server name of the specified type has been configured.

  • name —The name of the server
  • type —The type of the server (the only server type is SiteMinder)

Recommended Action None required.

716054

Error Message %ASA-5-716054: SSO Server deleted: name: name Type: type

Explanation The SSO server name of the specified type has been removed from the configuration.

  • name —The name of the server
  • type —The type of server (the only server type is SiteMinder)

Recommended Action None required.

716055

Error Message %ASA-6-716055: Group group-name User user-name IP IP_address Authentication to SSO server name: name type type succeeded

Explanation The WebVPN user has been successfully authenticated to the SSO server.

  • group-name —The group name
  • user-name —The username
  • IP_address —The IP address of the server
  • name —The name of the server
  • type —The type of server (the only server type is SiteMinder)

Recommended Action None required.

716056

Error Message %ASA-3-716056: Group group-name User user-name IP IP_address Authentication to SSO server name: name type type failed reason: reason

Explanation The WebVPN user failed to authenticate to the SSO server.

  • group-name —The group name
  • user-name —The username
  • IP_address —The IP address of the server
  • name —The name of the server
  • type —The type of server (the only server type is SiteMinder)
  • reason —The reason for the authentication failure

Recommended Action Either the user or the ASA administrator needs to correct the problem, depending on the reason for the failure.

716057

Error Message %ASA-3-716057: Group group User user IP ip Session terminated, no type license available.

Explanation A user has attempted to connect to the ASA using a client that is not licensed. This message may also occur if a temporary license has expired.

  • group —The group policy that the user logged in with
  • user —The name of the user
  • ip —The IP address of the user
  • type —The type of license requested, which can be one of the following:
      - AnyConnect Mobile
      - LinkSys Phone
      - The type of license requested by the client (if other than the AnyConnect Mobile or LinkSys Phone)
      - Unknown

Recommended Action A permanent license with the appropriate feature should be purchased and installed.

716058

Error Message %ASA-6-716058: Group group User user IP ip AnyConnect session lost connection. Waiting to resume.

Explanation The SSL tunnel was dropped and the AnyConnect session enters the inactive state, which can be caused by a hibernating host, a standby host, or a loss of network connectivity.

  • group —The tunnel group name associated with the AnyConnect session
  • user —The name of the user associated with the session
  • ip —The source IP address of the session

Recommended Action None required.

716059

Error Message %ASA-6-716059: Group group User user IP ip AnyConnect session resumed. Connection from ip2 .

Explanation An AnyConnect session resumed from the inactive state.

  • group —The tunnel group name associated with the AnyConnect session
  • user —The name of the user associated with the session
  • ip —The source IP address of the session
  • ip2 —The source IP address of the host on which the session is resumed

Recommended Action None required.

716060

Error Message %ASA-6-716060: Group group User user IP ip Terminated AnyConnect session in inactive state to accept a new connection. License limit reached.

Explanation An AnyConnect session in the inactive state was logged out to allow a new incoming SSL VPN (AnyConnect or clientless) connection.

  • group —The tunnel group name associated with the AnyConnect session
  • user —The name of the user associated with the session
  • ip —The source IP address of the session

Recommended Action None required.

716061

Error Message %ASA-3-716061: Group DfltGrpPolicy User user IP ip addr IPv6 User Filter tempipv6 configured for AnyConnect. This setting has been deprecated, terminating connection

Explanation The IPv6 VPN filter has been deprecated and if it is configured instead of a unified filter for IPv6 traffic access control, the connection will be terminated.

Recommended Action Configure a unified filter with IPv6 entries to control IPv6 traffic for the user.

716500

Error Message %ASA-2-716500: internal error in: function : Fiber library cannot locate AK47 instance

Explanation The fiber library cannot locate the application kernel layer 4 to 7 instance.

Recommended Action To determine the cause of the problem, contact the Cisco TAC.

716501

Error Message %ASA-2-716501: internal error in: function : Fiber library cannot attach AK47 instance

Explanation The fiber library cannot attach the application kernel layer 4 to 7 instance.

Recommended Action To determine the cause of the problem, contact the Cisco TAC.

716502

Error Message %ASA-2-716502: internal error in: function : Fiber library cannot allocate default arena

Explanation The fiber library cannot allocate the default arena.

Recommended Action To determine the cause of the problem, contact the Cisco TAC.

716503

Error Message %ASA-2-716503: internal error in: function : Fiber library cannot allocate fiber descriptors pool

Explanation The fiber library cannot allocate the fiber descriptors pool.

Recommended Action To determine the cause of the problem, contact the Cisco TAC.

716504

Error Message %ASA-2-716504: internal error in: function : Fiber library cannot allocate fiber stacks pool

Explanation The fiber library cannot allocate the fiber stack pool.

Recommended Action To determine the cause of the problem, contact the Cisco TAC.

716505

Error Message %ASA-2-716505: internal error in: function : Fiber has joined fiber in unfinished state

Explanation The fiber has joined fiber in an unfinished state.

Recommended Action To determine the cause of the problem, contact the Cisco TAC.

716506

Error Message %ASA-2-716506: UNICORN_SYSLOGID_JOINED_UNEXPECTED_FIBER

Explanation An internal fiber library was generated.

Recommended Action Contact the Cisco TAC.

716507

Error Message %ASA-1-716507: Fiber scheduler has reached unreachable code. Cannot continue, terminating.

Explanation The ASA has experienced an unexpected error and has recovered.

Recommended Action Check for high CPU usage or CPU hogs, and potential memory leaks. If the problem persists, contact the Cisco TAC.

716508

Error Message %ASA-1-716508: internal error in: function : Fiber scheduler is scheduling rotten fiber. Cannot continuing terminating

Explanation The fiber scheduler is scheduling rotten fiber, so it cannot continue terminating.

Recommended Action To determine the cause of the problem, contact the Cisco TAC.

716509

Error Message %ASA-1-716509:internal error in: function : Fiber scheduler is scheduling alien fiber. Cannot continue terminating

Explanation The fiber scheduler is scheduling alien fiber, so it cannot continue terminating.

Recommended Action To determine the cause of the problem, contact the Cisco TAC.

716510

Error Message %ASA-1-716510:internal error in: function : Fiber scheduler is scheduling finished fiber. Cannot continue terminating

Explanation The fiber scheduler is scheduling finished fiber, so it cannot continue terminating.

Recommended Action To determine the cause of the problem, contact the Cisco TAC.

716512

Error Message %ASA-2-716512:internal error in: function : Fiber has joined fiber waited upon by someone else

Explanation The fiber has joined fiber that is waited upon by someone else.

Recommended Action To determine the cause of the problem, contact the Cisco TAC.

716513

Error Message %ASA-2-716513: internal error in: function : Fiber in callback blocked on other channel

Explanation The fiber in the callback was blocked on the other channel.

Recommended Action To determine the cause of the problem, contact the Cisco TAC.

716515

Error Message %ASA-2-716515:internal error in: function : OCCAM failed to allocate memory for AK47 instance

Explanation The OCCAM failed to allocate memory for the AK47 instance.

Recommended Action To determine the cause of the problem, contact the Cisco TAC.

716516

Error Message %ASA-1-716516: internal error in: function : OCCAM has corrupted ROL array. Cannot continue terminating

Explanation The OCCAM has a corrupted ROL array, so it cannot continue terminating.

Recommended Action To determine the cause of the problem, contact the Cisco TAC.

716517

Error Message %ASA-2-716517: internal error in: function : OCCAM cached block has no associated arena

Explanation The OCCAM cached block has no associated arena.

Recommended Action To determine the cause of the problem, contact the Cisco TAC.

716518

Error Message %ASA-2-716518: internal error in: function : OCCAM pool has no associated arena

Explanation The OCCAM pool has no associated arena.

Recommended Action To determine the cause of the problem, contact the Cisco TAC.

716519

Error Message %ASA-1-716519: internal error in: function : OCCAM has corrupted pool list. Cannot continue terminating

Explanation The OCCAM has a corrupted pool list, so it cannot continue terminating.

Recommended Action To determine the cause of the problem, contact the Cisco TAC.

716520

Error Message %ASA-2-716520:internal error in: function : OCCAM pool has no block list

Explanation The OCCAM pool has no block list.

Recommended Action To determine the cause of the problem, contact the Cisco TAC.

716521

Error Message %ASA-2-716521: internal error in: function : OCCAM no realloc allowed in named pool

Explanation The OCCAM did not allow reallocation in the named pool.

Recommended Action To determine the cause of the problem, contact the Cisco TAC.

716522

Error Message %ASA-2-716522: internal error in: function : OCCAM corrupted standalone block

Explanation The OCCAM has a corrupted standalone block.

Recommended Action To determine the cause of the problem, contact the Cisco TAC.

716525

Error Message %ASA-2-716525: UNICORN_SYSLOGID_SAL_CLOSE_PRIVDATA_CHANGED

Explanation An internal SAL error has occurred.

Recommended Action Contact the Cisco TAC.

716526

Error Message %ASA-2-716526: UNICORN_SYSLOGID_PERM_STORAGE_SERVER_LOAD_FAIL

Explanation A failure in the mounting of the permanent storage server directory occurred.

Recommended Action Contact the Cisco TAC.

716527

Error Message %ASA-2-716527: UNICORN_SYSLOGID_PERM_STORAGE_SERVER_STORE_FAIL

Explanation A failure in the mounting of the permanent storage file occurred.

Recommended Action Contact the Cisco TAC.

716528

Error Message %ASA-1-716528: Unexpected fiber scheduler error; possible out-of-memory condition

Explanation The ASA has experienced an unexpected error and has recovered.

Recommended Action Check for high CPU usage or CPU hogs, and potential memory leaks. If the problem persists, contact the Cisco TAC.

716600

Error Message %ASA-3-716600: Rejected size-recv KB Hostscan data from IP src-ip . Hostscan results exceed default | configured limit of size-conf KB.

Explanation When the size of the received Hostscan data exceeds the limit configured on the ASA, the data is discarded.

  • size-recv —Size of received Hostscan data in kilobytes
  • src-ip —Source IP address
  • default | configured —Keyword specifying whether the value of the Hostscan data limit is the default or configured by the administrator
  • size-conf —Configured upper limit on the size of the Hostscan data that the ASA accepts from clients

Recommended Action Contact Cisco TAC to increase the upper limit on the size of Hostscan data that the ASA accepts from clients.

716601

Error Message %ASA-3-716601: Rejected size-recv KB Hostscan data from IP src-ip . System-wide limit on the amount of Hostscan data stored on ASA exceeds the limit of data-max KB.

Explanation When the amount of Hostscan data stored on the ASA exceeds the limit, new Hostscan results are rejected.

  • size-recv —Size of received Hostscan data in kilobytes
  • src-ip —Source IP address
  • data-max —Limit on the amount of Hostscan results to be stored by the ASA in kilobytes

Recommended Action Contact Cisco TAC to change the limit on stored Hostscan data.

716602

Error Message %ASA-3-716602: Memory allocation error. Rejected size-recv KB Hostscan data from IP src-ip .

Explanation An error occurred while memory was being allocated for Hostscan data.

  • size-recv —Size of received Hostscan data in kilobytes
  • src-ip —Source IP address

Recommended Action Set the Hostscan limit to the default value if it is configured. If the problem persists, contact Cisco TAC.

716603

Error Message %ASA-7-716603: Received size-recv KB Hostscan data from IP src-ip .

Explanation The Hostscan data of a specified size was successfully received.

  • size-recv —Size of received Hostscan data in kilobytes
  • src-ip —Source IP address

Recommended Action None required.

717001

Error Message %ASA-3-717001: Querying keypair failed.

Explanation A required keypair was not found during an enrollment request.

Recommended Action Verify that a valid keypair exists in the trustpoint configuration, then resubmit the enrollment request.

717002

Error Message %ASA-3-717002: Certificate enrollment failed for trustpoint trustpoint_name . Reason: reason_string .

Explanation An enrollment request for this trustpoint has failed.

  • trustpoint_name —Trustpoint name that the enrollment request was for
  • reason_string —The reason the enrollment request failed

Recommended Action Check the CA server for the failure reason.

717003

Error Message %ASA-6-717003: Certificate received from Certificate Authority for trustpoint trustpoint_name .

Explanation A certificate was successfully received from the CA for this trustpoint.

  • trustpoint_name —Trustpoint name

Recommended Action None required.

717004

Error Message %ASA-6-717004: PKCS #12 export failed for trustpoint trustpoint_name .

Explanation The trustpoint failed to export, because of one of the following: only a CA certificate exists, and an identity certificate does not exist for the trustpoint, or a required keypair is missing.

  • trustpoint_name —Trustpoint name

Recommended Action Make sure that required certificates and keypairs are present for the given trustpoint.

717005

Error Message %ASA-6-717005: PKCS #12 export succeeded for trustpoint trustpoint_name .

Explanation The trustpoint was successfully exported.

  • trustpoint_name —Trustpoint name

Recommended Action None required.

717006

Error Message %ASA-6-717006: PKCS #12 import failed for trustpoint trustpoint_name .

Explanation Import of the requested trustpoint failed to be processed.

  • trustpoint_name —Trustpoint name

Recommended Action Verify the integrity of the imported data. Then make sure that the entire pkcs12 record is correctly pasted, and reimport the data.

717007

Error Message %ASA-6-717007: PKCS #12 import succeeded for trustpoint trustpoint_name .

Explanation Import of the requested trustpoint was successfully completed.

  • trustpoint_name —Trustpoint name

Recommended Action None required.

717008

Error Message %ASA-2-717008: Insufficient memory to process_requiring_memory .

Explanation An internal error occurred while attempting to allocate memory for the process that requires memory. Other processes may experience problems allocating memory and prevent further processing.

  • process_requiring_memory —The specified process that requires memory

Recommended Action Collect memory statistics and logs for further debugging and reload the ASA.

717009

Error Message %ASA-3-717009: Certificate validation failed. Reason: reason_string .

Explanation A certificate validation failed, which might be caused by a validation attempt of a revoked certificate, invalid certificate attributes, or configuration issues.

  • reason_string —The reason that the certificate validation failed

Recommended Action Make sure the configuration has a valid trustpoint configured for validation if the reason indicates that no suitable trustpoints were found. Check the ASA time to ensure that it is accurate relative to the certificate authority time. Check the reason for the failure and correct any issues that are indicated.

717010

Error Message %ASA-3-717010: CRL polling failed for trustpoint trustpoint_name .

Explanation CRL polling has failed and may cause connections to be denied if CRL checking is required.

  • trustpoint_name —The name of the trustpoint that requested the CRL

Recommended Action Verify that connectivity exists with the configured CRL distribution point and make sure that manual CRL retrieval also functions correctly.

717011

Error Message %ASA-2-717011: Unexpected event event event_ID

Explanation An event that is not expected under normal conditions has occurred.

Recommended Action If the problem persists, contact the Cisco TAC.

717012

Error Message %ASA-3-717012: Failed to refresh CRL cache entry from the server for trustpoint trustpoint_name at time_of_failure

Explanation An attempt to refresh a cached CRL entry has failed for the specified trustpoint at the indicated time of failure. This may result in obsolete CRLs on the ASA, which may cause connections that require a valid CRL to be denied.

  • trustpoint_name —The name of the trustpoint
  • time_of_failure —The time of failure

Recommended Action Check connectivity issues to the server, such as a downed network or server. Try to retrieve the CRL manually using the crypto ca crl retrieve command.

717013

Error Message %ASA-5-717013: Removing a cached CRL to accommodate an incoming CRL. Issuer: issuer

Explanation When the device is configured to authenticate IPsec tunnels using digital certificates, CRLs may be cached in memory to avoid requiring a CRL download during each connection. If the cache fills to the point where an incoming CRL cannot be accommodated, older CRLs will be removed until the required space is made available. This message is generated for each purged CRL.

  • issuer —The name of the device that removes cached CRLs

Recommended Action None required.

717014

Error Message %ASA-5-717014: Unable to cache a CRL received from CDP due to size limitations (CRL size = size , available cache space = space )

Explanation When the device is configured to authenticate IPsec tunnels using digital certificates, CRLs may be cached in memory to avoid requiring a CRL download during each connection. This message is generated if a received CRL is too large to fit in the cache. Large CRLs are still supported even though they are not cached. This means that the CRL will be downloaded with each IPsec connection, which may affect performance during IPsec connection bursts.

Recommended Action None required.

717015

Error Message %ASA-3-717015: CRL received from issuer is too large to process (CRL size = crl_size , maximum CRL size = max_crl_size )

Explanation An IPsec connection caused a CRL that is larger than the maximum permitted CRL size to be downloaded. This error condition causes the connection to fail. This message is rate limited to one message every 10 seconds.

Recommended Action Scalability is perhaps the most significant drawback to the CRL method of revocation checking. To solve this problem, the only options are to investigate a CA-based solution to reduce the CRL size or configure the ASA not to require CRL validation.

717016

Error Message %ASA-6-717016: Removing expired CRL from the CRL cache. Issuer: issuer

Explanation When the ASA is configured to authenticate IPsec tunnels using digital certificates, CRLs may be cached in memory to avoid requiring a CRL download during each connection. This message is generated when either the CA specified expiration time or the configured cache time has lapsed and the CRL is removed from the cache.

Recommended Action None required.

717017

Error Message %ASA-3-717017: Failed to query CA certificate for trustpoint trustpoint_name from enrollment_url

Explanation An error occurred when an attempt was made to authenticate a trustpoint by requesting a CA certificate from a certificate authority.

Recommended Action Make sure that an enrollment URL is configured with this trustpoint, ensure connectivity with the CA server, then retry the request.

717018

Error Message %ASA-3-717018: CRL received from issuer has too many entries to process (number of entries = number_of_entries , maximum number allowed = max_allowed )

Explanation An IPsec connection caused a CRL that includes more revocation entries than can be supported to be downloaded. This is an error condition that will cause the connection to fail. This message is rate limited to one message every 10 seconds.

  • issuer —The X.500 name of the CRL's issuer
  • number_of_entries —The number of revocation entries in the received CRL
  • max_allowed —The maximum number of CRL entries that the ASA supports

Recommended Action Scalability is perhaps the most significant drawback to the CRL method of revocation checking. The only options to solve this problem are to investigate a CA-based solution to reduce the CRL size or configure the ASA not to require CRL validation.

717019

Error Message %ASA-3-717019: Failed to insert CRL for trustpoint trustpoint_name . Reason: failure_reason .

Explanation A CRL is retrieved, but found to be invalid and cannot be inserted into the cache because of the failure_reason.

  • trustpoint_name —The name of the trustpoint that requested the CRL
  • failure_reason —The reason that the CRL failed to be inserted into cache

Recommended Action Make sure that the current ASA time is correct relative to the CA time. If the NextUpdate field is missing, configure the trustpoint to ignore the NextUpdate field.

717020

Error Message %ASA-3-717020: Failed to install device certificate for trustpoint label . Reason: reason string .

Explanation A failure occurred while trying to enroll or import an enrolled certificate into a trustpoint.

  • label —Label of the trustpoint that failed to install the enrolled ASA certificate
  • reason_string —The reason that the certificate cannot be verified

Recommended Action Use the failure reason to remedy the cause of failure and retry the enrollment. Common failures are due to invalid certificates being imported into the ASA or a mismatch of the public key included in the enrolled certificate with the keypair referenced in the trustpoint.

717021

Error Message %ASA-3-717021: Certificate data could not be verified. Locate Reason: reason_string serial number: serial number , subject name: subject name , key length key length bits.

Explanation An attempt to verify the certificate that is identified by the serial number and subject name was unsuccessful for the specified reason. When verifying certificate data using the signature, several errors can occur that should be logged, including invalid key types and unsupported key size.

  • reason_string —The reason that the certificate cannot be verified
  • serial number —Serial number of the certificate that is being verified
  • subject name —Subject name included in the certificate that is being verified
  • key length —The number of bits in the key used to sign this certificate

Recommended Action Check the specified certificate to ensure that it is valid, that it includes a valid key type, and that it does not exceed the maximum supported key size.

717022

Error Message %ASA-6-717022: Certificate was successfully validated. certificate_identifiers

Explanation The identified certificate was successfully validated.

  • certificate_identifiers —Information to identify the certificate that was validated successfully, which might include a reason, serial number, subject name, and additional information

Recommended Action None required.

717023

Error Message %ASA-3-717023: SSL failed to set device certificate for trustpoint trustpoint name . Reason: reason_string .

Explanation A failure occurred while trying to set an ASA certificate for the given trustpoint for authenticating the SSL connection.

  • trustpoint name —Name of the trustpoint for which SSL failed to set an ASA certificate
  • reason_string —Reason indicating why the ASA certificate cannot be set

Recommended Action Resolve the issue indicated by the reason reported for the failure by doing the following:

  • Make sure that the specified trustpoint is enrolled and has an ASA certificate.
  • Make sure the ASA certificate is valid.
  • Reenroll the trustpoint, if required.

717024

Error Message %ASA-7-717024: Checking CRL from trustpoint: trustpoint name for purpose

Explanation A CRL is being retrieved.

  • trustpoint name —Name of the trustpoint for which the CRL is being retrieved
  • purpose —Reason that the CRL is being retrieved

Recommended Action None required.

717025

Error Message %ASA-7-717025: Validating certificate chain containing number of certs certificate(s).

Explanation A certificate chain is being validated.

  • number of certs —Number of certificates in the chain

Recommended Action None required.

717026

Error Message %ASA-4-717026: Name lookup failed for hostname hostname during PKI operation.

Explanation The given hostname cannot be resolved while attempting a PKI operation.

  • hostname —The hostname that failed to resolve

Recommended Action Check the configuration and the DNS server entries for the given hostname to make sure that it can be resolved. Then retry the operation.

717027

Error Message %ASA-3-717027: Certificate chain failed validation. reason_string .

Explanation A certificate chain cannot be validated.

  • reason_string —Reason for the failure to validate the certificate chain

Recommended Action Resolve the issue noted by the reason and retry the validation attempt by performing any of the following actions:

  • Make sure that connectivity to a CA is available if CRL checking is required.
  • Make sure that a trustpoint is authenticated and available for validation.
  • Make sure that the identity certificate within the chain is valid based on the validity dates.
  • Make sure that the certificate is not revoked.

717028

Error Message %ASA-6-717028: Certificate chain was successfully validated additional info .

Explanation A certificate chain was successfully validated.

  • additional info —More information for how the certificate chain was validated (for example, “with warning” indicates that a CRL check was not performed)

Recommended Action None required.

717029

Error Message %ASA-7-717029: Identified client certificate within certificate chain. serial number: serial_number , subject name: subject_name .

Explanation The certificate specified as the client certificate is identified.

  • serial_number —Serial number of the certificate that is identified as the client certificate
  • subject_name —Subject name included in the certificate that is identified as the client certificate

Recommended Action None required.

717030

Error Message %ASA-7-717030: Found a suitable trustpoint trustpoint name to validate certificate.

Explanation A suitable or usable trustpoint is found that can be used to validate the certificate.

  • trustpoint name —Trustpoint that will be used to validate the certificate

Recommended Action None required.

717031

Error Message %ASA-4-717031: Failed to find a suitable trustpoint for the issuer: issuer Reason: reason_string

Explanation A usable trustpoint cannot be found. During certificate validation, a suitable trustpoint must be available in order to validate a certificate.

  • issuer —Issuer of the certificate that was being validated
  • reason_string —The reason that a suitable trustpoint cannot be found

Recommended Action Resolve the issue indicated in the reason by checking the configuration to make sure that a trustpoint is configured, authenticated, and enrolled. Also make sure that the configuration allows for specific types of certificates, such as identity certificates.

717033

Error Message %ASA-6-717033: OCSP response status - Successful.

Explanation An OCSP status check response was received successfully.

Recommended Action None required.

717034

Error Message %ASA-7-717034: No-check extension found in certificate. OCSP check bypassed.

Explanation An OCSP responder certificate was received that includes an “id-pkix-ocsp-nocheck” extension, which allows this certificate to be validated without an OCSP status check.

Recommended Action None required.

717035

Error Message %ASA-4-717035: OCSP status is being checked for certificate. certificate_identifier.

Explanation The certificate for which an OCSP status check occurs is identified.

  • certificate_identifier —Information that identifies the certificate being processed by the certificate map rules

Recommended Action None required.

717036

Error Message %ASA-7-717036: Looking for a tunnel group match based on certificate maps for peer certificate with certificate_identifier .

Explanation The peer certificate identified by the certificate identifier is being processed through the configured certificate maps to attempt a possible tunnel group match.

  • certificate_identifier —Information that identifies the certificate being processed by the certificate map rules

Recommended Action None required.

717037

Error Message %ASA-4-717037: Tunnel group search using certificate maps failed for peer certificate: certificate_identifier .

Explanation The peer certificate identified by the certificate identifier was processed through the configured certificate maps to attempt a possible tunnel group match, but no match can be found.

  • certificate_identifier —Information that identifies the certificate being processed by the certificate map rules

Recommended Action Make sure that the warning is expected based on the received peer certificate and the configured crypto CA certificate map rules.

717038

Error Message %ASA-7-717038: Tunnel group match found. Tunnel Group: tunnel_group_name , Peer certificate: certificate_identifier .

Explanation The peer certificate identified by the certificate identifier was processed by the configured certificate maps, and a match was found to the tunnel group.

  • certificate_identifier —Information that identifies the certificate being processed by the certificate map rules
  • tunnel_group_name —The name of the tunnel group matched by the certificate map rules

Recommended Action None required.

717039

Error Message %ASA-3-717039: Local CA Server internal error detected: error.

Explanation An internal processing error has occurred with the local CA server.

  • error —Error string

Recommended Action Based on the error, take the necessary steps to resolve the issue. Currently, the possible errors include:

  • CA key does not exist—Make sure that the CA key is present, or restore the key from a backup, if necessary.
  • Failed to rollover expired CA certificate—Make sure that the clock is correct and that the CA certificate is expired, then restart the CA server to try to reissue the certificate.
  • Failed to generate self-signed certificate for Local CA Server certificate rollover upon expiration—Make sure that the clock is correct and that the CA certificate is about to expire, then restart the CA server to try to reissue the certificate.
  • Failed to configure Local CA Server—Turn on debugging and try to configure the CA server again to determine the cause of the failure.
  • Invalid issuer name configured—Change the issuer name DN to a valid DN string.

717040

Error Message %ASA-2-717040: Local CA Server has failed and is being disabled. Reason: reason.

Explanation The local CA server is being disabled because of an error.

  • reason —Reason string

Currently, the possible errors include:

  • Storage down—Make sure that storage is accessible, and reenable the CA server by using the no shut command.

Recommended Action Based on the reason, take the necessary steps to resolve the issue.

717041

Error Message %ASA-7-717041: Local CA Server event: event info .

Explanation Event details that have occurred on the CA server are reported to allow you to track or debug the CA server health, including when the CA server is created, enabled, or disabled, or when the CA server certificate is rolled over.

  • event info —Details of the event that occurred

Recommended Action None required.

717042

Error Message %ASA-3-717042: Failed to enable Local CA Server.Reason: reason .

Explanation Errors occurred when an attempt was made to enable the local CA server.

  • reason —Reason that the local CA server failed to enable

Recommended Action Resolve the issue encountered that is reported in the reason string. Currently, the possible reasons include:

  • Failed to create server trustpoint
  • Failed to create server keypair
  • Time has not been set
  • Failed to init storage
  • Storage not accessible
  • Failed to validate self-signed CA certificate
  • Failed to generate self-signed CA certificate
  • CA certificate has expired
  • Failed to generate CRL
  • Failed to archive CA key and certificate
  • Failed to generate empty user or certificate database file
  • Failed to load user or certificate database file

717043

Error Message %ASA-6-717043: Local CA Server certificate enrollment related info for user: user . Info: info .

Explanation Enrollment-related activities for a user are being monitored. The username and specific enrollment information are reported so that enrollments, e-mail invitation generation, and renewal reminder generation can be monitored.

  • user —Username about whom the enrollment information log is being generated
  • info —Enrollment information string

Recommended Action None required.

717044

Error Message %ASA-3-717044: Local CA server certificate enrollment related error for user: user . Error: error .

Explanation Errors that occur in the processing of certificate enrollment are reported, which may include errors in notifying users via e-mail for renewal reminders, errors during issuance of a certificate to complete enrollment, invalid username or OTP, and expired enrollment attempts.

  • user —Username for whom the enrollment error log is being generated
  • error —Enrollment error

Recommended Action If the error does not provide enough information to diagnose and resolve the issue, turn on debugging and try enrollment again.

717045

Error Message %ASA-7-717045:Local CA Server CRL info: info

Explanation The CRL file is monitored when it is generated and regenerated.

  • info —Informational string of the CRL event

Recommended Action None required.

717046

Error Message %ASA-3-717046: Local CA Server CRL error: error .

Explanation Errors that are encountered while trying to generate and reissue the local CA server CRL file are reported.

  • error —Error string

Recommended Action Take appropriate action to resolve the reported issue, which may include verifying that storage is accessible, and that the CRL file is valid in storage and signed by the existing local CA server.

717047

Error Message %ASA-6-717047: Revoked certificate issued to user: username, with serial number serial number .

Explanation Any certificates issued by the local CA server that have been revoked are being monitored.

  • username —Username of the owner of the certificate that is being revoked
  • serial number —Serial number of the certificate that has been revoked

Recommended Action None required.

717048

Error Message %ASA-6-717048: Unrevoked certificate issued to user: username, with serial number serial number .

Explanation Certificates issued by the local CA server that were previously revoked, and that are now being unrevoked and removed from the CRL, are being monitored.

  • username —Username of the owner of the certificate that is being unrevoked
  • serial number —Serial number of the certificate that has been unrevoked

Recommended Action None required.

717049

Error Message %ASA-1-717049: Local CA Server certificate is due to expire in number days and a replacement certificate is available for export.

Explanation The administrator is alerted to an upcoming CA certificate expiration so that the administrator can take action to export the replacement certificate to all ASAs that will require the new certificate.

  • number —The number of days before the local CA server certificate expires

Recommended Action To avoid certificate validation failures on any ASAs that require the local CA server certificate, action should be taken before the actual expiration of the current local CA server certificate, which is indicated by the number value. Note that the local CA server does not require any action because the CA certificate will be replaced automatically. Use the show crypto ca server certificate command to view the replacement or rollover local CA server certificate and copy it for import into any ASA that will require the new certificate.

717050

Error Message %ASA-5-717050: SCEP Proxy: Processed request type type from IP client ip address , User username , TunnelGroup tunnel_group name , GroupPolicy group-policy name to CA IP ca ip address

Explanation The SCEP proxy received a message and relayed it to the CA. The response from the CA is relayed back to the client.

  • type —The request type string that is received by the SCEP proxy, which can be one of the following SCEP message types: PKIOperation, GetCACaps, GetCACert, GetNextCACert, and GetCACertChain.
  • client ip address —The source IP address of the request received
  • username —The username that is associated with the VPN session in which the SCEP request is received
  • tunnel-group name —The tunnel group that is associated with the VPN session in which the SCEP request is received
  • group-policy name —The group policy that is associated with the VPN session in which the SCEP request is received
  • ca ip address —The IP address of the CA that is configured in the group policy

Recommended Action None required.

717051

Error Message %ASA-3-717051: SCEP Proxy: Denied processing the request type type received from IP client ip address , User username , TunnelGroup tunnel group name , GroupPolicy group policy name to CA ca ip address . Reason: msg

Explanation The SCEP proxy denied processing of the request, which may be caused by a misconfiguration, an error condition in the proxy, or an invalid request.

  • type —The request type string that is received by the SCEP proxy, which can be one of the following SCEP message types: PKIOperation, GetCACaps, GetCACert, GetNextCACert, and GetCACertChain.
  • client ip address —The source IP address of the request received
  • username —The username that is associated with the VPN session in which the SCEP request is received
  • tunnel-group name —The tunnel group that is associated with the VPN session in which the SCEP request is received
  • group-policy name —The group policy that is associated with the VPN session in which the SCEP request is received
  • ca ip address —The IP address of the CA that is configured in the group policy
  • msg —The reason string that explains the reason or error for why the request processing is denied

Recommended Action Identify the cause from the reason printed. If the reason indicates that the request is invalid, check the CA URL configuration. Otherwise, confirm that the tunnel group is enabled for SCEP enrollment and debug further by using the debug crypto ca scep-proxy command.
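A parsing sketch for the two SCEP proxy messages above (717050 and 717051), added here as an example and not Cisco code: it extracts the documented fields and counts denials per client and user. The syslog prefix, addresses, names and reason text in the sample lines are constructed, and treating whitespace around the separators as optional is an assumption about how the ASA spaces real messages.

```python
import re
from collections import Counter

# Header shared by every message in this reference: %ASA-<severity>-<message id>: <text>
HEADER = re.compile(r"%ASA-(?P<severity>[0-7])-(?P<msg_id>\d{6}):\s*(?P<text>.*)$")

# SCEP request types listed for 717050/717051.
SCEP_TYPES = {"PKIOperation", "GetCACaps", "GetCACert", "GetNextCACert", "GetCACertChain"}

# One pattern for both bodies. The documented formats differ slightly
# ("from IP" vs "received from IP", "to CA IP" vs "to CA"), so both are accepted.
SCEP_BODY = re.compile(
    r"SCEP Proxy:\s*(?P<verb>Processed|Denied processing the)\s+request type\s+(?P<type>\S+)"
    r"\s+(?:received\s+)?from IP\s+(?P<client_ip>\S+?)\s*,"
    r"\s*User\s+(?P<user>.*?)\s*,"
    r"\s*TunnelGroup\s+(?P<tunnel_group>.*?)\s*,"
    r"\s*GroupPolicy\s+(?P<group_policy>.*?)"
    r"\s+to CA\s+(?:IP\s+)?(?P<ca_ip>[0-9A-Fa-f:.]*[0-9A-Fa-f])"
    r"(?:\s*\.?\s*Reason:\s*(?P<reason>.*?))?\s*$"
)


def parse_scep_event(line):
    """Return a dict for a 717050/717051 line, or None for any other line."""
    header = HEADER.search(line.rstrip("\r\n"))
    if header is None or header["msg_id"] not in ("717050", "717051"):
        return None
    event = {
        "msg_id": header["msg_id"],
        "severity": int(header["severity"]),
        "denied": header["msg_id"] == "717051",
        "parsed": False,
    }
    body = SCEP_BODY.match(header["text"])
    if body is None:
        # Keep the event with its raw text instead of silently dropping
        # a line whose layout differs from the documented one.
        event["raw"] = header["text"]
        return event
    fields = body.groupdict()
    fields.pop("verb")
    event.update(fields, parsed=True, known_type=fields["type"] in SCEP_TYPES)
    return event


def denial_summary(lines, threshold=2):
    """Count 717051 denials per (client_ip, user); return those at or above threshold."""
    counts = Counter()
    for line in lines:
        event = parse_scep_event(line)
        if event and event["denied"] and event["parsed"]:
            counts[(event["client_ip"], event["user"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample lines (documentation address ranges, placeholder reason text).
SAMPLE_LINES = [
    "Mar 03 2024 10:15:02 asa-vpn-1 : %ASA-5-717050: SCEP Proxy: Processed request type "
    "GetCACaps from IP 198.51.100.23, User alice, TunnelGroup CertEnroll, "
    "GroupPolicy ScepPolicy to CA IP 192.0.2.10",
    "Mar 03 2024 10:16:40 asa-vpn-1 : %ASA-3-717051: SCEP Proxy: Denied processing the request "
    "type PKIOperation received from IP 203.0.113.7 , User bob , TunnelGroup CertEnroll , "
    "GroupPolicy ScepPolicy to CA 192.0.2.10 . Reason: placeholder reason text",
    "Mar 03 2024 10:16:55 asa-vpn-1 : %ASA-3-717051: SCEP Proxy: Denied processing the request "
    "type PKIOperation received from IP 203.0.113.7, User bob, TunnelGroup CertEnroll, "
    "GroupPolicy ScepPolicy to CA 192.0.2.10. Reason: placeholder reason text",
    "Mar 03 2024 10:17:01 asa-vpn-1 : %ASA-6-717033: OCSP response status - Successful.",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_scep_event(sample))
    print(denial_summary(SAMPLE_LINES))
```

Repeated 717051 denials from one client and user are the cases to follow up with the Recommended Action above; a single 717050 per enrollment is the expected baseline.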

718001

Error Message %ASA-7-718001: Internal interprocess communication queue send failure: code error_code

Explanation An internal software error has occurred while attempting to enqueue a message on the VPN load balancing queue.

Recommended Action This is generally a benign condition. If the problem persists, contact the Cisco TAC.

718002

Error Message %ASA-5-718002: Create peer IP_address failure, already at maximum of number_of_peers

Explanation The maximum number of load-balancing peers has been exceeded. The new peer is ignored.

Recommended Action Check your load balancing and network configuration to ensure that the number of load-balancing peers does not exceed the maximum allowed.

718003

Error Message %ASA-6-718003: Got unknown peer message message_number from IP_address , local version version_number , remote version version_number

Explanation An unrecognized load-balancing message was received from one of the load-balancing peers. This may indicate a version mismatch between peers, but is most likely caused by an internal software error.

Recommended Action Verify that all load-balancing peers are compatible. If they are and this condition persists or is linked to undesirable behavior, contact the Cisco TAC.

718004

Error Message %ASA-6-718004: Got unknown internal message message_number

Explanation An internal software error occurred.

Recommended Action This is generally a benign condition. If the problem persists, contact the Cisco TAC.

718005

Error Message %ASA-5-718005: Fail to send to IP_address , port port

Explanation An internal software error occurred during packet transmission on the load-balancing socket. This might indicate a network problem.

Recommended Action Check the network-based configuration on the ASA and verify that interfaces are active and protocol data is flowing through the ASA. If the problem persists, contact the Cisco TAC.

718006

Error Message %ASA-5-718006: Invalid load balancing state transition [cur= state_number ][event= event_number ]

Explanation A state machine error has occurred. This might indicate an internal software error.

Recommended Action This is generally a benign condition. If the problem persists, contact the Cisco TAC.

718007

Error Message %ASA-5-718007: Socket open failure failure_code

Explanation An error occurred when the load-balancing socket tried to open. This might indicate a network problem or an internal software error.

Recommended Action Check the network-based configuration on the ASA and verify that interfaces are active and protocol data is flowing through the ASA. If the problem persists, contact the Cisco TAC.

718008

Error Message %ASA-5-718008: Socket bind failure failure_code

Explanation An error occurred when the ASA tried to bind to the load-balancing socket. This might indicate a network problem or an internal software error.

Recommended Action Check the network-based configuration on the ASA and verify that interfaces are active and protocol data is flowing through the ASA. If the problem persists, contact the Cisco TAC.

718009

Error Message %ASA-5-718009: Send HELLO response failure to IP_address

Explanation An error occurred when the ASA tried to send a hello response message to one of the load-balancing peers. This might indicate a network problem or an internal software error.

Recommended Action Check the network-based configuration on the ASA and verify that interfaces are active and protocol data is flowing through the ASA. If the problem persists, contact the Cisco TAC.

718010

Error Message %ASA-5-718010: Sent HELLO response to IP_address

Explanation The ASA transmitted a hello response message to a load-balancing peer.

Recommended Action None required.

718011

Error Message %ASA-5-718011: Send HELLO request failure to IP_address

Explanation An error occurred when the ASA tried to send a hello request message to one of the load-balancing peers. This may indicate a network problem or an internal software error.

Recommended Action Check the network-based configuration on the ASA and verify that interfaces are active and protocol data is flowing through the ASA. If the problem persists, contact the Cisco TAC.

718012

Error Message %ASA-5-718012: Sent HELLO request to IP_address

Explanation The ASA transmitted a hello request message to a load-balancing peer.

Recommended Action None required.

718013

Error Message %ASA-6-718013: Peer IP_address is not answering HELLO

Explanation The load-balancing peer is not answering a hello request message.

Recommended Action Check the status of the load-balancing SSF peer and the network connections.

718014

Error Message %ASA-5-718014: Master peer IP_address is not answering HELLO

Explanation The load balancing master peer is not answering the hello request message.

Recommended Action Check the status of the load balancing SSF master peer and the network connections.

718015

Error Message %ASA-5-718015: Received HELLO request from IP_address

Explanation The ASA received a hello request message from the load balancing peer.

Recommended Action None required.

718016

Error Message %ASA-5-718016: Received HELLO response from IP_address

Explanation The ASA received a Hello Response packet from a load balancing peer.

Recommended Action None required.

718017

Error Message %ASA-7-718017: Got timeout for unknown peer IP_address msg type message_type

Explanation The ASA processed a timeout for an unknown peer. The message was ignored because the peer may have already been removed from the active list.

Recommended Action If the message persists or is linked to undesirable behavior, check the load balancing peers and verify that all are configured correctly.

718018

Error Message %ASA-7-718018: Send KEEPALIVE request failure to IP_address

Explanation An error has occurred while attempting to send a Keepalive Request message to one of the load balancing peers. This might indicate a network problem or an internal software error.

Recommended Action Check the network-based configuration on the ASA and verify that interfaces are active and protocol data is flowing through the ASA. If the problem persists, contact the Cisco TAC.

718019

Error Message %ASA-7-718019: Sent KEEPALIVE request to IP_address

Explanation The ASA transmitted a Keepalive Request message to a load balancing peer.

Recommended Action None required.

718020

Error Message %ASA-7-718020: Send KEEPALIVE response failure to IP_address

Explanation An error has occurred while attempting to send a Keepalive Response message to one of the load balancing peers. This may indicate a network problem or an internal software error.

Recommended Action Check the network-based configuration on the ASA and verify that interfaces are active and protocol data is flowing through the ASA. If the problem persists, contact the Cisco TAC.

718021

Error Message %ASA-7-718021: Sent KEEPALIVE response to IP_address

Explanation The ASA transmitted a Keepalive Response message to a load balancing peer.

Recommended Action None required.

718022

Error Message %ASA-7-718022: Received KEEPALIVE request from IP_address

Explanation The ASA received a Keepalive Request message from a load balancing peer.

Recommended Action None required.

718023

Error Message %ASA-7-718023: Received KEEPALIVE response from IP_address

Explanation The ASA received a Keepalive Response message from a load balancing peer.

Recommended Action None required.

718024

Error Message %ASA-5-718024: Send CFG UPDATE failure to IP_address

Explanation An error has occurred while attempting to send a Configuration Update message to one of the load balancing peers. This might indicate a network problem or an internal software error.

Recommended Action Check the network-based configuration on the ASA and verify that interfaces are active and protocol data is flowing through the ASA. If the problem persists, contact the Cisco TAC.

718025

Error Message %ASA-7-718025: Sent CFG UPDATE to IP_address

Explanation The ASA transmitted a Configuration Update message to a load balancing peer.

Recommended Action None required.

718026

Error Message %ASA-7-718026: Received CFG UPDATE from IP_address

Explanation The ASA received a Configuration Update message from a load balancing peer.

Recommended Action None required.

718027

Error Message %ASA-6-718027: Received unexpected KEEPALIVE request from IP_address

Explanation The ASA received an unexpected Keepalive request message from a load balancing peer.

Recommended Action If the problem persists or is linked with undesirable behavior, verify that all load balancing peers are configured and discovered correctly.

718028

Error Message %ASA-5-718028: Send OOS indicator failure to IP_address

Explanation An error has occurred while attempting to send an OOS indicator message to one of the load balancing peers. This might indicate a network problem or an internal software error.

Recommended Action Check the network-based configuration on the ASA and verify that interfaces are active and protocol data is flowing through the ASA. If the problem persists, contact the Cisco TAC.

718029

Error Message %ASA-7-718029: Sent OOS indicator to IP_address

Explanation The ASA transmitted an OOS indicator message to a load balancing peer.

Recommended Action None required.

718030

Error Message %ASA-6-718030: Received planned OOS from IP_address

Explanation The ASA received a planned OOS message from a load balancing peer.

Recommended Action None required.

718031

Error Message %ASA-5-718031: Received OOS obituary for IP_address

Explanation The ASA received an OOS obituary message from a load balancing peer.

Recommended Action None required.

718032

Error Message %ASA-5-718032: Received OOS indicator from IP_address

Explanation The ASA received an OOS indicator message from a load balancing peer.

Recommended Action None required.

718033

Error Message %ASA-5-718033: Send TOPOLOGY indicator failure to IP_address

Explanation An error has occurred while attempting to send a Topology indicator message to one of the load balancing peers. This might indicate a network problem or an internal software error.

Recommended Action Check the network-based configuration on the ASA and verify that interfaces are active and protocol data is flowing through the ASA. If the problem persists, contact the Cisco TAC.

718034

Error Message %ASA-7-718034: Sent TOPOLOGY indicator to IP_address

Explanation The ASA sent a Topology indicator message to a load balancing peer.

Recommended Action None required.

718035

Error Message %ASA-7-718035: Received TOPOLOGY indicator from IP_address

Explanation The ASA received a Topology indicator message from a load balancing peer.

Recommended Action None required.

718036

Error Message %ASA-7-718036: Process timeout for req-type type_value , exid exchange_ID , peer IP_address

Explanation The ASA processed a peer timeout.

Recommended Action Verify that the peer should have been timed out. If not, check the load balancing peer configuration and the network connection between the peer and the ASA.

718037

Error Message %ASA-6-718037: Master processed number_of_timeouts timeouts

Explanation The ASA in the master role processed the specified number of peer timeouts.

Recommended Action Verify that the timeouts are legitimate. If not, check the peer load balancing configuration and the network connection between the peer and the ASA.

718038

Error Message %ASA-6-718038: Slave processed number_of_timeouts timeouts

Explanation The ASA in the slave role processed the specified number of peer timeouts.

Recommended Action Verify that the timeouts are legitimate. If not, check the peer load balancing configuration and the network connection between the peer and the ASA.

718039

Error Message %ASA-6-718039: Process dead peer IP_address

Explanation The ASA has detected a dead peer.

Recommended Action Verify that the dead peer detection is legitimate. If not, check the peer load balancing configuration and the network connection between the peer and the ASA.

718040

Error Message %ASA-6-718040: Timed-out exchange ID exchange_ID not found

Explanation The ASA has detected a dead peer, but the exchange ID is not recognized.

Recommended Action None required.

718041

Error Message %ASA-7-718041: Timeout [msgType= type ] processed with no callback

Explanation The ASA has detected a dead peer, but a callback was not used in the processing.

Recommended Action None required.

718042

Error Message %ASA-5-718042: Unable to ARP for IP_address

Explanation The ASA experienced an ARP failure when attempting to contact a peer.

Recommended Action Verify that the network is operational and that all peers can communicate with each other.

718043

Error Message %ASA-5-718043: Updating/removing duplicate peer entry IP_address

Explanation The ASA found and is removing a duplicate peer entry.

Recommended Action None required.

718044

Error Message %ASA-5-718044: Deleted peer IP_address

Explanation The ASA is deleting a load balancing peer.

Recommended Action None required.

718045

Error Message %ASA-5-718045: Created peer IP_address

Explanation The ASA has detected a load balancing peer.

Recommended Action None required.

718046

Error Message %ASA-7-718046: Create group policy policy_name

Explanation The ASA has created a group policy to securely communicate with the load balancing peers.

Recommended Action None required.

718047

Error Message %ASA-7-718047: Fail to create group policy policy_name

Explanation The ASA experienced a failure when attempting to create a group policy for securing the communication between load balancing peers.

Recommended Action Verify that the load balancing configuration is correct.

718048

Error Message %ASA-5-718048: Create of secure tunnel failure for peer IP_address

Explanation The ASA experienced a failure when attempting to establish an IPsec tunnel to a load balancing peer.

Recommended Action Verify that the load balancing configuration is correct and that the network is operational.

718049

Error Message %ASA-7-718049: Created secure tunnel to peer IP_address

Explanation The ASA successfully established an IPsec tunnel to a load balancing peer.

Recommended Action None required.

718050

Error Message %ASA-5-718050: Delete of secure tunnel failure for peer IP_address

Explanation The ASA experienced a failure when attempting to terminate an IPsec tunnel to a load balancing peer.

Recommended Action Verify that the load balancing configuration is correct and that the network is operational.

718051

Error Message %ASA-6-718051: Deleted secure tunnel to peer IP_address

Explanation The ASA successfully terminated an IPsec tunnel to a load balancing peer.

Recommended Action None required.

718052

Error Message %ASA-5-718052: Received GRAT-ARP from duplicate master MAC_address

Explanation The ASA received a gratuitous ARP from a duplicate master.

Recommended Action Check the load balancing configuration and verify that the network is operational.

718053

Error Message %ASA-5-718053: Detected duplicate master, mastership stolen MAC_address

Explanation The ASA detected a duplicate master and a stolen master.

Recommended Action Check the load balancing configuration and verify that the network is operational.

718054

Error Message %ASA-5-718054: Detected duplicate master MAC_address and going to SLAVE

Explanation The ASA detected a duplicate master and is switching to slave mode.

Recommended Action Check the load balancing configuration and verify that the network is operational.

718055

Error Message %ASA-5-718055: Detected duplicate master MAC_address and staying MASTER

Explanation The ASA detected a duplicate master and is staying in master mode.

Recommended Action Check the load balancing configuration and verify that the network is operational.

718056

Error Message %ASA-7-718056: Deleted Master peer, IP IP_address

Explanation The ASA deleted the load balancing master from its internal tables.

Recommended Action None required.

718057

Error Message %ASA-5-718057: Queue send failure from ISR, msg type failure_code

Explanation An internal software error has occurred while attempting to enqueue a message on the VPN load balancing queue from an Interrupt Service Routine.

Recommended Action This is generally a benign condition. If the problem persists, contact the Cisco TAC.

718058

Error Message %ASA-7-718058: State machine return code: action_routine , return_code

Explanation The return codes of action routines belonging to the load balancing finite state machine are being traced.

Recommended Action None required.

718059

Error Message %ASA-7-718059: State machine function trace: state= state_name , event= event_name , func= action_routine

Explanation The events and states of the load balancing finite state machine are being traced.

Recommended Action None required.

718060

Error Message %ASA-5-718060: Inbound socket select fail: context= context_ID .

Explanation The socket select call returned an error and the socket cannot be read. This might indicate an internal software error.

Recommended Action If the problem persists, contact the Cisco TAC.

718061

Error Message %ASA-5-718061: Inbound socket read fail: context= context_ID .

Explanation The socket read failed after data was detected through the select call. This might indicate an internal software error.

Recommended Action If the problem persists, contact the Cisco TAC.

718062

Error Message %ASA-5-718062: Inbound thread is awake (context= context_ID ).

Explanation The load balancing process is awakened and begins processing.

Recommended Action None required.

718063

Error Message %ASA-5-718063: Interface interface_name is down.

Explanation The load balancing process found the interface down.

Recommended Action Check the interface configuration to make sure that the interface is operational.

718064

Error Message %ASA-5-718064: Admin. interface interface_name is down.

Explanation The load balancing process found the administrative interface down.

Recommended Action Check the administrative interface configuration to make sure that the interface is operational.

718065

Error Message %ASA-5-718065: Cannot continue to run (public= up / down , private= up / down , enable= LB_state , master= IP_address , session= Enable / Disable ).

Explanation The load balancing process cannot run because not all prerequisite conditions have been met. The prerequisite conditions are two active interfaces and load balancing enabled.

Recommended Action Check the interface configuration to make sure at least two interfaces are operational and load balancing is enabled.

718066

Error Message %ASA-5-718066: Cannot add secondary address to interface interface_name , ip IP_address .

Explanation Load balancing requires a secondary address to be added to the outside interface. A failure occurred in adding that secondary address.

Recommended Action Check the address being used as the secondary address and make sure that it is valid and unique. Check the configuration of the outside interface.

718067

Error Message %ASA-5-718067: Cannot delete secondary address to interface interface_name , ip IP_address .

Explanation The deletion of the secondary address failed, which might indicate an addressing problem or an internal software error.

Recommended Action Check the addressing information of the outside interface and make sure that the secondary address is valid and unique. If the problem persists, contact the Cisco TAC.

718068

Error Message %ASA-5-718068: Start VPN Load Balancing in context context_ID .

Explanation The load balancing process has been started and initialized.

Recommended Action None required.

718069

Error Message %ASA-5-718069: Stop VPN Load Balancing in context context_ID .

Explanation The load balancing process has been stopped.

Recommended Action None required.

718070

Error Message %ASA-5-718070: Reset VPN Load Balancing in context context_ID .

Explanation The LB process has been reset.

Recommended Action None required.

718071

Error Message %ASA-5-718071: Terminate VPN Load Balancing in context context_ID .

Explanation The LB process has been terminated.

Recommended Action None required.

718072

Error Message %ASA-5-718072: Becoming master of Load Balancing in context context_ID .

Explanation The ASA has become the LB master.

Recommended Action None required.

718073

Error Message %ASA-5-718073: Becoming slave of Load Balancing in context context_ID .

Explanation The ASA has become the LB slave.

Recommended Action None required.

718074

Error Message %ASA-5-718074: Fail to create access list for peer context_ID .

Explanation ACLs are used to create secure tunnels over which the LB peers can communicate. The ASA was unable to create one of these ACLs. This might indicate an addressing problem or an internal software problem.

Recommended Action Check the addressing information of the inside interface on all peers and ensure that all peers are discovered correctly. If the problem persists, contact the Cisco TAC.

718075

Error Message %ASA-5-718075: Peer IP_address access list not set.

Explanation While removing a secure tunnel, the ASA detected a peer entry that did not have an associated ACL.

Recommended Action None required.

718076

Error Message %ASA-5-718076: Fail to create tunnel group for peer IP_address .

Explanation The ASA experienced a failure when trying to create a tunnel group for securing the communication between load balancing peers.

Recommended Action Verify that the load balancing configuration is correct.

718077

Error Message %ASA-5-718077: Fail to delete tunnel group for peer IP_address .

Explanation The ASA experienced a failure when attempting to delete a tunnel group for securing the communication between load balancing peers.

Recommended Action None required.

718078

Error Message %ASA-5-718078: Fail to create crypto map for peer IP_address .

Explanation The ASA experienced a failure when attempting to create a crypto map for securing the communication between load balancing peers.

Recommended Action Verify that the load balancing configuration is correct.

718079

Error Message %ASA-5-718079: Fail to delete crypto map for peer IP_address .

Explanation The ASA experienced a failure when attempting to delete a crypto map for securing the communication between load balancing peers.

Recommended Action None required.

718080

Error Message %ASA-5-718080: Fail to create crypto policy for peer IP_address .

Explanation The ASA experienced a failure when attempting to create a transform set to be used in securing the communication between load balancing peers. This might indicate an internal software problem.

Recommended Action If the problem persists, contact the Cisco TAC.

718081

Error Message %ASA-5-718081: Fail to delete crypto policy for peer IP_address .

Explanation The ASA experienced a failure when attempting to delete a transform set used in securing the communication between load balancing peers.

Recommended Action None required.

718082

Error Message %ASA-5-718082: Fail to create crypto ipsec for peer IP_address .

Explanation When cluster encryption for VPN load balancing is enabled, the VPN load balancing device creates a set of site-to-site tunnels for every other device in the load balancing cluster. For each tunnel, a set of crypto parameters (access list, crypto maps, and transform set) is created dynamically. One or more crypto parameters failed to be created or configured.

  • IP_address —The IP address of the remote peer

Recommended Action Examine the message for other entries specific to the type of crypto parameters that failed to be created.

718083

Error Message %ASA-5-718083: Fail to delete crypto ipsec for peer IP_address .

Explanation When the local VPN load balancing device is removed from the cluster, crypto parameters are removed. One or more crypto parameters failed to be deleted.

  • IP_address —The IP address of the remote peer

Recommended Action Examine the message for other entries specific to the type of crypto parameters that failed to be deleted.

718084

Error Message %ASA-5-718084: Public/cluster IP not on the same subnet: public IP_address , mask netmask , cluster IP_address

Explanation The cluster IP address is not on the same network as the outside interface of the ASA.

Recommended Action Make sure that both the cluster (or virtual) IP address and the outside interface address are on the same network.

718085

Error Message %ASA-5-718085: Interface interface_name has no IP address defined.

Explanation The interface does not have an IP address configured.

Recommended Action Configure an IP address for the interface.

718086

Error Message %ASA-5-718086: Fail to install LB NP rules: type rule_type , dst interface_name , port port .

Explanation The ASA experienced a failure when attempting to create a SoftNP ACL rule to be used in securing the communication between load balancing peers. This may indicate an internal software problem.

Recommended Action If the problem persists, contact the Cisco TAC.

718087

Error Message %ASA-5-718087: Fail to delete LB NP rules: type rule_type , rule rule_ID .

Explanation The ASA experienced a failure when attempting to delete the SoftNP ACL rule used in securing the communication between load balancing peers.

Recommended Action None required.

718088

Error Message %ASA-7-718088: Possible VPN LB misconfiguration. Offending device MAC MAC_address .

Explanation The presence of a duplicate master indicates that one of the load balancing peers may be misconfigured.

Recommended Action Check the load balancing configuration on all peers, but pay special attention to the peer identified.
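The following triage script is an added example, not Cisco code. It correlates the duplicate-master messages (718052 to 718055 and 718088) by MAC address and the secure tunnel setup failures by peer, using the message formats and severities listed above; the log lines, hostnames, addresses and the MAC token pattern are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed MAC token shape: hex groups separated by '.', ':' or '-'.
MAC = r"(?P<mac>[0-9A-Fa-f]{2,4}(?:[.:-][0-9A-Fa-f]{2,4}){2,5})"
IP = r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3})"

# Message ID -> (documented severity, body pattern), copied from the entries above.
DUPLICATE_MASTER = {
    718052: (5, re.compile(r"Received GRAT-ARP from duplicate master " + MAC)),
    718053: (5, re.compile(r"Detected duplicate master, mastership stolen " + MAC)),
    718054: (5, re.compile(r"Detected duplicate master " + MAC + r" and going to SLAVE")),
    718055: (5, re.compile(r"Detected duplicate master " + MAC + r" and staying MASTER")),
    # Severity 7: only present when debugging-level messages are collected.
    718088: (7, re.compile(r"Possible VPN LB misconfiguration\. Offending device MAC " + MAC)),
}
PEER_TUNNEL_FAILURE = {
    718048: (5, re.compile(r"Create of secure tunnel failure for peer " + IP)),
    718076: (5, re.compile(r"Fail to create tunnel group for peer " + IP)),
    718078: (5, re.compile(r"Fail to create crypto map for peer " + IP)),
    718080: (5, re.compile(r"Fail to create crypto policy for peer " + IP)),
    718082: (5, re.compile(r"Fail to create crypto ipsec for peer " + IP)),
}
HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)")

# Constructed sample input (not captured from a real device).
SAMPLE = """\
Mar 03 2024 10:15:01 asa-lb1 : %ASA-5-718045: Created peer 192.0.2.11
Mar 03 2024 10:15:02 asa-lb1 : %ASA-7-718049: Created secure tunnel to peer 192.0.2.11
Mar 03 2024 10:20:10 asa-lb1 : %ASA-5-718052: Received GRAT-ARP from duplicate master 0050.56aa.bb01
Mar 03 2024 10:20:10 asa-lb1 : %ASA-5-718055: Detected duplicate master 0050.56aa.bb01 and staying MASTER
Mar 03 2024 10:20:10 asa-lb1 : %ASA-7-718088: Possible VPN LB misconfiguration. Offending device MAC 0050.56aa.bb01 .
Mar 03 2024 10:21:30 asa-lb1 : %ASA-5-718048: Create of secure tunnel failure for peer 192.0.2.12
Mar 03 2024 10:21:31 asa-lb1 : %ASA-5-718082: Fail to create crypto ipsec for peer 192.0.2.12 .
Mar 03 2024 10:25:00 asa-lb1 : %ASA-4-718053: Detected duplicate master, mastership stolen 0050.56AA.BB02
""".splitlines()


def normalize_mac(mac):
    """Drop separators and case so one device is counted once."""
    return re.sub(r"[.:-]", "", mac).lower()


def triage(lines):
    """Group load balancing alerts by offending MAC and by failing peer."""
    dup = defaultdict(set)       # MAC -> message IDs that named it
    failures = defaultdict(set)  # peer IP -> tunnel setup failure IDs
    mismatch = []                # (id, severity seen, severity documented)
    unparsed = []                # known ID whose body did not fit the template
    for line in lines:
        m = HEADER.search(line)
        if not m:
            continue
        msg_id, sev, body = int(m["id"]), int(m["sev"]), m["body"]
        for table, bucket, field in (
            (DUPLICATE_MASTER, dup, "mac"),
            (PEER_TUNNEL_FAILURE, failures, "peer"),
        ):
            if msg_id not in table:
                continue
            documented_sev, pattern = table[msg_id]
            if sev != documented_sev:
                mismatch.append((msg_id, sev, documented_sev))
            hit = pattern.search(body)
            if hit is None:
                unparsed.append(line)
                continue
            key = hit[field]
            bucket[normalize_mac(key) if field == "mac" else key].add(msg_id)
    return {
        "duplicate_master": {k: sorted(v) for k, v in dup.items()},
        "tunnel_failures": {k: sorted(v) for k, v in failures.items()},
        "severity_mismatch": mismatch,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for section, value in triage(SAMPLE).items():
        print(section, value)
```

Because 718088 is a severity 7 message, a collector that receives only level 5 and above has to take the offending MAC address from 718052 to 718055, which is why the script keys all five IDs on the same normalized MAC.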

719001

Error Message %ASA-6-719001: Email Proxy session could not be established: session limit of maximum_sessions has been reached.

Explanation The incoming e-mail proxy session cannot be established because the maximum session limit has been reached.

  • maximum_sessions —The maximum session number

Recommended Action None required.

719002

Error Message %ASA-3-719002: Email Proxy session pointer from source_address has been terminated due to reason error.

Explanation The session has been terminated because of an error. The possible errors are failure to add a session to the session database, failure to allocate memory, and failure to write data to a channel.

  • pointer —The session pointer
  • source_address —The e-mail proxy client IP address
  • reason —The error type

Recommended Action None required.

719003

Error Message %ASA-6-719003: Email Proxy session pointer resources have been freed for source_address .

Explanation The dynamically allocated session structure has been freed and set to NULL after the session terminated.

  • pointer —The session pointer
  • source_address —The e-mail proxy client IP address

Recommended Action None required.

719004

Error Message %ASA-6-719004: Email Proxy session pointer has been successfully established for source_address .

Explanation A new incoming e-mail client session has been established.

Recommended Action None required.

719005

Error Message %ASA-7-719005: FSM NAME has been created using protocol for session pointer from source_address .

Explanation The FSM has been created for an incoming new session.

  • NAME —The FSM instance name for the session
  • protocol —The e-mail protocol type (for example, POP3, IMAP, and SMTP)
  • pointer —The session pointer
  • source_address —The e-mail proxy client IP address

Recommended Action None required.

719006

Error Message %ASA-7-719006: Email Proxy session pointer has timed out for source_address because of network congestion.

Explanation Network congestion is occurring, and data cannot be sent to either an e-mail client or an e-mail server. This condition starts the block timer. After the block timer times out, the session expires.

  • pointer —The session pointer
  • source_address —The e-mail proxy client IP address

Recommended Action Retry the operation after a few minutes.

719007

Error Message %ASA-7-719007: Email Proxy session pointer cannot be found for source_address .

Explanation A matching session cannot be found in the session database. The session pointer is bad.

  • pointer —The session pointer
  • source_address —The e-mail proxy client IP address

Recommended Action None required.

719008

Error Message %ASA-3-719008: Email Proxy service is shutting down.

Explanation The e-mail proxy is disabled. All resources are cleaned up, and all threads are terminated.

Recommended Action None required.

719009

Error Message %ASA-7-719009: Email Proxy service is starting.

Explanation The e-mail proxy is enabled.

Recommended Action None required.

719010

Error Message %ASA-6-719010: protocol Email Proxy feature is disabled on interface interface_name .

Explanation The e-mail proxy feature is disabled on a specific entry point, invoked from the CLI. This is the main off switch for the user. When all protocols are turned off for all interfaces, the main shut-down routine is invoked to clean up global resources and threads.

  • protocol —The e-mail proxy protocol type (for example, POP3, IMAP, and SMTP)
  • interface_name —The ASA interface name

Recommended Action None required.

719011

Error Message %ASA-6-719011: Protocol Email Proxy feature is enabled on interface interface_name .

Explanation The e-mail proxy feature is enabled on a specific entry point, invoked from the CLI. This is the main on switch for the user. When it is first used, the main startup routine is invoked to allocate global resources and threads. Subsequent calls only need to start listening threads for the particular protocol.

  • protocol —The e-mail proxy protocol type (for example, POP3, IMAP, and SMTP)
  • interface_name —The ASA interface name

Recommended Action None required.

719012

Error Message %ASA-6-719012: Email Proxy server listening on port port for mail protocol protocol .

Explanation A listening channel has been opened for a specific protocol on a configured port and has been added to a TCP select group.

  • port —The configured port number
  • protocol —The e-mail proxy protocol type (for example, POP3, IMAP, and SMTP)

Recommended Action None required.

719013

Error Message %ASA-6-719013: Email Proxy server closing port port for mail protocol protocol .

Explanation A listening channel has been closed for a specific protocol on a configured port and has been removed from the TCP select group.

  • port —The configured port number
  • protocol —The e-mail proxy protocol type (for example, POP3, IMAP, and SMTP)

Recommended Action None required.

719014

Error Message %ASA-5-719014: Email Proxy is changing listen port from old_port to new_port for mail protocol protocol .

Explanation A change is signaled in the listening port for the specified protocol. All enabled interfaces for that port have their listening channels closed and have restarted listening on the new port. This action is invoked from the CLI.

  • old_port —The previously configured port number
  • new_port —The newly configured port number
  • protocol —The e-mail proxy protocol type (for example, POP3, IMAP, and SMTP)

Recommended Action None required.

719015

Error Message %ASA-7-719015: Parsed emailproxy session pointer from source_address username: mailuser = mail_user , vpnuser = VPN_user , mailserver = server

Explanation The username string is received from the client in the format vpnuser (name delimiter) mailuser (server delimiter) mailserver (for example: xxx:yyy@cisco.com). The name delimiter is optional. When the delimiter is not there, the VPN username and mail username are the same. The server delimiter is optional. When it is not present, the default configured mail server will be used.

  • pointer —The session pointer
  • source_address —The e-mail proxy client IP address
  • mail_user —The e-mail account username
  • VPN_user —The WebVPN username
  • server —The e-mail server

Recommended Action None required.

719016

Error Message %ASA-7-719016: Parsed emailproxy session pointer from source_address password: mailpass = ******, vpnpass= ******

Explanation The password string is received from the client in the format vpnpass (name delimiter) mailpass (for example: xxx:yyy). The name delimiter is optional. When it is not present, the VPN password and mail password are the same.

  • pointer —The session pointer
  • source_address —The e-mail proxy client IP address

Recommended Action None required.
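The username and password formats described for 719015 and 719016 can be worked through as a small parser; this is an added example, not Cisco code. The ':' and '@' delimiters are taken from the xxx:yyy@cisco.com example and are parameters here; splitting at the first name delimiter and the last server delimiter, rejecting empty fields, and the default server name mail.example.test are assumptions.

```python
from typing import NamedTuple


class ProxyLogin(NamedTuple):
    vpn_user: str
    mail_user: str
    mail_server: str
    vpn_pass: str
    mail_pass: str


def split_username(raw, default_server, name_delim=":", server_delim="@"):
    """Split 'vpnuser<name_delim>mailuser<server_delim>mailserver'.

    Both delimiters are optional, as the 719015 explanation states.
    Assumption: the server delimiter is looked for from the right, the
    name delimiter from the left.
    """
    head, sep, server = raw.rpartition(server_delim)
    if not sep:
        # No server delimiter: the default configured mail server is used.
        head, server = raw, default_server
    vpn_user, sep, mail_user = head.partition(name_delim)
    if not sep:
        # No name delimiter: VPN username and mail username are the same.
        mail_user = vpn_user
    if not (vpn_user and mail_user and server):
        raise ValueError("empty field in username string")
    return vpn_user, mail_user, server


def split_password(raw, name_delim=":"):
    """Split 'vpnpass<name_delim>mailpass' as described for 719016."""
    vpn_pass, sep, mail_pass = raw.partition(name_delim)
    if not sep:
        # No name delimiter: VPN password and mail password are the same.
        mail_pass = vpn_pass
    if not (vpn_pass and mail_pass):
        raise ValueError("empty field in password string")
    return vpn_pass, mail_pass


def parse_login(username, password, default_server="mail.example.test"):
    """Combine both strings into the fields that 719015 and 719016 report."""
    vpn_user, mail_user, server = split_username(username, default_server)
    vpn_pass, mail_pass = split_password(password)
    return ProxyLogin(vpn_user, mail_user, server, vpn_pass, mail_pass)


def as_719015_fields(login):
    """Render only the non-secret fields, mirroring the masked 719016 output."""
    return (f"mailuser = {login.mail_user}, vpnuser = {login.vpn_user}, "
            f"mailserver = {login.mail_server}")


if __name__ == "__main__":
    # Constructed inputs covering the four delimiter combinations.
    for user in ("xxx:yyy@cisco.com", "xxx@cisco.com", "xxx:yyy", "xxx"):
        print(user, "->", as_719015_fields(parse_login(user, "p1:p2")))
```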

719017

Error Message %ASA-6-719017: WebVPN user: vpnuser invalid dynamic ACL.

Explanation The WebVPN session is aborted because the ACL has failed to parse for this user. The ACL determines what the user restrictions are on e-mail account access. The ACL is downloaded from the AAA server. Because of this error, it is unsafe to proceed with login.

  • vpnuser —The WebVPN username

Recommended Action Check the AAA server and fix the dynamic ACL for this user.

719018

Error Message %ASA-6-719018: WebVPN user: vpnuser ACL ID acl_ID not found

Explanation The ACL cannot be found in the locally maintained ACL list. The ACL determines what the user restrictions are on e-mail account access. The ACL is configured locally. Because of this error, you cannot be authorized to proceed.

  • vpnuser —The WebVPN username
  • acl_ID —The locally configured ACL identification string

Recommended Action Check the local ACL configuration.

719019

Error Message %ASA-6-719019: WebVPN user: vpnuser authorization failed.

Explanation The ACL determines what the user restrictions are on e-mail account access. The user cannot access the e-mail account because the authorization check fails.

  • vpnuser —The WebVPN username

Recommended Action None required.

719020

Error Message %ASA-6-719020: WebVPN user vpnuser authorization completed successfully.

Explanation The ACL determines what the user restrictions are on e-mail account access. The user is authorized to access the e-mail account.

  • vpnuser —The WebVPN username

Recommended Action None required.

719021

Error Message %ASA-6-719021: WebVPN user: vpnuser is not checked against ACL.

Explanation The ACL determines what the user restrictions are on e-mail account access. The authorization checking using the ACL is not enabled.

  • vpnuser —The WebVPN username

Recommended Action Enable the ACL checking feature, if necessary.

719022

Error Message %ASA-6-719022: WebVPN user vpnuser has been authenticated.

Explanation The username is authenticated by the AAA server.

  • vpnuser —The WebVPN username

Recommended Action None required.

719023

Error Message %ASA-6-719023: WebVPN user vpnuser has not been successfully authenticated. Access denied.

Explanation The username is denied by the AAA server. The session will be aborted. The user is not allowed to access the e-mail account.

  • vpnuser —The WebVPN username

Recommended Action None required.

719024

Error Message %ASA-6-719024: Email Proxy piggyback auth fail: session = pointer user= vpnuser addr= source_address

Explanation Piggyback authentication uses an established WebVPN session to verify that the username and IP address match an entry in the WebVPN session database. This is based on the assumption that the WebVPN session and e-mail proxy session are initiated by the same user, and a WebVPN session is already established. Because the authentication has failed, the session will be aborted. The user is not allowed to access the e-mail account.

  • pointer —The session pointer
  • vpnuser —The WebVPN username
  • source_address —The client IP address

Recommended Action None required.

719025

Error Message %ASA-6-719025: Email Proxy DNS name resolution failed for hostname .

Explanation The hostname cannot be resolved to an IP address because it is not valid, or no DNS server is available.

  • hostname —The hostname that needs to be resolved

Recommended Action Check DNS server availability and whether or not the configured mail server name is valid.

719026

Error Message %ASA-6-719026: Email Proxy DNS name hostname resolved to IP_address .

Explanation The hostname has been successfully resolved to the IP address.

  • hostname —The hostname that needs to be resolved
  • IP_address —The IP address resolved from the configured mail server name

Recommended Action None required.

720001

Error Message %ASA-4-720001: (VPN- unit ) Failed to initialize with Chunk Manager.

Explanation The VPN failover subsystem fails to initialize with the memory buffer management subsystem. A system-wide problem has occurred, and the VPN failover subsystem cannot be started.

  • unit —Either Primary or Secondary

Recommended Action Examine the messages for any sign of system-level initialization problems.

720002

Error Message %ASA-6-720002: (VPN- unit ) Starting VPN Stateful Failover Subsystem...

Explanation The VPN failover subsystem is starting and booting up.

  • unit —Either Primary or Secondary

Recommended Action None required.

720003

Error Message %ASA-6-720003: (VPN- unit ) Initialization of VPN Stateful Failover Component completed successfully

Explanation The VPN failover subsystem initialization is completed at boot time.

  • unit —Either Primary or Secondary

Recommended Action None required.

720004

Error Message %ASA-6-720004: (VPN- unit ) VPN failover main thread started.

Explanation The VPN failover main processing thread is started at boot time.

  • unit —Either Primary or Secondary

Recommended Action None required.

720005

Error Message %ASA-6-720005: (VPN- unit ) VPN failover timer thread started.

Explanation The VPN failover timer processing thread is started at boot time.

  • unit —Either Primary or Secondary

Recommended Action None required.

720006

Error Message %ASA-6-720006: (VPN- unit ) VPN failover sync thread started.

Explanation The VPN failover bulk synchronization processing thread is started at boot time.

  • unit —Either Primary or Secondary

Recommended Action None required.

720007

Error Message %ASA-4-720007: (VPN- unit ) Failed to allocate chunk from Chunk Manager.

Explanation The set of preallocated memory buffers is running out. The ASA has a resource issue. The ASA may be under heavy load when too many messages are being processed.

  • unit —Either Primary or Secondary

Recommended Action This condition may be improved later when the VPN failover subsystem processes outstanding messages and frees up previously allocated memory.

720008

Error Message %ASA-4-720008: (VPN- unit ) Failed to register to High Availability Framework.

Explanation The VPN failover subsystem failed to register to the core failover subsystem. The VPN failover subsystem cannot be started, which may be caused by initialization problems of other subsystems.

  • unit —Either Primary or Secondary

Recommended Action Search the messages for any sign of system-wide initialization problems.

720009

Error Message %ASA-4-720009: (VPN- unit ) Failed to create version control block.

Explanation The VPN failover subsystem failed to create a version control block. This step is required for the VPN failover subsystem to find out the backward-compatible firmware versions for the current release. The VPN failover subsystem cannot be started, which may be caused by initialization problems of other subsystems.

  • unit —Either Primary or Secondary

Recommended Action Search the messages for any sign of system-wide initialization problems.

720010

Error Message %ASA-6-720010: (VPN- unit ) VPN failover client is being disabled

Explanation An operator enabled failover without defining a failover key. To use VPN failover, a failover key must be defined.

  • unit —Either Primary or Secondary

Recommended Action Use the failover key command to define a shared secret key between the active and standby units.

720011

Error Message %ASA-4-720011: (VPN- unit ) Failed to allocate memory

Explanation The VPN failover subsystem cannot allocate a memory buffer, which indicates a system-wide resource problem. The ASA may be under heavy load.

  • unit —Either Primary or Secondary

Recommended Action This condition may be improved later when you reduce the load on the ASA by reducing incoming traffic. By reducing incoming traffic, memory allocated for processing the existing work load will be available, and the ASA may return to normal operation.

720012

Error Message %ASA-6-720012: (VPN- unit ) Failed to update IPsec failover runtime data on the standby unit.

Explanation The VPN failover subsystem cannot update IPsec-related runtime data because the corresponding IPsec tunnel has been deleted on the standby unit.

  • unit —Either Primary or Secondary

Recommended Action None required.

720013

Error Message %ASA-4-720013: (VPN- unit ) Failed to insert certificate in trustpoint trustpoint_name

Explanation The VPN failover subsystem tried to insert a certificate in the trustpoint.

  • unit —Either Primary or Secondary
  • trustpoint_name —The name of the trustpoint

Recommended Action Check the certificate content to determine if it is invalid.

720014

Error Message %ASA-6-720014: (VPN- unit ) Phase 2 connection entry (msg_id= message_number , my cookie= mine , his cookie= his ) contains no SA list.

Explanation No security association is linked to the Phase 2 connection entry.

  • unit —Either Primary or Secondary
  • message_number —The message ID of the Phase 2 connection entry
  • mine —The My Phase 1 cookie
  • his —The peer Phase 1 cookie

Recommended Action None required.

720015

Error Message %ASA-6-720015: (VPN- unit ) Cannot found Phase 1 SA for Phase 2 connection entry (msg_id= message_number ,my cookie= mine , his cookie= his ).

Explanation The corresponding Phase 1 security association for the given Phase 2 connection entry cannot be found.

  • unit —Either Primary or Secondary
  • message_number —The message ID of the Phase 2 connection entry
  • mine —The My Phase 1 cookie
  • his —The peer Phase 1 cookie

Recommended Action None required.

720016

Error Message %ASA-5-720016: (VPN-unit) Failed to initialize default timer #index .

Explanation The VPN failover subsystem failed to initialize the given timer event. The VPN failover subsystem cannot be started at boot time.

  • unit —Either Primary or Secondary
  • index —The internal index of the timer event

Recommended Action Search the messages for any sign of system-wide initialization problems.

720017

Error Message %ASA-5-720017: (VPN- unit ) Failed to update LB runtime data

Explanation The VPN failover subsystem failed to update the VPN load balancing runtime data.

  • unit —Either Primary or Secondary

Recommended Action None required.

720018

Error Message %ASA-5-720018: (VPN- unit ) Failed to get a buffer from the underlying core high availability subsystem. Error code code.

Explanation The ASA may be under heavy load. The VPN failover subsystem failed to obtain a failover buffer.

  • unit —Either Primary or Secondary
  • code —The error code returned by the high-availability subsystem

Recommended Action Decrease the amount of incoming traffic to improve the current load condition. With decreased incoming traffic, the ASA will free up memory allocated for processing the incoming load.

720019

Error Message %ASA-5-720019: (VPN- unit ) Failed to update cTCP statistics.

Explanation The VPN failover subsystem failed to update the IPsec/cTCP-related statistics.

  • unit —Either Primary or Secondary

Recommended Action None required. Updates are sent periodically, so the standby unit IPsec/cTCP statistics should be updated with the next update message.

720020

Error Message %ASA-5-720020: (VPN- unit ) Failed to send type timer message.

Explanation The VPN failover subsystem failed to send a periodic timer message to the standby unit.

  • unit —Either Primary or Secondary
  • type —The type of timer message

Recommended Action None required. The periodic timer message will be resent during the next timeout.

720021

Error Message %ASA-5-720021: (VPN- unit ) HA non-block send failed for peer msg message_number . HA error code .

Explanation The VPN failover subsystem failed to send a nonblock message. This is a temporary condition caused by the ASA being under load or out of resources.

  • unit —Either Primary or Secondary
  • message_number —The ID number of the peer message
  • code —The error return code

Recommended Action The condition will improve as more resources become available to the ASA.

720022

Error Message %ASA-4-720022: (VPN- unit ) Cannot find trustpoint trustpoint

Explanation An error occurred when the VPN failover subsystem tried to look up a trustpoint by name.

  • unit —Either Primary or Secondary
  • trustpoint —The name of the trustpoint.

Recommended Action The trustpoint may be deleted by an operator.

720023

Error Message %ASA-6-720023: (VPN- unit ) HA status callback: Peer is not present.

Explanation The core failover subsystem notifies the VPN failover subsystem when the local ASA detects that a peer is available or becomes unavailable.

  • unit —Either Primary or Secondary
  • not —Either “not” or left blank

Recommended Action None required.

720024

Error Message %ASA-6-720024: (VPN- unit ) HA status callback: Control channel is status .

Explanation The failover control channel is either up or down. The failover control channel is defined by the failover link and show failover commands, which indicate whether the failover link channel is up or down.

  • unit —Either Primary or Secondary
  • status —Up or Down

Recommended Action None required.

720025

Error Message %ASA-6-720025: (VPN- unit ) HA status callback: Data channel is status .

Explanation The failover data channel is up or down.

  • unit —Either Primary or Secondary
  • status —Up or Down

Recommended Action None required.

720026

Error Message %ASA-6-720026: (VPN- unit ) HA status callback: Current progression is being aborted.

Explanation An operator action or other external condition has caused the current failover progression to abort before the failover peer agrees on the role (either active or standby). For example, this occurs when the failover active command is entered on the standby unit during the negotiation, or when the active unit is being rebooted.

  • unit —Either Primary or Secondary

Recommended Action None required.

720027

Error Message %ASA-6-720027: (VPN- unit ) HA status callback: My state state .

Explanation The state of the local failover device has changed.

  • unit —Either Primary or Secondary
  • state —Current state of the local failover device

Recommended Action None required.

720028

Error Message %ASA-6-720028: (VPN- unit ) HA status callback: Peer state state .

Explanation The current state of the failover peer is reported.

  • unit —Either Primary or Secondary
  • state —Current state of the failover peer

Recommended Action None required.

720029

Error Message %ASA-6-720029: (VPN- unit ) HA status callback: Start VPN bulk sync state.

Explanation The active unit is ready to send all the state information to the standby unit.

  • unit —Either Primary or Secondary

Recommended Action None required.

720030

Error Message %ASA-6-720030: (VPN- unit ) HA status callback: Stop bulk sync state.

Explanation The active unit finished sending all the state information to the standby unit.

  • unit —Either Primary or Secondary

Recommended Action None required.

720031

Error Message %ASA-7-720031: (VPN- unit ) HA status callback: Invalid event received. event= event_ID .

Explanation The VPN failover subsystem received an invalid callback event from the underlying failover subsystem.

  • unit —Either Primary or Secondary
  • event_ID —The invalid event ID received

Recommended Action None required.

720032

Error Message %ASA-6-720032: (VPN- unit ) HA status callback: id= ID , seq= sequence_# , grp= group , event= event , op= operand , my= my_state , peer= peer_state .

Explanation The underlying failover subsystem notified the VPN failover subsystem of a status update.

  • unit —Either Primary or Secondary
  • ID —Client ID number
  • sequence_# —Sequence number
  • group —Group ID
  • event —Current event
  • operand —Current operand
  • my_state —The system current state
  • peer_state —The current state of the peer

Recommended Action None required.

720033

Error Message %ASA-4-720033: (VPN- unit ) Failed to queue add to message queue.

Explanation System resources may be running low. An error occurred when the VPN failover subsystem tried to queue an internal message. This may be a temporary condition indicating that the ASA is under heavy load, and the VPN failover subsystem cannot allocate resources to handle incoming traffic.

  • unit —Either Primary or Secondary

Recommended Action This error condition may disappear if the current load of the ASA is reduced, and additional system resources become available for processing new messages again.

720034

Error Message %ASA-7-720034: (VPN- unit ) Invalid type ( type ) for message handler.

Explanation An error occurred when the VPN failover subsystem tried to process an invalid message type.

  • unit —Either Primary or Secondary
  • type —Message type

Recommended Action None required.

720035

Error Message %ASA-5-720035: (VPN- unit ) Fail to look up CTCP flow handle

Explanation The cTCP flow may be deleted on the standby unit before the VPN failover subsystem tries to do a lookup.

  • unit —Either Primary or Secondary

Recommended Action Look for any sign of cTCP flow deletion in the message to determine the reason (for example, idle timeout) why the flow was deleted.

720036

Error Message %ASA-5-720036: (VPN- unit ) Failed to process state update message from the active peer.

Explanation An error occurred when the VPN failover subsystem tried to process a state update message received by the standby unit.

  • unit —Either Primary or Secondary

Recommended Action None required. This may be a temporary condition because of the current load or low system resources.

720037

Error Message %ASA-6-720037: (VPN- unit ) HA progression callback: id= id ,seq= sequence_number ,grp= group ,event= event ,op= operand , my= my_state ,peer= peer_state .

Explanation The status of the current failover progression is reported.

  • unit —Either Primary or Secondary
  • id —Client ID
  • sequence_number —Sequence number
  • group —Group ID
  • event —Current event
  • operand —Current operand
  • my_state —Current state of the ASA
  • peer_state —Current state of the peer

Recommended Action None required.

720038

Error Message %ASA-4-720038: (VPN- unit ) Corrupted message from active unit.

Explanation The standby unit received a corrupted message from the active unit. Messages from the active unit are corrupted, which may be caused by incompatible firmware running between the active and standby units. The local unit has become the active unit of the failover pair.

  • unit —Either Primary or Secondary

Recommended Action None required.

720039

Error Message %ASA-6-720039: (VPN- unit ) VPN failover client is transitioning to active state

Explanation The local unit has become the active unit of the failover pair.

  • unit —Either Primary or Secondary

Recommended Action None required.

720040

Error Message %ASA-6-720040: (VPN- unit ) VPN failover client is transitioning to standby state.

Explanation The local unit has become the standby unit of the failover pair.

  • unit —Either Primary or Secondary

Recommended Action None required.

720041

Error Message %ASA-7-720041: (VPN- unit ) Sending type message id to standby unit

Explanation A message has been sent from the active unit to the standby unit.

  • unit —Either Primary or Secondary
  • type —Message type
  • id —Identifier for the message

Recommended Action None required.

720042

Error Message %ASA-7-720042: (VPN- unit ) Receiving type message id from active unit

Explanation A message has been received from the active unit by the standby unit.

  • unit —Either Primary or Secondary
  • type —Message type
  • id —Identifier for the message

Recommended Action None required.

720043

Error Message %ASA-4-720043: (VPN- unit ) Failed to send type message id to standby unit

Explanation An error occurred when the VPN failover subsystem tried to send a message from the active unit to the standby unit. The error may be caused by message 720018, in which the core failover subsystem runs out of failover buffer or the failover LAN link is down.

  • unit —Either Primary or Secondary
  • type —Message type
  • id —Identifier for the message

Recommended Action Use the show failover command to see if the failover pair is running correctly and the failover LAN link is up.

720044

Error Message %ASA-4-720044: (VPN- unit ) Failed to receive message from active unit

Explanation An error occurred when the VPN failover subsystem tried to receive a message on the standby unit. The error may be caused by a corrupted message or an inadequate amount of memory allocated for storing the incoming message.

  • unit —Either Primary or Secondary

Recommended Action Use the show failover command and look for receive errors to determine if this is a VPN failover-specific problem or a general failover issue. Corrupted messages may be caused by incompatible firmware versions running on the active and standby units. Use the show memory command to determine if a low memory condition exists.

720045

Error Message %ASA-6-720045: (VPN- unit ) Start bulk syncing of state information on standby unit.

Explanation The standby unit has been notified to start receiving bulk synchronization information from the active unit.

  • unit —Either Primary or Secondary

Recommended Action None required.

720046

Error Message %ASA-6-720046: (VPN- unit ) End bulk syncing of state information on standby unit

Explanation The standby unit has been notified that bulk synchronization from the active unit is completed.

  • unit —Either Primary or Secondary

Recommended Action None required.

720047

Error Message %ASA-4-720047: (VPN- unit ) Failed to sync SDI node secret file for server IP_address on the standby unit.

Explanation An error occurred when the VPN failover subsystem tried to synchronize a node secret file for the SDI server on the standby unit. The SDI node secret file is stored in flash. The error may indicate that the flash file system is full or corrupted.

  • unit —Either Primary or Secondary
  • IP_address —IP address of the server

Recommended Action Use the dir command to display the flash contents. The node secret file has the filename ip.sdi.

720048

Error Message %ASA-7-720048: (VPN- unit ) FSM action trace begin: state= state , last event= event , func= function .

Explanation A VPN failover subsystem finite state machine function has started.

  • unit —Either Primary or Secondary
  • state —Current state
  • event —Last event
  • function —Current executing function

Recommended Action None required.

720049

Error Message %ASA-7-720049: (VPN- unit ) FSM action trace end: state= state , last event= event , return= return , func= function .

Explanation A VPN failover subsystem finite state machine function has finished.

  • unit —Either Primary or Secondary
  • state —Current state
  • event —Last event
  • return —Return code
  • function —Current executing function

Recommended Action None required.

720050

Error Message %ASA-7-720050: (VPN- unit ) Failed to remove timer. ID = id .

Explanation A timer cannot be removed from the timer processing thread.

  • unit —Either Primary or Secondary
  • id —Timer ID

Recommended Action None required.

720051

Error Message %ASA-4-720051: (VPN- unit ) Failed to add new SDI node secret file for server id on the standby unit.

Explanation An error occurred when the VPN failover subsystem tried to add a node secret file for the SDI server on the standby unit. The SDI node secret file is stored in flash. The error may indicate that the flash file system is full or corrupted.

  • unit —Either Primary or Secondary
  • id —IP address of the SDI server

Recommended Action Use the dir command to display the flash contents. The node secret file has the filename ip.sdi.

720052

Error Message %ASA-4-720052: (VPN- unit ) Failed to delete SDI node secret file for server id on the standby unit.

Explanation An error occurred when the VPN failover subsystem tried to delete a node secret file on the active unit. The node secret file being deleted may not exist in the flash file system, or there was problem reading the flash file system.

  • unit —Either Primary or Secondary
  • id —IP address of the SDI server

Recommended Action Use the dir command to display the flash contents. The node secret file has the filename ip.sdi.

720053

Error Message %ASA-4-720053: (VPN- unit ) Failed to add cTCP IKE rule during bulk sync, peer= IP_address , port= port

Explanation An error occurred when the VPN failover subsystem tried to load a cTCP IKE rule on the standby unit during bulk synchronization. The standby unit may be under heavy load, and the new IKE rule request may time out before completion.

  • unit —Either Primary or Secondary
  • IP_address —Peer IP address
  • port —Peer port number

Recommended Action None required.

720054

Error Message %ASA-4-720054: (VPN- unit ) Failed to add new cTCP record, peer= IP_address , port= port .

Explanation A cTCP record is replicated to the standby unit and cannot be updated. The corresponding IPsec over cTCP tunnel may not be functioning after failover. The cTCP database may be full, or a record with the same peer IP address and port number exists already.

  • unit —Either Primary or Secondary
  • IP_address —Peer IP address
  • port —Peer port number

Recommended Action This may be a temporary condition and may improve when the existing cTCP tunnel is restored.

720055

Error Message %ASA-4-720055: (VPN- unit ) VPN Stateful failover can only be run in single/non-transparent mode.

Explanation The VPN subsystem does not start unless it is running in single (nontransparent) mode.

  • unit —Either Primary or Secondary

Recommended Action Configure the ASA for the appropriate mode to support VPN failover and restart the ASA.

720056

Error Message %ASA-6-720056: (VPN- unit ) VPN Stateful failover Message Thread is being disabled.

Explanation The VPN failover subsystem main message processing thread is disabled when you have tried to enable failover, but a failover key is not defined. A failover key is required for VPN failover.

  • unit —Either Primary or Secondary

Recommended Action None required.

720057

Error Message %ASA-6-720057: (VPN- unit ) VPN Stateful failover Message Thread is enabled.

Explanation The VPN failover subsystem main message processing thread is enabled when failover is enabled and a failover key is defined.

  • unit —Either Primary or Secondary

Recommended Action None required.

720058

Error Message %ASA-6-720058: (VPN- unit ) VPN Stateful failover Timer Thread is disabled.

Explanation The VPN failover subsystem main timer processing thread is disabled when the failover key is not defined and failover is enabled.

  • unit —Either Primary or Secondary

Recommended Action None required.

720059

Error Message %ASA-6-720059: (VPN- unit ) VPN Stateful failover Timer Thread is enabled.

Explanation The VPN failover subsystem main timer processing thread is enabled when the failover key is defined and failover is enabled.

  • unit —Either Primary or Secondary

Recommended Action None required.

720060

Error Message %ASA-6-720060: (VPN- unit ) VPN Stateful failover Sync Thread is disabled.

Explanation The VPN failover subsystem main bulk synchronization processing thread is disabled when failover is enabled, but the failover key is not defined.

  • unit —Either Primary or Secondary.

Recommended Action None required.

720061

Error Message %ASA-6-720061: (VPN- unit ) VPN Stateful failover Sync Thread is enabled.

Explanation The VPN failover subsystem main bulk synchronization processing thread is enabled when failover is enabled and the failover key is defined.

  • unit —Either Primary or Secondary

Recommended Action None required.

720062

Error Message %ASA-6-720062: (VPN- unit ) Active unit started bulk sync of state information to standby unit.

Explanation The VPN failover subsystem active unit has started bulk synchronization of state information to the standby unit.

  • unit —Either Primary or Secondary

Recommended Action None required.

720063

Error Message %ASA-6-720063: (VPN- unit ) Active unit completed bulk sync of state information to standby.

Explanation The VPN failover subsystem active unit has completed bulk synchronization of state information to the standby unit.

  • unit —Either Primary or Secondary

Recommended Action None required.

720064

Error Message %ASA-4-720064: (VPN- unit ) Failed to update cTCP database record for peer= IP_address , port= port during bulk sync.

Explanation An error occurred while the VPN failover subsystem attempted to update an existing cTCP record during bulk synchronization. The cTCP record may have been deleted from the cTCP database on the standby unit and cannot be found.

  • unit —Either Primary or Secondary
  • IP_address —Peer IP address
  • port —Peer port number

Recommended Action Search in the message.

720065

Error Message %ASA-4-720065: (VPN- unit ) Failed to add new cTCP IKE rule, peer= peer , port= port .

Explanation An error occurred when the VPN failover subsystem tried to add a new IKE rule for the cTCP database entry on the standby unit. The ASA may be under heavy load, and the request for adding a cTCP IKE rule timed out and was never completed.

  • unit —Either Primary or Secondary
  • peer —Peer IP address
  • port —Peer port number

Recommended Action This may be a temporary condition.

720066

Error Message %ASA-4-720066: (VPN- unit ) Failed to activate IKE database.

Explanation An error occurred when the VPN failover subsystem tried to activate the IKE security association database while the standby unit was transitioning to the active state. There may be resource-related issues on the standby unit that prevent the IKE security association database from activating.

  • unit —Either Primary or Secondary

Recommended Action Use the show failover command to see if the failover pair is still working correctly and/or look for other IKE-related errors in the message.

720067

Error Message %ASA-4-720067: (VPN- unit ) Failed to deactivate IKE database.

Explanation An error occurred when the VPN failover subsystem tried to deactivate the IKE security association database while the active unit was transitioning to the standby state. There may be resource-related issues on the active unit that prevent the IKE security association database from deactivating.

  • unit —Either Primary or Secondary

Recommended Action Use the show failover command to see if the failover pair is still working correctly and/or look for IKE-related errors in the message.

720068

Error Message %ASA-4-720068: (VPN- unit ) Failed to parse peer message.

Explanation An error occurred when the VPN failover subsystem tried to parse a peer message received on the standby unit. The peer message received on the standby unit cannot be parsed.

  • unit —Either Primary or Secondary

Recommended Action Make sure that both active and standby units are running the same version of firmware. Also, use the show failover command to ensure that the failover pair is still working correctly.

720069

Error Message %ASA-4-720069: (VPN- unit ) Failed to activate cTCP database.

Explanation An error occurred when the VPN failover subsystem tried to activate the cTCP database while the standby unit was transitioning to the active state. There may be resource-related issues on the standby unit that prevent the cTCP database from activating.

  • unit —Either Primary or Secondary

Recommended Action Use the show failover command to see if the failover pair is still working correctly and/or look for other cTCP related errors in the message.

720070

Error Message %ASA-4-720070: (VPN- unit ) Failed to deactivate cTCP database.

Explanation An error occurred when the VPN failover subsystem tried to deactivate the cTCP database while the active unit was transitioning to the standby state. There may be resource-related issues on the active unit that prevent the cTCP database from deactivating.

  • unit —Either Primary or Secondary.

Recommended Action Use the show failover command to see if the failover pair is still working correctly and/or look for cTCP related errors in the message.

720071

Error Message %ASA-5-720071: (VPN- unit ) Failed to update cTCP dynamic data.

Explanation An error occurred while the VPN failover subsystem tried to update cTCP dynamic data.

  • unit —Either Primary or Secondary.

Recommended Action This may be a temporary condition. Because this is a periodic update, wait to see if the same error recurs. Also, look for other failover-related messages in the message.

720072

Error Message %ASA-5-720072: Timeout waiting for Integrity Firewall Server [ interface , ip ] to become available.

Explanation The Zonelab Integrity Server cannot reestablish a connection before timeout. In an active/standby failover setup, the SSL connection between a Zonelab Integrity Server and the ASA needs to be reestablished after a failover.

  • interface —The interface to which the Zonelab Integrity Server is connected
  • ip —The IP address of the Zonelab Integrity Server

Recommended Action Check that the configuration on the ASA and the Zonelab Integrity Server match, and verify communication between the ASA and the Zonelab Integrity Server.

720073

Error Message %ASA-4-720073: VPN Session failed to replicate - ACL acl_name not found

Explanation When replicating VPN sessions to the standby unit, the standby unit failed to find the associated filter ACL.

  • acl_name —The name of the ACL that was not found

Recommended Action Verify that the configuration on the standby unit has not been modified while in standby state. Resynchronize the standby unit by issuing the write standby command on the active unit.
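The 7200xx entries above share one header layout, so a log pipeline can route them without free-text matching. The following added example (not Cisco code) parses that header, tracks the standby bulk synchronization window opened by 720045 and closed by 720046, and attaches the Recommended Action from this page to four severity 4 failures. The timestamp and hostname prefix, the ACL name, and all function and field names are constructed assumptions.

```python
import re

# Header layout taken from the "Error Message" templates on this page:
#   %ASA-<severity>-<message id>: (VPN-<unit>) <text>
# The (VPN-unit) part is optional because 720072 and 720073 omit it.
ASA_RE = re.compile(
    r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): "
    r"(?:\(VPN-(?P<unit>Primary|Secondary)\) )?(?P<text>.*)$"
)

# Follow-ups paraphrased from the Recommended Action paragraphs above.
FOLLOW_UP = {
    "720043": "show failover: check the pair and the failover LAN link",
    "720044": "show failover (receive errors) and show memory",
    "720068": "confirm both units run the same firmware; show failover",
    "720073": "write standby on the active unit to resynchronize",
}
BULK_START, BULK_END = "720045", "720046"

# Constructed sample input; the syslog prefix format is an assumption.
SAMPLE = """\
Jan 10 03:12:01 fw1 %ASA-6-720045: (VPN-Secondary) Start bulk syncing of state information on standby unit.
Jan 10 03:12:02 fw1 %ASA-4-720044: (VPN-Secondary) Failed to receive message from active unit
Jan 10 03:12:02 fw1 %ASA-4-720068: (VPN-Secondary) Failed to parse peer message.
Jan 10 03:12:05 fw1 %ASA-6-720046: (VPN-Secondary) End bulk syncing of state information on standby unit
Jan 10 03:15:40 fw1 %ASA-4-720073: VPN Session failed to replicate - ACL vpn-filter-example not found
Jan 10 03:20:00 fw1 %ASA-6-720045: (VPN-Secondary) Start bulk syncing of state information on standby unit.
Jan 10 03:20:01 fw1 sshd[211]: unrelated line that is not an ASA record
"""


def parse(line):
    """Return severity, message ID, unit and text, or None if not an ASA record."""
    m = ASA_RE.search(line)
    if m is None:
        return None
    return {
        "sev": int(m.group("sev")),
        "id": m.group("id"),
        "unit": m.group("unit"),  # None when the message has no (VPN-unit) tag
        "text": m.group("text").strip(),
    }


def triage(lines):
    """Collect actionable failover failures and any bulk sync left unfinished."""
    in_sync = set()   # units that logged 720045 without a later 720046
    findings = []
    skipped = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            skipped += 1
            continue
        unit = rec["unit"] or "unknown"
        if rec["id"] == BULK_START:
            in_sync.add(unit)
        elif rec["id"] == BULK_END:
            in_sync.discard(unit)
        elif rec["id"] in FOLLOW_UP:
            findings.append({
                "id": rec["id"],
                "unit": unit,
                # A receive or parse failure inside the sync window means the
                # standby may hold incomplete state when the window closes.
                "during_bulk_sync": unit in in_sync,
                "action": FOLLOW_UP[rec["id"]],
                "text": rec["text"],
            })
    return {
        "findings": findings,
        "unfinished_sync": sorted(in_sync),
        "skipped": skipped,
    }


if __name__ == "__main__":
    report = triage(SAMPLE.splitlines())
    for f in report["findings"]:
        flag = "in bulk sync" if f["during_bulk_sync"] else "steady state"
        print(f'{f["id"]} [{f["unit"]}, {flag}] -> {f["action"]}')
    print("bulk sync started but not ended on:", report["unfinished_sync"])
```
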

721001

Error Message %ASA-6-721001: ( device ) WebVPN Failover SubSystem started successfully.( device ) either WebVPN-primary or WebVPN-secondary.

Explanation The WebVPN failover subsystem in the current failover unit, either primary or secondary, has been started successfully.

  • (device) —Either the WebVPN primary or the WebVPN secondary device

Recommended Action None required.

721002

Error Message %ASA-6-721002: ( device ) HA status change: event event , my state my_state , peer state peer .

Explanation The WebVPN failover subsystem receives status notification from the core HA component periodically. The incoming event, the new state of the local ASA, and the new state of the failover peer are reported.

  • (device) —Either the WebVPN primary or the WebVPN secondary ASA
  • event —New HA event
  • my_state —The new state of the local ASA
  • peer —The new state of the peer

Recommended Action None required.

721003

Error Message %ASA-6-721003: ( device ) HA progression change: event event , my state my_state , peer state peer .

Explanation The WebVPN failover subsystem transitions from one state to another state based on the event notified by the core HA component. The incoming event, the new state of the local ASA, and the new state of the failover peer are being reported.

  • (device) —Either the WebVPN primary or the WebVPN secondary ASA
  • event —New HA event
  • my_state —The new state of the local ASA
  • peer —The new state of the peer

Recommended Action None required.

721004

Error Message %ASA-6-721004: ( device ) Create access list list_name on standby unit.

Explanation A WebVPN-specific access list is replicated from the active unit to the standby unit. A successful installation of the WebVPN access list on the standby unit has occurred.

  • (device) —Either the WebVPN primary or the WebVPN secondary ASA
  • list_name —The access list name

Recommended Action None required.

721005

Error Message %ASA-6-721005: ( device ) Fail to create access list list_name on standby unit.

Explanation When a WebVPN-specific access list is installed on the active unit, a copy is installed on the standby unit. The access list failed to be installed on the standby unit. The access list may have existed on the standby unit already.

  • (device) —Either the WebVPN primary or the WebVPN secondary ASA
  • list_name —Name of the access list that failed to install on the standby unit

Recommended Action Use the show access-list command on both the active and standby units. Compare the content of the output and determine whether there is any discrepancy. Resynchronize the standby unit, if needed, by using the write standby command on the active unit.

721006

Error Message %ASA-6-721006: ( device ) Update access list list_name on standby unit.

Explanation The content of the access list has been updated on the standby unit.

  • (device) —Either the WebVPN primary or the WebVPN secondary ASA
  • list_name —Name of the access list that was updated

Recommended Action None required.

721007

Error Message %ASA-4-721007: ( device ) Fail to update access list list_name on standby unit.

Explanation An error occurred while the standby unit tried to update a WebVPN-specific access list. The access list cannot be located on the standby unit.

  • (device) —Either the WebVPN primary or the WebVPN secondary ASA
  • list_name —Name of the access list that was not updated

Recommended Action Use a show access-list command on both the active and standby units. Compare the content of the output and determine whether or not there is any discrepancy. Resynchronize the standby unit, if needed, by using the write standby command on the active unit.

721008

Error Message %ASA-6-721008: ( device ) Delete access list list_name on standby unit.

Explanation When a WebVPN-specific access list is removed from the active unit, a message is sent to the standby unit requesting that the same access list be removed. As a result, a WebVPN-specific access list has been removed from the standby unit.

  • (device) —Either the WebVPN primary or the WebVPN secondary ASA
  • list_name —Name of the access list that was removed

Recommended Action None required.

721009

Error Message %ASA-6-721009: ( device ) Fail to delete access list list_name on standby unit.

Explanation When a WebVPN-specific access list is removed on the active unit, a message is sent to the standby unit requesting the same access list be removed. An error condition occurred when an attempt was made to remove the corresponding access list on the standby unit. The access list did not exist on the standby unit.

  • (device) —Either the WebVPN primary or the WebVPN secondary ASA
  • list_name —Name of the access list that was deleted

Recommended Action Use a show access-list command on both the active and standby units. Compare the content of the output and determine whether there is any discrepancy. Resynchronize the standby unit, if needed, by using the write standby command on the active unit.

721010

Error Message %ASA-6-721010: ( device ) Add access list rule list_name , line line_no on standby unit.

Explanation When an access list rule is added to the active unit, the same rule is added on the standby unit. A new access list rule was added successfully on the standby unit.

  • (device) —Either the WebVPN primary or the WebVPN secondary ASA
  • list_name —Name of the access list that was deleted
  • line_no —Line number of the rule added to the access list

Recommended Action None required.

721011

Error Message %ASA-4-721011: ( device ) Fail to add access list rule list_name , line line_no on standby unit.

Explanation When an access list rule is added to the active unit, an attempt is made to add the same access list rule to the standby unit. An error occurred when an attempt was made to add a new access list rule to the standby unit. The same access list rule may exist on the standby unit.

  • (device) —Either the WebVPN primary or the WebVPN secondary ASA
  • list_name —Name of the access list that was deleted
  • line_no —Line number of the rule added to the access list

Recommended Action Use a show access-list command on both the active and standby units. Compare the content of the output and determine if there is any discrepancy. Resynchronize the standby unit, if needed, by using the write standby command on the active unit.

721012

Error Message %ASA-6-721012: ( device ) Enable APCF XML file file_name on the standby unit.

Explanation When an APCF XML file is installed on the active unit, an attempt is made to install the same file on the standby unit. An APCF XML file was installed successfully on the standby unit. Use the dir command on the standby unit to show that the XML file exists in the flash file system.

  • (device) —Either the WebVPN primary or the WebVPN secondary ASA
  • file_name —Name of the XML file on the flash file system

Recommended Action None required.

721013

Error Message %ASA-4-721013: ( device ) Fail to enable APCF XML file file_name on the standby unit.

Explanation When an APCF XML file is installed on the active unit, an attempt is made to install the same file on the standby unit. An APCF XML file failed to install on the standby unit.

  • (device) —Either the WebVPN primary or the WebVPN secondary ASA
  • file_name —Name of the XML file on the flash file system

Recommended Action Use a dir command on both the active and standby units. Compare the directory listing and determine if there is any discrepancy. Resynchronize the standby unit, if needed, by using the write standby command on the active unit.

721014

Error Message %ASA-6-721014: ( device ) Disable APCF XML file file_name on the standby unit.

Explanation When an APCF XML file is removed on the active unit, an attempt is made to remove the same file on the standby unit. An APCF XML file was removed from the standby unit successfully.

  • (device) —Either the WebVPN primary or the WebVPN secondary ASA
  • file_name —Name of the XML file on the flash file system

Recommended Action None required.

721015

Error Message %ASA-4-721015: ( device ) Fail to disable APCF XML file file_name on the standby unit.

Explanation When an APCF XML file is removed on the active unit, an attempt is made to remove the same file on the standby unit. An error occurred when an attempt was made to remove an APCF XML file from the standby unit. The file may not be installed on the standby unit.

  • (device) —Either the WebVPN primary or the WebVPN secondary ASA
  • file_name —Name of the XML file on the flash file system

Recommended Action Use a show running-config webvpn command to make sure the APCF XML file of interest is not enabled. As long as it is not enabled, you may ignore this message. Otherwise, try to disable the file by using the no apcf file_name command in the webvpn configuration submode.

721016

Error Message %ASA-6-721016: (device) WebVPN session for client user user_name, IP ip_address has been created.

Explanation A remote WebVPN user has logged in successfully and the login information has been installed on the standby unit.

  • (device) —Either the WebVPN primary or the WebVPN secondary ASA
  • user_name —Name of the user
  • ip_address —IP address of the remote user

Recommended Action None required.

721017

Error Message %ASA-4-721017: (device) Fail to create WebVPN session for user user_name, IP ip_address.

Explanation When a WebVPN user logs in to the active unit, the login information is replicated to the standby unit. An error occurred while replicating the login information to the standby unit.

  • (device) —Either the WebVPN primary or the WebVPN secondary ASA
  • user_name —Name of the user
  • ip_address —IP address of the remote user

Recommended Action Use the show vpn-sessiondb detail webvpn command for a regular WebVPN user, or the show vpn-sessiondb detail svc command for a WebVPN SVC user on both the active and standby units. Compare the entries and determine whether the same user session record appears on both ASAs. Resynchronize the standby unit, if needed, by using the write standby command on the active unit.

721018

Error Message %ASA-6-721018: (device) WebVPN session for client user user_name, IP ip_address has been deleted.

Explanation When a WebVPN user logs out on the active unit, a logout message is sent to the standby unit to remove the user session from the standby unit. A WebVPN user record was removed from the standby unit successfully.

  • (device) —Either the WebVPN primary or the WebVPN secondary ASA
  • user_name —Name of the user
  • ip_address —IP address of the remote user

Recommended Action None required.

721019

Error Message %ASA-4-721019: (device) Fail to delete WebVPN session for client user user_name, IP ip_address.

Explanation When a WebVPN user logs out on the active unit, a logout message is sent to the standby unit to remove the user session from the standby unit. An error occurred when an attempt was made to remove a WebVPN user record from the standby unit.

  • (device) —Either the WebVPN primary or the WebVPN secondary ASA
  • user_name —Name of the user
  • ip_address —IP address of the remote user

Recommended Action Use the show vpn-sessiondb detail webvpn command for a regular WebVPN user, or the show vpn-sessiondb detail svc command for a WebVPN SVC user on both the active and standby units. Check whether there is any discrepancy. Resynchronize the standby unit, if needed, by using the write standby command on the active unit.

722001

Error Message %ASA-4-722001: IP IP_address Error parsing SVC connect request.

Explanation The request from the SVC was invalid.

Recommended Action Research as necessary to determine if this error was caused by a defect in the SVC, an incompatible SVC version, or an attack against the device.

722002

Error Message %ASA-4-722002: IP IP_address Error consolidating SVC connect request.

Explanation There is not enough memory to perform the action.

Recommended Action Purchase more memory, upgrade the device, or reduce the load on the device.

722003

Error Message %ASA-4-722003: IP IP_address Error authenticating SVC connect request.

Explanation The user took too long to download and connect.

Recommended Action Increase the timeouts for session idle and maximum connect time.

722004

Error Message %ASA-4-722004: Group group User user-name IP IP_address Error responding to SVC connect request.

Explanation There is not enough memory to perform the action.

Recommended Action Purchase more memory, upgrade the device, or reduce the load on the device.

722005

Error Message %ASA-5-722005: Group group User user-name IP IP_address Unable to update session information for SVC connection.

Explanation There is not enough memory to perform the action.

Recommended Action Purchase more memory, upgrade the device, or reduce the load on the device.

722006

Error Message %ASA-5-722006: Group group User user-name IP IP_address Invalid address IP_address assigned to SVC connection.

Explanation An invalid address was assigned to the user.

Recommended Action Verify and correct the address assignment, if possible. Otherwise, notify your network administrator or escalate this issue according to your security policy. For additional assistance, contact the Cisco TAC.

722007

Error Message %ASA-3-722007: Group group User user-name IP IP_address SVC Message: type-num/ERROR: message

Explanation The SVC issued a message.

  • type-num — A number from 0 to 31 indicating a message type. Message types are as follows:
      - 0—Normal
      - 16—Logout
      - 17—Closed due to error
      - 18—Closed due to rekey
      - 1-15, 19-31—Reserved and unused
  • message —A text message from the SVC

Recommended Action None required.

722008

Error Message %ASA-3-722008: Group group User user-name IP IP_address SVC Message: type-num/ERROR: message

Explanation The SVC issued a message.

  • type-num — A number from 0 to 31 indicating a message type. Message types are as follows:
      - 0—Normal
      - 16—Logout
      - 17—Closed due to error
      - 18—Closed due to rekey
      - 1-15, 19-31—Reserved and unused
  • message —A text message from the SVC

Recommended Action None required.

722009

Error Message %ASA-3-722009: Group group User user-name IP IP_address SVC Message: type-num/ERROR: message

Explanation The SVC issued a message.

  • type-num — A number from 0 to 31 indicating a message type. Message types are as follows:
      - 0—Normal
      - 16—Logout
      - 17—Closed due to error
      - 18—Closed due to rekey
      - 1-15, 19-31—Reserved and unused
  • message —A text message from the SVC

Recommended Action None required.

722010

Error Message %ASA-5-722010: Group group User user-name IP IP_address SVC Message: type-num/NOTICE: message

Explanation The SVC issued a message.

  • type-num — A number from 0 to 31 indicating a message type. Message types are as follows:
      - 0—Normal
      - 16—Logout
      - 17—Closed due to error
      - 18—Closed due to rekey
      - 1-15, 19-31—Reserved and unused
  • message —A text message from the SVC

Recommended Action None required.

722011

Error Message %ASA-5-722011: Group group User user-name IP IP_address SVC Message: type-num/NOTICE: message

Explanation The SVC issued a message.

  • type-num — A number from 0 to 31 indicating a message type. Message types are as follows:
      - 0—Normal
      - 16—Logout
      - 17—Closed due to error
      - 18—Closed due to rekey
      - 1-15, 19-31—Reserved and unused
  • message —A text message from the SVC

Recommended Action None required.

722012

Error Message %ASA-5-722012: Group group User user-name IP IP_address SVC Message: type-num/INFO: message

Explanation The SVC issued a message.

  • type-num — A number from 0 to 31 indicating a message type. Message types are as follows:
      - 0—Normal
      - 16—Logout
      - 17—Closed due to error
      - 18—Closed due to rekey
      - 1-15, 19-31—Reserved and unused
  • message —A text message from the SVC

Recommended Action None required.

722013

Error Message %ASA-6-722013: Group group User user-name IP IP_address SVC Message: type-num/INFO: message

Explanation The SVC issued a message.

  • type-num — A number from 0 to 31 indicating a message type. Message types are as follows:
      - 0—Normal
      - 16—Logout
      - 17—Closed due to error
      - 18—Closed due to rekey
      - 1-15, 19-31—Reserved and unused
  • message —A text message from the SVC

Recommended Action None required.

722014

Error Message %ASA-6-722014: Group group User user-name IP IP_address SVC Message: type-num/INFO: message

Explanation The SVC issued a message.

  • type-num — A number from 0 to 31 indicating a message type. Message types are as follows:
      - 0—Normal
      - 16—Logout
      - 17—Closed due to error
      - 18—Closed due to rekey
      - 1-15, 19-31—Reserved and unused
  • message —A text message from the SVC

Recommended Action None required.

722015

Error Message %ASA-4-722015: Group group User user-name IP IP_address Unknown SVC frame type: type-num

Explanation The SVC sent an invalid frame type to the device, which might be caused by an SVC version incompatibility.

  • type-num— The number identifier of the frame type

Recommended Action Verify the SVC version.

722016

Error Message %ASA-4-722016: Group group User user-name IP IP_address Bad SVC frame length: length expected: expected-length

Explanation The expected amount of data was not available from the SVC, which might be caused by an SVC version incompatibility.

Recommended Action Verify the SVC version.

722017

Error Message %ASA-4-722017: Group group User user-name IP IP_address Bad SVC framing: 525446, reserved: 0

Explanation The SVC sent a badly framed datagram, which might be caused by an SVC version incompatibility.

Recommended Action Verify the SVC version.

722018

Error Message %ASA-4-722018: Group group User user-name IP IP_address Bad SVC protocol version: version, expected: expected-version

Explanation The SVC sent a version unknown to the device, which might be caused by an SVC version incompatibility.

Recommended Action Verify the SVC version.

722019

Error Message %ASA-4-722019: Group group User user-name IP IP_address Not enough data for an SVC header: length

Explanation The expected amount of data was not available from the SVC, which might be caused by an SVC version incompatibility.

Recommended Action Verify the SVC version.
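Messages 722001 and 722015 through 722019 all report malformed SVC requests or frames, and the guidance for 722001 asks whether the cause is a client defect, a version incompatibility, or an attack. The following Python code is an added example, not Cisco code: it summarizes these warnings per source IP so a consistent single-cause pattern can be told apart from a mixed one. The sample lines are constructed, the angle-bracket tolerance is an assumption, and the two-way triage rule is an illustrative assumption rather than Cisco guidance.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the documented 722001 / 722015-722019 formats.
SAMPLE_LOG = """\
%ASA-4-722018: Group Staff User dave IP 198.51.100.23 Bad SVC protocol version: 1, expected: 2
%ASA-4-722018: Group Staff User dave IP 198.51.100.23 Bad SVC protocol version: 1, expected: 2
%ASA-4-722001: IP 203.0.113.200 Error parsing SVC connect request.
%ASA-4-722001: IP 203.0.113.200 Error parsing SVC connect request.
%ASA-4-722019: Group Staff User erin IP 203.0.113.200 Not enough data for an SVC header: 3
%ASA-4-722016: Group Staff User erin IP 203.0.113.200 Bad SVC frame length: 65535 expected: 1400
%ASA-4-722015: Group Staff User erin IP 203.0.113.200 Unknown SVC frame type: 9
%ASA-6-722022: Group Staff User dave IP 198.51.100.23 TCP connection established without compression
"""

# 722001 has no Group/User fields, so that part of the pattern is optional.
# Optional angle brackets around values are tolerated (assumption).
EVENT = re.compile(
    r"%ASA-4-(?P<id>722001|72201[5-9]): "
    r"(?:Group <?(?P<group>.+?)>? User <?(?P<user>.+?)>? )?"
    r"IP <?(?P<ip>[0-9A-Fa-f:.]+)>? (?P<detail>.+)"
)
VERSION = re.compile(r"Bad SVC protocol version: (\S+?)\s*, expected: (\S+)")


def summarize(lines):
    """Return {source_ip: {"ids": Counter, "users": set, "versions": set}}."""
    summary = defaultdict(
        lambda: {"ids": Counter(), "users": set(), "versions": set()}
    )
    for line in lines:
        m = EVENT.search(line)  # search() tolerates a syslog header prefix
        if not m:
            continue
        entry = summary[m["ip"]]
        entry["ids"][m["id"]] += 1
        if m["user"]:
            entry["users"].add(m["user"])
        v = VERSION.search(m["detail"])
        if v:
            # (reported version, expected version) pairs from 722018
            entry["versions"].add((v.group(1), v.group(2)))
    return summary


def triage(entry):
    """Illustrative rule (assumption): one repeated frame error from a source
    fits the 'verify the SVC version' action; a 722001 parse error or a mix
    of different errors from one source is queued for research."""
    ids = set(entry["ids"])
    if "722001" in ids or len(ids) > 1:
        return "research"
    return "verify-svc-version"


if __name__ == "__main__":
    for ip, entry in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(ip, dict(entry["ids"]), sorted(entry["users"]), triage(entry))
```
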

722020

Error Message %ASA-3-722020: TunnelGroup tunnel_group GroupPolicy group_policy User user-name IP IP_address No address available for SVC connection

Explanation Address assignment failed for the AnyConnect session. No IP addresses are available.

  • tunnel_group— The name of the tunnel group that the user was assigned to or used to log in
  • group_policy —The name of the group policy that the user was assigned to
  • user-name —The name of the user with which this message is associated
  • IP_address —The public IP (Internet) address of the client machine

Recommended Action Check the configuration listed in the ip local ip command to see if enough addresses exist in the pools that have been assigned to the tunnel group and the group policy. Check the DHCP configuration and status. Check the address assignment configuration. Enable IPAA syslog messages to determine why the AnyConnect client cannot obtain an IP address.

722021

Error Message %ASA-3-722021: Group group User user-name IP IP_address Unable to start compression due to lack of memory resources

Explanation There is not enough memory to perform the action.

Recommended Action Purchase more memory, upgrade the device, or reduce the load on the device.

722022

Error Message %ASA-6-722022: Group group-name User user-name IP addr (TCP | UDP) connection established (with | without) compression

Explanation The TCP or UDP connection was established with or without compression.

Recommended Action None required.

722023

Error Message %ASA-6-722023: Group group User user-name IP IP_address SVC connection terminated {with|without} compression

Explanation The SVC terminated either with or without compression.

Recommended Action None required.

722024

Error Message %ASA-6-722024: SVC Global Compression Enabled

Explanation Subsequent SVC connections will be allowed to perform tunnel compression if SVC compression is enabled in the corresponding user or group configuration.

Recommended Action None required.

722025

Error Message %ASA-6-722025: SVC Global Compression Disabled

Explanation Subsequent SVC connections will not be allowed to perform tunnel compression.

Recommended Action None required.

722026

Error Message %ASA-6-722026: Group group User user-name IP IP_address SVC compression history reset

Explanation A compression error occurred. The SVC and the ASA corrected it.

Recommended Action None required.

722027

Error Message %ASA-6-722027: Group group User user-name IP IP_address SVC decompression history reset

Explanation A decompression error occurred. The SVC and the ASA corrected it.

Recommended Action None required.

722028

Error Message %ASA-5-722028: Group group User user-name IP IP_address Stale SVC connection closed.

Explanation An unused SVC connection was closed.

Recommended Action None required. However, the client may be having trouble connecting if multiple connections are established. The SVC log should be examined.

722029

Error Message %ASA-7-722029: Group group User user-name IP IP_address SVC Session Termination: Conns: connections, DPD Conns: DPD_conns, Comp resets: compression_resets, Dcmp resets: decompression_resets

Explanation The number of connections, reconnections, and resets that have occurred are reported. If connections is greater than 1 or the number of DPD_conns, compression_resets, or decompression_resets is greater than 0, it may indicate network reliability problems, which may be beyond the control of the ASA administrator. If there are many connections or DPD connections, the user may be having problems connecting and may experience poor performance.

  • connections— The total number of connections during this session (one is normal)
  • DPD_conns— The number of reconnections due to DPD
  • compression_resets— The number of compression history resets
  • decompression_resets— The number of decompression history resets

Recommended Action The SVC log should be examined. You may want to research and take appropriate action to resolve possible network reliability problems.

722030

Error Message %ASA-7-722030: Group group User user-name IP IP_address SVC Session Termination: In: data_bytes (+ctrl_bytes) bytes, data_pkts (+ctrl_pkts) packets, drop_pkts drops

Explanation End-of-session statistics are being recorded.

  • data_bytes— The number of inbound (from SVC) data bytes
  • ctrl_bytes— The number of inbound control bytes
  • data_pkts— The number of inbound data packets
  • ctrl_pkts— The number of inbound control packets
  • drop_pkts— The number of inbound packets that were dropped

Recommended Action None required.

722031

Error Message %ASA-7-722031: Group group User user-name IP IP_address SVC Session Termination: Out: data_bytes (+ctrl_bytes) bytes, data_pkts (+ctrl_pkts) packets, drop_pkts drops.

Explanation End-of-session statistics are being recorded.

  • data_bytes— The number of outbound (to SVC) data bytes
  • ctrl_bytes— The number of outbound control bytes
  • data_pkts— The number of outbound data packets
  • ctrl_pkts— The number of outbound control packets
  • drop_pkts— The number of outbound packets that were dropped

Recommended Action None required.
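Messages 722029, 722030, and 722031 together describe one terminated session, and the 722029 explanation gives the conditions that suggest reliability problems. The following Python code is an added example, not Cisco code: it joins the three messages per session and applies exactly those conditions. The sample lines are constructed, and tolerating angle brackets around field values is an assumption, not something this reference shows.

```python
import re

# Constructed sample lines following the 722029-722031 formats documented above.
# The last session wraps values in angle brackets (tolerated as an assumption)
# and has no 722030/722031 lines, as happens when debug-level lines are lost.
SAMPLE_LOG = """\
%ASA-7-722029: Group Staff User alice IP 198.51.100.10 SVC Session Termination: Conns: 1, DPD Conns: 0, Comp resets: 0, Dcmp resets: 0
%ASA-7-722030: Group Staff User alice IP 198.51.100.10 SVC Session Termination: In: 48213 (+912) bytes, 410 (+12) packets, 0 drops
%ASA-7-722031: Group Staff User alice IP 198.51.100.10 SVC Session Termination: Out: 913004 (+880) bytes, 702 (+11) packets, 0 drops.
%ASA-7-722029: Group Staff User bob IP 203.0.113.77 SVC Session Termination: Conns: 6, DPD Conns: 4, Comp resets: 0, Dcmp resets: 2
%ASA-7-722030: Group Staff User bob IP 203.0.113.77 SVC Session Termination: In: 1200 (+4100) bytes, 20 (+55) packets, 9 drops
%ASA-7-722031: Group Staff User bob IP 203.0.113.77 SVC Session Termination: Out: 7300 (+3900) bytes, 31 (+52) packets, 3 drops.
%ASA-7-722029: Group <Contractors> User <carol> IP <192.0.2.44> SVC Session Termination: Conns: 2, DPD Conns: 0, Comp resets: 0, Dcmp resets: 0
"""

HEAD = re.compile(
    r"%ASA-7-(?P<id>722029|722030|722031): "
    r"Group <?(?P<group>.+?)>? User <?(?P<user>.+?)>? "
    r"IP <?(?P<ip>[0-9A-Fa-f:.]+)>? SVC Session Termination: (?P<rest>.+)"
)
COUNTS = re.compile(
    r"Conns: (\d+)\s*, DPD Conns: (\d+)\s*, "
    r"Comp resets: (\d+)\s*, Dcmp resets: (\d+)"
)
TRAFFIC = re.compile(
    r"(In|Out): (\d+) \(\+\s*(\d+)\s*\) bytes, "
    r"(\d+) \(\+\s*(\d+)\s*\) packets, (\d+) drops"
)
TRAFFIC_FIELDS = ("data_bytes", "ctrl_bytes", "data_pkts", "ctrl_pkts", "drops")


def parse_sessions(lines):
    """Join 722029/722030/722031 lines into one record per terminated session.

    The messages carry no session identifier, so a 722029 line opens a new
    record and later In/Out lines attach to the most recent record with the
    same (group, user, IP).
    """
    sessions, latest = [], {}
    for line in lines:
        m = HEAD.search(line)  # search() tolerates a syslog header prefix
        if not m:
            continue
        key = (m["group"], m["user"], m["ip"])
        if m["id"] == "722029":
            c = COUNTS.search(m["rest"])
            if not c:
                continue
            conns, dpd, comp, dcmp = (int(x) for x in c.groups())
            rec = {"group": key[0], "user": key[1], "ip": key[2],
                   "conns": conns, "dpd_conns": dpd,
                   "comp_resets": comp, "dcmp_resets": dcmp,
                   "in": None, "out": None}
            sessions.append(rec)
            latest[key] = rec
        else:
            t = TRAFFIC.search(m["rest"])
            rec = latest.get(key)
            if t and rec is not None:
                values = (int(x) for x in t.groups()[1:])
                rec[t.group(1).lower()] = dict(zip(TRAFFIC_FIELDS, values))
    return sessions


def reliability_flags(rec):
    """Apply the 722029 conditions: connections > 1, or any other counter > 0."""
    flags = []
    if rec["conns"] > 1:
        flags.append(f"conns={rec['conns']}")
    for field in ("dpd_conns", "comp_resets", "dcmp_resets"):
        if rec[field] > 0:
            flags.append(f"{field}={rec[field]}")
    return flags


if __name__ == "__main__":
    for rec in parse_sessions(SAMPLE_LOG.splitlines()):
        flags = reliability_flags(rec)
        print(rec["user"], rec["ip"], "REVIEW " + ", ".join(flags) if flags else "ok")
```
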

722032

Error Message %ASA-5-722032: Group group User user-name IP IP_address New SVC connection replacing old connection.

Explanation A new SVC connection is replacing an existing one. You may be having trouble connecting.

Recommended Action Examine the SVC log.

722033

Error Message %ASA-5-722033: Group group User user-name IP IP_address First SVC connection established for SVC session.

Explanation The first SVC connection was established for the SVC session.

Recommended Action None required.

722034

Error Message %ASA-5-722034: Group group User user-name IP IP_address New SVC connection, no existing connection.

Explanation A reconnection attempt has occurred. An SVC connection is replacing a previously closed connection. There is no existing connection for this session because the connection was already dropped by the SVC or the ASA. You may be having trouble connecting.

Recommended Action Examine the ASA log and SVC log.

722035

Error Message %ASA-3-722035: Group group User user-name IP IP_address Transmitting large packet length (threshold +num).

Explanation A large packet was sent to the client. The source of the packet may not be aware of the MTU of the client.

  • length— The length of the large packet
  • +num— The threshold

Recommended Action None required.

722036

Error Message %ASA-3-722036: Group group User user-name IP IP_address Received large packet length (threshold +num).

Explanation A large packet was sent to the client. The packets that were arriving on the ASA had the DF bit set, and the ASA was unable to fragment it.

  • length— The length of the large packet
  • +num— The threshold

Recommended Action Enter the anyconnect ssl df-bit-ignore enable command under the group policy to allow the ASA to fragment the packets arriving with the DF bit set.

722037

Error Message %ASA-5-722037: Group group User user-name IP IP_address SVC closing connection: reason.

Explanation An SVC connection was terminated for the given reason. This behavior may be normal, or you may be having trouble connecting.

  • reason— The reason that the SVC connection was terminated

Recommended Action Examine the SVC log.

722038

Error Message %ASA-5-722038: Group group-name User user-name IP IP_address SVC terminating session: reason.

Explanation An SVC session was terminated for the given reason. This behavior may be normal, or you may be having trouble connecting.

  • reason— The reason that the SVC session was terminated

Recommended Action Examine the SVC log if the reason for termination was unexpected.

722039

Error Message %ASA-4-722039: Group group, User user, IP ip, SVC vpn-filter acl is an IPv6 ACL; ACL not applied.

Explanation The type of ACL to be applied is incorrect. An IPv6 ACL has been configured as an IPv4 ACL through the vpn-filter command.

  • group —The group policy name of the user
  • user —The username
  • ip —The public (not assigned) IP address of the user
  • acl —The name of the invalid ACL

Recommended Action Validate the VPN filter and IPv6 VPN filter configurations on the ASA, and the filter parameters on the AAA (RADIUS) server. Make sure that the correct type of ACL is specified.

722040

Error Message %ASA-4-722040: Group group, User user, IP ip, SVC 'ipv6-vpn-filter acl' is an IPv4 ACL; ACL not applied

Explanation The type of ACL to be applied is incorrect. An IPv4 ACL has been configured as an IPv6 ACL through the ipv6-vpn-filter command.

  • group —The group policy name of the user
  • user —The username
  • ip —The public (not assigned) IP address of the user
  • acl —The name of the invalid ACL

Recommended Action Validate the VPN filter and IPv6 VPN filter configurations on the ASA and the filter parameters on the AAA (RADIUS) server. Make sure that the correct type of ACL is specified.

722041

Error Message %ASA-4-722041: TunnelGroup tunnel_group GroupPolicy group_policy User username IP peer_address No IPv6 address available for SVC connection.

Explanation An IPv6 address was not available for assignment to the remote SVC client.

  • n —The SVC connection identifier

Recommended Action Augment or create an IPv6 address pool, if desired.

722042

Error Message %ASA-4-722042: Group group User user IP ip Invalid Cisco SSL Tunneling Protocol version.

Explanation An invalid SVC or AnyConnect client is trying to connect.

  • group —The name of the group policy with which the user is trying to connect
  • user —The name of the user who is trying to connect
  • ip —The IP address of the user who is trying to connect

Recommended Action Validate that the SVC or AnyConnect client is compatible with the ASA.

722043

Error Message %ASA-5-722043: Group group User user IP ip DTLS disabled: unable to negotiate cipher.

Explanation The DTLS (UDP transport) cannot be established. The SSL encryption configuration was probably changed.

  • group —The name of the group policy with which the user is trying to connect
  • user —The name of the user who is trying to connect
  • ip —The IP address of the user who is trying to connect

Recommended Action Revert the SSL encryption configuration. Make sure there is at least one block cipher (AES, DES, or 3DES) in the SSL encryption configuration.

722044

Error Message %ASA-5-722044: Group group User user IP ip Unable to request ver address for SSL tunnel.

Explanation An IP address cannot be requested because of low memory on the ASA.

  • group —The name of the group policy with which the user is trying to connect
  • user —The name of the user who is trying to connect
  • ip —The IP address of the user who is trying to connect
  • ver —Either IPv4 or IPv6, based on the IP address version being requested

Recommended Action Reduce the load on the ASA or add more memory.

722045

Error Message %ASA-3-722045: Connection terminated: no SSL tunnel initialization data.

Explanation Data to establish a connection is missing. This is a defect in the ASA software.

Recommended Action Contact the Cisco TAC for assistance.

722046

Error Message %ASA-3-722046: Group group User user IP ip Session terminated: unable to establish tunnel.

Explanation The ASA cannot set up connection parameters. This is a defect in the ASA software.

  • group —The name of the group policy with which the user is trying to connect
  • user —The name of the user who is trying to connect
  • ip —The IP address of the user who is trying to connect

Recommended Action Contact the Cisco TAC for assistance.

722047

Error Message %ASA-4-722047: Group group User user IP ip Tunnel terminated: SVC not enabled or invalid SVC image on the ASA.

Explanation The user logged in via the web browser and tried to start the SVC or AnyConnect client. The SVC service is not enabled globally, or the SVC image is invalid or corrupted. The tunnel connection has been terminated, but the clientless connection remains.

  • group —The name of the group policy with which the user is trying to connect
  • user —The name of the user who is trying to connect
  • ip —The IP address of the user who is trying to connect

Recommended Action Enable the SVC globally using the svc enable command. Validate the integrity of versions of the SVC images by reloading new images using the svc image command.

722048

Error Message %ASA-4-722048: Group group User user IP ip Tunnel terminated: SVC not enabled for the user.

Explanation The user logged in via the web browser, and tried to start the SVC or AnyConnect client. The SVC service is not enabled for this user. The tunnel connection has been terminated, but the clientless connection remains.

  • group —The name of the group policy with which the user is trying to connect
  • user —The name of the user who is trying to connect
  • ip —The IP address of the user who is trying to connect

Recommended Action Enable the service for this user using the group-policy and username commands.

722049

Error Message %ASA-4-722049: Group group User user IP ip Session terminated: SVC not enabled or invalid image on the ASA.

Explanation The user logged in via the AnyConnect client. The SVC service is not enabled globally, or the SVC image is invalid or corrupted. The session connection has been terminated.

  • group —The name of the group policy with which the user is trying to connect
  • user —The name of the user who is trying to connect
  • ip —The IP address of the user who is trying to connect

Recommended Action Enable the SVC globally using the svc enable command. Validate the integrity and versions of the SVC images by reloading new images using the svc image command.

722050

Error Message %ASA-4-722050: Group group User user IP ip Session terminated: SVC not enabled for the user.

Explanation The user logged in through the AnyConnect client. The SVC service is not enabled for this user. The session connection has been terminated.

  • group —The name of the group policy with which the user is trying to connect
  • user —The name of the user who is trying to connect
  • ip —The IP address of the user who is trying to connect

Recommended Action Enable the service for this user using the group-policy and username commands.

722051

Error Message %ASA-6-722051: Group group-policy User username IP public-ip IPv4 Address assigned-ip IPv6 Address assigned-ip assigned to session

Explanation The specified address has been assigned to the given user.

  • group-policy —The group policy that allowed the user to gain access
  • username —The name of the user
  • public-ip —The public IP address of the connected client
  • assigned-ip —The IPv4 or IPv6 address that is assigned to the client

Recommended Action None required.

722053

Error Message %ASA-6-722053: Group g User u IP ip Unknown client user-agent connection.

Explanation An unknown or unsupported SSL VPN client has connected to the ASA. Older clients include the Cisco SVC and the Cisco AnyConnect client earlier than Version 2.3.1.

  • g —The group policy under which the user logged in
  • u —The name of the user
  • ip —The IP address of the client
  • user-agent —The user agent (usually includes the version) received from the client

Recommended Action Upgrade to a supported Cisco SSL VPN client.

722054

Error Message %ASA-4-722054: Group group policy User user name IP remote IP SVC terminating connection: Failed to install Redirect URL: redirect URL Redirect ACL: non_exist for assigned IP

Explanation An error occurred for an AnyConnect VPN connection when a redirect URL was installed, and the ACL was received from the ISE, but the redirect ACL does not exist on the ASA.

  • group policy —The group policy that allowed the user to gain access
  • user name —Username of the requester for the remote access
  • remote IP — Remote IP address that the connection request is coming from
  • redirect URL —The URL for the HTTP traffic redirection
  • assigned IP —The IP address that is assigned to the user

Recommended Action Configure the redirect ACL on the ASA.

722055

Error Message %ASA-6-722055: Group group-policy User username IP public-ip Client Type: user-agent

Explanation The indicated user is attempting to connect with the given user-agent.

  • group-policy —The group policy that allowed the user to gain access
  • username —The name of the user
  • public-ip —The public IP address of the connected client
  • user-agent —The user-agent string provided by the connecting client. Usually includes the AnyConnect version and host operating system for AnyConnect clients.

Recommended Action None required.

723001

Error Message %ASA-6-723001: Group group-name, User user-name, IP IP_address: WebVPN Citrix ICA connection connection is up.

Explanation The Citrix connection is up.

  • group-name —The name of the Citrix group
  • user-name —The name of the Citrix user
  • IP_address —The IP address of the Citrix user
  • connection— The Citrix connection identifier

Recommended Action None required.

723002

Error Message %ASA-6-723002: Group group-name, User user-name, IP IP_address: WebVPN Citrix ICA connection connection is down.

Explanation The Citrix connection is down.

  • group-name —The name of the Citrix group
  • user-name —The name of the Citrix user
  • IP_address —The IP address of the Citrix user
  • connection— The Citrix connection identifier

Recommended Action No action is required when the Citrix ICA connection is terminated intentionally by the client, the server, or the ASA administrator. However, if this is not the case, verify that the WebVPN session in which the Citrix ICA connection is set up is still active. If it is inactive, then receiving this message is normal. If the WebVPN session is still active, verify that the ICA client and Citrix server both work correctly and that there is no error displayed. If not, bring either or both up or respond to any error. If this message is still received, contact the Cisco TAC and provide the following information:

  • Network topology
  • Delay and packet loss
  • Citrix server configuration
  • Citrix ICA client information
  • Steps to reproduce the problem
  • Complete text of all associated messages

723003

Error Message %ASA-7-723003: No memory for WebVPN Citrix ICA connection connection.

Explanation The ASA is running out of memory. The Citrix connection was rejected.

  • connection— The Citrix connection identifier

Recommended Action Verify that the ASA is working correctly. Pay special attention to memory and buffer usage. If the ASA is under heavy load, buy more memory and upgrade the ASA or reduce the load on the ASA. If the problem persists, contact the Cisco TAC.

723004

Error Message %ASA-7-723004: WebVPN Citrix encountered bad flow control flow.

Explanation The ASA encountered an internal flow control mismatch, which can be caused by massive data flow, such as might occur during stress testing or with a high volume of ICA connections.

Recommended Action Reduce ICA connectivity to the ASA. If the problem persists, contact the Cisco TAC.

723005

Error Message %ASA-7-723005: No channel to set up WebVPN Citrix ICA connection.

Explanation The ASA was unable to create a new channel for Citrix.

Recommended Action Verify that the Citrix ICA client and the Citrix server are still alive. If not, bring them back up and retest. Check the ASA load, paying special attention to memory and buffer usage. If the ASA is under heavy load, upgrade the ASA, add memory, or reduce the load. If the problem persists, contact the Cisco TAC.

723006

Error Message %ASA-7-723006: WebVPN Citrix SOCKS errors.

Explanation An internal Citrix SOCKS error has occurred on the ASA.

Recommended Action Verify that the Citrix ICA client is working correctly. In addition, check the network connection status between the Citrix ICA client and the ASA, paying attention to packet loss. Resolve any abnormal network conditions. If the problem persists, contact the Cisco TAC.

723007

Error Message %ASA-7-723007: WebVPN Citrix ICA connection connection list is broken.

Explanation The ASA internal Citrix connection list is broken.

  • connection— The Citrix connection identifier

Recommended Action Verify that the ASA is working correctly, paying special attention to memory and buffer usage. If the ASA is under heavy load, upgrade the ASA, add memory, or reduce the load. If the problem persists, contact the Cisco TAC.

723008

Error Message %ASA-7-723008: WebVPN Citrix ICA SOCKS Server server is invalid.

Explanation An attempt was made to access a Citrix SOCKS server that does not exist.

  • server —The Citrix server identifier

Recommended Action Verify that the ASA is working correctly. Note whether or not there is any memory or buffer leakage. If this issue occurs frequently, capture information about memory usage, network topology, and the conditions during which this message is received. Send this information to the Cisco TAC for review. Make sure that the WebVPN session is still up while this message is being received. If not, determine the reason that the WebVPN session is down. If the ASA is under heavy load, upgrade the ASA, add memory, or reduce the load. If the problem persists, contact the Cisco TAC.

723009

Error Message %ASA-7-723009: Group group-name, User user-name, IP IP_address: WebVPN Citrix received data on invalid connection connection.

Explanation Data was received on a Citrix connection that does not exist.

  • group-name —The name of the Citrix group
  • user-name —The name of the Citrix user
  • IP_address —The IP address of the Citrix user
  • connection— The Citrix connection identifier

Recommended Action The original published Citrix application connection was probably terminated, and the remaining active published applications lost connectivity. Restart all published applications to generate a new Citrix ICA tunnel. If the ASA is under heavy load, upgrade the ASA, add memory, or reduce the load. If the problem persists, contact the Cisco TAC.

723010

Error Message %ASA-7-723010: Group group-name, User user-name, IP IP_address: WebVPN Citrix received closing channel channel for invalid connection connection.

Explanation An abort was received on a nonexistent Citrix connection, which can be caused by massive data flow (such as stress testing) or a high volume of ICA connections, especially during network delay or packet loss.

  • group-name —The name of the Citrix group
  • user-name —The name of the Citrix user
  • IP_address —The IP address of the Citrix user
  • channel—The Citrix channel identifier
  • connection— The Citrix connection identifier

Recommended Action Reduce the number of ICA connections to the ASA, obtain more memory for the ASA, or resolve the network problems.

723011

Error Message %ASA-7-723011: Group group-name , User user-name , IP IP_address : WebVPN Citrix receives bad SOCKS socks message length msg-length. Expected length is exp-msg-length .

Explanation The Citrix SOCKS message length is incorrect.

  • group-name —The name of the Citrix group
  • user-name —The name of the Citrix user
  • IP_address —The IP address of the Citrix user

Recommended Action Verify that the Citrix ICA client is working correctly. In addition, check the network connection status between the ICA client and the ASA, paying attention to packet loss. After resolving any abnormal network conditions, if the problem still exists, contact the Cisco TAC.

723012

Error Message %ASA-7-723012: Group group-name , User user-name , IP IP_address : WebVPN Citrix received bad SOCKS socks message format.

Explanation The Citrix SOCKS message format is incorrect.

  • group-name —The name of the Citrix group
  • user-name —The name of the Citrix user
  • IP_address —The IP address of the Citrix user

Recommended Action Verify that the Citrix ICA client is working correctly. In addition, check the network connection status between the ICA client and the ASA, paying attention to packet loss. After resolving any abnormal network conditions, if the problem still exists, contact the Cisco TAC.

723013

Error Message %ASA-7-723013: WebVPN Citrix encountered invalid connection connection during periodic timeout.

Explanation The ASA internal Citrix timer has expired, and the Citrix connection is invalid.

  • connection— The Citrix connection identifier

Recommended Action Check the network connection between the Citrix ICA client and the ASA, and between the ASA and the Citrix server. Resolve any abnormal network conditions, especially delay and packet loss. Verify that the ASA works correctly, paying special attention to memory or buffer problems. If the ASA is under heavy load, obtain more memory, upgrade the ASA, or reduce the load. If the problem persists, contact the Cisco TAC.

723014

Error Message %ASA-7-723014: Group group-name , User user-name , IP IP_address : WebVPN Citrix TCP connection connection to server server on channel channel initiated.

Explanation The ASA internal Citrix Secure Gateway is connected to the Citrix server.

  • group-name —The name of the Citrix group
  • user-name —The name of the Citrix user
  • IP_address —The IP address of the Citrix user
  • connection— The connection name
  • server—The Citrix server identifier
  • channel—The Citrix channel identifier (hexadecimal)

Recommended Action None required.

724001

Error Message %ASA-4-724001: Group group-name User user-name IP IP_address WebVPN session not allowed. Unable to determine if Cisco Secure Desktop was running on the client's workstation.

Explanation The session was not allowed because an error occurred during processing of the CSD Host Integrity Check results on the ASA.

  • group-name —The name of the group
  • user-name —The name of the user
  • IP_address —The IP address

Recommended Action Determine whether the client firewall is truncating long URLs. Uninstall CSD from the client and reconnect to the ASA.

724002

Error Message %ASA-4-724002: Group group-name User user-name IP IP_address WebVPN session not terminated. Cisco Secure Desktop was not running on the client's workstation.

Explanation CSD is not running on the client machine.

  • group-name —The name of the group
  • user-name —The name of the user
  • IP_address —The IP address

Recommended Action Verify that the end user can install and run CSD on the client machine.

725001

Error Message %ASA-6-725001: Starting SSL handshake with peer-type interface : src-ip / src-port to dst-ip / dst-port for protocol session.

Explanation The SSL handshake has started with the remote device, which can be a client or server.

  • peer-type— Either the server or the client, depending on the device that initiated the connection
  • interface —The interface name that the SSL session is using
  • source-ip —The source IPv4 or IPv6 address
  • src-port —The source port number
  • dst-ip —The destination IP address
  • dst-port —The destination port number
  • protocol —The SSL version used for the SSL handshake

Recommended Action None required.

725002

Error Message %ASA-6-725002: Device completed SSL handshake with peer-type interface : src-ip / src-port to dst-ip / dst-port for protocol-version session

Explanation The SSL handshake has completed successfully with the remote device.

  • peer-type— Either the server or the client, depending on the device that initiated the connection
  • interface —The interface name that the SSL session is using
  • source-ip —The source IPv4 or IPv6 address
  • src-port —The source port number
  • dst-ip —The destination IP address
  • dst-port —The destination port number
  • protocol-version —The version of the SSL protocol being used: SSLv3, TLSv1, DTLSv1, TLSv1.1 or TLSv1.2

Recommended Action None required.

725003

Error Message %ASA-6-725003: SSL peer-type interface : src-ip / src-port to dst-ip / dst-port request to resume previous session.

Explanation The remote device is trying to resume a previous SSL session.

  • peer-type— Either the server or the client, depending on the device that initiated the connection
  • interface —The interface name that the SSL session is using
  • source-ip —The source IPv4 or IPv6 address
  • src-port —The source port number
  • dst-ip —The destination IP address
  • dst-port —The destination port number

Recommended Action None required.

725004

Error Message %ASA-6-725004: Device requesting certificate from SSL peer-type interface : src-ip / src-port to dst-ip / dst-port for authentication.

Explanation The ASA has requested a client certificate for authentication.

  • peer-type— Either the server or the client, depending on the device that initiated the connection
  • interface —The interface name that the SSL session is using
  • source-ip —The source IPv4 or IPv6 address
  • src-port —The source port number
  • dst-ip —The destination IP address
  • dst-port —The destination port number

Recommended Action None required.

725005

Error Message %ASA-6-725005: SSL peer-type interface : src-ip / src-port to dst-ip / dst-port requesting our device certificate for authentication.

Explanation The server has requested the certificate of the ASA for authentication.

  • peer-type— Either the server or the client, depending on the device that initiated the connection
  • interface —The interface name that the SSL session is using
  • source-ip —The source IPv4 or IPv6 address
  • src-port —The source port number
  • dst-ip —The destination IP address
  • dst-port —The destination port number

Recommended Action None required.

725006

Error Message %ASA-6-725006: Device failed SSL handshake with peer-type interface : src-ip / src-port to dst-ip / dst-port

Explanation The SSL handshake with the remote device has failed.

  • peer-type— Either the server or the client, depending on the device that initiated the connection
  • interface —The interface name that the SSL session is using
  • source-ip —The source IPv4 or IPv6 address
  • src-port —The source port number
  • dst-ip —The destination IP address
  • dst-port —The destination port number

Recommended Action Look for syslog message 725014, which indicates the reason for the failure.

725007

Error Message %ASA-6-725007: SSL session with peer-type interface : src-ip / src-port to dst-ip / dst-port terminated.

Explanation The SSL session has terminated.

  • peer-type— Either the server or the client, depending on the device that initiated the connection
  • interface —The interface name that the SSL session is using
  • source-ip —The source IPv4 or IPv6 address
  • src-port —The source port number
  • dst-ip —The destination IP address
  • dst-port —The destination port number

Recommended Action None required.

725008

Error Message %ASA-7-725008: SSL peer-type interface : src-ip / src-port to dst-ip / dst-port proposes the following n cipher(s).

Explanation The number of ciphers proposed by the remote SSL device is listed.

  • peer-type— Either the server or the client, depending on the device that initiated the connection
  • interface —The interface name that the SSL session is using
  • source-ip —The source IPv4 or IPv6 address
  • src-port —The source port number
  • dst-ip —The destination IP address
  • dst-port —The destination port number
  • n —The number of supported ciphers

Recommended Action None required.

725009

Error Message %ASA-7-725009 Device proposes the following n cipher(s) peer-type interface : src-ip / src-port to dst-ip / dst-port .

Explanation The number of ciphers proposed to the SSL server is listed.

  • peer-type— Either the server or the client, depending on the device that initiated the connection
  • interface —The interface name that the SSL session is using
  • source-ip —The source IPv4 or IPv6 address
  • src-port —The source port number
  • dst-ip —The destination IP address
  • dst-port —The destination port number
  • n —The number of supported ciphers

Recommended Action None required.

725010

Error Message %ASA-7-725010: Device supports the following n cipher(s).

Explanation The number of ciphers supported by the ASA for an SSL session is listed.

  • n —The number of supported ciphers

Recommended Action None required.

725011

Error Message %ASA-7-725011 Cipher[ order ]: cipher_name

Explanation Always following messages 725008, 725009, and 725010, this message indicates the cipher name and its order of preference.

  • order —The order of the cipher in the cipher list
  • cipher_name— The name of the OpenSSL cipher from the cipher list

Recommended Action None required.

725012

Error Message %ASA-7-725012: Device chooses cipher cipher for the SSL session with peer-type interface : src-ip / src-port to dst-ip / dst-port.

Explanation The cipher that was chosen by the Cisco device for the SSL session is listed.

  • cipher— The name of the OpenSSL cipher from the cipher list
  • peer-type— Either the server or the client, depending on the device that initiated the connection
  • interface —The interface name that the SSL session is using
  • source-ip —The source IPv4 or IPv6 address
  • src-port —The source port number
  • dst-ip —The destination IP address
  • dst-port —The destination port number

Recommended Action None required.

725013

Error Message %ASA-7-725013 SSL peer-type interface : src-ip / src-port to dst-ip / dst-port chooses cipher cipher

Explanation The cipher that was chosen by the server for the SSL session is identified.

  • peer-type— Either the server or the client, depending on the device that initiated the connection
  • interface —The interface name that the SSL session is using
  • source-ip —The source IPv4 or IPv6 address
  • src-port —The source port number
  • dst-ip —The destination IP address
  • dst-port —The destination port number
  • cipher— The name of the OpenSSL cipher from the cipher list

Recommended Action None required.
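Messages 725008 through 725011 spread one cipher list over several lines, and 725002 records the negotiated protocol version. The following added example (not Cisco code) reassembles each list and flags weak entries; the sample lines are constructed in compact interface:ip/port form, and the weak-protocol and weak-cipher sets are an assumed audit policy that the page does not define.

```python
import re

# Assumed audit policy for this example; the page does not rank protocols or ciphers.
WEAK_PROTOCOLS = {"SSLv3", "TLSv1"}
WEAK_CIPHER_TOKENS = ("RC4", "DES", "NULL", "EXP", "MD5")

# "peer-type interface:src-ip/src-port to dst-ip/dst-port"; spaces around ":" and "/" are optional.
EP = (r"(?P<peer>\S+) (?P<ifc>[^\s:]+)\s*:\s*(?P<src>[0-9A-Fa-f.:]+)"
      r"\s*/\s*(?P<sport>\d+) to \S+")
DONE = re.compile(r"ASA-6-725002: Device completed SSL handshake with " + EP
                  + r".*? for (?P<proto>\S+) session")
HEADER = re.compile(r"ASA-7-(?P<id>725008|725009|725010):? .*?"
                    r"the following (?P<n>\d+) cipher\(s\)")
PEER = re.compile(r"SSL " + EP)
CIPHER = re.compile(r"ASA-7-725011:? Cipher\[\s*\d+\s*\]\s*:\s*(?P<name>\S+)")

# Constructed sample log (addresses are documentation ranges).
SAMPLE_LOG = """\
%ASA-7-725010: Device supports the following 2 cipher(s).
%ASA-7-725011: Cipher[1] : AES256-SHA
%ASA-7-725011: Cipher[2] : RC4-SHA
%ASA-7-725008: SSL client outside:203.0.113.7/51234 to 198.51.100.10/443 proposes the following 3 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DES-CBC3-SHA
%ASA-7-725011: Cipher[3] : RC4-MD5
%ASA-6-725002: Device completed SSL handshake with client outside:203.0.113.7/51234 to 198.51.100.10/443 for TLSv1 session
%ASA-7-725008: SSL client outside:203.0.113.9/40000 to 198.51.100.10/443 proposes the following 2 cipher(s).
%ASA-7-725011: Cipher[1] : AES256-GCM-SHA384
%ASA-6-725002: Device completed SSL handshake with client outside:203.0.113.9/40000 to 198.51.100.10/443 for TLSv1.2 session
""".splitlines()


def audit_ssl_log(lines):
    """Return findings for weak negotiated protocols and weak or truncated cipher lists."""
    findings = []
    current = None  # cipher list (725008/725009/725010) still collecting 725011 lines

    def close():
        nonlocal current
        if current is None:
            return
        weak = [c for c in current["ciphers"]
                if any(tok in c.upper() for tok in WEAK_CIPHER_TOKENS)]
        complete = len(current["ciphers"]) == current["n"]
        # Report lists that contain weak ciphers or that lost 725011 lines.
        if weak or not complete:
            findings.append({"type": "cipher_list", "msg": current["msg"],
                             "who": current["who"], "weak": weak,
                             "complete": complete})
        current = None

    for line in lines:
        m = CIPHER.search(line)
        if m:
            # 725011 carries no connection fields, so it belongs to the last header seen.
            if current is not None:
                current["ciphers"].append(m["name"])
                if len(current["ciphers"]) == current["n"]:
                    close()
            continue
        m = HEADER.search(line)
        if m:
            close()  # a new header ends the previous list, complete or not
            who = "device"
            if m["id"] == "725008":
                p = PEER.search(line)
                who = f'{p["src"]}/{p["sport"]}' if p else "unknown-peer"
            current = {"msg": m["id"], "who": who, "n": int(m["n"]), "ciphers": []}
            continue
        m = DONE.search(line)
        if m and m["proto"] in WEAK_PROTOCOLS:
            findings.append({"type": "weak_protocol",
                             "who": f'{m["src"]}/{m["sport"]}',
                             "protocol": m["proto"]})
    close()
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_log(SAMPLE_LOG):
        print(finding)
```

Messages 725008 through 725011 are severity 7, so the cipher lists appear only when debugging-level logging reaches the collector.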

725014

Error Message %ASA-7-725014 SSL lib error. Function: function Reason: reason

Explanation The reason for failure of the SSL handshake is indicated.

  • function —The function name where the failure is reported
  • reason —The description of the failure condition

Recommended Action Include this message when reporting any SSL-related issue to the Cisco TAC.

725015

Error Message %ASA-3-725015 Error verifying client certificate. Public key size in client certificate exceeds the maximum supported key size.

Explanation The verification of an SSL client certificate failed because of an unsupported (large) key size.

Recommended Action Use client certificates with key sizes that are less than or equal to 4096 bits.

725016

Error Message %ASA-6-725016: Device selects trust-point trustpoint for peer-type interface : src-ip / src-port to dst-ip / dst-port

Explanation With server-name indication (SNI), the certificate used for a given connection may not be the certificate configured on the interface. There is also no indication of which certificate trustpoint has been selected. This syslog gives an indication of the trustpoint used by the connection (given by interface : src-ip / src-port ).

  • trustpoint —The name of the configured trustpoint that is being used for the specified connection
  • interface —The name of the interface on the ASA
  • src-ip —The IP address of the peer
  • src-port —The port number of the peer
  • dst-ip —The IP address of the destination
  • dst-port —The port number of the destination

Recommended Action None required.

726001

Error Message %ASA-6-726001: Inspected im_protocol im_service Session between Client im_client_1 and im_client_2 Packet flow from src_ifc :/ sip / sport to dest_ifc :/ dip / dport Action: action Matched Class class_map_id class_map_name

Explanation An IM inspection was performed on an IM message and the specified criteria were satisfied. The configured action is taken.

  • im_protocol —MSN IM or Yahoo IM
  • im_service —The IM services, such as chat, conference, file transfer, voice, video, games, or unknown
  • im_client_1 , im_client_2 —The client peers that are using the IM service in the session: client_login_name or “?”
  • src_ifc —The source interface name
  • sip —The source IP address
  • sport —The source port
  • dest_ifc —The destination interface name
  • dip —The destination IP address
  • dport —The destination port
  • action —The action taken: reset connection, dropped connection, or received
  • class_map_id —The matched class-map ID
  • class_map_name —The matched class-map name

Recommended Action None required.

730001

Error Message %ASA-7-730001 Group groupname , User username , IP ipaddr : VLAN MAPPING to VLAN vlanid

Explanation VLAN mapping succeeded.

  • groupname —The group name
  • username —The username
  • ipaddr —The IP address of this session
  • vlanid — The VLAN ID that is used for the VLAN mapping session

Recommended Action None required.

730002

Error Message %ASA-7-730002 Group groupname , User username , IP ipaddr : VLAN MAPPING to VLAN vlanid failed

Explanation VLAN mapping failed.

  • groupname —The group name
  • username —The username
  • ipaddr —The IP address of this session
  • vlanid — The VLAN ID that is used for the VLAN mapping session

Recommended Action Verify that all the VLAN mapping-related configurations are correct, and that the VLAN ID is valid.

730003

Error Message %ASA-7-730003: NACApp sets IP ipaddr VLAN to vlanid

Explanation ASA receives an SNMP set message from NACApp to set the new VLAN ID for the session.

  • ipaddr —The IP address of this session
  • vlanid — The VLAN ID that is used for the VLAN mapping session

Recommended Action None required.

730004

Error Message %ASA-6-730004: Group groupname User username IP ipaddr VLAN ID vlanid from AAA ignored.

Explanation The VLAN ID received from AAA is different from the current one in use, and it is ignored for the current session.

  • groupname —The group name
  • username —The username
  • ipaddr —The IP address of this session
  • vlanid — The VLAN ID that is used for the VLAN mapping session

Recommended Action If the newly received VLAN ID must be used, then the current session needs to be torn down. Otherwise, no action is required.

730005

Error Message %ASA-6-730005: Group groupname User username IP ipaddr VLAN ID vlanid from AAA is invalid.

Explanation The VLAN ID received from AAA is invalid.

  • groupname —The group name
  • username —The username
  • ipaddr —The IP address of this session
  • vlanid — The VLAN ID that is used for the VLAN mapping session

Recommended Action Verify that the VLAN ID configurations on the AAA server and ASA are both correct.

730006

Error Message %ASA-7-730006: Group groupname , User username , IP ipaddr : is on NACApp AUTH VLAN vlanid .

Explanation The session is under NACApp posture assessment.

  • groupname —The group name
  • username —The username
  • ipaddr —The IP address of this session
  • vlanid — The VLAN ID that is used for the VLAN mapping session

Recommended Action None required.

730007

Error Message %ASA-7-730007: Group groupname , User username , IP ipaddr : changed VLAN to < %s > ID vlanid

Explanation NACApp (Cisco NAC appliance) posture assessment is done with the session, and the VLAN is changed from AUTH VLAN to a new VLAN.

  • groupname —The group name
  • username —The username
  • ipaddr —The IP address of this session
  • %s —A string
  • vlanid — The VLAN ID that is used for the VLAN mapping session

Recommended Action None required.

730008

Error Message %ASA-6-730008: Group groupname, User username, IP ipaddr , VLAN MAPPING timeout waiting NACApp.

Explanation NACApp (Cisco NAC appliance) posture assessment takes longer than the timeout value configured.

  • groupname —The group name
  • username —The username
  • ipaddr —The IP address of this session

Recommended Action Check the status of the NACApp setup.

730009

Error Message %ASA-5-730009: Group groupname , User username, IP ipaddr , CAS casaddr , capacity exceeded, terminating connection.

Explanation The load capacity of the NACApp (Cisco NAC appliance) CAS is exceeded, and the new incoming session that uses it is terminating.

  • groupname —The group name
  • username —The username
  • ipaddr —The IP address of this session
  • casaddr —The IP Address of CAS (Clean Access Server)

Recommended Action Review and revise planning for how many groups, and which groups, are associated with the CAS to ensure that its load capacity is not exceeded.

730010

Error Message %ASA-7-730010: Group groupname , User username, IP ipaddr , VLAN Mapping is enabled on VLAN vlanid .

Explanation VLAN mapping is enabled in the session.

  • groupname —The group name
  • username —The username
  • ipaddr —The IP address of this session
  • vlanid —The VLAN ID that is used for the VLAN mapping session

Recommended Action None required.

731001

Error Message %ASA-6-731001: NAC policy added: name: policyname Type: policytype .

Explanation A new NAC-policy has been added to the ASA.

  • policyname —The NAC policy name
  • policytype —The type of NAC policy

Recommended Action None required.

731002

Error Message %ASA-6-731002: NAC policy deleted: name: policyname Type: policytype .

Explanation A NAC policy has been removed from the ASA.

  • policyname —The NAC policy name
  • policytype —The type of NAC policy

Recommended Action None required.

731003

Error Message %ASA-6-731003: nac-policy unused: name: policyname Type: policytype .

Explanation The NAC policy is unused because there is an existing NAC policy with the same name, but a different type.

  • policyname —The NAC policy name
  • policytype —The type of NAC policy

Recommended Action If the new NAC policy must be used, the existing NAC policy must be removed first. Otherwise, no action is required.

732001

Error Message %ASA-6-732001: Group groupname, User username, IP ipaddr, Fail to parse NAC-SETTINGS nac-settings-id , terminating connection.

Explanation The ASA cannot apply the NAC settings because no memory is available.

  • groupname —The group name
  • username —The username
  • ipaddr —The IP address of this session
  • nac-settings-id — The ID that is used for the NAC filter

Recommended Action Upgrade the ASA memory. Resolve any errors in the log before this problem occurs. If the problem persists, contact the Cisco TAC.

732002

Error Message %ASA-6-732002: Group groupname, User username, IP ipaddr, NAC-SETTINGS settingsid from AAA ignored, existing NAC-SETTINGS settingsid_inuse used instead.

Explanation The NAC settings ID cannot be applied because there is a different one for the session.

  • groupname —The group name
  • username —The username
  • ipaddr —The IP address of this session
  • settingsid — The settings ID, which should be a NAC policy name
  • settingsid_inuse — The NAC settings ID that is currently in use

Recommended Action If the new NAC settings ID must be applied, then all the active sessions that use it must be torn down first. Otherwise, no action is required.

732003

Error Message %ASA-6-732003: Group groupname, User username, IP ipaddr, NAC-SETTINGS nac-settings-id from AAA is invalid, terminating connection.

Explanation The NAC settings received from AAA are invalid.

  • groupname —The group name
  • username —The username
  • ipaddr —The IP address of this session
  • nac-settings-id — The ID that is used for the NAC filter

Recommended Action Verify that the NAC settings configurations on the AAA server and ASA are both correct.

733100

Error Message %ASA-4-733100: Object drop rate rate_ID exceeded. Current burst rate is rate_val per second, max configured rate is rate_val ; Current average rate is rate_val per second, max configured rate is rate_val ; Cumulative total count is total_cnt

Explanation The specified object in the message has exceeded the specified burst threshold rate or average threshold rate. The object can be a drop activity of a host, TCP/UDP port, IP protocol, or various drops caused by potential attacks. The ASA may be under attack.

  • Object —The general or particular source of a drop rate count, which might include the following:

- Firewall
- Bad pkts
- Rate limit
- DoS attck
- ACL drop
- Conn limit
- ICMP attk
- Scanning
- SYN attck
- Inspect
- Interface

(A citation of a particular interface object might take a number of forms. For example, you might see 80/HTTP , which would signify port 80, with the well-known protocol HTTP.)

  • rate_ID —The configured rate that is being exceeded. Most objects can be configured with up to three different rates for different intervals.
  • rate_val —A particular rate value.
  • total_cnt —The total count since the object was created or cleared.

The following three examples show how these variables occur:

For an interface drop caused by a CPU or bus limitation:

%ASA-4-733100: [Interface] drop rate 1 exceeded. Current burst rate is 1 per second, max configured rate is 8000; Current average rate is 2030 per second, max configured rate is 2000; Cumulative total count is 3930654.
 

For a scanning drop caused by potential attacks:

%ASA-4-733100: [Scanning] drop rate-1 exceeded. Current burst rate is 10 per second_max configured rate is 10; Current average rate is 245 per second_max configured rate is 5; Cumulative total count is 147409 (35 instances received)
 

For bad packets caused by potential attacks:

%ASA-4-733100: [Bad pkts] drop rate 1 exceeded. Current burst rate is 0 per second, max configured rate is 400; Current average rate is 760 per second, max configured rate is 100; Cumulative total count is 1938933
 

Because of the scanning rate configured and the threat-detection rate scanning-rate 3600 average-rate 15 command:

%ASA-4-733100: [144.60.88.2] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 38086
 

Recommended Action Perform the following steps according to the specified object type that appears in the message:

1. If the object in the message is one of the following:

- Firewall
- Bad pkts
- Rate limit
- DoS attck
- ACL drop
- Conn limit
- ICMP attck
- Scanning
- SYN attck
- Inspect
- Interface

Check whether the drop rate is acceptable for the running environment.

2. Adjust the threshold rate of the particular drop to an appropriate value by using the threat-detection rate xxx command, where xxx is one of the following:

- acl-drop
- bad-packet-drop
- conn-limit-drop
- dos-drop
- fw-drop
- icmp-drop
- inspect-drop
- interface-drop
- scanning-threat
- syn-attack

3. If the object in the message is a TCP or UDP port, an IP address, or a host drop, check whether or not the drop rate is acceptable for the running environment.

4. Adjust the threshold rate of the particular drop to an appropriate value by using the threat-detection rate bad-packet-drop command.


Note If you do not want the drop rate exceed warning to appear, you can disable it by using the no threat-detection basic-threat command.


733101

Error Message %ASA-4-733101: Object objectIP (is targeted|is attacking). Current burst rate is rate_val per second, max configured rate is rate_val ; Current average rate is rate_val per second, max configured rate is rate_val ; Cumulative total count is total_cnt.

Explanation The ASA detected that a specific host (or several hosts in the same 1024-node subnet) is either scanning the network (attacking), or is being scanned (targeted).

  • object —Attacker or target (a specific host or several hosts in the same 1024-node subnet)
  • objectIP —The IP address of the scanning attacker or scanned target
  • rate_val —A particular rate value
  • total_cnt —The total count

The following two examples show how these variables occur:

%ASA-4-733101: Subnet 100.0.0.0 is targeted. Current burst rate is 200 per second, max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; Cumulative total count is 2028.
 
%ASA-4-733101: Host 175.0.0.1 is attacking. Current burst rate is 200 per second, max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; Cumulative total count is 2024

Recommended Action For the specific host or subnet, use the show threat-detection statistics host ip-address ip-mask command to check the overall situation and then adjust the threshold rate of the scanning threat to the appropriate value. After the appropriate value is determined, an optional action can be taken to shun those host attackers (not subnet attacker) by configuring the threat-detection scanning-threat shun-host command. You may specify certain hosts or object groups in the shun-host except list. For more information, see the CLI configuration guide. If scanning detection is not desirable, you can disable this feature by using the no threat-detection scanning command.
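Messages 733100 and 733101 share the same burst-rate and average-rate fields, so one parser can show which threshold a line actually crossed and sort events the way the two Recommended Action texts do. This is an added example, not Cisco code; the sample lines are the examples shown on this page, and treating "exceeded" as strictly greater than the configured maximum is an assumption of the example.

```python
import re

# Tail shared by 733100 and 733101: two current/max rate pairs and the total.
# "[,_ ]" accepts both "second, max" and the "second_max" form seen in the page's samples.
RATES = (
    r"Current burst rate is (?P<burst>\d+) per second[,_ ]\s*"
    r"max configured rate is (?P<burst_max>\d+)\s*;\s*"
    r"Current average rate is (?P<avg>\d+) per second[,_ ]\s*"
    r"max configured rate is (?P<avg_max>\d+)\s*;\s*"
    r"Cumulative total count is (?P<total>\d+)"
)
PATTERNS = {
    "733100": re.compile(
        r"ASA-4-733100: \[\s*(?P<object>[^\]]+?)\s*\] "
        r"drop rate[- ](?P<rate_id>\d+) exceeded\.\s*" + RATES),
    "733101": re.compile(
        r"ASA-4-733101: (?P<kind>Host|Subnet) (?P<object>\S+) "
        r"is (?P<role>targeted|attacking)\.\s*" + RATES),
}
NUMERIC = ("rate_id", "burst", "burst_max", "avg", "avg_max", "total")

# Sample lines taken from the examples on this page.
PAGE_SAMPLES = [
    "%ASA-4-733100: [Interface] drop rate 1 exceeded. Current burst rate is 1 per second, max configured rate is 8000; Current average rate is 2030 per second, max configured rate is 2000; Cumulative total count is 3930654.",
    "ASA-4-733100: [Scanning] drop rate-1 exceeded. Current burst rate is 10 per second_max configured rate is 10; Current average rate is 245 per second_max configured rate is 5; Cumulative total count is 147409 (35 instances received)",
    "%ASA-4-733100: [Bad pkts] drop rate 1 exceeded. Current burst rate is 0 per second, max configured rate is 400; Current average rate is 760 per second, max configured rate is 100; Cumulative total count is 1938933",
    "%ASA-4-733100: [144.60.88.2] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 38086",
    "%ASA-4-733101: Subnet 100.0.0.0 is targeted. Current burst rate is 200 per second, max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; Cumulative total count is 2028.",
    "%ASA-4-733101: Host 175.0.0.1 is attacking. Current burst rate is 200 per second, max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; Cumulative total count is 2024",
]


def parse_threat_event(line):
    """Return a dict for a 733100 or 733101 line, or None for any other line."""
    for msg_id, rx in PATTERNS.items():
        m = rx.search(line)
        if m is None:
            continue
        ev = {"msg_id": msg_id, **m.groupdict()}
        for key in NUMERIC:
            if key in ev:
                ev[key] = int(ev[key])
        # Assumption: a threshold counts as exceeded when current > configured maximum.
        ev["exceeded"] = [name for name, cur, cap in (
            ("burst", ev["burst"], ev["burst_max"]),
            ("average", ev["avg"], ev["avg_max"])) if cur > cap]
        return ev
    return None


def triage(lines):
    """Sort events into the buckets the Recommended Action sections describe."""
    report = {"threshold_hits": [], "attacking_hosts": [], "other_scan_reports": []}
    for line in lines:
        ev = parse_threat_event(line)
        if ev is None:
            continue
        if ev["msg_id"] == "733100":
            # Candidates for checking the drop rate and tuning threat-detection rate.
            report["threshold_hits"].append((ev["object"], ev["rate_id"], ev["exceeded"]))
        elif ev["kind"] == "Host" and ev["role"] == "attacking":
            # Only host attackers (not subnets) are eligible for shun-host review.
            report["attacking_hosts"].append(ev["object"])
        else:
            report["other_scan_reports"].append((ev["kind"], ev["object"], ev["role"]))
    return report


if __name__ == "__main__":
    for bucket, items in triage(PAGE_SAMPLES).items():
        print(bucket, items)
```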

733102

Error Message %ASA-4-733102:Threat-detection adds host %I to shun list

Explanation A host has been shunned by the threat detection engine. When the threat-detection scanning-threat shun command is configured, the attacking hosts will be shunned by the threat detection engine.

  • %I —A particular hostname

The following message shows how this command was implemented:

%ASA-4-733102: Threat-detection add host 11.1.1.40 to shun list

Recommended Action To investigate whether the shunned host is an actual attacker, use the threat-detection statistics host ip-address command. If the shunned host is not an attacker, you can remove the shunned host from the threat detection engine by using the clear threat-detection shun ip address command. To remove all shunned hosts from the threat detection engine, use the clear shun command.

If you receive this message because an inappropriate threshold rate has been set to trigger the threat detection engine, then adjust the threshold rate by using the threat-detection rate scanning-threat rate-interval x average-rate y burst-rate z command.

733103

Error Message %ASA-4-733103: Threat-detection removes host %I from shun list

Explanation A host has been shunned by the threat detection engine. When you use the clear threat-detection shun command, the specified host will be removed from the shunned list.

  • %I —A particular hostname

The following message shows how this command is implemented:

%ASA-4-733103: Threat-detection removes host 11.1.1.40 from shun list

Recommended Action None required.

733104

Error Message %ASA-4-733104: TD_SYSLOG_TCP_INTERCEPT_AVERAGE_RATE_EXCEED

Explanation The ASA is under a SYN flood attack and is protected by the TCP intercept mechanism. This message is generated if the average rate for intercepted attacks exceeds the configured threshold. The message shows which server is under attack and where the attacks are coming from.

Recommended Action Write an ACL to filter out the attacks.

733105

Error Message %ASA-4-733105: TD_SYSLOG_TCP_INTERCEPT_BURST_RATE_EXCEED

Explanation The ASA is under a SYN flood attack and is protected by the TCP intercept mechanism. This message is generated if the burst rate for intercepted attacks exceeds the configured threshold. The message shows which server is under attack and where the attacks are coming from.

Recommended Action Write an ACL to filter out the attacks.

734001

Error Message %ASA-6-734001: DAP: User user, Addr ipaddr , Connection connection : The following DAP records were selected for this connection: DAP record names

Explanation The DAP records that were selected for the connection are listed.

  • user —The authenticated username
  • ipaddr —The IP address of the remote client
  • connection —The type of client connection, which can be one of the following:

- IPsec
- AnyConnect
- Clientless (web browser)
- Cut-Through-Proxy
- L2TP

  • DAP record names —The comma-separated list of the DAP record names

Recommended Action None required.

734002

Error Message %ASA-5-734002: DAP: User user, Addr ipaddr : Connection terrminated by the following DAP records: DAP record names

Explanation The DAP records that terminated the connection are listed.

  • user —The authenticated username
  • ipaddr —The IP address of the remote client
  • DAP record names —The comma-separated list of the DAP record names

Recommended Action None required.

734003

Error Message %ASA-7-734003: DAP: User name , Addr ipaddr : Session Attribute: attr name/value

Explanation The AAA and endpoint session attributes that are associated with the connection are listed.

  • user —The authenticated username
  • ipaddr —The IP address of the remote client
  • attr/value —The AAA or endpoint attribute name and value

Recommended Action None required.

734004

Error Message %ASA-3-734004: DAP: Processing error: error string

Explanation A DAP processing error occurred.

  • number —The internal error string

Recommended Action Provide the Cisco TAC with the message and information about the conditions that generated the error.

734005

Error Message %ASA-6-734005: DAP: User user , Addr ip : Administrative Message: custom message

Explanation DAP CheckAndMsg is configured to generate a custom message that is configured by the ASA administrator.

  • user —The username being used for the connection
  • ip —The IP address of the endpoint
  • custom message —The custom message configured in CheckAndMsg

Recommended Action None required.

735001

Error Message %ASA-1-735001 IPMI: Cooling Fan var1 : OK

Explanation A cooling fan has been restored to normal operation.

  • var1 —The device number markings

Recommended Action None required.

735002

Error Message %ASA-1-735002 IPMI: Cooling Fan var1 : Failure Detected

Explanation A cooling fan has failed.

  • var1 —The device number markings

Recommended Action Perform the following steps:

1. Check for obstructions that would prevent the fan from rotating.

2. Replace the cooling fan.

3. If the problem persists, record the message as it appears and contact the Cisco TAC.

735003

Error Message %ASA-1-735003 IPMI: Power Supply var1 : OK

Explanation A power supply has been restored to normal operation.

  • var1 —The device number markings

Recommended Action None required.

735004

Error Message %ASA-1-735004 IPMI: Power Supply var1 : Failure Detected

Explanation AC power has been lost, or the power supply has failed.

  • var1 —The device number markings

Recommended Action Perform the following steps:

1. Check for AC power failure.

2. Replace the power supply.

3. If the problem persists, record the message as it appears and contact the Cisco TAC.

735005

Error Message %ASA-1-735005 IPMI: Power Supply Unit Redundancy OK

Explanation Power supply unit redundancy has been restored.

Recommended Action None required.

735006

Error Message %ASA-1-735006 IPMI: Power Supply Unit Redundancy Lost

Explanation A power supply failure occurred. Power supply unit redundancy has been lost, but the ASA is functioning normally with minimum resources. Any further failures will result in an ASA shutdown.

Recommended Action To regain full redundancy, perform the following steps:

1. Check for AC power failure.

2. Replace the power supply.

3. If the problem persists, record the message as it appears and contact the Cisco TAC.

735007

Error Message %ASA-1-735007 IPMI: CPU var1 : Temp: var2 var3 , Critical

Explanation The CPU has reached a critical temperature.

  • var1 —The device number markings
  • var2 —The temperature value
  • var3 —Temperature value units (C, F)

Recommended Action Record the message as it appears and contact the Cisco TAC.

735008

Error Message %ASA-1-735008 IPMI: Chassis Ambient var1 : Temp: var2 var3 , Critical

Explanation A chassis ambient temperature sensor has reached a critical level.

  • var1 —The device number markings
  • var2 —The temperature value
  • var3 —Temperature value units (C, F)

Recommended Action Record the message as it appears and contact the Cisco TAC.

735009

Error Message %ASA-2-735009: IPMI: Environment Monitoring has failed initialization and configuration. Environment Monitoring is not running.

Explanation Environment monitoring has experienced a fatal error during initialization and was unable to continue.

Recommended Action Collect the output of the show environment and debug ipmi commands. Record the message as it appears and contact the Cisco TAC.

735010

Error Message %ASA-3-735010: IPMI: Environment Monitoring has failed to update one or more of its records.

Explanation Environment monitoring has experienced an error that temporarily prevented it from updating one or more of its records.

Recommended Action If this message appears repeatedly, collect the output from the show environment driver and debug ipmi commands. Record the message as it appears and contact the Cisco TAC.

735011

Error Message %ASA-1-735011: Power Supply var1 : Fan OK

Explanation The power supply fan has returned to a working operating state.

  • var1 — Fan number

Recommended Action None required.

735012

Error Message %ASA-1-735012: Power Supply var1 : Fan Failure Detected

Explanation The power supply fan has failed.

  • var1 — Fan number

Recommended Action Contact Cisco TAC to troubleshoot the failure. Power down the unit until this failure is resolved.

735013

Error Message %ASA-1-735013: Voltage Channel var1 : Voltage OK

Explanation A voltage channel has returned to a normal operating level.

  • var1 — Voltage channel number

Recommended Action None required.

735014

Error Message %ASA-1-735014: Voltage Channel var1: Voltage Critical

Explanation A voltage channel has changed to a critical level.

  • var1 — Voltage channel number

Recommended Action Contact Cisco TAC to troubleshoot the failure. Power down the unit until this failure is resolved.

735015

Error Message %ASA-4-735015: CPU var1 : Temp: var2 var3 , Warm

Explanation The CPU temperature is warmer than the normal operating range.

  • var1 —CPU Number
  • var2 —Temperature Value
  • var3 —Units

Recommended Action Continue to monitor this component to ensure that it does not reach a critical temperature.

735016

Error Message %ASA-4-735016: Chassis Ambient var1 : Temp: var2 var3 , Warm

Explanation The chassis temperature is warmer than the normal operating range.

  • var1 —Chassis Sensor Number
  • var2 —Temperature Value
  • var3 —Units

Recommended Action Continue to monitor this component to ensure that it does not reach a critical temperature.

735017

Error Message %ASA-1-735017: Power Supply var1 : Temp: var2 var3 , OK

Explanation The power supply temperature has returned to a normal operating temperature.

  • var1 —Power Supply Number
  • var2 —Temperature Value
  • var3 —Units

Recommended Action None required.

735018

Error Message %ASA-4-735018: Power Supply var1 : Temp: var2 var3 , Critical

Explanation The power supply has reached a critical operating temperature.

  • var1 —Power Supply Number
  • var2 —Temperature Value
  • var3 —Units

Recommended Action Contact Cisco TAC to troubleshoot the failure. Power down the unit until this failure is resolved.

735019

Error Message %ASA-4-735019: Power Supply var1 : Temp: var2 var3 , Warm

Explanation The power supply temperature is warmer than the normal operating range.

  • var1 —Power Supply Number
  • var2 —Temperature Value
  • var3 —Units

Recommended Action Continue to monitor this component to ensure that it does not reach a critical temperature.

735020

Error Message %ASA-1-735020: CPU var1: Temp: var2 var3 OK

Explanation The CPU temperature has returned to the normal operating temperature.

  • var1 —CPU Number
  • var2 —Temperature Value
  • var3 —Units

Recommended Action None required.

735021

Error Message %ASA-1-735021: Chassis var1: Temp: var2 var3 OK

Explanation The chassis temperature has returned to the normal operating temperature.

  • var1 —Chassis Sensor Number
  • var2 —Temperature Value
  • var3 —Units

Recommended Action None required.

735022

Error Message %ASA-1-735022: CPU# is running beyond the max thermal operating temperature and the device will be shutting down immediately to prevent permanent damage to the CPU.

Explanation The ASA has detected a CPU running beyond the maximum thermal operating temperature, and will shut down immediately after detection.

Recommended Action The chassis and CPU need to be inspected immediately for ventilation issues.

735023

Error Message %ASA-2-735023: ASA was previously shutdown due to the CPU complex running beyond the maximum thermal operating temperature. The chassis needs to be inspected immediately for ventilation issues.

Explanation At boot time, the ASA detected a shutdown that occurred because a CPU was running beyond the maximum safe operating temperature. Using the show environment command will indicate that this event has occurred.

Recommended Action The chassis needs to be inspected immediately for ventilation issues.

735024

Error Message %ASA-1-735024: IO Hub var1 : Temp: var2 var3 , OK

Explanation The IO hub temperature has returned to the normal operating temperature.

  • var1 —IO hub number
  • var2 —Temperature value
  • var3 —Units

Recommended Action None required.

735025

Error Message %ASA-1-735025: IO Hub var1 : Temp: var2 var3 , Critical

Explanation The IO hub has reached a critical temperature.

  • var1 —IO hub number
  • var2 —Temperature value
  • var3 —Units

Recommended Action Record the message as it appears and contact the Cisco TAC.

735026

Error Message %ASA-4-735026: IO Hub var1 : Temp: var2 var3 , Warm

Explanation The IO hub temperature is warmer than the normal operating range.

  • var1 —IO hub number
  • var2 —Temperature value
  • var3 —Units

Recommended Action Continue to monitor this component to ensure that it does not reach a critical temperature.

735027

Error Message %ASA-1-735027: CPU cpu_num Voltage Regulator is running beyond the max thermal operating temperature and the device will be shutting down immediately. The chassis and CPU need to be inspected immediately for ventilation issues.

Explanation The ASA has detected a CPU voltage regulator running beyond the maximum thermal operating temperature, and shuts down immediately after detection.

  • cpu_num —The number to identify which CPU voltage regulator experienced the thermal event

Recommended Action The chassis and CPU need to be inspected immediately for ventilation issues.

735028

Error Message %ASA-2-735028: ASA was previously shutdown due to a CPU Voltage Regulator running beyond the max thermal operating temperature. The chassis and CPU need to be inspected immediately for ventilation issues.

Explanation At boot time, the ASA detected a shutdown that occurred because of a CPU voltage regulator running beyond the maximum safe operating temperature. Enter the show environment command to confirm that this event has occurred.

Recommended Action The chassis and CPU need to be inspected immediately for ventilation issues.

735029

Error Message %ASA-1-735029: IO Hub is running beyond the max thermal operating temperature and the device will be shutting down immediately to prevent permanent damage to the circuit.

Explanation The ASA has detected that the IO hub is running beyond the maximum thermal operating temperature, and will shut down immediately after detection.

Recommended Action The chassis and IO hub need to be inspected immediately for ventilation issues.
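The 735xxx entries above pair each failure or temperature message with a recovery message, and several recoveries (735001, 735020) are listed at severity 1 while the power supply critical temperature message (735018) is listed at severity 4, so severity alone does not give current hardware state. The following is an added example, not Cisco code: a small tracker that derives per-sensor state from message IDs. The sample lines, hostname, and sensor labels such as "psu-temp" are constructed for illustration.

```python
import re

# Header as printed in this chapter: "%ASA-<severity>-<id>". The colon after
# the ID is optional because 735001-735008 are listed without one.
HEADER = re.compile(r"%ASA-(\d)-(\d{6}):?\s+(.*)$")

# message ID -> (sensor kind, label that precedes var1 in the text, state)
# Sensor kinds are labels chosen for this example; IDs and states follow the page.
SENSORS = {
    "735001": ("fan", "Cooling Fan", "ok"),
    "735002": ("fan", "Cooling Fan", "failed"),
    "735003": ("psu", "Power Supply", "ok"),
    "735004": ("psu", "Power Supply", "failed"),
    "735005": ("psu-redundancy", None, "ok"),
    "735006": ("psu-redundancy", None, "lost"),
    "735007": ("cpu-temp", "CPU", "critical"),
    "735008": ("chassis-temp", "Chassis Ambient", "critical"),
    "735011": ("psu-fan", "Power Supply", "ok"),
    "735012": ("psu-fan", "Power Supply", "failed"),
    "735013": ("voltage", "Voltage Channel", "ok"),
    "735014": ("voltage", "Voltage Channel", "critical"),
    "735015": ("cpu-temp", "CPU", "warm"),
    "735016": ("chassis-temp", "Chassis Ambient", "warm"),
    "735017": ("psu-temp", "Power Supply", "ok"),
    "735018": ("psu-temp", "Power Supply", "critical"),
    "735019": ("psu-temp", "Power Supply", "warm"),
    "735020": ("cpu-temp", "CPU", "ok"),
    "735021": ("chassis-temp", "Chassis", "ok"),
    "735024": ("io-hub-temp", "IO Hub", "ok"),
    "735025": ("io-hub-temp", "IO Hub", "critical"),
    "735026": ("io-hub-temp", "IO Hub", "warm"),
}


def parse(line):
    """Return an event dict for a 735xxx sensor message, or None."""
    m = HEADER.search(line)
    if not m or m.group(2) not in SENSORS:
        return None
    severity, msg_id, text = m.groups()
    kind, label, state = SENSORS[msg_id]
    instance = ""
    if label is not None:
        text = re.sub(r"^IPMI:\s*", "", text)
        hit = re.match(re.escape(label) + r"\s+(\S+?)\s*:", text)
        if not hit:
            return None  # text does not follow the documented template
        instance = hit.group(1)
    return {"severity": int(severity), "id": msg_id,
            "sensor": (kind, instance), "state": state}


def track(lines):
    """Replay lines in order and keep the latest state of every sensor."""
    state = {}
    for line in lines:
        event = parse(line)
        if event:
            state[event["sensor"]] = event["state"]
    return state


def open_faults(state):
    """Sensors whose latest state is anything other than ok."""
    return sorted((k, i, s) for (k, i), s in state.items() if s != "ok")


def severity_mismatches(lines):
    """IDs whose severity would mislead a severity-only alert rule."""
    out = []
    for event in filter(None, map(parse, lines)):
        recovered_but_loud = event["state"] == "ok" and event["severity"] <= 2
        broken_but_quiet = (event["state"] in ("critical", "failed", "lost")
                            and event["severity"] >= 4)
        if recovered_but_loud or broken_but_quiet:
            out.append(event["id"])
    return out


# Constructed sample lines that follow the message templates on this page.
SAMPLE = [
    "Jan 10 03:12:01 fw1 %ASA-1-735002 IPMI: Cooling Fan 2 : Failure Detected",
    "Jan 10 03:12:05 fw1 %ASA-4-735015: CPU 1 : Temp: 82 C , Warm",
    "Jan 10 03:13:40 fw1 %ASA-1-735007 IPMI: CPU 1 : Temp: 97 C , Critical",
    "Jan 10 03:20:11 fw1 %ASA-1-735001 IPMI: Cooling Fan 2 : OK",
    "Jan 10 03:25:00 fw1 %ASA-1-735006 IPMI: Power Supply Unit Redundancy Lost",
    "Jan 10 03:31:02 fw1 %ASA-1-735020: CPU 1: Temp: 61 C OK",
    "Jan 10 03:40:00 fw1 %ASA-4-735018: Power Supply 1 : Temp: 88 C , Critical",
    "Jan 10 03:41:00 fw1 %ASA-6-737026: IPAA: Client assigned 192.0.2.10 from local pool",
]

if __name__ == "__main__":
    for fault in open_faults(track(SAMPLE)):
        print(fault)
    print(severity_mismatches(SAMPLE))
```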

736001

Error Message %ASA-2-736001: Unable to allocate enough memory at boot for jumbo-frame reservation. Jumbo-frame support has been disabled.

Explanation Insufficient memory has been detected when jumbo frame support was being configured. As a result, jumbo-frame support was disabled.

Recommended Action Try reenabling jumbo frame support using the jumbo-frame reservation command. Save the running configuration and reboot the ASA. If the problem persists, contact the Cisco TAC.

737001

Error Message %ASA-7-737001: IPAA: Received message message-type

Explanation The IP address assignment process received a message.

  • message-type —The message received by the IP address assignment process

Recommended Action None required.

737002

Error Message %ASA-3-737002: IPAA: Received unknown message num variables

Explanation The IP address assignment process received a message.

  • num —The identifier of the message received by the IP address assignment process

Recommended Action None required.

737003

Error Message %ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group tunnel-group

Explanation The DHCP server configuration for the given tunnel group is not valid.

  • tunnel-group —The tunnel group that IP address assignment is using for configuration

Recommended Action Validate the DHCP configuration for the tunnel group. Make sure that the DHCP server is online.

737004

Error Message %ASA-5-737004: IPAA: DHCP configured, request failed for tunnel-group 'tunnel-group'

Explanation The DHCP server configuration for the given tunnel group is not valid.

  • tunnel-group —The tunnel group that IP address assignment is using for configuration

Recommended Action Validate the DHCP configuration for the tunnel group. Make sure that the DHCP server is online.

737005

Error Message %ASA-6-737005: IPAA: DHCP configured, request succeeded for tunnel-group tunnel-group

Explanation The DHCP server request has succeeded.

  • tunnel-group —The tunnel group that IP address assignment is using for configuration

Recommended Action None required.

737006

Error Message %ASA-6-737006: IPAA: Local pool request succeeded for tunnel-group tunnel-group

Explanation The local pool request has succeeded.

  • tunnel-group —The tunnel group that IP address assignment is using for configuration

Recommended Action None required.

737007

Error Message %ASA-5-737007: IPAA: Local pool request failed for tunnel-group tunnel-group

Explanation The local pool request has failed. The pool assigned to the tunnel group may be exhausted.

  • tunnel-group —The tunnel group that IP address assignment is using for configuration

Recommended Action Validate the IP local pool configuration by using the show ip local pool command.

737008

Error Message %ASA-5-737008: IPAA: 'tunnel-group' not found

Explanation The tunnel group was not found when trying to acquire an IP address for configuration. A software defect may cause this message to be generated.

  • tunnel-group —The tunnel group that IP address assignment is using for configuration

Recommended Action Check the tunnel group configuration. Contact the Cisco TAC and report the issue.

737009

Error Message %ASA-6-737009: IPAA: AAA assigned address ip-address , request failed

Explanation The remote access client software requested the use of a particular address. The request to the AAA server to use this address failed. The address may be in use.

  • ip-address —The IPv4 or IPv6 address that the client requested

Recommended Action Check the AAA server status and the status of IP local pools.

737010

Error Message %ASA-6-737010: IPAA: AAA assigned address ip-address , request succeeded

Explanation The remote access client software requested the use of a particular address and successfully received this address.

  • ip-address —The IPv4 or IPv6 address that the client requested

Recommended Action None required.

737011

Error Message %ASA-5-737011: IPAA: AAA assigned ip-address , not permitted, retrying

Explanation The remote access client software requested the use of a particular address. The vpn-addr-assign aaa command is not configured. An alternatively configured address assignment method will be used.

  • ip-address —The IPv4 or IPv6 address that the client requested

Recommended Action If you want to permit clients to specify their own address, enable the vpn-addr-assign aaa command.

737012

Error Message %ASA-4-737012: IPAA: Address assignment failed

Explanation The remote access client software request for a particular address failed.

  • ip-address —The IP address that the client requested

Recommended Action If using IP local pools, validate the local pool configuration. If using AAA, validate the configuration and status of the AAA server. If using DHCP, validate the configuration and status of the DHCP server. Increase the logging level (use notification or informational) to obtain additional messages to identify the reason for the failure.

737013

Error Message %ASA-4-737013: IPAA: Error freeing address ip-address , not found

Explanation The ASA tried to free an address, but it was not on the allocated list because of a recent configuration change.

  • ip-address —The IPv4 or IPv6 address to be released

Recommended Action Validate your address assignment configuration. If this message recurs, it might be due to a software defect. Contact the Cisco TAC and report the issue.

737014

Error Message %ASA-6-737014: IPAA: Freeing AAA address ip-address

Explanation The ASA successfully released the IP address assigned through AAA.

  • ip-address —The IPv4 or IPv6 address to be released

Recommended Action None required.

737015

Error Message %ASA-6-737015: IPAA: Freeing DHCP address ip-address

Explanation The ASA successfully released the IP address assigned through DHCP.

  • ip-address —The IP address to be released

Recommended Action None required.

737016

Error Message %ASA-6-737016: IPAA: Freeing local pool address ip-address

Explanation The ASA successfully released the IP address assigned through local pools.

  • ip-address —The IPv4 or IPv6 address to be released

Recommended Action None required.

737017

Error Message %ASA-6-737017: IPAA: DHCP request attempt num succeeded

Explanation The ASA successfully sent a request to a DHCP server.

  • num —The attempt number

Recommended Action None required.

737018

Error Message %ASA-5-737018: IPAA: DHCP request attempt num failed

Explanation The ASA failed to send a request to a DHCP server.

  • num —The attempt number

Recommended Action Validate the DHCP configuration and connectivity to the DHCP server.

737019

Error Message %ASA-4-737019: IPAA: Unable to get address from group-policy or tunnel-group local pools

Explanation The ASA failed to acquire an address from the local pools configured on the group policy or tunnel group. The local pools may be exhausted.

Recommended Action Validate the local pool configuration and status. Validate the group policy and tunnel group configuration of local pools.

737023

Error Message %ASA-5-737023: IPAA: Unable to allocate memory to store local pool address ip-address

Explanation The ASA is low on memory.

  • ip-address —The IP address that was acquired

Recommended Action The ASA may be overloaded and need more memory, or there may be a memory leak caused by a software defect. Contact the Cisco TAC and report the issue.

737024

Error Message %ASA-5-737024: IPAA : Client requested address ip-address , already in use, retrying

Explanation The client requested an IP address that is already in use. The request will be tried using a new IP address.

  • ip-address —The IP address that the client requested

Recommended Action None required.

737025

Error Message %ASA-5-737025: IPAA: Duplicate local pool address found, ip-address in quarantine

Explanation The IP address that was to be given to the client is already in use. The IP address has been removed from the pool and will not be reused.

  • ip-address —The IP address that was acquired

Recommended Action Validate the local pool configuration; there may be an overlap caused by a software defect. Contact the Cisco TAC and report the issue.

737026

Error Message %ASA-6-737026: IPAA: Client assigned ip-address from local pool

Explanation The client has been assigned the given address from a local pool.

  • ip-address —The IP address that was assigned to the client

Recommended Action None required.

737027

Error Message %ASA-3-737027: IPAA: No data for address request

Explanation A software defect has been found.

Recommended Action Contact the Cisco TAC and report the issue.

737028

Error Message %ASA-4-737028: IPAA: Unable to send ip-address to standby: communication failure

Explanation The active ASA was unable to communicate with the standby ASA. The failover pair may be out-of-sync.

  • ip-address —The IP address that was assigned to the client

Recommended Action Validate the failover configuration and status.

737029

Error Message %ASA-6-737029: IPAA: Added ip-address to standby

Explanation The standby ASA accepted the IP address assignment.

  • ip-address —The IP address that was assigned to the client

Recommended Action None required.

737030

Error Message %ASA-4-737030: IPAA: Unable to send ip-address to standby: address in use

Explanation The standby ASA has the given address already in use when the active ASA attempted to acquire it. The failover pair may be out-of-sync.

  • ip-address —The IP address that was assigned to the client

Recommended Action Validate the failover configuration and status.

737031

Error Message %ASA-6-737031: IPAA: Removed ip-address from standby

Explanation The standby ASA cleared the IP address assignment.

  • ip-address —The IP address that was assigned to the client

Recommended Action None required.

737032

Error Message %ASA-4-737032: IPAA: Unable to remove ip-address from standby: address not found

Explanation The standby ASA did not have an IP address in use when the active ASA attempted to release it. The failover pair may be out-of-sync.

  • ip-address —The IP address that was assigned to the client

Recommended Action Validate the failover configuration and status.

737033

Error Message %ASA-4-737033: IPAA: Unable to assign addr_allocator provided IP address ip_addr to client. This IP address has already been assigned by previous_addr_allocator

Explanation The address assigned by the AAA/DHCP/local pool is already in use.

  • addr_allocator —The DHCP/AAA/local pool
  • ip_addr —The IP address allocated by the DHCP/AAA/local pool
  • previous_addr_allocator —The address allocator that already assigned the IP address (local pool, AAA, or DHCP)

Recommended Action Validate the AAA/DHCP/local pool address configurations. Overlap may occur.

741000

Error Message %ASA-6-741000: Coredump filesystem image created on variable 1 -size variable 2 MB

Explanation A core dump file system was successfully created. The file system is used to manage core dumps by capping the amount of disk space that core dumps may use.

  • variable 1 —The file system on which the core dumps are placed (for example, disk0:, disk1:, and flash:)
  • variable 2 —The size of the created core dump file system in MB

Recommended Action Make sure that you save your configuration after creating the core dump file system.

741001

Error Message %ASA-6-741001: Coredump filesystem image on variable 1 - resized from variable 2 MB to variable 3 MB

Explanation The core dump file system has been successfully resized.

  • variable 1 —The file system on which the core dumps are placed
  • variable 2 —The size of the previous core dump file system in MB
  • variable 3 —The size of the current, newly resized core dump file system in MB

Recommended Action Make sure that you save your configuration after resizing the core dump file system. Resizing the core dump file system deletes the contents of the existing core dump file system. As a result, make sure that you archive any information before you resize the core dump file system.

741002

Error Message %ASA-6-741002: Coredump log and filesystem contents cleared on variable 1

Explanation All core dumps have been deleted from the core dump file system, and the core dump log has been cleared. The core dump file system and coredump log are always synchronized with each other.

  • variable 1 —The file system on which the core dumps are placed (for example, disk0:, disk1:, and flash:)

Recommended Action None required. You can clear the core dump file system to reset it to a known state using the clear coredump command.

741003

Error Message %ASA-6-741003: Coredump filesystem and its contents removed on variable 1

Explanation The core dump file system and its contents have been removed, and the core dump feature has been disabled.

  • variable 1 —The file system on which the core dumps are placed (for example, disk0:, disk1:, and flash:)

Recommended Action Make sure that you save your configuration after the core dump feature has been disabled.

741004

Error Message %ASA-6-741004: Coredump configuration reset to default values

Explanation The core dump configuration has been reset to its default value, which is disabled.

Recommended Action Make sure that you save your configuration after the core dump feature has been disabled.

741005

Error Message %ASA-4-741005: Coredump operation variable 1 failed with error variable 2 variable 3

Explanation An error occurred during the performance of a core dump-related operation.

  • variable 1 —This variable may have the following values:
      - CREATE_FSYS—An error occurred when creating the core dump file system.
      - CLEAR_LOG—An error occurred when clearing the core dump log.
      - DELETE_FSYS—An error occurred when deleting the core dump file system.
      - CLEAR_FSYS—An error occurred when removing the contents of the core dump file system.
      - MOUNT_FSYS—An error occurred when mounting the core dump file system.
  • variable 2 —The decimal number that provides additional information about the cause of the error specified in variable 1.
  • variable 3 —The descriptive ASCII string associated with variable 2. The ASCII string can have the following values:
      - coredump files already exist
      - unable to create coredump filesystem
      - unable to create loopback device
      - filesystem type not supported
      - unable to delete the coredump filesystem
      - unable to delete loopback device
      - unable to unmount coredump filesystem
      - unable to mount coredump filesystem
      - unable to mount loopback device
      - unable to clear coredump filesystem
      - coredump filesystem not found
      - requested coredump filesystem too big
      - coredump operation aborted by administrator
      - coredump command execution failed
      - coredump IFS error encountered
      - coredump, unidentified error encountered

Recommended Action Make sure that the core dump feature is disabled in the configuration, and send the message to the Cisco TAC for further analysis.

741006

Error Message %ASA-4-741006: Unable to write Coredump Helper configuration, reason variable 1

Explanation An error occurred when writing to the coredump helper configuration file. This error occurs only if disk0: is full. The configuration file is located in disk0:.coredumpinfo/coredump.cfg.

  • variable 1 —This variable includes a basic file system-related string that indicates why the writing of the core dump helper configuration file failed.

Recommended Action Disable the core dump feature, remove unneeded items from disk0:, and then reenable core dumps, if desired.

742001

Error Message %ASA-3-742001: failed to read master key for password encryption from persistent store

Explanation An attempt to read the master password encryption key from the nonvolatile memory after bootup failed. Encrypted passwords in the configuration are not decrypted unless the master key is set to the correct value using the key config-key password encryption command.

Recommended Action If there are encrypted passwords in the configuration that must be used, set the master key to the previous value used to encrypt the password using the key config-key password encryption command. If there are no encrypted passwords or they can be discarded, set a new master key. If password encryption is not used, no action is required.

742002

Error Message %ASA-3-742002: failed to set master key for password encryption

Explanation An attempt to read the key config-key password encryption command failed. The error may be caused by the following reasons:

  • Configuration from a nonsecure terminal (for example, over a Telnet connection) was made.
  • Failover is enabled, but it does not use an encrypted link.
  • Another user is setting the key at the same time.
  • When trying to change the key, the old key is incorrect.
  • The key is too small to be secure.

Other reasons for the error may be valid. In these cases, the actual error is printed in response to the command.

Recommended Action Correct the problem indicated in the command response.

742003

Error Message %ASA-3-742003: failed to save master key for password encryption, reason reason_text

Explanation An attempt to save the master key to nonvolatile memory failed. The actual reason is specified by the reason_text parameter. The reason can be an out-of-memory condition, or the nonvolatile store can be inconsistent.

Recommended Action If the problem persists, reformat the nonvolatile store that is used to save the key by using the write erase command. Before performing this step, make sure that you back up the out-of-the-box configuration. Then reenter the write erase command.

742004

Error Message %ASA-3-742004: failed to sync master key for password encryption, reason reason_text

Explanation An attempt to synchronize the master key to the peer failed. The actual reason is specified by the reason_text parameter.

Recommended Action Try to correct the problem specified in the reason_text parameter.

742005

Error Message %ASA-3-742005: cipher text enc_pass is not compatible with the configured master key or the cipher text has been tampered with

Explanation An attempt to decrypt a password failed. The password may have been encrypted using a master key that is different from the current master key, or the encrypted password has been changed from its original form.

Recommended Action If the correct master key is not being used, correct the problem. If the encrypted password has been modified, reapply the configuration in question with a new password.

742006

Error Message %ASA-3-742006: password decryption failed due to unavailable memory

Explanation An attempt to decrypt a password failed because no memory was available. Features using this password will not work as desired.

Recommended Action Correct the memory problem.

742007

Error Message %ASA-3-742007: password encryption failed due to unavailable memory

Explanation An attempt to encrypt a password failed because no memory was available. Passwords may be left in clear text form in the configuration.

Recommended Action Correct the memory problem, and reapply the configuration that failed password encryption.

742008

Error Message %ASA-3-742008: password enc_pass decryption failed due to decoding error

Explanation Password decryption failed because of decoding errors, which may occur if the encrypted password has been modified after being encrypted.

Recommended Action Reapply the configuration in question with a clear text password.

742009

Error Message %ASA-3-742009: password encryption failed due to decoding error

Explanation Password encryption failed because of decoding errors, which may be an internal software error.

Recommended Action Reapply the configuration in question with a clear text password. If the problem persists, contact the Cisco TAC.

742010

Error Message %ASA-3-742010: encrypted password enc_pass is not well formed

Explanation The encrypted password provided in the command is not well formed. The password may not be a valid, encrypted password, or it may have been modified since it was encrypted.

  • reason_text —A string that represents the actual cause of the failure
  • enc_pass —The encrypted password that is related to the issue

Recommended Action Reapply the configuration in question with a clear text password.
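Messages 742005, 742008, and 742010 embed the encrypted password (enc_pass) in the log text and say it may have been modified, while 742007 warns that passwords may be left in clear text in the configuration. The following is an added example, not Cisco code: it triages the 742xxx family and replaces enc_pass with a short hash before the line is forwarded, so repeated failures on the same cipher text can still be correlated. The category names, sample lines, and cipher text values are constructed for illustration.

```python
import hashlib
import re

# "%ASA-<severity>-<id>: <text>"; the colon is treated as optional.
HEADER = re.compile(r"%ASA-(\d)-(\d{6}):?\s+(.*)$")

# Category names are this example's own; the mapping follows the
# Explanation text of each 742xxx entry on this page.
CATEGORY = {
    "742001": "key-unavailable",         # master key could not be read at boot
    "742002": "key-change-failed",
    "742003": "key-change-failed",
    "742004": "key-sync-failed",
    "742005": "tamper-or-key-mismatch",  # wrong master key or modified cipher text
    "742006": "resource",
    "742007": "cleartext-risk",          # passwords may be left in clear text
    "742008": "possible-tamper",         # decoding error, possibly modified
    "742009": "internal-error",
    "742010": "possible-tamper",         # not well formed, possibly modified
}

# Categories that call for a configuration review rather than only a retry.
REVIEW = {"tamper-or-key-mismatch", "possible-tamper", "cleartext-risk"}

# Where enc_pass sits in each message template that carries it.
ENC_PASS = {
    "742005": re.compile(r"cipher text (\S+) is not compatible"),
    "742008": re.compile(r"password (\S+) decryption failed"),
    "742010": re.compile(r"encrypted password (\S+) is not well formed"),
}


def triage(lines):
    """Return one event per 742xxx line, with enc_pass redacted."""
    events = []
    for line in lines:
        m = HEADER.search(line)
        if not m or m.group(2) not in CATEGORY:
            continue
        severity, msg_id, text = m.groups()
        fingerprint = None
        pattern = ENC_PASS.get(msg_id)
        hit = pattern.search(text) if pattern else None
        if hit:
            digest = hashlib.sha256(hit.group(1).encode()).hexdigest()
            fingerprint = digest[:12]
            text = (text[:hit.start(1)] + "<enc_pass:" + fingerprint + ">"
                    + text[hit.end(1):])
        events.append({"id": msg_id, "severity": int(severity),
                       "category": CATEGORY[msg_id],
                       "fingerprint": fingerprint, "text": text})
    return events


def needs_review(events):
    """Events that point at modified cipher text or clear text exposure."""
    return [e for e in events if e["category"] in REVIEW]


# Constructed sample lines that follow the message templates on this page.
SAMPLE = [
    "Mar 02 09:00:01 fw1 %ASA-3-742005: cipher text CONSTRUCTED-CT-AAAA is not "
    "compatible with the configured master key or the cipher text has been tampered with",
    "Mar 02 09:00:02 fw1 %ASA-3-742010: encrypted password CONSTRUCTED-CT-BBBB is not well formed",
    "Mar 02 09:00:03 fw1 %ASA-3-742007: password encryption failed due to unavailable memory",
    "Mar 02 09:00:04 fw1 %ASA-3-742005: cipher text CONSTRUCTED-CT-AAAA is not "
    "compatible with the configured master key or the cipher text has been tampered with",
    "Mar 02 09:00:05 fw1 %ASA-3-742004: failed to sync master key for password "
    "encryption, reason constructed reason",
    "Mar 02 09:00:06 fw1 %ASA-6-737014: IPAA: Freeing AAA address 192.0.2.20",
]

if __name__ == "__main__":
    for event in needs_review(triage(SAMPLE)):
        print(event["id"], event["category"], event["text"])
```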

743000

Error Message %ASA-1-743000: The PCI device with vendor ID: vendor_id device ID: device_id located at bus:device.function bus_num:dev_num, func_num has a link link_attr_name of actual_link_attr_val when it should have a link link_attr_name of expected_link_attr_val .

Explanation A PCI device in the system is not configured correctly, which may result in the system not performing at its optimum level.

Recommended Action Collect the output of the show controller pci detail command, and contact the Cisco TAC.

743001

Error Message %ASA-1-743001: Backplane health monitoring detected link failure

Explanation A hardware failure has probably occurred and has been detected on one of the links between the ASA Services Module and the switch chassis.

Recommended Action Contact the Cisco TAC.

743002

Error Message %ASA-1-743002: Backplane health monitoring detected link OK

Explanation A link has been restored between the ASA Services Module and the switch chassis. However, the failure and subsequent recovery probably indicate a hardware failure.

Recommended Action Contact the Cisco TAC.

743004

Error Message %ASA-1-743004: System is not fully operational - PCI device with vendor ID vendor_id ( vendor_name ), device ID device_id ( device_name ) not found

Explanation A PCI device in the system that is needed for it to be fully operational was not found.

  • vendor_id —Hexadecimal value that identifies the device vendor
  • vendor_name —Text string that identifies the vendor name
  • device_id —Hexadecimal value that identifies the vendor device
  • device_name —Text string that identifies the device name

Recommended Action Collect the output of the show controller pci detail command and contact the Cisco TAC.

743010

Error Message %ASA-3-743010: EOBC RPC server failed to start for client module client name .

Explanation The service failed to start for a particular client of the EOBC RPC service on the server.

Recommended Action Call the Cisco TAC.

743011

Error Message %ASA-3-743011: EOBC RPC call failed, return code code string.

Explanation The EOBC RPC client failed to make an RPC to the intended server.

Recommended Action Call the Cisco TAC.

746001

Error Message %ASA-6-746001: user-identity: activated import user groups | activated host names | user-to-IP address databases download started

Explanation A database (user groups, hostnames, or IP addresses) download has started.

Recommended Action None required.

746002

Error Message %ASA-6-746002: user-identity: activated import user groups | activated host names | user-to-IP address databases download complete

Explanation A database (user groups, hostnames, or IP addresses) download has completed.

Recommended Action None required.

746003

Error Message %ASA-3-746003: user-identity: activated import user groups | activated host names | user-to-IP address databases download failed - reason

Explanation A database (user groups, hostnames, or IP addresses) download has failed because of a timeout.

Recommended Action Check the off-box AD agent status. If the AD agent is down, resolve that issue first. If the AD agent is up and running, try to download the database again. If the problem persists, contact the Cisco TAC.

746004

Error Message %ASA-4-746004: user identity: Total number of activated user groups exceeds the max_groups groups for this platform.

Explanation The total number of activated user groups exceeds the maximum number of 256 user groups for this platform.

Recommended Action Too many user groups have been configured and activated. Reduce the number of configured user groups. Run the clear user-identity user no-policy-activated command to release user records that have not been activated in any policy. Run the show user-identity user all command to check the total number of users in the database.

746005

Error Message %ASA-3-746005: user-identity: The AD Agent AD agent IP address cannot be reached - reason [ action ]

Explanation The ASA cannot reach the AD agent. There has been no response from the AD agent, or the RADIUS registration failed because the buffer was too small.

Recommended Action Check the network connection between the AD agent and the ASA. Try to reach another AD agent, if one is configured and available. If the problem persists, contact the Cisco TAC.

746006

Error Message %ASA-4-746006: user-identity: Out of sync with AD Agent, start bulk download

Explanation The AD agent cannot update the IP-user mapping events on the ASA and the AD agent event log overflows, which causes inconsistency between the AD agent and the ASA IP-user database.

Recommended Action None required. If this message persists, check the connection between the AD agent and the ASA.

746007

Error Message %ASA-5-746007: user-identity: NetBIOS response failed from User user_name at user_ip

Explanation No NetBIOS response was received for the number of retries made.

Recommended Action None required.

746008

Error Message %ASA-6-746008: user-identity: NetBIOS Probe Process started

Explanation The NetBIOS process has started.

Recommended Action None required.

746009

Error Message %ASA-6-746009: user-identity: NetBIOS Probe Process stopped

Explanation The NetBIOS process has stopped.

Recommended Action None required.

746010

Error Message %ASA-3-746010: user-identity: update import-user domain_name \\ group_name - Import Failed [ reason ]

Explanation Entering the user-identity update import-user username command failed to update a user element. Reasons for failure include the following: timeout, partial update, import aborted, group does not exist, or no reason given.

Recommended Action If the reason for failure does not exist, verify that the group name is correct in the policy. Otherwise, check the connectivity between the ASA and the AD server.

746011

Error Message %ASA-4-746011: Total number of users created exceeds the maximum number of max_users for this platform.

Explanation The AD group has more than the hard-coded maximum number (64000) of levels. Too many users have been configured in the activated policy.

Recommended Action Change your policies so that the number of configured users and users under configured groups does not exceed the limit.

746012

Error Message %ASA-5-746012: user-identity: Add IP-User mapping IP Address - domain_name \ user_name result - reason

Explanation A new user-IP mapping has been added to the user-to-IP address mapping database. The status of the operation (success or failure) is indicated. The success reason is VPN user. The failure reasons include the following: Maximum user limit reached and Duplicated address.

Recommended Action None required.

746013

Error Message %ASA-5-746013: user-identity: Delete IP-User mapping IP Address - domain_name \ user_name result - reason

Explanation A change has been made to the user-to-IP address mapping database. The status of the operation (success or failure) is indicated. The success reasons include the following: Inactive timeout, NetBIOS probing failed, PIP notification, VPN user logout, Cut-through-proxy user logout, and MAC address mismatch. The failure reason is PIP notification.

Recommended Action None required.
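The following is an added example, not part of the Cisco reference: it rebuilds the IP-user mapping timeline from messages 746012 and 746013 so that an IP address seen in another log can be attributed to a user at a given time. It assumes the result field is rendered as "Succeeded" or "Failed" and that the collector supplies a numeric timestamp per message; the sample records are constructed.

```python
import re
from collections import defaultdict

# Template from the reference:
#   Add|Delete IP-User mapping <ip> - <domain>\<user> <result> - <reason>
# Assumption: <result> is rendered as "Succeeded" or "Failed".
MAP_RE = re.compile(
    r"%ASA-5-(?P<id>746012|746013): user-identity: "
    r"(?P<op>Add|Delete) IP-User mapping "
    r"(?P<ip>\S+) - (?P<domain>[^\\\s]+)\s*\\\s*(?P<user>\S+) "
    r"(?P<result>Succeeded|Failed) - (?P<reason>.+)$"
)

# Constructed sample input: (collector timestamp in seconds, message text).
SAMPLE_RECORDS = [
    (100, r"%ASA-5-746012: user-identity: Add IP-User mapping 10.0.0.5 - CORP\alice Succeeded - VPN user"),
    (150, r"%ASA-5-746012: user-identity: Add IP-User mapping 10.0.0.5 - CORP\bob Failed - Duplicated address"),
    (300, r"%ASA-5-746013: user-identity: Delete IP-User mapping 10.0.0.5 - CORP\alice Succeeded - VPN user logout"),
    (400, r"%ASA-5-746012: user-identity: Add IP-User mapping 10.0.0.5 - CORP\bob Succeeded - VPN user"),
    (450, r"%ASA-5-746013: user-identity: Delete IP-User mapping 10.0.0.5 - CORP\bob Failed - PIP notification"),
]


def build_intervals(records):
    """Return {ip: [(start, end, user, close_reason), ...]} from 746012/746013.

    Failed operations do not change the database, so they are skipped.
    """
    open_map = {}                      # ip -> (start_ts, "domain\\user")
    intervals = defaultdict(list)
    for ts, line in sorted(records):
        m = MAP_RE.search(line)
        if not m or m["result"] != "Succeeded":
            continue
        ip = m["ip"]
        who = m["domain"] + "\\" + m["user"]
        if m["op"] == "Add":
            if ip in open_map:
                # An add without a logged delete (for example a lost syslog
                # datagram): close the previous mapping at this point.
                start, old = open_map[ip]
                intervals[ip].append((start, ts, old, "superseded"))
            open_map[ip] = (ts, who)
        elif ip in open_map and open_map[ip][1] == who:
            start, _ = open_map.pop(ip)
            intervals[ip].append((start, ts, who, m["reason"].strip()))
    for ip, (start, who) in open_map.items():
        intervals[ip].append((start, None, who, "still mapped"))
    return dict(intervals)


def user_at(intervals, ip, ts):
    """Return the user mapped to ip at time ts, or None if no mapping existed."""
    for start, end, who, _reason in intervals.get(ip, []):
        if start <= ts and (end is None or ts < end):
            return who
    return None


if __name__ == "__main__":
    timeline = build_intervals(SAMPLE_RECORDS)
    for ip, spans in timeline.items():
        for span in spans:
            print(ip, span)
    print(user_at(timeline, "10.0.0.5", 200))
```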

746014

Error Message %ASA-5-746014: user-identity: [FQDN] fqdn address IP Address obsolete.

Explanation A fully qualified domain name has become obsolete.

Recommended Action None required.

746015

Error Message %ASA-5-746015: user-identity: [FQDN] fqdn resolved IP address .

Explanation A fully qualified domain name lookup has succeeded.

Recommended Action None required.

746016

Error Message %ASA-3-746016: user-identity: DNS lookup failed, reason: reason

Explanation A DNS lookup has failed. Failure reasons include timeout, unresolvable, and no memory.

Recommended Action Verify that the FQDN is valid, and that the DNS server is reachable from the ASA. If the problem persists, contact the Cisco TAC.

746017

Error Message %ASA-6-746017: user-identity: Update import-user domain_name \\ group_name

Explanation The user-identity update import-user command has been issued.

Recommended Action None required.

746018

Error Message %ASA-6-746018: user-identity: Update import-user domain_name \\ group_name done

Explanation The user-identity update import-user command has been issued, and the import has been completed successfully.

Recommended Action None required.

746019

Error Message %ASA-3-746019: user-identity: Update | Remove AD Agent AD agent IP Address IP-user mapping user_IP - domain_name \ user_name failed

Explanation The ASA failed to update or remove an IP-user mapping on the AD agent.

Recommended Action Check the status of the AD agent and the connectivity between the ASA and the AD agent. If the problem persists, contact the Cisco TAC.

747001

Error Message %ASA-3-747001: Clustering: Recovered from state machine event queue depleted. Event ( event-id , ptr-in-hex , ptr-in-hex ) dropped. Current state state-name , stack ptr-in-hex , ptr-in-hex , ptr-in-hex , ptr-in-hex , ptr-in-hex , ptr-in-hex

Explanation The cluster FSM event queue is full, and a new event has been dropped.

Recommended Action None.

747002

Error Message %ASA-5-747002: Clustering: Recovered from state machine dropped event ( event-id , ptr-in-hex , ptr-in-hex ). Intended state: state-name . Current state: state-name .

Explanation The cluster FSM received an event that is incompatible with the current state.

Recommended Action None.

747003

Error Message %ASA-5-747003: Clustering: Recovered from state machine failure to process event ( event-id , ptr-in-hex , ptr-in-hex ) at state state-name .

Explanation The cluster FSM failed to process an event for all reasons given.

Recommended Action None.

747004

Error Message %ASA-6-747004: Clustering: state machine changed from state state-name to state-name .

Explanation The cluster FSM has progressed to a new state.

Recommended Action None.

747005

Error Message %ASA-7-747005: Clustering: State machine notify event event-name ( event-id , ptr-in-hex , ptr-in-hex )

Explanation The cluster FSM has notified clients about an event.

Recommended Action None.

747006

Error Message %ASA-7-747006: Clustering: State machine is at state state-name

Explanation The cluster FSM moved to a stable state; that is, Disabled, Slave, or Master.

Recommended Action None.

747007

Error Message %ASA-5-747007: Clustering: Recovered from finding stray config sync thread, stack ptr-in-hex , ptr-in-hex , ptr-in-hex , ptr-in-hex , ptr-in-hex , ptr-in-hex .

Explanation A stray configuration sync thread has been detected.

Recommended Action None.

747008

Error Message %ASA-4-747008: Clustering: New cluster member name with serial number serial-number-A rejected due to name conflict with existing unit with serial number serial-number-B .

Explanation The same unit name has been configured on multiple units.

Recommended Action None.

747009

Error Message %ASA-2-747009: Clustering: Fatal error due to failure to create RPC server for module module name .

Explanation The ASA failed to create an RPC server.

Recommended Action Disable clustering on this unit and try to re-enable it. Contact the Cisco TAC if the problem persists.

747010

Error Message %ASA-3-747010: Clustering: RPC call failed, message message-name , return code code-value .

Explanation An RPC call failure has occurred. The system tries to recover from the failure.

Recommended Action None.

747011

Error Message %ASA-2-747011: Clustering: Memory allocation error.

Explanation A memory allocation failure occurred in clustering.

Recommended Action Disable clustering on this unit and try to re-enable it. If the problem persists, check the memory usage on the ASA.

747012

Error Message %ASA-3-747012: Clustering: Failed to replicate global object id hex-id-value in domain domain-name to peer unit-name , continuing operation.

Explanation A global object ID replication failure has occurred.

Recommended Action None.

747013

Error Message %ASA-3-747013: Clustering: Failed to remove global object id hex-id-value in domain domain-name from peer unit-name , continuing operation.

Explanation A global object ID removal failure has occurred.

Recommended Action None.

747014

Error Message %ASA-3-747014: Clustering: Failed to install global object id hex-id-value in domain domain-name , continuing operation.

Explanation A global object ID installation failure has occurred.

Recommended Action None.

747015

Error Message %ASA-4-747015: Clustering: Forcing stray member unit-name to leave the cluster.

Explanation A stray cluster member has been found.

Recommended Action None.

747016

Error Message %ASA-4-747016: Clustering: Found a split cluster with both unit-name-A and unit-name-B as master units. Master role retained by unit-name-A , unit-name-B will leave, then join as a slave.

Explanation A split cluster has been found.

Recommended Action None.

747017

Error Message %ASA-4-747017: Clustering: Failed to enroll unit unit-name due to maximum member limit limit-value reached.

Explanation The ASA failed to enroll a new unit because the maximum member limit has been reached.

Recommended Action None.

747018

Error Message %ASA-3-747018: Clustering: State progression failed due to timeout in module module-name .

Explanation The cluster FSM progression has timed out.

Recommended Action None.

747019

Error Message %ASA-4-747019: Clustering: New cluster member name rejected due to Cluster Control Link IP subnet mismatch ( ip-address / ip-mask on new unit, ip-address / ip-mask on local unit).

Explanation The master unit found that a new joining unit has an incompatible cluster interface IP address.

Recommended Action None.

747020

Error Message %ASA-4-747020: Clustering: New cluster member unit-name rejected due to encryption license mismatch.

Explanation The master unit found that a new joining unit has an incompatible encryption license.

Recommended Action None.

747021

Error Message %ASA-3-747021: Clustering: Master unit unit-name is quitting due to interface health check failure on interface-name .

Explanation The master unit has disabled clustering because of an interface health check failure.

Recommended Action None.

747022

Error Message %ASA-3-747022: Clustering: Asking slave unit unit-name to quit because it failed interface health check x times, rejoin will be attempted after y min. Failed interface: interface-name .

Explanation This syslog message occurs when the maximum number of rejoin attempts has not been exceeded. A slave unit has disabled clustering because of an interface health check failure for the specified amount of time. This unit will re-enable itself automatically after the specified amount of time (ms).

Recommended Action None.

747023

Error Message %ASA-3-747023: Clustering: Master unit unit-name is quitting due to card name card health check failure, and master Security Service Card state is state-name .

Explanation The master unit has disabled clustering because of a Security Service Card health check failure.

Recommended Action None.

747024

Error Message %ASA-3-747024: Clustering: Asking slave unit unit-name to quit due to card name card health check failure, and its Security Service Card state is state-name .

Explanation A slave unit has disabled clustering because of a Security Service Card health check failure.

Recommended Action None.

747025

Error Message %ASA-4-747025: Clustering: New cluster member unit-name rejected due to firewall mode mismatch.

Explanation A master unit found a joining unit that has an incompatible firewall mode.

Recommended Action None.

747026

Error Message %ASA-4-747026: Clustering: New cluster member unit-name rejected due to cluster interface name mismatch ( ifc-name on new unit, ifc-name on local unit).

Explanation A master unit found a joining unit that has an incompatible cluster control link interface name.

Recommended Action None.

747027

Error Message %ASA-4-747027: Clustering: Failed to enroll unit unit-name due to insufficient size of cluster pool pool-name in context-name .

Explanation A master unit could not enroll a joining unit because of the size limit of the minimal cluster pool configured.

Recommended Action None.

747028

Error Message %ASA-4-747028: Clustering: New cluster member unit-name rejected due to interface mode mismatch ( mode-name on new unit, mode-name on local unit).

Explanation A master unit found a joining unit that has an incompatible interface-mode, either spanned or individual.

Recommended Action None.

747029

Error Message %ASA-4-747029: Clustering: Unit unit-name is quitting due to Cluster Control Link down.

Explanation A unit disabled clustering because of a cluster interface failure.

Recommended Action None.

747030

Error Message %ASA-3-747030: Clustering: Asking slave unit unit-name to quit because it failed interface health check x times (last failure on interface-name ), Clustering must be manually enabled on the unit to re-join.

Explanation An interface health check has failed and the maximum number of rejoin attempts has been exceeded. A slave unit has disabled clustering because of an interface health check failure.

Recommended Action None.

747031

Error Message %ASA-3-747031: Clustering: Platform mismatch between cluster master ( platform-type ) and joining unit unit-name ( platform-type ). unit-name aborting cluster join.

Explanation The joining unit's platform type does not match with that of the cluster master.

  • unit-name —Name of the unit in the cluster bootstrap
  • platform-type —Type of ASA platform

Recommended Action Make sure that the joining unit has the same platform type as that of the cluster master.

747032

Error Message %ASA-3-747032: Clustering: Service module mismatch between cluster master ( module-name ) and joining unit unit-name ( module-name ) in slot slot-number . unit-name aborting cluster join.

Explanation The joining unit's external modules are not consistent (module type and order in which they are installed) with those on the cluster master.

  • module-name —Name of the external module
  • unit-name —Name of the unit in the cluster bootstrap
  • slot-number —The number of the slot in which the mismatch occurred

Recommended Action Make sure that the modules installed on the joining unit are of the same type and are in the same order as they are in the cluster master.

747033

Error Message %ASA-3-747033: Clustering: Interface mismatch between cluster master and joining unit unit-name . unit-name aborting cluster join.

Explanation The joining unit's interfaces are not the same as those on the cluster master.

  • unit-name —Name of the unit in the cluster bootstrap

Recommended Action Make sure that the interfaces available on the joining unit are the same as those on the cluster master.

750001

Error Message %ASA-5-750001: Local: local IP : local port Remote: remote IP : remote port Username: username Received request to request an IPsec tunnel; local traffic selector = local selectors: range, protocol, port range ; remote traffic selector = remote selectors: range, protocol, port range

Explanation A request is being made for an operation on the IPsec tunnel such as a rekey, a request to establish a connection, and so on.

  • local IP:local port — Local IP address for this request. The ASA IP address and port number used for this connection
  • remote IP:remote port — Remote IP address for this request. Peer IP address and port number that the connection is coming from
  • username —Username of the requester for remote access, if known, or the tunnel group
  • local selectors —Locally configured traffic selectors or proxies that are being used for this IPsec tunnel
  • remote selectors —Remote peer's requested traffic selectors or proxies for this IPsec tunnel

Recommended Action None required.

750002

Error Message %ASA-5-750002: Local: local IP : local port Remote: remote IP : remote port Username: username Received a IKE_INIT_SA request

Explanation An incoming tunnel or SA initiation request (IKE_INIT_SA request) has been received.

  • local IP:local port — Local IP address for this request. The ASA IP address and port number used for this connection
  • remote IP:remote port — Remote IP address for this request. Peer IP address and port number that the connection is coming from
  • username —Username of the requester for remote access, if known, or the tunnel group

Recommended Action None required.

750003

Error Message %ASA-4-750003: Local: local IP:local port Remote: remote IP:remote port Username: username Negotiation aborted due to ERROR: error

Explanation The negotiation of an SA was aborted because of the provided error reason.

  • local IP:local port — Local IP address for this request. The ASA IP address and port number used for this connection
  • remote IP:remote port — Remote IP address for this request. Peer IP address and port number that the connection is coming from
  • username —Username of the requester for remote access, if known yet
  • error —Error reason for aborting the negotiation

Recommended Action Review the syslog and follow the flow of the logs to determine whether this message is the final one in the exchange and the cause of a potential failure, or a transient error that was resolved by renegotiation. For example, a peer may suggest a DH group in the KE payload that is not configured, which causes the initial request to fail; the correct DH group is then communicated so that the peer can come back with the correct group in a new request.
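The following is an added example, not part of the Cisco reference: it applies the recommended action for 750003 by grouping 750xxx messages per remote peer and marking each aborted negotiation as transient when an SA UP (750006) follows from the same peer, or final when none does. It assumes IPv4 peers, usernames without spaces, and line order as the time order; the sample lines, error strings and reason strings are constructed.

```python
import re
from collections import defaultdict

# Shared prefix of the 750001-750009 messages:
#   Local: ip:port Remote: ip:port Username: name <event text>
# Assumptions: IPv4 addresses, usernames without spaces. Whitespace around
# the separators is optional because renderings differ.
IKEV2_RE = re.compile(
    r"%ASA-\d-(?P<id>7500\d\d):\s*"
    r"Local:\s*(?P<lip>\d+(?:\.\d+){3})\s*:\s*(?P<lport>\d+)\s+"
    r"Remote:\s*(?P<rip>\d+(?:\.\d+){3})\s*:\s*(?P<rport>\d+)\s+"
    r"Username:\s*(?P<user>\S+)\s+(?P<event>.+)$"
)

# Constructed sample input; the error and reason strings are placeholders.
SAMPLE = [
    "%ASA-5-750002: Local:192.0.2.1:500 Remote:198.51.100.7:500 Username:Unknown Received a IKE_INIT_SA request",
    "%ASA-4-750003: Local:192.0.2.1:500 Remote:198.51.100.7:500 Username:Unknown Negotiation aborted due to ERROR: constructed-error-a",
    "%ASA-5-750002: Local:192.0.2.1:500 Remote:203.0.113.9:500 Username:Unknown Received a IKE_INIT_SA request",
    "%ASA-5-750002: Local:192.0.2.1:500 Remote:198.51.100.7:500 Username:Unknown Received a IKE_INIT_SA request",
    "%ASA-4-750003: Local:192.0.2.1:500 Remote:203.0.113.9:500 Username:Unknown Negotiation aborted due to ERROR: constructed-error-b",
    "%ASA-5-750006: Local:192.0.2.1:500 Remote:198.51.100.7:500 Username:site-a SA UP. Reason: constructed-reason",
    "%ASA-6-746008: user-identity: NetBIOS Probe Process started",
]


def parse_line(line):
    """Return the fields of a 750xxx message with the Local/Remote prefix, else None."""
    m = IKEV2_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["event"] = rec["event"].strip()
    return rec


def classify_aborts(lines, lookahead=5):
    """Classify each 750003 abort by what the same remote peer logged next.

    'transient': an SA UP (750006) appears within the next `lookahead`
                 messages for that peer, so the negotiation was retried
                 successfully.
    'final':     no SA UP followed; this abort is the last word so far.
    """
    by_peer = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_peer[rec["rip"]].append(rec)

    results = []
    for peer, seq in by_peer.items():
        for i, rec in enumerate(seq):
            if rec["id"] != "750003":
                continue
            followups = seq[i + 1:i + 1 + lookahead]
            recovered = any(f["id"] == "750006" for f in followups)
            results.append({
                "remote": peer,
                "username": rec["user"],
                "error": rec["event"].split("ERROR:", 1)[-1].strip(),
                "verdict": "transient" if recovered else "final",
            })
    return results


if __name__ == "__main__":
    for finding in classify_aborts(SAMPLE):
        print(finding)
```

Aborts marked final are the ones to investigate first; a production version would bound the lookahead by timestamp rather than by message count.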

750004

Error Message %ASA-5-750004: Local: local IP: local port Remote: remote IP: remote port Username: username Sending COOKIE challenge to throttle possible DoS

Explanation An incoming connection request was challenged with a cookie based on the cookie challenge thresholds that are configured to prevent a possible DoS attack.

  • local IP:local port — Local IP address for this request. The ASA IP address and port number used for this connection
  • remote IP:remote port — Remote IP address for this request. Peer IP address and port number that the connection is coming from
  • username —Username of the requester for remote access, if known yet

Recommended Action None required.

750005

Error Message %ASA-5-750005: Local: local IP: local port Remote: remote IP: remote port Username: username IPsec rekey collision detected. I am lowest nonce initiator, deleting SA with inbound SPI SPI

Explanation A rekey collision was detected (both peers trying to initiate a rekey at the same time), and it was resolved by keeping the one initiated by this ASA because it had the lowest nonce. This action caused the indicated SA referenced by the SPI to be deleted.

  • local IP:local port — Local IP address for this request. The ASA IP address and port number used for this connection
  • remote IP:remote port — Remote IP address for this request. Peer IP address and port number that the connection is coming from
  • username —Username of the requester for remote access, if known yet
  • SPI —SPI handle of the SA being deleted by resolving the rekey collision that was detected

Recommended Action None required.

750006

Error Message %ASA-5-750006: Local: local IP: local port Remote: remote IP: remote port Username: username SA UP. Reason: reason

Explanation An SA came up for the given reason, such as for a newly established connection or a rekey.

  • local IP:local port — Local IP address for this request. The ASA IP address and port number used for this connection
  • remote IP:remote port — Remote IP address for this request. Peer IP address and port number that the connection is coming from
  • username —Username of the requester for remote access, if known yet
  • reason —Reason that the SA came into the UP state

Recommended Action None required.

750007

Error Message %ASA-5-750007: Local: local IP: local port Remote: remote IP: remote port Username: username SA DOWN. Reason: reason

Explanation An SA was torn down or deleted for the given reason, such as a request by the peer, operator request (via an administrator action), rekey, and so on.

  • local IP:local port — Local IP address for this request. The ASA IP address and port number used for this connection
  • remote IP:remote port — Remote IP address for this request. Peer IP address and port number that the connection is coming from
  • username —Username of the requester for remote access, if known yet
  • reason —Reason that the SA came into the DOWN state

Recommended Action None required.

750008

Error Message %ASA-5-750008: Local: local IP: local port Remote: remote IP: remote port Username: username SA rejected due to system resource low

Explanation An SA request was rejected to alleviate a low system resource condition.

  • local IP:local port — Local IP address for this request. The ASA IP address and port number used for this connection
  • remote IP:remote port — Remote IP address for this request. Peer IP address and port number that the connection is coming from
  • username —Username of the requester for remote access, if known yet

Recommended Action Check CAC settings for IKEv2 to determine if this is expected behavior based on configured thresholds; otherwise, if the condition persists, investigate further to alleviate the issue.

750009

Error Message %ASA-5-750009: Local: local IP: local port Remote: remote IP: remote port Username: username SA request rejected due to CAC limit reached: Rejection reason: reason

Explanation A Connection Admission Control (CAC) limiting threshold was reached, which caused the SA request to be rejected.

  • local IP:local port — Local IP address for this request. The ASA IP address and port number used for this connection
  • remote IP:remote port — Remote IP address for this request. Peer IP address and port number that the connection is coming from
  • username —Username of the requester for remote access, if known yet
  • reason —Reason that the SA was rejected

Recommended Action Check CAC settings for IKEv2 to determine if this is expected behavior based on configured thresholds; otherwise, if the condition persists, investigate further to alleviate the issue.

750010

Error Message %ASA-5-750010: Local: local-ip Remote: remote-ip Username: username IKEv2 local throttle-request queue depth threshold of threshold reached; increase the window size on peer peer for better performance

Explanation The ASA overflowed its throttle request queue to the specified peer, indicating that the peer is slow. The throttle request queue holds requests destined for the peer that cannot be sent immediately because the maximum number of requests allowed to be in flight, based on the IKEv2 window size, was already in flight. As in-flight requests are completed, requests are pulled off the throttle request queue and sent to the peer. If the peer is not processing these requests quickly, the throttle queue backs up.

  • local-ip —Local peer IP address
  • remote-ip —Remote peer IP address
  • username —Username of the requester for remote access or tunnel group name for L2L, if known yet
  • threshold —Queue depth threshold of the local throttle-request queue reached
  • peer —Remote peer IP address

Recommended Action If possible, increase the IKEv2 window size on the remote peer to allow more concurrent requests to be in-flight, which may improve performance.


Note The ASA does not currently support an increased IKEv2 window size setting.


750011

Error Message %ASA-3-750011: Tunnel Rejected: Selected IKEv2 encryption algorithm ( IKEV2 encry algo ) is not strong enough to secure proposed IPSEC encryption algorithm ( IPSEC encry algo ).

Explanation The tunnel was rejected because the selected IKEv2 encryption algorithm is not strong enough to secure the proposed IPSEC encryption algorithm.

Recommended Action Configure a stronger IKEv2 encryption algorithm to match or exceed the strength of the IPsec child SA encryption algorithm.

750012

Error Message %ASA-4-750012: Selected IKEv2 encryption algorithm ( IKEV2 encry algo ) is not strong enough to secure proposed IPSEC encryption algorithm ( IPSEC encry algo ).

Explanation The selected IKEv2 encryption algorithm is not strong enough to secure the proposed IPSEC encryption algorithm.

Recommended Action Configure a stronger IKEv2 encryption algorithm to match or exceed the strength of the IPsec child SA encryption algorithm.

751001

Error Message %ASA-3-751001: Local: localIP:port Remote: remoteIP:port Username: username/group Failed to complete Diffie-Hellman operation. Error: error

Explanation A failure to complete a Diffie-Hellman operation occurred, as indicated by the error.

  • localIP:port —The local IP address and port number
  • remoteIP:port —The remote IP address and port number
  • username/group —The username or group associated with this connection attempt
  • error —The error string that indicates the specific error

Recommended Action A low memory issue or other internal error that should be resolved has occurred. If it persists, use the memory tracking tool to isolate the issue.

751002

Error Message %ASA-3-751002: Local: localIP:port Remote: remoteIP:port Username: username/group No preshared key or trustpoint configured for self in tunnel group group

Explanation The ASA was unable to find any type of authentication information in the tunnel group that it could use to authenticate itself to the peer.

  • localIP:port —The local IP address and port number
  • remoteIP:port —The remote IP address and port number
  • username/group —The username or group associated with this connection attempt
  • group —The name of the tunnel group

Recommended Action Check the tunnel group configuration, and configure a preshared key or certificate for self-authentication in the indicated tunnel group.

751003

Error Message %ASA-7-751003: Local: localIP:port Remote: remoteIP:port Username: username/group Need to send a DPD message to peer

Explanation Dead peer detection needs to be performed for the specified peer to determine if it is still alive. The ASA may have terminated a connection to the peer.

  • localIP:port —The local IP address and port number
  • remoteIP:port —The remote IP address and port number
  • username/group —The username or group associated with this connection attempt

Recommended Action None required.

751004

Error Message %ASA-3-751004: Local: localIP:port Remote: remoteIP:port Username: username/group No remote authentication method configured for peer in tunnel group group

Explanation A method to authenticate the remote peer was not found in the configuration to allow the connection.

  • localIP:port —The local IP addre