Catalyst 2950 and Catalyst 2955 Switch System Message Guide, 12.1(13)EA1
Security and QoS Configuration Messages

This appendix describes the error messages for configuring network security with access control lists (ACLs) and for configuring quality of service (QoS). In Table A-1, Access Control Parameters (ACPs) are referred to as masks. For more information about ACPs, refer to the software configuration guide for this release.

These error messages occur only if you have installed the enhanced software image (EI) on your switch.

Table A-1 Common ACL Error Messages 

Error Message
Explanation and Suggested Solution
%Error:Class-map [class-map name] has a different mask than the Policymap [policy-map name]

This error message means that the policy map has a different mask than the class map.

Use the same mask in both the class map and the policy map.

%Error:Class-maps have a mix of System Defined and User Defined masks within the Policymap [policy-map name]

This error message means that a combination of system-defined and user-defined masks has been used in the multiple class maps that are part of a policy map.

Class maps that are in a policy map cannot have ACLs that use both system-defined masks and user-defined masks.

%Error:System Defined ACEs of TCP/UDP and IP cannot exist together in a policy-map. Check policy-map :[policy-map name]

This error message means that a combination of Layer 3 system-defined access control entries (ACEs) and Layer 4 system-defined ACEs is in the same policy map.

A policy map cannot have both Layer 3 system-defined ACEs and Layer 4 system-defined ACEs.

Note: You cannot have masks such as permit tcp any any, permit udp any any, and permit ip any any within the same policy map.

%Error:Service-Policy is not supported on VLAN interface

This error message means that you have tried to attach a policy map to a VLAN interface.

A policy map can be attached only to a physical interface.

%Error:Invalid policy-map

This error message means that the policy map is invalid.

This message is normally preceded by a more explicit error message that gives details about the reasons for the invalidity of the policy map.

%Error:Match Numbered Attach Filter :ONLY one ACL allowed in a class-map

This error message means that there was an attempt to add another numbered ACL in the class map.

Only one ACL is allowed in a class map.

%Error:Deny ACE not supported in access-group within a class-map.
Check class-map : [class-map name]

This error message means that a deny ACE has been entered in an access group within a class map.

A deny ACE is not supported in an access group within a class map.

%Error:System Defined and User Defined ACEs cannot exist together in access-group within a class-map.
Check class-map : [class-map name]

This error message means that a combination of system-defined and user-defined masks has been used in an access group within a class map.

The access group in a class map cannot have ACLs that use both system-defined masks and user-defined masks.

%Error:System Defined ACEs of TCP/UDP and IP cannot exist together in access-group within a class-map.
Check class-map :[class-map name]

This error message means that a combination of Layer 3 system-defined access control entries (ACEs) and Layer 4 system-defined ACEs has been configured in the same access group.

The access group in a class map cannot have both Layer 3 and Layer 4 system-defined ACEs.

%Error:Match Named Attach Filter :ONLY one ACL allowed in a class-map

This error message means that an attempt was made to add another ACL in the class map.

Only one ACL is allowed in a class map.

%Error:The ACL has a different mask than the Policy-map [policy-map name]

This error message means that an attempt was made to create an ACL with a different mask within a policy map.

All ACLs within the same class maps of a policy map must have the same mask.

%Error:Service policy cannot be configured

This error message means that the policy map cannot be configured. The exact causes are provided in separate error messages that precede this error message.

The switches support the policy-map global configuration command with certain restrictions. For more information, refer to the command reference for this release.

%Error:Service policy cannot be supported - Policers required exceed Maximum Allowed on this interface

This error message means that the policy map cannot be supported because the number of policers required on this interface is more than permitted.

A Fast Ethernet port supports 6 policers, and a Gigabit Ethernet port supports 60 policers.

%Error:Service policy cannot be supported - Rules required exceed available resources in ASIC.

This error message means that the policy map cannot be supported because the required number of resources to support this policy map is not available in the hardware.

Reduce the number of resources on this policy map.

%Error:Removing service-policy policy-map name from interface interface_number

This error message means that a policy map was invalid and was removed from an interface.

If a policy map is attached to an interface and you modify the policy map so that it becomes invalid, the system removes the policy map from the interface.

%Error:ASIC memory read write issues

This error message means that the switch hardware is having problems.

If the message recurs, copy the error message exactly as it appears on the console or in the system log, call your Cisco technical support representative, and provide the representative with the gathered information.

%Error:ASIC Resources unavailable

This error message means that the hardware does not have sufficient resources to support the user policies.

%Error:Invalid mask

This error message means that the user-defined mask is not entered correctly in the hardware.

Remove the mask, and re-enter it.

%Error:Invalid rule

This error message means that the hardware had a problem programming the resource.

Re-enter the command that you had entered before receiving the error message.

If the message recurs, copy the error message exactly as it appears on the console or in the system log, call your Cisco technical support representative, and provide the representative with the gathered information.

%Error:Invalid ingress port

This error message means that an invalid ingress port was detected by the hardware.

Re-enter the command that you had entered before receiving the error message.

If the message recurs, copy the error message exactly as it appears on the console or in the system log, call your Cisco technical support representative, and provide the representative with the gathered information.

%Error:Another security mask on this interface

This error message means that there is another security mask present on the interface.

Only one security mask is allowed on any interface.

Remove all the security access groups on this interface, and attach the security access group that is required.

%Error:Another qos mask on this interface

This error message means that there is more than one quality of service (QoS) mask on the interface.

Only one QoS mask is allowed on any interface.

Remove all the QoS policy maps on this interface, and attach the policy map that is required.

%Error:No sec mask on this interface

This error message means that no security mask has been applied on this interface.

%Error:No qos mask on this interface

This error message means that no QoS mask has been applied on this interface.

%Error:No sec rules on this interface

This error message means that there are no security resources on this interface.

%Error:No qos rules on this interface

This error message means that there are no QoS resources on this interface.

%Error:No free masks available

This error message means that there are no free masks available for the user.

You must use one of the user-defined masks that is already configured. As an alternative, you can free up one of the masks by removing all the policies that use that mask.

%Error:Invalid sequence - IP protocol ACE not allowed after TCP/UDP protocol ACE

This error message means that a Layer 4 (TCP or UDP protocol) ACE preceded a Layer 3 (IP protocol) ACE.

%Error: Service-Policy is not supported on EtherChannel interface

This error message means that an access group is applied on an EtherChannel interface.

Access groups can be applied only to Layer 2 physical interfaces or management VLANs.

%Error:A MAC Access Group exists on this interface

This error message means that a MAC access group was previously configured on this interface.

Delete the MAC access group by using the no mac access-group interface configuration command, and re-enter the ip access-group interface configuration command.

%Error:An IP Access Group exists on this interface

This error message means that an IP access group was previously configured on this interface.

Delete the IP access group by using the no ip access-group interface configuration command, and re-enter the mac access-group interface configuration command.

%Error:Out of Rule Resources

This error message means that the hardware has run out of resources.

Re-enter the command with fewer ACEs.

%Error:No free rules on this interface

This error message means that the hardware has run out of resources.

Re-enter the command with fewer ACEs.

%Error:ASIC error

This error message means that the hardware has returned an error and that the command cannot be completed.

%Error:ASIC out of resources

This error message means that the hardware does not have sufficient resources to support the user policies.

%Error:Mask/rule entry failure, errcode=XX

This error message means that the hardware displays an unknown error with the specified error code.

%Error:FAILURE to reinsert old ACL

This error message means a hardware failure has occurred.

Delete the access group, and re-enter the command.

%Error:Max limit reached for number of ACEs in ACL :<acl_name>

This error message means that the maximum number of ACEs in an ACL has been reached.

The ACE cannot be added to the ACL.

%Error:access-list too large to support on this interface. Check class-map :[class-map name] and access-list :[acl name]

This error message means that the access list cannot be applied on this interface because the interface does not have sufficient resources to meet the requirement of this access list.

Re-enter the command with fewer ACEs.

%Error:FAILURE to reinsert old ACL, errcode=XX

This error message means that a hardware failure has occurred.

Delete the access group, and re-enter the command that you had entered before receiving the error message.

If the message recurs, copy the error message exactly as it appears on the console or in the system log, call your Cisco technical support representative, and provide the representative with the gathered information.

%Error:Egress port invalid

This error message means that an invalid egress port was detected by the hardware.

Re-enter the command that you had entered before receiving the error message.

If the message recurs, copy the error message exactly as it appears on the console or in the system log, call your Cisco technical support representative, and provide the representative with the gathered information.

%Error:The field sets of all the ACEs in an ACL on Ethernet interface should match. Please refer to the Software Configuration Guide to understand one mask restriction for ACLs on Ethernet interface

This error message means that all the ACEs in an ACL must have the same mask, and one or more of them do not.

Change the ACEs to have the same mask as the other ACEs in the ACL.

%Error:Access-list with '[keyword]' keyword is not supported on Ethernet Interface. The ACL '[acl name]' is either used as a Security ACL or QoS ACL. Please refer to the Software Configuration Guide for all the supported keywords

This error message means that the new ACE added to the ACL contains one or more keywords that are not supported on the Ethernet interface.

Remove any nonsupported keywords from the ACL.

%Error:Access-list with '[keyword]' keyword is not supported on Ethernet Interface. Please refer to the Software Configuration Guide for all the supported keywords

This error message means that the ACL to be applied to a Layer 2 interface or class-map contains one or more keywords that are not supported.

Remove any nonsupported keywords from the ACL.

%Error:Policer Configuration Incorrect for this interface. Check the policer rate in policy-map :[policy-map name], class-map :[class-map name]. Please choose either [lower rate] or [upper rate] (bits per second) as the policer rate

This error message means that the granularity of the policer rate in the policy-map is 1 Mbps.

Change the policer rate to either of the suggested values.

%Error:The name '[aclname]' has been used for ACL of another type

This error message means that the name on the MAC extended ACL might have been used in another named ACL that is not a MAC extended ACL.