Catalyst 3550, 2955, 2950 and 2940 Switch System Message Guide, 12.1(22)EA7
Security and QoS Configuration Messages

Security and QoS Configuration Messages on Catalyst 2955 and 2950 Switches



This appendix describes the error messages for configuring network security with access control lists (ACLs) and for configuring quality of service (QoS) on Catalyst 3550, 2955, and 2950 switches. In Table A-1, access control parameters (ACPs) are referred to as masks. For more information about ACPs, see the software configuration guide for this release.

These error messages appear only if you have installed the enhanced software image (EI) on your switch.

Table A-1 Common ACL Error Messages 

Error Message
Explanation and Suggested Solution
%Error:Class-map [class-map name] has a  
different mask than the Policymap  
[policy-map name]

This error message means that the policy map has a different mask than the class map.

Use the same mask in both the class map and the policy map.

%Error:Class-maps have a mix of System Defined  
and User Defined masks within the Policymap  
[policy-map name]

This error message means that a combination of system-defined and user-defined masks has been used in the multiple class maps that are part of a policy map.

Class maps that are in a policy map cannot have ACLs that use both system-defined masks and user-defined masks.

%Error:System Defined ACEs of TCP/UDP and IP  
cannot exist together in a policy-map. Check  
policy-map :[policy-map name]

This error message means that a combination of Layer 3 system-defined access control entries (ACEs) and Layer 4 system-defined ACEs is in the same policy map.

A policy map cannot have both Layer 3 system-defined ACEs and Layer 4 system-defined ACEs.

Note You cannot have masks such as permit tcp any any, permit udp any any, and permit ip any any within the same policy map.

%Error:Service-Policy is not supported on VLAN  
interface

This error message means that you have tried to attach a policy map to a VLAN interface.

A policy map can be attached only to a physical interface.

%Error:Invalid policy-map

This error message means that the policy map is invalid.

This message is normally preceded by a more explicit error message that gives details about the reasons for the invalidity of the policy map.

%Error:Match Numbered Attach Filter :ONLY one  
ACL allowed in a class-map

This error message means that there was an attempt to add another numbered ACL in the class map.

Only one ACL is allowed in a class map.

%Error:Deny ACE not supported in access-group  
within a class-map.  
Check class-map : [class-map name]

This error message means that a deny ACE has been entered in an access group within a class map.

A deny ACE is not supported in an access group within a class map.

%Error:System Defined and User Defined ACEs  
cannot exist together in access-group within a  
class-map.  
Check class-map : [class-map name]

This error message means that a combination of system-defined and user-defined masks has been used in an access group within a class map.

The access group in a class map cannot have ACLs that use both system-defined masks and user-defined masks.

%Error:System Defined ACEs of TCP/UDP and IP  
cannot exist together in access-group within a  
class-map. 
Check class-map :[class-map name]

This error message means that a combination of Layer 3 system-defined access control entries (ACEs) and Layer 4 system-defined ACEs has been configured in the same access group.

The access group in a class map cannot have both Layer 3 and Layer 4 system-defined ACEs.

%Error:Match Named Attach Filter :ONLY one ACL  
allowed in a class-map

This error message means that an attempt was made to add another ACL in the class map.

Only one ACL is allowed in a class map.

%Error:The ACL has a different mask than the  
Policy-map [policy-map name]

This error message means that an attempt was made to create an ACL with a different mask within a policy map.

All ACLs within the same class maps of a policy map must have the same mask.

%Error:Service policy cannot be configured

This error message means that the policy map cannot be configured. The exact causes are provided in separate error messages that precede this error message.

The switches support the policy-map global configuration command with certain restrictions. For more information, see the command reference for this release.

%Error:Service policy cannot be supported -  
Policers required exceed Maximum Allowed on  
this interface

This error message means that the policy map cannot be supported because the required number of policers on this interface is more than permitted.

A Fast Ethernet port supports 6 policers, and a Gigabit Ethernet port supports 60 policers.

%Error:Service policy cannot be supported -  
Rules required exceed available resources in 
ASIC. 

This error message means that the policy map cannot be supported because the required number of resources to support this policy map is not available in the hardware.

Reduce the number of resources on this policy map.

%Error:Removing service-policy policy-map name  
from interface interface_number 

This error message means that a policy map was invalid and was removed from an interface.

If a policy map is attached to an interface and you modify the policy map so that it becomes invalid, the system removes the policy map from the interface.

%Error:ASIC memory read write issues

This error message means that the switch hardware is having problems.

Find out more about the error by using the show tech-support privileged EXEC command and by copying the error message exactly as it appears on the console or system log and entering it in the Output Interpreter tool. Use the Bug Toolkit to look for similar reported problems. For more information about these online tools and about contacting Cisco, see the "Error Message Traceback Reports" section.

%Error:ASIC Resources unavailable

This error message means that the hardware does not have sufficient resources to support the user policies.

%Error:Invalid mask

This error message means that the user-defined mask is not entered correctly in the hardware.

Remove the mask, and re-enter it.

%Error:Invalid rule

This error message means that the hardware had a problem programming the resource.

Re-enter the command that you had entered before receiving the error message.

Find out more about the error by using the show tech-support privileged EXEC command and by copying the error message exactly as it appears on the console or system log and entering it in the Output Interpreter tool. Use the Bug Toolkit to look for similar reported problems. For more information about these online tools and about contacting Cisco, see the "Error Message Traceback Reports" section.

%Error:Invalid ingress port

This error message means that an invalid ingress port was detected by the hardware.

Re-enter the command that you had entered before receiving the error message.

Find out more about the error by using the show tech-support privileged EXEC command and by copying the error message exactly as it appears on the console or system log and entering it in the Output Interpreter tool. Use the Bug Toolkit to look for similar reported problems. For more information about these online tools and about contacting Cisco, see the "Error Message Traceback Reports" section.

%Error:Another security mask on this  
interface

This error message means that there is another security mask present on the interface.

Only one security mask is allowed on any interface.

Remove all the security access groups on this interface, and attach the security access group that is required.

%Error:Another qos mask on this interface

This error message means that there is more than one quality of service (QoS) mask on the interface.

Only one QoS mask is allowed on any interface.

Remove all the QoS policy maps on this interface, and attach the policy map that is required.

%Error:No sec mask on this interface

This error message means that no security mask has been applied on this interface.

%Error:No qos mask on this interface

This error message means that no QoS mask has been applied on this interface.

%Error:No sec rules on this interface

This error message means that there are no security resources on this interface.

%Error:No qos rules on this interface

This error message means that there are no QoS resources on this interface.

%Error:No free masks available

This error message means that there are no free masks available for the user.

You must use one of the user-defined masks that is already configured. As an alternative, you can free up one of the masks by removing all the policies that use that mask.

%Error:Invalid sequence - IP protocol ACE not  
allowed after TCP/UDP protocol ACE

This error message means that a Layer 4 (TCP or UDP protocol) ACE preceded a Layer 3 (IP protocol) ACE.

%Error: Service-Policy is not supported on  
EtherChannel interface

This error message means that an access group is applied on an EtherChannel interface.

Access groups can be applied only to Layer 2 physical interfaces or management VLANs.

%Error:A MAC Access Group exists on this 
interface

This error message means that a MAC access group was previously configured on this interface.

Delete the MAC access group by using the no mac access-group interface configuration command, and re-enter the ip access-group interface configuration command.

%Error:An IP Access Group exists on this  
interface

This error message means that an IP access group was previously configured on this interface.

Delete the IP access group by using the no ip access-group interface configuration command, and re-enter the mac access-group interface configuration command.

%Error:Out of Rule Resources

This error message means that the hardware has run out of resources.

Re-enter the command with fewer ACEs.

%Error:No free rules on this interface

This error message means that the hardware has run out of resources.

Re-enter the command with fewer ACEs.

%Error:ASIC error

This error message means that the hardware has returned an error and that the command cannot be completed.

%Error:ASIC out of resources

This error message means that the hardware does not have sufficient resources to support the user policies.

%Error:Mask/rule entry failure, errcode=XX

This error message means that the hardware displays an unknown error with the specified error code.

%Error:FAILURE to reinsert old ACL

This error message means that a hardware failure has occurred.

Delete the access group, and re-enter the command.

%Error:Max limit reached for number of ACEs  
in ACL :<acl_name>

This error message means that the maximum number of ACEs in an ACL has been reached.

The ACE cannot be added to the ACL.

%Error:access-list too large to support on  
this interface. Check class-map : 
[class-map name] and access-list :[acl name]

This error message means that the access list cannot be applied on this interface because the interface does not have sufficient resources to meet the requirement of this access list.

Re-enter the command with fewer ACEs.

%Error:FAILURE to reinsert old ACL, errcode=XX

This error message means that a hardware failure has occurred.

Delete the access group, and re-enter the command that you had entered before receiving the error message.

Find out more about the error by using the show tech-support privileged EXEC command and by copying the error message exactly as it appears on the console or system log and entering it in the Output Interpreter tool. Use the Bug Toolkit to look for similar reported problems. For more information about these online tools and about contacting Cisco, see the "Error Message Traceback Reports" section.

%Error:Egress port invalid

This error message means that an invalid egress port was detected by the hardware.

Re-enter the command that you had entered before receiving the error message.

Find out more about the error by using the show tech-support privileged EXEC command and by copying the error message exactly as it appears on the console or system log and entering it in the Output Interpreter tool. Use the Bug Toolkit to look for similar reported problems. For more information about these online tools and about contacting Cisco, see the "Error Message Traceback Reports" section.

%Error:The field sets of all the ACEs in an  
ACL on Ethernet interface should match. Please  
refer to the Software Configuration Guide to  
understand one mask restriction for ACLs on  
Ethernet interface

This error message means that one or more of the ACEs in the ACL do not have the same mask as the other ACEs. All ACEs in an ACL on an Ethernet interface must have the same mask.

Change the ACEs to have the same mask as the other ACEs in the ACL.

%Error:Access-list with '[keyword]' keyword is  
not supported on Ethernet Interface. The ACL  
'[acl name]' is either used as a Security ACL  
or QoS ACL. Please refer to the Software  
Configuration Guide for all the supported  
keywords

This error message means that the new ACE added to the ACL contains one or more keywords that are not supported on the Ethernet interface.

Remove any nonsupported keywords from the ACL.

%Error:Access-list with '[keyword]' keyword is  
not supported on Ethernet Interface. Please  
refer to the Software Configuration Guide for  
all the supported keywords

This error message means that the ACL to be applied to a Layer 2 interface or class-map contains one or more keywords that are not supported.

Remove any nonsupported keywords from the ACL.

%Error:Policer Configuration Incorrect for  
this interface. Check the policer rate in  
policy-map :[policy-map name], class-map  
:[class-map name]. Please choose either [lower  
rate] or [upper rate] (bits per second) as the  
policer rate

This error message means that the granularity of the policer rate in the policy map is 1 Mbps.

Change the policer rate to either of the suggested values.

%Error:The name '[aclname]' has been used for  
ACL of another type

This error message means that the name on the MAC extended ACL might have been used in another named ACL that is not a MAC extended ACL.
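Several restrictions in Table A-1 can be checked in a candidate configuration file before it is pushed to a switch. The following linter is an added example, not Cisco code or part of the original guide. It covers only the one-ACL-per-class-map, deny-ACE, VLAN/EtherChannel service-policy, and IP-versus-MAC access-group rules. It assumes standard IOS-style configuration syntax and reports the table's message text without the `%Error:` prefix. The sample configuration and the names `lint`, `SAMPLE`, and `EXISTS` are constructed for illustration.

```python
# Constructed candidate configuration (IOS-style syntax assumed; not from a real switch).
SAMPLE = """\
access-list 101 permit tcp any any eq 80
access-list 101 deny tcp any any eq 23
class-map match-all WEB
 match access-group 101
 match access-group 102
interface FastEthernet0/1
 ip access-group 110 in
 mac access-group BLOCK-MAC in
interface Vlan10
 service-policy input EDGE
"""
EXISTS = {"ip": "An IP Access Group exists on this interface",
          "mac": "A MAC Access Group exists on this interface"}

def lint(config):
    """Return (context, Table A-1 message text) pairs for rules checkable offline."""
    acls, classes, ifaces = {}, {}, {}  # ACL -> actions, class-map -> ACLs, interface -> commands
    kind = name = None
    for raw in filter(str.strip, config.splitlines()):  # skip blank lines
        w = raw.split()
        if not raw[0].isspace():  # an unindented line starts a new section
            kind = name = None
            if w[0] == "access-list" and len(w) > 2:  # numbered ACL, one ACE per line
                acls.setdefault(w[1], []).append(w[2])
            elif w[1:2] == ["access-list"] and len(w) > 3:  # ip/mac access-list extended NAME
                kind, name = "acl", w[3]
            elif w[0] in ("class-map", "interface") and len(w) > 1:
                kind, name = w[0], w[-1]
        elif kind == "acl" and w[0] in ("permit", "deny"):
            acls.setdefault(name, []).append(w[0])
        elif kind == "class-map" and w[:2] == ["match", "access-group"]:
            classes.setdefault(name, []).append(w[-1])
        elif kind == "interface":
            ifaces.setdefault(name, []).append(w)
    found = []
    for cm, refs in classes.items():
        if len(refs) > 1:
            found.append((cm, "ONLY one ACL allowed in a class-map"))
        if any("deny" in acls.get(r, []) for r in refs):
            found.append((cm, "Deny ACE not supported in access-group within a class-map"))
    for ifc, cmds in ifaces.items():
        bad = {"vlan": "VLAN", "port": "EtherChannel"}.get(ifc.lower()[:4])  # Vlan / Port-channel
        if bad and any(c[0] == "service-policy" for c in cmds):
            found.append((ifc, f"Service-Policy is not supported on {bad} interface"))
        groups = [c[0] for c in cmds if c[1:2] == ["access-group"]]
        if {"ip", "mac"} <= set(groups):
            found.append((ifc, EXISTS[groups[0]]))  # message names the group applied first
    return found
```

Calling `lint(SAMPLE)` returns four findings: two for class map `WEB`, one for `FastEthernet0/1`, and one for `Vlan10`.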