Application Control Engine Module System Message Guide (Software Version A2(1.0)) - System Messages [Cisco Services Modules]

Table Of Contents

System Messages

Messages 106021 to 199006

106021

106023

106028

111008

111009

199006

Messages 212007 to 254002

212007

212008

251001

251002

251003

251004

251005

251006

251007

251008

251009

251010

251011

251012

251013

253001

253002

253003

253004

253005

253006

253007

253008

253009

253010

254001

254002

Messages 302022 to 327001

302022

302023

302024

302025

302026

302027

302028

302029

302030

302031

303003

303004

304001

313004

313006

313007

314001

322001

322002

322003

327001

Messages 400000 to 444007

400000

405001

406001

406002

410001

411001

411002

411003

411004

412001

415004

415006

415007

415008

415009

415010

415011

415021

415022

415023

415024

415025

415026

415027

440002

440003

441001

441002

442001

442002

442003

442004

442005

444001

444002

444003

444004

444005

444006

444007

Messages 504001 to 504002

504001

504002

Messages 607001 to 615004

607001

607003

608001

608002

608003

608004

608005

615003

615004

Messages 727001 to 729003

727001

727002

727003

727004

727005

727006

727007

727008

727009

727010

727011

727012

727013

727014

727015

727016

727017

727018

727019

727020

727021

727022

727023

728001

728002

728003

728004

728005

728006

728007

728008

728009

728011

728012

728013

728014

728015

728016

728017

728018

728019

728020

728021

728022

728023

728024

728025

728026

728027

728028

728029

728030

728031

728032

729001

729002

729003

System Messages

This chapter lists the ACE system log messages. The messages are listed numerically by message code.

To view a list of the majority of variables used in ACE system log messages, see Table 1-2 in Chapter 1, Configuring System Message Logging. To view ACE system log messages listed by severity level, see Chapter 3, Messages Listed by Severity Level.

This chapter includes the following sections:

•Messages 106021 to 199006

•Messages 212007 to 254002

•Messages 302022 to 327001

•Messages 400000 to 444007

•Messages 504001 to 504002

•Messages 607001 to 615004

•Messages 727001 to 729003

Messages 106021 to 199006

This section contains messages from 106021 to 199006.

106021
Error Message    %ACE-1-106021: Deny protocol reverse path check from source_address to 
dest_address on interface interface_name
Explanation An attack is in progress. Someone is attempting to spoof an IP address on an inbound connection. Unicast reverse path forwarding (RPF), also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on the ACE.
This message appears when you have enabled Unicast RPF with the ip verify reverse-path command (see the Cisco Application Control Engine Module Security Configuration Guide). Reverse path forwarding works on packets that are sent to an interface. If you configure this command on the outside, then the ACE checks packets arriving from the outside.

The ACE looks up a route based on the source address. If an entry is not found and a route is not defined, then this system log message appears and the connection is discarded.

If a route is defined, the ACE checks which interface to which it corresponds. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination. The ACE does not support asymmetric routing.

If the ACE is configured on an internal interface, it checks static route command statements or RIP, and if the source address is not found, then an internal user is spoofing their address.

Recommended Action Even though an attack is in progress, if this feature is enabled, no user action is required. The ACE repels the attack.

106023
Error Message    %ACE-4-106023: Deny protocol number | name src 
incoming-interface:src-ip dst outgoing-interface:dst-ip by access-group 
"acl-name" (hash 1, hash 2)
Explanation An IP packet was denied by the ACL. This message appears even if you do not have the log option enabled for an ACL. If a packet hits an input ACL, the outgoing interface will not be known. In this case, the ACE prints the outgoing interface as undetermined. The source IP and destination IP addresses are the unmapped and mapped addresses for the input and output ACLs, respectively, when used with NAT.
The hash 1 field is a 32-bit hexadecimal (0xnnnnnnnn) MD5-hash value that the ACE computes from the access-list command immediately when you configure an ACL. The ACE includes this hash value in deny syslog messages to help you identify the ACL entry that caused the syslog in the output of the show access-list name detail command. This hash value is line-number independent.

The hash 2 field is a 16-bit hexadecimal (0xnnnn) MD5-hash value that the ACE computes from the expanded access-list entries resulting from the object groups that you configure in an ACL. The ACE computes the hash 2 value when you activate the ACL on an interface. For ACLs that do not have object groups, the hash 2 value is always 0x0. The ACE also includes the hash 2 value in deny syslog messages to help you identify the expanded ACL entry that caused the syslog. This hash value is also line-number independent. To uniquely identify the expanded ACL entry that caused the syslog, you need to search for an entry in the show access-list name detail command output that matches both the hash 1 and the hash 2 hexadecimal values.

To prevent possible discrepancies between the hash numbers in the deny syslog message and the output of the show access-list detail command after a reboot, be sure to use Tab completion or type entire keywords in the CLI when you configure individual entries in an ACL.

Recommended Action If messages persist from the same source address, contact the remote host administrators. Such messages may indicate a foot-printing or port-scanning attempt.

106028
Error Message    %ACE-1-106028: String Incomplete rule is currently applied on 
interface interface-name.  Manual rollback to a previous access rule configuration 
on this interface is needed. 
Explanation Possible String values are:
•WARNING: Access rules memory exhausted while processing component

•WARNING: Unknown error while processing component

Possible values for component are

•Access-list

•Service-policy

•Merged list

For example:

WARNING: Unknown error while processing service-policy. Incomplete rule is currently applied on interface VLAN100. Manual roll back to a previous access rule configuration on this interface is needed.

The access control list (ACL) compilation process has run out of memory, which does not allow new ACL entries to be applied to the specified interface. The ACL configuration downloaded in hardware for that interface may not be in a known state because of this failure.

Recommended Action The ACL configuration downloaded to the network processors is incomplete. Remove and recreate the affected interface to recover to a known state. If the message is "Access rules memory exhausted," either allocate more memory to that context or remove some of the access group or service policy configuration to reduce the memory usage. If the message is "Unknown error," then there may be an issue with the configuration manager or the ACL merge process.

111008
Error Message    %ACE-5-111008: User user executed the command string
Explanation This message is informational. The user entered a command that modified the configuration.
Recommended Action None required.

111009
Error Message    %ACE-7-111009: User user executed cmd:string
Explanation This message is informational. The user entered a command that does not modify the configuration.
Recommended Action None required.

199006
Error Message    %ACE-5-199006 : Orderly reload started at when by whom. Reload reason: 
reason 
Explanation This message logs a reload record of the ACE and the reason for the reload.
The reason variable describes why the reload occurred. Possible reasons are as follows:

•reload command

•sup request

•CF format

•hardware failure

The when variable specifies the time at which the orderly reload operation begins.

The whom variable specifies the name of the user who entered the reload command. If the reload is caused by other reasons, "System" is specified.

Recommended Action None required.

Messages 212007 to 254002

This section contains messages from 212007 to 254002.

212007
Error Message    %ACE-2-212007: SNMPD initialization failed while Variable1 
Explanation This is an SNMP message that is logged when the SNMP daemon fails to initialize. The SNMP daemon is created during device initialization.
The possible values of the Variable1 variable are the following:

•loading mib module

•performing mts_bind

•performing mts_options_set

•initializing kernel memory map

•registering read/write file descriptor

•creating socket endpoint

•creating daemon process

Recommended Action Reboot the ACE (see the Cisco Application Control Engine Module Administration Guide for details). If the SNMP daemon still fails to initialize, contact Cisco TAC and provide them with the output of show processes and show np commands.

212008
Error Message    %ACE-3-212008: Failed while allocating memory in snmpd
Explanation This is an SNMP message that is logged after a memory allocation failure in the SNMPD process. When this error occurs, SNMPD processes (for example, SNMP Get/GetNext responses, trap generation, or SNMP CLI) may be affected.
Recommended Action Check for the system memory using the show system command. If the ACE is low on memory, reboot it (see the Cisco Application Control Engine Module Administration Guide for details). If the memory is not low, contact the Cisco TAC and provide them with the output of the show system resources and show processes cpu memory commands.

251001
Error Message    %ACE-3-251001: Probe configuration error, memory allocation failure.
Explanation The ACE does not have enough memory to support the specified probe configuration. When the Config Manager sends a probe configuration to the Health Monitor module, the Health Monitor module needs to reserve memory to set up the probe. If memory is not available when the Health Monitor is setting up the probe, the syslog message is sent.
Recommended Action Reduce the size of the probe configuration.

251002
Error Message    %ACE-4-251002: The configured health probe script script-name for 
server A.B.C.D on port P is empty
Explanation An empty script is configured for the scripted health probe for server A.B.C.D on port P.
Recommended Action Update the script file with appropriate probe information, unload, and then reload the script (see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guidefor details). You can also reconfigure the health probe to use a nonempty script.

251003
Error Message    %ACE-3-251003: Could not load script script-name - File not found
Explanation The ACE is unable to find the script file that it needs to load.
Recommended Action Create a new script file, unload the old file, and then load the new file (see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for details).

251004
Error Message    %ACE-3-251004: Could not load script script-name - memory allocation 
failure
Explanation The ACE does not have sufficient memory to load the specified script file.
Recommended Action Reduce the size of the configuration or unload any unused script files.

251005
Error Message    %ACE-4-251005: Could not unload script script-name
Explanation The ACE is unable to load the specified script file due to an internal error.
Recommended Action Contact Cisco TAC if this error frequently occurs.

251006
Error Message    %ACE-3-251006: Health probe failed for server A.B.C.D on port P, 
internal error: error message
Explanation The configured service on port P of server A.B.C.D. failed its health checks because the ACE encountered an internal error while performing the probe. Because the error is internal to the system, the real health of the server is unknown.
The possible values of the error message variable are the following:

•failed to setup a socket

•forced disconnect

•failed to allocate memory

•failed to create SSL context

•failed to create SSL session

•failed to assign socket to SSL session

•failed to build a server query

•failed to initialize LDAP

•failed to bind to LDAP

•invalid probe request

•failed to set LDAP option

•failed to get LDAP option

Recommended Action Contact Cisco TAC if this error frequently occurs.

251007
Error Message    %ACE-3-251007: ICMP health probe failed for server A.B.C.D, internal 
error: error message
Explanation The configured service on port P of server A.B.C.D. failed its health checks because the ACE encountered an internal error while performing the ICMP probe. Because the error is internal to the system, the real health of the server is unknown.
The possible values of the error message variable are the following:

•general encap-decap failure

•write failure

•received bad file descriptor

•data entry being modified

•transmit queue is full

Recommended Action Contact Cisco TAC if this error frequently occurs.

251008
Error Message    %ACE-3-251008: Health probe failed for server A.B.C.D on port P, 
connectivity error: server open timeout (no SYN ACK)
Explanation The configured service on port P of server A.B.C.D. failed its health checks because a probe was unable to reach the server due to network problem.
Recommended Action Verify network connectivity to the server, and then reprobe the server.

251009
Error Message    %ACE-3-251009: ICMP health probe failed for server A.B.C.D, 
connectivity error: error message
Explanation The configured real server A.B.C.D. failed its health checks because an ICMP health probe was unable to reach the server due to a network connectivity problem.
The possible values of the error message variable are as follows:

•host unreachable, no route found to destination

•ARP not resolved for destination ip address

•network down

•interface has no ip address

•ICMP host unreachable

•ICMP destination unreachable

Recommended Action Verify network connectivity to the server, and then reprobe the server.

251010
Error Message    %ACE-3-251010: Health probe failed for server A.B.C.D on port P, error 
message
Explanation The configured service on port P of server A.B.C.D. failed its health checks because the server response is not as expected.
The possible values of the error message variable are the following:

•connection reset by server

•connection refused by server

•authentication failed

•unrecognized or invalid response

•server reply timeout

•graceful disconnect timeout (no FIN ACK)

•user defined Reg-Exp was not found in host response

•expect status code mismatch

•received invalid status code

•MD5 checksum mismatch

•invalid server greeting

•received Out-Of-Band data

Recommended Action Check the service running on the affected server.

251011
Error Message    %ACE-3-251011: ICMP health probe failed for server A.B.C.D, error 
message.
Explanation The configured real server A.B.C.D. failed its health checks because the ICMP server response is not as expected.
The possible values of the error message variable are the following:

•ICMP time exceeded

•ICMP redirect

•received ICMP Echo request

•received ICMP Stale packet

•received unexpected ICMP packet type

•received packet is too short

•received packet is too long

•server reply timeout

Recommended Action Check the service running on the affected server.

251012
Error Message    %ACE-3-251012: Could not load script script-name - Error reading 
script-file
Explanation The ACE is unable to read the script file that it is attempting to load. The file may be corrupted.
Recommended Action Verify if the file contents are correct. If correct, unload, and then reload the script file (see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for details). If necessary, create a new script file. Unload the old file, and then load the new file.

251013
Error Message    %ACE-3-251013: Could not load script script-name - Error getting file 
size
Explanation This message is logged when the ACE is unable to determine the script file size. Before a script file can be loaded, the ACE needs determine its size so the appropriate amount of memory can be allocated.
Recommended Action Verify if the file contents are correct. If correct, unload, and then reload the script file (see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for details). If necessary, create a new script file. Unload the old file, and then load the new file.

253001
Error Message    %ACE-6-253001: Certificate certificate_information expired
Explanation This message is logged during the SSL handshake when client authentication is enabled. The ACE determines that the certificate has expired.
Recommended Action None required.

253002
Error Message    %ACE-6-253002: Certificate certificate_information not yet valid
Explanation This message is logged during the SSL handshake when client authentication is enabled. The ACE determines that the certificate is not currently valid.
Recommended Action None required.

253003
Error Message    %ACE-6-253003: Unknown CA certificate_information
Explanation This message is logged during the SSL handshake when client authentication is enabled. The ACE determines that the certificate has an unknown certificate authority (CA).
Recommended Action None required.

253004
Error Message    %ACE-6-253004: Certificate certificate_information revoked
Explanation This message is logged during the SSL handshake when client authentication is enabled. The ACE determines that the certificate has been revoked by the CA.
Recommended Action None required.

253005
Error Message    %ACE-6-253005: Signature for certificate_information is invalid
Explanation This message is logged during the SSL handshake when client authentication is enabled. The ACE determines that the signature for the certificate is invalid.
Recommended Action None required.

253006
Error Message    %ACE-6-253006: Error peer sent invalid or nonexistent certificate 
Explanation This message is logged during the SSL handshake when client authentication is enabled. The ACE determines a certificate is invalid or nonexistent.
Recommended Action None required.

253007
Error Message    %ACE-6-253007: Certificate in file file_name is expired 
Explanation This message is logged when the ACE attempts to use a certificate that has expired. X509 certificates have a fixed lifetime. If the ACE uses an expired certificate in an SSL handshake, the client may reject the connection. The file_name argument is the name of the file where the certificate resides.
Recommended Action Obtain a new certificate and replace the expired one.

253008
Error Message    %ACE-6-253008: CRL crl_name could not be retrieved 
Explanation This message is logged when the ACE failed to retrieve a CRL. If you define CRL checking for SSL client authentication, the ACE periodically retrieves a CRL. Due to a variety of reasons, these attempts can occasionally fail. The crl_name variable is the name of the CRL as defined by the crypto crl command.
Recommended Action Check to see if there is a network connectivity problem or if the server location of the CRL has changed.

253009
Error Message    %ACE-6-253009: Certificate in file file_name is not yet valid 
Explanation X509 certificates have a fixed lifetime. This message is logged when a certificate that is not currently valid is used in an SSL handshake. This event may cause the client to reject the connection. The file_name variable is the name of the file where the certificate resides.
Recommended Action Use a certificate that is currently valid.

253010
Error Message    %ACE-3-253010: Configuration failure: Certificate in file 
certificate_name and key in file key_name do not match
Explanation This message is logged when the certificate and key do not match. As a result, the SSL handshake fails and the ACE does not download the unmatched certificate and key in the configuration. Note that a X509 certificate has a matching private key. The certificate_name variable is the name of the certificate file. The key_file variable is the name of the key file.
Recommended Action Verify that the correct certificate and key are in use in the SSL-proxy service. If necessary, modify the SSL-proxy service to contain the correct files.

254001
Error Message    %ACE-4-254001: ACL resource usage beyond maximum limit for context 
context_id. Free up some resources.
Explanation This message indicates that ACL resources in use for the specified context (context_id) are above the maximum limit allowed by the resource class.
Recommended Action Decrease the minimum ACL usage in the specified context to below the maximum limit.

254002
Error Message    %ACE-4-254002: Minimum ACL resources could not be guaranteed for 
context context_id.
Explanation This message indicates that the requested minimum ACL resources could not be guaranteed in the specified context (context_id).
Recommended Action Contact the global administrator to request that other context administrators release ACL resources.

Messages 302022 to 327001

This section contains messages from 302022 to 327001.

302022
Error Message    %ACE-6-302022: Built TCP connection id for 
interface:real-address/real-port (mapped-address/mapped-port) to 
interface:real-address/real-port (mapped-address/mapped-port)
Explanation This informational message is logged when a TCP connection slot between two hosts is created. This message is formatted by the control plane.
Recommended Action None required.

302023
Error Message    %ACE-6-302023: Teardown TCP connection id for 
interface:real-address/real-port to interface:real-address/real-port duration 
hh:mm:ss bytes bytes [reason]
Explanation This informational message is logged when a TCP connection slot between two hosts is terminated. This message is formatted by the control plane.
The reason variable presents the action that causes the connection to terminate. Table 2-1 lists the TCP termination causes.

Recommended Action None required.

Table 2-1 TCP Termination Reasons

Reason

Description

TCP FINs

Normal close down sequence.

TCP Reset

A TCP reset is received.

Idle Timeout

TCP connection is timed out.

FIN Timeout

TCP FIN timeout.

SYN Timeout

TCP SYN timeout.

Exception

Connection setup error.

Policy Close

A policy closes the TCP connection.

Voluntary Close

TCP connection is closed voluntarily by a user.

Rebalance

HTTP rebalance.

Reuse Conn.

Connection is reused.

Reap Conn.

Connection is closed due to control plane reap messages.

Xlate clear

Connection is closed due to execution of a clear xlate command.

Conn clear

Connection is closed due to execution of a clear conn command.

302024
Error Message    %ACE-6-302024: Built UDP connection id for 
interface:real-address/real-port (mapped-address/mapped-port) to 
interface:real-address/real-port (mapped-address/mapped-port)
Explanation A UDP connection slot between two hosts was added. This message is formatted by the control plane.
Recommended Action None required.

302025
Error Message    %ACE-6-302025: Teardown UDP connection id for 
interface:real-address/real-port to interface:real-address/real-port duration 
hh:mm:ss bytes bytes
Explanation A UDP connection slot between two hosts was deleted. This message is formatted by the control plane
Recommended Action None required.

302026
Error Message    %ACE-6-302026: Built ICMP connection for faddr/NATed_ID 
gaddr/icmp_type laddr/icmpID 
Explanation An ICMP session was established.
Recommended Action None required.

302027
Error Message    %ACE-6-302027: Teardown ICMP connection for faddr/NATed ID 
gaddr/icmp_type laddr/icmpID 
Explanation An ICMP session was removed.
Recommended Action None required.

302028
Error Message    %ACE-6-302028: Built TCP connection id for interface: 
real-address/real-port  (mapped-address/mapped-port) to interface: 
real-address/real-port (mapped-address/mapped-port)
Explanation A TCP connection slot between two hosts was created. This message is generated by the data plane.
Recommended Action None required.

302029
Error Message    %ACE-6-302029: Teardown TCP connection id for interface: 
real-address/real-port to interface: real-address/real-port duration hh:mm:ss 
bytes bytes [reason]
Explanation A TCP connection between two hosts was terminated. This message is generated by the data plane.
The reason variable presents the action that causes the connection to terminate. Table 2-1lists the TCP termination causes.

Recommended Action None required.

302030
Error Message    %ACE-6-302030: Built UDP connection id for interface:       
real-address/real-port (mapped-address/mapped-port) to interface: 
real-address/real-port (mapped-address/mapped-port)
Explanation A UDP connection slot between two hosts was added.This message is generated by the data plane.
Recommended Action None required.

302031
Error Message    %ACE-6-302031: Teardown UDP connection id for interface: 
real-address/real-port to interface: real-address/real-port duration hh:mm:ss 
bytes bytes
Explanation A UDP connection slot between two hosts was deleted. This message is generated by the data plane.
Recommended Action None required.

303003
Error Message    %ACE-6-303003: FTP cmd_name command denied - failed strict inspection, 
terminating connection from source_interface:source_address/source_port to 
dest_interface:dest_address/dest_port 
Explanation The ACE module is using strict inspection on FTP traffic. This message displays if an FTP request command is denied by the strict FTP inspection policy from the ftp-map command.
Recommended Action None required.

303004
Error Message    %ACE-5-303004: FTP cmd_string command unsupported - failed strict 
inspection, terminating connection from 
source_interface:source_address/source_port to 
dest_interface:dest_address/dest_interface
Explanation The ACE module is using strict FTP inspection on FTP traffic. This message displays if an FTP request message contains a command that is not recognized by the device.
Recommended Action None required.

304001
Error Message    %ACE-5-304001: user source_address Accessed {URL} dest_address: url 
Connection connection_ID
Explanation This is a URL message that is logged when the specified host attempts to access the specified URL.
Recommended Action None required.

313004
Error Message    %ACE-4-313004: Denied ICMP type=icmp_type, from source_address on 
interface interface_name to dest_address:no matching session
Explanation ICMP packets were discarded by the ACE because of security checks added by the stateful ICMP feature. These ICMP packets are discarded for any of the following reasons:
•ICMP echo replies are received without a valid echo request already passed across the ACE

•ICMP error messages are received that are not related to any TCP, UDP, or ICMP session already established in the ACE

Recommended Action None required.

313006
Error Message    %ACE-2-313006: ICMP Manager Initialization Failed. Reason : Variable1 
Explanation The ICMP Manager running on the Control Plane of the ACE fails to start.
The possible values of the Variable1 variable are the following:

•Timer creation failed.

•MTS initialization failed.

•Error while opening system call.

•Error while mapping buffer manager memory.

•Encap/Decap registration failed.

Recommended Action The ACE should automatically reboot the card. If not, try rebooting manually. If the problem still exists, contact Cisco TAC and provide them with the output of show tech-support command.

313007
Error Message    %ACE-3-313007: ICMP Manager Memory Problem. Reason: Variable1 
Explanation Reports ICMP-related memory failures.
The possible values of the Variable1 variable are the following:

•No memory available to create ping free list.

•No memory from buffer manager. Cannot send packet.

•No memory available for ping block.

•Possible memory corruption.

Recommended Action Reboot the ACE (see the Cisco Application Control Engine Module Administration Guide for details). If the problem persists, contact Cisco TAC and provide them with the following command output:
•If the "No memory from buffer manager. Cannot send packet." message appears, provide the output generated from the show buffer usage and show buffer stats commands.

•If any other message is returned, provide the output generated from the show process cpu memory command.

314001
Error Message    %ACE-6-314001: Pre-allocate RTSP UDP backconnection for 
foreign_address outside_address/outside_port to local_address 
inside_address/inside_port
Explanation The Cisco ASA opened an RTSP connection for the specified IP addresses and ports.
Recommended Action None required.

322001
Error Message    %ACE-3-322001: Deny MAC address MAC_address, possible spoof attempt on 
interface interface
Explanation The ACE received a packet from the offending MAC address on the specified interface, but the source MAC address in the packet is statically bound to another interface in your configuration. This situation can be caused by either a MAC-spoofing attack or a misconfiguration.
Recommended Action Check the configuration and take appropriate action by either finding the offending host or by reconfiguring the ACE.

322002
Error Message    %ACE-3-322002: ARP inspection check failed for arp {request|response} 
received from host MAC_address on interface interface. This host is advertising 
MAC Address MAC_address_1 for IP Address IP_address, which is 
{statically|dynamically} bound to MAC Address MAC_address_2.
Explanation If ARP inspection is enabled, the ACE checks whether a new ARP entry advertised in the packet conforms to the statically configured or dynamically learned IP-MAC address binding before forwarding ARP packets. If this check fails, the ACE drops the ARP packet and generates this message. This situation can be caused by either ARP spoofing attacks in the network or an invalid configuration (IP-MAC binding).
Recommended Action If the cause is an attack, deny the host by using an ACL. If the cause is an invalid configuration, correct the binding (see the Cisco Application Control Engine Module Routing and Bridging Configuration Guide for details).

322003
Error Message    %ACE-3-322003: ARP inspection check failed for arp {request|response} 
received from host MAC_address on interface interface. This host is advertising 
MAC Address MAC_address_1 for IP Address IP_address, which is not bound to any MAC 
Address. 
Explanation If ARP inspection is enabled, the ACE checks whether a new ARP entry advertised in the packet conforms to the statically configured IP-MAC address binding before forwarding ARP packets. If this check fails, the ACE drops the ARP packet and generates this message. This situation may be caused by either ARP spoofing attacks in the network or an invalid configuration (IP-MAC binding).
Recommended Action If the cause is an attack, deny the host by using an ACL. If the cause is an invalid configuration, correct the binding (see the Cisco Application Control Engine Module Routing and Bridging Configuration Guide for details).

327001
Error Message    %ACE-3-327001: Detected Encap table Full when allocating encap entry 
for IP interface interface_name
Explanation The Encap table size is limited to 32,000 entries. This message is logged when trying to allocate an encap entry after the limit is reached.
Recommended Action Use the clear arp command to remove any unused or invalid table entries.

Messages 400000 to 444007

This section contains messages from 400000 to 444007.

400000
Error Message    %ACE-4-400000: IDS:1000 IP Option Bad Option List from IP_address to 
IP_address on interface interface_name
Explanation Cisco Intrusion Detection System signature message. The ACE does not support IP options. This IDS message is generated whenever the ACE detects IP options in a packet.
Recommended Action See the Cisco Intrusion Detection System User Guide.

405001
Error Message    %ACE-4-405001: Received ARP {request | response} collision from 
IP_address/mac_address on interface interface_name
Explanation The ACE received an ARP packet, and the MAC address in the packet differs from the ARP cache entry.
Recommended Action This traffic may be legitimate, or it may indicate that an ARP poisoning attack is in progress. Check the source MAC address to determine where the packets are coming from and determine if the host is valid.

406001
Error Message    %ACE-4-406001: FTP port command low port: IP_address/port to 
IP_address on interface interface_name
Explanation A client issued an FTP port command with a port number less than 1024; in the well-known port range, this number is typically devoted to server ports. This error message indicates an attempt to avert the site security policy. The Cisco ASA drops the packet, terminates the connection, and logs the event.
Recommended Action None required.

406002
Error Message    %ACE-4-406002: FTP port command different address: 
IP_address(IP_address) to IP_address on interface interface_name
Explanation A client issued an FTP port command with an address other than the address used in the connection. This error message indicates that an attempt was made to avert the site security policy. The address in parentheses is the address from the port command. For example, an attacker may attempt to hijack an FTP session by changing the transmitted packet and putting different source information instead of the correct source information. The security appliance drops the packet, terminates the connection, and logs the event.
Recommended Action None required.

410001
Error Message    %ACE-4-410001: Dropped UDP DNS packet_type from 
source_interface:source_address/source_port to 
dest_interface:dest_address/dest_port; error_length_type length length bytes 
exceeds max_length_type limit of maximum_length bytes. 
Explanation The domain-name length exceeds 255 bytes in a UDP DNS packet. (See RFC 1035 section 3.1.)
Recommended Action None required.

411001
Error Message    %ACE-4-411001: Line protocol on interface interface_name changed state 
to up
Explanation The status of the line protocol has changed from down to up.
Recommended Action None required.

411002
Error Message    %ACE-4-411002: Line protocol on interface interface_name changed state 
to down
Explanation The status of the line protocol has changed from up to down.
Recommended Action If this is an unexpected event on the interface, check the line.

411003
Error Message    %ACE-4-411003:  Configuration status on interface interface_name 
changed state to up
Explanation The configuration status of the interface has changed from down to up.
Recommended Action If this is an unexpected event on the interface, check the line.

411004
Error Message    %ACE-4-411004:  Configuration status on interface interface_name 
changed state to down
Explanation The configuration status of the interface has changed from up to down.
Recommended Action None required.

412001
Error Message    %ACE-4-412001: MAC MAC_address moved from interface_1 to interface_2
Explanation The ACE detects that a host was moved from one module interface to another. In a transparent ACE, mapping between the host (MAC) and the ACE port is maintained in a Layer 2 forwarding table. The table dynamically binds packet source MAC addresses to an ACE port. When movement of a host from one interface to another interface is detected during this binding process, this error message is generated.
Recommended Action The host move may be valid or the host move may be an attempt to spoof host MACs on other interfaces. You can take one of these actions:
•If it is a genuine host move, no action is required.

•If it is a MAC spoof attempt, you can either locate vulnerable hosts on your network and remove them or configure static MAC entries. Configuring static MAC entries will not allow MAC address and port binding to change.

415004
Error Message    %ACE-5-415004:HTTP - matched mime_type in policy-map policy_map_name, 
content-type verification failed from source_address to dest_address/port_num 
Connection connection_ID
Explanation The match content-type-verification command is configured and a MIME type in the content-type HTTP header field is found in the list of policies of allowed types. However, the expected number in the body of the message is not the correct number to identify a file of that type. This behavior is unusual and could indicate an attempt to smuggle contraband data over the connection.
Recommended Action None required.

415006
Error Message    %ACE-5-415006: HTTP - matched class_map_name in policy_map_name, URI 
matched connection_action from source_address/port_num to dest_address/port_num 
Connection connection_ID
Explanation The URI matches the regular expression that the user configured.
Recommended Action None required.

415007
Error Message    %ACE-5-415007: HTTP - matched class_map_name in policy-map 
policy_map_name, Body matched connection_action from IP_address/port_num to 
IP_address/port_num Connection connection_ID
Explanation The body matches the regular expression that the user configured.
Recommended Action None required.

415008
Error Message    %ACE-5-415008: HTTP - matched class_map_name in policy-map 
policy_map_name, Header matched connection_action from IP_address/port_num to 
IP_address/port_num Connection connection_ID
Explanation The header matches the regular expression that the user configured.
Recommended Action None required.

415009
Error Message    %ACE-5-415009: HTTP - matched class_map_name in policy-map 
policy_map_name, method matched - connection_action from IP_address/port_num to 
IP_address/port_num Connection connection_ID
Explanation The request method matches the regular expression that the user configured.
Recommended Action None required.

415010
Error Message    %ACE-5-415010: HTTP - matched class_map_name in policy-map 
policy_map_name, transfer encoding matched connection_action from 
IP_address/port_num to IP_address/port_num Connection connection_ID
Explanation The transfer or content encoding matches the regular expression that the user configured.
Recommended Action None required.

415011
Error Message    %ACE-5-415011: HTTP - policy-map policy_map_name:Protocol violation 
connection_action from IP_address/port_num to IP_address/port_num Connection 
connection_ID
Explanation The HTTP parser cannot detect a valid HTTP message in the first few bytes of an HTTP message. A user may be running a protocol over the port for HTTP transactions. This action violates the user-configured policy.
Recommended Action None required.

415021
Error Message    %ACE-5-415021: HTTP - matched class_map_name in policy-map 
policy_map_name, URI length range matched connection_action from 
source_address/port_num to dest_address/port_num Connection connection_ID
Explanation The URI length is within the range that the user configured.
Recommended Action None required.

415022
Error Message    %ACE-5-415022: HTTP - matched class_map_name in policy_map_name, 
Header length range matched connection_action from source_address/port_num to 
dest_address/port_num Connection connection_ID
Explanation The header length is within the range that the user configured.
Recommended Action None required.

415023
Error Message    %ACE-5-415023: HTTP - matched class_map_name in policy-map 
policy_map_name, body length range matched connection_action from 
source_interface:source_address/port_num to dest_interface:dest_address/port_num 
Connection connection_ID
Explanation The body length is within the range that the user configured.
Recommended Action None required.

415024
Error Message    %ACE-5-415024:HTTP - matched class_map_name in policy-map 
policy_map_name, Header content type matched connection_action from 
IP_address/port_num to IP_address/port_num Connection connection_ID
Explanation The header content type matches the regular expression that the user configured.
Recommended Action None required.

415025
Error Message    %ACE-5-415025: HTTP policy_map_name - Tunnel detected - 
connection_action from IP_address/port_num to IP_address/port_num connection 
connection_ID
Explanation A tunneling protocol is detected in the HTTP content. A user may be running a tunneling protocol using HTTP as the transport. This action violates the user-configured policy.
Recommended Action None required.

415026
Error Message    %ACE-5-415026: HTTP  policy_map_name: Instant Messenger detected 
connection_action from IP_address/port_num to IP_address/port_num connection 
connection_ID
Explanation An instant messenger protocol is detected in the HTTP content. A user may be running an instant messenger protocol using HTTP as the transport. This action violates the user-configured policy.
Explanation None required.

415027
Error Message    %ACE-5-415027: HTTP policy_map_name:  Peer-to-Peer detected 
connection_action from IP_address/port_num to IP_address/port_num connection 
connection_ID
Explanation A peer-to-peer protocol is detected in the HTTP content. A user may be running a peer-to-peer protocol using HTTP as the transport. This action violates the user-configured policy.
Recommended Action None required.

440002
Error Message    %ACE-3-440002: Addition failed for variable 1
Explanation An error occurred for the SNMP Shadow Table Addition. SNMP Get/Get-Next requests may fail on the table name specified by variable 1.
Recommended Action Check the memory-related information in the system. Enter the show processes cpu memory command and locate the MemAlloc column in the output.

440003
Error Message    %ACE-3-440003: Deletion failed for variable 2 
Explanation An error occurred for the SNMP Shadow Table Deletion. Deletion failure may result in a memory leak or wrong or non-existent values being returned for subsequent Get/Get-Next requests on the table name specified by variable 2.
Recommended Action Check the Memory related information in the system. Execute the show processes cpu memory command and locate the MemAlloc column in the output.

441001
Error Message    %ACE-5-441001: Serverfarm name failed over to backup. Number of 
failovers = count1, number of times back in service = count2 
Explanation A serverfarm failover event has occurred. The name variable is the name of the serverfarm. The count1 variable is the number of times that the primary serverfarm failed over to the backup serverfarm. The count2 variable is the number of times the primary serverfarm returned to service.
Recommended Action None required.

441002
Error Message    %ACE-5-441002: Serverfarm name is back in service. Number of failovers 
= count1, number of times back in service = count2 
Explanation A serverfarm in service event has occurred. The name variable is the name of the serverfarm. The count1 variable is the number of times that the primary serverfarm failed over to the backup serverfarm. The count2 variable is the number of times the primary serverfarm returned to service.
Recommended Action None required.

442001
Error Message    %ACE-4-442001:  Health probe probe name detected real_server_name 
(interface interface_name) in serverfarm sfarm_name changed state to UP
Explanation The state of a real server changed from down to up in the specified server farm.
Recommended Action None required.

442002
Error Message    %ACE-4-442002:  Health probe probe name detected real_server_name 
(interface interface_name) in serverfarm sfarm_name changed state to DOWN
Explanation The state of a real server changed from up to down in the specified server farm.
Recommended Action None required.

442003
Error Message    %ACE-5-442003:  Real Server real_server_name in serverfarm sfarm_name 
changed state to new state
Explanation This message reports a real server state change.
The new state variable can be one of the following:

•outOfService since max connection reached

•outOfService since retcode threshold reached

•outOfService in normal scenarios

Recommended Action None required.

442004
Error Message    %ACE-4-442004:  Health probe probe name detected real_server_name 
(interface interface_name) changed state to UP
Explanation The state of a real server changed from down to up.
Recommended Action None required.

442005
Error Message    %ACE-4-442005:  Health probe probe name detected real_server_name 
(interface interface_name) changed state to DOWN
Explanation The state of a real server changed from up to down.
Recommended Action None required.

444001
Error Message    %ACE-2-444001: License checkout failure for feature feature_name 
reason 
Explanation A license checkout error has occurred for a specified feature due to the reported reason.
Recommended Action Contact Cisco TAC.

444002
Error Message    %ACE-5-444002: Installed license file license_file_name
Explanation The license installation completed for the specified license filename.
Recommended Action Use the show license usage command to verify that this license installed.

444003
Error Message    %ACE-5-444003: Uninstalled license file license_file_name 
Explanation The license uninstall completed for the specified license filename.
Recommended Action Use the show license usage command to verify that the license uninstalled.

444004
Error Message    %ACE-2-444004: Evaluation license expired for feature feature_name
Explanation The license for the specified feature has exceeded the evaluation time period. All the licensed feature specific configurations are removed.
Recommended Action Install a new license for this feature to use it.

444005
Error Message    %ACE-4-444005: Evaluation license for feature feature_name will expire 
in num_days days num_hours hours
Explanation The specified license will exceed its evaluation time period after specified duration as designated in the days and hours remaining. All the licensed feature specific configurations will be removed after the license expires.
Recommended Action Install new license to continue to use the feature without any interruption.

444006
Error Message    %ACE-1-444006: License manager exiting: reason 
Explanation The license manager exits due to the reported reason.
Recommended Action Contact Cisco TAC.

444007
Error Message    %ACE-4-444007: Installed feature_name license on Revision 6 or older 
hardware, will not take effect until next reboot.
Explanation The installed 16G throughput license on Revision 6 or older hardware does not take effect until the next ACE reboot.
Recommended Action Reboot the ACE after saving the current running configuration.

Messages 504001 to 504002

This section contains messages from 504001 to 504002.

504001
Error Message    %ACE-5-504001: Security context context-name was added to the system
Explanation A security context was successfully added to the system.
Recommended Action None required.

504002
Error Message    %ACE-5-504002: Security context context-name was successfully removed 
from the system
Explanation A security context was successfully removed from the system.
Recommended Action None required.

Messages 607001 to 615004

This section contains messages from 607001 to 615004.

607001
Error Message    %ACE-6-6-7001: Pre-allocate SIP media secondary channel for 
source_interface:source_address/source_port to 
destination_interface:destination_address/destination_port from message_id 
message
Explanation This message is generated when a connection is prealloacted to allow media streams negotiated on a Session Initiation Protocol (SIP) session.
Recommended Action None required.

607003
Error Message    %ACE-6-6-7003: SIP Classification: Action_type and log SIP message_id 
from source_interface:source_address/source_port to 
destination_interface:destination_address/destination_port
Explanation This message is generated when the ACE permits or drops a SIP packet or resets the SIP control connection (if it is over TCP), and a log action is configured.
Recommended Action None required.

608001
Error Message    %ACE-6-608001: Pre-allocate Skinny connection_type secondary channel 
for source_interface:source_address/source_port to 
destination_interface:destination_address/destination_port from message_id 
message
Explanation This message is generated when a connection is preallocated to allow media streams negotiated on a Skinny Client Control Protocol (SCCP) session.
Recommended Action None required.

608002
Error Message    %ACE-4-608002: Dropping Skinny message for 
source_interface:source_address/source_port to 
destination_interface:destination_address/destination_port, SCCPPrefix length 
prefex_length too small
Explanation This message appears when using SCCP inspection on SCCP traffic. It is displayed if a SCCP message is too small to carry the SCCP payload.
Recommended Action None required.

608003
Error Message    %ACE-4-608003: Dropping Skinny message for 
source_interface:source_address/source_port to 
destination_interface:destination_address/destination_port, SCCPPrefix length 
prefex_length too large
Explanation This message appears when using SCCP inspection on SCCP traffic. It is displayed if a SCCP message is larger than the maximum configured size.
Recommended Action None required.

608004
Error Message    %ACE-4-608004: Dropping Skinny message for 
source_interface:source_address/source_port to 
destination_interface:destination_address/destination_port, message id 
message_id not allowed
Explanation This message is generated when using inspection on SCCP traffic. It is displayed if a Skinny command is denied by the SCCP inspection policy.
Recommended Action None required.

608005
Error Message    %ACE-4-608005: Dropping Skinny message for 
source_interface:source_address/source_port to 
destination_interface:destination_address/destination_port, message id 
message_id registration not complete
Explanation This message is generated when using inspection on SCCP traffic. It is displayed if a Skinny command that is not allowed before registration is seen before the IP phone has successfully registered with the Cisco Call Manager (CCM).
Recommended Action None required.

615003
Error Message    %ACE-6-615003: VLAN VLAN-number not available for configuring an 
interface
Explanation The specified VLAN number is no longer assigned to the ACE. If an interface is configured with that VLAN number on the module, it will be kept in a shutdown state. If an interface is already configured with that VLAN and is up, it will change the state to shutdown.
Recommended Action If the VLAN specified in the log message is not required for the ACE, delete all interfaces that use this VLAN from the module configuration.

615004
Error Message    %ACE-6-615004: VLAN VLAN-number available for configuring an interface
Explanation The specified VLAN number is now assigned to the ACE. The module can use that VLAN to configure an interface and receive traffic on it.
Recommended Action To use the new VLAN, configure interfaces on the ACE using the new VLAN.

Messages 727001 to 729003

This section contains messages from 727001 to 729003.

727001
Error Message    %ACE-1-727001: HA: Peer IP address is not reachable. Error: error str.
Explanation An active or standby device cannot reach its redundant peer. This message is displayed on both devices and causes a switchover on the standby device. After the switchover occurs, both devices are no longer redundant. The error str value can be one of the following:
•Heartbeat stopped. Ping on alternate interface failed.

•Heartbeat stopped. No alternate interface configured.

Recommended Action Verify connectivity between the peers. If a peer device is physically up but connectivity is the problem, you may end up with two active devices. If connectivity is lost due to the peer going down, reboot the peer to restore redundancy between the two devices.

727002
Error Message    %ACE-1-727002: HA: FT interface interface name to reach peer IP address 
is down. Error: error str
Explanation A peer device is not reachable on an FT interface. In this situation the standby device does not switchover to active, which prevents two actives in the network. The error str value can be one of the following:
•Heartbeats stopped. Peer is reachable via alternate interface.

•Heartbeats are up but cannot use the Telnet connection to the peer device.

Recommended Action Verify connectivity between the two devices over the FT interface. Ping or use Telnet to the peer IP address to confirm connectivity.

727003
Error Message    %ACE-1-727003: HA: Mismatch in context names detected for FT group 
FTgroupID. Cannot be redundant.
Explanation Redundancy is enabled for a particular context, but both devices are unable to become active or standby because of a mismatch in context names.
Recommended Action Check the FT group configuration on both devices. Make sure that both devices are associated with the same context.

727004
Error Message    %ACE-1-727004: HA: Two actives have been detected for FT group 
FTgroupID. 
Explanation Both devices were detected to be active for the same FT group. At this point, one of the two devices automatically relinquishes control and switches over to standby.
Recommended Action None required.

727005
Error Message    %ACE-1-727005: HA: Config replication failed for context ctx name. 
Error : error str
Explanation A configuration could not be synchronized to the peer device due to the error condition returned by the error str value. The error str value can be one of the following:
•Error on Standby device when applying Configuration file replicated from Active.

•Failed to transfer Configuration file to standby. TFTP Failed.

•Failed to generate Running Configuration for peer device. "show running peer" failed.

•Failed to convert Configuration to peer version. Flip of peer addresses failed.

•Failed to retrieve Context Information.

•Failed to rollback Running Configuration on Standby device.

•Failed to sync Running Configuration to Standby device.

•Failed to sync Startup Configuration to Standby device.

•Failed to send MTS message to peer to communicate config status.

Recommended Action Check the running and startup configurations on both devices. To recover, disable configuration synchronization, and then manually apply the configuration on each device.

727006
Error Message    %ACE-1-727006: HA: Peer is incompatible due to error str. Cannot be 
Redundant. 
Explanation A peer device failed to become compatible. This can be a result of Software Relationship Graph (SRG) version inconsistency or a mismatch in licenses between the devices. The error string indicates the reason for the failure.
The error str value can be one of the following:

•License Compatibility Mismatch.

•SRG Compatibility Mismatch.

Recommended Action Verify version and license compatibility on both the devices.

727007
Error Message    %ACE-1-727007: HA: Module Initialization failure - Error Error str. 
Explanation An initialization error occurred for one of the redundant modules. The Error str variable indicates the reason for the failure.
The Error str variable can be one of the following:

•MTS Init Failure

•TNRPC Failure

•Select Call Failure

•Timer Creation Failure

Recommended Action Contact Cisco TAC.

727008
Error Message    %ACE-1-727008: HA: Failed to send heartbeats to peer. Internal error: 
Error str
Explanation The device is unable to send heartbeats to its peer due to an internal error. The error string indicates the reason for the failure.
The Error str variable can be one of the following:

•Failed to setup UDP Connection to Peer for Heartbeats.

•Failed to create Encap for Peer.

•Failed to communicate to IXP.

Recommended Action Contact Cisco TAC.

727009
Error Message    %ACE-2-727009: HA: Communication failure for Peer Peer id Event: error 
str
Explanation The device is unable to establish a TCP connection to the peer. The error str variable is "Failed to establish TCP connection to Peer device."
Recommended Action Contact Cisco TAC.

727010
Error Message    %ACE-2-727010: HA: Data replication failed for context ctx name. Error 
code error str
Explanation Data replication fails and data could not be successfully synchronized to the peer device. The next periodic synchronization will correct the failure and update the lost records. The error str variable indicates the reason for the failure.
The error str variable can be one of the following:

•Failed to bulk sync Connection Records.

•Failed to bulk sync Load Balancer Records.

Recommended Action None required.

727011
Error Message    %ACE-2-727011: HA: Configuration replication for context ctx name will 
not happen. Error: Error str
Explanation The configuration synchronization does not occur for a context. The error string indicates the reason for the failure.
The Error str value can be one of the following:

•Failed to open Startup Configuration File. It does not exist.

•HA election timed out.

•Configuration sync to peer not initiated because Peer doesn't exist.

•HA has not been configured for context.

Recommended Action None required.

727012
Error Message    %ACE-2-727012: HA: FT Group group ID changed state to NewState. Reason: 
reason str.
Explanation This message displays the state transitions made by an HA state (redundancy) device for a context.
Table 2-2 lists the values for the NewState variable.

Table 2-2 NewState Values and Descriptions

NewState Value

Description

FSM_FT_STATE_INIT

The initial state. Visible only when the configuration for the FT group exists but it is not in service.

FSM_FT_STATE_ELECT

After you enter the inservice command when you are configuring an FT group, the ACE enters the ELECT state. The redundancy state machine negotiates with its peer context in the FT group to determine the redundancy role (active or standby).

FSM_FT_STATE_ACTIVE

The active member of the FT group.

FSM_FT_STATE_STANDBY_COLD

This state can be entered if one of the following actions occur:

•FT VLAN is down but the peer device is still alive.

•Configuration or application state synchronization failure have occurred.

FSM_FT_STATE_STANDBY_CONFIG

The standby context is waiting to receive configuration information. Upon entering this state, the active context will be notified to send a copy of the running configuration.

FSM_FT_STATE_STANDBY_BULK

The standby context is waiting to receive state information. Upon entering this state, the active context will be notified to send a copy of the current states information for all applications.

FSM_FT_STATE_STANDBY_HOT

The standby context is ready to become active in a failover situation.

.

Values returned for the reason str variable can be one of the following:

•FSM_FT_EV_PEER_DOWN

•FSM_FT_EV_PEER_FT_VLAN_DOWN

•FSM_FT_EV_PEER_SOFT_RESET

•FSM_FT_EV_STATE

•FSM_FT_EV_TIMEOUT

•FSM_FT_EV_CFG_SYNC_STATUS

•FSM_FT_EV_BULK_SYNC_STATUS

•FSM_FT_EV_COUP

•FSM_FT_EV_RELINQUISH

•FSM_FT_EV_TRACK_STATUS

•FSM_FT_EV_UPDATE

•FSM_FT_EV_ENABLE_INSERVICE

•FSM_FT_EV_DISABLE_INSERVICE

•FSM_FT_EV_SWITCHOVER

•FSM_FT_EV_PEER_COMPATIBLE

•FSM_FT_EV_MAINT_MODE_OFF

•FSM_FT_EV_MAINT_MODE_PARTIAL

•FSM_FT_EV_MAINT_MODE_FULL

Recommended Action None required.

727013
Error Message    %ACE-2-727013: HA: Peer Peer # is UP and reachable.
Explanation The peer is now reachable. Heartbeats are flowing successfully between the two peers.
Recommended Action None required.

727014
Error Message    %ACE-2-727014: HA: Heartbeats from Peer Peer id have become 
unidirectional.
Explanation Redundancy heartbeats from a peer have become unidirectional. That is, the peer cannot receive (only send) heartbeats. This problem occurs if one of the network processors has a problem.
Recommended Action Collect network processor drop counters, and then contact Cisco TAC.

727015
Error Message    %ACE-2-727015: HA: Detected mismatch in heartbeat interval from Peer 
peer id. Modified interval to interval. 
Explanation The redundancy heartbeat received from one peer differs from the value of the second peer. This condition can occur when you choose to dynamically change the heartbeat interval. The modified heartbeat interval that is displayed shows the adjusted interval. This value is the greater of the two values.
Recommended Action None required.

727016
Error Message    %ACE-2-727016: HA: Replication for context ctx name has started. Status 
- status.
The replication is being carried out to a peer. The status variable indicates the synchronization status.

Values for the status variable can be one of the following:

•Running Configuration sync has started to peer.

•Startup Configuration sync has started to peer.

•Startup Configuration sync has completed to peer.

•Running Configuration sync has completed to peer.

•Data Replication has completed to peer.

•Startup configuration has been applied successfully for context.

Recommended Action None required.

727017
Error Message    %ACE-2-727017: HA: FT Track track type track name is UP.
Explanation The FT track is up.
The track type variable can be one of the following:

•Interface

•HSRP

•Host

Recommended Action None required.

727018
Error Message    %ACE-2-727018: HA: FT Track track type track name is DOWN. 
Explanation The FT track is down.
The track type variable can be one of the following:

•Interface

•HSRP

•Host

Recommended Action None required.

727019
Error Message    %ACE-5-727019: HA: Started alternate ping to IP address ip addr 
Explanation ICMP pings have started on the alternate interface to check the health of the peer. This process starts when heartbeats from the peer are no longer received. The standby device issues an alternate ping to the peer to determine whether the peer is still alive. If it is alive, it does not switchover, which prevents two active states on the network.
Recommended Action None required.

727020
Error Message    %ACE-5-727020: HA: Stopped alternate ping to IP address ip addr. 
Explanation ICMP pings have stopped on the alternate interface. This occurs when heartbeats from the peer are received and the peer is up and reachable.
Recommended Action None required.

727021
Error Message    %ACE-5-727021: HA: Peer is compatible.
Explanation The two devices are in a compatible state and can be configured for redundancy.
Recommended Action None required.

727022
Error Message    %ACE-5-727022: HA: Started sending heartbeats to peer Peer id interval 
value and count cnt
Explanation The redundancy connections to the peer have been successfully established and heartbeats have been started to the peer with the configured interval and count.
The interval variable specifies interval in milliseconds. The count variable specifies the number of missed heartbeat intervals before the peer is declared down.

Recommended Action None required.

727023
Error Message    %ACE-5-727023: HA: Stopped sending heartbeats to peer Peer id. 
Explanation Redundancy heartbeats to the peer have been stopped. This can occur if you unconfigure redundancy or make changes to basic connection parameters such as the peer IP address.
Recommended Action None required.

728001
Error Message    %ACE-1-728001: Initialization failure (general) type variable1
Explanation Initialization of the ACE load-balancing process is aborted due to a failure of a general nature (for example, lack of memory, failure to spawn threads, failure to establish a communication channel, and so on).
variable1 specifies the exact failure location in the codebase.

Recommended Action Document the syslog message, and then reboot the ACE (see the Cisco Application Control Engine Module Administration Guide for details). Contact Cisco TAC with the documented message text.

728002
Error Message    %ACE-1-728002: Initialization failure (sticky) type variable1
Explanation Initialization of the ACE load-balancing process is aborted because of a failure in the sticky subsystem (for example, memory alignment failure, failure to spawn threads, failure to a establish communication channel).
variable1 specifies the exact failure location in the codebase.

Recommended Action Document the syslog message, and then reboot the ACE (see the Cisco Application Control Engine Module Administration Guide for details). Contact Cisco TAC with the documented message text.

728003
Error Message    %ACE-1-728003: Initialization failure (sticky hash) variable1 entries, 
variable2 min, variable3 max type variable4
Explanation Initialization of the ACE load-balancing process is aborted because of a failure when allocating entries for the sticky database (for example, the database is not allocated).
The variables displayed in this message represent the following:

•variable1—Specifies the requested number of sticky entries.

•variable2—Specifies the minimum number of sticky entries required for successful operation of the hash algorithm.

•variable3—Specifies the maximum number of entries that can be allocated.

•variable4—Specifies the exact failure location in the codebase.

Recommended Action Document the syslog message, and then reboot the ACE (see the Cisco Application Control Engine Module Administration Guide for details). Contact Cisco TAC with the documented message text.

728004
Error Message    %ACE-5-728004: Internal communications notice (general) type variable1
Explanation The ACE load-balancing process detects a spurious or unintelligible internal message that cannot be dispatched. Under high load, message loss may occur.
variable1 specifies the exact failure location in the codebase.

Recommended Action If this message occurs frequently, or in conjunction with problems in load balancing under normal system load, contact Cisco TAC.

728005
Error Message    %ACE-3-728005: Failed to transmit variable1 decision for connection 
from client variable2 type variable3
Explanation A load-balancing decision was lost internally. No server connection can be initiated, and the identified client connection is reset. At this point, the client can attempt reconnection.
variable1 specifies the connection type. Possible values are as follows:

•destination (determined by load balancer)

•drop (connection discarded)

•forwarded (not load balanced)

variable2 specifies the address of client from whom the connection originated.

variable3 specifies the unique identifier for the line of code where the error was logged.

Recommended Action If this message occurs frequently, document the syslog message, and then contact Cisco TAC.

728006
Error Message    %ACE-5-728006: Internal communications error (messaging) msg subType 
variable1 -- type variable2
During load balancing, the ACE received an internal message that cannot be identified. This message is discarded without processing.

The variables displayed in this message represent the following:

•variable1—Specifies the message type (decimal) that could not be processed.

•variable2—Specifies the unique identifier for the line of code where the error was logged.

Recommended Action If this message occurs frequently, document the syslog message, and then contact Cisco TAC.

728007
Error Message    %ACE-3-728007: Internal configuration communications error (sticky) 
type variable1
Explanation During load balancing, the ACE received a configuration request for sticky database resources that cannot be honored. The resources may exceed the permitted amounts or the resources cannot be located.
variable1 specifies the unique identifier for the line of code where the error was logged.

Recommended Action Verify that the requested resources are available within the chosen context. If the requested resources are available and are allowed by the configuration, an internal error exists. Contact Cisco TAC.

728008
Error Message    %ACE-3-728008: Internal communications error (sticky) /source 
processor variable1 destination processor variable2 -- type variable3
Explanation During load balancing, the ACE detected an error in communication between the two network processors. As a result, sticky load balancing may not occur for some client connections.
The variables displayed in this message represent the following:

•variable1—Specifies the received decimal identifier of source processor.

•variable2—Specifies the received decimal identifier of destination processor.

•variable3—Specifies the unique identifier for the line of code where the error was logged.

Recommended Action Contact Cisco TAC.

728009
Error Message    %ACE-3-728009: Context ID variable1 requested variable2 of variable3 
sticky entries. No action taken. -- type variable4
Explanation This message is reported from the Admin context. A configuration request from the context identified by variable1 cannot be responded to because it exceeds the permitted resources for the sticky entries.
The variables displayed in this message represent the following:

•variable1—Specifies the context requesting the sticky entry action.

•variable2—Specifies the requested action.

•variable3—Specifies the number of sticky entries requested.

•variable4—Specifies the unique identifier for the line of code where the error was logged.

Recommended Action Contact Cisco TAC.

728011
Error Message    %ACE-4-728011: Context ID variable1 being variable2 should not have 
variable3 associated sticky groups -- type variable4
Explanation This message is reported from the Admin context and appears when adding or removing a context that has associated sticky groups. When this condition exists and the error message is logged, the addition or removal of the context still occurs.
•variable1—specifies the context identifier to be added or removed.

•variable2—specifies the requested action. Possible values are added or removed.

•variable3—specifies the number of associated sticky groups detected.

•variable4—specifies the unique identifier for the line of code where the error was logged.

Recommended Action Before adding or removing a context, make sure there are no sticky groups associated with that context.

728012
Error Message    %ACE-5-728012: Context ID variable1 failed to receive return data -- 
type variable2
Explanation Data collected in response to a show command at the CLI was not successfully returned from the network processor to the CLI.
The variables displayed in this message represent the following:

•variable1—Specifies the context identifier for the context that made the request.

•variable2—Specifies the unique identifier for the line of code where the error was logged.

Recommended Action Reenter the show command. If the problem persists, contact Cisco TAC.

728013
Error Message    %ACE-4-728013: A cache alignment error variable1 was detected during 
initialization -- type variable2
Explanation A cache alignment error was detected during the load-balancing initialization. This may impact performance, but load balancing will still be correctly performed.
The variables displayed in this message represent the following:

•variable1 specifies the cache alignment return code.

•variable2 specifies the unique identifier for the line of code where the error was logged.

Recommended Action If you see this error message frequently, contact Cisco TAC.

728014
Error Message    %ACE-3-728014: Internal cross-processor communications error (sticky) 
type variable1
Explanation During load-balancing, the ACE could not parse a message from the second network processor on the ACE. This can result in the loss of sticky information between the two processors, resulting in a sticky server-connection loss for some clients.
variable1 specifies the unique identifier for the line of code where the error was logged.

Recommended Action Contact Cisco TAC.

728015
Error Message    %ACE-3-728015: Internal channel communications error (sticky) type 
variable1
Explanation During load-balancing operations, the ACE was unable to open or use an internal communications channel to process a load-balancing configuration or a display directive. The specific directive on which the failure occurred is not be completed (although it may be retried).
variable1 specifies the unique identifier for the line of code where the error was logged.

Recommended Action Contact Cisco TAC.

728016
Error Message    %ACE-4-728016: HA data receive failure (type variable1)
Explanation This message is logged when an redundancy message received from the redundant peer cannot be understood and is subsequently discarded.
variable1 specifies the unique identifier for the line of code where the error was logged.

Recommended Action Use the show ft stats group_id command to display load-balancing statistics for the FT group:
•If the type variable returned a value of 90 (decimal), then monitor the "Number of Sticky Entries Dropped" value. Contact Cisco TAC if the values continue to increase over time.

•If the type variable returned a value of 99 (decimal), then monitor the "Number of Receive Failures" value. Contact Cisco TAC if the values continue to increase over time.

728017
Error Message    %ACE-3-728017: Internal communications error (ha) -- type variable1
Explanation This message is reported from the current context. An attempt to send a redundancy message to the redundant peer was unsuccessful because the message could not be sent.
variable1 specifies the unique identifier for the line of code where the error was logged.

Recommended Action Use the show ft stats group_id command to display load-balancing statistics for the FT group. Monitor the "Number of Send Failures" value. Contact Cisco TAC if the problem persists.

728018
Error Message    %ACE-5-728018: Proxy connection variable1 rebalanced to server 
variable2
Explanation The ACE has determined that the server side of a connection should be rebalanced to another server. This is an informational message issued in the context in which the rebalance occurs.
The variables displayed in this message represent the following:

•variable1 specifies the identifier of the proxy connection.

•variable2 specifies the index of the realServer to which the connection was rebalanced.

Recommended Action None required.

728019
Error Message    %ACE-4-728019: Sticky resources were not variable1 for this context -- 
type variable2 
Explanation A sticky request (lookup, configure, or delete a sticky entry) was not honored because the sticky group could not locate any configured sticky entries. This is not the result of exceeding the configuration limits, but indicates an unexpected sticky group lookup result.
variable1 specifies the requested sticky action. Possible values are as follows:

•detected

•inserted

•removed

variable2 specifies the unique identifier for the line of code where the error was logged.

Recommended Action Contact Cisco TAC.

728020
Error Message    %ACE-6-728020: LB is configured to consume variable1 bytes of memory.
Explanation The message indicates the amount of physical memory that is mapped by the ACE during load-balancing initialization and indicates that the mapping was successful.
variable1 specifies the bytes of mapped physical memory.

Recommended Action None required.

728021
Error Message    %ACE-6-728021: Found inconsistent sticky entry.  Terminating 
variable1.
Explanation Various commands processed by the ACE during load balancing require searching the sticky database to find all relevant sticky entries. An unexpected finding of no further sticky entries generates this message. This message is useful in troubleshooting sticky issues. The indicated action is terminated, but further requests of the same type (or of other types) are completed.
variable1 specifies the terminated action. Possible values are as follows:

•show screen (user request)

•resetting timestamps (aging sticky entries)

•HA share (updating database with entries learned via HA)

Recommended Action None required.

728022
Error Message    %ACE-6-728022: Invalid hash table index (variable1) used for variable2
Explanation The specified action was aborted because of an invalid hash index.
variable1 specifies the value of the invalid hash table index.

variable2 specifies the index table use. Possible values are as follows:

•LookupRealServerId

•InsertNewEntry

Recommended Action None required.

728023
Error Message    %ACE-6-728023: variable1 variable2 sticky entries from ContextId 
variable3.
Explanation Sticky entries have been added or removed from a context as a result of a resource limit change.
variable1 specifies the action. Possible values are as follows:

•Added

•Removed

variable2 specifies the number of sticky entries moved.

variable3 specifies the context ID from which the entries were added or removed.

Recommended Action None required.

728024
Error Message    %ACE-4-728024: Received an unknown variable1 type message (variable2) 
for Sticky from remote IXP variable3!
Explanation A request or reply from the second network processor indicates an unknown operation type. The request or reply is not responded to and is discarded. This message is useful when troubleshooting sticky database synchronization problems with the network processors.
variable1 specifies the message class. Possible values are as follows:

•request

•reply

variable2 specifies the numerical value of the operation type that could not be identified.

variable3 specifies the identifier of the IXP (network processor) that sent the message.

Recommended Action No action required.

728025
Error Message    %ACE-6-728025: Dropped variable1 'variable2' messages (variable3 
total) from IXP variable4 to IXP variable5!
Explanation Sticky messages between network processors (sticky insert, sticky lookup, or sticky connection close) were lost. This information may be useful when troubleshooting problems with sticky functionality.
variable1 specifies the number of lost messages.

variable2 specifies the message type. Possible values are as follows:

•request

•response

variable3 specifies the total number of messages discarded (includes both lost messages and messages which were discarded because they could not be sent).

variable4 specifies the source network processor identifier.

variable5 specifies the destination network processor identifier.

Recommended Action None required.

728026
Error Message    %ACE-6-728026: Attempting to use invalid lookup key for variable1 
processing.
Explanation The message indicates that a connection close notification was not sent to the remote network processor because of an invalid key. Variable1 specifies the type of processing (connection close). This information may be useful when troubleshooting problems with sticky functionality.
Recommended Action None required.

728027
Error Message    %ACE-4-728027: Received unhandled message of type variable1 from CP 
SrcSAP variable2.
Explanation An unrecognized message was received from the control processor (CP) during load-balancing operations. The message is discarded. This message is useful when troubleshooting commands or configuration directives from the control processor that are ignored by the ACE.
The variables displayed in this message represent the following:

•variable1—Specifies the raw (decimal) unrecognized message type that is received.

•variable2—Specifies the (decimal) source SAP on the CP from which this message was sent.

Recommended Action No action required.

728028
Error Message    %ACE-5-728028: Sticky mapping failed: variable1 variable2
Explanation Information received from an redundant peer cannot be mapped locally. The associated sticky entry information is discarded.
variable1 specifies the reason for the mapping failure. Possible values are as follows:

•Invalid sticky group id

•Invalid real server id

•Sticky group not active

variable2 specifies the (decimal) identifier of the invalid entity. If the entry is an "invalid real server id," the value of the real server ID is displayed. Otherwise, the invalid or inactive sticky group ID is displayed.

Recommended Action Use the show ft stats group_id command to display load-balancing statistics for the FT group. Monitor the "Number of Sticky Entries Dropped" value. Contact Cisco TAC if the values continue to increase over time.

728029
Error Message    %ACE-6-728029: HA state for FtGroup variable1 changed from variable2 
to variable3 State variable4.
Explanation This message tracks state changes received from the redundant peer. Events that are not relevant to load balancing are ignored. This message is useful when tracking redundancy state changes to troubleshoot redundant peer synchronization problems.
variable1 specifies the (decimal) fault tolerant group ID.

variable2 and variable3 specify the previous and current state change event. Possible values are as follows:

•Active

•StartCfgSync

•StartBulkSync

•StartPeriodicSync

•StopSync

•StdbyCfg

•StdbyBulk

•StdbyHot

•StdbyCold

•BulkSyncDone

•NonRedundant

•None

•"???" (specifies an unidentified event)

variable4 specifies the state change action. Possible values are as follows:

•handled

•ignored

Recommended Action No action required.

728030
Error Message    %ACE-6-728030: Silently discarding HA data: variable1
Explanation Redundancy data must be discarded during load-balancing operations because the ACE could not process the data. The discarding of the data could affect seamless failover. This message is useful when troubleshooting redundant peer problems
variable1 specifies the reason for discarding data from the redundant peer. Possible values are as follows:

•Received unknown message type

•Received data packet in wrong HA state

Recommended Action No action required.

728031
Error Message    %ACE-3-728031: Memory mapping for debug logging failed. 
Explanation Memory mapping fails during initialization for debug logging. Load balancing continues, but no debug logging will occur, even if invoked from the command line.
Recommended Action Reboot the ACE to reinitialize the debug logging component (see the Cisco Application Control Engine Module Administration Guide for details). Rebooting may correct a transient mapping issue. If this error persists, contact Cisco TAC.

728032
Error Message    %ACE-LB_General-4-728032: Real Server variable1 in Serverfarm 
variable2 has reached configured threshold for HTTP retcode variable3
Explanation HTTP return codes were configured on a server farm and a specific real server has reached the configured return code threshold.
The variables displayed in this message represent the following:

•variable1—Specifies the name of the real server within the server farm.

•variable2—Specifies the name of the server farm.

•variable3—Specifies the HTTP return code value returned by the server which caused this message to be logged.

Recommended Action Review the types of client HTTP requests that cause these server return code responses. Look for return codes that indicate possible problems, for example, missing content or incorrect search paths.

729001
Error Message    %ACE-3-729001: Regular expression config download failed due to out of 
memory.  No regexp rules are currently applied on class-map map_name in 
service-policy policy_name.  Manual roll back to a previous regexp configuration 
on this service-policy is needed.
Explanation The regular expression table compilation process has run out of memory or encountered an error, causing inability to apply new rules to the specified service policy. The regular expression configuration downloaded in hardware for the service policy may not be in a known state due to this failure.
Recommended Action Remove some regular expressions or allocate more regular expression resources.

729002
Error Message    %ACE-4-729002: Regex resource usage beyond maximum limit for context 
context_id. Free up some resources.
Explanation This syslog message indicates that regex resources in use for the specified context (context_id) are above the maximum limit allowed by the resource class.
Recommended Action Decrease the minimum regex usage in the specified context to below the maximum limit.

729003
Error Message    %ACE-4-729003: Minimum regex resources could not be guaranteed for 
context context_id.
Explanation This syslog message indicates that the requested minimum regex resources could not be guaranteed in the specified context (context_id).
Recommended Action Contact the global administrator to request that other context administrators release regex resources.