Feedback
Table Of Contents
System Messages
This chapter lists the Cisco Application Control Engine (ACE) module system log messages. The messages are listed numerically by message code.
To view a list of the majority of variables used in ACE system log messages, see Table 1-2 in Chapter 1, Configuring System Message Logging. To view ACE system log messages listed by severity level, see Chapter 3, Messages Listed by Severity Level.
This chapter includes the following sections:
Messages 100001 to 199006
This section contains messages from 100001 to 199006.
100001
Error Message %ACE-2-100001: EOL function chars from library chars exited due to Signal decExplanation An error occurred in the CLI end of line (EOL) function.
Recommended Action None required.
106021
Error Message %ACE-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_nameExplanation Someone is attempting to spoof an IP address on an inbound connection. Unicast reverse path forwarding (RPF), also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on the ACE.
This message appears when you have enabled Unicast RPF with the ip verify reverse-path command (see the Cisco Application Control Engine Module Security Configuration Guide. Reverse path forwarding works on packets that are sent to an interface. If you configure this command on the outside, then the ACE checks packets arriving from the outside.
The ACE looks up a route based on the source address. If an entry is not found and a route is not defined, then this system log message appears and the connection is discarded.
If a route is defined, the ACE checks which interface to which it corresponds. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination. The ACE does not support asymmetric routing.
If the ACE is configured on an internal interface, it checks static route command statements or RIP, and if the source address is not found, then an internal user is spoofing their address.
Recommended Action Even though someone is attempting to spoof an IP address on an inbound connection, if this feature is enabled no user action is required. The ACE repels the attack.
106023
Error Message %ACE-4-106023: Deny protocol number | name src incoming-interface:src-ip dst outgoing-interface:dst-ip by access-group "acl-name"Explanation An IP packet was denied by the ACL. This message displays even if you do not have the log option enabled for an ACL. If a packet hits an input ACL, the outgoing interface will not be known. In this case, the ACE prints the outgoing interface as undetermined. The source IP and destination IP addresses are the unmapped and mapped addresses for the input and output ACLs, respectively, when used with NAT.
Recommended Action If messages persist from the same source address, messages may indicate a foot-printing or port-scanning attempt. Contact the remote host administrators.
106028
Error Message %ACE-1-106028: WARNING: ACL Merge configuration download timeout in context Admin. Error while processing merged list. Incomplete rule is currently applied on interface interface-name. Configuration on this interface needs to be manually reverted.Explanation The configuration manager timed out while waiting for the status of the ACL Merge process. New ACL entries are not applied to the specified interface and the ACL configuration downloaded in hardware for this interface may not be in a known state because of this failure.
Recommended Action Remove and recreate the affected interface to recover to a known state.
111008
Error Message %ACE-5-111008: User root executed the string commandExplanation This message is informational. The user entered a command that modified the configuration.
Recommended Action None required.
111009
Error Message %ACE-7-111009: User user executed cmd:stringExplanation This message is informational. The user entered a command that does not modify the configuration.
Recommended Action None required.
199006
Error Message %ACE-2-199006 : Orderly reload started at when by whom. Reload reason: reasonExplanation This message logs a reload record of the ACE and the reason for the reload.
The reason variable describes why the reload occurred. Possible reasons are as follows:
•
reload command
•
•
The when variable specifies the time at which the orderly reload operation begins.
The whom variable specifies the name of the user who entered the reload command. If the reload is caused by other reasons, System is specified.
Recommended Action None required.
199008
Error Message %ACE-6-199008: DC controller: channel_number reasonExplanation (ACE module only).This message is informational. The user entered a command that does not modify the configuration.
Recommended Action None required.
199009
Error Message %ACE-2-199009: NP Fatal Error: error_text detected, Contact Cisco TACExplanation The error_text variable can be any of the following NP interrupt errors:
•
•
•
•
•
•
•
•
•
•
•
•
Recommended Action Contact Cisco TAC.
Messages 211001 to 256002
This section contains messages from 211001 to 256002.
211001
Error Message %ACE-3-211001: Memory allocation Error [; SIP packet dropped from vlanSource_interface:source_real_address/source_real_port (0.0.0.0:0) to Unknown:destination_address_on_source_interface/destination_port_on_source_inter face (0.0.0.0:0)]Explanation Failed to allocate RAM system memory. The SIP portion of the message occurs when SIP packets are dropped due to a system resource error and displays the associated IP addresses.
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact Cisco TAC.
212007
Error Message %ACE-2-212007: SNMPD initialization failed while Variable1Explanation This is an SNMP message that is logged when the SNMP daemon fails to initialize. The SNMP daemon is created during device initialization.
The possible values of the Variable1 variable are as follows:
•
•
•
•
•
•
•
Recommended Action Reboot the ACE (see the Cisco Application Control Engine Module Administration Guide for details). If the SNMP daemon still fails to initialize, contact Cisco TAC and provide them with the output of show processes and show np commands.
212008
Error Message %ACE-3-212008: Failed while allocating memory in snmpdExplanation This is an SNMP message that is logged after a memory allocation failure in the SNMPD process. When this error occurs, SNMPD processes (for example, SNMP Get/GetNext responses, trap generation, or SNMP CLI) may be affected.
Recommended Action Check for the system memory using the show system command. If the ACE is low on memory, reboot it (see the Cisco Application Control Engine Module Administration Guide for details). If the memory is not low, contact the Cisco TAC and provide them with the output of the show system resources and show processes cpu memory commands.
251001
Error Message %ACE-3-251001: Probe configuration error, memory allocation failure.Explanation The ACE does not have enough memory to support the specified probe configuration. When the Config Manager sends a probe configuration to the Health Monitor module, the Health Monitor module needs to reserve memory to set up the probe. If memory is not available when the Health Monitor is setting up the probe, the syslog message is sent.
Recommended Action Reduce the size of the probe configuration.
251002
Error Message %ACE-4-251002: The configured health probe script script-name for server A.B.C.D on port P is emptyExplanation An empty script is configured for the scripted health probe for server A.B.C.D on port P.
Recommended Action Update the script file with appropriate probe information, unload, and then reload the script (see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for details). You can also reconfigure the health probe to use a nonempty script.
251003
Error Message %ACE-3-251003: Could not load script script-name - File not foundExplanation The ACE is unable to find the script file that it needs to load.
Recommended Action Create a new script file, unload the old file, and then load the new file (see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for details).
251004
Error Message %ACE-3-251004: Could not load script script-name - memory allocation failureExplanation The ACE does not have sufficient memory to load the specified script file.
Recommended Action Reduce the size of the configuration or unload any unused script files.
251005
Error Message %ACE-4-251005: Could not unload script script-nameExplanation The ACE is unable to load the specified script file due to an internal error.
Recommended Action Contact Cisco TAC if this error frequently occurs.
251006
Error Message %ACE-3-251006: Health probe failed for server A.B.C.D on port P, internal error: error messageExplanation The configured service on port P of server A.B.C.D failed its health checks because the ACE encountered an internal error while performing the probe. Because the error is internal to the system, the real health of the server is unknown.
The possible values of the error message variable are as follows:
•
•
•
•
•
•
•
•
•
•
•
•
Recommended Action Contact Cisco TAC if this error frequently occurs.
251007
Error Message %ACE-3-251007: ICMP health probe failed for server A.B.C.D, internal error: error messageExplanation The configured service on port P of server A.B.C.D failed its health checks because the ACE encountered an internal error while performing the ICMP probe. Because the error is internal to the system, the real health of the server is unknown.
The possible values of the error message variable are as follows:
•
•
•
•
•
Recommended Action Contact Cisco TAC if this error frequently occurs.
251008
Error Message %ACE-3-251008: Health probe failed for server A.B.C.D on port P, connectivity error: server open timeout (no SYN ACK)Explanation The configured service on port P of server A.B.C.D failed its health checks because a probe was unable to reach the server due to network problem.
Recommended Action Verify network connectivity to the server, and then reprobe the server.
251009
Error Message %ACE-3-251009: ICMP health probe failed for server A.B.C.D, connectivity error: error messageExplanation The configured real server A.B.C.D failed its health checks because an ICMP health probe was unable to reach the server due to a network connectivity problem.
The possible values of the error message variable are as follows:
•
•
•
•
•
•
Recommended Action Verify network connectivity to the server, and then reprobe the server.
251010
Error Message %ACE-3-251010: Health probe failed for server A.B.C.D on port P, error messageExplanation The configured service on port P of server A.B.C.D failed its health checks because the server response is not as expected.
The possible values of the error message variable are as follows:
•
•
•
•
•
•
•
•
•
•
•
•
Recommended Action Check the service running on the affected server.
251011
Error Message %ACE-3-251011: ICMP health probe failed for server A.B.C.D, error message.Explanation The configured real server A.B.C.D failed its health checks because the ICMP server response is not as expected.
The possible values of the error message variable are as follows:
•
•
•
•
•
•
•
•
Recommended Action Check the service running on the affected server.
251012
Error Message %ACE-3-251012: Could not load script script-name - Error reading script-fileExplanation The ACE is unable to read the script file that it is attempting to load. The file may be corrupted.
Recommended Action Verify if the file contents are correct. If correct, unload, and then reload the script file (see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for details). If necessary, create a new script file. Unload the old file, and then load the new file.
251013
Error Message %ACE-3-251013: Could not load script script-name - Error getting file sizeExplanation This message is logged when the ACE is unable to determine the script file size. Before a script file can be loaded, the ACE needs determine its size so the appropriate amount of memory can be allocated.
Recommended Action Verify if the file contents are correct. If correct, unload, and then reload the script file (see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for details). If necessary, create a new script file. Unload the old file, and then load the new file.
251014
Error Message %ACE-3-251014: Could not probe server IP_address on port port_number for number consecutive tries - Internal error.Explanation The health probe could not be sent because of an internal error. The probe is skipped.
Recommended Action Remove and then readd the probe to the real server or server farm.
253001
Error Message %ACE-6-253001: Certificate certificate_information expiredExplanation This message is logged during the SSL handshake when client authentication is enabled. The ACE determines that the certificate has expired.
Recommended Action None required.
253002
Error Message %ACE-6-253002: Certificate certificate_information not yet validExplanation This message is logged during the SSL handshake when client authentication is enabled. The ACE determines that the certificate is not currently valid.
Recommended Action None required.
253003
Error Message %ACE-6-253003: Certificate client_information is signed by an unknown CAExplanation This message is logged during the SSL handshake when a client attempts to connect with a certificate that was signed by an unknown CA (the certificate is not part of the authgroup for this VIP's SSL proxy).The client_information variable is the subject name of the client certificate.
Recommended Action None required.
253004
Error Message %ACE-6-253004: Certificate subject_of_certificate revoked, ssl-proxy: proxy_name, reason: reasonExplanation This message is logged during the SSL handshake when client or server authentication is enabled. The ACE determines that the certificate has been revoked by the CA. The subject_of_certificate variable is the subject field of the certificate. The proxy_name variable is the name of the SSL proxy service. The reason variable is the reason for the revocation of the certificate and has one of the following messages:
•
revoked—The certificate is revoked by the CA.•
no workable cdps in cert—The certificate does not have a workable CRL distribution point (CDP). A CDP indicates the location of the CRL in the form of a URL.•
crl download failure—The download of the CRL failed.Recommended Action None required.
253005
Error Message %ACE-6-253005: Signature for certificate_information is invalidExplanation This message is logged during the SSL handshake when client authentication is enabled. The ACE determines that the signature for the certificate is invalid.
Recommended Action None required.
253006
Error Message %ACE-6-253006: Error peer sent invalid or nonexistent certificate subject_of_peer_certificate, reason: reasonExplanation This message is logged during the SSL handshake when client authentication is enabled. The ACE determines a certificate is invalid or nonexistent. The subject_of_peer_certificate variable is the subject field of the peer certificate. The reason variable is the reason for rejecting the certificate and can be one of the following messages:
–
–
–
Recommended Action None required.
253007
Error Message %ACE-6-253007: Certificate in file file_name is expiredExplanation This message is logged when the ACE attempts to use a certificate that has expired. X509 certificates have a fixed lifetime. If the ACE uses an expired certificate in an SSL handshake, the client may reject the connection. The file_name variable is the name of the file where the certificate resides.
Recommended Action Obtain a new certificate and replace the expired one.
253008
Error Message %ACE-6-253008: CRL crl_name could not be retrieved, reason: reasonExplanation This message is logged when the ACE failed to retrieve a CRL. If you define CRL checking for SSL client authentication, the ACE periodically retrieves a CRL. Due to a variety of reasons, these attempts can occasionally fail. The crl_name variable is the name of the CRL as defined by the crypto crl command. The reason variable is the reason for the CRL download failure. and can be one of the following messages:
–
DNS error–
host conn timeoutmemory outage–
crl max size limit violation–
crl cache full–
crl data/file not found–
invalid format of data–
crl signature mismatch–
next update field erroneous–
next update field expired–
internal error–
not okay to download–
http connection error–
http file read error–
http request writing error–
ldap bind error–
ldap search errorRecommended Action Check to see if there is a network connectivity problem or if the server location of the CRL has changed.
253009
Error Message %ACE-6-253009: Certificate in file file_name is not yet validExplanation X509 certificates have a fixed lifetime. This message is logged when a certificate that is not currently valid is used in an SSL handshake. This event may cause the client to reject the connection. The file_name variable is the name of the file where the certificate resides.
Recommended Action Use a certificate that is currently valid.
253010
Error Message %ACE-3-253010: Configuration failure: Certificate in file certificate_name and key in file key_name do not matchExplanation This message is logged when the certificate and key do not match. As a result, the SSL handshake fails and the ACE does not download the unmatched certificate and key in the configuration. Note that a X509 certificate has a matching private key. The certificate_name variable is the name of the certificate file. The key_file variable is the name of the key file.
Recommended Action Verify that the correct certificate and key are in use in the SSL-proxy service. If necessary, modify the SSL-proxy service to contain the correct files.
253011
Error Message %ACE-6-253011: The CRL crl_Name may not be from a trusted source. Signature mismatch detected for CRL.Explanation When the ACE performs signature verification on a CRL with a CA certificate configured with the crypto crlparams command, it detects a signature mismatch. Either the CRL (crl_name) download failed or the CRL has been removed from the ACE.
Recommended Action Verify the CRL configuration for the crypto crlparams command.
253012
Error Message %ACE-2-253012: Crypto file storage failure: All certificates/keys were removed. Error: text_stringExplanation A system failure deleted the SSL services internal database of certificates and keys. The text_string variable can be one of the following:
•
Corrupted certificates/keys metadata found•
Out of resources while trying to store certificates/keys metadataRecommended Action Contact Cisco TAC and send them the message output. Reimport the certificates and keys to maintain the integrity of the SSL services.
254001
Error Message %ACE-4-254001: ACL resource usage beyond maximum limit for context context_id. Free up some resources.Explanation This message indicates that ACL resources in use for the specified context (context_id) are above the maximum limit allowed by the resource class.
Recommended Action Decrease the minimum ACL usage in the specified context to below the maximum limit.
254002
Error Message %ACE-4-254002: Minimum ACL resources could not be guaranteed for context context_id.Explanation This message indicates that the requested minimum ACL resources could not be guaranteed in the specified context (context_id).
Recommended Action Contact the global administrator to request that other context administrators release ACL resources.
255001
Error Message %ACE-5-255001: Backup for context ctx_name is successfulExplanation This message indicates that the backup of the context specified by the ctx_name variable was successful.
Recommended Action No user action is required. The backup archive was created in disk0:. For more details, enter the show backup status detail command.
255002
Error Message %ACE-5-255002: Backup for all contexts is successfulExplanation This message indicates that the backup of the entire ACE performed from the Admin context was successful.
Recommended Action No user action is required.The backup archive was created in disk0:. For more details, enter the show backup status detail command.
255003
Error Message %ACE-3-255003: Backup for context <ctx_name> failed for component <component> due to <reason>Explanation This message indicates that the backup of the context specified by the ctx_name variable has failed. Possible values of the component variable are as follows:
•
•
•
•
•
•
•
Possible values of the reason variable are as follows:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Recommended Action To troubleshoot the backup failure, enter the show backup status and the show backup errors commands.
255004
Error Message %ACE-3-255004: Backup for all contexts failed in context <ctx_name> for component <component> due to <reason>Explanation This message indicates that the backup of all contexts in the ACE performed from the Admin context has failed. Possible values of the component variable are as follows:
•
•
•
•
•
•
•
Possible values of the reason variable are as follows:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Recommended Action To troubleshoot the backup failure, enter the show backup status and the show backup errors commands.
255005
Error Message %ACE-5-255005: Restore for context ctx_name is successfulExplanation This message indicates that the restore of the context specified by the ctx_name variable was successful.
Recommended Action No user action is required. For more details, enter the show restore status detail command.
255006
Error Message %ACE-5-255006: Restore for all contexts successfulExplanation This message indicates that the restore of all contexts in the ACE performed from the Admin context was successful.
Recommended Action No user action is required. For more details, enter the show restore status detail command.
255007
Error Message %ACE-2-255007: Restore for context <ctx_name> failed for component <component> due to <reason>Explanation This message indicates that the restore of the context specified by the ctx_name variable has failed. Possible values of the component variable are as follows:
•
•
•
•
•
•
•
Possible values of the reason variable are as follows:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Recommended Action To troubleshoot the restore failure, enter the show restore status and the show restore errors commands.
255008
Error Message %ACE-2-255008: Restore for all contexts failed in context <ctx_name> for component <component_name> due to <reason>Explanation This message indicates that the restore of all contexts in the ACE performed from the Admin context has failed. Possible values of the component variable are as follows:
•
•
•
•
•
•
•
Possible values of the reason variable are as follows:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Recommended Action To troubleshoot the restore failure, enter the show restore status and the show restore errors commands.
256001
Error Message %ACE-3-256001: Failed to login to vcenter, reason: reason.Explanation A record error occurred because of a problem with the connection to the VMware vCenter Server. Except in the case of a duplicate IP address, the ACE drops the request. The reason variable can be either of the following:
–
–
Recommended Action Verify the web service server configuration and network connectivity.
256002
Error Message %ACE-3-256002: Failed to retrieve load value for vm ip_address, reason: reason.Explanation An error occurred while trying to obtain load information for a particular virtual machine (VM) from the vCenter server. Except in the case of a duplicate IP address, the ACE drops the request. The reason variable can be either of the following:
–
–
Recommended Action Verify the real server list and VM probe configuration. This issue may also be caused by vCenter errors.
257001
Error Message %ACE-2-257001, nexus-device polling failed with error: <%s>.Explanation The ACE attempted to poll the Nexus 7000 series switch for VM locality information, but the request failed. The possible failure reasons are as follows:
–
–
–
–
–
Recommended Action Verify the connectivity between the ACE and the Nexus 7000 series switch.
Messages 302022 to 327001
This section contains messages from 302022 to 327001.
302022
Error Message %ACE-6-302022: Built TCP connection id for interface:real-address/real-port (mapped-address/mapped-port) to interface:real-address/real-port (mapped-address/mapped-port)Explanation This informational message is logged when a TCP connection slot between two hosts is created.
Recommended Action None required.
302023
Error Message %ACE-6-302023: Teardown TCP connection id for interface:real-address/real-port (mapped-address/mapped-port) to interface:real-address/real-port (mapped-address/mapped-port) duration hh:mm:ss bytes bytes [reason]Explanation This informational message is logged when a TCP connection slot between two hosts is terminated.
The reason variable presents the action that causes the connection to terminate. Table 2-1 lists the TCP termination causes.
Recommended Action None required.
302024
Error Message %ACE-6-302024: Built UDP connection id for interface:real-address/real-port (mapped-address/mapped-port) to interface:real-address/real-port (mapped-address/mapped-port)Explanation A UDP connection slot between two hosts was added.
Recommended Action None required.
302025
Error Message %ACE-6-302025: Teardown UDP connection id for interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes bytesExplanation A UDP connection slot between two hosts was deleted.
Recommended Action None required.
302026
Error Message %ACE-6-302026: Built ICMP connection for faddr/NATed_ID gaddr/icmp_type laddr/icmpIDExplanation An ICMP session was established.
Recommended Action None required.
302027
Error Message %ACE-6-302027: Teardown ICMP connection for faddr/NATed ID gaddr/icmp_type laddr/icmpIDExplanation An ICMP session was removed.
Recommended Action None required.
302028
Error Message %ACE-6-302028: Built TCP connection id for interface: real-address/real-port (mapped-address/mapped-port) to interface: real-address/real-port (mapped-address/mapped-port)Explanation A TCP connection slot between two hosts was created.
Recommended Action None required.
302029
Error Message %ACE-6-302029: Teardown TCP connection id for interface: real-address/real-port to interface: real-address/real-port duration hh:mm:ss bytes bytes [reason]Explanation A TCP connection between two hosts was terminated.
The reason variable presents the action that causes the connection to terminate. Table 2-1 lists the TCP termination causes.
Recommended Action None required.
302030
Error Message %ACE-6-302030: Built UDP connection id for interface: real-address/real-port (mapped-address/mapped-port) to interface: real-address/real-port (mapped-address/mapped-port)Explanation A UDP connection slot between two hosts was added.
Recommended Action None required.
302031
Error Message %ACE-6-302031: Teardown UDP connection id for interface: real-address/real-port to interface: real-address/real-port duration hh:mm:ss bytes bytesExplanation A UDP connection slot between two hosts was deleted.
Recommended Action None required.
303003
Error Message %ACE-6-303003: FTP cmd_name command denied - failed strict inspection, terminating connection from source_interface:source_address/source_port to dest_interface:dest_address/dest_portExplanation The ACE module is using strict inspection on FTP traffic. This message displays if an FTP request command is denied by the strict FTP inspection policy from the ftp-map command.
Recommended Action None required.
303004
Error Message %ACE-5-303004: FTP cmd_string command unsupported - failed strict inspection, terminating connection from source_interface:source_address/source_port to dest_interface:dest_address/dest_interfaceExplanation The ACE module is using strict FTP inspection on FTP traffic. This message displays if an FTP request message contains a command that is not recognized by the device.
Recommended Action None required.
304001
Error Message %ACE-5-304001: user source_address Accessed {URL} dest_address: url.Explanation This is a URL message that is logged when the specified host attempts to access the specified URL.
Recommended Action None required.
305009
Error Message %ACE-6-305009: Built {dynamic|static} translation from interface_name [(acl-name)]:real_address to interface_name:mapped_addressExplanation An address translation slot was created. The slot translates the source address from the local side to the global side. In reverse, the slot translates the destination address from the global side to the local side.
Recommended Action None required.
305010
Error Message %ACE-6-305010: Teardown {dynamic|static} translation from interface_name:real_address to interface_name:mapped_address duration timeExplanation An address translation slot was deleted. The duration time variable displays the total duration time, which is the time that the entry was created until it expired and applies to dynamic NAT or PAT only.
Recommended Action None required.
305011
Error Message %ACE-6-305011: Built {dynamic|static} {TCP|UDP|ICMP} translation from interface_name:real_address/real_port to interface_name:mapped_address/mapped_portExplanation A TCP, UDP, or ICMP address translation slot was created. The slot translates the source socket from the local side to the global side. In reverse, the slot translates the destination socket from the global side to the local side.
Recommended Action None required.
305012
Error Message %ACE-6-305012: Teardown {dynamic|static} {TCP|UDP|ICMP} translation from interface_name:real_address/{real_port|real_ICMP_ID}to interface_name:mapped_address/{mapped_port|mapped_ICMP_ID} duration timeExplanation An address translation slot was deleted. The duration time variable displays the total duration time, which is the time that the entry was created until it expired and applies to dynamic NAT or PAT only.
Recommended Action None required.
313004
Error Message %ACE-4-313004: Denied ICMP type=icmp_type, from source_address on interface interface_name to dest_address:no matching sessionExplanation ICMP packets were discarded by the ACE because of security checks added by the stateful ICMP feature. These ICMP packets are discarded for any of the following reasons:
•
•
Recommended Action None required.
313006
Error Message %ACE-1-313006: ICMP Manager Initialization Failed. Reason : Variable1Explanation The ICMP Manager running on the Control Plane of the ACE fails to start.
The possible values of the Variable1 variable are as follows:
•
•
•
•
•
Recommended Action The ACE should automatically reboot the card. If not, try rebooting manually. If the problem still exists, contact Cisco TAC and provide them with the output of show tech-support command.
313007
Error Message %ACE-1-313007: ICMP Manager Memory Problem. Reason: Variable1Explanation The ACE reports ICMP-related memory failures.
The possible values of the Variable1 variable are as follows:
•
•
•
•
Recommended Action Reboot the ACE (see the Cisco Application Control Engine Module Administration Guide for details). If the problem persists, contact Cisco TAC and provide them with the following command output:
•
•
314001
Error Message %ACE-6-314001: Allocate media connection from ip_address1/port1 to ip_address2/port2Explanation The Cisco ASA opened an RTSP connection for the specified IP addresses and ports.
Recommended Action None required.
322001
Error Message %ACE-3-322001: Deny MAC address MAC_address, possible spoof attempt on interface interfaceExplanation The ACE received a packet from the offending MAC address on the specified interface, but the source MAC address in the packet is statically bound to another interface in your configuration. This situation can be caused by either a MAC-spoofing attack or a misconfiguration.
Recommended Action Check the configuration and take appropriate action by either finding the offending host or modifying the configuration.
322002
Error Message %ACE-3-322002: ARP inspection check failed for arp {request|response} received from host MAC_address on interface interface. This host is advertising MAC Address MAC_address_1 for IP Address IP_address, which is {statically|dynamically} bound to MAC Address MAC_address_2.Explanation If ARP inspection is enabled, the ACE checks whether a new ARP entry advertised in the packet conforms to the statically configured or dynamically learned IP-MAC address binding before forwarding ARP packets. If this check fails, the ACE drops the ARP packet and generates this message. This situation can be caused by either ARP spoofing attacks in the network or an invalid configuration (IP-MAC binding).
Recommended Action If the cause is an ARP spoofing attack, deny the host by using an ACL. If the cause is an invalid configuration, correct the binding (see the Cisco Application Control Engine Module Routing and Bridging Configuration Guide for details).
322003
Error Message %ACE-3-322003: ARP inspection check failed for arp {request|response} received from host MAC_address on interface interface. This host is advertising MAC Address MAC_address_1 for IP Address IP_address, which is not bound to any MAC Address.Explanation If ARP inspection is enabled, the ACE checks whether a new ARP entry advertised in the packet conforms to the statically configured IP-MAC address binding before forwarding ARP packets. If this check fails, the ACE drops the ARP packet and generates this message. This situation may be caused by either ARP spoofing attacks in the network or an invalid configuration (IP-MAC binding).
Recommended Action If the cause is an attack, deny the host by using an ACL. If the cause is an invalid configuration, correct the binding (see the Cisco Application Control Engine Module Routing and Bridging Configuration Guide for details).
327001
Error Message %ACE-3-327001: Detected Encap table Full when allocating encap entry for IP interface interface_nameExplanation The Encap table size is limited to 32,000 entries. This message is logged when trying to allocate an encap entry after the limit is reached.
Recommended Action Use the clear arp command to remove any unused or invalid table entries.
Messages 400000 to 444007
This section contains messages from 400000 to 444007.
400000
Error Message %ACE-4-400000: IDS:1000 IP Option Bad Option List from IP_address to IP_address on interface interface_nameExplanation Cisco Intrusion Detection System signature message. The ACE does not support IP options. This IDS message is generated whenever the ACE detects IP options in a packet.
Recommended Action See the Cisco Intrusion Detection System User Guide.
405001
Error Message %ACE-4-405001: Received ARP {request | response} collision from IP_address/mac_address on interface interface_nameExplanation The ACE received an ARP packet, and the MAC address in the packet differs from the ARP cache entry. This traffic may be legitimate, or it may indicate that an ARP poisoning attack is in progress.
Recommended Action Check the source MAC address to determine where the packets are coming from and determine if the host is valid.
405201
Error Message %ACE-4-405201: ILS ctxid from vlan x:src_ip/src_prt to vlan y:dst_ip/dst_prt has wrong embedded address embedded addr in ILS payloadExplanation The embedded IP address in the ILS packet payload is not same as the source IP address of the IP packet header.
Recommended Action Check the host with the specified source IP address to determine why it sent an ILS packet with an incorrect embedded IP address.
406001
Error Message %ACE-4-406001: FTP port command low port: IP_address/port to IP_address on interface interface_nameExplanation A client issued an FTP port command with a port number less than 1024; in the well-known port range, this number is typically devoted to server ports. This error message indicates an attempt to avert the site security policy. The Cisco ASA drops the packet, terminates the connection, and logs the event.
Recommended Action None required.
406002
Error Message %ACE-4-406002: FTP port command different address: IP_address(IP_address) to IP_address on interface interface_nameExplanation A client issued an FTP port command with an address other than the address used in the connection. This error message indicates that an attempt was made to avert the site security policy. The address in parentheses is the address from the port command. For example, an attacker may attempt to hijack an FTP session by changing the transmitted packet and putting different source information instead of the correct source information. The security appliance drops the packet, terminates the connection, and logs the event.
Recommended Action None required.
410001
Error Message %ACE-4-410001: Dropped UDP DNS packet_type from source_interface:source_address/source_port to dest_interface:dest_address/dest_port; error_length_type length length bytes exceeds max_length_type limit of maximum_length bytes.Explanation The domain-name length exceeds 255 bytes in a UDP DNS packet. (See RFC 1035 section 3.1.)
Recommended Action None required.
411001
Error Message %ACE-4-411001: Line protocol on interface interface_name changed state to upExplanation The status of the line protocol has changed from down to up.
Recommended Action None required.
411002
Error Message %ACE-4-411002: Line protocol on interface interface_name changed state to downExplanation The status of the line protocol has changed from up to down.
Recommended Action If this event on the interface is unexpected, check the line.
411003
Error Message %ACE-4-411003: Interface interface_name changed state to administratively upExplanation The configuration status of the interface has changed from down to up.
Recommended Action If this event on the interface is unexpected, check the line.
411004
Error Message %ACE-4-411004: Interface interface_name changed state to administratively downExplanation The configuration status of the interface has changed from up to down.
Recommended Action None required.
412001
Error Message %ACE-4-412001: MAC MAC_address moved from interface_1 to interface_2Explanation The ACE detects that a host was moved from one appliance interface to another. In a transparent ACE, mapping between the host (MAC) and the ACE port is maintained in a Layer 2 forwarding table. The table dynamically binds packet source MAC addresses to an ACE port. When movement of a host from one interface to another interface is detected during this binding process, this error message is generated.
The host move may be valid or the host move may be an attempt to spoof host MACs on other interfaces.
Recommended Action You can take one of these actions:
•
•
415004
Error Message %ACE-5-415004:HTTP - matched mime_type in policy-map policy_map_name, content-type verification failed from source_address to dest_address/port_num Connection connection_IDExplanation The match content-type-verification command is configured and a MIME type in the content-type HTTP header field is found in the list of policies of allowed types. However, the expected number in the body of the message is not the correct number to identify a file of that type. This behavior is unusual and could indicate an attempt to smuggle contraband data over the connection.
Recommended Action None required.
415006
Error Message %ACE-5-415006: HTTP - matched class_map_name in policy_map_name, URI matched connection_action from source_address/port_num to dest_address/port_num Connection connection_IDExplanation The URI matches the regular expression that the user configured.
Recommended Action None required.
415007
Error Message %ACE-5-415007: HTTP - matched class_map_name in policy-map policy_map_name, Body matched connection_action from IP_address/port_num to IP_address/port_num Connection connection_IDExplanation The body matches the regular expression that the user configured.
Recommended Action None required.
415008
Error Message %ACE-5-415008: HTTP - matched class_map_name in policy-map policy_map_name, Header matched connection_action from IP_address/port_num to IP_address/port_num Connection connection_IDExplanation The header matches the regular expression that the user configured.
Recommended Action None required.
415009
Error Message %ACE-5-415009: HTTP - matched class_map_name in policy-map policy_map_name, method matched - connection_action from IP_address/port_num to IP_address/port_num Connection connection_IDExplanation The request method matches the regular expression that the user configured.
Recommended Action None required.
415010
Error Message %ACE-5-415010: HTTP - matched class_map_name in policy-map policy_map_name, transfer encoding matched connection_action from IP_address/port_num to IP_address/port_num Connection connection_IDExplanation The transfer or content encoding matches the regular expression that the user configured.
Recommended Action None required.
415011
Error Message %ACE-5-415011: HTTP - policy-map policy_map_name:Protocol violation connection_action from IP_address/port_num to IP_address/port_num Connection connection_IDExplanation The HTTP parser cannot detect a valid HTTP message in the first few bytes of an HTTP message. A user may be running a protocol over the port for HTTP transactions. This action violates the user-configured policy.
Recommended Action None required.
415021
Error Message %ACE-5-415021: HTTP - matched class_map_name in policy-map policy_map_name, URI length range matched connection_action from source_address/port_num to dest_address/port_num Connection connection_IDExplanation The URI length is within the range that the user configured.
Recommended Action None required.
415022
Error Message %ACE-5-415022: HTTP - matched class_map_name in policy_map_name, Header length range matched connection_action from source_address/port_num to dest_address/port_num Connection connection_IDExplanation The header length is within the range that the user configured.
Recommended Action None required.
415023
Error Message %ACE-5-415023: HTTP - matched class_map_name in policy-map policy_map_name, body length range matched connection_action from source_interface:source_address/port_num to dest_interface:dest_address/port_num Connection connection_IDExplanation The body length is within the range that the user configured.
Recommended Action None required.
415024
Error Message %ACE-5-415024:HTTP - matched class_map_name in policy-map policy_map_name, Header content type matched connection_action from IP_address/port_num to IP_address/port_num Connection connection_IDExplanation The header content type matches the regular expression that the user configured.
Recommended Action None required.
415025
Error Message %ACE-5-415025: HTTP policy_map_name - Tunnel detected - connection_action from IP_address/port_num to IP_address/port_num connection connection_IDExplanation A tunneling protocol is detected in the HTTP content. A user may be running a tunneling protocol using HTTP as the transport. This action violates the user-configured policy.
Recommended Action None required.
415026
Error Message %ACE-5-415026: HTTP policy_map_name: Instant Messenger detected connection_action from IP_address/port_num to IP_address/port_num connection connection_IDExplanation An instant messenger protocol is detected in the HTTP content. A user may be running an instant messenger protocol using HTTP as the transport. This action violates the user-configured policy.
Explanation None required.
415027
Error Message %ACE-5-415027: HTTP policy_map_name: Peer-to-Peer detected connection_action from IP_address/port_num to IP_address/port_num connection connection_IDExplanation A peer-to-peer protocol is detected in the HTTP content. A user may be running a peer-to-peer protocol using HTTP as the transport. This action violates the user-configured policy.
Recommended Action None required.
440002
Error Message %ACE-3-440002: Addition failed for variable 1Explanation An error occurred for the SNMP Shadow Table Addition. SNMP Get/Get-Next requests may fail on the table name specified by variable 1.
Recommended Action Check the memory-related information in the system. Enter the show processes cpu memory command and locate the MemAlloc column in the output.
440003
Error Message %ACE-3-440003: Deletion failed for variable 2Explanation An error occurred for the SNMP Shadow Table Deletion. A deletion failure may result in a memory leak or wrong or nonexistent values being returned for subsequent Get/Get-Next requests on the table name specified by variable 2.
Recommended Action Check the memory-related information in the system. Enter the show processes cpu memory command and locate the MemAlloc column in the output.
441001
Error Message %ACE-5-441001: Serverfarm name failed over to backupServerfarm (backup_name) in policy_map (lb_Policy_Map). Number of failovers = count1, number of times back in service = count2Explanation A serverfarm failover event has occurred. The name variable is the name of the serverfarm. The backup_name is the name of the backup serverfarm. The lb_Policy_Map is the name of the load-balancing policy map. The count1 variable is the number of times that the primary serverfarm failed over to the backup serverfarm. The count2 variable is the number of times the primary serverfarm returned to service.
Recommended Action None required.
441002
Error Message %ACE-5-441002: Serverfarm name is back in service in policy_map (lb_Policy_Map). Number of failovers = count1, number of times back in service = count2Explanation A serverfarm in service event has occurred. The name variable is the name of the serverfarm. The lb_Policy_Map is the name of the load-balancing policy map. The count1 variable is the number of times that the primary serverfarm failed over to the backup serverfarm. The count2 variable is the number of times the primary serverfarm returned to service.
Recommended Action None required.
441003
Error Message %ACE-5-441003: Serverfarm (name) failed in policy_map (policy_name) --> class_map (cmap_name) without backup. Number of failovers = count1, number of times back in service = count2Explanation This syslog message is generated when a server farm has failed without a backup server farm. The count1 variable is the number of times that the primary server farm failed over to the backup server farm. The count2 variable is the number of times the primary server farm returned to service.
Recommended Action None required.
441004
Error Message %ACE-5-441004: Starting the loadbalancing on remote VMs for serverfarm name, reason: reasonExplanation The reason variable can be any one of the following:
–
–
–
–
Recommended Action None required. This syslog is for informational purposes only.
441005
Error Message %ACE-5-441005: Stopping the loadbalancing on remote VMs for serverfarm name, reason: reasonExplanation The reason variable has the following value:
Average CPU and memory load for local VMs crossed below the maximum threshold.When the average load of the VMs in the server farm of the local data center drops below the configured minimum CPU and memory usage threshold, the ACE stops bursting traffic to the VMs in the remote data center and continues to load balance traffic locally.Recommended Action None required.
441006
Error Message %ACE-4-441006: Starting the loadbalancing on remote VMs for serverfarm name, but no operational remote VMs available for remote loadbalancingExplanation The average load of the virtual machines (VMs) in the server farm of the local data center reached or exceeded the configured maximum CPU or memory usage threshold, but the ACE could not find any VMs in the remote data center for load balancing.
Recommended Action Configure new VMs (either local or remote) under the server farm to reduce the load on the local VMs or use the show serverfarm detail command to see if one or more real servers in the server farm are unexpectedly down. If so, try to bring them back into service.
442001
Error Message %ACE-4-442001: Health probe probe name detected real_server_name (interface interface_name) in serverfarm sfarm_name changed state to UPExplanation The state of a real server changed from down to up.
Recommended Action None required.
442002
Error Message %ACE-4-442002: Health probe probe name detected real_server_name (interface interface_name) in serverfarm sfarm_name changed state to DOWNExplanation The state of a real server changed from up to down.
Recommended Action None required.
442003
Error Message %ACE-4-442003: Real Server real_server_name in serverfarm sfarm_name changed state to new stateExplanation This message reports a real server state change.
The new state variable can be one of the following:
•
•
•
•
When you configure the inband health monitoring (HM) action as remove, the configured threshold for inband HM is crossed. This message is generated when the control plane receives a threshold crossed notification from the network processors and moves the real server to INBAND-HM-FAILED state.
Recommended Action None required.
However, if you configured the Inband HM action as remove and did not configure a resume-service value, the real server remains in the INBAND-HM-FAILED state until you manually suspend it and then reactivate it.
442004
Error Message %ACE-4-442004: Health probe probe name detected real_server_name (interface interface_name) changed state to UPExplanation The state of a real server changed from down to up.
Recommended Action None required.
442005
Error Message %ACE-4-442005: Health probe probe name detected real_server_name (interface interface_name) changed state to DOWNExplanation The state of a real server changed from up to down.
Recommended Action None required.
442006
Error Message %ACE-4-442006: Real Server Real Server name changed state to inService/outOfService>Explanation Whenever a real server is manually placed in service or taken out of service, this syslog is generated. Also, this syslog is generated if there is an indication from the data plane about the state change of the real server.
Recommended Action None required. This syslog is for informational purposes only.
442007
Error Message %ACE-4-442007: VIP in class: 'VIP' changed state from OUTOFSERVICE/INSERVICE to INSERVICE/OUTOFSERVICEExplanation When a server farm transitions from the INSERVICE or OUTOFSERVICE state, the VIP state changes respectively and this syslog is generated.
Recommended Action None required. This syslog is for informational purposes only.
442008
Error Message %ACE-5-442008: Locality state for rserver name has changed to remote or localExplanation This syslog is generated when a real server's locality changes from local to remote or from remote to local.
Recommended Action None required. This syslog is for informational purposes only.
443001
Error Message %ACE-2-443001: System experienced fatal failure. Char, reloading systemExplanation If the ACE encounters a fatal error and reloads, it displays the module or service name and reboots. The Char variable can be one of the following:
•
•
•
Recommended Action Check the core file. The show version command output displays the reason for the failure in the last boot reason field.
444001
Error Message %ACE-2-444001: License checkout failure for feature feature_name reasonExplanation A license checkout error has occurred for a specified feature due to the reported reason.
Recommended Action Contact Cisco TAC.
444002
Error Message %ACE-5-444002: Installed license file license_file_nameExplanation The license installation completed for the specified license filename.
Recommended Action Use the show license usage command to verify that this license installed.
444003
Error Message %ACE-5-444003: Uninstalled license file license_file_nameExplanation The license uninstall completed for the specified license filename.
Recommended Action Use the show license usage command to verify that the license uninstalled.
444004
Error Message %ACE-2-444004: Evaluation license expired for feature feature_nameExplanation The license for the specified feature has exceeded the evaluation time period. All the licensed feature specific configurations are removed.
Recommended Action Install a new license for this feature to use it.
444005
Error Message %ACE-4-444005: Evaluation license for feature feature_name will expire in num_days days num_hours hoursExplanation The specified license will exceed its evaluation time period after specified duration as designated in the days and hours remaining. All the licensed feature specific configurations will be removed after the license expires.
Recommended Action Install new license to continue to use the feature without any interruption.
444006
Error Message %ACE-1-444006: License manager exiting: reasonExplanation The license manager exits due to the reported reason.
Recommended Action Contact Cisco TAC.
444007
Error Message %ACE-4-444007: Installed feature_name license on Revision 6 or older hardware, will not take effect until next reboot.Explanation The installed 16G throughput license on Revision 6 or older hardware does not take effect until the next ACE reboot.
Recommended Action Reboot the ACE after saving the current running configuration.
Messages 504001 to 504003
This section contains messages from 504001 to 504003.
504001
Error Message %ACE-5-504001: Security context context-name was added to the systemExplanation A security context was successfully added to the system.
Recommended Action None required.
504002
Error Message %ACE-5-504002: Security context context-name was removed from the systemExplanation A security context was successfully removed from the system.
Recommended Action None required.
504003
Error Message %ACE-4-504003: Admin context is not guaranteed of one or more resources. Admin context might get starved of these resources, leading to denial of some of the services.Explanation This syslog will be generated when you do any of the following:
•
•
•
–
–
Recommended Action Use the show resource usage command to check which of the resources are allocated as zero percentage under the min column for Admin context and allocate these resources using the resource-class command to avoid starvation.
Messages 607001 to 615004
This section contains messages from 607001 to 615004.
607001
Error Message %ACE-6-607001: Pre-allocate SIP media secondary channel for source_interface:source_address/source_port to destination_interface:destination_address/destination_port from message_id messageExplanation This message is generated when a connection is prealloacted to allow media streams negotiated on a Session Initiation Protocol (SIP) session.
Recommended Action None required.
607002
Error Message %ACE-6-607002: SIP Received packet from vlanSource_interface:source_real_address/source_real_port (source_NAT_address_on_destination_interface:source_NAT_port_on_destination_inte rface) to vlanDest_interface:destination_address_on_source_interface/
destination_port_on_source_interface (destintation_real_address_on_destination_i nterface:destination_real_port_on_destination_interface); Call-ID: call_ID Message Type: type [description]Error Message This message is generated for a SIP received packet, a log action is configured, and the logging of received and transmitted SIP messages is enabled.–
–
–
–
A brief description may follow the Message Type that identifies the packet, and the request or respond type.
Recommended Action None required.
607003
Error Message %ACE-6-607003: SIP Classification: Action_type and log SIP message_id from source_interface:source_address/source_port to destination_interface:destination_address/destination_portExplanation This message is generated when the ACE permits or drops a SIP packet or resets the SIP control connection (if it is over TCP), and a log action is configured.
Recommended Action None required.
607004
Error Message %ACE-6-607004: SIP Transmitted packet from vlanSource_interface:source_real_address/source_real_port (source_NAT_address_on_destination_interface:source_NAT_port_on_destination_interface) to vlanDest_interface:destination_address_on_source_interface/
destination_port_on_source_interface (destintation_real_address_on_destination_interface: destination_real_port_on_destination_interface); Call-ID: call_ID Message Type: type [description]Error Message This message is generated for a SIP transmitted packet, a log action is configured, and the logging of received and transmitted SIP messages is enabled.–
–
–
–
A brief description may follow the Message Type that identifies the packet, and the request or respond type.
Recommended Action None required.
607005
Error Message %ACE-4-607005: SIP dropped packet from vlanSource_interface:source_real_address/source_real_port (source_NAT_address_on_destination_interface:source_NAT_port_on_destination_inte rface) to vlanDest_interface:destination_address_on_source_interface/
destination_port_on_source_interface (destintation_real_address_on_destination_i nterface:destination_real_port_on_destination_interface); Call-ID: Unknown Message Type: Unknown; invalid data buffer receivedExplanation This message is generated for dropped SIP packets due to an internal error, and a log action is configured.
Recommended Action None required.
608001
Error Message %ACE-6-608001: Pre-allocate Skinny connection_type secondary channel for source_interface:source_address/source_port to destination_interface:destination_address/destination_port from message_id messageExplanation This message is generated when a connection is preallocated to allow media streams negotiated on a Skinny Client Control Protocol (SCCP) session.
Recommended Action None required.
608002
Error Message %ACE-4-608002: Dropping Skinny message for source_interface:source_address/source_port to destination_interface:destination_address/destination_port, SCCPPrefix length prefex_length too smallExplanation This message appears when using SCCP inspection on SCCP traffic. It is displayed if a SCCP message is too small to carry the SCCP payload.
Recommended Action None required.
608003
Error Message %ACE-4-608003: Dropping Skinny message for source_interface:source_address/source_port to destination_interface:destination_address/destination_port, SCCPPrefix length prefex_length too largeExplanation This message appears when using SCCP inspection on SCCP traffic. It is displayed if a SCCP message is larger than the maximum configured size.
Recommended Action None required.
608004
Error Message %ACE-4-608004: Dropping Skinny message for source_interface:source_address/source_port to destination_interface:destination_address/destination_port, message id message_id not allowedExplanation This message is generated when using inspection on SCCP traffic. It is displayed if a Skinny command is denied by the SCCP inspection policy.
Recommended Action None required.
608005
Error Message %ACE-4-608005: Dropping Skinny message for source_interface:source_address/source_port to destination_interface:destination_address/destination_port, message id message_id registration not completeExplanation This message is generated when using inspection on SCCP traffic. It is displayed if a Skinny command that is not allowed before registration is seen before the IP phone has successfully registered with the Cisco Call Manager (CCM).
Recommended Action None required.
615003
Error Message %ACE-6-615003: VLAN VLAN-number not available for configuring an interfaceExplanation The specified VLAN number is no longer assigned to the ACE. If an interface is configured with that VLAN number on the module, it will be kept in a shutdown state. If an interface is already configured with that VLAN and is up, it will change the state to shutdown.
Recommended Action If the VLAN specified in the log message is not required for the ACE, delete all interfaces that use this VLAN from the module configuration.
615004
Error Message %ACE-6-615004: VLAN VLAN-number available for configuring an interfaceExplanation The specified VLAN number is now assigned to the ACE. The module can use the VLAN to configure an interface and to receive traffic.
Recommended Action To use the new VLAN, configure interfaces on the ACE using the new VLAN.
Messages 727001 to 751001
This section contains messages from 727001 to 751001.
727001
Error Message %ACE-1-727001: HA: Peer IP address is not reachable. Error: error str.Explanation An active or standby device cannot reach its redundant peer. This message is displayed on both devices and causes a switchover on the standby device. After the switchover occurs, both devices are no longer redundant. The error str value can be one of the following:
•
•
Recommended Action Verify connectivity between the peers. If a peer device is physically up but connectivity is the problem, you may end up with two active devices. If connectivity is lost due to the peer going down, reboot the peer to restore redundancy between the two devices.
727002
Error Message %ACE-1-727002: HA: FT interface interface name to reach peer IP address is down. Error: error strExplanation A peer device is not reachable on an FT interface. In this situation the standby device does not switchover to active, which prevents two actives in the network. The error str value can be one of the following:
•
•
Recommended Action Verify connectivity between the two devices over the FT interface. Ping or use Telnet to the peer IP address to confirm connectivity.
727003
Error Message %ACE-1-727003: HA: Mismatch in context names detected for FT group FTgroupID. Cannot be redundant.Explanation Redundancy is enabled for a particular context, but both devices are unable to become active or standby because of a mismatch in context names.
Recommended Action Check the FT group configuration on both devices. Make sure that both devices are associated with the same context.
727004
Error Message %ACE-1-727004: HA: Two actives have been detected for FT group FTgroupID.Explanation Both devices were detected to be active for the same FT group. At this point, one of the two devices automatically relinquishes control and switches over to standby.
Recommended Action None required.
727005
Error Message %ACE-1-727005: HA: Config replication failed for context ctx name. Error : error strExplanation A configuration could not be synchronized to the peer device due to the error condition returned by the error str value. The error str value can be one of the following:
•
•
•
•
•
•
•
•
•
Recommended Action Check the running and startup configurations on both devices. To recover, disable configuration synchronization, and then manually apply the configuration on each device.
727006
Error Message %ACE-1-727006: HA: Peer is incompatible due to error str. Cannot be Redundant.Explanation A peer device failed to become compatible. This can be a result of Software Relationship Graph (SRG) version inconsistency or a mismatch in licenses between the devices. The error string indicates the reason for the failure.
The error str value can be one of the following:
•
•
Recommended Action Verify version and license compatibility on both the devices.
727007
Error Message %ACE-1-727007: HA: Module Initialization failure - Error Error str.Explanation An initialization error occurred for one of the redundant ACEs. The Error str variable indicates the reason for the failure.
The Error str vraiable can be one of the following:
•
•
•
•
Recommended Action Contact Cisco TAC.
727008
Error Message %ACE-1-727008: HA: Failed to send heartbeats to peer. Internal error: Error strExplanation The device is unable to send heartbeats to its peer due to an internal error. The error string indicates the reason for the failure.
The Error str variable can be one of the following:
•
•
•
Recommended Action Contact Cisco TAC.
727009
Error Message %ACE-1-727009: HA: Communication failure for Peer Peer id Event: error strExplanation The device is unable to establish a TCP connection to the peer. The error str variable is "Failed to establish TCP connection to Peer device."
Recommended Action Contact Cisco TAC.
727010
Error Message %ACE-2-727010: HA: Data replication failed for context ctx name. Error code error strExplanation Data replication fails and data could not be successfully synchronized to the peer device. The next periodic synchronization will correct the failure and update the lost records. The Error str variable indicates the reason for the failure.
The error str variable can be one of the following:
•
•
Recommended Action None required.
727011
Error Message %ACE-2-727011: HA: Configuration replication for context ctx name will not happen. Error: Error strExplanation The configuration synchronization does not occur for a context. The error string indicates the reason for the failure.
The Error str value can be:
•
•
•
•
Recommended Action None required.
727012
Error Message %ACE-2-727012: HA: FT Group group ID changed state to NewState. Reason: reason str.Explanation This message displays the state transitions made by an HA state (redundancy) device for a context.
Table 2-2 lists the values for the NewState variable.
.
Values returned for the reason str variable can be one of the following:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Recommended Action None required.
727013
Error Message %ACE-2-727013: HA: Peer Peer # is UP and reachable.Explanation The peer is now reachable. Heartbeats are flowing successfully between the two peers.
Recommended Action None required.
727014
Error Message %ACE-2-727014: HA: Heartbeats from Peer Peer id have become unidirectional.Explanation Redundancy heartbeats from a peer have become unidirectional. That is, the peer cannot receive (only send) heartbeats. This problem occurs if one of the network processors has a problem.
Recommended Action Collect network processor drop counters, and then contact Cisco TAC.
727015
Error Message %ACE-2-727015: HA: Detected mismatch in heartbeat interval from Peer peer id. Modified interval to interval.Explanation The redundancy heartbeat received from one peer differs from the value of the second peer. This condition can occur when you choose to dynamically change the heartbeat interval. The modified heartbeat interval that is displayed shows the adjusted interval. This value is the greater of the two values.
Recommended Action None required.
727016
Error Message %ACE-2-727016: HA: replication_messageExplanation When replication is being carried out to a peer, the following replication_message string is displayed:
Replication for context ctx name has started. Status - status.The status variable indicates the synchronization status. Values for the status variable can be one of the following:
•
•
•
•
•
•
When config sync is enabled, the active ACE sends the following replication_message string if the peer has a different major software version:
Configuration Replication status for context Admin - Incremental Sync disabled due to peer software version mismatch.Recommended Action None required.
727017
Error Message %ACE-2-727017: HA: FT Track track type track name is UP.Explanation The FT track is up.
The track type variable can be one of the following:
•
•
•
Recommended Action None required.
727018
Error Message %ACE-2-727018: HA: FT Track track type track name is DOWN.Explanation The FT track is down.
The track type variable can be one of the following:
•
•
•
Recommended Action None required.
727019
Error Message %ACE-5-727019: HA: Started alternate ping to IP address ip addrExplanation ICMP pings have started on the alternate interface to check the health of the peer. This process starts when heartbeats from the peer are no longer received. The standby device issues an alternate ping to the peer to determine whether the peer is still alive. If it is alive, it does not switchover, which prevents two active states on the network.
Recommended Action None required.
727020
Error Message %ACE-5-727020: HA: Stopped alternate ping to IP address ip addr.Explanation ICMP pings have stopped on the alternate interface. This occurs when heartbeats from the peer are received and the peer is up and reachable.
Recommended Action None required.
727021
Error Message %ACE-5-727021: HA: Peer is compatible.Explanation The two devices are in a compatible state and can be configured for redundancy.
Recommended Action None required.
727022
Error Message %ACE-5-727022: HA: Started sending heartbeats to peer Peer id interval value and count cntExplanation The redundancy connections to the peer have been successfully established and heartbeats have been started to the peer with the configured interval and count.
The interval variable specifies interval in milliseconds. The count variable specifies the number of missed heartbeat intervals before the peer is declared down.
Recommended Action None required.
727023
Error Message %ACE-5-727023: HA: Stopped sending heartbeats to peer Peer id.Explanation Redundancy heartbeats to the peer have been stopped. This can occur if you reconfigure redundancy or make changes to basic connection parameters such as the peer IP address.
Recommended Action None required.
727024
Error Message %ACE-HA_HB-2-727024: HA: HB state change for peer Peer_ID message failed due to CP queue fullExplanation When the control plane (CP) queue is full, the ACE drops Inter-Process Control Plane (IPCP) messages from the data plane (DP). The IPCP informs the DP with a return value of -1. When the DP CM component receives the error condition, it generates this message.
Recommended Action Since ACE does not correctly reflect the FT state of the FT interface, transition the state by entering the shutdown command and then the no shutdown command.
728001
Error Message %ACE-1-728001: Initialization failure (general) type variable1Explanation Initialization of the ACE load-balancing process is aborted due to a failure of a general nature (for example, lack of memory, failure to spawn threads, failure to establish a communication channel, and so on).
variable1 specifies the exact failure location in the code base.
Recommended Action Document the syslog message, and then reboot the ACE (see the Cisco Application Control Engine Module Administration Guide for details). Contact Cisco TAC with the documented message text.
728002
Error Message %ACE-1-728002: Initialization failure (sticky) type variable1Explanation Initialization of the ACE load-balancing process is aborted because of a failure in the sticky subsystem (for example, memory alignment failure, failure to spawn threads, failure to a establish communication channel.)
variable1 specifies the exact failure location in the code base.
Recommended Action Document the syslog message, and then reboot the ACE (see the Cisco Application Control Engine Module Administration Guide for details). Contact Cisco TAC with the documented message text.
728003
Error Message %ACE-1-728003: Initialization failure (sticky hash) variable1 entries, variable2 min, variable3 max type variable4Explanation Initialization of the ACE load-balancing process is aborted because of a failure when allocating entries for the sticky database (for example, the database is not allocated.)
The variables displayed in this message represent the following:
•
•
•
•
Recommended Action Document the syslog message, and then reboot the ACE (see the Cisco Application Control Engine Module Administration Guide for details). Contact Cisco TAC with the documented message text.
728004
Error Message %ACE-5-728004: Internal communications notice (general) type variable1Explanation The ACE load-balancing process detects a spurious or unintelligible internal message that cannot be dispatched. Under high load, message loss may occur.
variable1 specifies the exact failure location in the code base.
Recommended Action If this message occurs frequently, or in conjunction with problems in load balancing under normal system load, contact Cisco TAC.
728005
Error Message %ACE-3-728005: Failed to transmit variable1 decision for connection from client variable2 type variable3Explanation A load-balancing decision was lost internally. No server connection can be initiated, and the identified client connection is reset. At this point, the client can attempt reconnection.
variable1 specifies the connection type. Possible values are as follows:
•
•
•
variable2 specifies the address of client from whom the connection originated.
variable3 specifies the unique identifier for the line of code where the error was logged.
Recommended Action If this message occurs frequently, document the syslog message, and then contact Cisco TAC.
728006
Error Message %ACE-5-728006: Internal communications error (messaging) msg subType variable1 -- type variable2During load balancing, the ACE received an internal message that cannot be identified. This message is discarded without processing.
The variables displayed in this message represent the following:
•
•
Recommended Action If this message occurs frequently, document the syslog message, and then contact Cisco TAC.
728007
Error Message %ACE-3-728007: Internal configuration communications error (sticky) type variable1Explanation During load balancing, the ACE received a configuration request for sticky database resources that cannot be honored. The resources may exceed the permitted amounts or the resources cannot be located.
variable1 specifies the unique identifier for the line of code where the error was logged.
Recommended Action Verify that the requested resources are available within the chosen context. If the requested resources are available and are allowed by the configuration, an internal error exists. Contact Cisco TAC.
728008
Error Message %ACE-3-728008: Internal communications error (sticky) /source processor variable1 destination processor variable2 -- type variable3Explanation During load balancing, the ACE detected an error in communication between the two network processors. As a result, sticky load balancing may not occur for some client connections.
The variables displayed in this message represent the following:
•
•
•
Recommended Action Contact Cisco TAC.
728009
Error Message %ACE-3-728009: Context ID variable1 requested variable2 of variable3 sticky entries. No action taken. -- type variable4Explanation This message is reported from the Admin context. A configuration request from the context identified by variable1 cannot be responded to because it exceeds the permitted resources for the sticky entries.
The variables displayed in this message represent the following:
•
•
•
•
Recommended Action Contact Cisco TAC.
728011
Error Message %ACE-4-728011: Context ID variable1 being variable2 should not have variable3 associated sticky groups -- type variable4Explanation This message is reported from the Admin context and appears when adding or removing a context that has associated sticky groups. When this condition exists and the error message is logged, the addition or removal of the context still occurs.
•
•
•
•
Recommended Action Before adding or removing a context, make sure there are no sticky groups associated with that context.
728012
Error Message %ACE-5-728012: Context ID variable1 failed to receive return data -- type variable2Explanation Data collected in response to a show command at the CLI was not successfully returned from the network processor to the CLI.
The variables displayed in this message represent the following:
•
•
Recommended Action Reenter the show command. If the problem persists, contact Cisco TAC.
728013
Error Message %ACE-4-728013: A cache alignment error variable1 was detected during initialization -- type variable2Explanation A cache alignment error was detected during the load-balancing initialization. This may impact performance, but load balancing will still be correctly performed.
The variables displayed in this message represent the following:
•
•
Recommended Action If you see this error message frequently, contact Cisco TAC.
728014
Error Message %ACE-3-728014: Internal cross-processor communications error (sticky) type variable1Explanation During load-balancing, the ACE could not parse a message from the second network processor on the ACE. This can result in the loss of sticky information between the two processors, resulting in a sticky server-connection loss for some clients.
variable1 specifies the unique identifier for the line of code where the error was logged.
Recommended Action Contact Cisco TAC.
728015
Error Message %ACE-3-728015: Internal channel communications error (sticky) type variable1Explanation During load-balancing operations, the ACE was unable to open or use an internal communications channel to process a load-balancing configuration or a display directive. The specific directive on which the failure occurred is not be completed (although it may be retried).
variable1 specifies the unique identifier for the line of code where the error was logged.
Recommended Action Contact Cisco TAC.
728016
Error Message %ACE-4-728016: HA data receive failure (type variable1)Explanation This message is logged when an redundancy message received from the redundant peer cannot be understood and is subsequently discarded.
variable1 specifies the unique identifier for the line of code where the error was logged.
Recommended Action Use the show ft stats group_id command to display load-balancing statistics for the FT group:
•
•
728017
Error Message %ACE-3-728017: Internal communications error (ha) -- type variable1Explanation This message is reported from the current context. An attempt to send a redundancy message to the redundant peer was unsuccessful because the message could not be sent.
variable1 specifies the unique identifier for the line of code where the error was logged.
Recommended Action Use the show ft stats group_id command to display load-balancing statistics for the FT group. Monitor the "Number of Send Failures" value. Contact Cisco TAC if the problem persists.
728018
Error Message %ACE-5-728018: Proxy connection variable1 rebalanced to server variable2Explanation The ACE has determined that the server side of a connection should be rebalanced to another server. This is an informational message issued in the context in which the rebalance occurs.
The variables displayed in this message represent the following:
•
•
Recommended Action None required.
728019
Error Message %ACE-4-728019: Sticky resources were not variable1 for this context -- type variable2Explanation A sticky request (lookup, configure, or delete a sticky entry) was not honored because the sticky group could not locate any configured sticky entries. This is not the result of exceeding the configuration limits, but indicates an unexpected sticky group lookup result.
variable1 specifies the requested sticky action. Possible values are as follows:
•
•
•
variable2 specifies the unique identifier for the line of code where the error was logged.
Recommended Action Contact Cisco TAC.
728020
Error Message %ACE-6-728020: LB is configured to consume variable1 bytes of memory.Explanation The message indicates the amount of physical memory that is mapped by the ACE during load-balancing initialization and indicates that the mapping was successful.
variable1 specifies the bytes of mapped physical memory.
Recommended Action None required.
728021
Error Message %ACE-6-728021: Found inconsistent sticky entry. Terminating variable1.Explanation Various commands processed by the ACE during load balancing require searching the sticky database to find all relevant sticky entries. An unexpected finding of no further sticky entries generates this message. The indicated action is terminated, but further requests of the same type (or of other types) are completed.
variable1 specifies the terminated action. Possible values are as follows:
•
•
•
Recommended Action None required. This message is useful in troubleshooting sticky issues.
728022
Error Message %ACE-6-728022: Invalid hash table index (variable1) used for variable2Explanation The specified action was aborted because of an invalid hash index.
variable1 specifies the value of the invalid hash table index.
variable2 specifies the index table use. Possible values are as follows:
•
•
Recommended Action None required.
728023
Error Message %ACE-6-728023: variable1 variable2 sticky entries from ContextId variable3.Explanation Sticky entries have been added or removed from a context as a result of a resource limit change.
variable1 specifies the action. Possible values are as follows:
•
•
variable2 specifies the number of sticky entries moved.
variable3 specifies the context ID from which the entries were added or removed.
Recommended Action None required.
728024
Error Message %ACE-4-728024: Received an unknown variable1 type message (variable2) for Sticky from remote IXP variable3!Explanation A request or reply from the second network processor indicates an unknown operation type. The request or reply is not responded to and is discarded.
variable1 specifies the message class. Possible values are as follows:
•
•
variable2 specifies the numerical value of the operation type that could not be identified.
variable3 specifies the identifier of the IXP (network processor) that sent the message.
Recommended Action None required. This message is useful when troubleshooting sticky database synchronization problems with the network processors.
728025
Error Message %ACE-6-728025: Dropped variable1 'variable2' messages (variable3 total) from IXP variable4 to IXP variable5!Explanation Sticky messages between network processors (sticky insert, sticky lookup, or sticky connection close) were lost.
variable1 specifies the number of lost messages.
variable2 specifies the message type. Possible values are as follows:
•
•
variable3 specifies the total number of messages discarded (includes both lost messages and messages which were discarded because they could not be sent).
variable4 specifies the source network processor identifier.
variable5 specifies the destination network processor identifier.
Recommended Action None required. This information may be useful when troubleshooting problems with sticky functionality.
728026
Error Message %ACE-6-728026: Attempting to use invalid lookup key for variable1 processing.Explanation The message indicates that a connection close notification was not sent to the remote network processor because of an invalid key. Variable1 specifies the type of processing (connection close).
Recommended Action None required. This information may be useful in troubleshooting problems with sticky functionality.
728027
Error Message %ACE-3-728027: Received unhandled message of type variable1 from CP SrcSAP variable2.Explanation An unrecognized message was received from the control processor (CP) during load-balancing operations. The message is discarded.
The variables displayed in this message represent the following:
•
•
Recommended Action None required. This message is useful when troubleshooting commands or configuration directives from the control processor that are ignored by the ACE.
728028
Error Message %ACE-5-728028: Sticky mapping failed: variable1 variable2Explanation Information received from an redundant peer cannot be mapped locally. The associated sticky entry information is discarded.
variable1 specifies the reason for the mapping failure. Possible values are as follows:
•
•
•
variable2 specifies the (decimal) identifier of the invalid entity. If the entry is an "invalid real server id," the value of the real server ID is displayed. Otherwise, the invalid or inactive sticky group ID is displayed.
Recommended Action Use the show ft stats group_id command to display load-balancing statistics for the FT group. Monitor the "Number of Sticky Entries Dropped" value. Contact Cisco TAC if the values continue to increase over time.
728030
Error Message %ACE-6-728030: Silently discarding HA data: variable1Explanation Redundancy data must be discarded during load-balancing operations because the ACE could not process the data. The discarding of the data could affect seamless failover.
variable1 specifies the reason for discarding data from the redundant peer. Possible values are as follows:
•
•
Recommended Action None required. This message is useful when troubleshooting redundant peer problems.
728031
Error Message %ACE-3-728031: Memory mapping for debug logging failed.Explanation Memory mapping fails during initialization for debug logging. Load balancing continues, but no debug logging will occur, even if invoked from the command line.
Recommended Action Reboot the ACE to reinitialize the debug logging component (see the Cisco Application Control Engine Module Administration Guide for details). Rebooting may correct a transient mapping issue. If this error persists, contact Cisco TAC.
728032
Error Message %ACE-LB_General-4-728032: Real Server variable1 in Serverfarm variable2 has reached configured threshold for HTTP retcode variable3Explanation HTTP return codes were configured on a server farm and a specific real server has reached the configured return code threshold.
The variables displayed in this message represent the following:
•
•
•
Recommended Action Review the types of client HTTP requests that cause these server return code responses. Look for return codes that indicate possible problems, for example, missing content or incorrect search paths.
728034
Error Message %ACE-4-728034: Real Server real_server_name in Serverfarm server_farm_name has reached configured threshold for Inband Health MonitoringExplanation When you configure the inband health monitoring (HM) action as log or remove, the configured threshold for inband is crossed. This message is generated when the control plane receives a threshold crossed notification from the network processors.
Recommended Action If you configured the Inband HM action as remove and did not configure a resume-service value, the real server remains in the INBAND-HM-FAILED state until you manually suspend it and then reactivate it.
729002
Error Message %ACE-4-729002: Regex resource usage beyond maximum limit for context context_id. Free up some resources.Explanation This syslog message indicates that regex resources in use for the specified context (context_id) are above the maximum limit allowed by the resource class.
Recommended Action Decrease the minimum regex usage in the specified context to below the maximum limit.
729003
Error Message %ACE-4-729003: Minimum regex resources could not be guaranteed for context context_id.Explanation This syslog message indicates that the requested minimum regex resources could not be guaranteed in the specified context (context_id).
Recommended Action Contact the global administrator to request that other context administrators release regex resources.
750001
Error Message %ACE-4-750001: Sticky resource usage beyond maximum limit for context ctx idExplanation The sticky resources in use for the context have exceeded the configured limit for that context.
Recommended Action Free up resources in the context to keep them within the configured limit. For details about managing resources, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
750002
Error Message %ACE-4-750002: Minimum sticky resources could not be guaranteed for context ctx idExplanation .When configuring a sticky resource limit for a particular context, the ACE was not able to guarantee the resource limit.
Recommended Action Free up resources in all other contexts that have exceeded their configured limits. For details about managing resources, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
751001
Error Message %ACE-4-751001: Delay in message processing observed for <process_name> with pid <ppp>, message_id <mmm>, opcode <ooo>, src_sap <sss> ,dest_sap <ddd><process_name> is the name of the process. Ex: syslogd, vacd.<ppp> is the process id.<ooo> is the MTS opcode that is at the top of the process's MTS queue<mmm> is the message Id corresponding to the MTS message, at the top of the process's MTS queue<sss> is the SAP ID from where the message is originated.<ddd> is the SAP ID of the process that is hung.Explanation A new log message is added. The new group is 751 (MTSMON_GROUP).
Recommended Action Contact Cisco TAC.
Message 901001
This section contains message 901001.
901001
Error Message %ACE-<severity depending on the printk severity>-901001: kernel message.Explanation A new log message is added. The new group is 901. For example, the following messages occur when the ACE reaches an available memory threshold:
%ACE-2-901001 kernel: Available CP memory reached below 1 percent threshold, TotalMemFree: number1 bytes, High MemFree: number2 bytes%ACE-2-901001 kernel: CP memory reached below 1 percent threshold, System will be reloaded after 90 seconds, if same condition persists%ACE-2-901001 kernel: Available CP memory reached below 3 percent threshold, TotalMemFree: number1 bytes, High MemFree: number2 bytes%ACE-2-901001 kernel: Available CP memory reached below 5 percent threshold, TotalMemFree: number1 bytes, High MemFree: number2 bytes%ACE-2-901001 kernel: Available CP Memory reached above 10 percent threshold. TotalMemFree: number1 bytes, High MemFree: number2 bytesThe number1 variable displays the total available memory. The number2 variable displays the available high memory.
Recommended Action For severity 1 and 2 syslogs, contact the TAC.