System Log Messages
This chapter lists the security appliance system log messages. The messages are listed numerically by message code.
Note
The messages shown in this guide apply to software Version 7.0 and higher. When a number is skipped from a sequence, the message is no longer in the security appliance code.
This chapter includes the following sections:
• Messages 101001 to 199009
• Messages 201002 to 217001
• Messages 302003 to 326028
• Messages 400000 to 418001
• Messages 500001 to 507001
• Messages 602101 to 609002
• Messages 701001 to 720073
Messages 101001 to 199009
This section contains messages from 101001 to 199009.
101001
Error Message %PIX|ASA-1-101001: (Primary) Failover cable OK.
Explanation This is a failover message. This message reports that the failover cable is present and
functioning correctly. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
101002
Error Message %PIX|ASA-1-101002: (Primary) Bad failover cable.
Explanation This is a failover message. This message reports that the failover cable is present but not
functioning correctly. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Replace the failover cable.
101003, 101004
Error Message %PIX|ASA-1-101003: (Primary) Failover cable not connected (this unit).
Error Message %PIX|ASA-1-101004: (Primary) Failover cable not connected (other
unit).
Explanation Both instances are failover messages. These messages are logged when failover mode
is enabled, but the failover cable is not connected to one unit of the failover pair. (Primary) can also
be listed as (Secondary) for the secondary unit.
Recommended Action Connect the failover cable to both units of the failover pair.
101005
Error Message %PIX|ASA-1-101005: (Primary) Error reading failover cable status.
Explanation This is a failover message. This message is displayed if the failover cable is connected,
but the primary unit is unable to determine its status.
Recommended Action Replace the cable.
102001
Error Message %PIX|ASA-1-102001: (Primary) Power failure/System reload other side.
Explanation This is a failover message. This message is logged if the primary unit detects a system
reload or a power failure on the other unit. "Primary" can also be listed as "Secondary" for the
secondary unit.
Recommended Action On the unit that experienced the reload, issue the show crashinfo command to
determine if there is a traceback associated with the reload. Also verify that the unit is powered on
and that power cables are properly connected.
103001
Error Message %PIX|ASA-1-103001: (Primary) No response from other firewall (reason
code = code).
Explanation This is a failover message. This message is displayed if the primary unit is unable to
communicate with the secondary unit over the failover cable. (Primary) can also be listed as
(Secondary) for the secondary unit. Table 2-1 lists the reason codes and their descriptions, which
indicate why the failover occurred.
Table 2-1 Reason Codes
Reason Code | Description
1 | No failover hello seen on serial cable for 30+ seconds. This ensures that failover is running properly on the other security appliance unit.
2 | An interface did not pass one of the 4 failover tests. The four tests are as follows: 1) Link Up, 2) Monitor for Network Traffic, 3) ARP test, 4) Broadcast Ping test.
3 | No proper ACK for 15+ seconds after a command was sent on the serial cable.
4 | The local unit is not receiving the hello packet on the failover LAN and other data interfaces and it is declaring that the peer is down.
5 | The standby peer went down during the configuration synchronization process.
Recommended Action Verify that the failover cable is connected properly and both units have the
same hardware, software, and configuration; otherwise, contact Cisco TAC.
103002
Error Message %PIX|ASA-1-103002: (Primary) Other firewall network interface
interface_number OK.
Explanation This is a failover message. This message is displayed when the primary unit detects that
the network interface on the secondary unit is okay. (Primary) can also be listed as (Secondary) for
the secondary unit. Refer to Table 1-6 in Chapter 1, "Configuring Logging on the Security
Appliance," for possible values for the interface_number variable.
Recommended Action None required.
103003
Error Message %PIX|ASA-1-103003: (Primary) Other firewall network interface
interface_number failed.
Explanation This is a failover message. This message is displayed if the primary unit detects a bad
network interface on the secondary unit. (Primary) can also be listed as (Secondary) for the
secondary unit.
Recommended Action Check the network connections on the secondary unit and check the network
hub connection. If necessary, replace the failed network interface.
103004
Error Message %PIX|ASA-1-103004: (Primary) Other firewall reports this firewall
failed.
Explanation This is a failover message. This message is displayed if the primary unit receives a
message from the secondary unit indicating that the primary has failed. (Primary) can also be listed
as (Secondary) for the secondary unit.
Recommended Action Verify the status of the primary unit.
103005
Error Message %PIX|ASA-1-103005: (Primary) Other firewall reporting failure.
Explanation This is a failover message. This message is displayed if the secondary unit reports a
failure to the primary unit. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Verify the status of the secondary unit.
104001, 104002
Error Message %PIX|ASA-1-104001: (Primary/Secondary) Switching to ACTIVE — Other unit
wants me Active. Secondary/Primary unit switch reason: reason_string
Error Message %PIX|ASA-1-104002: (Primary/Secondary) Switching to STNDBY — Other
unit wants me Standby. Secondary/Primary unit switch reason: reason_string
Explanation Both instances are failover messages. These messages usually are logged when you
force the pair to switch roles, either by entering the failover active command on the standby unit,
or the no failover active command on the active unit. (Primary) can also be listed as (Secondary)
for the secondary unit. Possible values for the reason_string variable are as follows:
• state check
• bad/incomplete config
• ifc [interface] check, mate is healthier
• the other side wants me to standby
• in failed state, cannot be active
• switch to failed state
• other unit set to active by CLI config command 'fail active'
Recommended Action If the message occurs because of manual intervention, no action is required.
Otherwise, use the cause reported by the secondary unit to verify the status of both units of the pair.
104003
Error Message %PIX|ASA-1-104003: (Primary) Switching to FAILED.
Explanation This is a failover message. This message is displayed when the primary unit fails.
Recommended Action Check the system log messages for the primary unit for an indication of the
nature of the problem (see message 104001). (Primary) can also be listed as (Secondary) for the
secondary unit.
104004
Error Message %PIX|ASA-1-104004: (Primary) Switching to OK.
Explanation This is a failover message. This message is displayed when a previously failed unit now
reports that it is operating again. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
105001
Error Message %PIX|ASA-1-105001: (Primary) Disabling failover.
Explanation This is a failover message. This message is displayed when you enter the no failover
command on the console. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
105002
Error Message %PIX|ASA-1-105002: (Primary) Enabling failover.
Explanation This is a failover message. This message is displayed when you enter the failover
command with no arguments on the console, after having previously disabled failover. (Primary) can
also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
105003
Error Message %PIX|ASA-1-105003: (Primary) Monitoring on interface interface_name
waiting
Explanation This is a failover message. The security appliance is testing the specified network
interface with the other unit of the failover pair. (Primary) can also be listed as (Secondary) for the
secondary unit.
Recommended Action None required. The security appliance monitors its network interfaces
frequently during normal operations.
105004
Error Message %PIX|ASA-1-105004: (Primary) Monitoring on interface interface_name
normal
Explanation This is a failover message. The test of the specified network interface was successful.
(Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
105005
Error Message %PIX|ASA-1-105005: (Primary) Lost Failover communications with mate on
interface interface_name.
Explanation This is a failover message. This message is displayed if this unit of the failover pair can
no longer communicate with the other unit of the pair. (Primary) can also be listed as (Secondary)
for the secondary unit.
Recommended Action Verify that the network connected to the specified interface is functioning
correctly.
105006, 105007
Error Message %PIX|ASA-1-105006: (Primary) Link status 'Up' on interface
interface_name.
Error Message %PIX|ASA-1-105007: (Primary) Link status 'Down' on interface
interface_name.
Explanation Both instances are failover messages. These messages report the results of monitoring
the link status of the specified interface. (Primary) can also be listed as (Secondary) for the
secondary unit.
Recommended Action If the link status is down, verify that the network connected to the specified
interface is operating correctly.
105008
Error Message %PIX|ASA-1-105008: (Primary) Testing interface interface_name.
Explanation This is a failover message. This message is displayed when the security appliance tests a specified network
interface. This testing is performed only if the security appliance fails to receive a message from the
standby unit on that interface after the expected interval. (Primary) can also be listed as (Secondary)
for the secondary unit.
Recommended Action None required.
105009
Error Message %PIX|ASA-1-105009: (Primary) Testing on interface interface_name
{Passed|Failed}.
Explanation This is a failover message. This message reports the result (either Passed or Failed) of
a previous interface test. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required if the result is Passed. If the result is Failed, check the
network cable connection to both failover units, verify that the network itself is functioning
correctly, and verify the status of the standby unit.
105010
Error Message %PIX|ASA-3-105010: (Primary) Failover message block alloc failed
Explanation Block memory was depleted. This is a transient message and the security appliance
should recover. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Use the show blocks command to monitor the current block memory.
105011
Error Message %PIX|ASA-1-105011: (Primary) Failover cable communication failure
Explanation The failover cable is not permitting communication between the primary and secondary
units. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Ensure that the cable is properly connected.
105020
Error Message %PIX|ASA-1-105020: (Primary) Incomplete/slow config replication
Explanation When a failover occurs, the active security appliance detects a partial configuration in
memory. Normally, this is caused by an interruption in the replication service. (Primary) can also be
listed as (Secondary) for the secondary unit.
Recommended Action Once the failover is detected by the security appliance, the security appliance
automatically reloads itself and loads configuration from Flash memory and/or resynchronizes with
another security appliance. If failovers happen continuously, check the failover configuration and
make sure both security appliance units can communicate with each other.
105021
Error Message %PIX|ASA-1-105021: (failover_unit) Standby unit failed to sync due to
a locked context_name config. Lock held by lock_owner_name
Explanation During configuration synchronizing, a standby unit will reload itself if some other
process locks the configuration for more than 5 minutes, which prevents the failover process from
applying the new configuration. This can occur when an administrator pages through a running
configuration on the standby unit while configuration synchronization is in process. See also the
show running-config EXEC command and the pager lines num CONFIG command.
Recommended Action Avoid viewing or modifying configuration on standby unit when it first comes
up and is in the process of establishing a failover connection with the active unit.
105031
Error Message %PIX|ASA-1-105031: Failover LAN interface is up
Explanation LAN failover interface link is up.
Recommended Action None required.
105032
Error Message %PIX|ASA-1-105032: LAN Failover interface is down
Explanation LAN failover interface link is down.
Recommended Action Check the connectivity of the LAN failover interface. Make sure that the
speed/duplex setting is correct.
105034
Error Message %PIX|ASA-1-105034: Receive a LAN_FAILOVER_UP message from peer.
Explanation The peer has just booted and sent the initial contact message.
Recommended Action None required.
105035
Error Message %PIX|ASA-1-105035: Receive a LAN failover interface down msg from peer.
Explanation The peer LAN failover interface link is down. The unit switches to active mode if it is
in standby mode.
Recommended Action Check the connectivity of the peer's LAN failover interface.
105036
Error Message %PIX|ASA-1-105036: dropped a LAN Failover command message.
Explanation The security appliance dropped an unacknowledged LAN failover command message,
indicating a connectivity problem on the LAN failover interface.
Recommended Action Check that the LAN interface cable is connected.
105037
Error Message %PIX|ASA-1-105037: The primary and standby units are switching back
and forth as the active unit.
Explanation The primary and standby units are switching back and forth as the active unit, indicating
a LAN failover connectivity problem or software bug.
Recommended Action Check that the LAN interface cable is connected.
105038
Error Message %PIX|ASA-1-105038: (Primary) Interface count mismatch
Explanation When a failover occurs, the active security appliance detects a partial configuration in
memory. Normally, this is caused by an interruption in the replication service. (Primary) can also be
listed as (Secondary) for the secondary unit.
Recommended Action Once the failover is detected by the security appliance, the security appliance
automatically reloads itself and loads the configuration from Flash memory and/or resyncs with
another security appliance. If failovers happen continuously, check the failover configuration and
make sure that both security appliance units can communicate with each other.
105039
Error Message %PIX|ASA-1-105039: (Primary) Unable to verify the Interface count with
mate. Failover may be disabled in mate.
Explanation Failover initially verifies that the number of interfaces configured on the primary and
secondary security appliances are the same. This message indicates that the primary security
appliance is not able to verify the number of interfaces configured on the secondary security
appliance. This message indicates that the primary security appliance is not able to communicate with
the secondary security appliance over the failover interface. (Primary) can also be listed as
(Secondary) for the secondary security appliance.
Recommended Action Verify the failover LAN, interface configuration, and status on the primary and
secondary security appliances. Make sure that the secondary security appliance is running the
security appliance application and that failover is enabled.
105040
Error Message %PIX|ASA-1-105040: (Primary) Mate failover version is not compatible.
Explanation The primary and secondary security appliance should run the same failover software
version to act as a failover pair. This message indicates that the secondary security appliance's
failover software version is not compatible with the primary security appliance. Failover is disabled
on the primary security appliance. (Primary) can also be listed as (Secondary) for the secondary
security appliance.
Recommended Action Maintain consistent software versions between the primary and secondary
security appliances to enable failover.
105042
Error Message %PIX|ASA-1-105042: (Primary) Failover interface OK
Explanation LAN failover interface link is up. The interface used to send failover messages to the
secondary security appliance is functioning. (Primary) can also be listed as (Secondary) for the
secondary security appliance.
Recommended Action None required.
105043
Error Message %PIX|ASA-1-105043: (Primary) Failover interface failed
Explanation LAN failover interface link is down.
Recommended Action Check the connectivity of the LAN failover interface. Make sure that the
speed/duplex setting is correct.
105044
Error Message %PIX|ASA-1-105044: (Primary) Mate operational mode mode is not
compatible with my mode mode.
Explanation When the operational mode (single or multi) does not match between failover peers,
failover will be disabled.
Recommended Action Configure the failover peers to have the same operational mode, and then
reenable failover.
105045
Error Message %PIX|ASA-1-105045: (Primary) Mate license (number contexts) is not
compatible with my license (number contexts).
Explanation When the feature licenses do not match between failover peers, failover will be disabled.
Recommended Action Configure the failover peers to have the same feature license, and then reenable
failover.
105046
Error Message %PIX|ASA-1-105046: (Primary|Secondary) Mate has a different chassis
Explanation This message is issued when two failover units have a different type of chassis. For
example, one is a PIX, the other is an ASA-5520, or one has a 3-slot chassis, the other has a 6-slot
chassis.
Recommended Action Make sure that the two failover units are the same.
105047
Error Message %PIX|ASA-1-105047: Mate has a io_card_name1 card in slot slot_number
which is different from my io_card_name2
Explanation The two failover units have different types of cards in their respective slots.
Recommended Action Make sure that the card configurations for the failover units are the same.
106001
Error Message %PIX|ASA-2-106001: Inbound TCP connection denied from IP_address/port
to IP_address/port flags tcp_flags on interface interface_name
Explanation This is a connection-related message. This message occurs when an attempt to connect
to an inside address is denied by your security policy. Possible tcp_flags values correspond to the
flags in the TCP header that were present when the connection was denied. For example, a TCP
packet arrived for which no connection state exists in the security appliance, and it was dropped.
The tcp_flags in this packet are FIN and ACK.
The tcp_flags are as follows:
• ACK—The acknowledgment number was received.
• FIN—Data was sent.
• PSH—The receiver passed data to the application.
• RST—The connection was reset.
• SYN—Sequence numbers were synchronized to start a connection.
• URG—The urgent pointer was declared valid.
Recommended Action None required.
106002
Error Message %PIX|ASA-2-106002: protocol Connection denied by outbound list acl_ID
src inside_address dest outside_address
Explanation This is a connection-related message. This message is displayed if the specified
connection fails because of an outbound deny command. The protocol variable can be ICMP, TCP,
or UDP.
Recommended Action Use the show outbound command to check outbound lists.
106006
Error Message %PIX|ASA-2-106006: Deny inbound UDP from outside_address/outside_port
to inside_address/inside_port on interface interface_name.
Explanation This is a connection-related message. This message is displayed if an inbound UDP
packet is denied by your security policy.
Recommended Action None required.
106007
Error Message %PIX|ASA-2-106007: Deny inbound UDP from outside_address/outside_port
to inside_address/inside_port due to DNS {Response|Query}.
Explanation This is a connection-related message. This message is displayed if a UDP packet
containing a DNS query or response is denied.
Recommended Action If the inside port number is 53, the inside host probably is set up as a caching
name server. Add an access-list command statement to permit traffic on UDP port 53, and a
translation entry for the inside. If the outside port number is 53, a DNS server was probably too slow
to respond, and the query was answered by another server.
106010
Error Message %PIX|ASA-3-106010: Deny inbound protocol src
interface_name:dest_address/dest_port dst
interface_name:source_address/source_port
Explanation This is a connection-related message. This message is displayed if an inbound
connection is denied by your security policy.
Recommended Action Modify the security policy if traffic should be permitted. If the message occurs
at regular intervals, contact the remote peer administrator.
106011
Error Message %PIX|ASA-3-106011: Deny inbound (No xlate) string
Explanation The message will appear under normal traffic conditions if there are internal users that
are accessing the Internet through a web browser. Any time a connection is reset, when the host at
the end of the connection sends a packet after the security appliance receives the reset, this message
will appear. It can typically be ignored.
Recommended Action Prevent this syslog message from getting logged to the syslog server by
entering the no logging message 106011 command.
106012
Error Message %PIX|ASA-6-106012: Deny IP from IP_address to IP_address, IP options hex.
Explanation This is a packet integrity check message. An IP packet was seen with IP options. Because
IP options are considered a security risk, the packet was discarded.
Recommended Action Contact the remote host system administrator to determine the problem. Check
the local site for loose source routing or strict source routing.
106013
Error Message %PIX|ASA-2-106013: Dropping echo request from IP_address to PAT address
IP_address
Explanation The security appliance discarded an inbound ICMP Echo Request packet with a
destination address that corresponds to a PAT global address. The inbound packet is discarded
because it cannot specify which PAT host should receive the packet.
Recommended Action None required.
106014
Error Message %PIX|ASA-3-106014: Deny inbound icmp src interface_name: IP_address dst
interface_name: IP_address (type dec, code dec)
Explanation The security appliance denied any inbound ICMP packet access. By default, all ICMP
packets are denied access unless specifically permitted.
Recommended Action None required.
106015
Error Message %PIX|ASA-6-106015: Deny TCP (no connection) from IP_address/port to
IP_address/port flags tcp_flags on interface interface_name.
Explanation The security appliance discarded a TCP packet that has no associated connection in the
security appliance's connection table. The security appliance looks for a SYN flag in the packet,
which indicates a request to establish a new connection. If the SYN flag is not set, and there is not
an existing connection, the security appliance discards the packet.
Recommended Action None required unless the security appliance receives a large volume of these
invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these
packets were sent.
106016
Error Message %PIX|ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on
interface interface_name.
Explanation The security appliance discarded a packet with an invalid source address. Invalid source
addresses are those addresses belonging to the following:
• Loopback network (127.0.0.0)
• Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
• The destination host (land.c)
To further enhance spoof packet detection, use the conduit command to configure the security appliance to discard packets with source addresses belonging to the internal network. Now that the icmp command has been implemented, the conduit command has been deprecated and is no longer guaranteed to work properly.
Recommended Action Determine if an external user is trying to compromise the protected network.
Check for misconfigured clients.
106017
Error Message %PIX|ASA-2-106017: Deny IP due to Land Attack from IP_address to
IP_address
Explanation The security appliance received a packet with the IP source address equal to the IP
destination, and the destination port equal to the source port. This message indicates a spoofed
packet that is designed to attack systems. This attack is referred to as a Land Attack.
Recommended Action If this message persists, an attack may be in progress. The packet does not
provide enough information to determine where the attack originates.
106018
Error Message %PIX|ASA-2-106018: ICMP packet type ICMP_type denied by outbound list
acl_ID src inside_address dest outside_address
Explanation The outgoing ICMP packet with the specified ICMP type from the local host (inside_address) to
the foreign host (outside_address) was denied by the outbound ACL.
Recommended Action None required.
106020
Error Message %PIX|ASA-2-106020: Deny IP teardrop fragment (size = number, offset =
number) from IP_address to IP_address
Explanation The security appliance discarded an IP packet with a teardrop signature containing
either a small offset or fragment overlapping. This is a hostile event that circumvents the security
appliance or an Intrusion Detection System.
Recommended Action Contact the remote peer administrator or escalate this issue according to your
security policy.
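The following is an added example, not part of the original guide or any Cisco code: it parses the message header and the 106001, 106015, 106016, 106017 and 106020 templates documented above, then applies their Recommended Actions as triage rules. It assumes the guide's %PIX|ASA notation stands for a literal %PIX- or %ASA- prefix in real log lines; the sample lines, host name, addresses and the no_conn_threshold value are constructed for illustration.

```python
import re
from collections import Counter

# Header common to the messages in this chapter. Assumption: the guide's
# "%PIX|ASA-" notation means a literal "%PIX-" or "%ASA-" in a real log line.
HEADER = re.compile(
    r"%(?P<platform>PIX|ASA)-(?P<severity>[0-7])-(?P<msg_id>\d{6}):\s*(?P<body>.*)$"
)
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ENDPOINTS = rf"from (?P<src>{IP})/(?P<sport>\d+) to (?P<dst>{IP})/(?P<dport>\d+)"
FLAGS_IFC = r"flags (?P<flags>[A-Z ]+?) on interface (?P<ifc>\S+)"

# Body patterns transcribed from the message templates documented above.
BODY_PATTERNS = {
    "106001": re.compile(rf"Inbound TCP connection denied {ENDPOINTS} {FLAGS_IFC}"),
    "106015": re.compile(rf"Deny TCP \(no connection\) {ENDPOINTS} {FLAGS_IFC}"),
    "106016": re.compile(
        rf"Deny IP spoof from \((?P<src>{IP})\) to (?P<dst>{IP}) on interface (?P<ifc>\S+)"
    ),
    "106017": re.compile(rf"Deny IP due to Land Attack from (?P<src>{IP}) to (?P<dst>{IP})"),
    "106020": re.compile(
        rf"Deny IP teardrop fragment \(size = (?P<size>\d+), offset = (?P<offset>\d+)\) "
        rf"from (?P<src>{IP}) to (?P<dst>{IP})"
    ),
}

# Messages whose Recommended Action calls for investigation on every occurrence.
ALWAYS_REPORT = {
    "106016": "IP spoof: invalid source address",
    "106017": "Land Attack: source equals destination",
    "106020": "teardrop fragment",
}


def parse_line(line):
    """Return a dict for a PIX/ASA message, or None if the line has no header."""
    header = HEADER.search(line)
    if header is None:
        return None
    event = {
        "platform": header["platform"],
        "severity": int(header["severity"]),
        "msg_id": header["msg_id"],
        "body": header["body"].strip(),
    }
    pattern = BODY_PATTERNS.get(event["msg_id"])
    fields = pattern.search(event["body"]) if pattern else None
    if fields:
        event.update(fields.groupdict())
        if "ifc" in event:
            event["ifc"] = event["ifc"].rstrip(".")  # templates end with a period
    event["parsed"] = fields is not None
    return event


def triage(lines, no_conn_threshold=3):
    """Return (msg_id, source, reason) findings for the deny messages above.

    no_conn_threshold is an assumed value: the guide only says "a large volume"
    of 106015 messages warrants tracing the packets to their source.
    """
    findings, no_conn = [], Counter()
    for line in lines:
        event = parse_line(line)
        if event is None or event["msg_id"] not in BODY_PATTERNS:
            continue  # not a PIX/ASA message, or one this example does not cover
        if not event["parsed"]:
            # A known ID whose body no longer matches: surface it, do not drop it.
            findings.append((event["msg_id"], None, "body did not match documented template"))
        elif event["msg_id"] in ALWAYS_REPORT:
            # For 106017 the source is spoofed, so it does not identify the origin.
            findings.append((event["msg_id"], event["src"], ALWAYS_REPORT[event["msg_id"]]))
        elif event["msg_id"] == "106015":
            no_conn[event["src"]] += 1
        # 106001: the guide's Recommended Action is "None required".
    for src, count in sorted(no_conn.items()):
        if count >= no_conn_threshold:
            findings.append(("106015", src, f"{count} TCP packets with no connection"))
    return findings


# Constructed sample lines (documentation address ranges, hypothetical host "fw1").
SAMPLE_LOG = [
    "Jan 10 12:00:01 fw1 %ASA-2-106001: Inbound TCP connection denied from 198.51.100.7/40112 to 192.0.2.10/23 flags SYN on interface outside",
    "Jan 10 12:00:02 fw1 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/40113 to 192.0.2.10/80 flags FIN ACK on interface outside.",
    "Jan 10 12:00:03 fw1 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/40114 to 192.0.2.10/80 flags RST on interface outside.",
    "Jan 10 12:00:04 fw1 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/40115 to 192.0.2.10/80 flags ACK on interface outside.",
    "Jan 10 12:00:05 fw1 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.9/5050 to 192.0.2.10/443 flags ACK on interface outside.",
    "Jan 10 12:00:06 fw1 %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 192.0.2.10 on interface outside.",
    "Jan 10 12:00:07 fw1 %ASA-2-106017: Deny IP due to Land Attack from 192.0.2.10 to 192.0.2.10",
    "Jan 10 12:00:08 fw1 %ASA-2-106020: Deny IP teardrop fragment (size = 36, offset = 24) from 203.0.113.9 to 192.0.2.10",
    "Jan 10 12:00:09 fw1 %ASA-1-105005: (Primary) Lost Failover communications with mate on interface inside.",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
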
106021
Error Message %PIX|ASA-1-106021: Deny protocol reverse path check from
source_address to dest_address on interface interface_name
Explanation An attack is in progress. Someone is attempting to spoof an IP address on an inbound
connection. Unicast RPF, also known as reverse route lookup, detected a packet that does not have
a source address represented by a route and assumes that it is part of an attack on your security
appliance.
This message appears when you have enabled Unicast RPF with the ip verify reverse-path command. This feature works on packets input to an interface; if it is configured on the outside, then the security appliance checks packets arriving from the outside.
The security appliance looks up a