Table Of Contents
Messages Listed by Severity Level
Alert Messages, Severity 1
Critical Messages, Severity 2
Error Messages, Severity 3
Warning Messages, Severity 4
Notification Messages, Severity 5
Informational Messages, Severity 6
Debugging Messages, Severity 7
Messages Listed by Severity Level
This appendix contains the following sections:
•
Alert Messages, Severity 1
•Critical Messages, Severity 2
•Error Messages, Severity 3
•Warning Messages, Severity 4
•Notification Messages, Severity 5
•Informational Messages, Severity 6
•Debugging Messages, Severity 7
Note The Cisco ASA does not send severity 0, emergency messages to syslog. These are analogous to a UNIX panic message, and denote an unstable system.
Alert Messages, Severity 1
The following messages appear at severity 1, alerts:
•%PIX|ASA-1-101001: (Primary) Failover cable OK.
•%PIX|ASA-1-101002: (Primary) Bad failover cable.
•%PIX|ASA-1-101003: (Primary) Failover cable not connected (this unit).
•%PIX|ASA-1-101004: (Primary) Failover cable not connected (other unit).
•%PIX|ASA-1-101005: (Primary) Error reading failover cable status.
•%PIX|ASA-1-102001: (Primary) Power failure/System reload other side.
•%PIX|ASA-1-103001: (Primary) No response from other firewall (reason code = code).
•%PIX|ASA-1-103002: (Primary) Other firewall network interface interface_number OK.
•%PIX|ASA-1-103003: (Primary) Other firewall network interface interface_number failed.
•%PIX|ASA-1-103004: (Primary) Other firewall reports this firewall failed.
•%PIX|ASA-1-103005: (Primary) Other firewall reporting failure.
•%PIX|ASA-1-104001: (Primary) Switching to ACTIVE (cause: string).
•%PIX|ASA-1-104002: (Primary) Switching to STNDBY (cause: string).
•%PIX|ASA-1-104003: (Primary) Switching to FAILED.
•%PIX|ASA-1-104004: (Primary) Switching to OK.
•%PIX|ASA-1-105001: (Primary) Disabling failover.
•%PIX|ASA-1-105002: (Primary) Enabling failover.
•%PIX|ASA-1-105003: (Primary) Monitoring on interface interface_name waiting
•%PIX|ASA-1-105004: (Primary) Monitoring on interface interface_name normal
•%PIX|ASA-1-105005: (Primary) Lost Failover communications with mate on interface interface_name.
•%PIX|ASA-1-105006: (Primary) Link status `Up' on interface interface_name.
•%PIX|ASA-1-105007: (Primary) Link status `Down' on interface interface_name.
•%PIX|ASA-1-105008: (Primary) Testing interface interface_name.
•%PIX|ASA-1-105009: (Primary) Testing on interface interface_name {Passed|Failed}.
•%PIX|ASA-1-105011: (Primary) Failover cable communication failure
•%PIX|ASA-1-105020: (Primary) Incomplete/slow config replication
•%PIX|ASA-1-105021: (failover_unit) Standby unit failed to sync due to a locked context_name config. Lock held by lock_owner_name
•%PIX|ASA-1-105031: Failover LAN interface is up
•%PIX|ASA-1-105032: LAN Failover interface is down
•%PIX|ASA-1-105034: Receive a LAN_FAILOVER_UP message from peer.
•%PIX|ASA-1-105035: Receive a LAN failover interface down msg from peer.
•%PIX|ASA-1-105036: dropped a LAN Failover command message.
•%PIX|ASA-1-105037: The primary and standby units are switching back and forth as the active unit.
•%PIX|ASA-1-105038: (Primary) Interface count mismatch
•%PIX|ASA-1-105039: (Primary) Unable to verify the Interface count with mate. Failover may be disabled in mate.
•%PIX|ASA-1-105040: (Primary) Mate failover version is not compatible.
•%PIX|ASA-1-105042: (Primary) Failover interface OK
•%PIX|ASA-1-105043: (Primary) Failover interface failed
•%PIX|ASA-1-105044: (Primary) Mate operational mode mode is not compatible with my mode mode.
•%PIX|ASA-1-105045: (Primary) Mate license (number contexts) is not compatible with my license (number contexts).
•%PIX|ASA-1-105046 (Primary|Secondary) Mate has a different chassis
•%PIX|ASA-1-105047: Mate has a io_card_name1 card in slot slot_number which is different from my io_card_name2
•%ASA-1-105048: (unit) Mate's service module (application) is different from mine (application)
•%PIX|ASA-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name
•%PIX|ASA-1-106022: Deny protocol connection spoof from source_address to dest_address on interface interface_name
•%PIX|ASA-1-106101 The number of ACL log deny-flows has reached limit (number).
•%PIX|ASA-1-107001: RIP auth failed from IP_address: version=number, type=string, mode=string, sequence=number on interface interface_name
•%PIX|ASA-1-107002: RIP pkt failed from IP_address: version=number on interface interface_name
•%PIX|ASA-1-111111 error_message
•%ASA-1-114001: Failed to initialize 4GE SSM I/O card (error error_string).
•%ASA-1-114002: Failed to initialize SFP in 4GE SSM I/O card (error error_string).
•%ASA-1-114003: Failed to run cached commands in 4GE SSM I/O card (error error_string).
•%ASA-n-216001: internal error in: function: message
•%ASA-1-216005: ERROR: Duplex-mismatch on interface_name resulted in transmitter lockup. A soft reset of the switch was performed.
•%ASA|PIX-1-332004: Web Cache IP_address/service_ID lost
•%ASA-1-505015: SSM model Module in slot number, application up application, version version
•%PIX|ASA-1-709003: (Primary) Beginning configuration replication: Sending to mate.
•%PIX|ASA-1-709004: (Primary) End Configuration Replication (ACT)
•%PIX|ASA-1-709005: (Primary) Beginning configuration replication: Receiving from mate.
•%PIX|ASA-1-709006: (Primary) End Configuration Replication (STB)
Critical Messages, Severity 2
The following messages appear at severity 2, critical:
•%PIX|ASA-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name
•%PIX|ASA-2-106002: protocol Connection denied by outbound list acl_ID src inside_address dest outside_address
•%PIX|ASA-2-106006: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name.
•%PIX|ASA-2-106007: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port due to DNS {Response|Query}.
•%PIX|ASA-2-106013: Dropping echo request from IP_address to PAT address IP_address
•%PIX|ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.
•%PIX|ASA-2-106017: Deny IP due to Land Attack from IP_address to IP_address
•%PIX|ASA-2-106018: ICMP packet type ICMP_type denied by outbound list acl_ID src inside_address dest outside_address
•%PIX|ASA-2-106020: Deny IP teardrop fragment (size = number, offset = number) from IP_address to IP_address
•%PIX|ASA-2-106024: Access rules memory exhausted
•%PIX|ASA-2-108002: SMTP replaced string: out source_address in inside_address data: string
•%PIX|ASA-2-108003: Terminating ESMTP/SMTP connection; malicious pattern detected in the mail address from source_interface:source_address/source_port to dest_interface:dest_address/dset_port. Data:string
•%PIX|ASA-2-109011: Authen Session Start: user 'user', sid number
•%PIX|ASA-2-112001: (string:dec) Clear complete.
•%ASA-2-113022: AAA Marking protocol server ip-addr in server group tag as FAILED
•%ASA-2-113023: AAA Marking protocol server ip-addr in server group tag as ACTIVE
•%PIX|ASA-2-201003: Embryonic limit exceeded nconns/elimit for outside_address/outside_port (global_address) inside_address/inside_port on interface interface_name
•%PIX|ASA-2-214001: Terminating manager session from IP_address on interface interface_name. Reason: incoming encrypted data (number bytes) longer than number bytes
•%PIX|ASA-2-215001:Bad route_compress() call, sdb= number
•%ASA-n-216001: internal error in: function: message
•%PIX|ASA-2-217001: No memory for string in string
•%PIX|ASA-2-218001: Failed Identification Test in slot# [fail#/res].
•%PIX|ASA-2-218002: Module (slot#) is a registered proto-type for Cisco Lab use only, and not certified for live network operation.
•%PIX|ASA-2-218003: Module Version in <slot#> is obsolete. The module in slot = <slot#> is obsolete and must be returned via RMA to Cisco Manufacturing. If it is a lab unit, it must be returned to Proto Services for upgrade.
•%PIX|ASA-2-218004: Failed Identification Test in slot# [fail#/res]
•%PIX|ASA-2-304007: URL Server IP_address not responding, ENTERING ALLOW mode.
•%PIX|ASA-2-304008: LEAVING ALLOW mode, URL Server is up.
•%PIX|ASA-2-410002: Dropped num DNS responses with mis-matched id in the past sec second(s): from src_ifc:sip/sport to dest_ifc:dip/dport
•%PIX|ASA-2-709007: Configuration replication failed for command command
•%PIX|ASA-2-713078: Temp buffer for building mode config attributes exceeded: bufsize available_size, used value
•%PIX|ASA-2-713176: Device_type memory resources are critical, IKE key acquire message on interface interface_number, for Peer IP_address ignored
•%ASA-2-716500: internal error in: function: Fiber library cannot locate AK47 instance
•%ASA-2-716501: internal error in: function: Fiber library cannot attach AK47 instance
•%ASA-2-716502: internal error in: function: Fiber library cannot allocate defaut arena
•%ASA-2-716503: internal error in: function: Fiber library cannot allocate fiber descriptors pool
•%ASA-2-716504: internal error in: function: Fiber library cannot allocate fiber stacks pool
•%ASA-2-716505: internal error in: function: Fiber has joined fiber in unfinished state
•%ASA-2-716507: internal error in: function: Fiber scheduler has reached unreachable code. Cannot continue terminating
•%ASA-2-716508: internal error in: function: Fiber scheduler is scheduling rotten fiber. Cannot continuing terminating
•%ASA-2-716509:internal error in: function: Fiber scheduler is scheduling alien fiber. Cannot continue terminating
•%ASA-2-716510:internal error in: function: Fiber scheduler is scheduling finished fiber. Cannot continue terminating
•%ASA-2-716512:internal error in: function: Fiber has joined fiber waited upon by someone else
•%ASA-2-716513: internal error in: function: Fiber in callback blocked on other channel
•%ASA-2-716515:internal error in: function: OCCAM failed to allocate memory for AK47 instance
•%ASA-2-716516: internal error in: function: OCCAM has corrupted ROL array. Cannot continue terminating
•%ASA-2-716517: internal error in: function: OCCAM cached block has no associated arena
•%ASWA-2-716518: internal error in: function: OCCAM pool has no associated arena
•%ASA-2-716519: internal error in: function: OCCAM has corrupted pool list. Cannot continue terminating
•%ASA-2-716520:internal error in: function: OCCAM pool has no block list
•%ASA-2-716521: internal error in: function: OCCAM no realloc allowed in named pool
•%ASA-2-716522: internal error in: function: OCCAM corrupted standalone block
•%ASA-2-716525: UNICORN_SYSLOGID_SAL_CLOSE_PRIVDATA_CHANGED
•%ASA-2-716526: UNICORN_SYSLOGID_PERM_STORAGE_SERVER_LOAD_FAIL
•%ASA-2-716527: UNICORN_SYSLOGID_PERM_STORAGE_SERVER_STORE_FAIL
•%ASA-2-716528: Unexpected fiber scheduler error; possible out-of-memory condition
•%PIX|ASA-2-717008: Insufficient memory to process_requiring_memory.
•%PIX|ASA-2-717011: Unexpected event event event_ID
Error Messages, Severity 3
The following messages appear at severity 3, errors:
•%PIX|ASA-3-105010: (Primary) Failover message block alloc failed
•%PIX|ASA-3-106010: Deny inbound protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port
•%PIX|ASA-3-106011: Deny inbound (No xlate) string
•%PIX|ASA-3-106014: Deny inbound icmp src interface_name: IP_address dst interface_name: IP_address (type dec, code dec)
•%PIX-3-107003: RIP: Attempted reference of stale data encountered in function, line: line_num
•%PIX|ASA-3-109010: Auth from inside_address/inside_port to outside_address/outside_port failed (too many pending auths) on interface interface_name.
•%PIX|ASA-3-109013: User must authenticate before using this service
•%PIX|ASA-3-109016: Can't find authorization ACL acl_ID for user 'user'
•%PIX|ASA-3-109018: Downloaded ACL acl_ID is empty
•%PIX|ASA-3-109019: Downloaded ACL acl_ID has parsing error; ACE string
•%PIX|ASA-3-109020: Downloaded ACL has config error; ACE
•%PIX|ASA-3-109023: User from source_address/source_port to dest_address/dest_port on interface outside_interface must authenticate before using this service.
•%PIX|ASA-3-109026: [aaa protocol] Invalid reply digest received; shared server key may be mismatched.
•%PIX|ASA-3-109032: Unable to install ACL access_list, downloaded for user username; Error in ACE: ace.
•%PIX|ASA-3-113001: Unable to open AAA session. Session limit [limit] reached.
•%PIX|ASA-3-113018: User: user, Unsupported downloaded ACL Entry: ACL_entry, Action: action
•%PIX|ASA-3-113020: Kerberos error : Clock skew with server ip_address greater than 300 seconds
•%ASA-3-114006: Failed to get port statistics in 4GE SSM I/O card (error error_string).
•%ASA-3-114007: Failed to get current msr in 4GE SSM I/O card (error error_string).
•%ASA-3-114008: Failed to enable port after link is up in 4GE SSM I/O card due to either I2C serial bus access error or switch access error.
•%ASA-3-114009: Failed to set multicast address in 4GE SSM I/O card (error error_string).
•%ASA-3-114010: Failed to set multicast hardware address in 4GE SSM I/O card (error error_string).
•%ASA-3-114011: Failed to delete multicast address in 4GE SSM I/O card (error error_string).
•%ASA-3-114012: Failed to delete multicast hardware address in 4GE SSM I/O card (error error_string).
•%ASA-3-114013: Failed to set mac address table in 4GE SSM I/O card (error error_string).
•%ASA-3-114014: Failed to set mac address in 4GE SSM I/O card (error error_string).
•%ASA-3-114015: Failed to set mode in 4GE SSM I/O card (error error_string).
•%ASA-3-114016: Failed to set multicast mode in 4GE SSM I/O card (error error_string).
•%ASA-3-114017: Failed to get link status in 4GE SSM I/O card (error error_string).
•%ASA-3-114018: Failed to set port speed in 4GE SSM I/O card (error error_string).
•%ASA-3-114019: Failed to set media type in 4GE SSM I/O card (error error_string).
•%ASA-3-114020: Port link speed is unknown in 4GE SSM I/O card.
•%PIX|ASA-3-201002: Too many TCP connections on {static|xlate} global_address! econns nconns
•%PIX|ASA-3-201004: Too many UDP connections on {static|xlate} global_address! udp connections limit
•%PIX|ASA-3-201005: FTP data connection failed for IP_address IP_address
•%PIX|ASA-3-201006: RCMD backconnection failed for IP_address/port
•%PIX|ASA-3-201008: The security appliance is disallowing new connections.
•%PIX|ASA-3-201009: TCP connection limit of number for host IP_address on interface_name exceeded
•%PIX|ASA-3-201010: Embryonic connection limit exceeded econns/limit for dir packet from source_address/source_port to dest_address/dest_port on interface interface_name
•%PIX|ASA-3-201011: Connection limit exceeded cnt/limit for dir packet from sip/sport to dip/dport on interface if_name
•%PIX|ASA-3-202005: Non-embryonic in embryonic list outside_address/outside_port inside_address/inside_port
•%PIX|ASA-3-202011: Connection limit exceeded econns/limit for dir packet from source_address/source_port to dest_address/dest_port on interface interface_name
•%PIX|ASA-3-208005: (function:line_num) clear command return code
•%PIX|ASA-3-210001: LU sw_module_name error = number
•%PIX|ASA-3-210002: LU allocate block (bytes) failed.
•%PIX|ASA-3-210003: Unknown LU Object number
•%PIX|ASA-3-210005: LU allocate connection failed
•%PIX|ASA-3-210006: LU look NAT for IP_address failed
•%PIX|ASA-3-210007: LU allocate xlate failed
•%PIX|ASA-3-210008: LU no xlate for inside_address/inside_port outside_address/outside_port
•%PIX|ASA-3-210010: LU make UDP connection for outside_address:outside_port inside_address:inside_port failed
•%PIX|ASA-3-210020: LU PAT port port reserve failed
•%PIX|ASA-3-210021: LU create static xlate global_address ifc interface_name failed
•%PIX|ASA-3-211001: Memory allocation Error
•%PIX|ASA-3-211003: CPU utilization for number seconds = percent
•%PIX|ASA-3-212001: Unable to open SNMP channel (UDP port port) on interface interface_number, error code = code
•%PIX|ASA-3-212002: Unable to open SNMP trap channel (UDP port port) on interface interface_number, error code = code
•%PIX|ASA-3-212003: Unable to receive an SNMP request on interface interface_number, error code = code, will try again.
•%PIX|ASA-3-212004: Unable to send an SNMP response to IP Address IP_address Port port interface interface_number, error code = code
•%PIX|ASA-3-212005: incoming SNMP request (number bytes) on interface interface_name exceeds data buffer size, discarding this SNMP request.
•%PIX|ASA-3-212006: Dropping SNMP request from source_address/source_port to interface_name:dest_address/dest_port because: reason.
•%PIX|ASA-3-213001: PPTP control daemon socket io string, errno = number.
•%PIX|ASA-3-213002: PPTP tunnel hashtable insert failed, peer = IP_address.
•%PIX|ASA-3-213003: PPP virtual interface interface_number isn't opened.
•%PIX|ASA-3-213004: PPP virtual interface interface_number client ip allocation failed.
•%ASA-n-216001: internal error in: function: message
•PIX|ASA-3-216002: Unexpected event (major: major_id, minor: minor_id) received by task_string in function at line: line_num
•%PIX|ASA-3-216003: Unrecognized timer timer_ptr, timer_id received by task_string in function at line: line_num
•%ASA-3-219002: I2C_API_name error, slot = slot_number, device = device_number, address = address, byte count = count. Reason: reason_string
•%PIX|ASA-3-302019: H.323 library_name ASN Library failed to initialize, error code number
•%PIX|ASA-3-302302: ACL = deny; no sa created
•%PIX|ASA-3-304003: URL Server IP_address timed out URL url
•%PIX|ASA-3-304006: URL Server IP_address not responding
•%PIX|ASA-3-305005: No translation group found for protocol src interface_name:source_address/source_port dst interface_name:dest_address/dest_port
•%PIX|ASA-3-305006: {outbound static|identity|portmap|regular) translation creation failed for protocol src interface_name:source_address/source_port dst interface_name:dest_address/dest_port
•%PIX|ASA-3-305008: Free unallocated global IP address.
•%PIX|ASA-3-313001: Denied ICMP type=number, code=code from IP_address on interface interface_name
•%PIX|ASA-3-313008: Denied ICMPv6 type=number, code=code from IP_address on interface interface_name
•%PIX|ASA-3-315004: Fail to establish SSH session because RSA host key retrieval failed.
•%PIX|ASA-3-316001: Denied new tunnel to IP_address. VPN peer limit (platform_vpn_peer_limit) exceeded
•%ASA-3-316002: VPN Handle error: protocol=protocol, src in_if_num:src_addr, dst out_if_num:dst_addr
•%PIX|ASA-3-317001: No memory available for limit_slow
•%PIX|ASA-3-317002: Bad path index of number for IP_address, number max
•%PIX|ASA-3-317003: IP routing table creation failure - reason
•%PIX|ASA-3-317004: IP routing table limit warning
•%PIX|ASA-3-317005: IP routing table limit exceeded - reason, IP_address netmask
•%PIX|ASA-3-318001: Internal error: reason
•%PIX|ASA-3-318002: Flagged as being an ABR without a backbone area
•%PIX|ASA-3-318003: Reached unknown state in neighbor state machine
•%PIX|ASA-3-318004: area string lsid IP_address mask netmask adv IP_address type number
•%PIX|ASA-3-318005: lsid ip_address adv IP_address type number gateway gateway_address metric number network IP_address mask netmask protocol hex attr hex net-metric number
•%PIX|ASA-3-318006: if interface_name if_state number
•%PIX|ASA-3-318007: OSPF is enabled on interface_name during idb initialization
•%PIX|ASA-3-318008: OSPF process number is changing router-id. Reconfigure virtual link neighbors with our new router-id
•%PIX|ASA-3-318009: OSPF: Attempted reference of stale data encountered in function, line: line_num
•%PIX|ASA-3-319001: Acknowledge for arp update for IP address dest_address not received (number).
•%PIX|ASA-3-319002: Acknowledge for route update for IP address dest_address not received (number).
•%PIX|ASA-3-319003: Arp update for IP address address to NPn failed.
•%PIX|ASA-3-319004: Route update for IP address dest_address failed (number).
•%PIX|ASA-3-320001: The subject name of the peer cert is not allowed for connection
•%PIX|ASA-3-322001: Deny MAC address MAC_address, possible spoof attempt on interface interface
•%PIX|ASA-3-322002: ARP inspection check failed for arp {request|response} received from host MAC_address on interface interface. This host is advertising MAC Address MAC_address_1 for IP Address IP_address, which is {statically|dynamically} bound to MAC Address MAC_address_2.
•%PIX|ASA-3-322003:ARP inspection check failed for arp {request|response} received from host MAC_address on interface interface. This host is advertising MAC Address MAC_address_1 for IP Address IP_address, which is not bound to any MAC Address.
•%ASA-3-323001: Module in slot slotnum experienced a control channel communications failure.
•%ASA-3-323002: Module in slot slotnum is not able to shut down, shut down request not answered.
•%ASA-3-323003: Module in slot slotnum is not able to reload, reload request not answered.
•%ASA-3-323004: Module in slot slotnum failed to write software vnewver (currently vver), reason. Hw-module reset is required before further use.
•%ASA-3-323005: Module in slot slotnum can not be powered on completely
•%ASA-3-323006: Type Module in slot slot experienced a data channel communication failure, data channel is DOWN.
•%PIX|ASA-3-324000: Drop GTPv version message msg_type from source_interface:source_address/source_port to dest_interface:dest_address/dest_port Reason: reason
•%PIX|ASA-3-324001: GTPv0 packet parsing error from source_interface:source_address/source_port to dest_interface:dest_address/dest_port, TID: tid_value, Reason: reason
•%PIX|ASA-3-324002: No PDP[MCB] exists to process GTPv0 msg_type from source_interface:source_address/source_port to dest_interface:dest_address/dest_port, TID: tid_value
•%PIX|ASA-3-324003: No matching request to process GTPv version msg_type from source_interface:source_address/source_port to source_interface:dest_address/dest_port
•%PIX|ASA-3-324004: GTP packet with version%d from source_interface:source_address/source_port to dest_interface:dest_address/dest_port is not supported
•%PIX|ASA-3-324005: Unable to create tunnel from source_interface:source_address/source_port to dest_interface:dest_address/dest_port
•%PIX|ASA-3-324006:GSN IP_address tunnel limit tunnel_limit exceeded, PDP Context TID tid failed
•%PIX|ASA-3-324007: Unable to create GTP connection for response from source_interface:source_address/0 to dest_interface:dest_address/dest_port
•%PIX|ASA-3-324300: Radius Accounting Request from from_addr has an incorrect request authenticator
•%PIX|ASA-3-324301: Radius Accounting Request has a bad header length hdr_len, packet length pkt_len
•%PIX|ASA-3-325001: Router ipv6_address on interface has conflicting ND (Neighbor Discovery) settings
•%PIX-3-325003: EUI-64 source address check failed. Dropped packet from interface_in:source_address/source_port to dest_address/dest_port with source MAC address MAC_address.
•%PIX|ASA-3-326001: Unexpected error in the timer library: error_message
•%PIX|ASA-3-326002: Error in error_message : error_message
•%PIX|ASA-3-326004: An internal error occurred while processing a packet queue
•%PIX|ASA-3-326005: Mrib notification failed for (IP_address, IP_address)
•%PIX|ASA-3-326006: Entry-creation failed for (IP_address, IP_address)
•%PIX|ASA-3-326007: Entry-update failed for (IP_address, IP_address)
•%PIX|ASA-3-326008: MRIB registration failed
•%PIX|ASA-3-326009: MRIB connection-open failed
•%PIX|ASA-3-326010: MRIB unbind failed
•%PIX|ASA-3-326011: MRIB table deletion failed
•%PIX|ASA-3-326012: Initialization of string functionality failed
•%PIX|ASA-3-326013: Internal error: string in string line %d (%s)
•%PIX|ASA-3-326014: Initialization failed: error_message error_message
•%PIX|ASA-3-326015: Communication error: error_message error_message
•%PIX|ASA-3-326016: Failed to set un-numbered interface for interface_name (string)
•%PIX|ASA-3-326017: Interface Manager error - string in string : string
•%PIX|ASA-3-326019: string in string : string
•%PIX|ASA-3-326020: List error in string : string
•%PIX|ASA-3-326021: Error in string : string
•%PIX|ASA-3-326022: Error in string : string
•%PIX|ASA-3-326023: string - IP_address : string
•%PIX|ASA-3-326024: An internal error occurred while processing a packet queue.
•%PIX|ASA-3-326025: string
•%PIX|ASA-3-326026: Server unexpected error: error_messsage
•%PIX|ASA-3-326027: Corrupted update: error_messsage
•%PIX|ASA-3-326028: Asynchronous error: error_messsage
•%PIX|ASA-3-327001: IP SLA Monitor: Cannot create a new process
•%PIX|ASA-3-327002: IP SLA Monitor: Failed to initialize, IP SLA Monitor functionality will not work
•%PIX|ASA-3-327003: IP SLA Monitor: Generic Timer wheel timer functionality failed to initialize
•%PIX|ASA-3-328001: Attempt made to overwrite a set stub function in string.
•%PIX|ASA-3-329001: The string0 subblock named string1 was not removed
•ASA|PIX-3-331001: Dynamic DNS Update for 'fqdn_name' <=> ip_address failed
•%PIX|ASA-3-402130: CRYPTO: Received an ESP packet (SPI = 0x54A5C634, sequence number= 0x7B) from 75.2.96.101 (user= user) to 85.2.96.10 with incorrect IPsec padding.
•%PIX|ASA-3-403501: PPPoE - Bad host-unique in PADO - packet dropped. Intf:interface_name AC:ac_name
•%PIX|ASA-3-403502: PPPoE - Bad host-unique in PADS - dropping packet. Intf:interface_name AC:ac_name
•%PIX|ASA-3-403503: PPPoE:PPP link down:reason
•%PIX|ASA-3-403504: PPPoE:No 'vpdn group group_name' for PPPoE is created
•%PIX|ASA-3-403507:PPPoE:PPPoE client on interface interface failed to locate PPPoE vpdn group group_name
•%PIX|ASA-3-404102: ISAKMP: Exceeded embryonic limit
•%PIX|ASA-4-407002: Embryonic limit nconns/elimit for through connections exceeded.outside_address/outside_port to global_address (inside_address)/inside_port on interface interface_name
•%PIX|ASA-3-414001: Failed to save logging buffer using file name filename to FTP server ftp_server_address on interface interface_name: [fail_reason]
•%PIX|ASA-3-414002: Failed to save logging buffer to flash:/syslog directory using file name: filename: [fail_reason]
•%ASA-3-420001 : IPS card not up and fail-close mode used, dropping ICMP packet ifc_in:SIP to ifc_out:DIP (typeICMP_TYPE, code ICMP_CODE)"
•%ASA-3-421001: TCP|UDP flow from interface_name:ip/port to interface_name:ip/port is dropped because application has failed.
•%ASA-3-421003: Invalid data plane encapsulation.
•%ASA-3-421007: TCP|UDP flow from interface_name:IP_address/port to interface_name:IP_address/port is skipped because application has failed.
•%ASA-3-500005: connection terminated for protocol from in_ifc_name:src_adddress/src_port to out_ifc_name:dest_address/dest_port due to invalid combination of inspections on same flow. Inspect inspect_name is not compatible with inspect filter_name.
•%PIX|ASA-3-610001: NTP daemon interface interface_name: Packet denied from IP_address
•%PIX|ASA-3-610002: NTP daemon interface interface_name: Authentication failed for packet from IP_address
•%PIX|ASA-3-611313: VPNClient: Backup Server List Error: reason
•%PIX|ASA-3-702305: IPSEC: An direction tunnel_type SA (SPI=spi) between local_IP and remote_IP (username) is rekeying due to sequence number rollover.
•%PIX|ASA-3-702307: IPSEC: An direction tunnel_type SA (SPI=spi) between local_IP and remote_IP (username) is rekeying due to data rollover.
•%PIX|ASA-3-713008: Key ID in ID payload too big for pre-shared IKE tunnel
•%PIX|ASA-3-713009: OU in DN in ID payload too big for Certs IKE tunnel
•%PIX|ASA-3-713012: Unknown protocol (protocol). Not adding SA w/spi=SPI value
•%PIX|ASA-3-713014: Unknown Domain of Interpretation (DOI): DOI value
•%PIX|ASA-3-713016: Unknown identification type, Phase 1 or 2, Type ID_Type
•%PIX|ASA-3-713017: Identification type not supported, Phase 1 or 2, Type ID_Type
•%PIX|ASA-3-713018: Unknown ID type during find of group name for certs, Type ID_Type
•%PIX|ASA-3-713020: No Group found by matching OU(s) from ID payload: OU_value
•%PIX|ASA-3-713022: No Group found matching peer_ID or IP_address for Pre-shared key peer IP_address
•%PIX|ASA-3-713032: Received invalid local Proxy Range IP_address - IP_address
•%PIX|ASA-3-713033: Received invalid remote Proxy Range IP_address - IP_address
•%PIX|ASA-3-713042: IKE Initiator unable to find policy: Intf interface_number, Src: source_address, Dst: dest_address
•%PIX|ASA-3-713043: Cookie/peer address IP_address session already in progress
•%PIX|ASA-3-713047: Unsupported Oakley group: Group Diffie-Hellman group
•%PIX|ASA-3-713048: Error processing payload: Payload ID: id
•%PIX|ASA-3-713051: Terminating connection attempt: IPSEC not permitted for group (group_name)
•%PIX|ASA-3-713056: Tunnel rejected: SA (SA_name) not found for group (group_name)!
•%PIX|ASA-3-713059: Tunnel Rejected: User (user) matched with group name, group-lock check failed.
•%PIX|ASA-3-713060: Tunnel Rejected: User (user) not member of group (group_name), group-lock check failed.
•%PIX|ASA-3-713061: Tunnel rejected: Crypto Map Policy not found for Src:source_address, Dst: dest_address!
•%PIX|ASA-3-713062: IKE Peer address same as our interface address IP_address
•%PIX|ASA-3-713063: IKE Peer address not configured for destination IP_address
•%PIX|ASA-3-713065: IKE Remote Peer did not negotiate the following: proposal attribute
•%PIX|ASA-3-713072: Password for user (user) too long, truncating to number characters
•%PIX|ASA-3-713081: Unsupported certificate encoding type encoding_type
•%PIX|ASA-3-713082: Failed to retrieve identity certificate
•%PIX|ASA-3-713083: Invalid certificate handle
•%PIX|ASA-3-713084: Received invalid phase 1 port value (port) in ID payload
•%PIX|ASA-3-713085: Received invalid phase 1 protocol (protocol) in ID payload
•%PIX|ASA-3-713086: Received unexpected Certificate payload Possible invalid Auth Method (Auth method (auth numerical value))
•%PIX|ASA-3-713088: Set Cert filehandle failure: no IPSec SA in group group_name
•%PIX|ASA-3-713098: Aborting: No identity cert specified in IPSec SA (SA_name)!
•%PIX|ASA-3-713102: Phase 1 ID Data length number too long - reject tunnel!
•%PIX|ASA-3-713105: Zero length data in ID payload received during phase 1 or 2 processing
•%PIX|ASA-3-713107: IP_Address request attempt failed!
•%PIX|ASA-3-713109: Unable to process the received peer certificate
•%PIX|ASA-3-713112: Failed to process CONNECTED notify (SPI SPI_value)!
•%PIX|ASA-3-713014: Unknown Domain of Interpretation (DOI): DOI value
•%PIX|ASA-3-713016: Unknown identification type, Phase 1 or 2, Type ID_Type
•%PIX|ASA-3-713017: Identification type not supported, Phase 1 or 2, Type ID_Type
•%PIX|ASA-3-713118: Detected invalid Diffie-Hellman group_descriptor group_number, in IKE area
•%PIX|ASA-3-713122: Keep-alives configured keepalive_type but peer IP_address support keep-alives (type = keepalive_type)
•%PIX|ASA-3-713123: IKE lost contact with remote peer, deleting connection (keepalive type: keepalive_type)
•%PIX|ASA-3-713124: Received DPD sequence number rcv_sequence_# in DPD Action, description expected seq #
•%PIX|ASA-3-713127: Xauth required but selected Proposal does not support xauth, Check priorities of ike xauth proposals in ike proposal list
•%PIX|ASA-3-713128: Connection attempt to VCPIP redirected to VCA peer IP_address via load balancing
•%PIX|ASA-3-713129: Received unexpected Transaction Exchange payload type: payload_id
•%PIX|ASA-3-713132: Cannot obtain an IP_address for remote peer
•%PIX|ASA-3-713133: Mismatch: Overriding phase 2 DH Group(DH group DH group_id) with phase 1 group(DH group DH group_number
•%PIX|ASA-3-713134: Mismatch: P1 Authentication algorithm in the crypto map entry different from negotiated algorithm for the L2L connection
•%PIX|ASA-3-713138: Group group_name not found and BASE GROUP default preshared key not configured
•%PIX|ASA-3-713140: Split Tunneling Policy requires network list but none configured
•%PIX|ASA-3-713141: Client-reported firewall does not match configured firewall: action tunnel. Received -- Vendor: vendor(id), Product product(id), Caps: capability_value. Expected -- Vendor: vendor(id), Product: product(id), Caps: capability_value
•%PIX|ASA-3-713142: Client did not report firewall in use, but there is a configured firewall: action tunnel. Expected -- Vendor: vendor(id), Product product(id), Caps: capability_value
•%PIX|ASA-3-713146: Could not add route for Hardware Client in network extension mode, address: IP_address, mask: netmask
•%PIX|ASA-3-713149: Hardware client security attribute attribute_name was enabled but not requested.
•%PIX|ASA-3-713152: Unable to obtain any rules from filter ACL_tag to send to client for CPP, terminating connection.
•%PIX|ASA-3-713159: TCP Connection to Firewall Server has been lost, restricted tunnels are now allowed full network access
•%PIX|ASA-3-713161: Remote user (session Id - id) network access has been restricted by the Firewall Server
•%PIX|ASA-3-713162: Remote user (session Id - id) has been rejected by the Firewall Server
•%PIX|ASA-3-713163: Remote user (session Id - id) has been terminated by the Firewall Server
•%PIX|ASA-3-713165: Client IKE Auth mode differs from the group's configured Auth mode
•%PIX|ASA-3-713166: Headend security gateway has failed our user authentication attempt - check configured username and password
•%PIX|ASA-3-713167: Remote peer has failed user authentication - check configured username and password
•%PIX|ASA-3-713168: Re-auth enabled, but tunnel must be authenticated interactively!
•%PIX|ASA-3-713174: Hardware Client connection rejected! Network Extension Mode is not allowed for this group!
•%PIX|ASA-3-713182: IKE could not recognize the version of the client! IPSec Fragmentation Policy will be ignored for this connection!
•%PIX|ASA-3-713185: Error: Username too long - connection aborted
•%PIX|ASA-3-713186: Invalid secondary domain name list received from the authentication server. List Received: list_text Character index (value) is illegal
•%PIX|ASA-3-713189: Attempted to assign network or broadcast IP_address, removing (IP_address) from pool.
•%PIX|ASA-3-713193: Received packet with missing payload, Expected payload: payload_id
•%PIX|ASA-3-713194: IKE|IPSec Delete With Reason message: termination_reason
•%PIX|ASA-3-713195: Tunnel rejected: Originate-Only: Cannot accept incoming tunnel yet!
•%PIX|ASA-3-713198: User Authorization failed: user User authorization failed.
•%PIX|ASA-3-713203: IKE Receiver: Error reading from socket.
•%PIX|ASA-3-713205: Could not add static route for client address: IP_address
•%PIX|ASA-3-713206: Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
•%PIX|ASA-3-713208: Cannot create dynamic rule for Backup L2L entry rule rule_id
•%PIX|ASA-3-713209: Cannot delete dynamic rule for Backup L2L entry rule id
•%PIX|ASA-3-713210: Cannot create dynamic map for Backup L2L entry rule_id
•%PIX|ASA-3-713212: Could not add route for L2L peer coming in on a dynamic map. address: IP_address, mask: netmask
•%PIX|ASA-3-713214: Could not delete route for L2L peer that came in on a dynamic map. address: IP_address, mask: netmask
•%PIX|ASA-3-713217: Skipping unrecognized rule: action: action client type: client_type client version: client_version
•%PIX|ASA-3-713218: Tunnel Rejected: Client Type or Version not allowed.
•%PIX|ASA-3-713226: Connection failed with peer IP_address, no trust-point defined in tunnel-group tunnel_group
•%PIX|ASA-3-713230 Internal Error, ike_lock trying to lock bit that is already locked for type type
•%PIX|ASA-3-713231 Internal Error, ike_lock trying to unlock bit that is not locked for type type
•%PIX|ASA-3-713232 SA lock refCnt = value, bitmask = hexvalue, p1_decrypt_cb = value, qm_decrypt_cb = value, qm_hash_cb = value, qm_spi_ok_cb = value, qm_dh_cb = value, qm_secret_key_cb = value, qm_encrypt_cb = value
•%PIX|ASA-3-713238: Invalid source proxy address: 0.0.0.0! Check private address on remote client
•%PIX|ASA-3-713902 descriptive_event_string
•%ASA-3-716056: Group group-name User user-name IP IP_address Authentication to SSO server name: name type type failed reason: reason
•%PIX|ASA-3-717001: Querying keypair failed.
•%PIX|ASA-3-717002: Certificate enrollment failed for trustpoint trustpoint_name. Reason: reason_string.
•%PIX|ASA-3-717009: Certificate validation failed. Reason: reason_string.
•%PIX|ASA-3-717010: CRL polling failed for trustpoint trustpoint_name.
•%PIX|ASA-3-717012: Failed to refresh CRL cache entry from the server for trustpoint trustpoint_name at time_of_failure
•%PIX|ASA-3-717015: CRL received from issuer is too large to process (CRL size = crl_size, maximum CRL size = max_crl_size)
•%PIX|ASA-3-717017: Failed to query CA certificate for trustpoint trustpoint_name from enrollment_url
•%PIX|ASA-3-717018: CRL received from issuer has too many entries to process (number of entries = number_of_entries, maximum number allowed = max_allowed)
•%PIX|ASA-3-717019: Failed to insert CRL for trustpoint trustpoint_name. Reason: failure_reason.
•%PIX|ASA-3-717021 Certificate data could not be verified. Locate Reason: reason_string serial number: serial number, subject name: subject name, key length key length bits.
•%PIX|ASA-3-717023 SSL failed to set device certificate for trustpoint trustpoint name. Reason: reason_string.
•%PIX|ASA-3-717027 Certificate chain failed validation. reason_string.
•%PIX-3-717032 OCSP status check failed. Reason: reason_string.
•%ASA-3-719002: Email Proxy session pointer from source_address has been terminated due to reason error.
•%ASA-3-719008: Email Proxy service is shutting down.
•%ASA-3-722007: Group group User user-name IP IP_address SVC Message: type-num/ERROR: message
•%ASA-3-722008: Group group User user-name IP IP_address SVC Message: type-num/ERROR: message
•%ASA-3-722009: Group group User user-name IP IP_address SVC Message: type-num/ERROR: message
•%ASA-3-722020: Group group User user-name IP IP_address No address available for SVC connection
•%ASA-3-722021: Group group User user-name IP IP_address Unable to start compression due to lack of memory resources
•%ASA-3-722035: Group group User user-name IP IP_address Transmitting large packet length (threshold threshold).
•%ASA-3-722036: Group group User user-name IP IP_address Received large packet length (threshold threshold).
Warning Messages, Severity 4
The following messages appear at severity 4, warning:
•%PIX|ASA-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_ID
•%PIX|ASA-4-106027:Failed to determine the security context for the packet:vlansource Vlan#:ethertype src sourceMAC dst destMAC
•%PIX|ASA-4-106100: access-list acl_ID {permitted | denied | est-allowed} protocol interface_name/source_address(source_port) -> interface_name/dest_address(dest_port) hit-cnt number ({first hit | number-second interval})
•%PIX|ASA-4-108004: action_class: action ESMTP req_resp from src_ifc:sip|sport to dest_ifc:dip|dport;further_info
•%PIX|ASA-4-109017: User at IP_address exceeded auth proxy connection limit (max)
•%PIX|ASA-4-109022: exceeded HTTPS proxy process limit
•%PIX|ASA-4-109027: [aaa protocol] Unable to decipher response message Server = server_IP_address, User = user
•%PIX|ASA-4-109028: aaa bypassed for same-security traffic from ingress_ interface:source_address/source_port to egress_interface:dest_address/dest_port
•%PIX|ASA-4-109030: Autodetect ACL convert wildcard did not convert ACL access_list source | dest netmask netmask.
•%PIX|ASA-4-109031: NT Domain Authentication Failed: rejecting guest login for username.
•%PIX|ASA-4-109033: Authentication failed for admin user user from src_IP. Interactive challenge processing is not supported for protocol connections
•%PIX|ASA-4-109034: Authentication failed for network user user from src_IP/port to dst_IP/port. Interactive challenge processing is not supported for protocol connections
•
