Guest

Support

System Log Messages

Hierarchical Navigation

 Feedback

Table Of Contents

Syslog Messages

Messages 101001 to 199012

101001

101002

101003, 101004

101005

102001

103001

103002

103003

103004

103005

103006

103007

104001, 104002

104003

104004

105001

105002

105003

105004

105005

105006, 105007

105008

105009

105010

105011

105020

105021

105031

105032

105034

105035

105036

105037

105038

105039

105040

105042

105043

105044

105045

105046

105047

105048

106001

106002

106006

106007

106010

106011

106012

106013

106014

106015

106016

106017

106018

106020

106021

106022

106023

106024

106025, 106026

106027

106100

106101

106102

107001

107002

107003

108002

108003

108004

108005

108006

108007

109001

109002

109003

109005

109006

109007

109008

109010

109011

109012

109013

109014

109016

109017

109018

109019

109020

109021

109022

109023

109024

109025

109026

109027

109028

109029

109030

109031

109032

109033

109034

109035

109036

109037

109038

110002

110003

111001

111002

111003

111004

111005

111007

111008

111009

111010

111111

112001

113001

113003

113004

113005

113006

113007

113008

113009

113010

113011

113012

113013

113014

113015

113016

113017

113018

113019

113020

113021

113022

113023

113024

113025

114001

114002

114003

114004

114005

114006

114007

114008

114009

114010

114011

114012

114013

114014

114015

114016

114017

114018

114019

114020

114021

114022

120001

120002

120003

120004

120005

120006

120007

120008

120009

120010

199001

199002

199003

199005

199006

199007

199008

199009

199010

199011

199012

Messages 201002 to 219002

201002

201003

201004

201005

201006

201008

201009

201010

201011

201012

201013

202001

202005

202011

208005

209003

209004

209005

210001

210002

210003

210005

210006

210007

210008

210010

210011

210020

210021

210022

211001

211003

212001

212002

212003

212004

212005

212006

213001

213002

213003

213004

213005

213006

214001

215001

217001

216001

216002

216003

216004

216005

218001

218002

218003

218004

219002

Messages 302003 to 339001

302003

302004

302009

302010

302012

302013

302014

302015

302016

302017

302018

302019

302020

302021

302033

302034

302302

303002

303003

303004

303005

304001

304002

304003

304004

304005

304006

304007

304008

304009

305005

305006

305007

305008

305009

305010

305011

305012

305013

308001

308002

311001

311002

311003

311004

312001

313001

313004

313005

313008

314001

314002

314003

314004

314005

314006

315004

315011

316001

316002

317001

317002

317003

317004

317005

317006

318001

318002

318003

318004

318005

318006

318007

318008

318009

319001

319002

319003

319004

320001

321001

321002

321003

321004

322001

322002

322003

322004

323001

323002

323003

323004

323005

323006

323007

324000

324001

324002

324003

324004

324005

324006

324007

324300

324301

325001

325002

325003

326001

326002

326004

326005

326006

326007

326008

326009

326010

326011

326012

326013

326014

326015

326016

326017

326019

326020

326021

326022

326023

326024

326025

326026

326027

326028

327001

327002

327003

328001

329001

331001

331002

332001

332002

332003

332004

333001

333002

333003

333004

333005

333006

333007

333008

333009

333010

334001

334002

334003

334004

334005

334006

334007

334008

334009

335001

335002

335003

335004

335004

335005

335006

335007

335008

335009

335010

335011

335012

335013

335014

336001

336002

336003

336004

336005

336006

336007

336008

336009

336010

336011

337001

337002

337003

337004

337005

337006

337007

337008

337009

338001

338002

338003

338004

338005

338006

338007

338008

338201

338202

338203

338204

339001

339002

339003

339004

339005

339006

339007

339008

339009

Messages 400000 to 466002

4000nn

401001

401002

401003

401004

401005

402114

402115

402116

402117

402118

402119

402120

402121

402122

402123

402124

402125

402126

402127

402128

402129

402130

403101

403102

403103

403104

403106

403107

403108

403109

403110

403500

403501

403502

403503

403504

403505

403506

403507

404101

404102

405001

405101

405002

405101

405102

405103

405104

405105

405106

405107

405201

405300

405301

406001

406002

407001

407002

407003

408001

408002

408003

409001

409002

409003

409004

409005

409006

409007

409008

409009

409010

409011

409012

409013

409023

410001

410002

410003

410004

411001

411002

411003

411004

411005

412001

412002

413001

413002

413003

413004

413005

413006

414001

414002

414003

414004

415001

415002

415003

415004

415005

415006

415007

415008

415009

415010

415011

415012

415013

415014

415015

415016

415017

415018

415019

415020

416001

417001

417004

417006

417008

417009

418001

419001

419002

419003

420001

420002

420003

420004

420005

420006

420007

421001

421002

421003

421004

421005

421006

421007

422004

422005

422006

423001

423002

423003

423004

423005

424001

424002

425001

425002

425003

425004

425005

425006

428001

431001

431002

444004

444005

444007

446001

446002

446003

448001

450001

466002

Messages 500001 to 509001

500001

500002

500003

500004

500005

501101

502101

502102

502103

502111

502112

503001

504001

504002

505001

505002

505003

505004

505005

505006

505007

505008

505009

505010

505011

505012

505013

505014

505015

505016

506001

507001

507002

507003

508001

508002

509001

Messages 602101 to 634001

602101

602103

602104

602303

602304

603101

603102

603103

603104

603105

603106

603107

603108

603109

603110

604101

604102

604103

604104

605004

605005

606001

606002

606003

606004

607001

607002

607003

608001

608002

608003

608004

608005

609001

609002

610001

610002

610101

611101

611102

611103

611104

611301

611302

611303

611304

611305

611306

611307

611308

611309

611310

611311

611312

611313

611314

611315

611316

611317

611318

611319

611320

611321

611322

611323

612001

612002

612003

613001

613002

613003

614001

614002

615001

615002

616001

617001

617002

617003

617004

617100

620001

620002

621001

621002

621003

621006

621007

621008

621009

621010

622001

622101

622102

634001

Messages 701001 to 737033

701001

701002

702305

702307

703001

703002

709001, 709002

709003

709004

709005

709006

709007

710001

710002

710003

710004

710005

710006

710007

711001

711003

711004

711005

713004

713006

713008

713009

713010

713012

713014

713016

713017

713018

713020

713022

713024

713025

713026

713027

713028

713029

713030

713031

713032

713033

713034

713035

713036

713037

713039

713040

713041

713042

713043

713048

713049

713050

713051

713052

713056

713059

713060

713061

713062

713063

713065

713066

713068

713072

713073

713074

713075

713076

713078

713081

713082

713083

713084

713085

713086

713088

713092

713094

713098

713099

713102

713103

713104

713105

713107

713109

713112

713113

713114

713115

713116

713117

713118

713119

713120

713121

713122

713123

713124

713127

713128

713129

713130

713131

713132

713133

713134

713135

713136

713137

713138

713139

713140

713141

713142

713143

713144

713145

713146

713147

713148

713149

713152

713154

713155

713156

713157

713158

713159

713160

713161

713162

713163

713164

713165

713166

713167

713168

713169

713170

713171

713172

713174

713176

713177

713178

713179

713182

713184

713185

713186

713187

713189

713190

713193

713194

713195

713196

713197

713198

713199

713201

713203

713204

713205

713206

713208

713209

713210

713211

713212

713213

713214

713215

713216

713217

713218

713219

713220

713221

713222

713223

713224

713225

713226

713227

713228

713229

713230

713231

713232

713233

713234

713235

713236

713237

713238

713239

713240

713241

713242

713243

713244

713245

713246

713247

713248

713249

713250

713251

713252

713253

713254

713255

713256

713257

713258

713259

713900

713901

713902

713903

713904

713905

713906

714001

714002

714003

714004

714005

714006

714007

714011

715001

715004

715005

715006

715007

715008

715009

715013

715019

715020

715021

715022

715027

715028

715033

715034

715035

715036

715037

715038

715039

715040

715041

715042

715044

715045

715046

715047

715048

715049

715050

715051

715052

715053

715054

715055

715056

715057

715058

715059

715060

715061

715062

715063

715064

715065

715066

715067

715068

715069

715070

715071

715072

715074

715075

715076

715077

715078

715079

715080

716001

716002

716003

716004

716005

716006

716007

716008

716009

716010

716011

716012

716013

716014

716015

716016

716017

716018

716019

716020

716021

716022

716023

716024

716025

716026

716027

716028

716029

716030

716031

716032

716033

716034

716035

716036

716037

716038

716039

716040

716041

716042

716043

716044

716045

716046

716047

716048

716049

716050

716051

716052

716053

716054

716055

716056

716057

716058

716059

716060

716500

716501

716502

716503

716504

716505

716506

716507

716508

716509

716510

716512

716513

716515

716516

716517

716518

716519

716520

716521

716522

716525

716526

716527

716528

717001

717002

717003

717004

717005

717006

717007

717008

717009

717010

717011

717012

717013

717014

717015

717016

717017

717018

717019

717020

717021

717022

717023

717024

717025

717026

717027

717028

717029

717030

717031

717032

717033

717034

717035

717036

717037

717038

717039

717040

717041

717042

717043

717044

717045

717046

717047

717048

717049

718001

718002

718003

718004

718005

718006

718007

718008

718009

718010

718011

718012

718013

718014

718015

718016

718017

718018

718019

718020

718021

718022

718023

718024

718025

718026

718027

718028

718029

718030

718031

718032

718033

718034

718035

718036

718037

718038

718039

718040

718041

718042

718043

718044

718045

718046

718047

718048

718049

718050

718051

718052

718053

718054

718055

718056

718057

718058

718059

718060

718061

718062

718063

718064

718065

718066

718067

718068

718069

718070

718071

718072

718073

718074

718075

718076

718077

718078

718079

718080

718081

718082

718083

718084

718085

718086

718087

718088

719001

719002

719003

719004

719005

719006

719007

719008

719009

719010

719011

719012

719013

719014

719015

719016

719017

719018

719019

719020

719021

719022

719023

719024

719025

719026

720001

720002

720003

720004

720005

720006

720007

720008

720009

720010

720011

720012

720013

720014

720015

720016

720017

720018

720019

720020

720021

720022

720023

720024

720025

720026

720027

720028

720029

720030

720031

720032

720033

720034

720035

720036

720037

720038

720039

720040

720041

720042

720043

720044

720045

720046

720047

720048

720049

720050

720051

720052

720053

720054

720055

720056

720057

720058

720059

720060

720061

720062

720063

720064

720065

720066

720067

720068

720069

720070

720071

720072

720073

721001

721002

721003

721004

721005

721006

721007

721008

721009

721010

721011

721012

721013

721014

721015

721016

721017

721018

721019

722001

722002

722003

722004

722005

722006

722007

722008

722009

722010

722011

722012

722013

722014

722015

722016

722017

722018

722019

722020

722021

722022

722023

722024

722025

722026

722027

722028

722029

722030

722031

722032

722033

722034

722035

722036

722037

722038

722039

722040

722041

722042

722043

722044

722045

722046

722047

722048

722049

722050

722051

722053

723001

723002

723003

723004

723005

723006

723007

723008

723009

723010

723011

723012

723013

723014

724001

724002

725001

725002

725003

725004

725005

725006

725007

725008

725009

725010

725011

725012

725013

725014

725015

726001

730001

730002

730004

730005

730010

733100

733101

733102

733103

731001

731002

731003

732001

732002

732003

733104

733105

734001

734002

734003

734004

737001

737002

737003

737004

737005

737006

737007

737008

737009

737010

737011

737012

737013

737014

737015

737016

737017

737018

737019

737023

737024

737025

737026

737027

737028

737029

737030

737031

737032

737033

742001

742002

742003

742004

742005

742006

742007

742008

742009

742010


Syslog Messages


This chapter lists the syslog messages in numerical order.


Note When a number is skipped in a sequence, the message is no longer in the security appliance code.


For information about how to configure logging and SNMP, see the Cisco Security Appliance Command Line Configuration Guide.

Table 1-1 lists the syslog message classes and the ranges of syslog message IDs associated with each class. The valid range of syslog message IDs is between 100000 and 999999, respectively.

Table 1-1 Syslog Message Classes and Associated Message ID Numbers 

Class
Definition
Syslog Message ID Numbers

auth

User Authentication

109, 113

bridge

Transparent Firewall

110, 220

ca

PKI Certification Authority

717

config

Command Interface

111, 112, 208, 308

dap

Dynamic Access Policies

734

e-mail

E-mail Proxy

719

ha

High Availability (Failover)

101, 102, 103, 104, 210, 311, 709

ip

IP Stack

209, 215, 313, 317, 408

ipaa

IP Address Assignment

735

ips

Intrusion Protection Service

400, 401, 415

np

Network Processor

319

npssl

NP SSL

725

ospf

OSPF Routing

318, 409, 503, 613

rip

RIP Routing

107, 312

rm

Resource Manager

321

session

User Session

106, 108, 201, 202, 204, 302, 303, 304, 305, 314, 405, 406, 407, 500, 502, 607, 608, 609, 616, 620, 703, 710

snmp

SNMP

212

sys

System

199, 211, 214, 216, 306, 307, 315, 414, 604, 605, 606, 610, 612, 614, 615,701, 711

vpdn

PPTP and L2TP Sessions

213, 403, 603

vpn

IKE and IPSec

316, 320, 402, 404, 501, 602, 702, 713, 714, 715

vpnc

VPN Client

611

vpnfo

VPN Failover

720

vpnlb

VPN Load Balancing

718

webvpn

Web-based VPN

716


This chapter includes the following sections:

Messages 101001 to 199012

Messages 201002 to 219002

Messages 302003 to 339001

Messages 400000 to 466002

Messages 500001 to 509001

Messages 602101 to 634001

Messages 701001 to 737033

Messages 101001 to 199012

This section contains messages from 101001 to 199012.

101001

Error Message    %PIX|ASA-1-101001: (Primary) Failover cable OK.

Explanation    This is a failover message. This message reports that the failover cable is present and functioning correctly. (Primary) can also be listed as (Secondary) for the secondary unit.

Recommended Action    None required.

101002

Error Message    %PIX|ASA-1-101002: (Primary) Bad failover cable. 

Explanation    This is a failover message. This message reports that the failover cable is present but not functioning correctly. (Primary) can also be listed as (Secondary) for the secondary unit.

Recommended Action    Replace the failover cable.

101003, 101004

Error Message    %PIX|ASA-1-101003: (Primary) Failover cable not connected (this unit).
Error Message    %PIX|ASA-1-101004: (Primary) Failover cable not connected (other 
unit).

Explanation    Both instances are failover messages. These messages are logged when failover mode is enabled, but the failover cable is not connected to one unit of the failover pair. (Primary) can also be listed as (Secondary) for the secondary unit.

Recommended Action    Connect the failover cable to both units of the failover pair.

101005

Error Message    %PIX|ASA-1-101005: (Primary) Error reading failover cable status.

Explanation    This is a failover message. This message is displayed if the failover cable is connected, but the primary unit is unable to determine its status.

Recommended Action    Replace the cable.

102001

Error Message    %PIX|ASA-1-102001: (Primary) Power failure/System reload other side.

Explanation    This is a failover message. This message is logged if the primary unit detects a system reload or a power failure on the other unit. "Primary" can also be listed as "Secondary" for the secondary unit.

Recommended Action    On the unit that experienced the reload, issue the show crashinfo command to determine if there is a traceback associated with the reload. Also verify that the unit is powered on and that power cables are properly connected.

103001

Error Message    %PIX|ASA-1-103001: (Primary) No response from other firewall (reason 
code = code).

Explanation    This is a failover message. This message is displayed if the primary unit is unable to communicate with the secondary unit over the failover cable. (Primary) can also be listed as (Secondary). for the secondary unit. Table 1-2 lists the reason codes and the descriptions to determine why the failover occurred.

Table 1-2 Reason Codes

Reason Code
Description

1

The local unit is not receiving the hello packet on the failover LAN interface when LAN failover occurs or on the serial failover cable when serial failover occurs, and declares that the peer is down.

2

An interface did not pass one of the 4 failover tests. The four tests are as follows: 1) Link Up, 2) Monitor for Network Traffic, 3) ARP test, 4) Broadcast Ping test.

3

No proper ACK for 15+ seconds after a command was sent on the serial cable.

4

The failover LAN interface is down, and other data interfaces are not responding to additional interface testing. In addition, the local unit is declaring that the peer is down.

5

The standby peer went down during the configuration synchronization process.


Recommended Action    Verify that the failover cable is connected properly and both units have the same hardware, software, and configuration. If the problem persists, contact the Cisco TAC.

103002

Error Message    %PIX|ASA-1-103002: (Primary) Other firewall network interface 
interface_number OK.

Explanation    This is a failover message. This message is displayed when the primary unit detects that the network interface on the secondary unit is okay. (Primary) can also be listed as (Secondary) for the secondary unit.

Recommended Action    None required.

103003

Error Message    %PIX|ASA-1-103003: (Primary) Other firewall network interface 
interface_number failed.

Explanation    This is a failover message. This message is displayed if the primary unit detects a bad network interface on the secondary unit. (Primary) can also be listed as (Secondary) for the secondary unit.

Recommended Action    Check the network connections on the secondary unit and check the network hub connection. If necessary, replace the failed network interface.

103004

Error Message    %PIX|ASA-1-103004: (Primary) Other firewall reports this firewall 
failed.

Explanation    This is a failover message. This message is displayed if the primary unit receives a message from the secondary unit indicating that the primary has failed. (Primary) can also be listed as (Secondary) for the secondary unit.

Recommended Action    Verify the status of the primary unit.

103005

Error Message    %PIX|ASA-1-103005: (Primary) Other firewall reporting failure.

Explanation    This is a failover message. This message is displayed if the secondary unit reports a failure to the primary unit. (Primary) can also be listed as (Secondary) for the secondary unit.

Recommended Action    Verify the status of the secondary unit.

103006

Error Message    %PIX|ASA-1-103006: (Primary|Secondary) Mate version ver_num is not 
compatible with ours ver_num

Explanation    This message appears when PIX firewall detects peer unit is running a version that is not the same as local unit and also is not compatible with HA Hitless Upgrade feature.

ver_num—Version number

Recommended Action    Install same or compatible versions image on both firewall units.

103007

Error Message    %PIX|ASA-1-103007: (Primary|Secondary) Mate version ver_num is not 
identical with ours ver_num

Explanation    This message appears when PIX firewall detects peer unit is running a version that is not identical but does support Hitless Upgrade and is compatible with local unit. The system performance could be degraded due to the image version not being equal and could encounter a stability issue if running for extended period.

ver_num—Version number

Recommended Action    Install same version image on both units as soon as possible.

104001, 104002

Error Message    %PIX|ASA-1-104001: (Primary) Switching to ACTIVE (cause: string).
Error Message    %PIX|ASA-1-104002: (Primary) Switching to STNDBY (cause: string).

Explanation    Both instances are failover messages. These messages usually are logged when you force the pair to switch roles, either by entering the failover active command on the standby unit, or the no failover active command on the active unit. (Primary) can also be listed as (Secondary) for the secondary unit. Possible values for the string variable are as follows:

state check

bad/incomplete config

ifc [interface] check, mate is healthier

the other side wants me to standby

in failed state, cannot be active

switch to failed state

other unit set to active by CLI config command `fail active'

Recommended Action    If the message occurs because of manual intervention, no action is required. Otherwise, use the cause reported by the secondary unit to verify the status of both units of the pair.

104003

Error Message    %PIX|ASA-1-104003: (Primary) Switching to FAILED.

Explanation    This is a failover message. This message is displayed when the primary unit fails.

Recommended Action    Check the syslog messages for the primary unit for an indication of the nature of the problem (see message 104001). (Primary) can also be listed as (Secondary) for the secondary unit.

104004

Error Message    %PIX|ASA-1-104004: (Primary) Switching to OK.

Explanation    This is a failover message. This message is displayed when a previously failed unit now reports that it is operating again. (Primary) can also be listed as (Secondary) for the secondary unit.

Recommended Action    None required.

105001

Error Message    %PIX|ASA-1-105001: (Primary) Disabling failover.

Explanation    In version 7.x and later, this message may indicate the following: failover has been automatically disabled because of a mode mismatch (single or multiple), a license mismatch (encryption or context), or a hardware difference (one unit has an IPS SSM installed, and its peer has a CSC SSM installed). (Primary) can also be listed as (Secondary) for the secondary unit.

Recommended Action    None required.

105002

Error Message    %PIX|ASA-1-105002: (Primary) Enabling failover.

Explanation    This is a failover message, which is displayed when you enter the failover command with no arguments on the console, after having previously disabled failover. (Primary) can also be listed as (Secondary) for the secondary unit.

Recommended Action    None required.

105003

Error Message    %PIX|ASA-1-105003: (Primary) Monitoring on interface interface_name 
waiting

Explanation    This is a failover message. The security appliance is testing the specified network interface with the other unit of the failover pair. (Primary) can also be listed as (Secondary) for the secondary unit.

Recommended Action    None required. The security appliance monitors its network interfaces frequently during normal operations.

105004

Error Message    %PIX|ASA-1-105004: (Primary) Monitoring on interface interface_name 
normal

Explanation    This is a failover message. The test of the specified network interface was successful. (Primary) can also be listed as (Secondary) for the secondary unit.

Recommended Action    None required.

105005

Error Message    %PIX|ASA-1-105005: (Primary) Lost Failover communications with mate on 
interface interface_name.

Explanation    This is a failover message. This message is displayed if this unit of the failover pair can no longer communicate with the other unit of the pair. (Primary) can also be listed as (Secondary) for the secondary unit.

Recommended Action    Verify that the network connected to the specified interface is functioning correctly.

105006, 105007

Error Message    %PIX|ASA-1-105006: (Primary) Link status `Up' on interface 
interface_name.
Error Message    %PIX|ASA-1-105007: (Primary) Link status `Down' on interface 
interface_name.

Explanation    Both instances are failover messages. These messages report the results of monitoring the link status of the specified interface. (Primary) can also be listed as (Secondary) for the secondary unit.

Recommended Action    If the link status is down, verify that the network connected to the specified interface is operating correctly.

105008

Error Message    %PIX|ASA-1-105008: (Primary) Testing interface interface_name.

Explanation    This is a failover message. This message is displayed when the tests a specified network interface. This testing is performed only if the security appliance fails to receive a message from the standby unit on that interface after the expected interval. (Primary) can also be listed as (Secondary) for the secondary unit.

Recommended Action    None required.

105009

Error Message    %PIX|ASA-1-105009: (Primary) Testing on interface interface_name 
{Passed|Failed}.

Explanation    This is a failover message. This message reports the result (either Passed or Failed) of a previous interface test. (Primary) can also be listed as (Secondary) for the secondary unit.

Recommended Action    None required if the result is Passed. If the result is Failed, you should check the network cable connection to both failover units, that the network itself is functioning correctly, and verify the status of the standby unit.

105010

Error Message    %PIX|ASA-3-105010: (Primary) Failover message block alloc failed

Explanation    Block memory was depleted. This is a transient message and the security appliance should recover. (Primary) can also be listed as (Secondary) for the secondary unit.

Recommended Action    Use the show blocks command to monitor the current block memory.

105011

Error Message    %PIX|ASA-1-105011: (Primary) Failover cable communication failure

Explanation    The failover cable is not permitting communication between the primary and secondary units. (Primary) can also be listed as (Secondary) for the secondary unit.

Recommended Action    Ensure that the cable is properly connected.

105020

Error Message    %PIX|ASA-1-105020: (Primary) Incomplete/slow config replication

Explanation    When a failover occurs, the active security appliance detects a partial configuration in memory. Normally, this is caused by an interruption in the replication service. (Primary) can also be listed as (Secondary) for the secondary unit.

Recommended Action    Once the failover is detected by the security appliance, the security appliance automatically reloads itself and loads configuration from Flash memory and/or resynchronizes with another security appliance. If failovers happen continuously, check the failover configuration and make sure both security appliance units can communicate with each other.

105021

Error Message    %PIX|ASA-1-105021: (failover_unit) Standby unit failed to sync due to 
a locked context_name config. Lock held by lock_owner_name

Explanation    During configuration synchronizing, a standby unit will reload itself if some other process locks the configuration for more than 5 minutes, which prevents the failover process from applying the new configuration. This can occur when an administrator pages through a running configuration on the standby unit while configuration synchronization is in process. See also the show running-config EXEC command and the pager lines num CONFIG command.

Recommended Action    Avoid viewing or modifying configuration on standby unit when it first comes up and is in the process of establishing a failover connection with the active unit.

105031

Error Message    %PIX|ASA-1-105031: Failover LAN interface is up

Explanation    LAN failover interface link is up.

Recommended Action    None required.

105032

Error Message    %PIX|ASA-1-105032: LAN Failover interface is down

Explanation    LAN failover interface link is down.

Recommended Action    Check the connectivity of the LAN failover interface. Make sure that the speed/duplex setting is correct.

105034

Error Message    %PIX|ASA-1-105034: Receive a LAN_FAILOVER_UP message from peer.

Explanation    The peer has just booted and sent the initial contact message.

Recommended Action    None required.

105035

Error Message    %PIX|ASA-1-105035: Receive a LAN failover interface down msg from peer.

Explanation    The peer LAN failover interface link is down. The unit switches to active mode if it is in standby mode.

Recommended Action    Check the connectivity of the peer LAN failover interface.

105036

Error Message    %PIX|ASA-1-105036: dropped a LAN Failover command message.

Explanation    The security appliance dropped an unacknowledged LAN failover command message, indicating a connectivity problem on the LAN failover interface.

Recommended Action    Check that the LAN interface cable is connected.

105037

Error Message    %PIX|ASA-1-105037: The primary and standby units are switching back 
and forth as the active unit.

Explanation    The primary and standby units are switching back and forth as the active unit, indicating a LAN failover connectivity problem or software bug.

Recommended Action    Check that the LAN interface cable is connected.

105038

Error Message    %PIX|ASA-1-105038: (Primary) Interface count mismatch

Explanation    When a failover occurs, the active security appliance detects a partial configuration in memory. Normally, this is caused by an interruption in the replication service. (Primary) can also be listed as (Secondary) for the secondary unit.

Recommended Action    Once the failover is detected by the security appliance, the security appliance automatically reloads itself and loads the configuration from Flash memory and/or resyncs with another security appliance. If failovers happen continuously, check the failover configuration and make sure that both security appliance units can communicate with each other.

105039

Error Message    %PIX|ASA-1-105039: (Primary) Unable to verify the Interface count with 
mate. Failover may be disabled in mate. 

Explanation    Failover initially verifies that the number of interfaces configured on the primary and secondary security appliances are the same. This message indicates that the primary security appliance is not able to verify the number of interfaces configured on the secondary security appliance. This message indicates that the primary security appliance is not able communicate with the secondary security appliance over the failover interface. (Primary) can also be listed as (Secondary) for the secondary security appliance.

Recommended Action    Verify the failover LAN, interface configuration, and status on the primary and secondary security appliances. Make sure that the secondary security appliance is running the security appliance application and that failover is enabled.

105040

Error Message    %PIX|ASA-1-105040: (Primary) Mate failover version is not compatible.

Explanation    The primary and secondary security appliance should run the same failover software version to act as a failover pair. This message indicates that the secondary security appliance failover software version is not compatible with the primary security appliance. Failover is disabled on the primary security appliance. (Primary) can also be listed as (Secondary) for the secondary security appliance.

Recommended Action    Maintain consistent software versions between the primary and secondary security appliances to enable failover.

105042

Error Message    %PIX|ASA-1-105042: (Primary) Failover interface OK 

Explanation    LAN failover interface link is up.

Explanation    The interface used to send failover messages to the secondary security appliance is functioning. (Primary) can also be listed as (Secondary) for the secondary security appliance.

Recommended Action    None required.

105043

Error Message    %PIX|ASA-1-105043: (Primary) Failover interface failed 

Explanation    LAN failover interface link is down.

Recommended Action    Check the connectivity of the LAN failover interface. Make sure that the speed/duplex setting is correct.

105044

Error Message    %PIX|ASA-1-105044: (Primary) Mate operational mode mode is not 
compatible with my mode mode.

Explanation    When the operational mode (single or multi) does not match between failover peers, failover will be disabled.

Recommended Action    Configure the failover peers to have the same operational mode, and then reenable failover.

105045

Error Message    %PIX|ASA-1-105045: (Primary) Mate license (number contexts) is not 
compatible with my license (number contexts).

Explanation    When the feature licenses do not match between failover peers, failover will be disabled.

Recommended Action    Configure the failover peers to have the same feature license, and then reenable failover.

105046

Error Message    %PIX|ASA-1-105046 (Primary|Secondary) Mate has a different chassis 

Explanation    This message is issued when two failover units have a different type of chassis. For example, one is a PIX, the other is an ASA-5520, or one has a 3-slot chassis, the other has a 6-slot chassis.

Recommended Action    Make sure that the two failover units are the same.

105047

Error Message    %PIX|ASA-1-105047: Mate has a io_card_name1 card in slot slot_number 
which is different from my io_card_name2

Explanation    The two failover units have different types of cards in their respective slots.

Recommended Action    Make sure that the card configurations for the failover units are the same.

105048

Error Message    %ASA-1-105048: (unit) Mate's service module (application) is different 
from mine (application)

Explanation    The failover process detected that different applications are running on the service modules in the active and standby units. The two failover units are incompatible if different service modules are used.

unit—Primary or secondary.

application—The name of the application, such as InterScan Security Card.

Recommended Action    Make sure that both units have identical service modules before trying to re-enable failover.

106001

Error Message    %PIX|ASA-2-106001: Inbound TCP connection denied from IP_address/port 
to IP_address/port flags tcp_flags on interface interface_name

Explanation    This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by the security policy that is defined for the specified traffic type. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the security appliance, and it was dropped. The tcp_flags in this packet are FIN and ACK.

The tcp_flags are as follows:

ACK—The acknowledgment number was received.

FIN—Data was sent.

PSH—The receiver passed data to the application.

RST—The connection was reset.

SYN—Sequence numbers were synchronized to start a connection.

URG—The urgent pointer was declared valid.

Recommended Action    None required.

106002

Error Message    %PIX|ASA-2-106002: protocol Connection denied by outbound list acl_ID 
src inside_address dest outside_address

Explanation    This is a connection-related message. This message is displayed if the specified connection fails because of an outbound deny command. The protocol variable can be ICMP, TCP, or UDP.

Recommended Action    Use the show outbound command to check outbound lists.

106006

Error Message    %PIX|ASA-2-106006: Deny inbound UDP from outside_address/outside_port 
to inside_address/inside_port on interface interface_name.

Explanation    This is a connection-related message. This message is displayed if an inbound UDP packet is denied by the security policy that is defined for the specified traffic type.

Recommended Action    None required.

106007

Error Message    %PIX|ASA-2-106007: Deny inbound UDP from outside_address/outside_port 
to inside_address/inside_port due to DNS {Response|Query}.

Explanation    This is a connection-related message. This message is displayed if a UDP packet containing a DNS query or response is denied.

Recommended Action    If the inside port number is 53, the inside host probably is set up as a caching name server. Add an access-list command statement to permit traffic on UDP port 53 and a translation entry for the inside host. If the outside port number is 53, a DNS server was probably too slow to respond, and the query was answered by another server.

106010

Error Message    %PIX|ASA-3-106010: Deny inbound protocol src 
interface_name:dest_address/dest_port dst 
interface_name:source_address/source_port

Explanation    This is a connection-related message. This message is displayed if an inbound connection is denied by your security policy.

Recommended Action    Modify the security policy if traffic should be permitted. If the message occurs at regular intervals, contact the remote peer administrator.

106011

Error Message    %PIX|ASA-3-106011: Deny inbound (No xlate) string

Explanation    The message will appear under normal traffic conditions if there are internal users that are accessing the Internet through a web browser. Any time a connection is reset, when the host at the end of the connection sends a packet after the security appliance receives the reset, this message will appear. It can typically be ignored.

Recommended Action    Prevent this syslog message from getting logged to the syslog server by entering the no logging message 106011 command.

106012

Error Message    %PIX|ASA-6-106012: Deny IP from IP_address to IP_address, IP options hex.

Explanation    This is a packet integrity check message. An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.

Recommended Action    Contact the remote host system administrator to determine the problem. Check the local site for loose source routing or strict source routing.

106013

Error Message    %PIX|ASA-2-106013: Dropping echo request from IP_address to PAT address 
IP_address

Explanation    The security appliance discarded an inbound ICMP Echo Request packet with a destination address that corresponds to a PAT global address. The inbound packet is discarded because it cannot specify which PAT host should receive the packet.

Recommended Action    None required.

106014

Error Message    %PIX|ASA-3-106014: Deny inbound icmp src interface_name: IP_address dst 
interface_name: IP_address (type dec, code dec) 

Explanation    The security appliance denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted.

Recommended Action    None required.

106015

Error Message    %PIX|ASA-6-106015: Deny TCP (no connection) from IP_address/port to 
IP_address/port flags tcp_flags on interface interface_name.

Explanation    The security appliance discarded a TCP packet that has no associated connection in the security appliance connection table. The security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the security appliance discards the packet.

Recommended Action    None required unless the security appliance receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.

106016

Error Message    %PIX|ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on 
interface interface_name.

Explanation    This message is generated when a packet arrives at the security appliance interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the security appliance interface. In addition, this message is generated when the security appliance discarded a packet with an invalid source address, which may include one of the following or some other invalid address:

Loopback network (127.0.0.0)

Broadcast  (limited, net-directed, subnet-directed, and all-subnets-directed)

The destination host (land.c)

To further enhance spoof packet detection, use the icmp command to configure the security appliance to discard packets with source addresses belonging to the internal network, because the access-list command has been deprecated and is no longer guaranteed to work correctly.

Recommended Action    Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.

106017

Error Message    %PIX|ASA-2-106017: Deny IP due to Land Attack from IP_address to 
IP_address

Explanation    The security appliance received a packet with the IP source address equal to the IP destination, and the destination port equal to the source port. This message indicates a spoofed packet that is designed to attack systems. This attack is referred to as a Land Attack.

Recommended Action    If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.

106018

Error Message    %PIX|ASA-2-106018: ICMP packet type ICMP_type denied by outbound list 
acl_ID src inside_address dest outside_address

Explanation    The outgoing ICMP packet with the specified ICMP from local host (inside_address) to the foreign host (outside_address) was denied by the outbound ACL list.

Recommended Action    None required.

106020

Error Message    %PIX|ASA-2-106020: Deny IP teardrop fragment (size = number, offset = 
number) from IP_address to IP_address

Explanation    The security appliance discarded an IP packet with a teardrop signature containing either a small offset or fragment overlapping. This is a hostile event that circumvents the security appliance or an Intrusion Detection System.

Recommended Action    Contact the remote peer administrator or escalate this issue according to your security policy.

106021

Error Message    %PIX|ASA-1-106021: Deny protocol reverse path check from 
source_address to dest_address on interface interface_name

Explanation    An attack is in progress. Someone is attempting to spoof an IP address on an inbound connection. Unicast RPF, also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your security appliance.

This message appears when you have enabled Unicast RPF with the ip verify reverse-path command. This feature works on packets input to an interface; if it is configured on the outside, then the security appliance checks packets arriving from the outside.

The security appliance looks up a route based on the source_address. If an entry is not found and a route is not defined, then this syslog message appears and the connection is dropped.

If there is a route, the security appliance checks which interface it corresponds to. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination. The security appliance does not support asymmetric routing.

If the security appliance is configured on an internal interface, it checks static route command statements or RIP, and if the source_address is not found, then an internal user is spoofing their address.

Recommended Action    Even though an attack is in progress, if this feature is enabled, no user action is required. The security appliance repels the attack.

106022

Error Message    %PIX|ASA-1-106022: Deny protocol connection spoof from source_address 
to dest_address on interface interface_name

Explanation    A packet matching a connection arrives on a different interface from the interface that the connection began on.

For example, if a user starts a connection on the inside interface, but the security appliance detects the same connection arriving on a perimeter interface, the security appliance has more than one path to a destination. This is known as asymmetric routing and is not supported on the security appliance.

An attacker also might be attempting to append packets from one connection to another as a way to break into the security appliance. In either case, the security appliance displays this message and drops the connection.

Recommended Action    This message appears when the ip verify reverse-path command is not configured. Check that the routing is not asymmetric.

106023

Error Message    %PIX|ASA-4-106023: Deny protocol src 
[interface_name:source_address/source_port] dst 
interface_name:dest_address/dest_port [type {string}, code {code}] by 
access_group acl_ID

Explanation    A real IP packet was denied by the ACL. This message displays even if you do not have the log option enabled for an ACL.

Recommended Action    If messages persist from the same source address, messages might indicate a foot-printing or port-scanning attempt. Contact the remote host administrators.

106024

Error Message    %PIX|ASA-2-106024: Access rules memory exhausted

Explanation    The access list compilation process has run out of memory. All configuration information that has been added since the last successful access list was removed from the system, and the most recently compiled set of access lists will continue to be used.

Recommended Action    Access lists, AAA, ICMP, SSH, Telnet, and other rule types are stored and compiled as access list rule types. Remove some of these rule types so that others can be added.

106025, 106026

Error Message    %PIX|ASA-6-106025: Failed to determine the security context for the 
packet:sourceVlan:source_address dest_address source_port dest_port protocol
Error Message    %PIX|ASA-6-106026: Failed to determine the security context for the 
packet:sourceVlan:source_address dest_address source_port dest_port protocol

Explanation    The security context of the packet in multiple context mode cannot be determined. Both messages can be generated for IP packets being dropped in either router and transparent mode.

Recommended Action    None required.

106027

Error Message    %PIX|ASA-4-106027:Failed to determine the security context for the 
packet:vlansource Vlan#:ethertype src sourceMAC dst destMAC 

Explanation    The security context of the packet in multiple context mode cannot be determined. This message is generated for non-IP packets being dropped in transparent mode only.

Recommended Action    None required.

106100

Error Message    %PIX|ASA-6-106100: access-list acl_ID {permitted | denied | 
est-allowed} protocol interface_name/source_address(source_port) -> 
interface_name/dest_address(dest_port) hit-cnt number ({first hit | 
number-second interval}) hash codes

Explanation    This message is generated any time that a packet is seen that does not match an existing connection on the security appliance. The message indicates either the initial occurrence or the total number of occurrences during an interval. This message provides more information than message 106023, which only logs denied packets, and does not include the hit count or a configurable level.

When an access-list line has the log argument, it is expected that this syslog ID might be triggered because of a non-synchronized packet reaching the security appliance and being evaluated by the access-list. For example, if an ACK packet is received on the security appliance (for which no TCP connection exists in the connection table), the device might generate syslog 106100, indicating that the packet was permitted; however, the packet is later correctly dropped because of no matching connection.

The following list describes the message values:

Explanation    permitted | denied | est-allowed —These values specify if the packet was permitted or denied by the ACL. If the value is est-allowed, the packet was denied by the ACL but was allowed for an already established session (for example, an internal user is allowed to accesss the Internet, and responding packets that would normally be denied by the ACL are accepted).

protocol—TCP, UDP, ICMP, or an IP protocol number.

interface_name—The interface name for the source or destination of the logged flow. The VLAN interfaces are supported.

source_address—The source IP address of the logged flow.

dest_address—The destination IP address of the logged flow.

source_port—The source port of the logged flow (TCP or UDP). For ICMP, this field is 0.

dest_port—The destination port of the logged flow (TCP or UDP). For ICMP, this field is src_addr.

hit-cnt number—The number of times this flow was permitted or denied by this ACL entry in the configured time interval. The value is 1 when the security appliance generates the first syslog message for this flow.

first hit—The first message generated for this flow.

number-second interval—The interval in which the hit count is accumulated. Set this interval using the access-list command with the interval option.

hash codes—Two are always printed for the object group ACE and the constituent regular ACE. Values are determined on which ACE that the packet hit. To display these hash codes, enter the show-access list command.

Recommended Action    None required.

106101

Error Message    %PIX|ASA-1-106101 The number of ACL log deny-flows has reached limit 
(number).

Explanation    If you configured the log option for an ACL deny statement (access-list id deny command), and a traffic flow matches the ACL statement, the security appliance caches the flow information. This message indicates that the number of matching flows that are cached on the security appliance exceeds the user-configured limit (using the access-list deny-flow-max command).

The number value is the limit configured using the access-list deny-flow-max command.

Recommended Action    None required. This message might be generated as a result of a DoS attack.

106102

Error Message    %ASA-6-106102: access-list acl_ID {permitted|denied} protocol 
interface_name/source_address source_port interface_name/dest_address dest_port 
hit-cnt number {first hit|number-second interval}

Explanation    This message indicates that a packet was either permitted or denied by an access list that is applied through a VPN filter.

Recommended Action    None required.

107001

Error Message    %PIX|ASA-1-107001: RIP auth failed from IP_address: version=number, 
type=string, mode=string, sequence=number on interface interface_name

Explanation    This is an alert log message. The security appliance received a RIP reply message with bad authentication. This message might be caused by a misconfiguration on the router or the security appliance or by an unsuccessful attempt to attack the routing table of the security appliance.

Recommended Action    This message indicates a possible attack and should be monitored. If you are not familiar with the source IP address listed in this message, change your RIP authentication keys between trusted entities. An attacker might be trying to determine the existing keys.

107002

Error Message    %PIX|ASA-1-107002: RIP pkt failed from IP_address: version=number on 
interface interface_name

Explanation    This is an alert log message. This message could be caused by a router bug, a packet with non-RFC values inside, or a malformed entry. This should not happen, and may be an attempt to exploit routing table of the security appliance.

Recommended Action    This message indicates a possible attack and should be monitored. The packet has passed authentication, if enabled, and bad data is in the packet. Monitor the situation and change the keys if there are any doubts about the originator of the packet.

107003

Error Message    %PIX-3-107003: RIP: Attempted reference of stale data encountered in 
function, line: line_num

Explanation    This syslog message is generated when RIP is running and tries to reference some related data structures that have been removed elsewhere. Clearing the interface and router configurations might correct the problem. However, when this syslog message appears, it is an indication that some sequence of steps caused premature deletion of data structures and that should be investigated.

function: The function that received the unexpected event.

line_num: The line number in the code.

Recommended Action    Copy the error message exactly as it appears, and report it to Cisco TAC.

108002

Error Message    %PIX|ASA-2-108002: SMTP replaced string: out source_address in 
inside_address data: string

Explanation    This is a Mail Guard (SMTP) message generated by the inspect esmtp command. This message is displayed if the security appliance replaces an invalid character in an e-mail address with a space.

Recommended Action    None required.

108003

Error Message    %PIX|ASA-2-108003: Terminating ESMTP/SMTP connection; malicious 
pattern detected in the mail address from 
source_interface:source_address/source_port to 
dest_interface:dest_address/dset_port. Data:string

Explanation    This message is generated by Mail Guard (SMTP). This message is displayed if the security appliance detects malicious pattern in an e-mail address and drops the connection. This indicates an attack in progress.

Recommended Action    None required.

108004

Error Message    %PIX|ASA-4-108004: action_class: action ESMTP req_resp from 
src_ifc:sip|sport to dest_ifc:dip|dport;further_info

Explanation    This event is generated when a ESMTP classification is performed on a ESMTP message and the specified criteria are satisfied. The configured action is taken.

action_class—The class of action: "ESMTP Classification" for ESMTP match commands; "ESMTP Parameter" for parameter commands.

action—action taken: "Dropped," "Dropped connection for," "Reset connection for," or "Masked header flags for"

req_resp—"Request" or "Response"

src_ifc—Source interface name

sip|sport—Source IP address or source port

dest_ifc—Destination interface name

dip|dport—Destination IP address or destination port

further info—One of the following:

For single match command: matched Class id: match_command (for example, matched Class 1234: match body length 100).

For parameter commands: parameter-command: descriptive-message (for example, mail-relay: No Mail Relay allowed).

Recommended Action    None required.

108005

Error Message    %PIX|ASA-6-108005: action_class: Received ESMTP req_resp from 
src_ifc:sip|sport to dest_ifc:dip|dport;further_info

Explanation    This event is generated when a ESMTP classification is performed on a ESMTP message and the specified criteria are satisfied. The standalone log action is taken.

action_class—The class of action: "ESMTP Classification" for ESMTP match commands; "ESMTP Parameter" for parameter commands.

req_resp—"Request" or "Response"

src_ifc—Source interface name

sip|sport—Source IP address or source port

dest_ifc—Destination interface name

dip|dport—Destination IP address or destination port

further info—One of the following:

For single match command: matched Class id: match_command (for example, matched Class 1234: match body length 100).

For parameter commands (commands under parameter section): parameter-command: descriptive-message (for example, mail-relay: No Mail Relay allowed).

Recommended Action    None required.

108006

Error Message    %PIX|ASA-7-108006: Detected ESMTP size violation from 
src_ifc:sip|sport to dest_ifc:dip|dport;declared size is: decl_size, actual size 
is act_size.

Explanation    This event is generated when an ESMTP message size exceeds the size declared in the RCPT command.

src_ifc—Source interface name

sip|sport—Source IP address or source port

dest_ifc—Destination interface name

dip|dport—Destination IP address or destination port

decl_size—Declared size

act_size—Actual size

Recommended Action    None required.

108007

Error Message    %ASA-6-108007: TLS started on ESMTP session between client client-side 
interface-name: client IP address/client port and server server-side 
interface-name: server IP address/server port

Explanation    This message indicates that on an ESMTP connection, the server has responded with a 220 reply code to the client STARTTLS command. The ESMTP inspection engine no longer inspects the traffic on this connection.

client-side interface-name—The name for the interface that faces the client side

client IP address—The IP address of the client

client port—The TCP port number for the client

server-side interface-name—The name for the interface that faces the server side

server IP address—The IP address of the server

server port—The TCP port number for the server

Recommended Action    Log and review the message. Check whether the ESMTP policy map associated with this connection has the following setting: "allow-tls action log." If not, contact the Cisco TAC.

109001

Error Message    %PIX|ASA-6-109001: Auth start for user user from 
inside_address/inside_port to outside_address/outside_port

Explanation    This is an authentication, authorization and accounting (AAA) message. This message is displayed if the security appliance is configured for AAA and detects an authentication request by the specified user.

Recommended Action    None required.

109002

Error Message    %PIX|ASA-6-109002: Auth from inside_address/inside_port to 
outside_address/outside_port failed (server IP_address failed) on interface 
interface_name.

Explanation    This is a AAA message. This message is displayed if an authentication request fails because the specified authentication server cannot be contacted by the module.

Recommended Action    Check that the authentication daemon is running on the specified authentication server.

109003

Error Message    %PIX|ASA-6-109003: Auth from inside_address to 
outside_address/outside_port failed (all servers failed) on interface 
interface_name, >, so marking all servers ACTIVE again.

Explanation    This is a AAA message. This message is displayed if no authentication server can be found.

Recommended Action    Ping the authentication servers from the security appliance. Make sure that the daemons are running.

109005

Error Message    %PIX|ASA-6-109005: Authentication succeeded for user user from 
inside_address/inside_port to outside_address/outside_port on interface 
interface_name.

Explanation    This is a AAA message. This message is displayed when the specified authentication request succeeds.

Recommended Action    None required.

109006

Error Message    %PIX|ASA-6-109006: Authentication failed for user user from 
inside_address/inside_port to outside_address/outside_port on interface 
interface_name.

Explanation    This is a AAA message. This message is displayed if the specified authentication request fails, possibly because of an incorrect password.

Recommended Action    None required.

109007

Error Message    %PIX|ASA-6-109007: Authorization permitted for user user from 
inside_address/inside_port to outside_address/outside_port on interface 
interface_name.

Explanation    This is a AAA message. This message is displayed when the specified authorization request succeeds.

Recommended Action    None required.

109008

Error Message    %PIX|ASA-6-109008: Authorization denied for user user from 
outside_address/outside_port to inside_address/ inside_port on interface 
interface_name. 

Explanation    This is a AAA message. This message is displayed if a user is not authorized to access the specified address, possibly because of an incorrect password.

Recommended Action    None required.

109010

Error Message    %PIX|ASA-3-109010: Auth from inside_address/inside_port to 
outside_address/outside_port failed (too many pending auths) on interface 
interface_name.

Explanation    This is a AAA message. This message is displayed if an authentication request cannot be processed because the server has too many requests pending.

Recommended Action    Check to see if the authentication server is too slow to respond to authentication requests. Enable the Flood Defender feature with the floodguard enable command.

109011

Error Message    %PIX|ASA-2-109011: Authen Session Start: user 'user', sid number

Explanation    An authentication session started between the host and the security appliance and has not yet completed.

Recommended Action    None required.

109012

Error Message    %PIX|ASA-5-109012: Authen Session End: user 'user', sid number, 
elapsed number seconds

Explanation    The authentication cache has timed out.  Users must reauthenticate on their next connection. You can change the duration of this timer with the timeout uauth command.

Recommended Action    None required.

109013

Error Message    %PIX|ASA-3-109013: User must authenticate before using this service

Explanation    The user must be authenticated before using the service.

Recommended Action    Authenticate using FTP, Telnet, or HTTP before using the service.

109014

Error Message    %PIX|ASA-7-109014: uauth_lookup_net fail for uauth_in()

Explanation    A request to authenticate did not have a corresponding request for authorization.

Recommended Action    Ensure that both the aaa authentication and aaa authorization command statements are included in the configuration.

109016

Error Message    %PIX|ASA-3-109016: Can't find authorization ACL acl_ID for user 'user'

Explanation    The access control list specified on the AAA server for this user does not exist on the security appliance. This error can occur if you configure the AAA server before you configure the security appliance. The Vender-Specific Attribute (VSA) on your AAA server might be one of the following values:

acl=acl_ID

shell:acl=acl_ID

ACS:CiscoSecured-Defined-ACL=acl_ID

Recommended Action    Add the ACL to the security appliance, making sure to use the same name specified on the AAA server.

109017

Error Message    %PIX|ASA-4-109017: User at IP_address exceeded auth proxy connection 
limit (max)

Explanation    A user has exceeded the user authentication proxy limit, and has opened too many connections to the proxy.

Recommended Action    Increase the proxy limit by entering the proxy-limit proxy_limit command, or ask the user to close unused connections. If the error persists, it may indicate a possible DoS attack.

109018

Error Message    %PIX|ASA-3-109018: Downloaded ACL acl_ID is empty

Explanation    The downloaded authorization access control list has no ACEs. This situation might be caused by misspelling the attribute string "ip:inacl#" or omitting the access-list command.

junk:junk# 1=permit tcp any any eq junk ip:inacl#1="

Recommended Action    Correct the ACL components that have the indicated error on the AAA server.

109019

Error Message    %PIX|ASA-3-109019: Downloaded ACL acl_ID has parsing error; ACE string

Explanation    An error is encountered during parsing the sequence number NNN in the attribute string ip:inacl#NNN= of a downloaded authorization access control list. The reasons include: - missing = - contains non-numeric, non-space characters between '#' and '=' - NNN is greater than 999999999.

ip:inacl# 1 permit tcp any any
ip:inacl# 1junk2=permit tcp any any
ip:inacl# 1000000000=permit tcp any any

Recommended Action    Correct the ACL element that has the indicated error on the AAA server.

109020

Error Message    %PIX|ASA-3-109020: Downloaded ACL has config error; ACE

Explanation    One of the components of the downloaded authorization access control list has a configuration error. The entire text of the element is included in the syslog message. This message is usually caused by an invalid access-list command statement.

Recommended Action    Correct the ACL component that has the indicated error on the AAA server.

109021

Error Message    %PIX|ASA-7-109021: Uauth null proxy error

Explanation    An internal User Authentication error has occurred.

Recommended Action    None required. However, if this error appears repeatedly, contact the Cisco TAC.

109022

Error Message    %PIX|ASA-4-109022: exceeded HTTPS proxy process limit

Explanation    For each HTTPS authentication, the security appliance dedicates a process to service the authentication request. When the number of concurrently running processes exceeds the system-imposed limit, the security appliance does not perform the authentication, and this message is displayed.

Recommended Action    None required.

109023

Error Message    %PIX|ASA-3-109023: User from source_address/source_port to 
dest_address/dest_port on interface outside_interface must authenticate before using this 
service.

Explanation    This is a AAA message. Based on the configured policies, you need to be authenticated before you can use this service port.

Recommended Action    Authenticate using Telnet, FTP, or HTTP before attempting to use the above service port.

109024

Error Message    %PIX|ASA-6-109024: Authorization denied from source_address/source_port 
to dest_address/dest_port (not authenticated) on interface interface_name using protocol

Explanation    This is a AAA message. This message is displayed if the security appliance is configured for AAA and a user attempted to make a TCP connection across the security appliance without prior authentication.

Recommended Action    None required.

109025

Error Message    %PIX|ASA-6-109025: Authorization denied (acl=acl_ID) for user 'user' 
from source_address/source_port to dest_address/dest_port on interface interface_name 
using protocol

Explanation    The access control list check failed. The check either matched a deny or did not match anything, such as an implicit deny. The connection was denied by the user access control list acl_ID, which was defined per the AAA authorization policy on Cisco Secure Access Control Server (ACS).

Recommended Action    None required.

109026

Error Message    %PIX|ASA-3-109026: [aaa protocol] Invalid reply digest received; 
shared server key may be mismatched.

Explanation    The response from the AAA server could not be validated. It is likely that the configured server key is incorrect. This event may be generated during transactions with RADIUS or TACACS+ servers.

Recommended Action    Verify that the server key, configured using the aaa-server command, is correct.

109027

Error Message    %PIX|ASA-4-109027: [aaa protocol] Unable to decipher response message 
Server = server_IP_address, User = user

Explanation    The response from the AAA server could not be validated. The configured server key is probably incorrect. This message may be displayed during transactions with RADIUS or TACACS+ servers. The server_IP_address is the IP address of the relevant AAA server. The user is the user name associated with the connection.

Recommended Action    Verify that the server key, configured using the aaa-server command, is correct.

109028

Error Message    %PIX|ASA-4-109028: aaa bypassed for same-security traffic from 
ingress_ interface:source_address/source_port to 
egress_interface:dest_address/dest_port

Explanation    AAA is being bypassed for same security traffic that matches a configured AAA rule. This can only occur when traffic passes between two interfaces that have the same configured security level, when the same security traffic is permitted, and if the AAA configuration uses the include or exclude syntax.

Recommended Action    None required.

109029

Error Message    %PIX|ASA-5-109029: Parsing downloaded ACL: string

Explanation    A syntax error was encountered while parsing an access list that was downloaded from a RADIUS server during user authentication.

string—An error message detailing the syntax error that prevented the access list from parsing correctly.

Recommended Action    Use the information presented in this message to identify and correct the syntax error in the access list definition within the RADIUS server configuration.

109030

Error Message    %PIX|ASA-4-109030: Autodetect ACL convert wildcard did not convert ACL 
access_list source | dest netmask netmask.

Explanation    This message is displayed when a dynamic ACL that is configured on a RADIUS server is not converted by the mechanism for automatically detecting wildcard netmasks. The problem occurs because this mechanism could not determine if the netmask is a wildcard or a normal netmask.

access_list—The access list that could not be converted

source—The source IP address.

dest—The destination IP address.

netmask—The subnet mask for the destination or source address in dotted-decimal notation.

Recommended Action    Check the access list netmask on the RADIUS server for wildcard configuration. If it is meant to be a wildcard, and if all access list netmasks on that server are wildcard then use the wildcard setting for acl-netmask-convert for the AAA server. Otherwise, change the netmask to a normal netmask or to a wildcard netmask that does not contain holes. In other words, where the netmask presents consecutive binary 1's. For example, 00000000.00000000.00011111.11111111 or hex 0.0.31.255. If the mask is meant to be normal and all access list netmasks on that server are normal then use the normal setting acl-netmask-convert for the AAA server.

109031

Error Message    %PIX|ASA-4-109031: NT Domain Authentication Failed: rejecting guest 
login for username. 

Explanation    This message is displayed when a user tries to authenticate to an NT Auth domain that was configured for guest account access and the username is not a valid username on the NT server. The connection is denied.

Recommended Action    If the user is a valid user add an account to the NT server. If the user is not allowed access, no action is required.

109032

Error Message    %PIX|ASA-3-109032: Unable to install ACL access_list, downloaded for user 
username; Error in ACE: ace.

Explanation    This message is displayed when an access control list is received from a RADIUS server during the authentication of a network user. The log event indicates a syntax error in one of the elements of the access list. When this occurs, the element is discarded but the rest of access list is still applied. The entire text of the malformed element is included in the message. Note that this condition does not result in an authentication failure.

access_list—The name assigned to the dynamic access list as it would appear in the output of the show access-list command.

username—The name of the user whose connection will be subject to this access list.

ace—The access list entry that was being processed when the error was detected.

Recommended Action    Correct the access list definition in the RADIUS server configuration.

109033

Error Message    %PIX|ASA-4-109033: Authentication failed for admin user user from 
src_IP. Interactive challenge processing is not supported for protocol connections

Explanation    AAA challenge processing was triggered during authentication of an administrative connection, but the security appliance cannot initiate interactive challenge processing with the client application. When this occurs, the authentication attempt will be rejected and the connection denied.

user—The name of the user being authenticated.

src_IP—The IP address of the client host.

protocol—The client connection protocol. Possible values: "SSH v1" or "administrative HTTP."

Recommended Action    Reconfigure AAA so that challenge processing does not occur for these connection types. This generally means to avoid authenticating these connection types to RSA SecurID servers or to any token-based AAA server via RADIUS.

109034

Error Message    %PIX|ASA-4-109034: Authentication failed for network user user from 
src_IP/port to dst_IP/port. Interactive challenge processing is not supported for 
protocol connections

Explanation    AAA challenge processing was triggered during authentication of a network connection, but the security appliance cannot initiate interactive challenge processing with the client application. When this occurs, the authentication attempt will be rejected and the connection denied.

user—The name of the user being authenticated.

src_IP/port—The IP address and port of the client host.

dst_IP/port—The IP address and port of the server to which the client is attempting to connect.

protocol—The client connection protocol. Possible value: "FTP."

Recommended Action    Reconfigure AAA so that challenge processing does not occur for these connection types. This generally means to avoid authenticating these connection types to RSA SecurID servers or to any token-based AAA server via RADIUS.

109035

Error Message    %ASA-3-109035: Exceeded maximum number (999) of DAP attribute 
instances for user string.

Explanation    The Dynamic Access Policy supports multiple values of the same attribute received from an AAA server. If the AAA server should send a response containing more than 999 values for the same attribute, then the ASA will treat this response message as being malformed and reject the authentication. This condition has only been seen in lab environments using specialized test tools. It is unlikely that the condition should occur in a real-world production network.

string—The username at login

Recommended Action    If this message is generated, it would be helpful to capture the authentication traffic between the ASA and AAA server using a protocol sniffer (such as WireShark) and forward the trace file to Cisco Engineering for analysis.

109036

Error Message    %ASA-3-109036: RADIUS Server has received a request from unconfigured 
ip address src_ip_addr, dropping the request.

Explanation    The local RADIUS Server is not configured to receive requests from the specified source. The local RADIUS Server accepts RADIUS requests only from the IP address using the radius-client-interface if_name [ip ip_address]key secret_key command. RADIUS requests from all other IP addresses are dropped. This message is rate-limited at 1 message every 10 seconds.

src_ip_addr—The source IP address of the originator of the RADIUS request

Recommended Action    Investigate who is generating such packets and why. Block the sender if it is not the wireless AP.

109037

Error Message    %ASA-6-109037: RADIUS Server has sent an Access Accept message to the 
client ip-address, user = username

Explanation    The RADIUS Server successfully authenticated a user according to the local database and sent a RADIUS Access-Accept message to the client.

ip-address—The IP address of the RADIUS client

username—The username received in the RADIUS Request message

Recommended Action    None required.

109038

Error Message    %ASA-6-109038: RADIUS Server has sent an Access Reject message to the 
client ip-address, user = username

Explanation    The RADIUS Server could not authenticate the user according to the local database and sent an Access-Reject message to the client.

ip-address—The IP address of the RADIUS client

username—The username received in the RADIUS Request message

Recommended Action    None required.

110002

Error Message    %PIX|ASA-6-110002: Failed to locate egress interface for protocol from 
src interface:src IP/src port to dest IP/dest port

Explanation    .An error occurred when the security appliance tried to find the interface through which to send the packet.

protocol—The protocol of the packet

src interface—The interface from which the packet was received

src IP—The source IP address of the packet

src port—The source port number

dest IP—The destination IP address of the packet

dest port—The destination port number

Recommended Action    Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.

110003

Error Message    %PIX|ASA-6-110003: Routing failed to locate next-hop for protocol from 
src interface:src IP/src port to dest interface:dest IP/dest port

Explanation    .An error occurred when the security appliance tried to find the next hop on an interface routing table.

protocol—The protocol of the packet

src interface—The interface from which the packet was received

src IP—The source IP address of the packet

src port—The source port number

dest IP—The destination IP address of the packet

dest port—The destination port number

Recommended Action    Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC. During debugging, use the show asp table routing command to view the routing table details.

111001

Error Message    %PIX|ASA-5-111001: Begin configuration: IP_address writing to device

Explanation    This message is displayed when you enter the write command to store your configuration on a device (either floppy, Flash memory, TFTP, the failover standby unit, or the console terminal). The IP_address indicates whether the login was made at the console port or with a Telnet connection.

Recommended Action    None required.

111002

Error Message    %PIX|ASA-5-111002: Begin configuration: IP_address reading from device

Explanation    This message is displayed when you enter the read command to read your configuration from a device (either floppy, Flash memory, TFTP, the failover standby unit, or the console terminal). The IP_address indicates whether the login was made at the console port or with a Telnet connection.

Recommended Action    None required.

111003

Error Message    %PIX|ASA-5-111003: IP_address Erase configuration

Explanation    This is a management message. This message is displayed when you erase the contents of Flash memory by entering the write erase command at the console. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.

Recommended Action    After erasing the configuration, reconfigure the security appliance and save the new configuration. Alternatively, you can restore information from a configuration that was previously saved, either on floppy or on a TFTP server elsewhere on the network.

111004

Error Message    %PIX|ASA-5-111004: IP_address end configuration: {FAILED|OK}

Explanation    This message is displayed when you enter the config floppy/memory/ network command or the write floppy/memory/network/standby command. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.

Recommended Action    None required if the message ends with OK. If the message indicates a failure, try to fix the problem. For example, if writing to a floppy disk, ensure that the floppy disk is not write protected; if writing to a TFTP server, ensure that the server is up.

111005

Error Message    %PIX|ASA-5-111005: IP_address end configuration: OK

Explanation    This message is displayed when you exit the configuration mode. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.

Recommended Action    None required.

111007

Error Message    %PIX|ASA-5-111007: Begin configuration: IP_address reading from device.

Explanation    This message is displayed when you enter the reload or configure command to read in a configuration. The device text can be floppy, memory, net, standby, or terminal. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.

Recommended Action    None required.

111008

Error Message    %PIX|ASA-5-111008: User user executed the command string

Explanation    The user entered any command, with the exception of a show command.

Recommended Action    None required.

111009

Error Message    %PIX|ASA-7-111009:User user executed cmd:string

Explanation    The user entered a command that does not modify the configuration. This message appears only for show commands.

Recommended Action    None required.

111010

Error Message    %ASA-5-111010: User username, running application-name from IP ip 
addr, executed cmd

Explanation    This message is generated whenever a user makes a configuration change.

username—The user making the configuration change

application-name—The application that the user is running

ip addr—The IP address of the management station

cmd—The command that the user has executed

Recommended Action    None required.

111111

Error Message    %PIX|ASA-1-111111 error_message 

Explanation    System or infrastructure error has occurred.

Recommended Action    If the problem persists, contact the Cisco TAC.

112001

Error Message    %PIX|ASA-2-112001: (string:dec) Clear complete.

Explanation    This message is displayed when a request to clear the module configuration is completed. The source file and line number are identified.

Recommended Action    None required.

113001

Error Message    %PIX|ASA-3-113001: Unable to open AAA session. Session limit [limit] 
reached.

Explanation    The AAA operation on an IPSec tunnel or WebVPN connection could not be performed because of the unavailability of system resources. The limit value indicates the maximum number of concurrent AAA transactions.

Recommended Action    Reduce the demand for AAA resources if possible.

113003

Error Message    %PIX|ASA-6-113003: AAA group policy for user user is being set to 
policy_name. 

Explanation    The group policy that is associated with the tunnel-group is being overridden with a user specific policy, policy_name. The policy_name is specified using the username command when LOCAL authentication is configured or is returned in the RADIUS CLASS attribute when RADIUS authentication is configured.

Recommended Action    None required.

113004

Error Message    %PIX|ASA-6-113004: AAA user aaa_type Successful: server = 
server_IP_address, User = user

Explanation    This is an indication that a AAA operation on an IPSec or WebVPN connection has been completed successfully. The AAA types are "authentication," "authorization," or "accounting." The server_IP_address is the IP address of the relevant AAA server. The user is the user name associated with the connection.

Recommended Action    None required.

113005

Error Message    %PIX|ASA-6-113005: AAA user authentication Rejected: reason = string: 
server = server_IP_address, User = user

Explanation    This is an indication that either an authentication or authorization request for a user associated with an IPSec or WebVPN connection has been rejected. Details of why the request was rejected are provided in the reason field. server_IP_address is the IP address of the relevant AAA server. user is the user name associated with the connection. aaa_operation is either authentication or authorization.

Recommended Action    None required.

113006

Error Message    %PIX|ASA-6-113006: User user locked out on exceeding number successive 
failed authentication attempts

Explanation    A locally configured user is being locked out. This happens when a configured number of consecutive authentication failures have occurred for this user and indicates that all future authentication attempts by this user will be rejected until an administrator unlocks the user using the clear aaa local user lockout command. user is the user that is now locked and number is the consecutive failure threshold configured with the aaa local authentication attempts max-fail command.

Recommended Action    Try unlocking the user using the clear_aaa_local_user_lockout command or adjusting the maximum number of consecutive authentication failures that are tolerated.

113007

Error Message    %PIX|ASA-6-113007: User user unlocked by administrator

Explanation    A locally configured user that was locked out after exceeding the maximum number of consecutive authentication failures set by the aaa local authentication attempts max-fail command has been unlocked by the indicated administrator.

Recommended Action    None required.

113008

Error Message    %PIX|ASA-6-113008: AAA transaction status ACCEPT: user = user

Explanation    The AAA transaction for a user associated with an IPSec or WebVPN connection was completed successfully. The user is the username associated with the connection.

Recommended Action    None required.

113009

Error Message    %PIX|ASA-6-113009: AAA retrieved default group policy policy for user 
user

Explanation    This message may be generated during the authentication or authorization of an IPSec or WebVPN connection. The attributes of the group policy that were specified with the tunnel-group or webvpn commands have been retrieved.

Recommended Action    None required.

113010

Error Message    %PIX|ASA-6-113010: AAA challenge received for user user from server 
server_IP_address

Explanation    This message may be generated during the authentication of an IPSec connection when the authentication is done with a SecurID server. The user will be prompted to provide further information prior to being authenticated. server _IP_address is the IP address of the relevant AAA server. user is the username associated with the connection.

Recommended Action    None required.

113011

Error Message    %PIX|ASA-6-113011: AAA retrieved user specific group policy policy for 
user user

Explanation    This event may be generated during the authentication or authorization of an IPSec or WebVPN connection. The attributes of the group policy that was specified with the tunnel-group or webvpn commands have been retrieved.

Recommended Action    None required.

113012

Error Message    %PIX|ASA-6-113012: AAA user authentication Successful: local database: 
user = user

Explanation    The user associated with a IPSec or WebVPN connection has been successfully authenticated to the local user database. user is the username associated with the connection.

Recommended Action    None required.

113013

Error Message    %PIX|ASA-6-113013: AAA unable to complete the request Error: reason = 
reason: user = user

Explanation    The AAA transaction for a user associated with an IPSec or WebVPN connection has failed due to an error or has been rejected due to a policy violation. Details are provided in the reason field. user is the username associated with the connection.

Recommended Action    None required.

113014

Error Message    %PIX|ASA-6-113014: AAA authentication server not accessible: server = 
server_IP_address: user = user

Explanation    The device was unable to communicate with the configured AAA server during the AAA transaction associated with an IPSec or WebVPN connection. This may or may not result in a failure of the user connection attempt depending on the backup servers configured in the aaa-server group and the availability of those servers.

Recommended Action    Verify connectivity with the configured AAA servers.

113015

Error Message    %PIX|ASA-6-113015: AAA user authentication Rejected: reason = reason: 
local database: user = user

Explanation    A request for authentication to the local user database for a user associated with an IPSec or WebVPN connection has been rejected. Details of why the request was rejected are provided in the reason field. user is the username associated with the connection.

Recommended Action    None required.

113016

Error Message    %PIX|ASA-6-113016: AAA credentials rejected: reason = reason: server = 
server_IP_address: user = user

Explanation    The AAA transaction for a user associated with an IPSec or WebVPN connection has failed due to an error or rejected due to a policy violation. Details are provided in the reason field. server_IP_address is the IP address of the relevant AAA server. user is the username associated with the connection.

Recommended Action    None required.

113017

Error Message    %PIX|ASA-6-113017: AAA credentials rejected: reason = reason: local 
database: user = user\

Explanation    This is an indication that the AAA transaction for a user associated with an IPSec or WebVPN connection has failed due to an error or rejected due to a policy violation. Details are provided in the reason field. This event only appears when the AAA transaction is with the local user database rather than with an external AAA server. user is the username associated with the connection.

Recommended Action    None required.

113018

Error Message    %PIX|ASA-3-113018: User: user, Unsupported downloaded ACL Entry: 
ACL_entry, Action: action

Explanation    An ACL entry in unsupported format was downloaded from the authentication server.The following list describes the message values:

user—User trying to login.

ACL_entry—Unsupported ACL entry downloaded from the authentication server.

action—Action taken on encountering the unsupported ACL Entry.

Recommended Action    The ACL entry on the authentication server has to be changed appropriately by the administrator to conform with the supported ACL entry formats.

113019

Error Message    %PIX|ASA-auth-4-113019: Group = group, Username = username, IP = 
peer_address, Session disconnected. Session Type: type, Duration: duration, 
Bytes xmt: count, Bytes rcv: count, Reason: reason

Explanation    This is an informational message that indicates when and why the longest idle user is disconnected.

group—Group name

username—Username

peer_address—Peer address

type—Session type (for example, IPSec/UDP)

duration—Connection duration in hours, minutes, and seconds

count—Number of bytes

reason—Reason for disconnection

Port Preempted. This reason indicates that the allowed number of simultaneous (same user) logins has been exceeded. To resolve this problem, increase the number of simultaneous logins or have users only log in once with a given username and password.

Recommended Action    None required.

113020

Error Message    %PIX|ASA-3-113020: Kerberos error: Clock skew with server ip_address 
greater than 300 seconds

Explanation    This message is displayed when authentication for an IPSec or WebVPN user through a Kerberos server fails because the clocks on the security appliance and the server are more than five minutes (300 seconds) apart. When this occurs, the connection attempt is rejected.

ip_address—The IP address of the Kerberos server.

Recommended Action    Synchronize the clocks on the security appliance and the Kerberos server.

113021

Error Message    %ASA-3-113021: Attempted console login failed. User username did NOT 
have appropriate Admin Rights. 

Explanation    A user has attempted access to the management console and was denied.

username—The user name entered by the user.

Recommended Action    If the user is a newly added Admin Rights user, check that the service-type (LOCAL or RADIUS authentication server) for that user is set to allow access:

nas-prompt - Allows login to the console and exec privileges at the required level, but not enable (configuration modification) access.

admin - Allows all access and can be further constrained by command privilege.

Otherwise, the user is inappropriately attempting to access the management console; the action to be taken should be consistent with company policy for these matters.

113022

Error Message    %ASA-2-113022: AAA Marking RADIUS server server_name in aaa-server 
group AAA-Using-DNS as FAILED

Explanation    This syslog message indicates that the security appliance has tried an authentication, authorization, or accounting request to the AAA server and did not receive a response within the configured timeout window. The AAA server will be marked as "failed" and has been removed from service.

Recommended Action    Verify that the AAA server is online and is accessible from the security appliance.

113023

Error Message    %ASA-2-113023: AAA Marking protocol server ip-addr in server group tag 
as ACTIVE

Explanation    This syslog message indicates that the security appliance has reactivated the AAA server that was previously marked as "failed." The AAA server is now available to service AAA requests.

protocol—The type of authentication protocol, which can be one of the following:

- RADIUS

- TACACS+

- NT

- RSA SecurID

- Kerberos

- LDAP

ip-addr—The IP address of the AAA server

tag—The server group name

Recommended Action    None required.

113024

Error Message    %ASA-5-113024: Group tg: Authenticating type connection from ip with 
username, user_name, from client certificate

Explanation    This message is generated when the pre-fill username feature overrides the username with one derived from the client certificate for use in AAA.

tg—The tunnel group

type—The type of connection (ssl-client or clientless)

ip—The IP address of the connecting user

user_name—The name extracted from the client certificate for use in AAA

Recommended Action    None required.

113025

Error Message    %ASA-5-113025: Group tg: FAILED to extract username from certificate 
while authenticating type connection from ip

Explanation    This message indicates that a username could not be successfully extracted from the certificate for use in AAA.

tg—The tunnel group

type—The type of connection (SSL client or clientless)

ip—The IP address of the connecting user

Recommended Action    The administrator should check that the authentication aaa certificate, ssl certificate-authentication, and authorization-dn-attributes keywords are all set correctly.

114001

Error Message    %ASA-1-114001: Failed to initialize 4GE SSM I/O card (error 
error_string).

Explanation    This message is displayed when the system fails to initialize a 4GE SSM I/O card due to an I2C error or a switch initialization error.

syslog_id—Message identifier

error_string—Describes either an I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

I2C_BUS_TRANSACTION_ERROR

I2C_CHKSUM_ERROR

I2C_TIMEOUT_ERROR

I2C_BUS_COLLISION_ERROR

I2C_HOST_BUSY_ERROR

I2C_UNPOPULATED_ERROR

I2C_SMBUS_UNSUPPORT

I2C_BYTE_COUNT_ERROR

I2C_DATA_PTR_ERROR

Recommended Action    Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the system.

3. Power cycle the box. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114002

Error Message    %ASA-1-114002: Failed to initialize SFP in 4GE SSM I/O card (error 
error_string).

This message is displayed when the system fails to initialize an SFP connector in an 4GE SSM I/O card due to an I2C error or a switch initialization error.

syslog_id—Message identifier

error_string—Describes either an I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

I2C_BUS_TRANSACTION_ERROR

I2C_CHKSUM_ERROR

I2C_TIMEOUT_ERROR

I2C_BUS_COLLISION_ERROR

I2C_HOST_BUSY_ERROR

I2C_UNPOPULATED_ERROR

I2C_SMBUS_UNSUPPORT

I2C_BYTE_COUNT_ERROR

I2C_DATA_PTR_ERROR

Recommended Action    Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the system.

3. Power cycle the box. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114003

Error Message    %ASA-1-114003: Failed to run cached commands in 4GE SSM I/O card (error 
error_string).

Explanation    This message is displayed when the system fails to run cached commands in an 4GE SSM I/O card due to an I2C error or a switch initialization error.

syslog_id—Message identifier

error_string—Describes either an I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

I2C_BUS_TRANSACTION_ERROR

I2C_CHKSUM_ERROR

I2C_TIMEOUT_ERROR

I2C_BUS_COLLISION_ERROR

I2C_HOST_BUSY_ERROR

I2C_UNPOPULATED_ERROR

I2C_SMBUS_UNSUPPORT

I2C_BYTE_COUNT_ERROR

I2C_DATA_PTR_ERROR

Recommended Action    Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the system.

3. Power cycle the box. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114004

Error Message    %ASA-6-114004: 4GE SSM I/O Initialization start.

Explanation    This message is displayed to notify the user that an 4GE SSM I/O Initialization is starting.

syslog_id—Message identifier

Recommended Action    No action is required.

114005

Error Message    %ASA-6-114005: 4GE SSM I/O Initialization end.

Explanation    This message is displayed to notify user that an 4GE SSM I/O Initialization is finished.

syslog_id—Message identifier

Recommended Action    No action is required.

114006

Error Message    %ASA-3-114006: Failed to get port statistics in 4GE SSM I/O card (error 
error_string).

Explanation    This message is displayed when the system fails to get port statistics in an 4GE SSM I/O card due to an I2C error or a switch initialization error.

syslog_id—Message identifier

error_string—Describes either an I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

I2C_BUS_TRANSACTION_ERROR

I2C_CHKSUM_ERROR

I2C_TIMEOUT_ERROR

I2C_BUS_COLLISION_ERROR

I2C_HOST_BUSY_ERROR

I2C_UNPOPULATED_ERROR

I2C_SMBUS_UNSUPPORT

I2C_BYTE_COUNT_ERROR

I2C_DATA_PTR_ERROR

Recommended Action    Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the system.

3. Power cycle the box. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114007

Error Message    %ASA-3-114007: Failed to get current msr in 4GE SSM I/O card (error 
error_string).

Explanation    This message is displayed when the system fails to get the current module status register information in an 4GE SSM I/O card due to an I2C error or a switch initialization error.

syslog_id—Message identifier

error_string—Describes either an I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

I2C_BUS_TRANSACTION_ERROR

I2C_CHKSUM_ERROR

I2C_TIMEOUT_ERROR

I2C_BUS_COLLISION_ERROR

I2C_HOST_BUSY_ERROR

I2C_UNPOPULATED_ERROR

I2C_SMBUS_UNSUPPORT

I2C_BYTE_COUNT_ERROR

I2C_DATA_PTR_ERROR

Recommended Action    Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the system.

3. Power cycle the box. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114008

Error Message    %ASA-3-114008: Failed to enable port after link is up in 4GE SSM I/O 
card due to either I2C serial bus access error or switch access error.

Explanation    This message is displayed when the system fails to enable a port after the link transition to Up state is detected in an 4GE SSM I/O card due to either an I2C serial bus access error or a switch access error.

syslog_id—Message identifier

error_string—Describes either an I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

I2C_BUS_TRANSACTION_ERROR

I2C_CHKSUM_ERROR

I2C_TIMEOUT_ERROR

I2C_BUS_COLLISION_ERROR

I2C_HOST_BUSY_ERROR

I2C_UNPOPULATED_ERROR

I2C_SMBUS_UNSUPPORT

I2C_BYTE_COUNT_ERROR

I2C_DATA_PTR_ERROR

Recommended Action    Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the system.

3. Power cycle the box. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114009

Error Message    %ASA-3-114009: Failed to set multicast address in 4GE SSM I/O card 
(error error_string).

Explanation    This message is displayed when the system fails to set the multicast address in an 4GE SSM I/O card due to an I2C error or a switch initialization error.

syslog_id—Message identifier

error_string—Describes either an I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

I2C_BUS_TRANSACTION_ERROR

I2C_CHKSUM_ERROR

I2C_TIMEOUT_ERROR

I2C_BUS_COLLISION_ERROR

I2C_HOST_BUSY_ERROR

I2C_UNPOPULATED_ERROR

I2C_SMBUS_UNSUPPORT

I2C_BYTE_COUNT_ERROR

I2C_DATA_PTR_ERROR

Recommended Action    Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the system.

3. Power cycle the box. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114010

Error Message    %ASA-3-114010: Failed to set multicast hardware address in 4GE SSM I/O 
card (error error_string).

Explanation    This message is displayed when the system fails to set the multicast hardware address in an 4GE SSM I/O card due to an I2C error or a switch initialization error.

syslog_id—Message identifier

error_string—Describes either an I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

I2C_BUS_TRANSACTION_ERROR

I2C_CHKSUM_ERROR

I2C_TIMEOUT_ERROR

I2C_BUS_COLLISION_ERROR

I2C_HOST_BUSY_ERROR

I2C_UNPOPULATED_ERROR

I2C_SMBUS_UNSUPPORT

I2C_BYTE_COUNT_ERROR

I2C_DATA_PTR_ERROR

I2C_DATA_PTR_ERROR

Recommended Action    Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the system.

3. Power cycle the box. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114011

Error Message    %ASA-3-114011: Failed to delete multicast address in 4GE SSM I/O card 
(error error_string).

syslog_id—Message identifier

error_string—Describes either an I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

I2C_BUS_TRANSACTION_ERROR

I2C_CHKSUM_ERROR

I2C_TIMEOUT_ERROR

I2C_BUS_COLLISION_ERROR

I2C_HOST_BUSY_ERROR

I2C_UNPOPULATED_ERROR

I2C_SMBUS_UNSUPPORT

I2C_BYTE_COUNT_ERROR

I2C_DATA_PTR_ERROR

Explanation    This message is displayed when the system fails to delete the multicast address in an 4GE SSM I/O card due to either an I2C error or a switch initialization error.

Recommended Action    Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the system.

3. Power cycle the box. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114012

Error Message    %ASA-3-114012: Failed to delete multicast hardware address in 4GE SSM 
I/O card (error error_string).

syslog_id—Message identifier

error_string—Describes either an I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

I2C_BUS_TRANSACTION_ERROR

I2C_CHKSUM_ERROR

I2C_TIMEOUT_ERROR

I2C_BUS_COLLISION_ERROR

I2C_HOST_BUSY_ERROR

I2C_UNPOPULATED_ERROR

I2C_SMBUS_UNSUPPORT

I2C_BYTE_COUNT_ERROR

I2C_DATA_PTR_ERROR

Explanation    This message is displayed when the system fails to delete the multicast hardware address in an 4GE SSM I/O card due to an I2C error or a switch initialization error.

Recommended Action    Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the system.

3. Power cycle the box. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114013

Error Message    %ASA-3-114013: Failed to set mac address table in 4GE SSM I/O card 
(error error_string).

Explanation    This message is displayed when the system fails to set the MAC address table in an 4GE SSM I/O card due to an I2C error or a switch initialization error.

syslog_id—Message identifier

error_string—Describes either an I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

I2C_BUS_TRANSACTION_ERROR

I2C_CHKSUM_ERROR

I2C_TIMEOUT_ERROR

I2C_BUS_COLLISION_ERROR

I2C_HOST_BUSY_ERROR

I2C_UNPOPULATED_ERROR

I2C_SMBUS_UNSUPPORT

I2C_BYTE_COUNT_ERROR

I2C_DATA_PTR_ERROR

Recommended Action    Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the system.

3. Power cycle the box. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114014

Error Message    %ASA-3-114014: Failed to set mac address in 4GE SSM I/O card (error 
error_string).

syslog_id—Message identifier

error_string—Describes either an I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

I2C_BUS_TRANSACTION_ERROR

I2C_CHKSUM_ERROR

I2C_TIMEOUT_ERROR

I2C_BUS_COLLISION_ERROR

I2C_HOST_BUSY_ERROR

I2C_UNPOPULATED_ERROR

I2C_SMBUS_UNSUPPORT

I2C_BYTE_COUNT_ERROR

I2C_DATA_PTR_ERROR

Explanation    This message is displayed when the system fails to set the MAC address in an 4GE SSM I/O card due to an I2C error or a switch initialization error.

Recommended Action    Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the system.

3. Power cycle the box. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114015

Error Message    %ASA-3-114015: Failed to set mode in 4GE SSM I/O card (error 
error_string).

syslog_id—Message identifier

error_string—Describes either an I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

I2C_BUS_TRANSACTION_ERROR

I2C_CHKSUM_ERROR

I2C_TIMEOUT_ERROR

I2C_BUS_COLLISION_ERROR

I2C_HOST_BUSY_ERROR

I2C_UNPOPULATED_ERROR

I2C_SMBUS_UNSUPPORT

I2C_BYTE_COUNT_ERROR

I2C_DATA_PTR_ERROR

Explanation    This message is displayed when the system fails to set individual/promiscuous mode in an 4GE SSM I/O card due to an I2C error or a switch initialization error.

Recommended Action    Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the system.

3. Power cycle the box. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114016

Error Message    %ASA-3-114016: Failed to set multicast mode in 4GE SSM I/O card (error 
error_string).

syslog_id—Message identifier

error_string—Describes either an I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

I2C_BUS_TRANSACTION_ERROR

I2C_CHKSUM_ERROR

I2C_TIMEOUT_ERROR

I2C_BUS_COLLISION_ERROR

I2C_HOST_BUSY_ERROR

I2C_UNPOPULATED_ERROR

I2C_SMBUS_UNSUPPORT

I2C_BYTE_COUNT_ERROR

I2C_DATA_PTR_ERROR

Explanation    This message is displayed when the system fails to set the multicast mode in an 4GE SSM I/O card due to an I2C error or a switch initialization error.

Recommended Action    Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the system.

3. Power cycle the box. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114017

Error Message    %ASA-3-114017: Failed to get link status in 4GE SSM I/O card (error 
error_string).

Explanation    This message is displayed when the system fails to get link status in an 4GE SSM I/O card due to either an I2C serial bus access error or a switch access error.

syslog_id—Message identifier

error_string—Describes either an I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

I2C_BUS_TRANSACTION_ERROR

I2C_CHKSUM_ERROR

I2C_TIMEOUT_ERROR

I2C_BUS_COLLISION_ERROR

I2C_HOST_BUSY_ERROR

I2C_UNPOPULATED_ERROR

I2C_SMBUS_UNSUPPORT

I2C_BYTE_COUNT_ERROR

I2C_DATA_PTR_ERROR

Recommended Action    Perform the following steps:

1. Notify the system administrator

2. Log and review the messages and the errors associated with the event.

3. Reboot the software running on the system.

4. Power cycle the box. When you turn off the power, make sure you wait several seconds before turning the power on.

5. If the problem persists, contact the Cisco TAC.

114018

Error Message    %ASA-3-114018: Failed to set port speed in 4GE SSM I/O card (error 
error_string).

Explanation    This message is displayed when the system fails to set the port speed in an 4GE SSM I/O card due to an I2C error or a switch initialization error.

syslog_id—Message identifier

error_string—Describes either an I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

I2C_BUS_TRANSACTION_ERROR

I2C_CHKSUM_ERROR

I2C_TIMEOUT_ERROR

I2C_BUS_COLLISION_ERROR

I2C_HOST_BUSY_ERROR

I2C_UNPOPULATED_ERROR

I2C_SMBUS_UNSUPPORT

I2C_BYTE_COUNT_ERROR

I2C_DATA_PTR_ERROR

Recommended Action    Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the system.

3. Power cycle the box. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114019

Error Message    %ASA-3-114019: Failed to set media type in 4GE SSM I/O card (error 
error_string).

Explanation    This message is displayed when the system fails to set the media type in an 4GE SSM I/O card due to an I2C error or a switch initialization error.

syslog_id—Message identifier

error_string—Describes either an I2C serial bus error or a switch access error, which is a decimal error code. The following are the I2C serial bus errors:

I2C_BUS_TRANSACTION_ERROR

I2C_CHKSUM_ERROR

I2C_TIMEOUT_ERROR

I2C_BUS_COLLISION_ERROR

I2C_HOST_BUSY_ERROR

I2C_UNPOPULATED_ERROR

I2C_SMBUS_UNSUPPORT

I2C_BYTE_COUNT_ERROR

I2C_DATA_PTR_ERROR

Recommended Action    Perform the following steps:

1. Log and review the messages and the errors associated with the event.

2. Reboot the software running on the system.

3. Power cycle the box. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

114020

Error Message    %ASA-3-114020: Port link speed is unknown in 4GE SSM I/O card.

Explanation    This message is displayed when the system cannot detect the port link speed in an 4GE SSM I/O card.

Recommended Action    Perform the following steps:

1. Log and review the messages associated with the event.

2. Reset the 4GE SSM I/O card and observe if the software automatically recovers from the event.

3. If the software does not recover automatically, power cycle the box. When you turn off the power, make sure you wait several seconds before you turn the power on.

4. If the problem persists, contact the Cisco TAC.

114021

Error Message    %PIX|ASA-3-114021: Failed to set multicast address table in 4GE SSM 
I/O card due to error.

Explanation    This message is displayed when the system fails to set the multicast address table in the 4GE SSM I/O card due to either I2C serial bus access error, or to switch access error.

error—describes either a switch access error (which will be a decimal error code), or an I2C serial bus error. Possible I2C serial bus errors include:

- I2C_BUS_TRANSACTION_ERROR

- I2C_CHKSUM_ERROR

- I2C_TIMEOUT_ERROR

- I2C_BUS_COLLISION_ERROR

- I2C_HOST_BUSY_ERROR

- I2C_UNPOPULATED_ERROR

- I2C_SMBUS_UNSUPPORT

- I2C_BYTE_COUNT_ERROR

- I2C_DATA_PTR_ERROR

Recommended Action    Perform the following steps:

1. Log and review the messages associated with the event.

2. Try to software reboot the box.

3. If the software does not recover automatically, power cycle the box. When you turn off the power, make sure you wait several seconds before you turn the power on.

4. If the problem persists, contact the Cisco TAC.

114022

Error Message    %ASA-3-114022: Failed to pass broadcast traffic in 4GE SSM I/O card 
due to error_string

Explanation    The security appliance failed to pass broadcast traffic in the 4GE SSM I/O card because of a switch access error.

error_string—A switch access error, which will be a decimal error code

Recommended Action    Perform the following steps:

1. Log the syslog message and errors surrounding the event.

2. Retrieve the ssm4ge_dump file from the compact flash, and send it to Cisco TAC.

3. Contact Cisco TAC with the information collected in Steps 1 and 2.


Note The 4GE SSM will be automatically reset and recover.


120001

Error Message    %ASA-5-120001: Smart Call Home Module was started.

Explanation    This message is generated when the Smart Call Home module is enabled and starts successfully after system bootup and failover in stable state. The module is ready to process Smart Call Home events.

Recommended Action    None required.

120002

Error Message    %ASA-5-120002: Smart Call Home Module was terminated.

Explanation    When the Smart Call Home module is disabled, it is terminated and this message is generated. You can only disable the Smart Call Home module through CLI commands or when the configuration is cleared. This message can result from an operation action or a failover configuration synchronization.

Recommended Action    None required.

120003

Error Message    %ASA-6-120003: Process event group `title'.

Explanation    This message is generated when the Smart Call Home module gets an event from the queue to process.

group—The event group, which can be inventory, configuration, diagnostic, syslog, environment, snapshot, telemetry, threat, or test.

title—The event title.

Recommended Action    None required.

120004

Error Message    %ASA-4-120004: Event group `title' was dropped. Reason `reason'.

Explanation    This message is generated when a Smart Call Home event is dropped. The event may be dropped because of an internal error, the event queue is full, or the Smart Call Home module is disabled after the message is generated, but before it can be processed.

group—The event group, which can be inventory, configuration, diagnostic, syslog, environment, snapshot, telemetry, threat, or test.

title—The event title

reason—The drop reason, which can be any of the following:

- NO_MEMORY

- BUFFER_TOO_SMALL

- INTERNAL_ERROR

- INTERRUPTED

- DISABLED

- INVALID_CONTEXT

- COMMAND_PARSE_ERROR

- QUEUE_FULL

- QUEUE_FAILED

Recommended Action    If the drop reason is QUEUE_FULL, increase the event queue size and the rate limit configuration to avoid event queue buildup. If the reason is INTERNAL_ERROR, turn on debugging by using the debug sch fail command to obtain more detailed debugging information.

120005

Error Message    %ASA-4-120005: Message group to `destination' was dropped. Reason 
`reason'.

Explanation    This message is generated when a Smart Call Home module message is dropped. The message may be dropped because of an internal error, a network error, or the Smart Call Home module is disabled after the message is generated, but before it can be delivered.

group—The event group, which can be inventory, configuration, diagnostic, syslog, environment, snapshot, telemetry, threat, or test.

destination—The e-mail or URL destination

reason—The drop reason, which can be any of the following:

- NO_MEMORY

- BUFFER_TOO_SMALL

- INTERNAL_ERROR

- INTERRUPTED

- INVALID_STATE

- INVALID_ADDRESS

- INVALID_URL

- INVALID_CONTEXT

- INVALID SLOT

- COMMAND_PARSE_ERROR

- QUEUE_FULL

- QUEUE_FAILED

- EXCEED_LIMIT

- INVALID_TYPE

- MISSING_REQUIRED_ATTRIBUTE

- INSUFFICIENT_REQUIRED_ELEMENT

- DUPLICATED_ELEMENT

- TOO_MANY_ELEMENTS

- INVALID_ELEMENT

- MISSING_REQUIRED_ELEMENT

- DUPLICATED_ATTRIBUTE

- INVALID_ATTRIBUTE

- INVALID_ID

- SOCKET_ERROR

- NO_ROUTE

- CONNECT_FAILED

- WRITE_FAILED

- READ_FAILED

- SMTP_COMMAND_FAILED

- HTTP_FAILED

- DELIVERY_FULL

Recommended Action    If the drop reason is DELIVERY_FULL, the message is dropped after three unsuccessful retransmissions, or because the error is local, such as no route to the destination. Search syslog message 120006 for the failure delivery reason, or turn on debugging by using the debug sch fail command to obtain detailed debugging information.

120006

Error Message    %ASA-4-120006: Delivering message group to `destination' failed. 
Reason: `reason'

Explanation    This error may be transient. This message is generated when an error occurred while the Smart Call Home module was trying to deliver a message. The message is not dropped; it may be queued for retransmission. The message is only dropped when syslog message 120005 is generated.

group—The event group, which can be inventory, configuration, diagnostic, syslog, environment, snapshot, telemetry, threat, or test.

destination—The e-mail or URL destination

reason—The failure reason

Recommended Action    Check the error reason in the syslog message. If the reason is NO_ROUTE, INVALID_ADDRESS, or INVALID_URL, check the system configuration, DNS, and name settings.

120007

Error Message    %ASA-6-120007: Message group to `destination' delivered.

Explanation    This message is generated when a Smart Call Home module message is successfully delivered.

group—The event group, which can be inventory, configuration, diagnostic, syslog, environment, snapshot, telemetry, threat, or test.

destination—The e-mail or URL destination

Recommended Action    None required.

120008

Error Message    %ASA-5-120008: SCH client `client' was activated.

Explanation    When the Smart Call Home module is enabled, an event group is enabled, and that group is subscribed to by at least one active profile, all clients of that group are activated and this message is generated.

client—The name of the Smart Call Home client.

Recommended Action    None required.

120009

Error Message    %ASA-5-120009: SCH client `client' was deactivated.

Explanation    When the Smart Call Home module is disabled, or an event group is no longer subscribed to by any active profile, all clients of that group are deactivated and this message is generated.

client—The name of the Smart Call Home client.

Recommended Action    None required.

120010

Error Message    %ASA-3-120010: Notify command command to SCH client `client' failed. 
Reason `reason'.

Explanation    This is usually an internal system error. The Smart Call Home module notifies Smart Call Home client of an event. If the client does not interpret the event correctly, does not understand the command, or cannot process the command, an error occurs and this message is generated.

command—One of the following three commands: ENABLE, DISABLE, READY.

client—The name of the Smart Call Home client.

reason—The failure reason.

Recommended Action    Turn on debugging by using the debug sch fail command to obtain more detailed error message information.

199001

Error Message    %PIX|ASA-5-199001: Reload command executed from telnet (remote 
IP_address).

Explanation    This message logs the address of the host that is initiating a security appliance reboot with the reload command.

Recommended Action    None required.

199002

Error Message    %PIX|ASA-6-199002: startup completed. Beginning operation.

Explanation    The security appliance finished its initial boot and the Flash memory reading sequence, and is ready to begin operating normally.


Note This message cannot be blocked by using the no logging message command.


Recommended Action    None required.

199003

Error Message    %PIX|ASA-6-199003: Reducing link MTU dec.

Explanation    The security appliance received a packet from the outside network that uses a larger MTU than the inside network. The security appliance then sent an ICMP message to the outside host to negotiate an appropriate MTU. The log message includes the sequence number of the ICMP message.

Recommended Action    None required.

199005

Error Message    %PIX|ASA-6-199005: Startup begin

Explanation    The security appliance started.

Recommended Action    None required.

199006

Error Message    %PIX-5-199006: Orderly reload started at when by whom. Reload reason: 
reason

Explanation    This message is generated when a reload operation is started.

when—The time at which orderly reload operation begins. The time is in the format of hh:mm:ss time zone day month date year, for example "13:23:45 UTC Sun Dec 28 2003."

whom—The user or system that scheduled the reload. The user or system is in the format of username from where, for example "enable_15 from ssh (remote 30.0.0.122)."

reason—The reload reason. String will be unspecified if a more complete reason is not displayed.

Recommended Action    No action is required from the user.

199007

Error Message    %PIX-5-199007: Reload scheduled for when by whom at 
when-command-issued. Reload reason: reason

Explanation    This message is generated when a reload operation is scheduled by using the in or at option of the reload command.

when—The time at which the reload operation should begin. The time is in the format of hh:mm:ss time zone day month date year, for example "13:23:45 UTC Sun Dec 28 2003."

whom—The user or system that scheduled the reload. The user or system is in the format of username from where, for example "enable_15 from ssh (remote 30.0.0.122)."

when-command-issued—The time that the reload command is issued. The time is in the format of hh:mm:ss time zone day month date year.

reason—The reload reason. String will be unspecified if a more complete reason is not displayed.

Recommended Action    No action is required from the user.

199008

Error Message    %PIX-5-199008: Scheduled reload for when-reload-is-supposed-to-happen 
cancelled by whom at when.

Explanation    This message is generated when a scheduled reload operation is cancelled.

when-reload-is-supposed-to-happen—The when the reload was supposed to happen. The time is in the format of hh:mm:ss timezone weekday month day year, for example "13:23:45 UTC Sun Dec 28 2003."

whom—The user or system that cancelled the reload. The user or system is in the format username from where, for example "enable_15 from ssh (remote 30.0.0.122."

when—The time at which the reload operation is cancelled. The time is in the format of hh:mm:ss timezone weekday month day year.

Recommended Action    No action is required from the user.

199009

Error Message    %PIX-7-199009: Reloaded at when by whom. Reload reason: reason

Explanation    This message is generated when a reload operation is started.

when—The time at which orderly reload operation begins. The time is in the format of hh:mm:ss timezone weekday month day year, for example "13:23:45 UTC Sun Dec 28 2003."

whom—The user or system that scheduled the reload. The user or system is in the format username from where, for example "enable_15 from ssh (remote 30.0.0.122."

reason—The reload reason. String will be unspecified if a more complete reason is not displayed.

Recommended Action    No action is required from the user.

199010

Error Message    %ASA-1-199010: Signal 11 caught in process/fiber(rtcli async executor 
process)/(rtcli async executor) at address 0xf132e03b, corrective action at 
0xca1961a0

Explanation    The crash recovery mechanism generates this message after a system has recovered from a serious error.

Recommended Action    Contact the Cisco TAC.

199011

Error Message    %ASA-2-199011: Close on bad channel in process/fiber process/fiber, 
channel ID p, channel state s process/fiber name of the process/fiber that caused 
the bad channel close operation.

Explanation    An unexpected channel close condition has been detected.

p—The channel ID.

process/fiber—The name of the process/fiber that caused the bad channel close operation.

s—The channel state.

Recommended Action    Contact Cisco TAC and attach a log file.

199012

Error Message    %ASA-1-1199012: Stack smash during new_stack_call in process/fiber 
process/fiber, call target f, stack size s, process/fiber name of the 
process/fiber that caused the stack smash

Explanation    A stack smash condition has been detected.

f—The target of the new_stack_call.

process/fiber—The name of the process/fiber that caused the stack smash.

s—The new stack size specified in new_stack_call.

Recommended Action    Contact Cisco TAC and attach a log file.

Messages 201002 to 219002

This section contains messages from 201002 to 219002.

201002

Error Message    %PIX|ASA-3-201002: Too many TCP connections on {static|xlate} 
global_address! econns nconns

Explanation    This is a connection-related message. This message is displayed when the maximum number of TCP connections to the specified global address was exceeded. The econns variable is the maximum number of embryonic connections and the nconns variable is the maximum number of connections permitted for the static or xlate.

Recommended Action    Use the show static or show nat command to check the limit imposed on connections to a static address. The limit is configurable.

201003

Error Message    %PIX|ASA-2-201003: Embryonic limit exceeded nconns/elimit for 
outside_address/outside_port (global_address) inside_address/inside_port on interface 
interface_name

Explanation    This is a connection-related message regarding traffic to the security appliance. This message is displayed when the number of embryonic connections from the specified foreign address with the specified static global address to the specified local address exceeds the embryonic limit. When the limit on embryonic connections to the security appliance is reached, the security appliance attempts to accept them anyway, but puts a time limit on the connections. This situation allows some connections to succeed even if the security appliance is very busy. The nconns variable lists the number of embryonic connections received and the elimit variable lists the maximum number of embryonic connections specified in the static or nat command.

Recommended Action    This message indicates a more serious overload than message 201002. It could be caused by a SYN attack, or by a very heavy load of legitimate traffic. Use the show static command to check the limit imposed on embryonic connections to a static address.

201004

Error Message    %PIX|ASA-3-201004: Too many UDP connections on {static|xlate} 
global_address! udp connections limit

Explanation    This is a connection-related message. This message is displayed when the maximum number of UDP connections to the specified global address was exceeded. The udp conn limit variable is the maximum number of UDP connections permitted for the static or translation.

Recommended Action    Use the show static or show nat command to check the limit imposed on connections to a static address. You can configure the limit.

201005

Error Message    %PIX|ASA-3-201005: FTP data connection failed for IP_address IP_address

Explanation    The security appliance could not allocate a structure to track the data connection for FTP because of insufficient memory.

Recommended Action    Reduce the amount of memory usage or purchase additional memory.

201006

Error Message    %PIX|ASA-3-201006: RCMD backconnection failed for IP_address/port.

Explanation    This is a connection-related message. This message is displayed if the security appliance is unable to preallocate connections for inbound standard output for rsh commands due to insufficient memory.

Recommended Action    Check the rsh client version; the security appliance only supports the Berkeley rsh. You can also reduce the amount of memory usage, or purchase additional memory.

201008

Error Message    %PIX|ASA-3-201008: The security appliance is disallowing new 
connections.

Explanation    This message appears when you have enabled TCP syslog messaging and the syslog server cannot be reached, or when using security appliance syslog server (PFSS) and the disk on the Windows NT system is full, or when the auto-update timeout is configured and the auto-update server is not reachable.

Recommended Action    Disable TCP syslog messaging. If using PFSS, free up space on the Windows NT system where PFSS resides. Also, make sure that the syslog server is up and you can ping the host from the security appliance console. Then restart TCP system message logging to allow traffic. If the Auto Update Server has not been contacted for a certain period of time, the following command will cause it to cease sending packets: [no] auto-update timeout period.

201009

Error Message    %PIX|ASA-3-201009: TCP connection limit of number for host IP_address 
on interface_name exceeded

Explanation    This is a connection-related message. This message is displayed when the maximum number of connections to the specified static address was exceeded. The number variable is the maximum of connections permitted for the host specified by the IP_address variable.

Recommended Action    Use the show static and show nat commands to check the limit imposed on connections to an address. The limit is configurable.

201010

Error Message    %PIX|ASA-3-201010: Embryonic connection limit exceeded econns/limit 
for dir packet from source_address/source_port to dest_address/dest_port on 
interface interface_name

Explanation    An attempt to establish a TCP connection failed due to an exceeded embryonic connection limit, which was configured with the set connection embryonic-conn-max MPC command for a traffic class.

econns—The current count of embryonic connections associated to the configured traffic class.

limit—The configured embryonic connection limit for the traffic class.

dir
input: The first packet that initiates the connection is an input packet on the interface interface_name.
output: The first packet that initiates the connection is an output packet on the interface interface_name.

source_address/source_port—The source real IP address and the source port of the packet initiating the connection.

dest_address/dest_port—The destination real IP address and the destination port of the packet initiating the connection.

interface_name—The name of the interface on which the policy limit is enforced.

Recommended Action    None required.

201011

Error Message    %PIX|ASA-3-201011: Connection limit exceeded cnt/limit for dir packet 
from sip/sport to dip/dport on interface if_name.

Explanation    A new connection through the firewall device resulted in exceeding at least one of the configured maximum connection limits. This message applies both to connection limits configured using a "static" command, or to those configured using Cisco Modular Policy Framework. The new connection will not be allowed through the firewall device until one of the existing connections are torn down thereby bringing the current connection count below the configured maximum.

cnt—Current connection count.

limit—Configured connection limit.

dir—Direction of traffic, inbound or outbound.

sip—Source real IP address.

sport—Source Port.

dip—Destination real IP address.

dport—Destination Port.

if_name—Name of the interface on which we received the traffic.

Recommended Action    None required.

201012

Error Message    %ASA-6-201012: Per-client embryonic connection limit exceeded curr 
num/limit for [input|output] packet from IP_address/ port to ip/port on interface 
interface_name

Explanation    An attempt to establish a TCP connection failed because the per-client embryonic connection limit was exceeded. By default, this message is rate limited to 1 message every 10 seconds.

curr num—The current number.

limit—The configured limit.

[input|output]—Input or output packet on interface interface_name.

IP_address—Real IP address.

port—TCP or UDP port.

interface_name—The name of the interface on which the policy is applied.

Recommended Action    When the limit is reached, any new connection request will be proxied by the security appliance to prevent a SYN flood attack. The security appliance will only connect to the server if the client is able to finish the three-way handshake. This usually does not affect the end user or the application. However, if this creates a problem for any application that has a legitimate need for a higher number of embryonic connections, you can adjust the setting by entering the set connection per-client-embryonic-max command.

201013

Error Message    %ASA-3-201013: Per-client connection limit exceeded curr num/limit for 
[input|output] packet from ip/port to ip/port on interface interface_name

Explanation    A connection was rejected because the per-client connection limit was exceeded.

curr num—The current number.

limit—The configured limit.

[input|output]—The input or output packet on interface interface_name.

IP_address—The real IP address.

port—The TCP or UDP port.

interface_name—The name of the interface on which the policy is applied.

Recommended Action    When the limit is reached any new connection request will be silently dropped. Normally an application will retry. This will cause delay or even a timeout if all retries also fail. If an application has a legitimate need for a higher number of concurrent connections, you can adjust the setting by entering the set connection per-client-max command.

202001

Error Message    %PIX|ASA-3-202001: Out of address translation slots!

Explanation    This is a connection-related message. This message is displayed if the security appliance has no more address translation slots available.

Recommended Action    Check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translates and connections. This error message could also be caused by insufficient memory; reduce the amount of memory usage, or purchase additional memory usage if possible.

202005

Error Message    %PIX|ASA-3-202005: Non-embryonic in embryonic list 
outside_address/outside_port inside_address/inside_port

Explanation    This is a connection-related message. This message is displayed when a connection object (xlate) is in the wrong list.

Recommended Action    Contact the Cisco TAC.

202011

Error Message    %PIX|ASA-3-202011: Connection limit exceeded econns/limit for dir packet 
from source_address/source_port to dest_address/dest_port on interface interface_name

Explanation    This message is displayed when an attempt to create a TCP or UDP connection fails due to an exceeded connection limit which is configured with the set connection conn-max MPC command for a traffic class.

econns—The current count of embryonic connections associated to the configured traffic class.

limit—The configured embryonic connection limit for the traffic class.

dir
input—The first packet that initiates the connection is an input packet on the interface interface_name.
output—The first packet that initiates the connection is an output packet on the interface interface_name.

source_address/source_port—The source IP address and the source port of the packet initiating the connection.

dest_address/dest_port—The destination IP address and the destination port of the packet initiating the connection.

interface_name—The name of the interface on which the policy limit is enforced.

Recommended Action    None required.

208005

Error Message    %PIX|ASA-3-208005: (function:line_num) clear command return code

Explanation    The security appliance received a nonzero value (an internal error) when attempting to clear the configuration in Flash memory. The message includes the reporting subroutine filename and line number.

Recommended Action    For performance reasons, the end host should be configured to not inject IP fragments. This configuration change is probably due to NFS. Set the read and write size equal to the interface MTU for NFS.

209003

Error Message    %PIX|ASA-4-209003: Fragment database limit of number exceeded: src = 
source_address, dest = dest_address, proto = protocol, id = number

Explanation    Too many IP fragments are currently awaiting reassembly. By default, the maximum number of fragments is 200 (refer to the fragment size command in the Cisco Security Appliance Command Reference to raise the maximum). The security appliance limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the security appliance under abnormal network conditions. In general, fragmented traffic should be a small percentage of the total traffic mix. An exception is in a network environment with NFS over UDP where a large percentage is fragmented traffic; if this type of traffic is relayed through the security appliance, consider using NFS over TCP instead. To prevent fragmentation, see the sysopt connection tcpmss bytes command in the Cisco Security Appliance Command Reference.

Recommended Action    If this message persists, a denial of service (DoS) attack might be in progress. Contact the remote peer administrator or upstream provider.

209004

Error Message    %PIX|ASA-4-209004: Invalid IP fragment, size = bytes exceeds maximum 
size = bytes: src = source_address, dest = dest_address, proto = protocol, id = number

Explanation    An IP fragment is malformed. The total size of the reassembled IP packet exceeds the maximum possible size of 65,535 bytes.

Recommended Action    A possible intrusion event may be in progress. If this message persists, contact the remote peer's administrator or upstream provider.

209005

Error Message    %PIX|ASA-4-209005: Discard IP fragment set with more than number 
elements: src = Too many elements are in a fragment set. 

Explanation    The security appliance disallows any IP packet that is fragmented into more than 24 fragments. Refer to the fragment command in the Cisco Security Appliance Command Reference for more information.

Recommended Action    A possible intrusion event may be in progress. If the message persists, contact the remote peer administrator or upstream provider. You can change the number of fragments per packet by using the fragment chain xxx interface_name command.

210001

Error Message    %PIX|ASA-3-210001: LU sw_module_name error = number

Explanation    A Stateful Failover error occurred.

Recommended Action    If this error persists after traffic lessens through the security appliance, report this error to Cisco TAC.

210002

Error Message    %PIX|ASA-3-210002: LU allocate block (bytes) failed.

Explanation    Stateful Failover could not allocate a block of memory to transmit stateful information to the standby security appliance.

Recommended Action    Check the failover interface using the show interface command to make sure its transmit is normal. Also check the current block memory using the show block command. If current available count is 0 within any of the blocks of memory, then reload the security appliance software to recover the lost blocks of memory.

210003

Error Message    %PIX|ASA-3-210003: Unknown LU Object number

Explanation    Stateful Failover received an unsupported Logical Update object and therefore was unable to process it. This could be caused by corrupted memory, LAN transmissions, and other events.

Recommended Action    If you see this error infrequently, then no action is required. If this error occurs frequently, check the Stateful Failover link LAN connection. If the error was not caused by a faulty failover link LAN connection, determine if an external user is trying to compromise the protected network. Check for misconfigured clients.

210005

Error Message    %PIX|ASA-3-210005: LU allocate connection failed

Explanation    Stateful Failover cannot allocate a new connection on the standby unit. This may be caused by little or no RAM memory available within the security appliance.

Recommended Action    Check the available memory using the show memory command to make sure that the security appliance has free memory in the system. If there is no available memory, add more physical memory to the security appliance.

210006

Error Message    %PIX|ASA-3-210006: LU look NAT for IP_address failed

Explanation    Stateful Failover was unable to locate a NAT group for the IP address on the standby unit. The active and standby security appliance units may be out of synchronization.

Recommended Action    Use the write standby command on the active unit to synchronize system memory with the standby unit.

210007

Error Message    %PIX|ASA-3-210007: LU allocate xlate failed

Explanation    Stateful Failover failed to allocate a translation (xlate) slot record.

Recommended Action    Check the available memory by using the show memory command to make sure that the security appliance has free memory in the system. If no memory is available, add more memory.

210008

Error Message    %PIX|ASA-3-210008: LU no xlate for inside_address/inside_port 
outside_address/outside_port

Explanation    Unable to find a translation slot (xlate) record for a Stateful Failover connection; unable to process the connection information.

Recommended Action    Enter the write standby command on the active unit to synchronize system memory between the active and standby units.

210010

Error Message    %PIX|ASA-3-210010: LU make UDP connection for outside_address:outside_port 
inside_address:inside_port failed

Explanation    Stateful Failover was unable to allocate a new record for a UDP connection.

Recommended Action    Check the available memory by using the show memory command to make sure that the security appliance has free memory in the system. If no memory is available, add more memory.

210011

Error Message    %PIX|ASA-3-210011: Connection limit exceeded cnt/limit for dir packet 
from sip/sport to dip/dport on interface if_name.

Explanation    This syslog message indicates that establishing a new connection through the security appliance will result in exceeding at least one of the configured maximum connection limits. The syslog message applies both for connection limits configured using a "static" command, or to those configured using Cisco Modular Policy Framework. The new connection will not be allowed through the security appliance until one of the existing connections are torn down, thereby bringing the current connection count below the configured maximum.

cnt—Current connection count

limit—Configured connection limit

dir—Direction of traffic, inbound or outbound

sip—Source IP address

sport—Source port

dip—Destination IP address

dport—Destination port

if_name—Name of the interface on which we received the traffic unit, either "Primary" or "Secondary."

Recommended Action    Because connection limits are configured for a good reason, this syslog message could indicate a possible DOS attack, in which case the source of the traffic could likely be a spoofed IP address. If the source IP address is not totally random, identifying the source and blocking it using an access-list might help. In other cases getting sniffer traces and analyzing the source of the traffic would help in isolating unwanted traffic from legitimate traffic.

210020

Error Message    %PIX|ASA-3-210020: LU PAT port port reserve failed

Explanation    Stateful Failover is unable to allocate a specific PAT address which is in use.

Recommended Action    Enter the write standby command on the active unit to synchronize system memory between the active and standby units.

210021

Error Message    %PIX|ASA-3-210021: LU create static xlate global_address ifc 
interface_name failed

Explanation    Stateful Failover is unable to create a translation slot (xlate).

Recommended Action    Enter the write standby command on the active unit to synchronize system memory between the active and standby units.

210022

Error Message    %PIX|ASA-6-210022: LU missed number updates

Explanation    Stateful Failover assigns a sequence number for each record sent to the standby unit. When a received record sequence number is out of sequence with the last updated record, the information in between is assumed lost and this error message is sent.

Recommended Action    Unless there are LAN interruptions, check the available memory on both security appliance units to ensure that there is enough memory to process the stateful information. Use the show failover command to monitor the quality of stateful information updates.

211001

Error Message    %PIX|ASA-3-211001: Memory allocation Error

Explanation    Failed to allocate RAM system memory.

Recommended Action    If this message occurs periodically, it can be ignored. If it repeats frequently, contact the Cisco TAC.

211003

Error Message    %PIX|ASA-3-211003: CPU utilization for number seconds = percent

Explanation    This message is displayed if the percentage of CPU usage is greater than 100 percent for the number of seconds.

Recommended Action    If this message occurs periodically, it can be ignored. If it repeats frequently, contact the Cisco TAC.

212001

Error Message    %PIX|ASA-3-212001: Unable to open SNMP channel (UDP port port) on 
interface interface_number, error code = code

Explanation    This is an SNMP message. This message reports that the security appliance is unable to receive SNMP requests destined for the security appliance from SNMP management stations located on this interface. This does not affect the SNMP traffic passing through the security appliance through any interface.

An error code of -1 indicates that the security appliance could not open the SNMP transport for the interface. This can occur when the user attempts to change the port on which SNMP accepts queries to one that is already in use by another feature. In this case, the port used by SNMP will be reset to the default port for incoming SNMP queries (UDP/161).

An error code of -2 indicates that the security appliance could not bind the SNMP transport for the interface.

Recommended Action    After the security appliance reclaims some of its resources when traffic is lighter, reenter the snmp-server host command for that interface.

212002

Error Message    %PIX|ASA-3-212002: Unable to open SNMP trap channel (UDP port port) on 
interface interface_number, error code = code

Explanation    This is an SNMP message. This message reports that the security appliance is unable to send its SNMP traps from the security appliance to SNMP management stations located on this interface. This does not affect the SNMP traffic passing through the security appliance through any interface.

An error code of -1 indicates that the security appliance could not open the SNMP trap transport for the interface.

An error code of -2 indicates that the security appliance could not bind the SNMP trap transport for the interface.

An error code of -3 indicates that the security appliance could not set the trap channel as write-only.

Recommended Action    After the security appliance reclaims some of its resources when traffic is lighter, reenter the snmp-server host command for that interface.

212003

Error Message    %PIX|ASA-3-212003: Unable to receive an SNMP request on interface 
interface_number, error code = code, will try again.

Explanation    This is an SNMP message. This message is displayed because of an internal error in receiving an SNMP request destined for the security appliance on the specified interface.

An error code of -1 indicates that the security appliance could not find a supported transport type for the interface.

An error code of -5 indicates that the security appliance received no data from the UDP channel for the interface.

An error code of -7 indicates that the security appliance received an incoming request that exceeded the supported buffer size.

An error code of -14 indicates that the security appliance was unable to determine the source IP address from the UDP channel.

An error code of -22 indicates that the security appliance received an invalid parameter.

Recommended Action    None required. The security appliance SNMP agent goes back to wait for the next SNMP request.

212004

Error Message    %PIX|ASA-3-212004: Unable to send an SNMP response to IP Address 
IP_address Port port interface interface_number, error code = code

Explanation    This is an SNMP message. This message is displayed because of an internal error in sending an SNMP response from the security appliance to the specified host on the specified interface.

An error code of -1 indicates that the security appliance could not find a supported transport type for the interface.

An error code of -2 indicates that the security appliance sent an invalid parameter.

An error code of -3 indicates that the security appliance was unable to set the destination IP address in the UDP channel.

An error code of -4 indicates that the security appliance sent a PDU length that exceeded the supported UDP segment size.

An error code of -5 indicates that the security appliance was unable to allocate a system block to construct the PDU.

Recommended Action    None required.

212005

Error Message    %PIX|ASA-3-212005: incoming SNMP request (number bytes) on interface 
interface_name exceeds data buffer size, discarding this SNMP request.

Explanation    This is an SNMP message. This message reports that the length of the incoming SNMP, request which is destined for the security appliance exceeds the size of the internal data buffer (512 bytes) used for storing the request during internal processing. The security appliance is unable to process this request. This situation does not affect the SNMP traffic passing through the security appliance using any interface.

Recommended Action    Have the SNMP management station resend the request with a shorter length. For example, instead of querying multiple MIB variables in one request, try querying only one MIB variable in a request. You may need to modify the configuration of the SNMP manager software.

212006

Error Message    %PIX|ASA-3-212006: Dropping SNMP request from source_address/source_port 
to interface_name:dest_address/dest_port because: reason.

Explanation    This is an SNMP message. This message is displayed if the device is unable to process a SNMP request to the device for the following reasons.

The snmp-server command is disabled.

SNMPv3 is not supported.

Recommended Action    Make sure that the SNMP daemon is entering by issuing the snmp-server enable command. Only SNMPv1 and SNMPv2c packets are handled by the device.

213001

Error Message    %PIX|ASA-3-213001: PPTP control daemon socket io string, errno = number.

Explanation    An internal TCP socket I/O error occurred.

Recommended Action    Contact the Cisco TAC.

213002

Error Message    %PIX|ASA-3-213002: PPTP tunnel hashtable insert failed, peer = 
IP_address.

Explanation    An internal software error occurred while creating a new PPTP tunnel.

Recommended Action    Contact the Cisco TAC.

213003

Error Message    %PIX|ASA-3-213003: PPP virtual interface interface_number isn't opened.

Explanation    An internal software error occurred while closing a PPP virtual interface.

Recommended Action    Contact the Cisco TAC.

213004

Error Message    %PIX|ASA-3-213004: PPP virtual interface interface_number client ip 
allocation failed.

Explanation    An internal software error occurred while allocating an IP address to the PPTP client.

Recommended Action    This error occurs when the IP local address pool was depleted. Consider allocating a larger pool with the ip local pool command.

213005

Error Message    %PIX|ASA-3-213005%: Dynamic-Access-Policy action (DAP) action aborted

Explanation    The Dynamic Access Policy created for this connection has determined that the session should be terminated.

Recommended Action    The Dynamic Access Policy is dynamically created by selecting configured access policies based on the authorization rights of the user and the posture assessment results of the remote endpoint device. The resulting dynamic policy indicates that the session should be terminated.

213006

Error Message    %PIX|ASA-3-21306%: Unable to read dynamic access policy record.

Explanation    There was either an error in retrieving the DAP policy record data or the action configuration was missing. There was an error reading the configured dynamic access policy record.

Recommended Action    A configuration change might have resulted in deleting a dynamic access policy record. Use ASDM to re-create the dynamic access policy record.

214001

Error Message    %PIX|ASA-2-214001: Terminating manager session from IP_address on 
interface interface_name. Reason: incoming encrypted data (number bytes) longer than 
number bytes

Explanation    An incoming encrypted data packet destined for the security appliance management port indicates a packet length exceeding the specified upper limit. This may be a hostile event. The security appliance immediately terminates this management connection.

Recommended Action    Ensure that the management connection was initiated by Cisco Secure Policy Manager.

215001

Error Message    %PIX|ASA-2-215001:Bad route_compress() call, sdb= number

Explanation    An internal software error occurred.

Recommended Action    Contact the Cisco TAC.

217001

Error Message    %PIX|ASA-2-217001: No memory for string in string

Explanation    An operation failed due to low memory.

Recommended Action    If sufficient memory exists, then copy the error message, the configuration, and any details about the events leading up the error to the Cisco TAC.

216001

Error Message    %ASA-n-216001: internal error in: function: message 

Explanation    This message reports a variety of internal errors that should not appear during normal operation. The severity level varies depending on the cause of the message.

n—The message severity.

function—The affected component.

message—A message describing the cause of the problem.

Recommended Action    Search the Bug Toolkit for the specific text message and also try to use the Output Interpreter to resolve the problem. If the problem persists, contact the Cisco TAC.

216002

Error Message    PIX|ASA-3-216002: Unexpected event (major: major_id, minor: minor_id) 
received by task_string in function at line: line_num 

Explanation    This message is displayed when a task registers for event notification and the task cannot handle the specific event. Events that can be watched include those associated with queues, booleans, timer services, and so forth. If any of the registered events occur, the scheduler wakes up the task to process the event. This message is generated if an unexpected event woke up the task and it does not know how to handle the event.

If an event is left unprocessed, it can wake up the task very often to make sure it is processed, but this should not occur under normal conditions. If This message is displayed, it does not necessarily mean the box is unusable, but something unusual has occurred and needs to be investigated.

major_id—Event identifier

minor_id— Event identifier

task_string—Custom string passed by the task to identify itself

function—The function that received the unexpected event

line_num —Line number in the code

Recommended Action    If the problem persists, contact the Cisco TAC.

216003

Error Message    %PIX|ASA-3-216003: Unrecognized timer timer_ptr, timer_id received by 
task_string in function at line: line_num 

Explanation    This message is displayed when an unexpected timer event woke up the task and the task does not know how to handle the event. A task can register a set of timer services with the scheduler. If any of the timers expire, the scheduler wakes up the task to take action. This message is generated if the task is woken up by an unrecognized timer event.

An expired timer, if left unprocessed, wakes up the task continuously to make sure it is processed, and this is undesirable. This should not occur under normal conditions. If This message is displayed, it does not necessarily mean the box is unusable, but something unusual has occurred and needs to be investigated.

timer_ptr—Pointer to the timer

timer_id—Timer identifier

task_string—Custom string passed by the task to identify itself

function—The function that received the unexpected event

line_num—Line number in the code

Recommended Action    If the problem persists, contact the Cisco TAC.

216004

Error Message    %PIX|ASA-4-216004:prevented: error in function at file(line) - stack 
trace

Explanation    This syslog message reports an internal logic error, and should not occur during normal operation.

error—internal logic error. Possible errors include the following:

Exception

Dereferencing null pointer

Array index out of bounds

Invalid buffer size

Writing from input

Source and destination overlap

Invalid date

Access offset from array indices

function—the calling function that generated the error

file(line)—the file and line number that generated the error

stack trace—Full call stack traceback, starting with the calling function. For example: ("0x001010a4 0x00304e58 0x00670060 0x00130b04").

Recommended Action    If the problem persists, contact the Cisco TAC.

216005

Error Message    %ASA-1-216005: ERROR: Duplex-mismatch on interface_name resulted in 
transmitter lockup. A soft reset of the switch was performed.

Explanation    A duplex-mismatch on the port caused a problem whereby the port could no longer transmit packets. This condition was detected, and the switch was reset to auto-recover from this condition. This message applies only to the ASA 5505 device.

interface_name—The interface name that was locked up.

Recommended Action    A duplex-mismatch exists between the specified port and the device that is connected to it. Correct the duplex-mismatch by either setting both devices to "auto," or hard-coding the duplex on both sides to be the same.

218001

Error Message    %PIX|ASA-2-218001: Failed Identification Test in slot# [fail#/res].

Explanation    The module in slot# of the security appliance could not be identified as a genuine Cisco product. Cisco warranties and support programs apply only to genuine Cisco products. If Cisco determines that the cause of a support issue is related to non-Cisco memory, SSM modules, SSC cards, or other modules, Cisco may deny support under your warranty or under a Cisco support program such as SmartNet.

Recommended Action    If this message reoccurs, copy it exactly as it appears on the console or in the syslog. Research and attempt to resolve the error using the Output Interpreter. Also perform a search with the Bug Toolkit. If the problem persists, contact the Cisco TAC.

218002

Error Message    %PIX|ASA-2-218002: Module (slot#) is a registered proto-type for Cisco 
Lab use only, and not certified for live network operation.

Explanation    Hardware in the specified location is a prototype module that came from a Cisco lab.

Recommended Action    If this message reoccurs, copy it exactly as it appears on the console or in the syslog. Research and attempt to resolve the error using the Output Interpreter. Also perform a search of the Bug Toolkit. If the problem persists, contact the Cisco TAC.

218003

Error Message    %PIX|ASA-2-218003: Module Version in <slot#> is obsolete. The module 
in slot = <slot#> is obsolete and must be returned via RMA to Cisco Manufacturing. 
If it is a lab unit, it must be returned to Proto Services for upgrade.

Explanation    This syslog message is generated when obsolete hardware is detected or when the show module command is entered for the module. This syslog message is generated every minute once it starts.

Recommended Action    If this message reoccurs, copy it exactly as it appears on the console or in the syslog. Research and attempt to resolve the error using the Output Interpreter. Also perform a search of the Bug Toolkit. If the problem persists, contact the Cisco TAC.

218004

Error Message    %PIX|ASA-2-218004: Failed Identification Test in slot# [fail#/res]

Explanation    There was a problem while identifying hardware in the specified location.

Recommended Action    If this message reoccurs, copy it exactly as it appears on the console or in the syslog. Research and attempt to resolve the error using the Output Interpreter. Also perform a search of the Bug Toolkit. If the problem persists, contact the Cisco TAC.

219002

Error Message    %ASA-3-219002: I2C_API_name error, slot = slot_number, device = 
device_number, address = address, byte count = count. Reason: reason_string

Explanation    The I2C serial bus API has failed. This might be because of a hardware or software problem.

I2C_API_name—The I2C API that failed:

I2C_read_byte_w_wait()

I2C_read_word_w_wait()

I2C_read_block_w_wait()

I2C_write_byte_w_wait()

I2C_write_word_w_wait()

I2C_write_block_w_wait()

I2C_read_byte_w_suspend()

I2C_read_word_w_suspend()

I2C_read_block_w_suspend()

I2C_write_byte_w_suspend()

I2C_write_word_w_suspend()

I2C_write_block_w_suspend()

slot_number—The hexadecimal number of the slot where the I/O operation that generated the syslog message occurred.The slot number cannot be unique to a slot in the chassis. Depending on the chassis, two different slots might have the same I2C slot number. Also the value is not necessarily less than or equal to the number of slots. The value depends on the way the I2C hardware is wired.

device_number—The hexadecimal number of the device on the slot the I/O operation was performed.

address—This is the hexadecimal address of the device on which the I/O operation occurred.

byte_count—This is the byte count in decimal of the I/O operation.

error_string—The reason for the error:

I2C_BUS_TRANSACTION_ERROR

I2C_CHKSUM_ERROR

I2C_TIMEOUT_ERROR

I2C_BUS_COLLISION_ERROR

I2C_HOST_BUSY_ERROR

I2C_UNPOPULATED_ERROR

I2C_SMBUS_UNSUPPORT

I2C_BYTE_COUNT_ERROR

I2C_DATA_PTR_ERROR

Recommended Action    Perform the following steps:

1. Log and review the messages and the errors associated with the event. If the syslog message does not occur continuously and goes away after a few minutes, it might be because the I2C serial bus is busy.

2. Reboot the software running on the system.

3. Power cycle the box. When you turn off the power, make sure you wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

Messages 302003 to 339001

This section contains messages from 302003 to 339001.

302003

Error Message    %PIX|ASA-6-302003: Built H245 connection for foreign_address 
outside_address/outside_port local_address inside_address/inside_port

Explanation    This is a connection-related message. This message is displayed when an H.245 connection is started from the outside_address to the inside_address. This message only occurs if the security appliance detects the use of an Intel Internet Phone. The foreign port (outside port) only displays on connections from outside the security appliance. The local port value (inside port) only appears on connections started on an internal interface.

Recommended Action    None required.

302004

Error Message    %PIX|ASA-6-302004: Pre-allocate H323 UDP backconnection for 
foreign_address outside_address/outside_port to local_address inside_address/inside_port

Explanation    This is a connection-related message. This message is displayed when an H.323 UDP back-connection is preallocated to the foreign address (outside_address) from the local address (inside_address). This message only occurs if the security appliance detects the use of an Intel Internet Phone. The foreign port (outside_port) only displays on connections from outside the security appliance. The local port value (inside_port) only appears on connections started on an internal interface.

Recommended Action    None required.

302009

Error Message    %PIX|ASA-6-302009: Rebuilt TCP connection number for foreign_address 
outside_address/outside_port global_address global_address/global_port local_address 
inside_address/inside_port

Explanation    This is a connection-related message. This message appears after a TCP connection is rebuilt after a failover. A sync packet is not sent to the other security appliance. The outside_address IP address is the foreign host, the global_address IP address is a global address on the lower security level interface, and the inside_address IP address is the local IP address "behind" the security appliance on the higher security level interface.

Recommended Action    None required.

302010

Error Message    %PIX|ASA-6-302010: connections in use, connections most used

Explanation    This is a connection-related message. This message appears after a TCP connection restarts. connections is the number of connections.

Recommended Action    None required.

302012

Error Message    %PIX|ASA-6-302012: Pre-allocate H225 Call Signalling Connection for 
faddr IP_address/port to laddr IP_address

Explanation    An H.225 secondary channel has been preallocated.

Recommended Action    None required.

302013

Error Message    %PIX|ASA-6-302013: Built {inbound|outbound} TCP connection_id for 
interface:real-address/real-port (mapped-address/mapped-port) to interface:real-address/real-port 
(mapped-address/mapped-port) [(user)]

Explanation    A TCP connection slot between two hosts was created.

connection_id is a unique identifier.

interface, real-address, real-port identify the actual sockets.

mapped-address, mapped-port identify the mapped sockets.

user is the AAA name of the user.

If inbound is specified, the original control connection was initiated from the outside. For example, for FTP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, the original control connection was initiated from the inside.

Recommended Action    None required.

302014

Error Message    %PIX|ASA-6-302014: Teardown TCP connection id for 
interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes 
bytes [reason] [(user)]

Explanation    A TCP connection between two hosts was deleted. The following list describes the message values:

connection id is an unique identifier.

interface, real-address, real-port identify the actual sockets.

duration is the lifetime of the connection.

bytes bytes is the data transfer of the connection.

user is the AAA name of the user.

The reason variable presents the action that causes the connection to terminate. Set the reason variable to one of the TCP termination reasons listed in Table 1-3.

Table 1-3 TCP Termination Reasons 

Reason
Description

Conn-timeout

Connection ended because it was idle longer than the configured idle timeout.

Deny Terminate

Flow was terminated by application inspection.

Failover primary closed

The standby unit in a failover pair deleted a connection because of a message received from the active unit.

FIN Timeout

Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.

Flow closed by inspection

Flow was terminated by inspection feature.

Flow terminated by IPS

Flow was terminated by IPS.

Flow reset by IPS

Flow was reset by IPS.

Flow terminated by TCP Intercept

Flow was terminated by TCP Intercept.

Flow timed out

Flow has timed out.

Flow timed out with reset

Flow has timed out, but was reset.

Invalid SYN

SYN packet not valid.

Idle Timeout

Connection timed out because it was idle longer than timeout value.

IPS fail-close

Flow was terminated due to IPS card down.

Pinhole Timeout

Counter is incremented to report that the appliance opened a secondary flow, but no packets passed through this flow within the timeout interval, and hence it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.

SYN Control

Back channel initiation from wrong side.

SYN Timeout

Force termination after 30 seconds awaiting three-way handshake completion.

TCP bad retransmission

Connection terminated because of bad TCP retransmission.

TCP FINs

Normal close down sequence.

TCP Invalid SYN

Invalid TCP SYN packet.

TCP Reset-APPLIANCE

Reset was from the security appliance.

TCP Reset-I

Reset was from the inside.

TCP Reset-O

Reset was from the outside.

TCP segment partial overlap

Detected a partially overlapping segment.

TCP unexpected window size variation

Connection terminated due to variation in the TCP window size.

Tunnel has been torn down

Flow terminated because tunnel is down.

Unauth Deny

Denied by URL filter.

Unknown

Catch-all error.

Xlate Clear

Command-line removal.


Recommended Action    None required.

302015

Error Message    %PIX|ASA-6-302015: Built {inbound|outbound} UDP connection number for 
interface_name:real_address/real_port (mapped_address/mapped_port) to 
interface_name:real_address/real_port (mapped_address/mapped_port) [(user)]

Explanation    A UDP connection slot between two hosts is created. The following list describes the message values:

connection number—A unique identifier.

interface, real_address, real_port—The actual sockets.

mapped_address and mapped_port—The mapped sockets.

user—The AAA name of the user.

If inbound is specified, then the original control connection is initiated from the outside. For example, for UDP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, then the original control connection is initiated from the inside.

Recommended Action    None required.

302016

Error Message    %PIX|ASA-6-302016: Teardown UDP connection number for 
interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes 
bytes [(user)]

Explanation    A UDP connection slot between two hosts was deleted. The following list describes the message values:

connection number is an unique identifier.

interface, real_address, real_port are the actual sockets.

time is the lifetime of the connection.

bytes is the data transfer of the connection.

connection id is an unique identifier.

interface, real-address, real-port are the actual sockets.

duration is the lifetime of the connection.

bytes is the data transfer of the connection.

user is the AAA name of the user.

Recommended Action    None required.

302017

Error Message    %PIX|ASA-6-302017: Built {inbound|outbound} 
GRE connection id from
interface:real_address (translated_address) to
interface:real_address/real_cid
(translated_address/translated_cid)[(user)

Explanation    A GRE connection slot between two hosts is created. The id is an unique identifier. The interface, real_address, real_cid tuple identifies the one of the two simplex PPTP GRE streams. The parenthetical translated_address, translated_cid tuple identifies the translated value with NAT.

If inbound is indicated, then the connection can only be used inbound. If outbound is indicated, then the connection can only be used for outbound. The following list describes the message values:

id—Unique number identifying the connection.

inbound—Control connection is for inbound PPTP GRE flow.

outbound—Control connection is for outbound PPTP GRE flow.

interface_name—The interface name.

real_address—IP address of the actual host.

real_cid—Untranslated call-ID for the connection.

translated_address—IP address after translation.

translated_cid—Translated call.

user—AAA user name.

Recommended Action    This is an informational message.

302018

Error Message    %PIX|ASA-6-302018: Teardown GRE connection id from
interface:real_address (translated_address) to
interface:real_address/real_cid
(translated_address/translated_cid)
duration hh:mm:ss bytes bytes [(user)]

Explanation    A GRE connection slot between two hosts is deleted. The interface, real_address, real_port tuples identify the actual sockets. Duration accounts the lifetime of the connection. The following list describes the message values:

id—Unique number identifying the connection.

interface—The interface name.

real_address—IP address of the actual host.

real_port—Port number of the actual host.

hh:mm:ss—Time in hour:minute:second format.

bytes—Number of PPP bytes transferred in the GRE session.

reason—Reason why the connection was terminated.

user—AAA user name.

Recommended Action    This is an informational message.

302019

Error Message    %PIX|ASA-3-302019: H.323 library_name ASN Library failed to initialize, 
error code number

Explanation    The specified ASN library that the security appliance uses for decoding the H.323 messages failed to initialize; the security appliance cannot decode or inspect the arriving H.323 packet. The security appliance allows the H.323 packet to pass through without any modification. When the next H.323 message arrives, the security appliance attempts to initialize the library again.

Recommended Action    If this message is generated consistently for a particular library, contact the Cisco TAC and provide them with all log messages (preferably with timestamps).

302020

Error Message    %PIX|ASA-6-302020: Built {in | out}bound ICMP connection for faddr 
{faddr | icmp_seq_num} gaddr {gaddr | cmp_type} laddr laddr 

Explanation    An ICMP session was established in the fast-path when stateful ICMP is enabled using the inspect icmp command.

Recommended Action    None required.

302021

Error Message    %PIX|ASA-6-302021: Teardown ICMP connection for faddr {faddr | 
icmp_seq_num} gaddr {gaddr | cmp_type} laddr laddr

Explanation    An ICMP session was removed in the fast-path when stateful ICMP is enabled using the inspect icmp command.

Recommended Action    None required.

302033

Error Message    %PIX|ASA-6-302033:Pre-allocated H323 GUP Connection for faddr 
interface:foreign address/foreign-port to laddr interface:local-address/local-port

Explanation    This is a connection-related message. This message is displayed when a GUP connection is started from the foreign_address to the local_address. The foreign port (outside port) only displays on connections from outside the security device. The local port value (inside port) only appears on connections started on an internal interface.

interface—The interface name

foreign-address—IP address of the foreign host

foreign-port—Port number of the foreign host

local-address—IP address of the local host

local-port—Port number of the local host

Recommended Action    None required

302034

Error Message    %PIX|ASA-4-302034: Unable to pre-allocate H323 GUP Connection for 
faddr interface: foreign address/foreign-port to laddr interface:local-address/local-port

Explanation    The module failed to allocate RAM system memory while starting a connection or has no more address translation slots available.

interface—The interface name

foreign-address—IP address of the foreign host

foreign-port—Port number of the foreign host

local-address—IP address of the local host

local-port—Port number of the local host

Recommended Action    If this message occurs periodically, it can be ignored. If it repeats frequently, contact Cisco TAC. You can check the size of the global pool compared to the number of inside network clients. Alternatively, shorten the timeout interval of translates and connections. This error message may also be caused by insufficient memory; try reducing the amount of memory usage, or purchasing additional memory.

302302

Error Message    %PIX|ASA-3-302302: ACL = deny; no sa created

Explanation    IPSec proxy mismatches. Proxy hosts for the negotiated SA correspond to a deny access-list command policy.

Recommended Action    Check the access-list command statement in the configuration. Contact the administrator for the peer.

303002

Error Message    PIX-6-303002: FTP connection from src_ifc:src_ip/src_port to 

dst_ifc:dst_ip/dst_port, user username action file filename

Explanation    This event is generated whenever a client uploads or downloads a file from the FTP server.

src_ifc—The interface where the client resides.

src_ip—The IP address of the client.

src_port—The client port.

dst_ifc—The interface where the server resides.

dst_ip—The IP address of the FTP server.

dst_port—The server port.

username—The FTP username.

action—The stored/retrieved actions.

filename—The file stored or retrieved.

Recommended Action    None required.

303003

Error Message    %PIX|ASA-5-303003: FTP cmd_string command denied - failed strict 
inspection, terminating connection from %s:%A/%d to %s:%A/%d.

Explanation    This message is generated when using strict FTP inspection on FTP traffic. It is displayed if an FTP request message contains a command that is not recognized by the device.

Recommended Action    None required.

303004

Error Message    %PIX|ASA-5-303004: FTP cmd_string command unsupported - failed strict 
inspection, terminating connection from source_interface:source_address/source_port to 
dest_interface:dest_address/dest_interface

Explanation    This message is generated when using strict FTP inspection on FTP traffic. It is displayed if an FTP request message contains a command that is not recognized by the device.

Recommended Action    None required.

303005

Error Message    %PIX|ASA-5-303005: Strict FTP inspection matched match_string in 
policy-map policy-name, action_string from src_ifc:sip/sport to 
dest_ifc:dip/dport

Explanation    This message is generated when FTP inspection matches any of the following configured values: filename, file type, request command, server, or user name. Then the action specified by the action_string in this syslog message occurs.

match_string—The match clause in the policy-map.

policy-name—The policy-map that matched.

action_string—The action to take; for example, "Reset Connection."

src_ifc—The source interface name.

sip—The source IP address.

sport—The source port.

dest_ifc—The destination interface name.

dip—The destination IP address.

dport—The destination port.

Recommended Action    None required.

304001

Error Message    %PIX|ASA-5-304001: user@source_address Accessed {JAVA URL|URL} 
dest_address: url

Explanation    This is an FTP/URL message. This message is displayed when the specified host attempts to access the specified URL.

Recommended Action    None required.

304002

Error Message    %PIX|ASA-5-304002: Access denied URL chars SRC IP_address DEST 
IP_address: chars

Explanation    This is an FTP/URL message. This message is displayed if access from the source address to the specified URL or FTP site is denied.

Recommended Action    None required.

304003

Error Message    %PIX|ASA-3-304003: URL Server IP_address timed out URL url

Explanation    A URL server timed out.

Recommended Action    None required.

304004

Error Message    %PIX|ASA-6-304004: URL Server IP_address request failed URL url

Explanation    This is an FTP/URL message. This message is displayed if a Websense server request fails.

Recommended Action    None required.

304005

Error Message    %PIX|ASA-7-304005: URL Server IP_address request pending URL url

Explanation    This is an FTP/URL message. This message is displayed when a Websense server request is pending.

Recommended Action    None required.

304006

Error Message    %PIX|ASA-3-304006: URL Server IP_address not responding

Explanation    This is an FTP/URL message. The Websense server is unavailable for access, and the security appliance attempts to either try to access the same server if it is the only server installed, or another server if there is more than one.

Recommended Action    None required.

304007

Error Message    %PIX|ASA-2-304007: URL Server IP_address not responding, ENTERING ALLOW 
mode.

Explanation    This is an FTP/URL message. This message is displayed when you use the allow option of the filter command, and the Websense servers are not responding. The security appliance allows all web requests to continue without filtering while the servers are not available.

Recommended Action    None required.

304008

Error Message    %PIX|ASA-2-304008: LEAVING ALLOW mode, URL Server is up.

Explanation    This is an FTP/URL message. This message is displayed when you use the allow option of the filter command, and the security appliance receives a response message from a Websense server that previously was not responding. With this response message, the security appliance exits the allow mode, which enables the URL filtering feature again.

Recommended Action    None required.

304009

Error Message    %PIX|ASA-7-304009: Ran out of buffer blocks specified by url-block 
command

Explanation    The URL pending buffer block is running out of space.

Recommended Action    Change the buffer block size by entering the url-block block block_size command.

305005

Error Message    %PIX|ASA-3-305005: No translation group found for protocol src 
interface_name: source_address/source_port dst interface_name: dest_address/dest_port

Explanation    A packet does not match any of the outbound nat command rules. If NAT is not configured for the specified source and destination systems, the message will be generated frequently.

Recommended Action    This message indicates a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the NAT 0 ACL.

305006

Error Message    %PIX|ASA-3-305006: {outbound static|identity|portmap|regular) 
translation creation failed for protocol src interface_name:source_address/source_port 
dst interface_name:dest_address/dest_port

Explanation    A protocol (UDP, TCP, or ICMP) failed to create a translation through the security appliance. This message appears as a fix to caveat CSCdr00663 that requested that security appliance not allow packets that are destined for network or broadcast addresses. The security appliance provides this checking for addresses that are explicitly identified with static command statements. With the change, for inbound traffic, the security appliance denies translations for a destined IP address identified as a network or broadcast address.

The security appliance does not apply PAT to all ICMP message types; it only applies PAT ICMP echo and echo-reply packets (types 8 and 0). Specifically, only ICMP echo or echo-reply packets create a PAT xlate. So, when the other ICMP messages types are dropped, syslog message 305006 (on the security appliance) is generated.

The security appliance utilizes the global IP and mask from configured static command statements to differ regular IP addresses from network or broadcast IP addresses. If the global IP address is a valid network address with a matching network mask, then the security appliance does not create a translation for network or broadcast IP addresses with inbound packets.

For example:

static (inside,outside) 10.2.2.128 10.1.1.128 netmask 255.255.255.128


Global address 10.2.2.128 is responded to as a network address and 10.2.2.255 is responded to as the broadcast address. Without an existing translation, security appliance denies inbound packets destined for 10.2.2.128 or 10.2.2.255, and logs this syslog message.

When the suspected IP is a host IP, configure a separated static command statement with a host mask in front of the subnet static (first match rule for static command statements). The following static causes the security appliance to respond to 10.2.2.128 as a host address:

static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.255
static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.128


The translation may be created by traffic started with the inside host with the questioned IP address. Because the security appliance views a network or broadcast IP address as a host IP address with overlapped subnet static configuration, the network address translation for both static command statements must be the same.

Recommended Action    None required.

305007

Error Message    %PIX|ASA-6-305007: addrpool_free(): Orphan IP IP_address on interface 
interface_number

Explanation    The security appliance has attempted to translate an address that it cannot find in any of its global pools. The security appliance assumes that the address was deleted and drops the request.

Recommended Action    None required.

305008

Error Message    %PIX|ASA-3-305008: Free unallocated global IP address.

Explanation    The security appliance kernel detected an inconsistency condition when trying to free an unallocated global IP address back to the address pool. This abnormal condition may occur if the security appliance is running a Stateful Failover setup and some of the internal states are momentarily out of synchronization between the active unit and the standby unit. This condition is not catastrophic, and the sync recovers automatically.

Recommended Action    If the problem persists, contact the Cisco TAC.

305009

Error Message    %PIX|ASA-6-305009: Built {dynamic|static} translation from 
interface_name [(acl-name)]:real_address to interface_name:mapped_address

Explanation    An address translation slot was created. The slot translates the source address from the local side to the global side. In reverse, the slot translates the destination address from the global side to the local side.

Recommended Action    None required.

305010

Error Message    %PIX|ASA-6-305010: Teardown {dynamic|static} translation from 
interface_name:real_address to interface_name:mapped_address duration time

Explanation    The address translation slot was deleted.

Recommended Action    None required.

305011

Error Message    %PIX|ASA-6-305011: Built {dynamic|static} {TCP|UDP|ICMP} translation 
from interface_name:real_address/real_port to interface_name:mapped_address/mapped_port

Explanation    A TCP, UDP, or ICMP address translation slot was created. The slot translates the source socket from the local side to the global side. In reverse, the slot translates the destination socket from the global side to the local side.

Recommended Action    None required.

305012

Error Message    %PIX|ASA-6-305012: Teardown {dynamic|static} {TCP|UDP|ICMP} 
translation from interface_name [(acl-name)]:real_address/{real_port|real_ICMP_ID}to 
interface_name:mapped_address/{mapped_port|mapped_ICMP_ID} duration time

Explanation    The address translation slot was deleted.

Recommended Action    None required.

305013

Error Message    %PIX|ASA-5-305013: Asymmetric NAT rules matched for forward and 
reverse flows; Connection protocol src interface_name:source_address/source_port 
dest interface_name:dest_address/dest_port denied due to NAT reverse path failure.

Explanation    An attempt to connect to a mapped host using its actual address was rejected.

Recommended Action    When not on the same interface as the host using NAT, use the mapped address instead of the actual address to connect to the host. In addition, enable the applicable inspect command if the application embeds the IP address.

308001

Error Message    %PIX|ASA-6-308001: console enable password incorrect for number tries 
(from IP_address)

Explanation    This is a security appliance management message. This message is displayed after the specified number of times a user incorrectly types the password to enter privileged mode. The maximum is three attempts.

Recommended Action    Verify the password and try again.

308002

Error Message    %PIX|ASA-4-308002: static global_address inside_address netmask netmask 
overlapped with global_address inside_address

Explanation    The IP addresses in one or more static command statements overlap. global_address is the global address, which is the address on the lower security interface, and inside_address is the local address, which is the address on the higher security-level interface.

Recommended Action    Use the show static command to view the static command statements in your configuration and fix the commands that overlap. The most common overlap occurs if you specify a network address such as 10.1.1.0, and in another static command you specify a host within that range such as 10.1.1.5.

311001

Error Message    %PIX|ASA-6-311001: LU loading standby start

Explanation    Stateful Failover update information was sent to the standby security appliance when the standby security appliance is first to be online.

Recommended Action    None required.

311002

Error Message    %PIX|ASA-6-311002: LU loading standby end

Explanation    Stateful Failover update information stopped sending to the standby security appliance.

Recommended Action    None required.

311003

Error Message    %PIX|ASA-6-311003: LU recv thread up

Explanation    An update acknowledgment was received from the standby security appliance.

Recommended Action    None required.

311004

Error Message    %PIX|ASA-6-311004: LU xmit thread up

Explanation    This message appears when a Stateful Failover update is transmitted to the standby security appliance.

Recommended Action    None required.

312001

Error Message    %PIX|ASA-6-312001: RIP hdr failed from IP_address: cmd=string, 
version=number domain=string on interface interface_name

Explanation    The security appliance received a RIP message with an operation code other than reply, the message has a version number different from what is expected on this interface, and the routing domain entry was nonzero.

Recommended Action    This message is informational, but it may also indicate that another RIP device is not configured correctly to communicate with the security appliance.

313001

Error Message    %PIX|ASA-3-313001: Denied ICMP type=number, code=code from IP_address 
on interface interface_name

Explanation    When using the icmp command with an access list, if the first matched entry is a permit entry, the ICMP packet continues processing. If the first matched entry is a deny entry or an entry is not matched, the security appliance discards the ICMP packet and generates this syslog message. The icmp command enables or disables pinging to an interface. With pinging disabled, the security appliance cannot be detected on the network. This feature is also referred to as configurable proxy pinging.

Recommended Action    Contact the administrator of the peer device.

313004

Error Message    %PIX|ASA-4-313004:Denied ICMP type=icmp_type, from source_address 
oninterface interface_name to dest_address:no matching session

Explanation    ICMP packets were dropped by the security appliance because of security checks added by the stateful ICMP feature that are usually either ICMP echo replies without a valid echo request already passed across the security appliance or ICMP error messages not related to any TCP, UDP, or ICMP session already established in the security appliance.

Recommended Action    None required.

313005

Error Message    %PIX|ASA-4-313005: No matching connection for ICMP error message: 
icmp_msg_info on interface_name interface. Original IP payload: 
embedded_frame_info icmp_msg_info = icmp src src_interface_name:src_address dst 
dest_interface_name:dest_address (type icmp_type, code icmp_code) 
embedded_frame_info = prot src source_address/source_port dst 
dest_address/dest_port

Explanation    ICMP error packets were dropped by the security appliance because the ICMP error messages are not related to any session already established in the security appliance.

Recommended Action    If the cause is an attack, you can deny the host by using ACLs.

313008

Error Message    %PIX|ASA-3-313008: Denied ICMPv6 type=number, code=code from 
IP_address on interface interface_name

Explanation    When using the icmp command with an access list, if the first matched entry is a permit entry, the ICMPv6 packet continues processing. If the first matched entry is a deny entry, or an entry is not matched, the security appliance discards the ICMPv6 packet and generates this syslog message.

The icmp command enables or disables pinging to an interface. When pinging is disabled, the security appliance is undetectable on the network. This feature is also referred to as "configurable proxy pinging."

Recommended Action    Contact the administrator of the peer device.

314001

Error Message    %PIX|ASA-6-314001: Pre-allocated RTSP UDP backconnection for 
src_intf:src_IP to dst_intf:dst_IP/dst_port.

Explanation    Open UDP media channel for RTSP client receiving data from server

src_intf—Source interface name

src_IP—Source interface IP address

dst_intf—Destination interface name

dst_IP—Destination IP address

dst_port—Destination port

Recommended Action    None required.

314002

Error Message    %PIX|ASA-6-314002: RTSP failed to allocate UDP media connection from 
src_intf:src_IP to dst_intf:dst_IP/dst_port: reason_string.

Explanation    The security appliance cannot open a new pinhole for the media channel

src_intf—Source interface name.

src_IP—Source interface IP address.

dst_intf—Destination interface name.

dst_IP—Destination IP address.

dst_port—Destination port.

reason_string—Pinhole already exists | Unknown.

Recommended Action    If the reason is "unknown," check the free memory available (show memory), or number of connections used (show conn), because the security appliance is low on memory.

314003

Error Message    %PIX|ASA-6-314003: Dropped RTSP traffic from src_intf:src_ip due to: reason.

Explanation    The RTSP message violated the user-configured RTSP security policy, either because it contains a port from the reserve port range, or it contains a URL with a length greater than the maximum limit allowed.

src_intf—Source interface name

src_IP—Source interface IP address

reason—One of the following two reasons pertain:

Endpoint negotiating media ports in the reserved port range from 0 to 1024

URL length of <url length> bytes exceeds the maximum <url length limit> bytes

Recommended Action    Investigate why the RTSP client sends messages that violate the security policy. If the requested URL is legitimate, you can relax the policy by specifying a longer URL length limit in the RTSP policy-map.

314004

Error Message    %PIX|ASA-6-314004: RTSP client src_intf:src_IP accessed RTSP URL 
RTSP URL

Explanation    RTSP client attempt to access an RTSP server.

src_intf—Source interface name

src_IP—Source interface IP address

RTSP URL—RTSP server URL

Recommended Action    None required.

314005

Error Message    %PIX|ASA-6-314005: RTSP client src_intf:src_IP denied access to URL 
RTSP_URL.

Explanation    RTSP client attempt to access prohibited site, as configured on the security appliance.

src_intf—Source interface name

src_IP—Source interface IP address

RTSP_URL—RTSP server URL

Recommended Action    None required.

314006

Error Message    %PIX|ASA-6-314006: RTSP client src_intf:src_IP exceeds configured rate 
limit of rate for request_method messages.

Explanation    A specific RTSP request message exceeded the configured rate limit of RTSP policy.

src_intf—Source interface name

src_IP—Source interface IP address

rate—Configured rate limit

request_method—Type of request message

Recommended Action    Investigate why the specific RTSP request message from the client exceeded the rate limit.

315004

Error Message    %PIX|ASA-3-315004: Fail to establish SSH session because RSA host key 
retrieval failed.

Explanation    The security appliance could not find the security appliance RSA host key, which is required for establishing an SSH session. The security appliance host key may be absent because it was not generated or because the license for this security appliance does not allow DES or 3DES.

Recommended Action    From the security appliance console, enter the show crypto key mypubkey rsa command to verify that the RSA host key is present. If the host key is not present, enter the show version command to verify that DES or 3DES is allowed. If an RSA host key is present, restart the SSH session. To generate the RSA host key, enter the crypto key mypubkey rsa command.

315011

Error Message    %PIX|ASA-6-315011: SSH session from IP_address on interface 
interface_name for user user disconnected by SSH server, reason: reason

Explanation    This message appears after an SSH session completes. If a user enters quit or exit, the terminated normally message displays. If the session disconnected for another reason, the text describes the reason. Table 1-4 lists the possible reasons why a session disconnected.

Table 1-4 SSH Disconnect Reasons 

Text String
Explanation
Action

Bad checkbytes

A mismatch was detected in the check bytes during an SSH key exchange.

Restart the SSH session.

CRC check failed

The CRC value computed for a particular packet does not match the CRC value embedded in the packet; the packet is bad.

None required. If this message persists, call Cisco TAC.

Decryption failure

Decryption of an SSH session key failed during an SSH key exchange.

Check the RSA host key and try again.

Format error

A non-protocol version message was received during an SSH version exchange.

Check the SSH client, to ensure it is a supported version.

Internal error

This message indicates either an error internal to SSH on the security appliance or an RSA key may not have been entered on the security appliance or cannot be retrieved.

From the security appliance console, enter the show crypto key mypubkey rsa command to verify that the RSA host key is present. If the host key is not present, enter the show version command to verify that DES or 3DES is allowed. If an RSA host key is present, restart the SSH session. To generate the RSA host key, enter the crypto key mypubkey rsa command.

Invalid cipher type

The SSH client requested an unsupported cipher.

Enter the show version command to determine what features your license supports, then reconfigure the SSH client to use the supported cipher.

Invalid message length

The length of SSH message arriving at the security appliance exceeds 262,144 bytes or is shorter than 4096 bytes. The data may be corrupted.

None required.

Invalid message type

The security appliance received a non-SSH message, or an unsupported or unwanted SSH message.

Check whether the peer is an SSH client. If it is a client supporting SSHv1, and this message persists, from the security appliance serial console enter the debug ssh command and capture the debug messages. contact the Cisco TAC.

Out of memory

This message appears when the security appliance cannot allocate memory for use by the SSH server, probably when the security appliance is busy with high traffic.

Restart the SSH session later.

Rejected by server

User authentication failed.

Ask the user to verify their username and password.

Reset by client

An SSH client sent the SSH_MSG_DISCONNECT message to the security appliance.

None required.

status code: hex (hex)

Users closed the SSH client window (running on Windows) instead of entering quit or exit at the SSH console.

None required. Encourage users to exit the client gracefully instead of just exiting.

Terminated by operator

The SSH session was terminated by entering the ssh disconnect command at the security appliance console.

None required.

Time-out activated

The SSH session timed out because the duration specified by the ssh timeout command was exceeded.

Restart the SSH connection. You can use the ssh timeout command to increase the default value of 5 minutes up to 60 minutes if required.


Recommended Action    None required.

316001

Error Message    %PIX|ASA-3-316001: Denied new tunnel to IP_address. VPN peer limit 
(platform_vpn_peer_limit) exceeded

Explanation    If more VPN tunnels (ISAKMP/IPSec) are concurrently attempting to be established than supported by the platform VPN peer limit, then the excess tunnels are aborted.

Recommended Action    None required.

316002

Error Message    %ASA-3-316002: VPN Handle error: protocol=protocol, src 
in_if_num:src_addr, dst out_if_num:dst_addr

Explanation    This message is generated when the security appliance is unable to create a VPN handle, because the VPN handle already exists.

protocol—The protocol of the VPN flow

in_if_num—The ingress interface number of the VPN flow

src_addr—The source IP address of the VPN flow

out_if_num—The egress interface number of the VPN flow

dst_addr—The destination IP address of the VPN flow

Recommended Action    This message may occur during normal operation; however, if the message occurs repeatedly and a major malfunction of VPN-based applications occurs, a software defect may be the cause. Enter the following commands to collect more information and contact the Cisco TAC to investigate the issue further.

capture name type asp-drop vpn-handle-error
show asp table classify crypto detail
show asp table vpn-context

317001

Error Message    %PIX|ASA-3-317001: No memory available for limit_slow

Explanation    The requested operation failed because of a low-memory condition.

Recommended Action    Reduce other system activity to ease memory demands. If conditions warrant, upgrade to a larger memory configuration.

317002

Error Message    %PIX|ASA-3-317002: Bad path index of number for IP_address, number max

Explanation    A software error occurred.

Recommended Action    If the problem persists, contact the Cisco TAC.

317003

Error Message    %PIX|ASA-3-317003: IP routing table creation failure - reason

Explanation    An internal software error occurred, which prevented the creation of new IP routing table.

Recommended Action    Copy the message exactly as it appears, and report it to Cisco TAC.

317004

Error Message    %PIX|ASA-3-317004: IP routing table limit warning

Explanation    The number of routes in the named IP routing table has reached the configured warning limit.

Recommended Action    Reduce the number of routes in the table, or reconfigure the limit.

317005

Error Message    %PIX|ASA-3-317005: IP routing table limit exceeded - reason, IP_address 
netmask

Explanation    Additional routes will be added to the table.

Recommended Action    Reduce the number of routes in the table, or reconfigure the limit.

317006

Error Message    %PIX|ASA-3-317006: Pdb index error pdb, pdb_index, pdb_type

Explanation    The index into the pdb is out of range.

pdb—Protocol Descriptor Block, the descriptor of the Pdb index error

pdb_index—The Pdb index identifier

pdb_type—The type of the Pdb index error

Recommended Action    If the problem persists, copy the error message exactly as it appears on the console or in the syslog, contact the Cisco TAC, and provide the representative with the gathered information.

318001

Error Message    %PIX|ASA-3-318001: Internal error: reason

Explanation    An internal software error occurred. This message occurs at 5-second intervals.

Recommended Action    If the problem persists, contact the Cisco TAC.

318002

Error Message    %PIX|ASA-3-318002: Flagged as being an ABR without a backbone area

Explanation    The router was flagged as an area border router (ABR) without a backbone area configured in the router. This message occurs at 5-second intervals.

Recommended Action    Restart the OSPF process.

318003

Error Message    %PIX|ASA-3-318003: Reached unknown state in neighbor state machine

Explanation    An internal software error occurred. This message occurs at 5 second intervals.

Recommended Action    None required.

318004

Error Message    %PIX|ASA-3-318004: area string lsid IP_address mask netmask adv IP_address 
type number

Explanation    OSPF had a problem locating the link state advertisement (LSA), which might lead to a memory leak.

Recommended Action    If the problem persists, contact the Cisco TAC.

318005

Error Message    %PIX|ASA-3-318005: lsid ip_address adv IP_address type number gateway 
gateway_address metric number network IP_address mask netmask protocol hex attr hex 
net-metric number

Explanation    OSPF found an inconsistency between its database and the IP routing table.

Recommended Action    If the problem persists, contact the Cisco TAC.

318006

Error Message    %PIX|ASA-3-318006: if interface_name if_state number

Explanation    An internal error occurred.

Recommended Action    If the problem persists, contact the Cisco TAC.

318007

Error Message    %PIX|ASA-3-318007: OSPF is enabled on interface_name during idb 
initialization

Explanation    An internal error occurred.

Recommended Action    If the problem persists, contact the Cisco TAC.

318008

Error Message    %PIX|ASA-3-318008: OSPF process number is changing router-id. 
Reconfigure virtual link neighbors with our new router-id

Explanation    The OSPF process is being reset, and it is going to select a new router ID. This action will bring down all virtual links.

Recommended Action    Change virtual link configuration on all of the virtual link neighbors to reflect the new router ID.

318009

Error Message    %PIX|ASA-3-318009: OSPF: Attempted reference of stale data encountered 
in function, line: line_num 

Explanation    This message is displayed when OSPF is running and tries to reference some related data structures that have been removed elsewhere. Clearing interface and router configurations may resolve the problem. However, if this message appears, some sequence of steps caused premature deletion of data structures and this needs to be investigated.

function—The function that received the unexpected event

line_num —Line number in the code

Recommended Action    If the problem persists, contact the Cisco TAC.

319001

Error Message    %PIX|ASA-3-319001: Acknowledge for arp update for IP address 
dest_address not received (number).

Explanation    The ARP process in the security appliance lost internal synchronization because the system was overloaded.

Recommended Action    No immediate action is required. The failure is only temporary. Check the average load of the system and make sure it is not used beyond its capabilities.

319002

Error Message    %PIX|ASA-3-319002: Acknowledge for route update for IP address 
dest_address not received (number).

Explanation    The routing module in the security appliance lost internal synchronization because the system was overloaded.

Recommended Action    No immediate action required. The failure is only temporary. Check the average load of the system and make sure it is not used beyond its capabilities.

319003

Error Message    %PIX|ASA-3-319003: Arp update for IP address address to NPn failed. 

Explanation    When an ARP entry has to be updated, a message is sent to the network processor (NP) in order to update the internal ARP table. If the module is experiencing high utilization of memory or if the internal table is full, the message to the NP may be rejected and this message generated.

Recommended Action    Verify if the ARP table is full. If it is not full, check the load of the module with respect to the CPU utilization and connections per second. If CPU utilization is high and/or there is a large number of connections per second, normal operations will resume when the load returns to normal.

319004

Error Message    %PIX|ASA-3-319004: Route update for IP address dest_address failed 
(number).

Explanation    The routing module in the security appliance lost internal synchronization because the system was overloaded.

Recommended Action    No immediate action required. The failure is only temporary. Check the average load of the system and make sure it is not used beyond its capabilities.

320001

Error Message    %PIX|ASA-3-320001: The subject name of the peer cert is not allowed 
for connection

Explanation    When the security appliance is an easy VPN remote device or server, the peer certificate contains a subject name that does not match the ca verifycertdn command.

Recommended Action    This message might indicate a "man in the middle" attack, where a device spoofs the peer IP address and attempts to intercept a VPN connection from the security appliance.

321001

Error Message    %PIX|ASA-5-321001: Resource var1 limit of var2 reached.

Explanation    A configured resource usage or rate limit for the indicated resource was reached.

Recommended Action    None required.

321002

Error Message    %PIX|ASA-5-321002: Resource var1 rate limit of var2 reached.

Explanation    A configured resource usage or rate limit for the indicated resource was reached.

Recommended Action    None required.

321003

Error Message    %PIX|ASA-6-321003: Resource var1 log level of var2 reached.

Explanation    A configured resource usage or rate log level for the indicated resource was reached.

Recommended Action    None required.

321004

Error Message    %PIX|ASA-6-321004: Resource var1 rate log level of var2 reached

Explanation    A configured resource usage or rate log level for the indicated resource was reached.

Recommended Action    None required.

322001

Error Message    %PIX|ASA-3-322001: Deny MAC address MAC_address, possible spoof 
attempt on interface interface

Explanation    The security appliance received a packet from the offending MAC address on the specified interface but the source MAC address in the packet is statically bound to another interface in your configuration. This could be caused by either be a MAC-spoofing attack or a misconfiguration.

Recommended Action    Check the configuration and take appropriate action by either finding the offending host or correcting the configuration.

322002

Error Message    %PIX|ASA-3-322002: ARP inspection check failed for arp 
{request|response} received from host MAC_address on interface interface. This host 
is advertising MAC Address MAC_address_1 for IP Address IP_address, which is 
{statically|dynamically} bound to MAC Address MAC_address_2.

Explanation    If the ARP inspection module is enabled, it checks whether a new ARP entry advertised in the packet conforms to the statically configured or dynamically learned IP-MAC address binding before forwarding ARP packets across the security appliance. If this check fails, the ARP inspection module drops the ARP packet and generates this message. This situation may be caused by either ARP spoofing attacks in the network or an invalid configuration (IP-MAC binding).

Recommended Action    If the cause is an attack, you can deny the host using the ACLs. If the cause is an invalid configuration, correct the binding.

322003

Error Message    %PIX|ASA-3-322003:ARP inspection check failed for arp 
{request|response} received from host MAC_address on interface interface. This host 
is advertising MAC Address MAC_address_1 for IP Address IP_address, which is not 
bound to any MAC Address. 

Explanation    If the ARP inspection module is enabled, it checks whether a new ARP entry advertised in the packet conforms to the statically configured IP-MAC address binding before forwarding ARP packets across the security appliance. If this check fails, the ARP inspection module drops the ARP packet and generates this message. This situation may be caused by either ARP spoofing attacks in the network or an invalid configuration (IP-MAC binding).

Recommended Action    If the cause is an attack, you can deny the host using the ACLs. If the cause is an invalid configuration, correct the binding.

322004

Error Message    %PIX|ASA-6-322004: No management IP address configured for transparent 
firewall. Dropping protocol protocol packet from interface_in:source_address/source_port 
to interface_out:dest_address/dest_port

Explanation    The security appliance dropped a packet due to no management IP address configured in the transparent mode.

protocol—Protocol string or value

interface_in—Input interface name

source_address—Source IP address of the packet

source_port—Source port of the packet

interface_out—Output interface name

dest_address—Destination IP address of the packet

dest_port—Destination port of the packet

Recommended Action    Configure the device with management IP address and mask values.

323001

Error Message    %ASA-3-323001: Module in slot slotnum experienced a control channel 
communications failure.

Explanation    System is unable to communicate via control channel with module installed in slot slot.

slotnum—The slot in which the failure occurred. Slot = 0 indicates the system main board and slot 1 indicates the module installed in the expansion slot. For this error, slot should always be 1.

Recommended Action    If the problem persists, contact the Cisco TAC.

323002

Error Message    %ASA-3-323002: Module in slot slotnum is not able to shut down, shut 
down request not answered.

Explanation    Module installed in slot slot didn't respond to a shut down request.

slotnum—The slot in which the failure occurred. Slot = 0 indicates the system main board and slot 1 indicates the module installed in the expansion slot. For this error, slot should always be 1.

Recommended Action    If the problem persists, contact the Cisco TAC.

323003

Error Message    %ASA-3-323003: Module in slot slotnum is not able to reload, reload 
request not answered.

Explanation    Module installed in slot slot didn't respond to a reload request.

slotnum—The slot in which the failure occurred. Slot = 0 indicates the system main board and slot 1 indicates the module installed in the expansion slot. For this error, slot should always be 1.

Recommended Action    If the problem persists, contact the Cisco TAC.

323004

Error Message    %ASA-3-323004: Module in slot slotnum failed to write software vnewver 
(currently vver), reason. Hw-module reset is required before further use.

Explanation    The module in the specified slot number failed to accept a software version, and will be transitioned to an UNRESPONSIVE state. The module is not usable until the software is updated.

slotnum—The slot number containing the module

newver—The new version number of software that was not successfully written to the module (for example, 1.0(1)0)

ver—The current version number of the software on the module (for example, 1.0(1)0)

reason—The reason the new version could not be written to the module. The possible values for reason include the following:

write failure

failed to create a thread to write the image

Recommended Action    The module must be reset by using the hw-module module slotnum reset before further upgrade attempts will be made. If the module software can not be updated it will not be usable. Ensure the module is completely seated in the chassis. If the problem persists, contact the Cisco TAC.

323005

Error Message    %ASA-3-323005: Module in slot slotnum can not be powered on completely

Explanation    This message indicates that the module can not be powered up completely. The module will remain in the UNRESPONSIVE state until this condition is corrected. A likely cause of this is a module that is not fully seated in the slot.

slotnum—The slot number containing the module

Recommended Action    Verify that the module is fully seated in the slot and check if any status LEDs on the module are on. It may take a minute after fully reseating the module for the system to recognize that it is powered up. If this message appears after verifying that the module is seated and after resetting the module using the hw-module module slotnum reset command, contact the Cisco TAC.

323006

Error Message    %ASA-1-323006: Type Module in slot slot experienced a data channel 
communication failure, data channel is DOWN.

Explanation    This message indicates that a data channel communication failure occurred and the system was unable to forward traffic to the SSM. This failure triggers a failover when the failure occurs on the active appliance in an HA configuration. The failure also results in the configured fail open or fail closed policy being enforced on traffic that would normally be sent to the SSM. This message is generated whenever a communication problem over the security appliance dataplane occurs between the system module and the SSM, which can be caused when the SSM stops, resets, or is removed.

Type—The type of SSM (for example, ASA-SSM-10)

slot—The slot in which the failure occurred (for example, slot 1)

Recommended Action    If this message is not the result of the SSM reloading or resetting and the corresponding message 1-505010 is not seen after the SSM returns to an UP state, the module may need to be reset using the hw-module module 1 reset command.

323007

Error Message    %ASA-3-323007: Module in slot slot experienced a firmware failure and 
the recovery is in progress.

Explanation    If an security appliance with a 4GE-SSM card installed experiences a short power surge and reboots, the 4GE-SSM may come up in an unresponsive state. The security appliance detects this condition and automatically recovers.

slot—The slot in which the failure occurred (for example, slot 1)

Recommended Action    None required.

324000

Error Message    %PIX|ASA-3-324000: Drop GTPv version message msg_type from 
source_interface:source_address/source_port to dest_interface:dest_address/dest_port Reason: 
reason

Explanation    The packet being processed did not meet the filtering requirements as described in the reason variable and is being dropped.

Recommended Action    None required.

324001

Error Message    %PIX|ASA-3-324001: GTPv0 packet parsing error from 
source_interface:source_address/source_port to dest_interface:dest_address/dest_port, TID: 
tid_value, Reason: reason

Explanation    There was an error processing the packet. The following are possible reasons:

Mandatory IE is missing

Mandatory IE incorrect

IE out of sequence

Invalid message format.

Optional IE incorrect

Invalid TEID

Unknown IE

Bad length field

Unknown GTP message.

Message too short

Unexpected message seen

Null TID

Version not supported

Recommended Action    If this message is seen periodically, it can be ignored. If it is seen frequently, then the endpoint maybe sending out bad packets as part of an attack.

324002

Error Message    %PIX|ASA-3-324002: No PDP[MCB] exists to process GTPv0 msg_type from 
source_interface:source_address/source_port to dest_interface:dest_address/dest_port, TID: 
tid_value

Explanation    If this message was preceded by message 321100: Memory allocation Error, the message indicates that there were not enough resources to create the PDP Context. If not, it was not preceded by message 321100, for version 0 it indicates that the corresponding PDP context could not be found. For version 1, if this message was preceded by message 324001, then a packet-processing error occurred, and the operation stopped.

Recommended Action    If the problem persists, contact the Cisco TAC.

324003

Error Message    %PIX|ASA-3-324003: No matching request to process GTPv version msg_type 
from source_interface:source_address/source_port to 
source_interface:dest_address/dest_port

Explanation    The response received does not have a matching request in the request queue and should not be processed further.

Recommended Action    If this message is seen periodically, it can be ignored. But if it is seen frequently, then the endpoint maybe sending out bad packets as part of an attack.

324004

Error Message    %PIX|ASA-3-324004: GTP packet with version%d from 
source_interface:source_address/source_port to dest_interface:dest_address/dest_port is not 
supported 

Explanation    The packet being processed has a version other than the currently supported version, which is 0 or 1. If the version number printed out is an incorrect number and is seen frequently, then the endpoint may be sending out bad packets as part of an attack.

Recommended Action    None required.

324005

Error Message    %PIX|ASA-3-324005: Unable to create tunnel from 
source_interface:source_address/source_port to dest_interface:dest_address/dest_port

Explanation    An error occurred while trying to create the tunnel for the TPDUs.

Recommended Action    If this message occurs periodically, it can be ignored. If it repeats frequently, contact the Cisco TAC.

324006

Error Message    %PIX|ASA-3-324006:GSN IP_address tunnel limit tunnel_limit exceeded, PDP 
Context TID tid failed

Explanation    The GSN sending the request has exceeded the maximum allowed tunnels created, so no tunnel will be created.

Recommended Action    Check to see whether the tunnel limit should be increased or if there is a possible attack on the network.

324007

Error Message    %PIX|ASA-3-324007: Unable to create GTP connection for response from 
source_address/0 to dest_address/dest_port

Explanation    An error occurred while trying to create the tunnel for the TPDUs for a different SGSN or GGSN.

Recommended Action    Check debugs and messages to see why the connection was not created properly. If the problem persists, contact the Cisco TAC.

324300

Error Message    %PIX|ASA-3-324300: Radius Accounting Request from from_addr has an 
incorrect request authenticator

Explanation    When a shared secret is configured for a host, the request-authenticator is verified with that secret. If it fails, it is logged and packet processing stops.

from_addr—The IP address of the host sending the RADIUS accounting request.

Recommended Action    Check to see that the correct shared secret was configured. If it is, double-check the source of the packet to make sure it is not spoofed.

324301

Error Message    %PIX|ASA-3-324301: Radius Accounting Request has a bad header length 
hdr_len, packet length pkt_len

Explanation    The accounting request message has a header length that is not the same as the actual packet length, so packet processing stops.

hdr_len— The length indicated in the request header.

pkt_len—The actual packet length.

Recommended Action    Make sure the packet is not spoofed. If the packet is legitimate, then capture the packet and make sure the header length is incorrect as indicated by the syslog message. If the header length is correct, of the problem persists, contact the Cisco TAC.

325001

Error Message    %PIX|ASA-3-325001: Router ipv6_address on interface has conflicting ND 
(Neighbor Discovery) settings

Explanation    Another router on the link sent router advertisements with conflicting parameters. ipv6_address is the IPv6 address of the other router. interface is the interface name of the link with the other router.

Recommended Action    Verify that all IPv6 routers on the link have the same parameters in the router advertisement for hop_limit, managed_config_flag, other_config_flag, reachable_time and ns_interval, and that preferred and valid lifetimes for the same prefix, advertised by several routers are the same. To list the parameters per interface enter the command show ipv6 interface.

325002

Error Message    %PIX|ASA-4-325002: Duplicate address ipv6_address/MAC_address on 
interface

Explanation    Another system is using your IPv6 address. ipv6_address is the IPv6 address of the other router. MAC_address is the MAC address of the other system if known, otherwise "unknown." interface is the interface name of the link with the other system.

Recommended Action    Change the IPv6 address of one of the two systems.

325003

Error Message    %PIX-3-325003: EUI-64 source address check failed. Dropped packet from 
interface_in:source_address/source_port to dest_address/dest_port with source MAC 
address MAC_address.

Explanation    The ipv6 enforce-eui64 command is configured for the input interface of this packet, but the source address of the packet is not a correct EUI-64 address derived from the source MAC address.

Recommended Action    None required.

326001

Error Message    %PIX|ASA-3-326001: Unexpected error in the timer library: error_message

Explanation    A managed timer event was received without a context or a proper type or no handler exists. This message will also be displayed if the number of events queued exceed a system limit and will be attempted to be processed at a later time.

Recommended Action    If the problem persists, contact the Cisco TAC.

326002

Error Message    %PIX|ASA-3-326002: Error in error_message: error_message

Explanation    The IGMP process failed to shut down upon request. Events that are performed in preparation for this shut down may be out of synchronization.

Recommended Action    If the problem persists, contact the Cisco TAC.

326004

Error Message    %PIX|ASA-3-326004: An internal error occurred while processing a 
packet queue

Explanation    The IGMP packet queue received a signal without a packet.

Recommended Action    If the problem persists, contact the Cisco TAC.

326005

Error Message    %PIX|ASA-3-326005: Mrib notification failed for (IP_address, IP_address)

Explanation    A packet triggering a data-driven event was received, and the attempt to notify the MRIB failed.

Recommended Action    If the problem persists, contact the Cisco TAC.

326006

Error Message    %PIX|ASA-3-326006: Entry-creation failed for (IP_address, IP_address)

Explanation    The MFIB received an entry update from the MRIB, but failed to create the entry related to the addresses displayed, which can cause insufficient memory.

Recommended Action    If the problem persists, contact the Cisco TAC.

326007

Error Message    %PIX|ASA-3-326007: Entry-update failed for (IP_address, IP_address)

Explanation    The MFIB received an interface update from the MRIB, but failed to create the interface related to the addresses displayed. The likely result is insufficient memory.

Recommended Action    If the problem persists, contact the Cisco TAC.

326008

Error Message    %PIX|ASA-3-326008: MRIB registration failed

Explanation    The MFIB failed to register with the MRIB.

Recommended Action    If the problem persists, contact the Cisco TAC.

326009

Error Message    %PIX|ASA-3-326009: MRIB connection-open failed

Explanation    The MFIB failed to open a connection to the MRIB.

Recommended Action    If the problem persists, contact the Cisco TAC.

326010

Error Message    %PIX|ASA-3-326010: MRIB unbind failed

Explanation    The MFIB failed to unbind from the MRIB.

Recommended Action    If the problem persists, contact the Cisco TAC.

326011

Error Message    %PIX|ASA-3-326011: MRIB table deletion failed

Explanation    The MFIB failed to retrieve the table that was supposed to be deleted.

Recommended Action    If the problem persists, contact the Cisco TAC.

326012

Error Message    %PIX|ASA-3-326012: Initialization of string functionality failed

Explanation    The initialization of a functionality failed. This component might still operate without the functionality.

Recommended Action    If the problem persists, contact the Cisco TAC.

326013

Error Message    %PIX|ASA-3-326013: Internal error: string in string line %d (%s)

Explanation    A fundamental error occurred in the MRIB.

Recommended Action    If the problem persists, contact the Cisco TAC.

326014

Error Message    %PIX|ASA-3-326014: Initialization failed: error_message error_message

Explanation    The MRIB failed to initialize.

Recommended Action    If the problem persists, contact the Cisco TAC.

326015

Error Message    %PIX|ASA-3-326015: Communication error: error_message error_message

Explanation    The MRIB received a malformed update.

Recommended Action    If the problem persists, contact the Cisco TAC.

326016

Error Message    %PIX|ASA-3-326016: Failed to set un-numbered interface for 
interface_name (string)

Explanation    The PIM tunnel is not usable without a source address. This situation occurs because a numbered interface could not be found, or because of some internal error.

Recommended Action    If the problem persists, contact the Cisco TAC.

326017

Error Message    %PIX|ASA-3-326017: Interface Manager error - string in string: string

Explanation    An error occurred while creating a PIM tunnel interface.

Recommended Action    If the problem persists, contact the Cisco TAC.

326019

Error Message    %PIX|ASA-3-326019: string in string: string

Explanation    An error occurred while creating a PIM RP tunnel interface.

Recommended Action    If the problem persists, contact the Cisco TAC.

326020

Error Message    %PIX|ASA-3-326020: List error in string: string 

Explanation    An error occurred while processing a PIM interface list.

Recommended Action    If the problem persists, contact the Cisco TAC.

326021

Error Message    %PIX|ASA-3-326021: Error in string: string

Explanation    An error occurred while setting the SRC of a PIM tunnel interface.

Recommended Action    If the problem persists, contact the Cisco TAC.

326022

Error Message    %PIX|ASA-3-326022: Error in string: string

Explanation    The PIM process failed to shut down upon request. Events that are performed in preparation for this shut down may be out of sync.

Recommended Action    If the problem persists, contact the Cisco TAC.

326023

Error Message    %PIX|ASA-3-326023: string - IP_address: string

Explanation    An error occurred while processing a PIM group range.

Recommended Action    If the problem persists, contact the Cisco TAC.

326024

Error Message    %PIX|ASA-3-326024: An internal error occurred while processing a 
packet queue. 

Explanation    The PIM packet queue received a signal without a packet.

Recommended Action    If the problem persists, contact the Cisco TAC.

326025

Error Message    %PIX|ASA-3-326025: string

Explanation    An internal error occurred while trying to send a message. Events scheduled to happen on receipt of the message such as deletion of the PIM tunnel IDB may not take place.

Recommended Action    If the problem persists, contact the Cisco TAC.

326026

Error Message    %PIX|ASA-3-326026: Server unexpected error: error_messsage

Explanation    The MRIB failed to register a client.

Recommended Action    If the problem persists, contact the Cisco TAC.

326027

Error Message    %PIX|ASA-3-326027: Corrupted update: error_messsage

Explanation    The MRIB received a corrupt update.

Recommended Action    If the problem persists, contact the Cisco TAC.

326028

Error Message    %PIX|ASA-3-326028: Asynchronous error: error_messsage

Explanation    An unhandled asynchronous error occurred in the MRIB API.

Recommended Action    If the problem persists, contact the Cisco TAC.

327001

Error Message    %PIX|ASA-3-327001: IP SLA Monitor: Cannot create a new process

Explanation    IP SLA Monitor was unable to start a new process.

Recommended Action    Check the system memory. If memory is low, then this is the likely cause. Try to reenter the commands when memory is available. If the problem persists, contact the Cisco TAC.

327002

Error Message    %PIX|ASA-3-327002: IP SLA Monitor: Failed to initialize, IP SLA Monitor 
functionality will not work

Explanation    IP SLA monitor failed to initialize. This condition is caused by either the timer wheel timer functionality failed to initialize or a process could not be created. A likely cause of this condition is that sufficient memory is not available to complete the task.

Recommended Action    Check the system memory. If memory is low, then this is the likely cause. Try to reenter the commands when memory is available. If the problem persists, contact the Cisco TAC.

327003

Error Message    %PIX|ASA-3-327003: IP SLA Monitor: Generic Timer wheel timer 
functionality failed to initialize

Explanation    IP SLA monitor could not initialize the timer wheel.

Recommended Action    Check the system memory. If memory is low, then the timer wheel functionality did not initialize. Try to reenter the commands when memory is available. If the problem persists, contact the Cisco TAC

328001

Error Message    %PIX|ASA-3-328001: Attempt made to overwrite a set stub function in 
string.

Explanation    A single function can be set as a callback for when a stub w/ check registry is invoked. This message indicates that an attempt to set a new callback failed because a callback function has already been set.

string—The name of the function.

Recommended Action    If the problem persists, contact the Cisco TAC.

329001

Error Message    %PIX|ASA-3-329001: The string0 subblock named string1 was not removed

Explanation    A software error has occurred. This message displays when IDB subblocks cannot be removed.

string0—SWIDB or HWIDB.

string1—The name of the subblock.

Recommended Action    If the problem persists, contact the Cisco TAC.

331001

Error Message    ASA|PIX-3-331001: Dynamic DNS Update for 'fqdn_name' <=> ip_address 
failed

Explanation    This message is generated when the dynamic DNS subsystem fails to update the resource records on the DNS server. This failure might occur if the security appliance is unable to contact the DNS server or DNS service is not running on the destination system.

fqdn_name—The fully qualified domain name for which the DNS update was attempted.

ip_address—The IP address of the DNS update.

Recommended Action    Make sure a DNS server is configured and reachable by the security appliance. If the problem persists, contact the Cisco TAC.

331002

Error Message    ASA|PIX-5-331002: Dynamic DNS type RR for ('fqdn_name' -> ip_address 
| ip_address -> 'fqdn_name') successfully updated in DNS server dns_server_ip

Explanation    This message is generated when a Dynamic DNS update succeeds in the DNS server.

type—The type of resource record, could be "A" or "PTR".

fqdn_name—The fully qualified domain name for which the DNS update was attempted.

ip_address—The IP address of the DNS update.

dns_server_ip—The IP address of the DNS server.

332001

Error Message    %ASA|PIX-3-332001: Unable to open cache discovery socket, WCCP V2 
closing down.

Explanation    An internal error that indicates the WCCP process was unable to open the UDP socket used to listen for protocol messages from caches.

Recommended Action    Ensure that the IP configuration is correct and that at least one IP address is configured.

332002

Error Message    %ASA|PIX-3-332002: Unable to allocate message buffer, WCCP V2 closing 
down. 

Explanation    An internal error that indicates the WCCP process was unable to allocate memory to hold incoming protocol messages.

Recommended Action    Ensure that there is enough memory available for all processes.

332003

Error Message    %ASA|PIX-5-332003: Web Cache IP_address/service_ID acquired 

Explanation    A service from the web cache of the security appliance was acquired.

IP_address—The IP address of the web cache.

service_ID—The WCCP service identifier.

Recommended Action    None required.

332004

Error Message    %ASA|PIX-1-332004: Web Cache IP_address/service_ID lost 

Explanation    A service from the web cache of the security appliance was lost.

IP_address—The IP address of the web cache.

service_ID—The WCCP service identifier.

Recommended Action    Verify operation of specified web cache.

333001

Error Message    %PIX|ASA-6-333001: EAP association initiated - context:EAP-context

Explanation    An EAP association has been initiated with a remote host.

EAP-context—A unique identifier for the EAP session, displayed as an eight-digit hexadecimal number (for example, 0x2D890AE0).

Recommended Action    None required.

333002

Error Message    %PIX|ASA-5-333002: Timeout waiting for EAP response - 
context:EAP-context

Explanation    A timeout occurred while waiting for an EAP response.

EAP-context—A unique identifier for the EAP session displayed as an eight-digit hexadecimal number (for example, 0x2D890AE0).

Recommended Action    None required.

333003

Error Message    %PIX|ASA-6-333003: EAP association terminated - context:EAP-context

Explanation    The EAP association has been terminated with the remote host.

EAP-context—A unique identifier for the EAP session displayed as an eight-digit hexadecimal number (for example, 0x2D890AE0).

Recommended Action    None required.

333004

Error Message    %PIX|ASA-7-333004: EAP-SQ response invalid - context:EAP-context

Explanation    The EAP-Status Query response failed basic packet validation.

EAP-context—A unique identifier for the EAP session displayed as an eight-digit hexadecimal number (for example, 0x2D890AE0).

Recommended Action    If the problem persists, contact the Cisco TAC.

333005

Error Message    %PIX|ASA-7-333005: EAP-SQ response contains invalid TLV(s) - 
context:EAP-context

Explanation    The EAP-Status Query response has one or more invalid TLVs.

EAP-context—A unique identifier for the EAP session displayed as an eight-digit hexadecimal number (for example, 0x2D890AE0).

Recommended Action    If the problem persists, contact the Cisco TAC.

333006

Error Message    %PIX|ASA-7-333006: EAP-SQ response with missing TLV(s) - 
context:EAP-context

Explanation    The EAP-Status Query response is missing one or more mandatory TLVs.

EAP-context—A unique identifier for the EAP session displayed as an eight-digit hexadecimal number (for example, 0x2D890AE0).

Recommended Action    If the problem persists, contact the Cisco TAC.

333007

Error Message    %PIX|ASA-7-333007: EAP-SQ response TLV has invalid length - 
context:EAP-context

Explanation    The EAP-Status Query response contains a TLV with an invalid length.

EAP-context—A unique identifier for the EAP session displayed as an eight-digit hexadecimal number (for example, 0x2D890AE0).

Recommended Action    If the problem persists, contact the Cisco TAC.

333008

Error Message    %PIX|ASA-7-333008: EAP-SQ response has invalid nonce TLV - 
context:EAP-context

Explanation    The EAP-Status Query response contains an invalid nonce TLV.

EAP-context—A unique identifier for the EAP session displayed as an eight-digit hexadecimal number (for example, 0x2D890AE0).

Recommended Action    If the problem persists, contact the Cisco TAC.

333009

Error Message    %PIX|ASA-6-333009: EAP-SQ response MAC TLV is invalid - 
context:EAP-context

Explanation    The EAP-Status Query response contains a MAC which does not match the calculated MAC.

EAP-context—A unique identifier for the EAP session displayed as an eight-digit hexadecimal number (for example, 0x2D890AE0).

Recommended Action    If the problem persists, contact the Cisco TAC.

333010

Error Message    %PIX|ASA-5-333010: EAP-SQ response Validation Flags TLV indicates PV 
request - context:EAP-context

Explanation    The EAP-Status Query response contains a Validation Flags TLV which indicates that the peer requested a full posture validation.

Recommended Action    None required.

334001

Error Message    %PIX|ASA-6-334001: EAPoUDP association initiated - <host-address> 

Explanation    An EAPoUDP association has been initiated with a remote host.

host-address—The IP address of the host, in dotted decimal format (for example, 10.86.7.101).

Recommended Action    None required.

334002

Error Message    %PIX|ASA-5-334002: EAPoUDP association successfully established - 
host-address

Explanation    An EAPoUDP association has been successfully established with the host.

host-address—The IP address of the host, in dotted decimal format (for example, 10.86.7.101).

Recommended Action    None required.

334003

Error Message    %PIX|ASA-5-334003: EAPoUDP association failed to establish - host-address

Explanation    An EAPoUDP association has failed to establish with the host.

host-address—The IP address of the host, in dotted decimal format (for example, 10.86.7.101).

Recommended Action    Verify configuration of Cisco Secure Access Control Server.

334004

Error Message    %PIX|ASA-6-334004: Authentication request for NAC Clientless host - host-address

Explanation    An authentication request was made for a NAC Clientless host.

host-address—The IP address of the host, in dotted decimal format (for example, 10.86.7.101)

Recommended Action    None required.

334005

Error Message    %PIX|ASA-5-334005: Host put into NAC Hold state - host-address

Explanation    The NAC session for the host was put into the Hold state.

host-address—The IP address of the host, in dotted decimal format (for example, 10.86.7.101)

Recommended Action    None required.

334006

Error Message    %PIX|ASA-5-334006: EAPoUDP failed to get a response from host - 
host-address

Explanation    An EAPoUDP response was not received from the host.

host-address—The IP address of the host, in dotted decimal format (for example, 10.86.7.101)

Recommended Action    None required.

334007

Error Message    %PIX|ASA-6-334007: EAPoUDP association terminated - host-address

Explanation    An EAPoUDP association has terminated with the host.

host-address—The IP address of the host, in dotted decimal format (for example, 10.86.7.101)

Recommended Action    None required.

334008

Error Message    %PIX|ASA-6-334008: NAC EAP association initiated - host-address, EAP 
context:EAP-context

Explanation    EAPoUDP has initiated EAP with the host.

host-address—The IP address of the host, in dotted decimal format (for example, 10.86.7.101).

EAP-context—A unique identifier for the EAP session displayed as an eight-digit hexadecimal number (for example, 0x2D890AE0).

Recommended Action    None required.

334009

Error Message    %PIX|ASA-6-334009: Audit request for NAC Clientless host - Assigned_IP.

Explanation    This is an informational message indicating that an audit request is being sent for the specified assigned IP address.

Assigned_IP—The IP address assigned to the client

Recommended Action    None required.

335001

Error Message    %PIX|ASA-6-335001: NAC session initialized - host-address

Explanation    A NAC session has started for a remote host.

host-address—The IP address of the host, in dotted decimal format (for example, 10.86.7.101)

Recommended Action    None required.

335002

Error Message    %PIX|ASA-5-335002: Host is on the NAC Exception List - host-address, OS:oper-sys

Explanation    The client is on the NAC Exception List is is therefore not subject toPosture Validation.

host-address—The IP address of the host, in dotted decimal format (for example, 10.86.7.101)

oper-sys—The operating system (e.g., Windows XP) of the host

Recommended Action    None required.

335003

Error Message    %PIX|ASA-5-335003: NAC Default ACL applied, ACL:ACL-name - 
host-address

Explanation    The NAC Default ACL has been applied for the client.

ACL-name—The name of the ACL being applied.

host-address—The IP address of the host, in dotted decimal format (for example, 10.86.7.101).

Recommended Action    None required.

335004

Error Message    %PIX|ASA-6-335004: NAC is disabled for host - host-address

Explanation    NAC is disabled for the remote host.

host-address—The IP address of the host, in dotted decimal format (for example, 10.86.7.101)

Recommended Action    None required.

335004

Error Message    %PIX|ASA-6-335004: NAC is disabled for host - host-address

Explanation    NAC is disabled for the remote host.

host-address—The IP address of the host, in dotted decimal format (for example, 10.86.7.101)

Recommended Action    None required.

335005

Error Message    %PIX|ASA-4-335005: NAC Downloaded ACL parse failure - host-address

Explanation    Parsing of downloaded ACL failed.

host-address—The IP address of the host, in dotted decimal format (for example, 10.86.7.101)

Recommended Action    Verify configuration of Cisco Secure Access Control Server.

335006

Error Message    %PIX|ASA-6-335006: NAC Applying ACL:ACL-name - host-address

Explanation    Name of the ACL being applied as a result of NAC Posture Validation.

ACL-name—The name of the ACL being applied.

host-address—The IP address of the host, in dotted decimal format (for example, 10.86.7.101).

Recommended Action    None required.

335007

Error Message    %PIX|ASA-7-335007: NAC Default ACL not configured - host-address

Explanation    NAC Default ACL has not been configured.

host-address—The IP address of the host, in dotted decimal format (for example, 10.86.7.101).

Recommended Action    None required.

335008

Error Message    %PIX|ASA-5-335008: NAC IPSec terminate from dynamic ACL:ACL-name - 
host-address

Explanation    A dynamic ACL obtained as a result of PV warrants IPSec termination.

ACL-name—The name of the ACL being applied.

host-address—The IP address of the host, in dotted decimal format (for example, 10.86.7.101).

Recommended Action    None required.

335009

Error Message    %PIX|ASA-6-335009: NAC 'Revalidate' request by administrative action - 
host-address

Explanation    NAC "Revalidate" was requested by the administrator.

host-address—The IP address of the host, in dotted decimal format (for example, 10.86.7.101).

Recommended Action    None required.

335010

Error Message    %PIX|ASA-6-335010: NAC 'Revalidate All' request by administrative 
action - num sessions

Explanation    NAC "Revalidate All" was requested by the administrator.

num—A decimal integer that indicates the number of sessions to be revalidated.

Recommended Action    None required.

335011

Error Message    %PIX|ASA-6-335011: NAC 'Revalidate Group' request by administrative 
action for group-name group - num sessions

Explanation    NAC "Revalidate Group" was requested by the administrator.

group-name—The VPN group name.

num—A decimal integer that indicates the number of sessions to be revalidated.

Recommended Action    None required.

335012

Error Message    %PIX|ASA-6-335012: NAC 'Initialize' request by administrative action 
- host-address

Explanation    NAC "Initialize" was requested by the administrator.

host-address—The IP address of the host, in dotted decimal format (for example, 10.86.7.101).

Recommended Action    None required.

335013

Error Message    %PIX|ASA-6-335013: NAC 'Initialize All' request by administrative action - num 
sessions

Explanation    NAC "Initialize All" was requested by the administrator.

num—A decimal integer that indicates the number of sessions to be revalidated.

Recommended Action    None required.

335014

Error Message    %PIX|ASA-6-335014: NAC 'Initialize Group' request by administrative 
action for group-name group - num sessions

Explanation    NAC 'Initialize Group' was requested by the administrator.

group-name—The VPN group name

num—A decimal integer that indicates the number of sessions to be revalidated

Recommended Action    None required.

336001

Error Message    %ASA-3-336001 Route desination_network stuck-in-active state in 
EIGRP-ddb_name as_num. Cleaning up

Explanation    The stuck in active (SIA) state means that an EIGRP router has not received a reply to a query from one or more neighbors within the time allotted (approximately 3 minutes). When this happens, EIGRP clears the neighbors that did not send a reply and logs an error message for the route that went active.

desination_network—the route that went active

ddb_name—IPv4

as_num—the EIGRP router

Recommended Action    Check to see why the router did not get a response from all of its neighbors and why the route disappeared.

336002

Error Message    %ASA-3-336002: Handle handle_id is not allocated in pool.

Explanation    Handle not allocated. The EIGRP router is unable to find the handle for the next hop.

handle_id—The identity of the missing handle

Recommended Action    If the problem persists, contact the Cisco TAC.

336003

Error Message    %ASA-3-336003: No buffers available for bytes byte packet

Explanation    No Buffer. The Diffusing Update Algorithm (DUAL) software was unable to allocate a packet buffer. The system may be out of memory.

bytes—number of bytes in the packet

Recommended Action    Check to see if the system is out of memory by doing a `show mem' or `show tech'. If the problem persists, contact the Cisco TAC.

336004

Error Message    %ASA-3-336004: Negative refcount in pakdesc pakdesc.

Explanation    Negative refcount. The reference count packet count that went negative.

pakdesc—packet identifier

Recommended Action    If the problem persists, contact the Cisco TAC.

336005

Error Message    %ASA-3-336005: Flow control error, error, on interface_name.

Explanation    This log is issued when the interface is flow-blocked for multicast. Qelm is the 'queue element', in this case, the last multicast packet on the queue for this particular interface.

error—error statement "Qelm on flow ready"

interface_name—Name of the interface on which the error occurred

Recommended Action    If the problem persists, contact the Cisco TAC.

336006

Error Message    %ASA-3-336006: num peers exist on IIDB interface_name.

Explanation    Peers still exist on a particular interface during or after clean up of the IDB of the EIGRP.

num—The number of peers

interface_name—The interface name

Recommended Action    If the problem persists, contact the Cisco TAC.

336007

Error Message    %ASA-3-336007: Anchor count negative

Explanation    Negative Anchor Count. An error occurred and the count of the anchor became negative when it was released.

Recommended Action    If the problem persists, contact the Cisco TAC.

336008

Error Message    %ASA-3-336008: Lingering DRDB deleting IIDB, dest network, nexthop 
address (interface), origin origin_str

Explanation    Lingering DRDB. An interface is being deleted and some lingering DRDB exists.

network—The destination network

address—The nexthop address

interface—The nexthop interface

origin_str—String defining the origin

Recommended Action    If the problem persists, contact the Cisco TAC.

336009

Error Message    %ASA-3-336009 ddb_name as_id: Internal Error

Explanation    An internal error occurred.

ddb_name—Protocol Dependent Module (PDM) name, for example, IPv4 PDM

as_id—autonomous system ID

Recommended Action    If the problem persists, contact the Cisco TAC.

336010

Error Message    %ASA-5-336010 EIGRP-<ddb_name> tableid as_id: Neighbor address 
(%interface) is event_msg: msg

Explanation    Neighbor Change. A neighbor went up or down.

ddb_name—IPv4

tableid— Internal ID for the RIB

as_id—Autonomous system ID

address—IP address of the neighbor

interface—Name of the interface

event_msg— Event that is occurring for the neighbor (that is, "up" or "down")

msg—Reason for the event. Possible event_msg and msg value pairs include:

resync: peer graceful-restart

down: holding timer expired

up: new adjacency

down: Auth failure

down: Stuck in Active

down: Interface PEER-TERMINATION received

down: K-value mismatch

down: Peer Termination received

down: stuck in INIT state

down: peer info changed

down: summary configured

down: Max hopcount changed

down: metric changed

down: [No reason]

Recommended Action    Check to see why the link on the neighbor is going down or is flapping. This may be a sign of a problem, or a problem may occur because of this.

336011

Error Message    %ASA-6-336011: event event

Explanation    A dual event occurred. The events can be one of the following:

Redist rt change

SIA Query while Active

Recommended Action    If the problem persists, contact the Cisco TAC.

337001

Error Message    %ASA-3-337001: Phone Proxy SRTP: Encryption failed on packet from 
in_ifc:src_ip/src_port to out_ifc:dest_ip/dest_port

Explanation    This message occurs when the crypto hardware was unable to do SRTP encryption.

in_ifc—The input interface

src_ip—The source IP address of the packet

src_port—The source port of the packet output interface

dest_ip—The destination IP address of the packet

dest_port—The destination port of the packet

Recommended Action    If this message persists, call Cisco TAC to debug the crypto hardware to see why SRTP encryption is failing.

337002

Error Message    %ASA-3-337002: Phone Proxy SRTP: Decryption failed on packet from 
in_ifc:src_ip/src_port to out_ifc:dest_ip/dest_port

Explanation    This message occurs when the crypto hardware was unable to do SRTP decryption.

in_ifc—The input interface

src_ip—The source IP address of the packet

src_port—The source port of the packet output interface

dest_ip—The destination IP address of the packet

dest_port—The destination port of the packet

Recommended Action    If this message persists, call Cisco TAC to debug the crypto hardware to see why SRTP decryption is failing.

337003

Error Message    %ASA-3-337003: Phone Proxy SRTP: Authentication tag generation failed 
on packet from in_ifc:src_ip/src_port to out_ifc:dest_ip/dest_port

Explanation    This message occurs when the authentication tag generation fails in the crypto hardware.

in_ifc—The input interface

src_ip—The source IP address of the packet

src_port—The source port of the packet output interface

dest_ip—The destination IP address of the packet

dest_port—The destination port of the packet

Recommended Action    If this message persists, call Cisco TAC to debug the crypto hardware to see why SRTP generation of the authentication tag is failing.

337004

Error Message    %ASA-3-337004: Phone Proxy SRTP: Authentication tag validation failed 
on packet from in_ifc:src_ip/src_port to out_ifc:dest_ip/dest_port

Explanation    This message occurs when the computed authentication tag is not the same as the authentication tag in the packet.

in_ifc—The input interface

src_ip—The source IP address of the packet

src_port—The source port of the packet output interface

dest_ip—The destination IP address of the packet

dest_port—The destination port of the packet

Recommended Action    Check to see whether an attack is underway.

337005

Error Message    %ASA-3-337005: Phone Proxy SRTP: Media session not found for 
media_term_ip/media_term_port for packet from in_ifc:src_ip/src_port to 
out_ifc:dest_ip/dest_port

Explanation    This message occurs when the security appliance gets an SRTP/RTP packet destined to the media termination IP address and port but the corresponding media session to process this packet is not found.

in_ifc—The input interface

src_ip—The source IP address of the packet

src_port—The source port of the packet

out_ifc—The output interface

dest_ip—The destination IP address of the packet

dest_port—The destination port of the packet

Recommended Action    If this syslog occurs at the end of the call, it is considered normal because the signaling messages could have released the media session but the end-point is continuing to send a few SRTP/RTP packets. If this syslog occurs for a odd numbered media termination port, the endpoint is sending RTCP and that has to be disabled from the CUCM. If this syslog happens continuously for a call, debug the signaling message transaction either using phone proxy debug commands or capture commands to see if the signaling messages are being modified with the media termination IP address and port.

337006

Error Message    %ASA-3-337006: Phone Proxy SRTP: Failed to sign file filename requested 
by UDP client cifc:caddr/cport for sifc:saddr/sport

Explanation    This message occurs when the crypto hardware was unable to perform encryption and create a signature for a file.

filename—The name of the file

sifc—The server interface

saddr—The server IP address

sport—The server port

cifc—The client interface

caddr—The client IP address

cport—The client port

Recommended Action    If this message persists, check associated syslog messages for other errors related to the crypto hardware engine.

337007

Error Message    %ASA-3-337007: Phone Proxy SRTP: Failed to find configuration file 
filename for UDP client cifc:caddr/cport by server sifc:saddr/sport

Explanation    This message occurs when the CUCM returns the "File Not Found" error when a phone requests its configuration file.

filename—The name of the file

sifc—The server interface

saddr—The server IP address

sport—The server port

cifc—The client interface

caddr—The client IP address

cport—The client port

Recommended Action    Check to make sure that this phone has been configured on the CUCM.

337008

Error Message    %ASA-3-337008: Phone Proxy: Unable to allocate media port from 
media-termination address phone_proxy_ifc:media_term_IP for 
client_ifc:client_IP/client_port; call failed.

Explanation    This syslog is generated when we could not find a port to allocate for media when creating a new media session. This could be because of the fact that the user has not provided a big enough range of ports for phone proxy use, declared in the media-termination address command, or the fact that all the available ports are already used up.

media-termination address—The media termination address

phone_proxy_ifc—The media termination interface name (identity)

media_term_ip—The media termination IP address

client_ifc—The client interface name

client_ip—The client IP address

client_port—The client port

Recommended Action    Check the phone-proxy configuration to see the range of media ports specified and allocate a larger range of media ports if the range was too small and if their security policy allows it. The default port range is 16384 - 32767.

337009

Error Message    %ASA-3-337009: Unable to create secure phone entry, interface:IPaddr 
is already configured for the same MAC mac_addr.

Explanation    This syslog is generated when the user tries to register the same secure phone with a different IP. Since we already made an entry for the MAC address with the old IP, the user cannot have multiple entries with the same MAC address with different IP's.

interface—The interface name from which the previous entry is registered

ipaddr—The IP address of the existing secure phone entry

mac_addr—The MAC address of the phone

Recommended Action    Check the output of the show phone-proxy secure-phones command. Run the clear command to clear the entry which is causing the issue. Next, register the phone with the new IP.

338001

Error Message    %ASA-4-338001: Dynamic filter monitored black listed protocol traffic 
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to 
out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious 
address resolved from local or dynamic list: domain name, threat-level: 
level_value, category: category_name

Explanation    This syslog message is generated when traffic from a blacklisted domain in the dynamic filter database appears. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, spyware, and so on).

Recommended Action    Access to a malicious site has been logged. Use the internal IP address to trace the infected machine, or enter the dynamic-filter drop blacklist command to automatically drop such traffic.

338002

Error Message    %ASA-4-338002: Dynamic filter monitored black listed protocol traffic 
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to 
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination 
malicious address resolved from local or dynamic list: domain name, threat-level: 
level_value, category: category_name

Explanation    This syslog message is generated when traffic to a blacklisted domain name in the dynamic filter database appears. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, spyware, and so on).

Recommended Action    Access to a malicious site has been logged. Use the internal IP address to trace the infected machine, or enter the dynamic-filter drop blacklist command to automatically drop such traffic.

338003

Error Message    %ASA-4-338003: Dynamic filter monitored black listed protocol traffic 
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to 
out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious 
address resolved from local or dynamic list: ip address/netmask, threat-level: 
level_value, category: category_name

Explanation    This syslog message is generated when traffic from a blacklisted IP address in the dynamic filter database appears. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, spyware, and so on).

Recommended Action    Access to a malicious site has been logged. Use the internal IP address to trace the infected machine, or enter the dynamic-filter drop blacklist command to automatically drop such traffic.

338004

Error Message    %ASA-4-338004: Dynamic filter monitored black listed protocol traffic 
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to 
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination 
malicious address resolved from local or dynamic list: ip address/netmask, 
threat-level: level_value, category: category_name

Explanation    This syslog message is generated when traffic to a blacklisted IP address in the dynamic filter database appears. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, spyware, and so on).

Recommended Action    Access to a malicious site has been logged. Use the internal IP address to trace the infected machine, or enter the dynamic-filter drop blacklist command to automatically drop such traffic.

338005

Error Message    %ASA-4-338005: Dynamic filter dropped black listed protocol traffic 
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to 
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), source malicious 
address resolved from local or dynamic list: domain name, threat-level: 
level_value, category: category_name

Explanation    This message is generated when traffic from a black-listed domain name in the dynamic filter database is denied. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, spyware, and so on).

Recommended Action    None required.

338006

Error Message    %ASA-4-338006: Dynamic filter dropped black listed protocol traffic 
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to 
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination 
malicious address resolved from local or dynamic list: domain name, threat-level: 
level_value, category: category_name

Explanation    This message is generated when traffic from a black-listed domain name in the dynamic filter database is denied. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, spyware, and so on).

Recommended Action    None required.

338007

Error Message    %ASA-4-338007: Dynamic filter dropped black listed protocol traffic 
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to 
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), source malicious 
address resolved from local or dynamic list: ip address/netmask, threat-level: 
level_value, category: category_name

Explanation    This message is generated when traffic from a black-listed IP address in the dynamic filter database is denied. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, spyware, and so on).

Recommended Action    None required.

338008

Error Message    %ASA-4-338008: Dynamic filter dropped black listed protocol traffic 
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to 
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination 
malicious address resolved from local or dynamic list: ip address/netmask, 
threat-level: level_value, category: category_name

Explanation    This message is generated when traffic from a black-listed IP address in the dynamic filter database is denied. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, spyware, and so on).

Recommended Action    None required.

338201

Error Message    %ASA-4-338201: Dynamic filter monitored grey listed protocol traffic 
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to 
out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious 
address resolved from local or dynamic list: domain name, threat-level: 
level_value, category: category_name

Explanation    This syslog message is generated when traffic to a greylisted domain in the dynamic filter database appears. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, spyware, and so on).

Recommended Action    Access to a malicious site has been logged. Use the internal IP address to trace the infected machine, or enter the dynamic-filter drop blacklist command and the dynamic-filter ambiguous-is-black command to automatically drop such traffic.

338202

Error Message    %ASA-4-338202: Dynamic filter monitored grey listed protocol traffic 
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to 
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination 
malicious address resolved from local or dynamic list: domain name, threat-level: 
level_value, category: category_name

Explanation    This syslog message is generated when traffic from a greylisted domain name in the dynamic filter database appears. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, spyware, and so on).

Recommended Action    Access to a malicious site has been logged. Use the internal IP address to trace the infected machine, or enter the dynamic-filter drop blacklist command and the dynamic-filter ambiguous-is-black command to automatically drop such traffic.

338203

Error Message    %ASA-4-338203: Dynamic filter dropped grey listed protocol traffic 
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to 
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), source malicious 
address resolved from local or dynamic list: domain name, threat-level: 
level_value, category: category_name

Explanation    This syslog message is generated when traffic from a greylisted domain name in the dynamic filter database is denied; however, the malicious IP address is also resolved to domain names that are unknown to the dynamic filter database. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, spyware, and so on).

Recommended Action    Access to a malicious site was dropped. If you do not want to automatically drop grey-listed traffic whose IP address matches both blacklisted domain names and unknown domain names, disable the dynamic-filter ambiguous-is-black command.

338204

Error Message    %ASA-4-338204: Dynamic filter dropped grey listed protocol traffic 
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to 
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination 
malicious address resolved from local or dynamic list: domain name, threat-level: 
level_value, category: category_name

Explanation    This syslog message is generated when traffic from a greylisted domain name in the dynamic filter database is denied; however, the malicious IP address is also resolved to domain names that are unknown to the dynamic filter database. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, spyware, and so on).

Recommended Action    Access to a malicious site was dropped. If you do not want to automatically drop grey-listed traffic whose IP address matches both blacklisted domain names and unknown domain names, disable the dynamic-filter ambiguous-is-black command.

339001

Error Message    %ASA-3-339001: UC-IME-SIG: Ticket not found in SIP %s from %s:%A/%d to 
%s:%A/%d, packet dropped 

Explanation    For UC-IME SIP signaling, all dialog-forming SIP messages received from the outside must contain the UC-IME ticket header. If this header is missing from the message, the message will be dropped during SIP inspection. This header is only required when an existing SIP session (as determined by current SIP inspection rules) cannot be found for the message being inspected.

%s—SIP message name (INVITE, REFER, and so on)

%s—Source interface name (inside or outside)

%A—Source IP address

%d—Source port

%s—Destination interface name (inside or outside)

%A—Destination IP address

%d—Destination port

Recommended Action    Check to see if UC-IME calls are being spoofed.

339002

Error Message    %ASA-3-339002: UC-IME-SIG: Invalid ticket in SIP %s from %s:%A/%d to 
%s:%A/%d, packet dropped, %s

Explanation    When UC-IME ticket inspection and validation are performed, several data checks for timestamp validity and epoch matching, among others, are performed. If any of these checks fail, the SIP message or packet will be dropped.

%s—SIP message name (INVITE, REFER, and so on)

%s—Source interface name (inside or outside)

%A—Source IP address

%d—Source port

%s—Destination interface name (inside or outside)

%A—Destination IP address

%d—Destination port

%s—Additional description or data about the error condition

Recommended Action    Check to see if UC-IME calls are being spoofed. Turn on UC-IME debug tracing to obtain more details about the error condition.

339003

Error Message    %ASA-3-339003: UC-IME-SIG: Non-dialog forming SIP %s received from 
%s:%A/%d to %s:%A/%d, packet dropped

Explanation    When a SIP message is inspected by the UC-IME feature, checks are performed to see if the message belongs to an existing SIP session. In a non-UC-IME scenario, a SIP request received will create a SIP session (if permitted by a configured policy). However, for the UC-IME feature, non-dialog-creating SIP messages are not permitted to create a SIP session in the security appliance and are dropped.

%s—SIP message name (INVITE, REFER, and so on)

%s—Source interface name (inside or outside)

%A—Source IP address

%d—Source port

%s—Destination interface name (inside or outside)

%A—Destination IP address

%d—Destination port

Recommended Action    Check to see if UC-IME calls are being spoofed.

339004

Error Message    %ASA-3-339004: UC-IME-SIG: Dropping SIP %s received from %s:%A/%d to 
%s:%A/%d, route header validation failed, %s

Explanation    When an outbound SIP message is inspected by the UC-IME feature, the domain name included in the SIP route header is compared to the TLS certificate domain name. This comparison allows the UC-IME feature on the ASA to determine whether or not the SIP message is actually terminating at the intended enterprise. If a mismatch occurs, it implies that the remote end is not serving that domain, and the SIP session should be terminated.

%s—SIP message name (INVITE, REFER, and so on)

%s—Source interface name (inside or outside)

%A—Source IP address

%d—Source port

%s—Destination interface name (inside or outside)

%A—Destination IP address

%d—Destination port

%s—Additional description or data about the error condition (for example, the domain names received)

Recommended Action    Check to see if the remote enterprise is attempting to hijack UC-IME calls.

339005

Error Message    %ASA-3-339005: UC-IME-SIG: Message received from %s:%A/%d to %s:%A/%d 
does not contain SRTP, message dropped

Explanation    For UC-IME SIP signaling, SIP messages received that have media content from the outside need to be SRTP. If this content is not SRTP, the message will be dropped during SIP inspection.

%s—Source interface name (inside or outside)

%A—Source IP address

%d—Source port

%s—Destination interface name (inside or outside)

%A—Destination IP address

%d—Destination port

Recommended Action    None required.

339006

Error Message    %ASA-3-339006: UC-IME-Offpath: Failed to map remote UCM address %A:%d 
on %s interface, request from local UCM %A:%d on %s interface, reason %s

Explanation    For the UC-IME Mapping Service to work correctly, a correct configuration of global NAT must be in place. If this misconfiguration is detected, a syslog error message will be generated to inform the administrator. At the same time, all requests from UCM clients must conform to the Mapping Service stun message format. All nonconforming requests will be dropped silently, and a syslog error message will be generated to notify the administrator about this occurrence.

%A—Remote UCM IP address

%d—Remote UCM port

%s—Interface for the remote UCM IP address or port address

%A— Local UCM IP address (used for the mapping-service connection)

%d— Local UCM port (used for the mapping-service connection)

%s—Interface for the local UCM IP address or port address

%s—Failure reason

Recommended Action    Check to see if the UC-IME Offpath and the UCM Offpath are configured correctly.

339007

Error Message    %ASA-6-339007: UC-IME-Offpath: Mapped address %A:%d on %s interface 
for remote UCM %A:%d on %s interface, request from local UCM %A:%d on %s interface

%A—Mapped IP address

%d—Mapped port

%s—Interface for the mapped IP address or port address

%A—Remote UCM IP address

%d—Remote UCM port

%s—Interface for the remote UCM IP address or port address

%A—Local UCM IP address (used for the mapping-service connection)

%d—Local UCM port (used for the mapping-service connection)

%s—Interface for the local UCM IP address or port address

Explanation    UC-IME mapping service calls are tracked based on the mapping service client (UCM) address (IP:port) and remote UCM address (IP:port). The administrator may use this information to help debug an offpath UC-IME call.

Recommended Action    None required.

339008

Error Message    %ASA-6-339008: UC-IME-Media: Media session with Call-ID %s and 
Session-ID %s terminated. RTP monitoring parameters: Failover state: %s, Refer 
msgs sent: %d, Codec payload format: %s, RTP ptime (ms): %d, Max RBLR pct(x 100): 
%d, Max ITE count in 8 secs: %d, Max BLS (ms): %d, Max span PDV (usec): %d, Min 
span PDV (usec): %d, Move avg span PDV (usec): %d, Total ITE count: %d, Total sec 
count: %d, Concealed sec count: %d, Severely concealed sec count: %d, Max call 
interval (ms): %d

Explanation    UC-IME media session termination is tracked based on the Call ID or Session ID.This message is triggered at the end of a media session. The parameters returned by the RTP monitoring algorithm are included so that an administrator can adjust sensitivity parameters to improve the quality of service of a call.

%s—Failover state, which can be one of the following:

No error, for an active session

No media at startup timer expired

Error in received sequence numbering

Both ITE and BLS thresholds exceeded

BLS threshold exceeded within Burst Interval

RBLR threshold exceeded within last 8 sec

Combination (> 3/4 RBLR + > 3/4 BLS) failover

No media since last received packet exceeded

ITE threshold exceeded

%s—Codec payload format:, which can be one of the following:

UNKNOWN, G722, PCMU, PCMA, iLBC, or iSAC

Recommended Action    None required.

339009

Error Message    %ASA-6-339009: UC-IME: Ticket Password changed. Please update the same 
on UC-IME server.

Explanation    The security appliance administrator is allowed to change the ticket password without knowing the old password. This message is generated to ensure that the administrator is aware of this change. The syslog also serves as a reminder to the administrator that if the UC-IME password is changed on the security appliance, it should also be changed on the UC-IME server for everything to function correctly.

Recommended Action    Verify that the ticket password has been changed on the UC-IME server to match the value configured on the security appliance.

Messages 400000 to 466002

This section contains messages from 400000 to 466002.

4000nn

Error Message    %PIX|ASA-4-4000nn: IPS:number string from IP_address to IP_address on 
interface interface_name

Explanation    Messages 400000 through 400051 are Cisco Intrusion Prevention Service signature messages.

Recommended Action    See the Cisco Intrusion Prevention Service User Guide on Cisco.com.

All signature messages are not supported by the security appliance in this release. IPS syslog messages all start with 4-4000nn and have the following format:

Options:

number

The signature number. See the Cisco Intrusion Prevention Service User Guide on Cisco.com.

string

The signature message—approximately the same as the NetRanger signature message.

IP_address

The local to remote address to which the signature applies.

interface_name

The name of the interface on which the signature originated.


number

The signature number. See the Cisco Intrusion Detection System User Guide on Cisco.com.

string

The signature message, which is approximately the same as the NetRanger signature message.

IP_address

The local to remote address to which the signature applies.

interface_name

The name of the interface on which the signature originated.

For example:

%PIX|ASA-4-400013 IPS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz
%PIX|ASA-4-400032 IPS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface 
outside

Table 1-5 lists the supported signature messages.

Table 1-5 IPS syslog Messages 

Message
Number
Signature ID
Signature Title
Signature Type

400000

1000

IP options-Bad Option List

Informational

400001

1001

IP options-Record Packet Route

Informational

400002

1002

IP options-Timestamp

Informational

400003

1003

IP options-Security

Informational

400004

1004

IP options-Loose Source Route

Informational

400005

1005

IP options-SATNET ID

Informational

400006

1006

IP options-Strict Source Route

Informational

400007

1100

IP Fragment Attack

Attack

400008

1102

IP Impossible Packet

Attack

400009

1103

IP Fragments Overlap

Attack

400010

2000

ICMP Echo Reply

Informational

400011

2001

ICMP Host Unreachable

Informational

400012

2002

ICMP Source Quench

Informational

400013

2003

ICMP Redirect

Informational

400014

2004

ICMP Echo Request

Informational

400015

2005

ICMP Time Exceeded for a Datagram

Informational

400016

2006

ICMP Parameter Problem on Datagram

Informational

400017

2007

ICMP Timestamp Request

Informational

400018

2008

ICMP Timestamp Reply

Informational

400019

2009

ICMP Information Request

Informational

400020

2010

ICMP Information Reply

Informational

400021

2011

ICMP Address Mask Request

Informational

400022

2012

ICMP Address Mask Reply

Informational

400023

2150

Fragmented ICMP Traffic

Attack

400024

2151

Large ICMP Traffic

Attack

400025

2154

Ping of Death Attack

Attack

400026

3040

TCP NULL flags

Attack

400027

3041

TCP SYN+FIN flags

Attack

400028

3042

TCP FIN only flags

Attack

400029

3153

FTP Improper Address Specified

Informational

400030

3154

FTP Improper Port Specified

Informational

400031

4050

UDP Bomb attack

Attack

400032

4051

UDP Snork attack

Attack

400033

4052

UDP Chargen DoS attack

Attack

400034

6050

DNS HINFO Request

Informational

400035

6051

DNS Zone Transfer

Informational

400036

6052

DNS Zone Transfer from High Port

Informational

400037

6053

DNS Request for All Records

Informational

400038

6100

RPC Port Registration

Informational

400039

6101

RPC Port Unregistration

Informational

400040

6102

RPC Dump

Informational

400041

6103

Proxied RPC Request

Attack

400042

6150

ypserv (YP server daemon) Portmap Request

Informational

400043

6151

ypbind (YP bind daemon) Portmap Request

Informational

400044

6152

yppasswdd (YP password daemon) Portmap Request

Informational

400045

6153

ypupdated (YP update daemon) Portmap Request

Informational

400046

6154

ypxfrd (YP transfer daemon) Portmap Request

Informational

400047

6155

mountd (mount daemon) Portmap Request

Informational

400048

6175

rexd (remote execution daemon) Portmap Request

Informational

400049

6180

rexd (remote execution daemon) Attempt

Informational

400050

6190

statd Buffer Overflow

Attack


401001

Error Message    %PIX|ASA-4-401001: Shuns cleared

Explanation    The clear shun command was entered to remove existing shuns from memory.

Recommended Action    None required. This message is displayed to allow an institution to keep a record of shunning activity.

401002

Error Message    %PIX|ASA-4-401002: Shun added: IP_address IP_address port port

Explanation    A shun command was entered, where the first IP address is the shunned host. The other addresses and ports are optional and are used to terminate the connection if available.

Recommended Action    None required. This message is displayed to allow an institution to keep a record of shunning activity.

401003

Error Message    %PIX|ASA-4-401003: Shun deleted: IP_address

Explanation    A single shunned host was removed from the shun database.

Recommended Action    None required. This message is displayed to allow an institution to keep a record of shunning activity.

401004

Error Message    %PIX|ASA-4-401004: Shunned packet: IP_address ==> IP_address on interface 
interface_name

Explanation    A packet was dropped because the host defined by IP SRC is a host in the shun database. A shunned host cannot pass traffic on the interface on which it is shunned. For example, an external host on the Internet can be shunned on the outside interface.

Recommended Action    None required. This message provides a record of the activity of shunned hosts. This message and syslog message %PIX|ASA-4-401005 can be used to evaluate further risk assessment concerning this host.

401005

Error Message    %PIX|ASA-4-401005: Shun add failed: unable to allocate resources for 
IP_address IP_address port port

Explanation    The security appliance is out of memory; a shun could not be applied.

Recommended Action    The Cisco Intrusion Detection System should continue to attempt to apply this rule. Attempt to reclaim memory and reapply a shun manually, or wait for the Cisco Intrusion Detection System to do this.

402114

Error Message    %PIX|ASA-4-402114: IPSEC: Received an protocol packet (SPI=spi, sequence 
number= seq_num) from remote_IP to local_IP with an invalid SPI. 

protocol—IPSec protocol

spi—IPSec Security Parameter Index

seq_numIPSec sequence number

remote_IPIP address of the remote endpoint of the tunnel

username—Username associated with the IPSec tunnel

local_IPIP address of the local endpoint of the tunnel

Explanation    This message is displayed when an IPSec packet is received that specifies an SPI that does not exist in the SA database. This may be a temporary condition due to slight differences in aging of SAs between the IPSec peers, or it may be because the local SAs have been cleared. It may also indicate incorrect packets sent by the IPSec peer, which may be part of an attack. This message is rate limited to no more than one message every five seconds.

Recommended Action    The peer may not acknowledge that the local SAs have been cleared. If a new connection is established from the local router, the two peers may then reestablish successfully. Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer administrator.

402115

Error Message    %PIX|ASA-4-402115: IPSEC: Received a packet from remote_IP to local_IP 
containing act_prot data instead of exp_prot data.

Explanation    This message is displayed when an IPSec packet is received that is missing the expected ESP header. The peer is sending packets that do not match the negotiated security policy. This may indicate an attack. This message is rate limited to no more than one message every five seconds.

remote_IPIP address of the remote endpoint of the tunnel

local_IPIP address of the local endpoint of the tunnel

act_prot—Received IPSec protocol

exp_prot—Expected IPSec protocol

Recommended Action    Contact the peer administrator.

402116

Error Message    %PIX|ASA-4-402116: IPSEC: Received an protocol packet (SPI=spi, sequence 
number= seq_num) from remote_IP (username) to local_IP. The decapsulated inner packet 
doesn't match the negotiated policy in the SA. The packet specifies its destination 
as pkt_daddr, its source as pkt_saddr, and its protocol as pkt_prot. The SA specifies 
its local proxy as id_daddr /id_dmask /id_dprot /id_dport and its remote proxy as 
id_saddr /id_smask /id_sprot /id_sport.

Explanation    This message is displayed when a decapsulated IPSec packet does not match the negotiated identity. The peer is sending other traffic through this security association. It may be due to a security association selection error by the peer, or it may be part of an attack. This message is rate limited to no more than one message every five seconds.

protocol—IPSec protocol

spi—IPSec Security Parameter Index

seq_numIPSec sequence number

remote_IPIP address of the remote endpoint of the tunnel

username—Username associated with the IPSec tunnel

local_IPIP address of the local endpoint of the tunnel

pkt_daddrDestination address from the decapsulated packet

pkt_saddrSource address from the decapsulated packet

pkt_protTransport protocol from the decapsulated packet

id_daddrLocal proxy IP address

id_dmaskLocal proxy IP subnet mask

id_dprotLocal proxy transport protocol

id_dportLocal proxy port

id_saddrRemote proxy IP address

id_smaskRemote proxy IP subnet mask

id_sprotRemote proxy transport protocol

id_sportRemote proxy port

Recommended Action    Contact the peer administrator and compare policy settings.

402117

Error Message    %PIX|ASA-4-402117: IPSEC: Received a non-IPSec (protocol) packet from 
remote_IP to local_IP.

Explanation    This message is displayed when the received packet matched the crypto map ACL, but it is not IPSec-encapsulated. The IPSec Peer is sending unencapsulated packets. This error can occur because of a policy setup error on the peer. For example, the firewall may be configured to only accept encrypted Telnet traffic to the outside interface port 23. If you attempt to Telnet without IPSec encryption to the outside interface on port 23, this message appears, but not on telnet or traffic to the outside interface on ports other than 23. This error can also indicate an attack. This syslog message is not generated except under these conditions (for example, it is not generated for traffic to the firewall interfaces themselves). See messages 710001, 710002, and 710003 for messages that track TCP and UDP requests. This message is rate limited to no more than one message every five seconds.

protocol—IPSec protocol

remote_IPIP address of the remote endpoint of the tunnel

local_IPIP address of the local endpoint of the tunnel

Recommended Action    Contact the peer administrator to compare policy settings.

402118

Error Message    %PIX|ASA-4-402118: IPSEC: Received an protocol packet (SPI=spi, sequence 
number seq_num) from remote_IP (username) to local_IP containing an illegal IP 
fragment of length frag_len with offset frag_offset.

Explanation    This message is displayed when a decapsulatd IPSec packet contains an IP fragment with an offset less than or equal to 128 bytes. The latest version of the Security Architecture for IP RFC recommends 128 bytes as the minimum IP fragment offset to prevent reassembly attacks. This may be part of an attack. This message is rate limited to no more than one message every five seconds.

protocol—IPSec protocol

spi—IPSec Security Parameter Index

seq_numIPSec sequence number

remote_IPIP address of the remote endpoint of the tunnel

username—Username associated with the IPSec tunnel

local_IPIP address of the local endpoint of the tunnel

frag_lenIP fragment length

frag_offsetIP fragment offset in bytes

Recommended Action    Contact the administrator of the remote peer to compare policy settings.

402119

Error Message    %PIX|ASA-4-402119: IPSEC: Received an protocol packet (SPI=spi, sequence 
number= seq_num) from remote_IP (username) to local_IP that failed anti-replay 
checking.

Explanation    This message is displayed when an IPSec packet is received with an invalid sequence number. The peer is sending packets containing sequence numbers that may have been previously used. This syslog message indicates that an IPSec packet has been received with a sequence number outside of the acceptable window. This packet will be dropped by IPSec as part of a possible attack. This message is rate limited to no more than one message every five seconds.

protocol—IPSec protocol

spi—IPSec Security Parameter Index

seq_numIPSec sequence number

remote_IPIP address of the remote endpoint of the tunnel

username—Username associated with the IPSec tunnel

local_IPIP address of the local endpoint of the tunnel

Recommended Action    Contact the peer administrator.

402120

Error Message    %PIX|ASA-4-402120: IPSEC: Received an protocol packet (SPI=spi, sequence 
number= seq_num) from remote_IP (username) to local_IP that failed authentication.

Explanation    This message is displayed when an IPSec packet is received and fails authentication. The packet is dropped. The packet may have been corrupted in transit or the peer may be sending invalid IPSec packets. This may indicate an attack if many of these packets are received from the same peer. This message is rate limited to no more than one message every five seconds.

protocol—IPSec protocol

spi—IPSec Security Parameter Index

seq_numIPSec sequence number

remote_IPIP address of the remote endpoint of the tunnel

username—Username associated with the IPSec tunnel

local_IPIP address of the local endpoint of the tunnel

Recommended Action    Contact the administrator of the remote peer if many failed packets are received.

402121

Error Message    %PIX|ASA-4-402121: IPSEC: Received an protocol packet (SPI=spi, sequence 
number= seq_num) from peer_addr (username) to lcl_addr that was dropped by IPSec 
(drop_reason).

Explanation    This message is displayed when an IPSec packet to be decapsulated was received and subsequently dropped by the IPSec subsystem. This could indicate a problem with the device configuration or with the device itself.

protocol—IPSec protocol

spi—IPSec Security Parameter Index

seq_numIPSec sequence number

peer_addrIP address of the tunnel's remote endpoint

username—Username associated with the IPSec tunnel

lcl_addrIP address of the local endpoint of the tunnel

drop_reasonReason that the packet was dropped

Recommended Action    If the problem persists, contact the Cisco TAC.

402122

Error Message    %PIX|ASA-4-402122: Received a cleartext packet from src_addr to 
dest_addr that was to be encapsulated in IPSec that was dropped by IPSec 
(drop_reason).

Explanation    A packet to be encapsulated in IPSec was received and subsequently dropped by the IPSec subsystem. This could indicate a problem with the device configuration or with the device itself.

src_addrSource IP address

dest_addrDestination IP address

drop_reasonReason that the packet was dropped

Recommended Action    If the problem persists, contact the Cisco TAC.

402123

Error Message    %PIX|ASA-4-402123: CRYPTO: The accel_type hardware accelerator 
encountered an error (code= error_string) while executing crypto command command.

Explanation    This message is displayed when an error is detected while running a crypto command with a hardware accelerator. This could indicate a problem with the accelerator. This type of error may occur for a variety of reasons, and this message supplements the crypto accelerator counters to help determine the cause.

accel_type—Hardware accelerator type

error_string—Code indicating the type of error

command—Crypto command that generated the error

Recommended Action    If the problem persists, contact the Cisco TAC

402124

Error Message    %ASA-4-402124: CRYPTO: The ASA hardware accelerator encountered an 
error (Hardware error address, Core, Hardware error code, IstatReg, PciErrReg, 
CoreErrStat, CoreErrAddr, Doorbell Size, DoorBell Outstanding, SWReset).

Explanation    This syslog message appears when the crypto hardware chip has reported a fatal error, indicating the chip is inoperable. The information from this syslog message captures the information and to allow further analysis of this problem. The crypto chip is reset when this condition is detected, to unobtrusively allow the ASA to continue functioning. Also, the crypto environment at the time this issue is detected is written to a crypto archive directory on flash, to provide further debug information. Various parameters related to the crypto hardware are contained in this syslog message; these include:

HWErrAddrHardware address (set by crypto chip)

CoreCrypto core experiencing the error

HwErrCodeHardware error code (set by crypto chip)

IstatRegInterrupt status register (set by crypto chip)

PciErrRegPCI error register (set by crypto chip)

CoreErrStatCore error status (set by crypto chip)

CoreErrAddrCore error address (set by crypto chip)

Doorbell SizeMaximum crypto commands allowed

DoorBell OutstandingCrypto commands outstanding

SWResetNumber of crypto chip resets since boot

Recommended Action    Forward the syslog message information to Cisco TAC for further analysis.

402125

Error Message    %ASA-4-402125: The ASA hardware accelerator ring timed out 
(parameters).

Explanation    The crypto driver has detected either the IPSEC or SSL/Admin descriptor ring is no longer progressing, meaning the crypto chip no longer appears to be functioning. The crypto chip is reset when this condition is detected, to unobtrusively allow the ASA to continue functioning. Also the crypto environment at the time this issue is detected is written to a crypto archive directory on flash, to provide further debug information.

ring—IPSEC ring or Admin ring

parametersinclude the following:

DescDescriptor address

CtrlStatControl/status value

ResultPSuccess pointer

ResultValSuccess value

CmdCrypto command

CmdSizeCommand size

ParamCommand parameters

DlenData length

DataPData pointer

CtxtPVPN context pointer

SWResetNumber of crypto chip resets since boot

Recommended Action    Forward the syslog message information to Cisco for further analysis.

402126

Error Message    %ASA-4-402126: CRYPTO: The ASA created Crypto Archive File 
Archive Filename as a Soft Reset was necessary. Please forward this archived 
information to Cisco.

Explanation    There was a functional problem detected with the hardware crypto chip (see syslog messages 4402124/4402125). To further debug the crypto problem a crypto archive file is generated, containing the current crypto hardware environment (hardware registers, Crypto Desc Entries, and so on). At boot time, a crypto_archive directory is automatically created on the flash file system (if not in prior existence). A maximum of two crypto archive files are allowed to exist in this directory.

Archive Filename—The name of the crypto archive file name. The crypto archive file names are of the form, "crypto_arch_x.bin", where "x" = (1 or 2).

Recommended Action    Forward the crypto archive file(s) to Cisco for further analysis.

402127

Error Message    %ASA-4-402127: CRYPTO: The ASA is skipping the writing of latest Crypto 
Archive File as the maximum # of files, max_number, allowed have been written to 
archive_directory. Please archive & remove files from Archive Directory if you 
want more Crypto Archive Files saved.

Explanation    There was a functional problem detected with the HW Crypto chip (see syslog messages 4402124 and 4402125). This syslog message indicates a crypto archive file was not written as the maximum number of crypto archive files already existed.

max_numberMaximum number of files allowed in the archive directory; currently set to two

archive_directory—Name of the archive directory

Recommended Action    Forward previously generated crypto archive files to Cisco. Remove the previously generated archive file(s) so more can be written (if deemed necessary).

402128

Error Message    %ASA-5-402128: CRYPTO: An attempt to allocate a large memory block 
failed, size: size, limit: limit

Explanation    An SSL connection is attempting to use more memory than allowed. The request has been denied.

size—The size of the memory block being allocated

limit—The maximum size of allocated memory permitted

Recommended Action    If this message persists, an SSL denial of service (DoS) attack may be in progress. Contact the remote peer administrator or upstream provider.

402129

Error Message    %ASA-6-402129: CRYPTO: An attempt to release a DMA memory block failed, 
location: address

Explanation    An internal software error has occurred.

address—The address being freed

Recommended Action    Contact the Cisco TAC for assistance.

402130

Error Message    %PIX|ASA-3-402130: CRYPTO: Received an ESP packet (SPI = 0x54A5C634,
sequence number= 0x7B) from 75.2.96.101 (user= user) to 85.2.96.10 with
incorrect IPsec padding.

Explanation    The ASA crypto hardware accelerator detected an IPSec packet with invalid padding.

SPI—The SPI associated with the packet

sequence number—The sequence number associated with packet

user—username string

padding—padding data from packet

Recommended Action    There have been customers using the ATT VPN client that have experienced this issue due to the ATT VPN client sometimes padding Ipsec packets incorrectly. While this syslog is informational only and doesn't indicate a problem with the ASA, customers using the ATT VPN
client may wish to upgrade their VPN client software.

403101

Error Message    %PIX|ASA-4-403101: PPTP session state not established, but received an 
XGRE packet, tunnel_id=number, session_id=number

Explanation    The security appliance received a PPTP XGRE packet without a corresponding control connection session.

Recommended Action    If the problem persists, contact the Cisco TAC

403102

Error Message    %PIX|ASA-4-403102: PPP virtual interface interface_name rcvd pkt with 
invalid protocol: protocol, reason: reason.

Explanation    The module received an XGRE encapsulated PPP packet with an invalid protocol field.

Recommended Action    If the problem persists, contact the Cisco TAC.

403103

Error Message    %PIX|ASA-4-403103: PPP virtual interface max connections reached.

Explanation    The module cannot accept additional PPTP connections.

Recommended Action    None required. Connections are allocated as soon as they are available.

403104

Error Message    %PIX|ASA-4-403104: PPP virtual interface interface_name requires mschap 
for MPPE.

Explanation    The Microsoft Point-to-Point Encryption (MPPE) is configured but MS-CHAP authentication is not.

Recommended Action    Add MS-CHAP authentication with the vpdn group group_name ppp authentication command.

403106

Error Message    %PIX|ASA-4-403106: PPP virtual interface interface_name requires RADIUS 
for MPPE.

Explanation    The MPPE is configured but RADIUS authentication is not.

Recommended Action    Add RADIUS authentication with the vpdn group group_name ppp authentication command.

403107

Error Message    %PIX|ASA-4-403107: PPP virtual interface interface_name missing aaa 
server group info

Explanation    The AAA server configuration information cannot be found.

Recommended Action    Add the AAA server information with the vpdn group group_name client authentication aaa aaa_server_group command.

403108

Error Message    %PIX|ASA-4-403108: PPP virtual interface interface_name missing client 
ip address option

Explanation    The client IP address pool information is missing.

Recommended Action    Add IP address pool information with the vpdn group group_name client configuration address local address_pool_name command.

403109

Error Message    %PIX|ASA-4-403109: Rec'd packet not an PPTP packet. (ip) dest_address= 
dest_address, src_addr= source_address, data: string.

Explanation    The module received a spoofed PPTP packet. This may be a hostile event.

Recommended Action    Contact the administrator of the peer to check the PPTP configuration settings.

403110

Error Message    %PIX|ASA-4-403110: PPP virtual interface interface_name, user: user 
missing MPPE key from aaa server.

Explanation    The AAA server is not returning the MPPE key attributes required to set up the MPPE encryption policy.

Recommended Action    Check the AAA server configuration and if the AAA server cannot return MPPE key attributes, use local authentication instead with the vpdn group group_name client authentication local command.

403500

Error Message    %PIX|ASA-6-403500: PPPoE - Service name 'any' not received in PADO. 
Intf:interface_name AC:ac_name.

Explanation    The security appliance requested the PPPoE service "any" from the access controller at the Internet service provider. The response from the service provider includes other services but does not include the service "any." This is a discrepancy in the implementation of the protocol. The PADO packet is processed normally and connection negotiations continue.

Recommended Action    None required.

403501

Error Message    %PIX|ASA-3-403501: PPPoE - Bad host-unique in PADO - packet dropped. 
Intf:interface_name AC:ac_name

Explanation    The security appliance sent an identifier called the host-unique value to the access controller. The access controller responded with a different host-unique value. The security appliance is unable to identify the corresponding connection request for this response. The packet is dropped and connection negotiations are discontinued.

Recommended Action    Contact the Internet service provider. Either the access controller at the service provider is mishandling the host-unique value or the PADO packet is being forged.

403502

Error Message    %PIX|ASA-3-403502: PPPoE - Bad host-unique in PADS - dropping packet. 
Intf:interface_name AC:ac_name

Explanation    The security appliance sent an identifier called the host-unique value to the access controller. The access controller responded with a different host-unique value. The security appliance is unable to identify the corresponding connection request for this response. The packet was dropped and connection negotiations were discontinued.

Recommended Action    Contact the Internet service provider. Either the access controller at the service provider is mishandling the host-unique value or the PADO packet is being forged.

403503

Error Message    %PIX|ASA-3-403503: PPPoE:PPP link down:reason 

Explanation    The PPP link has gone down. There are many reasons why this could happen. The first format will display a reason if PPP provides one.

Recommended Action    Check the network link to ensure that the link is connected. The access concentrator could be down. Ensure that your authentication protocol matches the access concentrator. Ensure that your name and password are correct. Check with your ISP or network support person.

403504

Error Message    %PIX|ASA-3-403504: PPPoE:No 'vpdn group group_name' for PPPoE is 
created

Explanation    PPPoE requires a dial-out configuration before starting a PPPoE session. In general, the configuration should specify a dialing policy, the PPP authentication, the username, and a password. The following example configures the security appliance for PPPoE dialout. The my-username and my-password commands are used to authenticate the access concentrator, using PAP if necessary.

For example:

vpdn group my-pppoe request dialout pppoe
vpdn group my-pppoe ppp authentication pap
vpdn group my-pppoe localname my-username
vpdn username my-username password my-password
ip address outside pppoe setroute

Recommended Action    Configure a VPDN group for PPPoE.

403505

Error Message    %PIX|ASA-4-403505: PPPoE:PPP - Unable to set default route to IP_address 
at interface_name

Explanation    This message is usually followed by the message - default route already exists.

Recommended Action    Remove the current default route or remove the "setroute" parameter so that there is no conflict between PPPoE and the manually configured route.

403506

Error Message    %PIX|ASA-4-403506: PPPoE:failed to assign PPP IP_address netmask netmask 
at interface_name

Explanation    This message is followed by - subnet is the same as interface, or on failover channel.

Recommended Action    In the first case, change the address causing the conflict. In the second case, configure the PPPoE on an interface other than the failover interface.

403507

Error Message    %PIX|ASA-3-403507:PPPoE:PPPoE client on interface interface failed to 
locate PPPoE vpdn group group_name

Explanation    You can configure the PPPoE client on an interface to use a particular VPDN group by entering the pppoe client vpdn group group_name command. If a PPPoE VPDN group of the configured name is not located during system startup, this syslog message is generated.

interface—The interface on which the PPPoE client failed.

group_name —The VPDN group name of the PPPoe client on the interface.

Recommended Action    Perform the following steps:

1. Add the required VPDN group by entering the vpdn group group_name command. Request dialout PPPoE in global configuration mode and add all the group properties.

2. Remove the pppoe client vpdn group group_name command from the interface indicated. In this case, the PPPoE client will attempt to use the first PPPoE VPDN group defined.


Note All changes take effect only after the PPPoE client on the interface is restarted by entering the ip address pppoe command.


404101

Error Message    %PIX|ASA-4-404101: ISAKMP: Failed to allocate address for client from 
pool string

Explanation    ISAKMP failed to allocate an IP address for the VPN client from the pool that you specified with the ip local pool command.

Recommended Action    Use the ip local pool command to specify additional IP addresses for the pool.

404102

Error Message    %PIX|ASA-3-404102: ISAKMP: Exceeded embryonic limit

Explanation    More than 500 embryonic security associations (SAs) exist, which could mean a DoS attack.

Recommended Action    Enter the show crypto isakmp ca command to determine the origin of the attack. After the source is identified, deny access to the offending IP address or network.

405001

Error Message    %PIX|ASA-4-405001: Received ARP {request | response} collision from 
IP_address/MAC_address on interface interface_name to IP_address/MAC_address on 
interface interface_name

Explanation    The security appliance received an ARP packet, and the MAC address in the packet differs from the ARP cache entry.

Recommended Action    This traffic might be legitimate, or it might indicate that an ARP poisoning attack is in progress. Check the source MAC address to determine where the packets are coming from and check to see if it belongs to a valid host.

405101

Error Message    %PIX|ASA-4-405101: Unable to Pre-allocate H225 Call Signalling 
Connection for foreign_address outside_address[/outside_port] to local_address 
inside_address[/inside_port]

Explanation    The module failed to allocate RAM system memory while starting a connection or has no more address translation slots available.

Recommended Action    If this message occurs periodically, it can be ignored. You can check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translates and connections. This error message may also be caused by insufficient memory; try reducing the amount of memory usage, or purchasing additional memory. If the problem persists, contact the Cisco TAC.

405002

Error Message    %PIX|ASA-4-405002: Received mac mismatch collision from 
IP_address/MAC_address for authenticated host

Explanation    This packet appears for one of the following conditions:

The security appliance received a packet with the same IP address but a different MAC address from one of its uauth entries.

You configured the vpnclient mac-exempt command on the security appliance, and the security appliance receives a packet with an exempt MAC address but a different IP address from the corresponding uauth entry.

Recommended Action    This traffic might be legitimate, or it might indicate that a spoofing attack is in progress. Check the source MAC address and IP address to determine where the packets are coming from and check to see if they belong to a valid host.

405101

Error Message    %PIX|ASA-4-405101: Unable to Pre-allocate H225 Call Signalling 
Connection for foreign_address outside_address[/outside_port] to local_address 
inside_address[/inside_port]

Explanation    The security appliance failed to allocate RAM system memory while starting a connection or has no more address translation slots available.

Recommended Action    Check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of xlates and connections. This could also be caused by insufficient memory; reduce the amount of memory usage, or purchase additional memory. If this message occurs periodically, it can be ignored. If the problem persists, contact the Cisco TAC.

405102

Error Message    %PIX|ASA-4-405102: Unable to Pre-allocate H245 Connection for 
foreign_address outside_address[/outside_port] to local_address 
inside_address[/inside_port]

Explanation    The security appliance failed to allocate RAM system memory while starting a connection or has no more address translation slots available.

Recommended Action    Check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of xlates and connections. This could also be caused by insufficient memory; reduce the amount of memory usage, or purchase additional memory. If this message occurs periodically, it can be ignored. If the problem persists, contact the Cisco TAC.

405103

Error Message    %PIX|ASA-4-405103: H225 message from source_address/source_port to 
dest_address/dest_port contains bad protocol discriminator hex

Explanation    PIX is expecting the protocol discriminator, 0x08, but it received something other than 0x08. This might happen because the endpoint is sending a bad packet, or received a message segment other than the first segment.

Recommended Action    None required. The packet is allowed through.

405104

Error Message    %PIX|ASA-4-405104: H225 message received from outside_address/outside_port 
to inside_address/inside_port before SETUP

Explanation    This message appears after an H.225 message is received out of order. The H.225 message was received before the initial SETUP message, which is not allowed. The security appliance must receive an initial SETUP message for that H.225 call signalling channel before accepting any other H.225 messages.

Recommended Action    None required.

405105

Error Message    %PIX|ASA-4-405105: H323 RAS message AdmissionConfirm received from 
source_address/source_port to dest_address/dest_port without an AdmissionRequest

Explanation    A gatekeeper has sent an admission confirm (ACF), but the security appliance did not send an admission request (ARQ) to the gatekeeper.

Recommended Action    Check the gatekeeper with the specified source_address to determine why it sent an ACF without receiving an ARQ from the security appliance.

405106

Error Message    %PIX|ASA-4-405106: H323 num channel is not created from %I/%d to %I/%d 
%s

Explanation    This syslog message is generated when the security appliance attempts to create a match condition on the H.323 media-type channel. See the match media-type command for more information.

Recommended Action    None required.

405107

Explanation    %PIX|ASA-4-405107: H245 Tunnel is detected and connection dropped from %I/%d to %I/%d %s

Explanation    This syslog message is generated when an H.323 connection has been dropped because of attempted H.245 tunnel control during call setup. See the h245-tunnel-block command for more information.

Recommended Action    None required.

405201

Error Message    %PIX|ASA-4-405201: ILS ILS_message_type from 
inside_interface:source_IP_address to outside_interface:/destination_IP_address 
has wrong embedded address embedded_IP_address

Explanation    The embedded address in the ILS packet payload is not the same as the source IP address of the IP packet header.

Recommended Action    Check the host with the specified with the source_IP_address to determine why it sent an ILS packet with an incorrect embedded IP address.

405300

Error Message    %PIX|ASA-4-405300: Radius Accounting Request received from from_addr 
is not allowed

Explanation    The accounting request came from a host that was not configured in the policy-map. The message is logged and processing stops.

from_addr—The IP address of the host sending the request.

Recommended Action    If the host was configured to send RADIUS accounting messages to the security appliance, make sure it was configured in the correct policy-map that was applied to the service-policy. If the host was not configured to send RADIUS accounting messages to the security appliance, then check to see why the messages are being sent. If the messages are illegitimate, then create the proper ACLs to drop the packets.

405301

Error Message    %PIX|ASA-4-405301: Attribute attribute_number does not match for user user_ip

Explanation    When the validate-attribute command is entered, the attribute values stored in the Accounting Request Start received do not match those stored in entry, if it exists.

attribute_number—The RADIUS attribute to be validated with RADIUS accounting. Values range from 1 to 191. Vendor-specific attributes are not supported.

user_ip—The IP address (framed IP attribute) of the user.

Recommended Action    None required.

406001

Error Message    %PIX|ASA-4-406001: FTP port command low port: IP_address/port to 
IP_address on interface interface_name

Explanation    A client entered an FTP port command and supplied a port less than 1024 (in the well-known port range typically devoted to server ports). This is indicative of an attempt to avert the site security policy. The security appliance drops the packet, terminates the connection, and logs the event.

Recommended Action    None required.

406002

Error Message    %PIX|ASA-4-406002: FTP port command different address: 
IP_address(IP_address) to IP_address on interface interface_name

Explanation    A client issued an FTP port command and supplied an address other than the address used in the connection. This error message is indicative of an attempt to avert the site.s security policy. For example, an attacker might attempt to hijack an FTP session by changing the packet on the way, and putting different source information instead of the correct source information. The security appliance drops the packet, terminates the connection, and logs the event. The address in parenthesis is the address from the port command.

Recommended Action    None required.

407001

Error Message    %PIX|ASA-4-407001: Deny traffic for local-host 
interface_name:inside_address, license limit of number exceeded

Explanation    The host limit was exceeded. An inside host is counted toward the limit when one of the following conditions is true:

The inside host has forwarded traffic through the security appliance within the last five minutes.

The inside host currently reserved an xlate connection or user authentication at the security appliance.

Recommended Action    The host limit is enforced on the low-end platforms. Use the show version command to view the host limit. Use the show local-host command to view the current active hosts and the inside users that have sessions at the security appliance. To forcefully disconnect one or more users, use the clear local-host command. To expire the inside users more quickly from the limit, set the xlate, connection, and uauth timeouts to the recommended values or lower. (See Table 1-6.)

Table 1-6 Timeouts and Recommended Values

Timeout
Recommended Value

xlate

00:05:00 (five minutes)

conn

00:01:00 (one hour)

uauth

00:05:00 (five minutes)


407002

Error Message    %PIX|ASA-4-407002: Embryonic limit nconns/elimit for through connections 
exceeded.outside_address/outside_port to global_address (inside_address)/inside_port on 
interface interface_name

Explanation    This message is about connections through the security appliance. This message is displayed when the number of connections from a specified foreign address over a specified global address to the specified local address exceeds the maximum embryonic limit for that static. The security appliance attempts to accept the connection if it can allocate memory for that connection. It proxies on behalf of local host and sends a SYN_ACK packet to the foreign host. The security appliance retains pertinent state information, drops the packet, and waits for the acknowledgment from the client.

Recommended Action    The message might indicate legitimate traffic, or indicate that a denial of service (DoS) attack is in progress. Check the source address to determine where the packets are coming from and whether it is a valid host.

407003

Error Message    %PIX|ASA-4-407003: Established limit for RPC services exceeded number

Explanation    The security appliance tried to open a new hole for a pair of RPC servers or services that have already been configured after the maximum number of holes has been met.

Recommended Action    Wait for other holes to be closed (through associated timeout expiration) or limit the number of active pairs of servers or services.

408001

Error Message    %PIX|ASA-4-408001: IP route counter negative - reason, IP_address 
Attempt: number

Explanation    An attempt to decrement the IP route counter into a negative value failed.

Recommended Action    Enter the clear ip route * command to reset the route counter. If the problem persists, contact the Cisco TAC.

408002

Error Message    %PIX|ASA-4-408002: ospf process id route type update address1 netmask1 
[distance1/metric1] via source IP:interface1 address2 netmask2 [distance2/metric2] interface2

Explanation    A network update was received from a different interface with the same distance and a better metric than the existing route. The new route overrides the existing route that was installed through another interface. The new route is for redundancy purposes only and means that a path has shifted in the network. This change must be controlled through topology and redistribution. Any existing connections affected by this change are probably disabled and will timeout. This path shift only occurs if the network topology has been specifically designed to support path redundancy, in which case it is expected.

Recommended Action    None required.

408003

Error Message    %PIX|ASA-4-408003: can't track this type of object hex

Explanation    A component of the tracking system has encountered an object type that is not supported by the component. A STATE object was expected.

hex—A hexidecimal value(s) depicting variable value(s) or addresses in memory

Recommended Action    Reconfigure the track object to make it a STATE object.

409001

Error Message    %PIX|ASA-4-409001: Database scanner: external LSA IP_address netmask is 
lost, reinstalls

Explanation    The software detected an unexpected condition. The router will take corrective action and continue.

Recommended Action    None required.

409002

Error Message    %PIX|ASA-4-409002: db_free: external LSA IP_address netmask

Explanation    An internal software error occurred.

Recommended Action    None required.

409003

Error Message    %PIX|ASA-4-409003: Received invalid packet: reason from IP_address, 
interface_name

Explanation    An invalid OSPF packet was received. Details are included in the error message. The cause might be an incorrect OSPF configuration or an internal error in the sender.

Recommended Action    Check the OSPF configuration of the receiver and the sender configuration for inconsistency.

409004

Error Message    %PIX|ASA-4-409004: Received reason from unknown neighbor IP_address

Explanation    The OSPF hello, database description, or database request packet was received, but the router could not identify the sender.

Recommended Action    This situation should correct itself.

409005

Error Message    %PIX|ASA-4-409005: Invalid length number in OSPF packet from IP_address 
(ID IP_address), interface_name

Explanation    The system received an OSPF packet with a field length of less than normal header size or inconsistent with the size of the IP packet in which it arrived. This indicates a configuration error in the sender of the packet.

Recommended Action    From a neighboring address, locate the problem router and reboot it.

409006

Error Message    %PIX|ASA-4-409006: Invalid lsa: reason Type number, LSID IP_address from 
IP_address, IP_address, interface_name

Explanation    The router received an LSA with an invalid LSA type. The cause is either memory corruption or unexpected behavior on a router.

Recommended Action    From a neighboring address, locate the problem router and reboot it. If the problem persists, contact the Cisco TAC.

409007

Error Message    %PIX|ASA-4-409007: Found LSA with the same host bit set but using 
different mask LSA ID IP_address netmask New: Destination IP_address netmask

Explanation    An internal software error occurred.

Recommended Action    If the problem persists, contact the Cisco TAC.

409008

Error Message    %PIX|ASA-4-409008: Found generating default LSA with non-zero mask LSA 
type : number Mask: netmask metric: number area: string

Explanation    The router tried to generate a default LSA with the wrong mask and possibly wrong metric due to an internal software error.

Recommended Action    If the problem persists, contact the Cisco TAC.

409009

Error Message    %PIX|ASA-4-409009: OSPF process number cannot start. There must be at 
least one up IP interface, for OSPF to use as router ID

Explanation    OSPF failed while attempting to allocate a router ID from the IP address of one of its interfaces.

Recommended Action    Make sure that there is at least one interface that is up and has a valid IP address. If there are multiple OSPF processes running on the router, each requires a unique router ID. You must have enough interfaces up so that each of them can obtain a router ID.

409010

Error Message    %PIX|ASA-4-409010: Virtual link information found in non-backbone 
area: string

Explanation    An internal error occurred.

Recommended Action    If the problem persists, contact the Cisco TAC.

409011

Error Message    %PIX|ASA-4-409011: OSPF detected duplicate router-id IP_address from 
IP_address on interface interface_name

Explanation    OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established.

Recommended Action    The OSPF router ID should be unique. Change the neighbor router ID.

409012

Error Message    %PIX|ASA-4-409012: Detected router with duplicate router ID IP_address 
in area string

Explanation    OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established.

Recommended Action    The OSPF router ID should be unique. Change the neighbor router ID.

409013

Error Message    %PIX|ASA-4-409013: Detected router with duplicate router ID IP_address 
in Type-4 LSA advertised by IP_address 

Explanation    OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established.

Recommended Action    The OSPF router ID should be unique. Change the neighbor router ID.

409023

Error Message    %PIX|ASA-4-409023: Attempting AAA Fallback method method_name for 
request_type request for user user:Auth-server group server_tag unreachable

Explanation    An authentication or authorization attempt to an external server has failed and will now be performed using the local user database. aaa_operation is either "authentication" or "authorization." username is the user associated with the connection. server_group is the name of the AAA server whose servers were unreachable.

Recommended Action    Investigate any connectivity problems with the AAA servers configured in the first method. Ping the authentication servers from the security appliance. Make sure that the daemons are running on your AAA server.

410001

Error Message    %PIX|ASA-4-410001: UDP DNS request from 
source_interface:source_address/source_port to dest_interface:dest_address/dest_port; (label 
length | domain-name length) 52 bytes exceeds remaining packet length of 44 bytes. 

Explanation    This syslog message is generated when the domain-name length exceeds 255 bytes in a UDP DNS packet. (See RFC 1035 section 3.1.)

Recommended Action    None required.

410002

Error Message    %PIX|ASA-2-410002: Dropped num DNS responses with mis-matched id in 
the past sec second(s): from src_ifc:sip/sport to dest_ifc:dip/dport

Explanation    This syslog message is generated when the security device detects an excess number of DNS responses with a mismatched DNS identifier. The threshold is set by the id-mismatch DNS policy-map parameter submode command.

num—The number of ID mismatch instances as configured by the id-mismatch command.

sec—The duration in seconds as configured by the id-mismatch command.

src_ifc—The source interface name at which the DNS message is received with a mismatched DNS identifier.

sip—The source IP address.

sport—The source port.

dest_ifc—The destination interface name.

dip—The destination IP address.

dport—The destination port.

Recommended Action    A high rate of mismatched DNS identifiers might indicate an attack on the cache. Check the IP address/port in the syslog message to trace the source of the attack. You can configure ACLs to block traffic permanently from the source.

410003

Error Message    %PIX|ASA-4-410003: action_class: action DNS query_response from 
src_ifc:sip/sport to dest_ifc:dip/dport; further_info

Explanation    This syslog message is generated when a DNS classification is performed on a DNS message and the specified criteria is satisfied. Then the configured action occurs.

action_class—The "DNS Classification" action class.

action—The action taken: "Dropped," "Dropped (no TSIG)," or "Masked header flags for."

query_response—Either "query" or "response."

src_ifc—The source interface name.

sip—The source IP address.

sport—The source port.

dest_ifc—The destination interface name.

dip—The destination IP address.

dport—The destination port.

further_info—One of the following: "matched Class id: class_name," "matched Class id: match_command" (for a standalone match command), or "TSIG resource record not present" (for syslog messages generated by the tsig enforced command).

Recommended Action    None required.

410004

Error Message    %ASA-6-410004: action_class: action DNS query_response from 
src_ifc:sip/sport to dest_ifc:dip/dport; further_info

Explanation    This event is generated when a DNS classification is performed on a DNS message and the specified criteria is satisfied.

action_class—The "DNS Classification" action class.

action—The action taken: "Received" or "Received (no TSIG)."

query_response—Either "query" or "response."

src_ifc—The source interface name.

sip—The source IP address.

sport—The source port.

dest_ifc—The destination interface name.

dip—The destination IP address.

dport—The destination port.

further_info—One of the following: "matched Class id: class_name," "matched Class id: match_command" (for a standalone match command), or "TSIG resource record not present" (for syslog messages generated by the tsig enforced command).

Recommended Action    None required.

411001

Error Message    %PIX|ASA-4-411001: Line protocol on interface interface_name changed 
state to up

Explanation    The status of the line protocol has changed from down to up. If interface_name is a logical interface name such as "inside" and "outside," this message indicates that the logical interface line protocol has changed from down to up. If interface_name is a physical interface name such as "Ethernet0" and "GigabitEthernet0/1," this message indicates that the physical interface line protocol has changed from down to up.

Recommended Action    None required.

411002

Error Message    %PIX|ASA-4-411002:Line protocol on interface interface_name changed 
state to down

Explanation    The status of the line protocol has changed from up to down. If interface_name is a logical interface name such as "inside" and "outside," this message indicates that the logical interface line protocol has changed from up to down. In this case, the physical interface line protocol status is not affected. If interface_name is a physical interface name such as "Ethernet0" and "GigabitEthernet0/1," this message indicates that the physical interface line protocol has changed from up to down.

Recommended Action    If this is an unexpected event on the interface, check the physical line.

411003

Error Message    %PIX|ASA-4-411003: Configuration status on interface interface_name 
changed state to downup

Explanation    The configuration status of the interface has changed from down to up.

Recommended Action    If this is an unexpected event, check the physical line.

411004

Error Message    %PIX|ASA-4-411004: Configuration status on interface interface_name 
changed state to up

Explanation    The configuration status of the interface has changed from down to up.

Recommended Action    None required.

411005

Error Message    %ASA-4-411005: Interface variable 1 experienced a hardware transmit 
hang. The interface has been reset.

Explanation    The interface experienced a hardware transmit hang that required a reset of the ethernet controller to restore the interface to full operation. This is a known issue with Gigabit interfaces on ASA 5510, ASA 5520, ASA 5540, and ASA 5550 devices.

variable 1—The interface name, such as GigabitEthernet0/0

Recommended Action    None required.

412001

Error Message    %PIX|ASA-4-412001:MAC MAC_address moved from interface_1 to interface_2

Explanation    This message is generated when a host move is detected from one module interface to another. In a transparent security appliance, mapping between the host (MAC) and security appliance port is maintained in a Layer 2 forwarding table. The table dynamically binds packet source MAC addresses to a security appliance port. In this process, whenever movement of a host from one interface to another interface is detected, this message is generated.

Recommended Action    The host move might be valid or the host move might be an attempt to spoof host MACs on other interfaces. If it is a MAC spoof attempt, you can either locate vulnerable hosts on your network and remove them or configure static MAC entries, which will not allow MAC address and port binding to change. If it is a genuine host move, no action is required.

412002

Error Message    %PIX|ASA-4-412002:Detected bridge table full while inserting MAC 
MAC_address on interface interface. Number of entries = num

Explanation    This message is generated when the bridge table is full and an attempt is made to add one more entry. The security appliance maintains a separate Layer 2 forwarding table per context and the message is generated whenever a context exceeds its size limit. The MAC address will be added, but it will replace the oldest existing dynamic entry (if available) in the table

Recommended Action    This might be an attempted attack. Make sure that the new bridge table entries are valid. In case of attack, use EtherType ACLs to access control vulnerable hosts.

413001

Error Message    %ASA-4-413001: Module in slot slotnum is not able to shut down. Module 
Error: errnum message

Explanation    The module in slotnum was not able to comply with a request from the ASA system module to shut down. It may be performing a task that could not be interrupted, like a software upgrade. The errnum and message text describes the reason why the module could not shut down, and recommends action.

Recommended Action    Wait for the task on the module to complete before shutting down the module, or use the session command to access the CLI on the module, and stop the task that's preventing the module from shutting down.

413002

Error Message    %ASA-4-413002: Module in slot slotnum is not able to reload. Module 
Error: errnum message

Explanation    The module in slotnum was not able to comply with a request from the ASA system module to reload. It may be performing a task that could not be interrupted, like a software upgrade. The errnum and message text describes the reason why the module could not reload, and the recommended action.

Recommended Action    Wait for the task on the module to complete before reloading the module, or use the session command to access the CLI on the module and stop the task that is preventing the module from reloading.

413003

Error Message    %ASA-4-413003: Module in slot slotnum is not a recognized type

Explanation    Generated whenever a card is detected that is not recognized as a valid card type.

Recommended Action    Upgrade to a version of ASA system software that supports the module type installed.

413004

Error Message    %ASA-4-413004: Module in slot slotnum failed to write software vnewver 
(currently vver), reason. Trying again.

Explanation    The module in the specified slot number failed to accept a software version, and will be transitioned to an UNRESPONSIVE state. Another attempt will be made to update the module software.

slotnum—The slot number containing the module.

newver—The new version number of software that was not successfully written to the module (for example, 1.0(1)0).

ver—The current version number of the software on the module (for example, 1.0(1)0).

reason—The reason the new version could not be written to the module. The possible values for reason include the following:

write failure.

failed to create a thread to write the image.

Recommended Action    None required. Subsequent attempts will either generate a message indicating a successful update or failure. You may verify the module transitions to UP after a subsequent update attempt by using the show module slotnum command.

413005

Error Message    %ASA-1-413005: prod_id Module in slot slot, application is not 
supported app_name version app_vers type app_type

Explanation    The module installed in slot slot is running an unsupported application version or type.

prod_id—Product ID string.

slot—Slot = 0 indicates the system main board and slot 1 indicates the module installed in the expansion slot. For this error, slot should always be 1.

app_name—Application name (string).

app_vers—Application version (string).

app_type—Application type (decimal).

Recommended Action    If the problem persists, contact the Cisco TAC.

413006

Error Message    %ASA-4-413006: prod-id Module software version mismatch; slot slot is 
prod-id version running-vers. Slot slot prod-id requires required-vers.

Explanation    The version of software running on the module in slot slot is not the version required by another module.

slot—Slot = 0 indicates the system main board and slot 1 indicates the module installed in the expansion slot

prod_id—Product Id string for the device installed in slot slot

running_vers—Version of software currently running on the module installed in slot <slot>

required_vers—Version of software required by the module in slot slot

Recommended Action    If the problem persists, contact the Cisco TAC.

414001

Error Message    %PIX|ASA-3-414001: Failed to save logging buffer using file name 
filename to FTP server ftp_server_address on interface interface_name: [fail_reason]

Explanation    This syslog message is generated when logging module failed to save the logging buffer to external FTP server.

Recommended Action    Take appropriate action based on the failed reason:

Protocol error—Make sure no connectivity issue between the FTP server and security appliance, and FTP sever can accept FTP PORT command and put request.

Invalid username or password—Make sure that the configured FTP client username and password are correct.

All other errors—If the problem persists, contact the Cisco TAC.

414002

Error Message    %PIX|ASA-3-414002: Failed to save logging buffer to flash:/syslog 
directory using file name: filename: [fail_reason]

Explanation    This syslog message is generated when logging module failed to save the logging buffer to system flash.

Recommended Action    If the failed reason is due to insufficient space, check the system flash's free space, make sure that the configured limits of the logging flash-size command are set properly. If the error is flash file system IO error, then contact the Cisco technical support for assistance.

414003

Error Message    %ASA-3-414003: TCP Syslog Server intf: IP_Address/port not responding. 
New connections are [permitted|denied] based on logging permit-hostdown policy.

Explanation    This message indicates that the TCP syslog server for remote host logging is successful, is connected to the server, and that new connections are permitted or denied based on the logging permit-hostdown policy. If logging permit-hostdown is configured, a new connection is permitted. If not configured, a new connection is denied.

intf—Interface of the security appliance to which the server is connected

IP_Address—IP address of the remote TCP syslog server

port—Port of the remote TCP syslog server

Recommended Action    Check whether or not the configured TCP syslog server is up. To permit new connections, configure the logging permit-hostdown policy. To deny new connections, do not configure the logging permit-hostdown policy.

414004

Error Message    %ASA-6-414004: TCP Syslog Server intf: IP_Address/port - Connection 
restored

Explanation    A retry to the TCP syslog server has been successful, and the connection has been established. This message is the first to reach the syslog server after a successful connection.

intf—Interface of the security appliance to which the server is connected

IP_Address—IP address of the remote TCP syslog server

port—Port of the remote TCP syslog server

Recommended Action    None required.

415001

Error Message    %PIX|ASA-6-415001: HTTP - matched matched_string in policy-map 
map_name, header field count exceeded connection_action from 
int_type:IP_address/port_num to int_type:IP_address/port_num

Explanation    This syslog message is generated when one of the following occurs:

a. The total number of fields in the HTTP header exceeds the user-configured number of header fields. The relevant command is: match {request | response} header count num.

b. The appearance of a specified field in the HTTP header exceeds the user-configured number for this header field.The relevant command is: match {request | response} header header-name count num.

matched_string—The matched string is one of the following:

The class map ID, followed by the name of the class map. This string displays when the class map is user configured.

The actual match command that initiated the syslog message. This string displays when the class map is internal.

map_name—The name of the policy map

connection_action—"Dropping connection" or "Resetting connection."

interface_type—The type of interface, for example, DMZ, outside, and so on

IP_address—The IP address of the interface

port_num—The port number

Recommended Action    Enter the match {request | response} header command to reconfigure the HTTP header field value.

415002

Error Message    %PIX|ASA-6-415002: HTTP - matched matched_string in policy-map map_name, 
header field length exceeded connection_action from int_type:IP_address/port_num to 
int_type:IP_address/port_num

Explanation    This syslog message is generated when the specified HTTP header field length exceeds the user-configured length.

matched_string—The matched string is one of the following:

The class map ID, followed by the name of the class map. This string displays when the class map is user configured.

The actual match command that initiated the syslog message. This string displays when the class map is internal.

map_name—The name of the policy map

connection_action—"Dropping connection" or "Resetting connection."

interface_type—The type of interface, for example, DMZ, outside, and so on

IP_address—The IP address of the interface

port_num—The port number

Recommended Action    Enter the match {request | response} header header_name length gt num command to change the HTTP header field length.

415003

Error Message    %PIX|ASA-6-415003: HTTP - matched matched_string in policy-map 
map_name, body length exceeded connection_action from 
int_type:IP_address/port_num to int_type:IP_address/port_num

Explanation    This syslog message is generated when the length of the message body exceeds user-configured length.

matched_string—The matched string is one of the following:

The class map ID, followed by the name of the class map. This string displays when the class map is user configured.

The actual match command that initiated the syslog message. This string displays when the class map is internal.

map_name—The name of the policy map

connection_action—"Dropping connection" or "Resetting connection."

interface_type—The type of interface, for example, DMZ, outside, and so on

IP_address—The IP address of the interface

port_num—The port number

Recommended Action    Enter the match {request | response} body length gt num command to change the length of the message body.

415004

Error Message    %PIX|ASA-5-415004: HTTP - matched matched_string in policy-map 
map_name, content-type verification failed connection_action from 
int_type:IP_address/port_num to int_type:IP_address/port_num

Explanation    This syslog message is generated when the "magic number" in the body of the HTTP message is not the correct magic number for the mime-type specified in the "content-type" field in the HTTP message header.

matched_string—The matched string is one of the following:

The class map ID, followed by the name of the class map. This string displays when the class map is user configured.

The actual match command that initiated the syslog message. This string displays when the class map is internal.

map_name—The name of the policy map

connection_action—"Dropping connection" or "Resetting connection."

interface_type—The type of interface, for example, DMZ, outside, and so on.

IP_address—The IP address of the interface

port_num—The port number

Recommended Action    Enter the match {request | response} header content-type violation command to correct the error.

415005

Error Message    %PIX|ASA-5-415005: HTTP - matched matched_string in policy-map 
map_name, URI length exceeded connection_action from int_type:IP_address/port_num 
to int_type:IP_address/port_num

Explanation    This syslog message is generated when the length of the URI exceeds the user-configured length.

matched_string—The matched string is one of the following:

The class map ID, followed by the name of the class map. This string displays when the class map is user configured.

The actual match command that initiated the syslog message. This string displays when the class map is internal.

map_name—The name of the policy map.

connection_action—"Dropping connection" or "Resetting connection."

interface_type—The type of interface, for example, DMZ, outside, and so on.

IP_address—The IP address of the interface.

port_num—The port number.

Recommended Action    Enter the match request uri length gt num command to change the length of the URI.

415006

Error Message    %PIX|ASA-5-415006: HTTP - matched matched_string in policy-map map_name, 
URI matched connection_action from int_type:IP_address/port_num to 
int_type:IP_address/port_num

Explanation    This syslog message is generated when the URI matches the regular expression that the user configured. See the match request uri regex {regex-name | class class-name} command for more information.

matched_string—The matched string is one of the following:

The class map ID, followed by the name of the class map. This string displays when the class map is user configured.

The actual match command that initiated the syslog message. This string displays when the class map is internal.

map_name—The name of the policy map.

connection_action—"Dropping connection" or "Resetting connection."

interface_type—The type of interface, for example, DMZ, outside, and so on.

IP_address—The IP address of the interface.

port_num—The port number.

Recommended Action    None required.

415007

Error Message    %PIX|ASA-5-415007: HTTP - matched matched_string in policy-map 
map_name, Body matched connection_action from int_type:IP_address/port_num to 
int_type:IP_address/port_num

Explanation    This syslog message is generated when the message body matches the regular expression that the user configured. See the match {request | response} body regex {regex-name | class class-name} command for more information.

matched_string—The matched string is one of the following:

The class map ID, followed by the name of the class map. This string displays when the class map is user configured.

The actual match command that initiated the syslog message. This string displays when the class map is internal.

map_name—The name of the policy map.

connection_action—"Dropping connection" or "Resetting connection."

interface_type—The type of interface, for example, DMZ, outside, and so on.

IP_address—The IP address of the interface.

port_num—The port number.

Recommended Action    None required.

415008

Error Message    %PIX|ASA-5-415008: HTTP - matched matched_string in policy-map 
map_name, header matched connection_action from int_type:IP_address/port_num to 
int_type:IP_address/port_num

Explanation    This syslog message is generated when a value in a user-specified field in the message header matches the regular expression that the user configured. See the match {request | response } header header-field-name {regex-name | class class-name} command for more information.

matched_string—The matched string is one of the following:

The class map ID, followed by the name of the class map. This string displays when the class map is user configured.

The actual match command that initiated the syslog message. This string displays when the class map is internal.

map_name—The name of the policy map.

connection_action—"Dropping connection" or "Resetting connection."

interface_type—The type of interface, for example, DMZ, outside, and so on.

IP_address—The IP address of the interface.

port_num—The port number.

Recommended Action    None required.

415009

Error Message    %PIX|ASA-5-415009: HTTP - matched matched_string in policy-map 
map_name, method matched connection_action from int_type:IP_address/port_num to 
int_type:IP_address/port_num

Explanation    This syslog message is generated when the HTTP method matches the user-configured regular expression. See the match request method {regex-name | class class-name} command for more information.

matched_string—The matched string is one of the following:

The class map ID, followed by the name of the class map. This string displays when the class map is user configured.

The actual match command that initiated the syslog message. This string displays when the class map is internal.

map_name—The name of the policy map.

connection_action—"Dropping connection" or "Resetting connection."

interface_type—The type of interface, for example, DMZ, outside, and so on.

IP_address—The IP address of the interface.

port_num—The port number.

Recommended Action    None required.

415010

Error Message    %PIX|ASA-5-415010: matched matched_string in policy-map map_name, transfer 
encoding matched connection_action from int_type:IP_address/port_num to 
int_type:IP_address/port_num

Explanation    This syslog message is issued when the value in the "transfer encoding" field matches the user-configured regular expression or keyword. See the match {request | response} header transfer-encoding {{regex-name | class class-name} | keyword} command for more information.

matched_string—The matched string is one of the following:

The class map ID, followed by the name of the class map. This string displays when the class map is user configured.

The actual match command that initiated the syslog message. This string displays when the class map is internal.

map_name—The name of the policy map.

connection_action—"Dropping connection" or "Resetting connection."

interface_type—The type of interface, for example, DMZ, outside, and so on.

IP_address—The IP address of the interface.

port_num—The port number.

Recommended Action    None required.

415011

Error Message    %PIX|ASA-5-415011: HTTP - policy-map map_name:Protocol violation 
connection_action from int_type:IP_address/port_num to 
int_type:IP_address/port_num

Explanation    This syslog message is generated when the HTTP parser cannot detect a valid HTTP message in the first few bytes of an HTTP message.

map_name—The name of the policy map.

connection_action—"Dropping connection" or "Resetting connection."

interface_type—The type of interface, for example, DMZ, outside, and so on.

IP_address—The IP address of the interface.

port_num—The port number.

Recommended Action    Enter the protocol-violation action {drop | reset} log command to correct the problem.

415012

Error Message    %PIX|ASA-5-415012: HTTP - matched matched_string in policy-map 
map_name, Unknown mime-type connection_action from int_type:IP_address/port_num to 
int_type:IP_address/port_num

Explanation    This syslog message is generated when the "content-type" field does not contain a mime type that matches a built-in mime type.

matched_string—The matched string is one of the following:

The class map ID, followed by the name of the class map. This string displays when the class map is user configured.

The actual match command that initiated the syslog message. This string displays when the class map is internal.

map_name—The name of the policy map.

connection_action—"Dropping connection" or "Resetting connection."

interface_type—The type of interface, for example, DMZ, outside, and so on.

IP_address—The IP address of the interface.

port_num—The port number.

Recommended Action    Enter the match {request | response} header content-type unknown command to correct the problem.

415013

Error Message    %PIX|ASA-5-415013: HTTP - policy-map map-name:Malformed chunked 
encoding connection_action from int_type:IP_address/port_num to 
int_type:IP_address/port_num

Explanation    This syslog message is generated when a chunked encoding is malformed and the HTTP message cannot be parse, and whenever logging for the protocol-violation command is configured.

map-name— The name of the policy map.

connection_action—"Dropping connection" or "Resetting connection."

interface_type—The type of interface, for example, DMZ, outside, and so on.

IP_address—The IP address of the interface.

port_num—The port number.

Recommended Action    Enter the protocol-violation action {drop | reset} log command to correct the problem.

415014

Error Message    %PIX|ASA-5-415014: HTTP - matched matched_string in policy-map 
map_name, Mime-type in response wasn't found in the accept-types of the request 
connection_action from int_type:IP_address/port_num to 
int_type:IP_address/port_num

Explanation    This syslog message is generated when the mime type in an HTTP response is not in the "accept" field of the request.

matched_string—The matched string is one of the following:

The class map ID, followed by the name of the class map. This string displays when the class map is user configured.

The actual match command that initiated the syslog message. This string displays when the class map is internal.

map_name—The name of the policy map.

connection_action—"Dropping connection" or "Resetting connection."

interface_type—The type of interface, for example, DMZ, outside, and so on.

IP_address—The IP address of the interface.

port_num—The port number.

Recommended Action    Enter the match req-resp content-type mismatch command to correct the problem.

415015

Error Message    %PIX|ASA-5-415015: HTTP - matched matched_string in policy-map map_name, 
transfer-encoding unknown connection_action from int_type:IP_address/port_num to 
int_type:IP_address/port_num

Explanation    This syslog message is generated when the an empty transfer encoding occurs.