Table Of Contents
Syslog Messages
This chapter lists the syslog messages in numerical order.
Note
When a number is skipped in a sequence, the message is no longer in the adaptive security appliance code.
For information about how to configure logging and SNMP, see the Cisco ASA 5500 Series Configuration Guide using the CLI.
Table 1-1 lists the syslog message classes and the ranges of syslog message IDs that are associated with each class. The valid range for syslog message IDs is between 100000 and 999999.
This chapter includes the following sections:
Messages 101001 to 199012
This section includes messages from 101001 to 199012.
101001
Error Message %ASA-1-101001: (Primary) Failover cable OK.Explanation This is a failover message, which reports that the failover cable is present and functioning correctly. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
101002
Error Message %ASA-1-101002: (Primary) Bad failover cable.Explanation This is a failover message, which reports that the failover cable is present but not functioning correctly. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Replace the failover cable.
101003, 101004
Error Message %ASA-1-101003: (Primary) Failover cable not connected (this unit).Error Message %ASA-1-101004: (Primary) Failover cable not connected (other unit).Explanation Both instances are failover messages, which are logged when failover mode is enabled, but the failover cable is not connected to one unit of the failover pair. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Connect the failover cable to both units of the failover pair.
101005
Error Message %ASA-1-101005: (Primary) Error reading failover cable status.Explanation This is a failover message, which is displayed if the failover cable is connected, but the primary unit is unable to determine its status.
Recommended Action Replace the cable.
102001
Error Message %ASA-1-102001: (Primary) Power failure/System reload other side.Explanation This is a failover message, which is logged if the primary unit detects a system reload or a power failure on the other unit. "Primary" can also be listed as "Secondary" for the secondary unit.
Recommended Action On the unit that experienced the reload, issue the show crashinfo command to determine if there is a traceback associated with the reload. Also verify that the unit is powered on and that power cables are correctly connected.
103001
Error Message %ASA-1-103001: (Primary) No response from other firewall (reason code = code).Explanation This is a failover message, which is displayed if the primary unit is unable to communicate with the secondary unit over the failover cable. (Primary) can also be listed as (Secondary). for the secondary unit. Table 1-2 lists the reason codes and the descriptions to determine why the failover occurred.
Recommended Action Verify that the failover cable is connected correctly and both units have the same hardware, software, and configuration. If the problem persists, contact the Cisco TAC.
103002
Error Message %ASA-1-103002: (Primary) Other firewall network interface interface_number OK.Explanation This is a failover message, which is displayed when the primary unit detects that the network interface on the secondary unit is okay. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
103003
Error Message %ASA-1-103003: (Primary) Other firewall network interface interface_number failed.Explanation This is a failover message. This message is displayed if the primary unit detects a bad network interface on the secondary unit. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Check the network connections on the secondary unit and check the network hub connection. If necessary, replace the failed network interface.
103004
Error Message %ASA-1-103004: (Primary) Other firewall reports this firewall failed.Explanation This is a failover message, which is displayed if the primary unit receives a message from the secondary unit indicating that the primary has failed. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Verify the status of the primary unit.
103005
Error Message %ASA-1-103005: (Primary) Other firewall reporting failure.Explanation This is a failover message, which is displayed if the secondary unit reports a failure to the primary unit. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Verify the status of the secondary unit.
103006
Error Message %ASA-1-103006: (Primary|Secondary) Mate version ver_num is not compatible with ours ver_numExplanation This message appears when the adaptive security appliance detects that a peer unit is running a version that is different than the local unit and is not compatible with the HA Hitless Upgrade feature.
•
Recommended Action Install the same or a compatible version image on both firewall units.
103007
Error Message %ASA-1-103007: (Primary|Secondary) Mate version ver_num is not identical with ours ver_numExplanation This message appears when the adaptive security appliance detects that the peer unit is running a version that is not identical, but supports Hitless Upgrade and is compatible with the local unit. The system performance could be degraded because the image version is not identical, and the adaptive security appliancecould develop a stability issue if the non-identical image runs for an extended period.
•
Recommended Action Install the same image version on both units as soon as possible.
104001, 104002
Error Message %ASA-1-104001: (Primary) Switching to ACTIVE (cause: string).Error Message %ASA-1-104002: (Primary) Switching to STNDBY (cause: string).Explanation Both instances are failover messages, which usually are logged when you force the pair to switch roles, either by entering the failover active command on the standby unit, or the no failover active command on the active unit. (Primary) can also be listed as (Secondary) for the secondary unit. Possible values for the string variable are as follows:
•
•
•
•
•
•
•
Recommended Action If the message occurs because of manual intervention, no action is required. Otherwise, use the cause reported by the secondary unit to verify the status of both units of the pair.
104003
Error Message %ASA-1-104003: (Primary) Switching to FAILED.Explanation This is a failover message, which is displayed when the primary unit fails.
Recommended Action Check the syslog messages for the primary unit for an indication of the nature of the problem (see syslog message 104001). (Primary) can also be listed as (Secondary) for the secondary unit.
104004
Error Message %ASA-1-104004: (Primary) Switching to OK.Explanation This is a failover message, which is displayed when a previously failed unit now reports that it is operating again. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
105001
Error Message %ASA-1-105001: (Primary) Disabling failover.Explanation In version 7.x and later, this message may indicate the following: failover has been automatically disabled because of a mode mismatch (single or multiple), a license mismatch (encryption or context), or a hardware difference (one unit has an IPS SSM installed, and its peer has a CSC SSM installed). (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
105002
Error Message %ASA-1-105002: (Primary) Enabling failover.Explanation This is a failover message, which is displayed when you enter the failover command with no arguments on the console, after having previously disabled failover. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
105003
Error Message %ASA-1-105003: (Primary) Monitoring on interface interface_name waitingExplanation This is a failover message. The adaptive security appliance is testing the specified network interface with the other unit of the failover pair. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required. The adaptive security appliance monitors its network interfaces frequently during normal operations.
105004
Error Message %ASA-1-105004: (Primary) Monitoring on interface interface_name normalExplanation This is a failover message that indicates that the test of the specified network interface was successful. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
105005
Error Message %ASA-1-105005: (Primary) Lost Failover communications with mate on interface interface_name.Explanation This is a failover message, which is displayed if this unit of the failover pair can no longer communicate with the other unit of the pair. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Verify that the network connected to the specified interface is functioning correctly.
105006, 105007
Error Message %ASA-1-105006: (Primary) Link status `Up' on interface interface_name.Error Message %ASA-1-105007: (Primary) Link status `Down' on interface interface_name.Explanation Both instances are failover messages, which report the results of monitoring the link status of the specified interface. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action If the link status is down, verify that the network connected to the specified interface is operating correctly.
105008
Error Message %ASA-1-105008: (Primary) Testing interface interface_name.Explanation This is a failover message, which is displayed when the tests a specified network interface. This testing is performed only if the adaptive security appliance fails to receive a message from the standby unit on that interface after the expected interval. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
105009
Error Message %ASA-1-105009: (Primary) Testing on interface interface_name {Passed|Failed}.Explanation This is a failover message, which reports the result (either Passed or Failed) of a previous interface test. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required if the result is Passed. If the result is Failed, you should check the network cable connection to both failover units, that the network itself is functioning correctly, and verify the status of the standby unit.
105010
Error Message %ASA-3-105010: (Primary) Failover message block alloc failedExplanation Block memory was depleted. This is a transient message and the adaptive security appliance should recover. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Use the show blocks command to monitor the current block memory.
105011
Error Message %ASA-1-105011: (Primary) Failover cable communication failureExplanation The failover cable is not permitting communication between the primary and secondary units. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Ensure that the cable is connected correctly.
105020
Error Message %ASA-1-105020: (Primary) Incomplete/slow config replicationExplanation When a failover occurs, the active adaptive security appliance detects a partial configuration in memory. Normally, this is caused by an interruption in the replication service. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Once the failover is detected by the adaptive security appliance, the adaptive security appliance automatically reloads itself and loads configuration from flash memory and/or resynchronizes with another adaptive security appliance. If failovers happen continuously, check the failover configuration and make sure both adaptive security appliance units can communicate with each other.
105021
Error Message %ASA-1-105021: (failover_unit) Standby unit failed to sync due to a locked context_name config. Lock held by lock_owner_nameExplanation During configuration synchronizing, a standby unit will reload itself if some other process locks the configuration for more than 5 minutes, which prevents the failover process from applying the new configuration. This can occur when an administrator pages through a running configuration on the standby unit while configuration synchronization is in process. See also the show running-config EXEC command and the pager lines num CONFIG command.
Recommended Action Avoid viewing or modifying configuration on standby unit when it first comes up and is in the process of establishing a failover connection with the active unit.
105031
Error Message %ASA-1-105031: Failover LAN interface is upExplanation The LAN failover interface link is up.
Recommended Action None required.
105032
Error Message %ASA-1-105032: LAN Failover interface is downExplanation The LAN failover interface link is down.
Recommended Action Check the connectivity of the LAN failover interface. Make sure that the speed/duplex setting is correct.
105034
Error Message %ASA-1-105034: Receive a LAN_FAILOVER_UP message from peer.Explanation The peer has just booted and sent the initial contact message.
Recommended Action None required.
105035
Error Message %ASA-1-105035: Receive a LAN failover interface down msg from peer.Explanation The peer LAN failover interface link is down. The unit switches to active mode if it is in standby mode.
Recommended Action Check the connectivity of the peer LAN failover interface.
105036
Error Message %ASA-1-105036: dropped a LAN Failover command message.Explanation The adaptive security appliance dropped an unacknowledged LAN failover command message, indicating a connectivity problem on the LAN failover interface.
Recommended Action Check that the LAN interface cable is connected.
105037
Error Message %ASA-1-105037: The primary and standby units are switching back and forth as the active unit.Explanation The primary and standby units are switching back and forth as the active unit, indicating a LAN failover connectivity problem or software bug.
Recommended Action Check that the LAN interface cable is connected.
105038
Error Message %ASA-1-105038: (Primary) Interface count mismatchExplanation When a failover occurs, the active adaptive security appliance detects a partial configuration in memory. Normally, this is caused by an interruption in the replication service. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Once the failover is detected by the adaptive security appliance, the adaptive security appliance automatically reloads itself and loads the configuration from flash memory and/or resynchronizes with another adaptive security appliance. If failovers happen continuously, check the failover configuration and make sure that both adaptive security appliance units can communicate with each other.
105039
Error Message %ASA-1-105039: (Primary) Unable to verify the Interface count with mate. Failover may be disabled in mate.Explanation Failover initially verifies that the number of interfaces configured on the primary and secondary adaptive security appliances are the same. This message indicates that the primary adaptive security appliance is not able to verify the number of interfaces configured on the secondary adaptive security appliance. This message indicates that the primary adaptive security appliance is not able communicate with the secondary adaptive security appliance over the failover interface. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Verify the failover LAN, interface configuration, and status on the primary and secondary adaptive security appliances. Make sure that the secondary adaptive security appliance is running the adaptive security appliance application and that failover is enabled.
105040
Error Message %ASA-1-105040: (Primary) Mate failover version is not compatible.Explanation The primary and secondary adaptive security appliance should run the same failover software version to act as a failover pair. This message indicates that the secondary adaptive security appliance failover software version is not compatible with the primary adaptive security appliance. Failover is disabled on the primary adaptive security appliance. (Primary) can also be listed as (Secondary) for the secondary adaptive security appliance.
Recommended Action Maintain consistent software versions between the primary and secondary adaptive security appliances to enable failover.
105042
Error Message %ASA-1-105042: (Primary) Failover interface OKExplanation The LAN failover interface link is up.
Explanation The interface used to send failover messages to the secondary adaptive security appliance is functioning. (Primary) can also be listed as (Secondary) for the secondary adaptive security appliance.
Recommended Action None required.
105043
Error Message %ASA-1-105043: (Primary) Failover interface failedExplanation The LAN failover interface link is down.
Recommended Action Check the connectivity of the LAN failover interface. Make sure that the speed/duplex setting is correct.
105044
Error Message %ASA-1-105044: (Primary) Mate operational mode mode is not compatible with my mode mode.Explanation When the operational mode (single or multi) does not match between failover peers, failover will be disabled.
Recommended Action Configure the failover peers to have the same operational mode, and then reenable failover.
105045
Error Message %ASA-1-105045: (Primary) Mate license (number contexts) is not compatible with my license (number contexts).Explanation When the feature licenses do not match between failover peers, failover will be disabled.
Recommended Action Configure the failover peers to have the same feature license, and then reenable failover.
105046
Error Message %ASA-1-105046 (Primary|Secondary) Mate has a different chassisExplanation This message is issued when two failover units have a different type of chassis. For example, if one has a 3-slot chassis, the other has a 6-slot chassis.
Recommended Action Make sure that the two failover units are the same.
105047
Error Message %ASA-1-105047: Mate has a io_card_name1 card in slot slot_number which is different from my io_card_name2Explanation The two failover units have different types of cards in their respective slots.
Recommended Action Make sure that the card configurations for the failover units are the same.
105048
Error Message %ASA-1-105048: (unit) Mate's service module (application) is different from mine (application)Explanation The failover process detected that different applications are running on the service modules in the active and standby units. The two failover units are incompatible if different service modules are used.
•
•
Recommended Action Make sure that both units have identical service modules before trying to reenable failover.
106001
Error Message %ASA-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_nameExplanation This is a connection-related message, which occurs when an attempt to connect to an inside address is denied by the security policy that is defined for the specified traffic type. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the adaptive security appliance, and it was dropped. The tcp_flags in this packet are FIN and ACK.
The tcp_flags are as follows:
•
•
•
•
•
•
Recommended Action None required.
106002
Error Message %ASA-2-106002: protocol Connection denied by outbound list acl_ID src inside_address dest outside_addressExplanation This is a connection-related message, which is displayed if the specified connection fails because of an outbound deny command. The protocol variable can be ICMP, TCP, or UDP.
Recommended Action Use the show outbound command to check outbound lists.
106006
Error Message %ASA-2-106006: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name.Explanation This is a connection-related message, which is displayed if an inbound UDP packet is denied by the security policy that is defined for the specified traffic type.
Recommended Action None required.
106007
Error Message %ASA-2-106007: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port due to DNS {Response|Query}.Explanation This is a connection-related message, which is displayed if a UDP packet containing a DNS query or response is denied.
Recommended Action If the inside port number is 53, the inside host probably is set up as a caching name server. Add an access-list command statement to permit traffic on UDP port 53 and a translation entry for the inside host. If the outside port number is 53, a DNS server was probably too slow to respond, and the query was answered by another server.
106010
Error Message %ASA-3-106010: Deny inbound protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_portExplanation This is a connection-related message, which is displayed if an inbound connection is denied by your security policy.
Recommended Action Modify the security policy if traffic should be permitted. If the message occurs at regular intervals, contact the remote peer administrator.
106011
Error Message %ASA-3-106011: Deny inbound (No xlate) stringExplanation The message will appear under normal traffic conditions if there are internal users that are accessing the Internet through a web browser. Any time a connection is reset, when the host at the end of the connection sends a packet after the adaptive security appliance receives the reset, this message will appear. It can typically be ignored.
Recommended Action Prevent this syslog message from getting logged to the syslog server by entering the no logging message 106011 command.
106012
Error Message %ASA-6-106012: Deny IP from IP_address to IP_address, IP options hex.Explanation This is a packet integrity check message. An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.
Recommended Action Contact the remote host system administrator to determine the problem. Check the local site for loose source routing or strict source routing.
106013
Error Message %ASA-2-106013: Dropping echo request from IP_address to PAT address IP_addressExplanation The adaptive security appliance discarded an inbound ICMP Echo Request packet with a destination address that corresponds to a PAT global address. The inbound packet is discarded because it cannot specify which PAT host should receive the packet.
Recommended Action None required.
106014
Error Message %ASA-3-106014: Deny inbound icmp src interface_name: IP_address dst interface_name: IP_address (type dec, code dec)Explanation The adaptive security appliance denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted.
Recommended Action None required.
106015
Error Message %ASA-6-106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.Explanation The adaptive security appliance discarded a TCP packet that has no associated connection in the adaptive security appliance connection table. The adaptive security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the adaptive security appliance discards the packet.
Recommended Action None required unless the adaptive security appliance receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.
106016
Error Message %ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.Explanation This message is generated when a packet arrives at the adaptive security appliance interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the adaptive security appliance interface. In addition, this message is generated when the adaptive security appliance discarded a packet with an invalid source address, which may include one of the following or some other invalid address:
•
•
•
To further enhance spoof packet detection, use the icmp command to configure the adaptive security appliance to discard packets with source addresses belonging to the internal network, because the access-list command has been deprecated and is no longer guaranteed to work correctly.
Recommended Action Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
106017
Error Message %ASA-2-106017: Deny IP due to Land Attack from IP_address to IP_addressExplanation The adaptive security appliance received a packet with the IP source address equal to the IP destination, and the destination port equal to the source port. This message indicates a spoofed packet that is designed to attack systems. This attack is referred to as a Land Attack.
Recommended Action If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.
106018
Error Message %ASA-2-106018: ICMP packet type ICMP_type denied by outbound list acl_ID src inside_address dest outside_addressExplanation The outgoing ICMP packet with the specified ICMP from local host (inside_address) to the foreign host (outside_address) was denied by the outbound ACL list.
Recommended Action None required.
106020
Error Message %ASA-2-106020: Deny IP teardrop fragment (size = number, offset = number) from IP_address to IP_addressExplanation The adaptive security appliance discarded an IP packet with a teardrop signature containing either a small offset or fragment overlapping. This is a hostile event that circumvents the adaptive security appliance or an Intrusion Detection System.
Recommended Action Contact the remote peer administrator or escalate this issue according to your security policy.
106021
Error Message %ASA-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_nameExplanation An attack is in progress. Someone is attempting to spoof an IP address on an inbound connection. Unicast RPF, also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your adaptive security appliance.
This message appears when you have enabled Unicast RPF with the ip verify reverse-path command. This feature works on packets input to an interface; if it is configured on the outside, then the adaptive security appliance checks packets arriving from the outside.
The adaptive security appliance looks up a route based on the source_address. If an entry is not found and a route is not defined, then this syslog message appears and the connection is dropped.
If there is a route, the adaptive security appliance checks which interface it corresponds to. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination. The adaptive security appliance does not support asymmetric routing.
If the adaptive security appliance is configured on an internal interface, it checks static route command statements or RIP, and if the source_address is not found, then an internal user is spoofing their address.
Recommended Action Even though an attack is in progress, if this feature is enabled, no user action is required. The adaptive security appliance repels the attack.
106022
Error Message %ASA-1-106022: Deny protocol connection spoof from source_address to dest_address on interface interface_nameExplanation A packet matching a connection arrives on a different interface from the interface that the connection began on.
For example, if a user starts a connection on the inside interface, but the adaptive security appliance detects the same connection arriving on a perimeter interface, the adaptive security appliance has more than one path to a destination. This is known as asymmetric routing and is not supported on the adaptive security appliance.
An attacker also might be attempting to append packets from one connection to another as a way to break into the adaptive security appliance. In either case, the adaptive security appliance displays this message and drops the connection.
Recommended Action This message appears when the ip verify reverse-path command is not configured. Check that the routing is not asymmetric.
106023
Error Message %ASA-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_IDExplanation An IP packet was denied by the ACL. This message displays even if you do not have the log option enabled for an ACL.
Recommended Action If messages persist from the same source address, messages might indicate a foot-printing or port-scanning attempt. Contact the remote host administrator.
106024
Error Message %ASA-2-106024: Access rules memory exhaustedExplanation The access list compilation process has run out of memory. All configuration information that has been added since the last successful access list was removed from the system, and the most recently compiled set of access lists will continue to be used.
Recommended Action Access lists, AAA, ICMP, SSH, Telnet, and other rule types are stored and compiled as access list rule types. Remove some of these rule types so that others can be added.
106025, 106026
Error Message %ASA-6-106025: Failed to determine the security context for the packet:sourceVlan:source_address dest_address source_port dest_port protocolError Message %ASA-6-106026: Failed to determine the security context for the packet:sourceVlan:source_address dest_address source_port dest_port protocolExplanation The security context of the packet in multiple context mode cannot be determined. Both messages can be generated for IP packets being dropped in either router and transparent mode.
Recommended Action None required.
106027
Error Message %ASA-4-106027:Failed to determine the security context for the packet:vlansource Vlan#:ethertype src sourceMAC dst destMACExplanation The security context of the packet in multiple context mode cannot be determined. This message is generated for non-IP packets being dropped in transparent mode only.
Recommended Action None required.
106100
Error Message %ASA-6-106100: access-list acl_ID {permitted | denied | est-allowed} protocol interface_name/source_address(source_port) - interface_name/dest_address(dest_port) hit-cnt number ({first hit | number-second interval}) hash codesExplanation If you configured the log argument for the access-list command, the packets matched an ACL statement. The message level depends on the level set in the access-list command (by default, the level is 6). The message indicates either the initial occurrence or the total number of occurrences during an interval. This message provides more information than message 106023, which only logs denied packets, and does not include the hit count or a configurable level.
When an access-list line has the log argument, it is expected that this syslog ID might be triggered because of a non-synchronized packet reaching the adaptive security appliance and being evaluated by the access-list. For example, if an ACK packet is received on the adaptive security appliance (for which no TCP connection exists in the connection table), the device might generate syslog 106100, indicating that the packet was permitted; however, the packet is later correctly dropped because of no matching connection.
The following list describes the message values:
permitted | denied | est-allowed—These values specify if the packet was permitted or denied by the ACL. If the value is est-allowed, the packet was denied by the ACL but was allowed for an already established session (for example, an internal user is allowed to accesss the Internet, and responding packets that would normally be denied by the ACL are accepted).
•
•
•
•
•
•
•
•
•
•
Recommended Action None required.
106101
Error Message %ASA-1-106101 The number of ACL log deny-flows has reached limit (number).Explanation If you configured the log option for an ACL deny statement (access-list id deny command), and a traffic flow matches the ACL statement, the adaptive security appliance caches the flow information. This message indicates that the number of matching flows that are cached on the adaptive security appliance exceeds the user-configured limit (using the access-list deny-flow-max command). This message might be generated as a result of a DoS attack.
•
Recommended Action None required.
106102
Error Message %ASA-6-106102: access-list acl_ID {permitted|denied} protocol interface_name/source_address source_port interface_name/dest_address dest_port hit-cnt number {first hit|number-second interval}Explanation This message indicates that a packet was either permitted or denied by an access-list that is applied through a VPN filter.
Recommended Action None required.
107001
Error Message %ASA-1-107001: RIP auth failed from IP_address: version=number, type=string, mode=string, sequence=number on interface interface_nameExplanation This is an alert log message. The adaptive security appliance received a RIP reply message with bad authentication. This message might be caused by a misconfiguration on the router or the adaptive security appliance or by an unsuccessful attempt to attack the routing table of the adaptive security appliance.
Recommended Action This message indicates a possible attack and should be monitored. If you are not familiar with the source IP address listed in this message, change your RIP authentication keys between trusted entities. An attacker might be trying to determine the existing keys.
107002
Error Message %ASA-1-107002: RIP pkt failed from IP_address: version=number on interface interface_nameExplanation This is an alert log message. This message could be caused by a router bug, a packet with non-RFC values inside, or a malformed entry. This should not happen, and may be an attempt to exploit the routing table of the adaptive security appliance.
Recommended Action This message indicates a possible attack and should be monitored. The packet has passed authentication, if enabled, and bad data is in the packet. Monitor the situation and change the keys if there are any doubts about the originator of the packet.
108002
Error Message %ASA-2-108002: SMTP replaced string: out source_address in inside_address data: stringExplanation This is a Mail Guard (SMTP) message generated by the inspect esmtp command. This message is displayed if the adaptive security appliance replaces an invalid character in an e-mail address with a space.
Recommended Action None required.
108003
Error Message %ASA-2-108003: Terminating ESMTP/SMTP connection; malicious pattern detected in the mail address from source_interface:source_address/source_port to dest_interface:dest_address/dset_port. Data:stringExplanation This message is generated by Mail Guard (SMTP). This message is displayed if the adaptive security appliance detects malicious pattern in an e-mail address and drops the connection. This indicates an attack in progress.
Recommended Action None required.
108004
Error Message %ASA-4-108004: action_class: action ESMTP req_resp from src_ifc:sip|sport to dest_ifc:dip|dport;further_infoExplanation This event is generated when an ESMTP classification is performed on an ESMTP message, and the specified criteria are satisfied. The configured action is taken.
•
•
•
•
•
•
•
•
For a single match command: matched Class id: match_command (for example, matched Class 1234: match body length 100).
For parameter commands: parameter-command: descriptive-message (for example, mail-relay: No Mail Relay allowed)
Recommended Action None required.
108005
Error Message %ASA-6-108005: action_class: Received ESMTP req_resp from src_ifc:sip|sport to dest_ifc:dip|dport;further_infoExplanation This event is generated when an ESMTP classification is performed on an ESMTP message, and the specified criteria are satisfied. The standalone log action is taken.
•
•
•
•
•
•
•
For a single match command: matched Class id: match_command (for example, matched Class 1234: match body length 100)
For parameter commands (commands under the parameter section): parameter-command: descriptive-message (for example, mail-relay: No Mail Relay allowed)
Recommended Action None required.
108006
Error Message %ASA-7-108006: Detected ESMTP size violation from src_ifc:sip|sport to dest_ifc:dip|dport;declared size is: decl_size, actual size is act_size.Explanation This event is generated when an ESMTP message size exceeds the size declared in the RCPT command.
•
•
•
•
•
•
Recommended Action None required.
108007
Error Message %ASA-6-108007: TLS started on ESMTP session between client client-side interface-name: client IP address/client port and server server-side interface-name: server IP address/server portExplanation This message indicates that on an ESMTP connection, the server has responded with a 220 reply code to the client STARTTLS command. The ESMTP inspection engine no longer inspects the traffic on this connection.
•
•
•
•
•
•
Recommended Action Log and review the message. Check whether the ESMTP policy map associated with this connection has the following setting: "allow-tls action log." If not, contact the Cisco TAC.
109001
Error Message %ASA-6-109001: Auth start for user user from inside_address/inside_port to outside_address/outside_portExplanation This is a AAA message, which is displayed if the adaptive security appliance is configured for AAA and detects an authentication request by the specified user.
Recommended Action None required.
109002
Error Message %ASA-6-109002: Auth from inside_address/inside_port to outside_address/outside_port failed (server IP_address failed) on interface interface_name.Explanation This is a AAA message, which is displayed if an authentication request fails because the specified authentication server cannot be contacted by the module.
Recommended Action Check that the authentication daemon is running on the specified authentication server.
109003
Error Message %ASA-6-109003: Auth from inside_address to outside_address/outside_port failed (all servers failed) on interface interface_name, so marking all servers ACTIVE again.Explanation This is a AAA message, which is displayed if no authentication server can be found.
Recommended Action Ping the authentication servers from the adaptive security appliance. Make sure that the daemons are running.
109005
Error Message %ASA-6-109005: Authentication succeeded for user user from inside_address/inside_port to outside_address/outside_port on interface interface_name.Explanation This is a AAA message, which is displayed when the specified authentication request succeeds.
Recommended Action None required.
109006
Error Message %ASA-6-109006: Authentication failed for user user from inside_address/inside_port to outside_address/outside_port on interface interface_name.Explanation This is a AAA message. This message is displayed if the specified authentication request fails, possibly because of an incorrect password.
Recommended Action None required.
109007
Error Message %ASA-6-109007: Authorization permitted for user user from inside_address/inside_port to outside_address/outside_port on interface interface_name.Explanation This is a AAA message. This message is displayed when the specified authorization request succeeds.
Recommended Action None required.
109008
Error Message %ASA-6-109008: Authorization denied for user user from outside_address/outside_port to inside_address/ inside_port on interface interface_name.Explanation This is a AAA message, which is is displayed if a user is not authorized to access the specified address, possibly because of an incorrect password.
Recommended Action None required.
109010
Error Message %ASA-3-109010: Auth from inside_address/inside_port to outside_address/outside_port failed (too many pending auths) on interface interface_name.Explanation This is a AAA message, which is displayed if an authentication request cannot be processed because the server has too many requests pending.
Recommended Action Check to see if the authentication server is too slow to respond to authentication requests. Enable the Flood Defender feature with the floodguard enable command.
109011
Error Message %ASA-2-109011: Authen Session Start: user 'user', sid numberExplanation An authentication session started between the host and the adaptive security appliance and has not yet completed.
Recommended Action None required.
109012
Error Message %ASA-5-109012: Authen Session End: user 'user', sid number, elapsed number secondsExplanation The authentication cache has timed out. Users must reauthenticate on their next connection. You can change the duration of this timer with the timeout uauth command.
Recommended Action None required.
109013
Error Message %ASA-3-109013: User must authenticate before using this serviceExplanation The user must be authenticated before using the service.
Recommended Action Authenticate using FTP, Telnet, or HTTP before using the service.
109014
Error Message %ASA-7-109014: uauth_lookup_net fail for uauth_in()Explanation A request to authenticate did not have a corresponding request for authorization.
Recommended Action Ensure that both the aaa authentication and aaa authorization command statements are included in the configuration.
109016
Error Message %ASA-3-109016: Can't find authorization ACL acl_ID for user 'user'Explanation The access control list specified on the AAA server for this user does not exist on the adaptive security appliance. This error can occur if you configure the AAA server before you configure the adaptive security appliance. The Vendor-Specific Attribute (VSA) on your AAA server might be one of the following values:
•
•
•
Recommended Action Add the ACL to the adaptive security appliance, making sure to use the same name specified on the AAA server.
109017
Error Message %ASA-4-109017: User at IP_address exceeded auth proxy connection limit (max)Explanation A user has exceeded the user authentication proxy limit, and has opened too many connections to the proxy.
Recommended Action Increase the proxy limit by entering the proxy-limit proxy_limit command, or ask the user to close unused connections. If the error persists, it may indicate a possible DoS attack.
109018
Error Message %ASA-3-109018: Downloaded ACL acl_ID is emptyExplanation The downloaded authorization access control list has no ACEs. This situation might be caused by misspelling the attribute string "ip:inacl#" or omitting the access-list command.
junk:junk# 1=permit tcp any any eq junk ip:inacl#1="Recommended Action Correct the ACL components that have the indicated error on the AAA server.
109019
Error Message %ASA-3-109019: Downloaded ACL acl_ID has parsing error; ACE stringExplanation An error is encountered during parsing the sequence number NNN in the attribute string ip:inacl#NNN= of a downloaded authorization access control list. The reasons include: - missing = - contains non-numeric, non-space characters between `#' and `=' - NNN is greater than 999999999.
ip:inacl# 1 permit tcp any anyip:inacl# 1junk2=permit tcp any anyip:inacl# 1000000000=permit tcp any anyRecommended Action Correct the ACL element that has the indicated error on the AAA server.
109020
Error Message %ASA-3-109020: Downloaded ACL has config error; ACEExplanation One of the components of the downloaded authorization access control list has a configuration error. The entire text of the element is included in the syslog message. This message is usually caused by an invalid access-list command statement.
Recommended Action Correct the ACL component that has the indicated error on the AAA server.
109021
Error Message %ASA-7-109021: Uauth null proxy errorExplanation An internal user authentication error has occurred.
Recommended Action None required. However, if this error appears repeatedly, contact the Cisco TAC.
109022
Error Message %ASA-4-109022: exceeded HTTPS proxy process limitExplanation For each HTTPS authentication, the adaptive security appliance dedicates a process to service the authentication request. When the number of concurrently running processes exceeds the system-imposed limit, the adaptive security appliance does not perform the authentication, and this message is displayed.
Recommended Action None required.
109023
Error Message %ASA-3-109023: User from source_address/source_port to dest_address/dest_port on interface outside_interface must authenticate before using this service.Explanation This is a AAA message. Based on the configured policies, you need to be authenticated before you can use this service port.
Recommended Action Authenticate using Telnet, FTP, or HTTP before attempting to use this service port.
109024
Error Message %ASA-6-109024: Authorization denied from source_address/source_port to dest_address/dest_port (not authenticated) on interface interface_name using protocolExplanation This is a AAA message, which is displayed if the adaptive security appliance is configured for AAA and a user attempted to make a TCP connection across the adaptive security appliance without prior authentication.
Recommended Action None required.
109025
Error Message %ASA-6-109025: Authorization denied (acl=acl_ID) for user 'user' from source_address/source_port to dest_address/dest_port on interface interface_name using protocolExplanation The access control list check failed. The check either matched a deny or did not match anything, such as an implicit deny. The connection was denied by the user access control list acl_ID, which was defined according to the AAA authorization policy on the Cisco Secure Access Control Server (ACS).
Recommended Action None required.
109026
Error Message %ASA-3-109026: [aaa protocol] Invalid reply digest received; shared server key may be mismatched.Explanation The response from the AAA server could not be validated. It is likely that the configured server key is incorrect. This event may be generated during transactions with RADIUS or TACACS+ servers.
Recommended Action Verify that the server key, configured using the aaa-server command, is correct.
109027
Error Message %ASA-4-109027: [aaa protocol] Unable to decipher response message Server = server_IP_address, User = userExplanation The response from the AAA server could not be validated. The configured server key is probably incorrect. This message may be displayed during transactions with RADIUS or TACACS+ servers. The server_IP_address is the IP address of the relevant AAA server. The user is the user name associated with the connection.
Recommended Action Verify that the server key, configured using the aaa-server command, is correct.
109028
Error Message %ASA-4-109028: aaa bypassed for same-security traffic from ingress_ interface:source_address/source_port to egress_interface:dest_address/dest_portExplanation AAA is being bypassed for same security traffic that matches a configured AAA rule. This can only occur when traffic passes between two interfaces that have the same configured security level, when the same security traffic is permitted, and if the AAA configuration uses the include or exclude syntax.
Recommended Action None required.
109029
Error Message %ASA-5-109029: Parsing downloaded ACL: stringExplanation A syntax error was encountered while parsing an access list that was downloaded from a RADIUS server during user authentication.
•
Recommended Action Use the information presented in this message to identify and correct the syntax error in the access list definition within the RADIUS server configuration.
109030
Error Message %ASA-4-109030: Autodetect ACL convert wildcard did not convert ACL access_list source|dest netmask netmask.Explanation This message is displayed when a dynamic ACL that is configured on a RADIUS server is not converted by the mechanism for automatically detecting wildcard netmasks. The problem occurs because this mechanism could not determine if the netmask is a wildcard or a normal netmask.
•
•
•
•
Recommended Action Check the access list netmask on the RADIUS server for the wildcard configuration. If the netmask is supposed to be a wildcard, and if all access list netmasks on that server are wildcards, then use the wildcard setting for acl-netmask-convert for the AAA server. Otherwise, change the netmask to a normal netmask or to a wildcard netmask that does not contain holes (that is, where the netmask presents consecutive binary 1s. For example, 00000000.00000000.00011111.11111111 or hex 0.0.31.255). If the mask is supposed to be normal and all access list netmasks on that server are normal, then use the normal setting for acl-netmask-convert for the AAA server.
109031
Error Message %ASA-4-109031: NT Domain Authentication Failed: rejecting guest login for username.Explanation This message is displayed when a user tries to authenticate to an NT domain that was configured for guest account access and the username is not a valid username on the NT server. The connection is denied.
Recommended Action If the user is a valid user, add an account to the NT server. If the user is not allowed access, no action is required.
109032
Error Message %ASA-3-109032: Unable to install ACL access_list, downloaded for user username; Error in ACE: ace.Explanation This message is displayed when an access control list is received from a RADIUS server during the authentication of a network user. The log event indicates a syntax error in one of the elements of the access list. When this occurs, the element is discarded, but the rest of the access list is still applied. The entire text of the malformed element is included in the message. Note that this condition does not result in an authentication failure.
•
•
•
Recommended Action Correct the access list definition in the RADIUS server configuration.
109033
Error Message %ASA-4-109033: Authentication failed for admin user user from src_IP. Interactive challenge processing is not supported for protocol connectionsExplanation AAA challenge processing was triggered during authentication of an administrative connection, but the adaptive security appliance cannot initiate interactive challenge processing with the client application. When this occurs, the authentication attempt will be rejected and the connection denied.
•
•
•
Recommended Action Reconfigure AAA so that challenge processing does not occur for these connection types. This generally means to avoid authenticating these connection types to RSA SecurID servers or to any token-based AAA server via RADIUS.
109034
Error Message %ASA-4-109034: Authentication failed for network user user from src_IP/port to dst_IP/port. Interactive challenge processing is not supported for protocol connectionsExplanation AAA challenge processing was triggered during authentication of a network connection, but the adaptive security appliance cannot initiate interactive challenge processing with the client application. When this occurs, the authentication attempt will be rejected and the connection denied.
•
•
•
•
Recommended Action Reconfigure AAA so that challenge processing does not occur for these connection types. This generally means to avoid authenticating these connection types to RSA SecurID servers or to any token-based AAA server via RADIUS.
109035
Error Message %ASA-3-109035: Exceeded maximum number (999) of DAP attribute instances for user = string.Explanation The Dynamic Access Policy supports multiple values of the same attribute received from an AAA server. If the AAA server should send a response containing more than 999 values for the same attribute, then the adaptive security appliance will treat this response message as being malformed and reject the authentication. This condition has only been seen in lab environments using specialized test tools. It is unlikely that the condition should occur in a real-world production network.
•
Recommended Action If this message is generated, it would be helpful to capture the authentication traffic between the adaptive security appliance and AAA server using a protocol sniffer (such as WireShark) and forward the trace file to Cisco Engineering for analysis.
110002
Error Message %ASA-6-110002: Failed to locate egress interface for protocol from src interface:src IP/src port to dest IP/dest portExplanation .An error occurred when the adaptive security appliance tried to find the interface through which to send the packet.
•
•
•
•
•
•
Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
110003
Error Message %ASA-6-110003: Routing failed to locate next-hop for protocol from src interface:src IP/src port to dest interface:dest IP/dest portExplanation .An error occurred when the adaptive security appliance tried to find the next hop on an interface routing table.
•
•
•
•
•
•
Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC. During debugging, use the show asp table routing command to view the routing table details.
111001
Error Message %ASA-5-111001: Begin configuration: IP_address writing to deviceExplanation This message is displayed when you enter the write command to store your configuration on a device (either floppy, flash memory, TFTP, the failover standby unit, or the console terminal). The IP_address indicates whether the login was made at the console port or with a Telnet connection.
Recommended Action None required.
111002
Error Message %ASA-5-111002: Begin configuration: IP_address reading from deviceExplanation This message is displayed when you enter the read command to read your configuration from a device (either floppy disk, flash memory, TFTP, the failover standby unit, or the console terminal). The IP_address indicates whether the login was made at the console port or with a Telnet connection.
Recommended Action None required.
111003
Error Message %ASA-5-111003: IP_address Erase configurationExplanation This is a management message. This message is displayed when you erase the contents of Flash memory by entering the write erase command at the console. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.
Recommended Action After erasing the configuration, reconfigure the adaptive security appliance and save the new configuration. Alternatively, you can restore information from a configuration that was previously saved, either on a floppy disk or on a TFTP server elsewhere on the network.
111004
Error Message %ASA-5-111004: IP_address end configuration: {FAILED|OK}Explanation This message is displayed when you enter the config floppy/memory/ network command or the write floppy/memory/network/standby command. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.
Recommended Action None required if the message ends with OK. If the message indicates a failure, try to fix the problem. For example, if writing to a floppy disk, ensure that the floppy disk is not write protected; if writing to a TFTP server, ensure that the server is up.
111005
Error Message %ASA-5-111005: IP_address end configuration: OKExplanation This message is displayed when you exit the configuration mode. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.
Recommended Action None required.
111007
Error Message %ASA-5-111007: Begin configuration: IP_address reading from device.Explanation This message is displayed when you enter the reload or configure command to read in a configuration. The device text can be floppy, memory, net, standby, or terminal. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.
Recommended Action None required.
111008
Error Message %ASA-5-111008: User user executed the command stringExplanation The user entered any command, with the exception of a show command.
Recommended Action None required.
111009
Error Message %ASA-7-111009:User user executed cmd:stringExplanation The user entered a command that does not modify the configuration. This message appears only for show commands.
Recommended Action None required.
111111
Error Message %ASA-1-111111 error_messageExplanation A system or infrastructure error has occurred.
Recommended Action If the problem persists, contact the Cisco TAC.
112001
Error Message %ASA-2-112001: (string:dec) Clear complete.Explanation This message is displayed when a request to clear the module configuration is completed. The source file and line number are identified.
Recommended Action None required.
113001
Error Message %ASA-3-113001: Unable to open AAA session. Session limit [limit] reached.Explanation The AAA operation on an IPSec tunnel or WebVPN connection could not be performed because of the unavailability of system resources. The limit value indicates the maximum number of concurrent AAA transactions.
Recommended Action Reduce the demand for AAA resources if possible.
113003
Error Message %ASA-6-113003: AAA group policy for user user is being set to policy_name.Explanation The group policy that is associated with the tunnel-group is being overridden with a user specific policy, policy_name. The policy_name is specified using the username command when LOCAL authentication is configured or is returned in the RADIUS CLASS attribute when RADIUS authentication is configured.
Recommended Action None required.
113004
Error Message %ASA-6-113004: AAA user aaa_type Successful: server = server_IP_address, User = userExplanation This is an indication that a AAA operation on an IPSec or WebVPN connection has been completed successfully. The AAA types are "authentication," "authorization," or "accounting." The server_IP_address is the IP address of the relevant AAA server. The user is the user name associated with the connection.
Recommended Action None required.
113005
Error Message %ASA-6-113005: AAA user authentication Rejected: reason = string: server = server_IP_address, User = userExplanation This is an indication that either an authentication or authorization request for a user associated with an IPSec or WebVPN connection has been rejected. Details of why the request was rejected are provided in the reason field. server_IP_address is the IP address of the relevant AAA server. user is the user name associated with the connection. aaa_operation is either authentication or authorization.
Recommended Action None required.
113006
Error Message %ASA-6-113006: User user locked out on exceeding number successive failed authentication attemptsExplanation A locally configured user is being locked out. This happens when a configured number of consecutive authentication failures have occurred for this user and indicates that all future authentication attempts by this user will be rejected until an administrator unlocks the user using the clear aaa local user lockout command. user is the user that is now locked and number is the consecutive failure threshold configured with the aaa local authentication attempts max-fail command.
Recommended Action Try unlocking the user using the clear_aaa_local_user_lockout command or adjusting the maximum number of consecutive authentication failures that are tolerated.
113007
Error Message %ASA-6-113007: User user unlocked by administratorExplanation A locally configured user that was locked out after exceeding the maximum number of consecutive authentication failures set by the aaa local authentication attempts max-fail command has been unlocked by the indicated administrator.
Recommended Action None required.
113008
Error Message %ASA-6-113008: AAA transaction status ACCEPT: user = userExplanation The AAA transaction for a user associated with an IPSec or WebVPN connection was completed successfully. The user is the username associated with the connection.
Recommended Action None required.
113009
Error Message %ASA-6-113009: AAA retrieved default group policy policy for user userExplanation This message may be generated during the authentication or authorization of an IPSec or WebVPN connection. The attributes of the group policy that were specified with the tunnel-group or webvpn commands have been retrieved.
Recommended Action None required.
113010
Error Message %ASA-6-113010: AAA challenge received for user user from server server_IP_addressExplanation This message may be generated during the authentication of an IPSec connection when the authentication is done with a SecurID server. The user will be prompted to provide further information before being authenticated.
•
•
Recommended Action None required.
113011
Error Message %ASA-6-113011: AAA retrieved user specific group policy policy for user userExplanation This event may be generated during the authentication or authorization of an IPSec or WebVPN connection. The attributes of the group policy that was specified with the tunnel-group or webvpn commands have been retrieved.
Recommended Action None required.
113012
Error Message %ASA-6-113012: AAA user authentication Successful: local database: user = userExplanation The user associated with a IPSec or WebVPN connection has been successfully authenticated to the local user database.
•
Recommended Action None required.
113013
Error Message %ASA-6-113013: AAA unable to complete the request Error: reason = reason: user = userExplanation The AAA transaction for a user associated with an IPSec or WebVPN connection has failed because of an error or has been rejected because of a policy violation.
•
•
Recommended Action None required.
113014
Error Message %ASA-6-113014: AAA authentication server not accessible: server = server_IP_address: user = userExplanation The device was unable to communicate with the configured AAA server during the AAA transaction associated with an IPSec or WebVPN connection. This may or may not result in a failure of the user connection attempt depending on the backup servers configured in the aaa-server group and the availability of those servers.
Recommended Action Verify connectivity with the configured AAA servers.
113015
Error Message %ASA-6-113015: AAA user authentication Rejected: reason = reason: local database: user = userExplanation A request for authentication to the local user database for a user associated with an IPSec or WebVPN connection has been rejected.
•
•
Recommended Action None required.
113016
Error Message %ASA-6-113016: AAA credentials rejected: reason = reason: server = server_IP_address: user = userExplanation The AAA transaction for a user associated with an IPSec or WebVPN connection has failed because of an error or rejected due to a policy violation.
•
•
•
Recommended Action None required.
113017
Error Message %ASA-6-113017: AAA credentials rejected: reason = reason: local database: user = userExplanation This is an indication that the AAA transaction for a user associated with an IPSec or WebVPN connection has failed because of an error or rejected because of a policy violation. This event only appears when the AAA transaction is with the local user database rather than with an external AAA server.
•
•
Recommended Action None required.
113018
Error Message %ASA-3-113018: User: user, Unsupported downloaded ACL Entry: ACL_entry, Action: actionExplanation An ACL entry in unsupported format was downloaded from the authentication server. The following list describes the message values:
•
•
•
Recommended Action The ACL entry on the authentication server has to be changed by the administrator to conform to the supported ACL entry formats.
113019
Error Message %ASA-4-113019: Group = group, Username = username, IP = peer_address, Session disconnected. Session Type: type, Duration: duration, Bytes xmt: count, Bytes rcv: count, Reason: reasonExplanation This is an informational message that indicates when and why the longest idle user is disconnected.
•
•
•
•
•
•
•
- Port preempted. This reason indicates that the allowed number of simultaneous (same user) logins has been exceeded. To resolve this problem, increase the number of simultaneous logins or have users only log in once with a given username and password.
Recommended Action None required.
113020
Error Message %ASA-3-113020: Kerberos error: Clock skew with server ip_address greater than 300 secondsExplanation This message is displayed when authentication for an IPSec or WebVPN user through a Kerberos server fails because the clocks on the adaptive security appliance and the server are more than five minutes (300 seconds) apart. When this occurs, the connection attempt is rejected.
•
Recommended Action Synchronize the clocks on the adaptive security appliance and the Kerberos server.
113021
Error Message %ASA-3-113021: Attempted console login failed. User username did NOT have appropriate Admin Rights.Explanation A user has attempted access to the management console and was denied.
•
Recommended Action If the user is a newly added Admin Rights user, check that the service-type (LOCAL or RADIUS authentication server) for that user is set to allow access:
•
•
Otherwise, the user is inappropriately attempting to access the management console; the action to be taken should be consistent with company policy for these matters.
113022
Error Message %ASA-2-113022: AAA Marking RADIUS server servername in aaa-server group AAA-Using-DNS as FAILEDExplanation This syslog message indicates that the adaptive security appliance has tried an authentication, authorization, or accounting request to the AAA server and did not receive a response within the configured timeout window. The AAA server will be marked as "failed" and has been removed from service.
•
- RADIUS
- TACACS+
- NT
- RSA SecurID
- Kerberos
- LDAP
•
•
Recommended Action Verify that the AAA server is online and is accessible from the adaptive security appliance.
113023
Error Message %ASA-2-113023: AAA Marking protocol server ip-addr in server group tag as ACTIVEExplanation This syslog message indicates that the adaptive security appliance has reactivated the AAA server that was previously marked as "failed." The AAA server is now available to service AAA requests.
•
- RADIUS
- TACACS+
- NT
- RSA SecurID
- Kerberos
- LDAP
•
•
Recommended Action None required.
113024
Error Message %ASA-5-113024: Group tg: Authenticating type connection from ip with username, user_name, from client certificateExplanation This message is generated when the pre-fill username feature overrides the username with one derived from the client certificate for use in AAA.
•
•
•
•
Recommended Action None required.
113025
Error Message %ASA-5-113025: Group tg: fields Could not authenticate connection type connection from ipExplanation This message indicates that a username could not be successfully extracted from the certificate.
•
•
•
•
Recommended Action The administrator should check that the authentication aaa certificate, ssl certificate-authentication, and authorization-dn-attributes keywords are all set correctly.
113026
Error Message %ASA-4-113026: Error error while executing Lua script for group tunnel groupExplanation This syslog states what error was encountered while extracting a username from the client certificate for use in AAA. This log will not be generated unless username-from-certificate use-script is enabled.
•
•
Recommended Action Examine the script being used by username-from-certificate for errors.
113027
Error Message %ASA-2-113027: Error activating tunnel-group scriptsExplanation This message indicates that the scripts file could not be loaded successfully. No tunnel groups using the "username-from-certificate use-script" option work correctly.
Recommended Action The administrator should check the script file for errors using ASDM. Use the debug aaa command to obtain a more detailed error message that may be useful.
114001
Error Message %ASA-1-114001: Failed to initialize 4GE SSM I/O card (error error_string).Explanation This message is displayed when the system fails to initialize a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114002
Error Message %ASA-1-114002: Failed to initialize SFP in 4GE SSM I/O card (error error_string).Explanation This message is displayed when the system fails to initialize an SFP connector in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114003
Error Message %ASA-1-114003: Failed to run cached commands in 4GE SSM I/O card (error error_string).Explanation This message is displayed when the system fails to run cached commands in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114004
Error Message %ASA-6-114004: 4GE SSM I/O Initialization start.Explanation This message is displayed to notify the user that a 4GE SSM I/O initialization is starting.
•
Recommended Action None required.
114005
Error Message %ASA-6-114005: 4GE SSM I/O Initialization end.Explanation This message is displayed to notify users that an 4GE SSM I/O initialization is finished.
•
Recommended Action None required.
114006
Error Message %ASA-3-114006: Failed to get port statistics in 4GE SSM I/O card (error error_string).Explanation This message is displayed when the system fails to get port statistics in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114007
Error Message %ASA-3-114007: Failed to get current msr in 4GE SSM I/O card (error error_string).Explanation This message is displayed when the system fails to get the current module status register information in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114008
Error Message %ASA-3-114008: Failed to enable port after link is up in 4GE SSM I/O card due to either I2C serial bus access error or switch access error.Explanation This message is displayed when the system fails to enable a port after the link transition to Up state is detected in a 4GE SSM I/O card because of either an I2C serial bus access error or a switch access error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114009
Error Message %ASA-3-114009: Failed to set multicast address in 4GE SSM I/O card (error error_string).Explanation This message is displayed when the system fails to set the multicast address in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114010
Error Message %ASA-3-114010: Failed to set multicast hardware address in 4GE SSM I/O card (error error_string).Explanation This message is displayed when the system fails to set the multicast hardware address in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114011
Error Message %ASA-3-114011: Failed to delete multicast address in 4GE SSM I/O card (error error_string).Explanation This message is displayed when the system fails to delete the multicast address in a 4GE SSM I/O card because of either an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114012
Error Message %ASA-3-114012: Failed to delete multicast hardware address in 4GE SSM I/O card (error error_string).Explanation This message is displayed when the system fails to delete the multicast hardware address in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114013
Error Message %ASA-3-114013: Failed to set mac address table in 4GE SSM I/O card (error error_string).Explanation This message is displayed when the system fails to set the MAC address table in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114014
Error Message %ASA-3-114014: Failed to set mac address in 4GE SSM I/O card (error error_string).Explanation This message is displayed when the system fails to set the MAC address in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114015
Error Message %ASA-3-114015: Failed to set mode in 4GE SSM I/O card (error error_string).Explanation This message is displayed when the system fails to set individual/promiscuous mode in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114016
Error Message %ASA-3-114016: Failed to set multicast mode in 4GE SSM I/O card (error error_string).Explanation This message is displayed when the system fails to set the multicast mode in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114017
Error Message %ASA-3-114017: Failed to get link status in 4GE SSM I/O card (error error_string).Explanation This message is displayed when the system fails to get link status in a 4GE SSM I/O card because of an I2C serial bus access error or a switch access error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
5.
114018
Error Message %ASA-3-114018: Failed to set port speed in 4GE SSM I/O card (error error_string).Explanation This message is displayed when the system fails to set the port speed in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114019
Error Message %ASA-3-114019: Failed to set media type in 4GE SSM I/O card (error error_string).Explanation This message is displayed when the system fails to set the media type in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114020
Error Message %ASA-3-114020: Port link speed is unknown in 4GE SSM I/O card.Explanation This message is displayed when the system cannot detect the port link speed in a 4GE SSM I/O card.
Recommended Action Perform the following steps:
1.
2.
3.
4.
114021
Error Message %ASA-3-114021: Failed to set multicast address table in 4GE SSM I/O card due to error.Explanation This message is displayed when the system fails to set the multicast address table in the 4GE SSM I/O card because of either an I2C serial bus access error or to a switch access error.
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
115000
Error Message %ASA-2-115000: Critical assertion in process: process name fiber: fiber name, component: component name, subcomponent: subcomponent name, file: filename, line: line number, cond: conditionExplanation This message indicates that the critical assertion has gone off and is used during development in checked builds only, but never in production builds.
•
•
•
•
•
•
•
Recommended Action A high priority defect should be filed, the reason for the assertion should be investigated, and the problem corrected.
115001
Error Message %ASA-3-115001: Error in process: process name fiber: fiber name, component: component name, subcomponent: subcomponent name, file: filename, line: line number, cond: conditionExplanation This message indicates that an error assertion has gone off and is used during development in checked builds only, but never in production builds.
•
•
•
•
•
•
•
Recommended Action A defect should be filed, the reason for the assertion should be investigated, and the problem fixed.
115002
Error Message %ASA-4-115002: Warning in process: process name fiber: fiber name, component: component name, subcomponent: subcomponent name, file: filename, line: line number, cond: conditionExplanation This message indicates that a warning assertion has gone off and is used during development in checked builds only, but never in production builds.
•
•
•
•
•
•
•
Recommended Action The reason for the assertion should be investigated and if a problem is found, a defect should be filed, and the problem corrected.
120001
Error Message %ASA-5-120001: Smart Call Home Module was startedExplanation This message is generated when the Smart Call Home module is enabled and starts successfully after system bootup and failover in stable state. The module is ready to process Smart Call Home events.
Recommended Action None required.
199001
Error Message %ASA-5-199001: Reload command executed from Telnet (remote IP_address).Explanation This message logs the address of the host that is initiating an adaptive security appliance reboot with the reload command.
Recommended Action None required.
199002
Error Message %ASA-6-199002: startup completed. Beginning operation.Explanation The adaptive security appliance finished its initial boot and the flash memory reading sequence, and is ready to begin operating normally.
Note
Recommended Action None required.
199003
Error Message %ASA-6-199003: Reducing link MTU dec.Explanation The adaptive security appliance received a packet from the outside network that uses a larger MTU than the inside network. The adaptive security appliance then sent an ICMP message to the outside host to negotiate an appropriate MTU. The log message includes the sequence number of the ICMP message.
Recommended Action None required.
199005
Error Message %ASA-6-199005: Startup beginExplanation The adaptive security appliance started.
Recommended Action None required.
199010
Error Message %ASA-1-199010: Signal 11 caught in process/fiber(rtcli async executor process)/(rtcli async executor) at address 0xf132e03b, corrective action at 0xca1961a0Explanation The crash recovery mechanism generates this message after a system has recovered from a serious error.
Recommended Action Contact the Cisco TAC.
199011
Error Message %ASA-2-199011: Close on bad channel in process/fiber process/fiber, channel ID p, channel state s process/fiber name of the process/fiber that caused the bad channel close operation.Explanation An unexpected channel close condition has been detected.
•
•
•
Recommended Action Contact Cisco TAC and attach a log file.
199012
Error Message %ASA-1-1199012: Stack smash during new_stack_call in process/fiber process/fiber, call target f, stack size s, process/fiber name of the process/fiber that caused the stack smashExplanation A stack smash condition has been detected.
•
•
•
Recommended Action Contact Cisco TAC and attach a log file.
Messages 201002 to 219002
This section contains messages from 201002 to 219002.
201002
Error Message %ASA-3-201002: Too many TCP connections on {static|xlate} global_address! econns nconnsExplanation This is a connection-related message, which is displayed when the maximum number of TCP connections to the specified global address was exceeded.
•
•
Recommended Action Use the show static or show nat command to check the limit imposed on connections to a static address. The limit is configurable.
201003
Error Message %ASA-2-201003: Embryonic limit exceeded nconns/elimit for outside_address/outside_port (global_address) inside_address/inside_port on interface interface_nameExplanation This is a connection-related message regarding traffic to the adaptive security appliance, which is displayed when the number of embryonic connections from the specified foreign address with the specified static global address to the specified local address exceeds the embryonic limit. When the limit on embryonic connections to the adaptive security appliance is reached, the adaptive security appliance attempts to accept them anyway, but puts a time limit on the connections. This situation allows some connections to succeed even if the adaptive security appliance is very busy.
•
•
Recommended Action This message indicates a more serious overload than message 201002. It could be caused by a SYN attack, or by a very heavy load of legitimate traffic. Use the show static command to check the limit imposed on embryonic connections to a static address.
201004
Error Message %ASA-3-201004: Too many UDP connections on {static|xlate} global_address!udp connections limitExplanation This is a connection-related message, which is displayed when the maximum number of UDP connections to the specified global address was exceeded.
•
Recommended Action Use the show static or show nat command to check the limit imposed on connections to a static address. You can configure the limit.
201005
Error Message %ASA-3-201005: FTP data connection failed for IP_address IP_addressExplanation The adaptive security appliance could not allocate a structure to track the data connection for FTP because of insufficient memory.
Recommended Action Reduce the amount of memory usage or purchase additional memory.
201006
Error Message %ASA-3-201006: RCMD backconnection failed for IP_address/port.Explanation This is a connection-related message, which is displayed if the adaptive security appliance is unable to preallocate connections for inbound standard output for rsh commands because of insufficient memory.
Recommended Action Check the rsh client version; the adaptive security appliance only supports the Berkeley rsh client version. You can also reduce the amount of memory usage, or purchase additional memory.
201008
Error Message %ASA-3-201008: The security appliance is disallowing new connections.Explanation This message appears when you have enabled TCP system log messaging and the syslog server cannot be reached, or when using the adaptive security appliance syslog server (PFSS) and the disk on the Windows NT system is full, or when the auto-update timeout is configured and the auto-update server is not reachable.
Recommended Action Disable TCP syslog messaging. If using PFSS, free up space on the Windows NT system where PFSS resides. Also, make sure that the syslog server is up and you can ping the host from the adaptive security appliance console. Then restart TCP system message logging to allow traffic. If the Auto Update Server has not been contacted for a certain period of time, enter the [no] auto-update timeout period command to have it stop sending packets.
201009
Error Message %ASA-3-201009: TCP connection limit of number for host IP_address on interface_name exceededExplanation This is a connection-related message, which is displayed when the maximum number of connections to the specified static address was exceeded.
•
•
•
Recommended Action Use the show static and show nat commands to check the limit imposed on connections to an address. The limit is configurable.
201010
Error Message %ASA-3-201010: Embryonic connection limit exceeded econns/limit for dir packet from source_address/source_port to dest_address/dest_port on interface interface_nameExplanation An attempt to establish a TCP connection failed because of an exceeded embryonic connection limit, which was configured with the set connection embryonic-conn-max MPC command for a traffic class.
•
•
•
•
•
•
Recommended Action None required.
201011
Error Message %ASA-3-201011: Connection limit exceeded cnt/limit for dir packet from sip/sport to dip/dport on interface if_name.Explanation A new connection through the firewall device resulted in exceeding at least one of the configured maximum connection limits. This message applies both to connection limits configured using a static command, or to those configured using Cisco Modular Policy Framework. The new connection will not be allowed through the firewall device until one of the existing connections is torn down, thereby bringing the current connection count below the configured maximum.
•
•
•
•
•
•
•
•
Recommended Action None required.
201012
Error Message %ASA-6-201012: Per-client embryonic connection limit exceeded curr num/limit for [input|output] packet from IP_address/ port to ip/port on interface interface_nameExplanation An attempt to establish a TCP connection failed because the per-client embryonic connection limit was exceeded. By default, this message is rate limited to 1 message every 10 seconds.
•
•
•
•
•
•
Recommended Action When the limit is reached, any new connection request will be proxied by the adaptive security appliance to prevent a SYN flood attack. The adaptive security appliance will only connect to the server if the client is able to finish the three-way handshake. This usually does not affect the end user or the application. However, if this creates a problem for any application that has a legitimate need for a higher number of embryonic connections, you can adjust the setting by entering the set connection per-client-embryonic-max command.
201013
Error Message %ASA-3-201013: Per-client connection limit exceeded curr num/limit for [input|output] packet from ip/port to ip/port on interface interface_nameExplanation A connection was rejected because the per-client connection limit was exceeded.
•
•
•
•
•
•
Recommended Action When the limit is reached, any new connection request will be silently dropped. Normally an application will retry the connection, which will cause a delay or even a timeout if all retries also fail. If an application has a legitimate need for a higher number of concurrent connections, you can adjust the setting by entering the set connection per-client-max command.
202001
Error Message %ASA-3-202001: Out of address translation slots!Explanation This is a connection-related message. This message is displayed if the adaptive security appliance has no more address translation slots available.
Recommended Action Check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translates and connections. This error message could also be caused by insufficient memory; reduce the amount of memory usage, or purchase additional memory, if possible.
202005
Error Message %ASA-3-202005: Non-embryonic in embryonic list outside_address/outside_port inside_address/inside_portExplanation This is a connection-related message. This message is displayed when a connection object (xlate) is in the wrong list.
Recommended Action Contact the Cisco TAC.
202011
Error Message %ASA-3-202011: Connection limit exceeded econns/limit for dir packet from source_address/source_port to dest_address/dest_port on interface interface_nameExplanation This message is displayed when an attempt to create a TCP or UDP connection fails because of an exceeded connection limit, which is configured with the set connection conn-max MPC command for a traffic class.
•
•
•
•
•
•
Recommended Action None required.
208005
Error Message %ASA-3-208005: (function:line_num) clear command return codeExplanation The adaptive security appliance received a nonzero value (an internal error) when attempting to clear the configuration in flash memory. The message includes the reporting subroutine filename and line number.
Recommended Action For performance reasons, the end host should be configured not to inject IP fragments. This configuration change is probably because of NFS. Set the read and write size equal to the interface MTU for NFS.
209003
Error Message %ASA-4-209003: Fragment database limit of number exceeded: src = source_address, dest = dest_address, proto = protocol, id = numberExplanation Too many IP fragments are currently awaiting reassembly. By default, the maximum number of fragments is 200 (to raise the maximum, see the fragment size command in the Cisco ASA 5500 Series Command Reference). The adaptive security appliance limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the adaptive security appliance under abnormal network conditions. In general, fragmented traffic should be a small percentage of the total traffic mix. An exception is in a network environment with NFS over UDP where a large percentage is fragmented traffic; if this type of traffic is relayed through the adaptive security appliance, consider using NFS over TCP instead. To prevent fragmentation, see the sysopt connection tcpmss bytes command in the Cisco ASA 5500 Series Command Reference.
Recommended Action If this message persists, a denial of service (DoS) attack might be in progress. Contact the remote peer administrator or upstream provider.
209004
Error Message %ASA-4-209004: Invalid IP fragment, size = bytes exceeds maximum size = bytes: src = source_address, dest = dest_address, proto = protocol, id = numberExplanation An IP fragment is malformed. The total size of the reassembled IP packet exceeds the maximum possible size of 65,535 bytes.
Recommended Action A possible intrusion event may be in progress. If this message persists, contact the remote peer administrator or upstream provider.
209005
Error Message %ASA-4-209005: Discard IP fragment set with more than number elements: src = Too many elements are in a fragment set.Explanation The adaptive security appliance disallows any IP packet that is fragmented into more than 24 fragments. For more information, see the fragment command in the Cisco ASA 5500 Series Command Reference.
Recommended Action A possible intrusion event may be in progress. If the message persists, contact the remote peer administrator or upstream provider. You can change the number of fragments per packet by using the fragment chain xxx interface_name command.
210001
Error Message %ASA-3-210001: LU sw_module_name error = numberExplanation A Stateful Failover error occurred.
Recommended Action If this error persists after traffic lessens through the adaptive security appliance, report this error to Cisco TAC.
210002
Error Message %ASA-3-210002: LU allocate block (bytes) failed.Explanation Stateful Failover could not allocate a block of memory to transmit stateful information to the standby adaptive security appliance.
Recommended Action Check the failover interface using the show interface command to make sure its transmit is normal. Also check the current block memory using the show block command. If current available count is 0 within any of the blocks of memory, then reload the adaptive security appliance software to recover the lost blocks of memory.
210003
Error Message %ASA-3-210003: Unknown LU Object numberExplanation Stateful Failover received an unsupported Logical Update object and therefore was unable to process it. This could be caused by corrupted memory, LAN transmissions, and other events.
Recommended Action If you see this error infrequently, then no action is required. If this error occurs frequently, check the Stateful Failover link LAN connection. If the error was not caused by a faulty failover link LAN connection, determine if an external user is trying to compromise the protected network. Also check for misconfigured clients.
210005
Error Message %ASA-3-210005: LU allocate connection failedExplanation Stateful Failover cannot allocate a new connection on the standby unit. This may be caused by little or no RAM memory available within the adaptive security appliance.
Recommended Action Check the available memory using the show memory command to make sure that the adaptive security appliance has free memory in the system. If there is no available memory, add more physical memory to the adaptive security appliance.
210006
Error Message %ASA-3-210006: LU look NAT for IP_address failedExplanation Stateful Failover was unable to locate a NAT group for the IP address on the standby unit. The active and standby adaptive security appliance units may be out of sync with each other.
Recommended Action Use the write standby command on the active unit to synchronize system memory with the standby unit.
210007
Error Message %ASA-3-210007: LU allocate xlate failedExplanation Stateful Failover failed to allocate a translation (xlate) slot record.
Recommended Action Check the available memory by using the show memory command to make sure that the adaptive security appliance has free memory in the system. If no memory is available, add more memory.
210008
Error Message %ASA-3-210008: LU no xlate for inside_address/inside_port outside_address/outside_portExplanation The adaptive security appliance could not find a translation slot (xlate) record for a Stateful Failover connection; so the adaptive security appliance could not process the connection information.
Recommended Action Enter the write standby command on the active unit to synchronize system memory between the active and standby units.
210010
Error Message %ASA-3-210010: LU make UDP connection for outside_address:outside_port inside_address:inside_port failedExplanation Stateful Failover was unable to allocate a new record for a UDP connection.
Recommended Action Check the available memory by using the show memory command to make sure that the adaptive security appliance has free memory in the system. If no memory is available, add more memory.
210011
Error Message %ASA-3-210011: Connection limit exceeded cnt/limit for dir packet from sip/sport to dip/dport on interface if_name.Explanation This syslog message indicates that establishing a new connection through the adaptive security appliance will result in exceeding at least one of the configured maximum connection limits. The syslog message applies both for connection limits configured using a static command, or to those configured using Cisco Modular Policy Framework. The new connection will not be allowed through the adaptive security appliance until one of the existing connections is torn down, thereby bringing the current connection count below the configured maximum.
•
•
•
•
•
•
•
•
Recommended Action Because connection limits are configured for a good reason, this syslog message could indicate a possible DOS attack, in which case the source of the traffic could likely be a spoofed IP address. If the source IP address is not totally random, identifying the source and blocking it using an access-list might help. In other cases getting sniffer traces and analyzing the source of the traffic would help in isolating unwanted traffic from legitimate traffic.
210020
Error Message %ASA-3-210020: LU PAT port port reserve failedExplanation Stateful Failover is unable to allocate a specific PAT address that is in use.
Recommended Action Enter the write standby command on the active unit to synchronize system memory between the active and standby units.
210021
Error Message %ASA-3-210021: LU create static xlate global_address ifc interface_name failedExplanation Stateful Failover is unable to create a translation slot (xlate).
Recommended Action Enter the write standby command on the active unit to synchronize system memory between the active and standby units.
210022
Error Message %ASA-6-210022: LU missed number updatesExplanation Stateful Failover assigns a sequence number for each record sent to the standby unit. When a received record sequence number is out of sequence with the last updated record, the information in-between is assumed to be lost, and this error message is sent as a result.
Recommended Action Unless there are LAN interruptions, check the available memory on both adaptive security appliance units to ensure that there is enough memory to process the stateful information. Use the show failover command to monitor the quality of stateful information updates.
211001
Error Message %ASA-3-211001: Memory allocation ErrorExplanation This message appears if the adaptive security appliance failed to allocate RAM system memory.
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact the Cisco TAC.
211003
Error Message %ASA-3-211003: CPU utilization for number seconds = percentExplanation This message is displayed if the percentage of CPU usage is greater than 100 percent for the number of seconds.
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact the Cisco TAC.
212001
Error Message %ASA-3-212001: Unable to open SNMP channel (UDP port port) on interface interface_number, error code = codeExplanation This is an SNMP message, which reports that the adaptive security appliance is unable to receive SNMP requests destined for the adaptive security appliance from SNMP management stations located on this interface. This does not affect the SNMP traffic passing through the adaptive security appliance through any interface. The error codes are as follows:
•
•
Recommended Action After the adaptive security appliance reclaims some of its resources when traffic is lighter, reenter the snmp-server host command for that interface.
212002
Error Message %ASA-3-212002: Unable to open SNMP trap channel (UDP port port) on interface interface_number, error code = codeExplanation This is an SNMP message, which indicates that the adaptive security appliance is unable to send its SNMP traps from the adaptive security appliance to SNMP management stations located on this interface. This does not affect the SNMP traffic passing through the adaptive security appliance through any interface. The error codes are as follows:
•
•
•
Recommended Action After the adaptive security appliance reclaims some of its resources when traffic is lighter, reenter the snmp-server host command for that interface.
212003
Error Message %ASA-3-212003: Unable to receive an SNMP request on interface interface_number, error code = code, will try again.Explanation This is an SNMP message, which is displayed because an internal error occurred in receiving an SNMP request destined for the adaptive security appliance on the specified interface. The error codes are as follows:
•
•
•
•
•
Recommended Action None required. The adaptive security appliance SNMP agent goes back to wait for the next SNMP request.
212004
Error Message %ASA-3-212004: Unable to send an SNMP response to IP Address IP_address Port port interface interface_number, error code = codeExplanation This is an SNMP message, which is displayed because an internal error occurred in sending an SNMP response from the adaptive security appliance to the specified host on the specified interface. The error codes are as follows:
•
•
•
•
•
Recommended Action None required.
212005
Error Message %ASA-3-212005: incoming SNMP request (number bytes) on interface interface_name exceeds data buffer size, discarding this SNMP request.Explanation This is an SNMP message, which reports that the length of the incoming SNMP request that is destined for the adaptive security appliance exceeds the size of the internal data buffer (512 bytes) used for storing the request during internal processing. The adaptive security appliance is unable to process this request. This situation does not affect the SNMP traffic passing through the adaptive security appliance using any interface.
Recommended Action Have the SNMP management station resend the request with a shorter length. For example, instead of querying multiple MIB variables in one request, try querying only one MIB variable in a request. You may need to modify the configuration of the SNMP manager software.
212006
Error Message %ASA-3-212006: Dropping SNMP request from src_addr/src_port to ifc:dst_addr/dst_port because: reason usernameExplanation This SNMP message is displayed if the adaptive security appliance cannot process a SNMP request to it for the following reasons:
•
•
•
•
•
•
•
Note
Recommended Action Check the adaptive security appliance SNMP server settings and confirm that the NMS configuration is using the expected user, authentication, and encryption settings. Enter the show crypto accelerator statistics command to isolate errors in the platform crypto module.
212009
Error Message %ASA-5-212009: Configuration request for SNMP group groupname failed. User username, reason.Explanation A user has tried to change the SNMP server group configuration. One or more users that refer to the group have insufficient settings to comply with the requested group changes.
•
•
•
- missing auth-password—A user has tried to add authentication to the group, and the user has not specified an authentication password
- missing priv-password—A user has tried to add privacy to the group, and the user has not specified an encryption password
- reference group intended for removal—A user has tried to remove a group that has users belonging to it
Recommended Action The user must update the indicated user configurations before changing the group or removing indicated users, and then add them again after making changes to the group.
212010
Error Message %ASA-3-212010: Configuration request for SNMP user %s failed. Host %s reason.Explanation A user has tried to change the SNMP server user configuration by removing one or more hosts that reference the user. One message is generated per host.
•
•
- references user intended for removal—The name of the user to be removed from the host.
Recommended Action The user must either update the indicated host configuration before changing a user or remove the indicated hosts, then add them again after making changes to the user.
212011
Error Message %ASA-3-212011: SNMP engineBoots is set to maximum value. Reason: %s User intervention necessary.For example:
%ASA-3-212011: SNMP engineBoots is set to maximum value. Reason: error accessing persistent data. User intervention necessary.Explanation The device has rebooted 214783647 times, which is the maximum allowed value of the engineBoots variable, or an error reading the persistent value from flash memory has occurred. The engineBoots value is stored in flash memory in the flash:/snmp/ctx-name file, where ctx-name is the name of the context. In single mode, the name of this file is flash:/snmp/single_vf. In multi-mode, the name of the file for the admin context is flash:/snmp/admin. During a reboot, if the device is unable to read from the file or write to the file, the engineBoots value is set to the maximum.
•
Recommended Action For the first string, the administrator must delete all SNMP Version 3 users and add them again to reset the engineBoots variable to 1. All subsequent Version 3 queries will fail until all users have been removed. For the second string, the administrator must delete the context-specific file, then delete all SNMP Version users, and add them again to reset the engineBoots variable to 1. All subsequent Version 3 queries will fail until all users have been removed.
212012
Error Message %ASA-3-212012: Unable to write SNMP engine data to persistent storage.Explanation The SNMP engine data is written to the flash:/snmp/context-name file. For example: in single mode, the data is written to the file, flash:/snmp/single_vf. In the admin context in multi-mode, the file is written to the flash:/snmp/admin directory. The error could be caused by a failure to create the flash:/snmp directory or create the flash:/snmp/context-name file. The error could also be caused by a failure to write to the file.
Recommended Action The system administrator should remove the flash:/snmp/context-name file, then remove all SNMP Version 3 users, and add them again. This procedure should recreate the flash:/snmp/context-name file. If the problem persists, the system administrator should try reformatting the flash.
213001
Error Message %ASA-3-213001: PPTP control daemon socket io string, errno = number.Explanation An internal TCP socket I/O error occurred.
Recommended Action Contact the Cisco TAC.
213002
Error Message %ASA-3-213002: PPTP tunnel hashtable insert failed, peer = IP_address.Explanation An internal software error occurred while creating a new PPTP tunnel.
Recommended Action Contact the Cisco TAC.
213003
Error Message %ASA-3-213003: PPP virtual interface interface_number isn't opened.Explanation An internal software error occurred while closing a PPP virtual interface.
Recommended Action Contact the Cisco TAC.
213004
Error Message %ASA-3-213004: PPP virtual interface interface_number client ip allocation failed.Explanation An internal software error occurred while allocating an IP address to the PPTP client when the IP local address pool was depleted.
Recommended Action Consider allocating a larger pool with the ip local pool command.
213005
Error Message %ASA-3-213005%: Dynamic-Access-Policy action (DAP) action abortedExplanation The Dynamic Access Policy is dynamically created by selecting configured access policies based on the authorization rights of the user and the posture assessment results of the remote endpoint device. The resulting dynamic policy indicates that the session should be terminated.
Recommended Action None required.
213006
Error Message %ASA-3-213006%: Unable to read dynamic access policy record.Explanation There was either an error in retrieving the DAP policy record data or the action configuration was missing.
Recommended Action A configuration change might have resulted in deleting a dynamic access policy record. Use ASDM to recreate the dynamic access policy record.
214001
Error Message %ASA-2-214001: Terminating manager session from IP_address on interface interface_name. Reason: incoming encrypted data (number bytes) longer than number bytesExplanation An incoming encrypted data packet destined for the adaptive security appliance management port indicates a packet length exceeding the specified upper limit. This may be a hostile event. The adaptive security appliance immediately terminates this management connection.
Recommended Action Ensure that the management connection was initiated by Cisco Secure Policy Manager.
215001
Error Message %ASA-2-215001:Bad route_compress() call, sdb = numberExplanation An internal software error occurred.
Recommended Action Contact the Cisco TAC.
217001
Error Message %ASA-2-217001: No memory for string in stringExplanation An operation failed because of low memory.
Recommended Action If sufficient memory exists, then copy the error message, the configuration, and any details about the events leading up the error to the Cisco TAC.
216001
Error Message %ASA-n-216001: internal error in: function: messageExplanation This message reports a variety of internal errors that should not appear during normal operation. The severity level varies depending on the cause of the message.
•
•
•
Recommended Action Search the Bug Toolkit for the specific text message and also try to use the Output Interpreter to resolve the problem. If the problem persists, contact the Cisco TAC.
216002
Error Message ASA-3-216002: Unexpected event (major: major_id, minor: minor_id) received by task_string in function at line: line_numExplanation This message is displayed when a task registers for event notification and the task cannot handle the specific event. Events that can be watched include those associated with queues, booleans, timer services, and so forth. If any of the registered events occur, the scheduler wakes up the task to process the event. This message is generated if an unexpected event woke up the task and it does not know how to handle the event.
If an event is left unprocessed, it can wake up the task very often to make sure it is processed, but this should not occur under normal conditions. If this message is displayed, it does not necessarily mean the device is unusable, but something unusual has occurred and needs to be investigated.
•
•
•
•
•
Recommended Action If the problem persists, contact the Cisco TAC.
216003
Error Message %ASA-3-216003: Unrecognized timer timer_ptr, timer_id received by task_string in function at line: line_numExplanation This message is displayed when an unexpected timer event woke up the task and the task does not know how to handle the event. A task can register a set of timer services with the scheduler. If any of the timers expire, the scheduler wakes up the task to take action. This message is generated if the task is woken up by an unrecognized timer event.
An expired timer, if left unprocessed, wakes up the task continuously to make sure it is processed, and this is undesirable. This should not occur under normal conditions. If this message is displayed, it does not necessarily mean the device is unusable, but something unusual has occurred and needs to be investigated.
•
•
•
•
•
Recommended Action If the problem persists, contact the Cisco TAC.
216004
Error Message %ASA-4-216004:prevented: error in function at file(line) - stack traceExplanation This syslog message reports an internal logic error, and should not occur during normal operation.
•
- Exception
- Dereferencing null pointer
- Array index out of bounds
- Invalid buffer size
- Writing from input
- Source and destination overlap
- Invalid date
- Access offset from array indices
•
•
•
Recommended Action If the problem persists, contact the Cisco TAC.
216005
Error Message %ASA-1-216005: ERROR: Duplex-mismatch on interface_name resulted in transmitter lockup. A soft reset of the switch was performed.Explanation A duplex-mismatch on the port caused a problem whereby the port could no longer transmit packets. This condition was detected, and the switch was reset to auto-recover from this condition. This message applies only to the ASA 5505 device.
•
Recommended Action A duplex-mismatch exists between the specified port and the device that is connected to it. Correct the duplex-mismatch by either setting both devices to "auto," or hard-coding the duplex on both sides to be the same.
218001
Error Message %ASA-2-218001: Failed Identification Test in slot# [fail#/res].Explanation The module in slot# of the adaptive security appliance could not be identified as a genuine Cisco product. Cisco warranties and support programs apply only to genuine Cisco products. If Cisco determines that the cause of a support issue is related to non-Cisco memory, SSM modules, SSC modules, or other modules, Cisco may deny support under your warranty or under a Cisco support program such as SmartNet.
Recommended Action If this message reoccurs, copy it exactly as it appears on the console or in the system log. Research and attempt to resolve the error using the Output Interpreter. Also perform a search with the Bug Toolkit. If the problem persists, contact the Cisco TAC.
218002
Error Message %ASA-2-218002: Module (slot#) is a registered proto-type for Cisco Lab use only, and not certified for live network operation.Explanation The hardware in the specified location is a prototype module that came from a Cisco lab.
Recommended Action If this message reoccurs, copy it exactly as it appears on the console or in the system log. Research and attempt to resolve the error using the Output Interpreter. Also perform a search of the Bug Toolkit. If the problem persists, contact the Cisco TAC.
218003
Error Message %ASA-2-218003: Module Version in slot# is obsolete. The module in slot = slot# is obsolete and must be returned via RMA to Cisco Manufacturing. If it is a lab unit, it must be returned to Proto Services for upgrade.Explanation This syslog message is generated when obsolete hardware is detected or when the show module command is entered for the module. This syslog message is generated every minute once it starts.
Recommended Action If this message reoccurs, copy it exactly as it appears on the console or in the system log. Research and attempt to resolve the error using the Output Interpreter. Also perform a search of the Bug Toolkit. If the problem persists, contact the Cisco TAC.
218004
Error Message %ASA-2-218004: Failed Identification Test in slot# [fail#/res]Explanation There was a problem while identifying hardware in the specified location.
Recommended Action If this message recurs, copy it exactly as it appears on the console or in the system log. Research and attempt to resolve the error using the Output Interpreter. Also perform a search of the Bug Toolkit. If the problem persists, contact the Cisco TAC.
219002
Error Message %ASA-3-219002: I2C_API_name error, slot = slot_number, device = device_number, address = address, byte count = count. Reason: reason_stringExplanation The I2C serial bus API has failed because of a hardware or software problem.
•
–
–
–
–
–
–
–
–
–
–
–
–
•
•
•
•
•
–
–
–
–
–
–
–
–
–
Recommended Action Perform the following steps:
1.
2.
3.
4.
Messages 302003 to 338310
This section contains messages from 302003 to 338310.
302003
Error Message %ASA-6-302003: Built H245 connection for foreign_address outside_address/outside_port local_address inside_address/inside_portExplanation This is a connection-related message. This message is displayed when an H.245 connection is started from the outside_address to the inside_address. This message only occurs if the adaptive security appliance detects the use of an Intel Internet Phone. The foreign port (outside port) only displays on connections from outside the adaptive security appliance. The local port value (inside port) only appears on connections started on an internal interface.
Recommended Action None required.
302004
Error Message %ASA-6-302004: Pre-allocate H323 UDP backconnection for foreign_address outside_address/outside_port to local_address inside_address/inside_portExplanation This is a connection-related message. This message is displayed when an H.323 UDP back-connection is preallocated to the foreign address (outside_address) from the local address (inside_address). This message only occurs if the adaptive security appliance detects the use of an Intel Internet Phone. The foreign port (outside_port) only displays on connections from outside the adaptive security appliance. The local port value (inside_port) only appears on connections started on an internal interface.
Recommended Action None required.
302009
Error Message %ASA-6-302009: Rebuilt TCP connection number for foreign_address outside_address/outside_port global_address global_address/global_port local_address inside_address/inside_portExplanation This is a connection-related message. This message appears after a TCP connection is rebuilt after a failover. A sync packet is not sent to the other adaptive security appliance. The outside_address IP address is the foreign host, the global_address IP address is a global address on the lower security level interface, and the inside_address IP address is the local IP address "behind" the adaptive security appliance on the higher security level interface.
Recommended Action None required.
302010
Error Message %ASA-6-302010: connections in use, connections most usedExplanation This is a connection-related message. This message appears after a TCP connection restarts.
•
Recommended Action None required.
302012
Error Message %ASA-6-302012: Pre-allocate H225 Call Signalling Connection for faddr IP_address/port to laddr IP_addressExplanation An H.225 secondary channel has been preallocated.
Recommended Action None required.
302013
Error Message %ASA-6-302013: Built {inbound|outbound} TCP connection_id for interface:real-address/real-port (mapped-address/mapped-port) to interface:real-address/real-port (mapped-address/mapped-port) [(user)]Explanation A TCP connection slot between two hosts was created.
•
•
•
•
If inbound is specified, the original control connection was initiated from the outside. For example, for FTP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, the original control connection was initiated from the inside.
Recommended Action None required.
302014
Error Message %ASA-6-302014: Teardown TCP connection id for interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes bytes [reason] [(user)]Explanation A TCP connection between two hosts was deleted. The following list describes the message values:
•
•
•
•
•
•
Recommended Action None required.
302015
Error Message %ASA-6-302015: Built {inbound|outbound} UDP connection number for interface_name:real_address/real_port (mapped_address/mapped_port) to interface_name:real_address/real_port (mapped_address/mapped_port) [(user)]Explanation A UDP connection slot between two hosts is created. The following list describes the message values:
•
•
•
•
If inbound is specified, then the original control connection is initiated from the outside. For example, for UDP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, then the original control connection is initiated from the inside.
Recommended Action None required.
302016
Error Message %ASA-6-302016: Teardown UDP connection number for interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes bytes [(user)]Explanation A UDP connection slot between two hosts was deleted. The following list describes the message values:
•
•
•
•
•
•
•
•
•
Recommended Action None required.
302017
Error Message %ASA-6-302017: Built {inbound|outbound} GRE connection id from interface:real_address (translated_address) to interface:real_address/real_cid (translated_address/translated_cid)[(user)Explanation A GRE connection slot between two hosts is created. The id is an unique identifier. The interface, real_address, real_cid tuple identifies the one of the two simplex PPTP GRE streams. The parenthetical translated_address, translated_cid tuple identifies the translated value with NAT.
If inbound is indicated, then the connection can only be used inbound. If outbound is indicated, then the connection can only be used for outbound. The following list describes the message values:•
•
•
•
•
•
•
•
•
Recommended Action None required.
302018
Error Message %ASA-6-302018: Teardown GRE connection id from interface:real_address (translated_address) to interface:real_address/real_cid (translated_address/translated_cid) duration hh:mm:ss bytes bytes [(user)]Explanation A GRE connection slot between two hosts is deleted. The interface, real_address, real_port tuples identify the actual sockets. Duration identifies the lifetime of the connection. The following list describes the message values:
•
•
•
•
•
•
•
•
Recommended Action None required.
302019
Error Message %ASA-3-302019: H.323 library_name ASN Library failed to initialize, error code numberExplanation The specified ASN library that the adaptive security appliance uses for decoding the H.323 messages failed to initialize; the adaptive security appliance cannot decode or inspect the arriving H.323 packet. The adaptive security appliance allows the H.323 packet to pass through without any modification. When the next H.323 message arrives, the adaptive security appliance attempts to initialize the library again.
Recommended Action If this message is generated consistently for a particular library, contact the Cisco TAC and provide them with all log messages (preferably with timestamps).
302020
Error Message %-6-302020: Built {in | out}bound ICMP connection for faddr {faddr | icmp_seq_num} gaddr {gaddr | cmp_type} laddr laddrExplanation An ICMP session is established in the fast-path when stateful ICMP is enabled using the inspect icmp command.
Recommended Action None required.
302021
Error Message %-6-302021: Teardown ICMP connection for faddr {faddr | icmp_seq_num} gaddr {gaddr | cmp_type} laddr laddrExplanation An ICMP session is removed in the fast-path when stateful ICMP is enabled using the inspect icmp command.
Recommended Action None required.
302033
Error Message %ASA-6-302033:Pre-allocated H323 GUP Connection for faddr interface:foreign address/foreign-port to laddr interface:local-address/local-portExplanation This is a connection-related message. This message is displayed when a GUP connection is started from the foreign_address to the local_address. The foreign port (outside port) only displays on connections from outside the security device. The local port value (inside port) only appears on connections started on an internal interface.
•
•
•
•
•
Recommended Action None required
302034
Error Message %ASA-4-302034: Unable to pre-allocate H323 GUP Connection for faddr interface:foreign address/foreign-port to laddr interface:local-address/local-portExplanation The module failed to allocate RAM system memory while starting a connection or has no more address translation slots available.
•
•
•
•
•
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact Cisco TAC. You can check the size of the global pool compared to the number of inside network clients. Alternatively, shorten the timeout interval of translates and connections. This error message may also be caused by insufficient memory; try reducing the amount of memory usage, or purchasing additional memory.
302302
Error Message %ASA-3-302302: ACL = deny; no sa createdExplanation IPSec proxy mismatches have occurred. Proxy hosts for the negotiated SA correspond to a deny access-list command policy.
Recommended Action Check the access-list command statement in the configuration. Contact the administrator for the peer.
302303
Error Message %ASA-6-302303: Built TCP state-bypass connection conn_id from initiator_interface:real_ip/real_port(mapped_ip/mapped_port) to responder_interface:real_ip/real_port (mapped_ip/mapped_port)Explanation A new TCP connection has been created, and this connection is a TCP-state-bypass connection. This type of connection bypasses all the TCP state checks and additional security checks and inspections.
Recommended Action If you need to secure TCP traffic with all the normal TCP state checks as well as all other security checks and inspections, you can use the no set connection advanced-options tcp-state-bypass command to disable this feature for TCP traffic.
302304
Error Message %ASA-6-302304: Teardown TCP state-bypass connection conn_id from initiator_interface:ip/port to responder_interface:ip/port duration, bytes, teardown reason.Explanation A new TCP connection has been torn down, and this connection is a TCP-state-bypass connection. This type of connection bypasses all the TCP state checks and additional security checks and inspections.
•
•
•
Recommended Action If you need to secure TCP traffic with all the normal TCP state checks as well as all other security checks and inspections, you can use the no set connection advanced-options tcp-state-bypass command to disable this feature for TCP traffic.
303003
Error Message %ASA-5-303003: FTP cmd_string command denied - failed strict inspection, terminating connection from %s:%A/%d to %s:%A/%d\n.Explanation This message is generated when using strict FTP inspection on FTP traffic. It is displayed if an FTP request message contains a command that is not recognized by the device.
Recommended Action None required.
303004
Error Message %ASA-5-303004: FTP cmd_string command unsupported - failed strict inspection, terminating connection from source_interface:source_address/source_port to dest_interface:dest_address/dest_interfaceExplanation This message is generated when using strict FTP inspection on FTP traffic. It is displayed if an FTP request message contains a command that is not recognized by the device.
Recommended Action None required.
303005
Error Message %ASA-5-303005: Strict FTP inspection matched match_string in policy-map policy-name, action_string from src_ifc:sip/sport to dest_ifc:dip/dportExplanation This message is generated when FTP inspection matches any of the following configured values: filename, file type, request command, server, or user name. Then the action specified by the action_string in this syslog message occurs.
•
•
•
•
•
•
•
