Feedback
Table Of Contents
Syslog Messages
This chapter lists the messages in numerical order.
Note
When a number is skipped in a sequence, the message is no longer in the ASA code.
For information about how to configure logging, SNMP, and NetFlow, see the CLI configuration guide.
Table 1-1 lists the message classes and the ranges of message IDs that are associated with each class. The valid range for message IDs is between 100000 and 999999.
This chapter includes the following sections:
Messages 101001 to 199021
This section includes messages from 101001 to 199021.
101001
Error Message %ASA-1-101001: (Primary) Failover cable OK.Explanation The failover cable is present and functioning correctly. Primary can also be listed as Secondary for the secondary unit.
Recommended Action None required.
101002
Error Message %ASA-1-101002: (Primary) Bad failover cable.Explanation The failover cable is present, but not functioning correctly. Primary can also be listed as Secondary for the secondary unit.
Recommended Action Replace the failover cable.
101003, 101004
Error Message %ASA-1-101003: (Primary) Failover cable not connected (this unit).Error Message %ASA-1-101004: (Primary) Failover cable not connected (other unit).Explanation Failover mode is enabled, but the failover cable is not connected to one unit of the failover pair. Primary can also be listed as Secondary for the secondary unit.
Recommended Action Connect the failover cable to both units of the failover pair.
101005
Error Message %ASA-1-101005: (Primary) Error reading failover cable status.Explanation The failover cable is connected, but the primary unit is unable to determine its status.
Recommended Action Replace the cable.
102001
Error Message %ASA-1-102001: (Primary) Power failure/System reload other side.Explanation The primary unit has detected a system reload or a power failure on the other unit. Primary can also be listed as Secondary for the secondary unit.
Recommended Action On the unit that experienced the reload, use the show crashinfo command to determine if there is a traceback associated with the reload. Also verify that the unit is powered on and that power cables are correctly connected.
103001
Error Message %ASA-1-103001: (Primary) No response from other firewall (reason code = code).Explanation The primary unit is unable to communicate with the secondary unit over the failover cable. Primary can also be listed as Secondary for the secondary unit. Table 1-2 lists the reason codes and the descriptions to determine why the failover occurred.
Recommended Action Verify that the failover cable is connected correctly and both units have the same hardware, software, and configuration. If the problem persists, contact the Cisco TAC.
103002
Error Message %ASA-1-103002: (Primary) Other firewall network interface interface_number OK.Explanation The primary unit has detected that the network interface on the secondary unit is okay. Primary can also be listed as Secondary for the secondary unit.
Recommended Action None required.
103003
Error Message %ASA-1-103003: (Primary) Other firewall network interface interface_number failed.Explanation The primary unit has detected a bad network interface on the secondary unit. Primary can also be listed as Secondary for the secondary unit.
Recommended Action Check the network connections on the secondary unit and the network hub connection. If necessary, replace the failed network interface.
103004
Error Message %ASA-1-103004: (Primary) Other firewall reports this firewall failed. Reason: reason-stringExplanation The primary unit received a message from the secondary unit indicating that the primary unit has failed. Primary can also be listed as Secondary for the secondary unit. The reason can be one of the following:
•
•
•
•
•
Recommended Action Verify the status of the primary unit.
103005
Error Message %ASA-1-103005: (Primary) Other firewall reporting failure. Reason: SSM card failureExplanation The secondary unit has reported an SSM card failure to the primary unit. Primary can also be listed as Secondary for the secondary unit.
Recommended Action Verify the status of the secondary unit.
103006
Error Message %ASA-1-103006: (Primary|Secondary) Mate version ver_num is not compatible with ours ver_numExplanation The ASA has detected a peer unit that is running a version that is different than the local unit and is not compatible with the HA Hitless Upgrade feature.
•
Recommended Action Install the same or a compatible version image on both units.
103007
Error Message %ASA-1-103007: (Primary|Secondary) Mate version ver_num is not identical with ours ver_numExplanation The ASA has detected that the peer unit is running a version that is not identical, but supports Hitless Upgrade and is compatible with the local unit. The system performance may be degraded because the image version is not identical, and the ASA may develop a stability issue if the nonidentical image runs for an extended period.
•
Recommended Action Install the same image version on both units as soon as possible.
104001, 104002
Error Message %ASA-1-104001: (Primary) Switching to ACTIVE (cause: string).Error Message %ASA-1-104002: (Primary) Switching to STANDBY (cause: string).Explanation You have forced the failover pair to switch roles, either by entering the failover active command on the standby unit, or the no failover active command on the active unit. Primary can also be listed as Secondary for the secondary unit. Possible values for the string variable are as follows:
•
•
•
•
•
•
•
Recommended Action If the message occurs because of manual intervention, no action is required. Otherwise, use the cause reported by the secondary unit to verify the status of both units of the pair.
104003
Error Message %ASA-1-104003: (Primary) Switching to FAILED.Explanation The primary unit has failed.
Recommended Action Check the messages for the primary unit for an indication of the nature of the problem (see message 104001). Primary can also be listed as Secondary for the secondary unit.
104004
Error Message %ASA-1-104004: (Primary) Switching to OK.Explanation A previously failed unit reports that it is operating again. Primary can also be listed as Secondary for the secondary unit.
Recommended Action None required.
105001
Error Message %ASA-1-105001: (Primary) Disabling failover.Explanation In version 7.x and later, this message may indicate the following: failover has been automatically disabled because of a mode mismatch (single or multiple), a license mismatch (encryption or context), or a hardware difference (one unit has an IPS SSM installed, and its peer has a CSC SSM installed). Primary can also be listed as Secondary for the secondary unit.
Recommended Action None required.
105002
Error Message %ASA-1-105002: (Primary) Enabling failover.Explanation You have used the failover command with no arguments on the console, after having previously disabled failover. Primary can also be listed as Secondary for the secondary unit.
Recommended Action None required.
105003
Error Message %ASA-1-105003: (Primary) Monitoring on interface interface_name waitingExplanation The ASA is testing the specified network interface with the other unit of the failover pair. Primary can also be listed as Secondary for the secondary unit.
Recommended Action None required. The ASA monitors its network interfaces frequently during normal operation.
105004
Error Message %ASA-1-105004: (Primary) Monitoring on interface interface_name normalExplanation The test of the specified network interface was successful. Primary can also be listed as Secondary for the secondary unit.
Recommended Action None required.
105005
Error Message %ASA-1-105005: (Primary) Lost Failover communications with mate on interface interface_name.Explanation One unit of the failover pair can no longer communicate with the other unit of the pair. Primary can also be listed as Secondary for the secondary unit.
Recommended Action Verify that the network connected to the specified interface is functioning correctly.
105006, 105007
Error Message %ASA-1-105006: (Primary) Link status Up on interface interface_name.Error Message %ASA-1-105007: (Primary) Link status Down on interface interface_name.Explanation The results of monitoring the link status of the specified interface have been reported. Primary can also be listed as Secondary for the secondary unit.
Recommended Action If the link status is down, verify that the network connected to the specified interface is operating correctly.
105008
Error Message %ASA-1-105008: (Primary) Testing interface interface_name.Explanation Testing of a specified network interface has occurred. This testing is performed only if the ASA fails to receive a message from the standby unit on that interface after the expected interval. Primary can also be listed as Secondary for the secondary unit.
Recommended Action None required.
105009
Error Message %ASA-1-105009: (Primary) Testing on interface interface_name {Passed|Failed}.Explanation The result (either Passed or Failed) of a previous interface test has been reported. Primary can also be listed as Secondary for the secondary unit.
Recommended Action None required if the result is Passed. If the result is Failed, you should check the network cable connection to both failover units, that the network itself is functioning correctly, and verify the status of the standby unit.
105010
Error Message %ASA-3-105010: (Primary) Failover message block alloc failedExplanation Block memory was depleted. This is a transient message and the ASA should recover. Primary can also be listed as Secondary for the secondary unit.
Recommended Action Use the show blocks command to monitor the current block memory.
105011
Error Message %ASA-1-105011: (Primary) Failover cable communication failureExplanation The failover cable is not permitting communication between the primary and secondary units. Primary can also be listed as Secondary for the secondary unit.
Recommended Action Ensure that the cable is connected correctly.
105020
Error Message %ASA-1-105020: (Primary) Incomplete/slow config replicationExplanation When a failover occurs, the active ASA detects a partial configuration in memory. Normally, this is caused by an interruption in the replication service. Primary can also be listed as Secondary for the secondary unit.
Recommended Action After the ASA detects the failover, the ASA automatically reboots and loads the configuration from flash memory and/or resynchronizes with another ASA. If failovers occurs continuously, check the failover configuration and make sure that both ASAs can communicate with each other.
105021
Error Message %ASA-1-105021: (failover_unit) Standby unit failed to sync due to a locked context_name config. Lock held by lock_owner_nameExplanation During configuration synchronization, a standby unit will reload itself if some other process locks the configuration for more than five minutes, which prevents the failover process from applying the new configuration. This can occur when an administrator pages through a running configuration on the standby unit while configuration synchronization is in process. See also the show running-config command in privileged EXEC mode and the pager lines num command in global configuration mode in the Cisco ASA 5500 Series Command Reference.
Recommended Action Avoid viewing or modifying the configuration on the standby unit when it first boots up and is in the process of establishing a failover connection with the active unit.
105031
Error Message %ASA-1-105031: Failover LAN interface is upExplanation The LAN failover interface link is up.
Recommended Action None required.
105032
Error Message %ASA-1-105032: LAN Failover interface is downExplanation The LAN failover interface link is down.
Recommended Action Check the connectivity of the LAN failover interface. Make sure that the speed or duplex setting is correct.
105034
Error Message %ASA-1-105034: Receive a LAN_FAILOVER_UP message from peer.Explanation The peer has just booted and sent the initial contact message.
Recommended Action None required.
105035
Error Message %ASA-1-105035: Receive a LAN failover interface down msg from peer.Explanation The peer LAN failover interface link is down. The unit switches to active mode if it is in standby mode.
Recommended Action Check the connectivity of the peer LAN failover interface.
105036
Error Message %ASA-1-105036: dropped a LAN Failover command message.Explanation The ASA dropped an unacknowledged LAN failover command message, indicating a connectivity problem exists on the LAN failover interface.
Recommended Action Check that the LAN interface cable is connected.
105037
Error Message %ASA-1-105037: The primary and standby units are switching back and forth as the active unit.Explanation The primary and standby units are switching back and forth as the active unit, indicating a LAN failover connectivity problem or software bug exists.
Recommended Action Make sure that the LAN interface cable is connected.
105038
Error Message %ASA-1-105038: (Primary) Interface count mismatchExplanation When a failover occurs, the active ASA detects a partial configuration in memory. Normally, this is caused by an interruption in the replication service. Primary can also be listed as Secondary for the secondary unit.
Recommended Action Once the failover is detected by the ASA, the ASA automatically reboots and loads the configuration from flash memory and/or resynchronizes with another ASA. If failovers occur continuously, check the failover configuration and make sure that both ASAs can communicate with each other.
105039
Error Message %ASA-1-105039: (Primary) Unable to verify the Interface count with mate. Failover may be disabled in mate.Explanation Failover initially verifies that the number of interfaces configured on the primary and secondary ASAs are the same. This message indicates that the primary ASA is not able to verify the number of interfaces configured on the secondary ASA. This message indicates that the primary ASA is not able to communicate with the secondary ASA over the failover interface. Primary can also be listed as Secondary for the secondary unit.
Recommended Action Verify the failover LAN, interface configuration, and status on the primary and secondary ASAs. Make sure that the secondary ASA is running the ASA application and that failover is enabled.
105040
Error Message %ASA-1-105040: (Primary) Mate failover version is not compatible.Explanation The primary and secondary ASAs should run the same failover software version to act as a failover pair. This message indicates that the secondary ASA failover software version is not compatible with the primary ASA. Failover is disabled on the primary ASA. Primary can also be listed as Secondary for the secondary ASA.
Recommended Action Maintain consistent software versions between the primary and secondary ASAs to enable failover.
105042
Error Message %ASA-1-105042: (Primary) Failover interface OKExplanation The LAN failover interface link is up.
Explanation The interface used to send failover messages to the secondary ASA is functioning. Primary can also be listed as Secondary for the secondary ASA.
Recommended Action None required.
105043
Error Message %ASA-1-105043: (Primary) Failover interface failedExplanation The LAN failover interface link is down.
Recommended Action Check the connectivity of the LAN failover interface. Make sure that the speed or duplex setting is correct.
105044
Error Message %ASA-1-105044: (Primary) Mate operational mode mode is not compatible with my mode mode.Explanation When the operational mode (single or multiple) does not match between failover peers, failover will be disabled.
Recommended Action Configure the failover peers to have the same operational mode, and then reenable failover.
105045
Error Message %ASA-1-105045: (Primary) Mate license (number contexts) is not compatible with my license (number contexts).Explanation When the feature licenses do not match between failover peers, failover will be disabled.
Recommended Action Configure the failover peers to have the same feature license, and then reenable failover.
105046
Error Message %ASA-1-105046 (Primary|Secondary) Mate has a different chassisExplanation Two failover units have a different type of chassis. For example, one has a three-slot chassis; the other has a six-slot chassis.
Recommended Action Make sure that the two failover units are the same.
105047
Error Message %ASA-1-105047: Mate has a io_card_name1 card in slot slot_number which is different from my io_card_name2Explanation The two failover units have different types of cards in their respective slots.
Recommended Action Make sure that the card configurations for the failover units are the same.
105048
Error Message %ASA-1-105048: (unit) Mate's service module (application) is different from mine (application)Explanation The failover process detected that different applications are running on the service modules in the active and standby units. The two failover units are incompatible if different service modules are used.
•
•
Recommended Action Make sure that both units have identical service modules before trying to reenable failover.
106001
Error Message %ASA-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_nameExplanation An attempt was made to connect to an inside address is denied by the security policy that is defined for the specified traffic type. The IP address displayed is the real IP address instead of the IP address that appears through NAT. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the ASA, and it was dropped. The tcp_flags in this packet are FIN and ACK.
The tcp_flags are as follows:
•
•
•
•
•
•
Recommended Action None required.
106002
Error Message %ASA-2-106002: protocol Connection denied by outbound list acl_ID src inside_address dest outside_addressExplanation The specified connection failed because of an outbound deny command. The protocol variable can be ICMP, TCP, or UDP.
Recommended Action Use the show outbound command to check outbound lists.
106006
Error Message %ASA-2-106006: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name.Explanation An inbound UDP packet was denied by the security policy that is defined for the specified traffic type.
Recommended Action None required.
106007
Error Message %ASA-2-106007: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port due to DNS {Response|Query}.Explanation A UDP packet containing a DNS query or response was denied.
Recommended Action If the inside port number is 53, the inside host probably is set up as a caching name server. Add an access-list command statement to permit traffic on UDP port 53 and a translation entry for the inside host. If the outside port number is 53, a DNS server was probably too slow to respond, and the query was answered by another server.
106010
Error Message %ASA-3-106010: Deny inbound protocol src [interface_name: source_address/source_port] [([idfw_user | FQDN_string], sg_info)] dst [interface_name: dest_address/dest_port}[([idfw_user | FQDN_string], sg_info)]Explanation An inbound connection was denied by your security policy.
Recommended Action Modify the security policy if traffic should be permitted. If the message occurs at regular intervals, contact the remote peer administrator.
106011
Error Message %ASA-3-106011: Deny inbound (No xlate) stringExplanation The message appears under normal traffic conditions if there are internal users that are accessing the Internet through a web browser. Any time a connection is reset, when the host at the end of the connection sends a packet after the ASA receives the connection reset, this message appears. It can typically be ignored.
Recommended Action Prevent this message from getting logged to the syslog server by entering the no logging message 106011 command.
106012
Error Message %ASA-6-106012: Deny IP from IP_address to IP_address, IP options hex.Explanation An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.
Recommended Action Contact the remote host system administrator to determine the problem. Check the local site for loose source routing or strict source routing.
106013
Error Message %ASA-2-106013: Dropping echo request from IP_address to PAT address IP_addressExplanation The ASA discarded an inbound ICMP Echo Request packet with a destination address that corresponds to a PAT global address. The inbound packet is discarded because it cannot specify which PAT host should receive the packet.
Recommended Action None required.
106014
Error Message %ASA-3-106014: Deny inbound icmp src interface_name: IP_address [([idfw_user | FQDN_string], sg_info)] dst interface_name: IP_address [([idfw_user | FQDN_string], sg_info)] (type dec, code dec)Explanation The ASA denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically allowed.
Recommended Action None required.
106015
Error Message %ASA-6-106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.Explanation The ASA discarded a TCP packet that has no associated connection in the ASA connection table. The ASA looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is no existing connection, the ASA discards the packet.
Recommended Action None required unless the ASA receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.
106016
Error Message %ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.Explanation A packet arrived at the ASA interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the ASA interface. In addition, this message is generated when the ASA discarded a packet with an invalid source address, which may include one of the following or some other invalid address:
•
•
•
To further enhance spoof packet detection, use the icmp command to configure the ASA to discard packets with source addresses belonging to the internal network, because the access-list command has been deprecated and is no longer guaranteed to work correctly.
Recommended Action Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
106017
Error Message %ASA-2-106017: Deny IP due to Land Attack from IP_address to IP_addressExplanation The ASA received a packet with the IP source address equal to the IP destination, and the destination port equal to the source port. This message indicates a spoofed packet that is designed to attack systems. This attack is referred to as a Land Attack.
Recommended Action If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.
106018
Error Message %ASA-2-106018: ICMP packet type ICMP_type denied by outbound list acl_ID src inside_address dest outside_addressExplanation The outgoing ICMP packet with the specified ICMP from local host (inside_address) to the foreign host (outside_address) was denied by the outbound ACL list.
Recommended Action None required.
106020
Error Message %ASA-2-106020: Deny IP teardrop fragment (size = number, offset = number) from IP_address to IP_addressExplanation The ASA discarded an IP packet with a teardrop signature containing either a small offset or fragment overlapping. This is a hostile event that circumvents the ASA or an Intrusion Detection System.
Recommended Action Contact the remote peer administrator or escalate this issue according to your security policy.
106021
Error Message %ASA-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_nameExplanation An attack is in progress. Someone is attempting to spoof an IP address on an inbound connection. Unicast RPF, also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your ASA.
This message appears when you have enabled Unicast RPF with the ip verify reverse-path command. This feature works on packets input to an interface; if it is configured on the outside, then the ASA checks packets arriving from the outside.
The ASA looks up a route based on the source_address. If an entry is not found and a route is not defined, then this message appears and the connection is dropped.
If there is a route, the ASA checks which interface it corresponds to. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination. The ASA does not support asymmetric routing.
If the ASA is configured on an internal interface, it checks static route command statements or RIP, and if the source_address is not found, then an internal user is spoofing their address.
Recommended Action Even though an attack is in progress, if this feature is enabled, no user action is required. The ASA repels the attack.
106022
Error Message %ASA-1-106022: Deny protocol connection spoof from source_address to dest_address on interface interface_nameExplanation A packet matching a connection arrived on a different interface from the interface on which the connection began. In addition, the ip verify reverse-path command is not configured.
For example, if a user starts a connection on the inside interface, but the ASA detects the same connection arriving on a perimeter interface, the ASA has more than one path to a destination. This is known as asymmetric routing and is not supported on the ASA.
An attacker also might be attempting to append packets from one connection to another as a way to break into the ASA. In either case, the ASA shows this message and drops the connection.
Recommended Action Check that the routing is not asymmetric.
106023
Error Message %ASA-4-106023: Deny protocol src [interface_name:source_address/source_port] [([idfw_user|FQDN_string], sg_info)] dst interface_name:dest_address/dest_port [([idfw_user|FQDN_string], sg_info)] [type {string}, code {code}] by access_group acl_ID [0x8ed66b60, 0xf8852875]Explanation A real IP packet was denied by the ACL. This message appears even if you do not have the log option enabled for an ACL. The IP address is the real IP address instead of the values that display through NAT. Both user identity information and FQDN information is provided for the IP addresses if a matched one is found. The ASA logs either identity information (domain\user) or FQDN (if the username is not available). If the identity information or FQDN is available, the ASA logs this information for both the source and destination.
Recommended Action If messages persist from the same source address, a footprinting or port scanning attempt might be occurring. Contact the remote host administrator.
106024
Error Message %ASA-2-106024: Access rules memory exhaustedExplanation The access list compilation process has run out of memory. All configuration information that has been added since the last successful access list was removed from the ASA, and the most recently compiled set of access lists will continue to be used.
Recommended Action Access lists, AAA, ICMP, SSH, Telnet, and other rule types are stored and compiled as access list rule types. Remove some of these rule types so that others can be added.
106025, 106026
Error Message %ASA-6-106025: Failed to determine the security context for the packet:sourceVlan:source_address dest_address source_port dest_port protocolError Message %ASA-6-106026: Failed to determine the security context for the packet:sourceVlan:source_address dest_address source_port dest_port protocolExplanation The security context of the packet in multiple context mode cannot be determined. Both messages can be generated for IP packets being dropped in either router and transparent mode.
Recommended Action None required.
106027
Error Message %ASA-4-106027:Failed to determine the security context for the packet:vlansource Vlan#:ethertype src sourceMAC dst destMACExplanation The security context of the packet in multiple context mode cannot be determined. This message is generated for non-IP packets being dropped in transparent mode only.
Recommended Action None required.
106100
Error Message %ASA-4-106100: access-list acl_ID {permitted | denied | est-allowed} protocol interface_name/source_address(source_port) (idfw_user, sg_info) interface_name/dest_address(dest_port) (idfw_user, sg_info) hit-cnt number ({first hit | number-second interval}) hash codesExplanation The initial occurrence or the total number of occurrences during an interval are listed. This message provides more information than message 106023, which only logs denied packets, and does not include the hit count or a configurable level.
When an access-list line has the log argument, it is expected that this message ID might be triggered because of a nonsynchronized packet reaching the ASA and being evaluated by the access list. For example, if an ACK packet is received on the ASA (for which no TCP connection exists in the connection table), the ASA might generate message 106100, indicating that the packet was permitted; however, the packet is later correctly dropped because of no matching connection.
The following list describes the message values:
•
•
•
•
•
•
•
•
•
•
•
•
•
Recommended Action None required.
106101
Error Message %ASA-1-106101 The number of ACL log deny-flows has reached limit (number).Explanation If you configured the log option for an ACL deny statement (access-list id deny command), and a traffic flow matches the ACL statement, the ASA caches the flow information. This message indicates that the number of matching flows that are cached on the ASA exceeds the user-configured limit (using the access-list deny-flow-max command). This message might be generated as a result of a DoS attack.
•
Recommended Action None required.
106102
Error Message %ASA-6-106102: access-list acl_ID {permitted|denied} protocol for user username interface_name/source_address source_port interface_name/dest_address dest_port hit-cnt number {first hit|number-second interval} hash codesExplanation A packet was either permitted or denied by an access-list that was applied through a VPN filter. This message is the VPN/AAA filter equivalent of message 106100.
Recommended Action None required.
106103
Error Message %ASA-4-106103: access-list acl_ID denied protocol for user username interface_name/source_address source_port interface_name/dest_address dest_port hit-cnt number first hit hash codesExplanation A packet was denied by an access-list that was applied through a VPN filter. This message is the VPN/AAA filter equivalent of message106023.
Recommended Action None required.
107001
Error Message %ASA-1-107001: RIP auth failed from IP_address: version=number, type=string, mode=string, sequence=number on interface interface_nameExplanation The ASA received a RIP reply message with bad authentication. This message might be caused by a misconfiguration on the router or the ASA or by an unsuccessful attempt to attack the routing table of the ASA.
Recommended Action This message indicates a possible attack and should be monitored. If you are not familiar with the source IP address listed in this message, change your RIP authentication keys between trusted entities. An attacker might be trying to determine the existing keys.
107002
Error Message %ASA-1-107002: RIP pkt failed from IP_address: version=number on interface interface_nameExplanation A router bug, a packet with non-RFC values inside, or a malformed entry may have caused this message to appear. This should not happen, and may be an attempt to exploit the routing table of the ASA.
Recommended Action This message indicates a possible attack and should be monitored. The packet has passed authentication, if enabled, and bad data is in the packet. Monitor the situation and change the keys if there are any doubts about the originator of the packet.
108002
Error Message %ASA-2-108002: SMTP replaced string: out source_address in inside_address data: stringExplanation A Mail Guard (SMTP) message has been generated by the inspect esmtp command. The ASA has replaced an invalid character in an e-mail address with a space.
Recommended Action None required.
108003
Error Message %ASA-2-108003: Terminating ESMTP/SMTP connection; malicious pattern detected in the mail address from source_interface:source_address/source_port to dest_interface:dest_address/dset_port. Data:stringExplanation The ASA has detected a malicious pattern in an e-mail address and drops the connection. An attack is in progress.
Recommended Action None required.
108004
Error Message %ASA-4-108004: action_class: action ESMTP req_resp from src_ifc:sip|sport to dest_ifc:dip|dport;further_infoExplanation An ESMTP classification is performed on an ESMTP message, and the specified criteria are satisfied. The configured action is taken.
•
•
•
•
•
•
•
•
For a single match command: matched Class id: match_command (for example, matched Class 1234: match body length 100).
For parameter commands: parameter-command: descriptive-message (for example, mail-relay: No Mail Relay allowed)
Recommended Action None required.
108005
Error Message %ASA-6-108005: action_class: Received ESMTP req_resp from src_ifc:sip|sport to dest_ifc:dip|dport;further_infoExplanation An ESMTP classification is performed on an ESMTP message, and the specified criteria are satisfied. The standalone log action is taken.
•
•
•
•
•
•
•
For a single match command: matched Class id: match_command (for example, matched Class 1234: match body length 100)
For parameter commands (commands under the parameter section): parameter-command: descriptive-message (for example, mail-relay: No Mail Relay allowed)
Recommended Action None required.
108006
Error Message %ASA-7-108006: Detected ESMTP size violation from src_ifc:sip|sport to dest_ifc:dip|dport;declared size is: decl_size, actual size is act_size.Explanation This event is generated when an ESMTP message size exceeds the size declared in the RCPT command.
•
•
•
•
•
•
Recommended Action None required.
108007
Error Message %ASA-6-108007: TLS started on ESMTP session between client client-side interface-name: client IP address/client port and server server-side interface-name: server IP address/server portExplanation On an ESMTP connection, the server has responded with a 220 reply code to the client STARTTLS command. The ESMTP inspection engine no longer inspects the traffic on this connection.
•
•
•
•
•
•
Recommended Action Log and review the message. Check whether the ESMTP policy map associated with this connection has the allow-tls action log setting. If not, contact the Cisco TAC.
109001
Error Message %ASA-6-109001: Auth start for user user from inside_address/inside_port to outside_address/outside_portExplanation The ASA is configured for AAA and detects an authentication request by the specified user.
Recommended Action None required.
109002
Error Message %ASA-6-109002: Auth from inside_address/inside_port to outside_address/outside_port failed (server IP_address failed) on interface interface_name.Explanation An authentication request failed because the specified authentication server cannot be contacted by the module.
Recommended Action Check that the authentication daemon is running on the specified authentication server.
109003
Error Message %ASA-6-109003: Auth from inside_address to outside_address/outside_port failed (all servers failed) on interface interface_name, so marking all servers ACTIVE again.Explanation No authentication server can be found.
Recommended Action Ping the authentication servers from the ASA. Make sure that the daemons are running.
109005
Error Message %ASA-6-109005: Authentication succeeded for user user from inside_address/inside_port to outside_address/outside_port on interface interface_name.Explanation The specified authentication request succeeded.
Recommended Action None required.
109006
Error Message %ASA-6-109006: Authentication failed for user user from inside_address/inside_port to outside_address/outside_port on interface interface_name.Explanation The specified authentication request failed, possibly because of an incorrect password.
Recommended Action None required.
109007
Error Message %ASA-6-109007: Authorization permitted for user user from inside_address/inside_port to outside_address/outside_port on interface interface_name.Explanation The specified authorization request succeeded.
Recommended Action None required.
109008
Error Message %ASA-6-109008: Authorization denied for user user from outside_address/outside_port to inside_address/ inside_port on interface interface_name.Explanation A user is not authorized to access the specified address, possibly because of an incorrect password.
Recommended Action None required.
109010
Error Message %ASA-3-109010: Auth from inside_address/inside_port to outside_address/outside_port failed (too many pending auths) on interface interface_name.Explanation An authentication request cannot be processed because the server has too many requests pending.
Recommended Action Check to see if the authentication server is too slow to respond to authentication requests. Enable the Flood Defender feature with the floodguard enable command.
109011
Error Message %ASA-2-109011: Authen Session Start: user 'user', sid numberExplanation An authentication session started between the host and the ASA and has not yet completed.
Recommended Action None required.
109012
Error Message %ASA-5-109012: Authen Session End: user 'user', sid number, elapsed number secondsExplanation The authentication cache has timed out. Users must reauthenticate on their next connection. You can change the duration of this timer with the timeout uauth command.
Recommended Action None required.
109013
Error Message %ASA-3-109013: User must authenticate before using this serviceExplanation The user must be authenticated before using the service.
Recommended Action Authenticate using FTP, Telnet, or HTTP before using the service.
109014
Error Message %ASA-7-109014: A non-Telnet connection was denied to the configured virtual Telnet IP address.Explanation A request to authenticate did not have a corresponding request for authorization.
Recommended Action Ensure that both the aaa authentication and aaa authorization command statements are included in the configuration.
109016
Error Message %ASA-3-109016: Can't find authorization ACL acl_ID for user 'user'Explanation The specified on the AAA server for this user does not exist on the ASA. This error can occur if you configure the AAA server before you configure the ASA. The Vendor-Specific Attribute (VSA) on your AAA server might be one of the following values:
•
•
•
Recommended Action Add the ACL to the ASA, making sure to use the same name specified on the AAA server.
109017
Error Message %ASA-4-109017: User at IP_address exceeded auth proxy connection limit (max)Explanation A user has exceeded the user authentication proxy limit, and has opened too many connections to the proxy.
Recommended Action Increase the proxy limit by entering the proxy-limit proxy_limit command, or ask the user to close unused connections. If the error persists, it may indicate a possible DoS attack.
109018
Error Message %ASA-3-109018: Downloaded ACL acl_ID is emptyExplanation The downloaded authorization has no ACEs. This situation might be caused by misspelling the attribute string ip:inacl# or omitting the access-list command.
junk:junk# 1=permit tcp any any eq junk ip:inacl#1="Recommended Action Correct the ACL components that have the indicated error on the AAA server.
109019
Error Message %ASA-3-109019: Downloaded ACL acl_ID has parsing error; ACE stringExplanation An error occurred during parsing the sequence number NNN in the attribute string ip:inacl#NNN= of a downloaded authorization. The reasons include: - missing = - contains nonnumeric, nonpace characters between # and = - NNN is greater than 999999999.
ip:inacl# 1 permit tcp any anyip:inacl# 1junk2=permit tcp any anyip:inacl# 1000000000=permit tcp any anyRecommended Action Correct the ACL element that has the indicated error on the AAA server.
109020
Error Message %ASA-3-109020: Downloaded ACL has config error; ACEExplanation One of the components of the downloaded authorization has a configuration error. The entire text of the element is included in the message. This message is usually caused by an invalid access-list command statement.
Recommended Action Correct the ACL component that has the indicated error on the AAA server.
109021
Error Message %ASA-7-109021: Uauth null proxy errorExplanation An internal user authentication error has occurred.
Recommended Action None required. However, if this error appears repeatedly, contact the Cisco TAC.
109022
Error Message %ASA-4-109022: exceeded HTTPS proxy process limitExplanation For each HTTPS authentication, the ASA dedicates a process to service the authentication request. When the number of concurrently running processes exceeds the system-imposed limit, the ASA does not perform the authentication, and this message appears.
Recommended Action None required.
109023
Error Message %ASA-3-109023: User from source_address/source_port to dest_address/dest_port on interface outside_interface must authenticate before using this service.Explanation Based on the configured policies, you need to be authenticated before you can use this service port.
Recommended Action Authenticate using Telnet, FTP, or HTTP before attempting to use this service port.
109024
Error Message %ASA-6-109024: Authorization denied from source_address/source_port to dest_address/dest_port (not authenticated) on interface interface_name using protocolExplanation The ASA is configured for AAA and a user attempted to make a TCP connection across the ASA without prior authentication.
Recommended Action None required.
109025
Error Message %ASA-6-109025: Authorization denied (acl=acl_ID) for user 'user' from source_address/source_port to dest_address/dest_port on interface interface_name using protocolExplanation The check failed. The check either matched a deny or did not match anything, such as an implicit deny. The connection was denied by the user acl_ID, which was defined according to the AAA authorization policy on the Cisco Secure Access Control Server (ACS).
Recommended Action None required.
109026
Error Message %ASA-3-109026: [aaa protocol] Invalid reply digest received; shared server key may be mismatched.Explanation The response from the AAA server cannot be validated. The configured server key is probably incorrect. This message may be generated during transactions with RADIUS or TACACS+ servers.
Recommended Action Verify that the server key, configured using the aaa-server command, is correct.
109027
Error Message %ASA-4-109027: [aaa protocol] Unable to decipher response message Server = server_IP_address, User = userExplanation The response from the AAA server cannot be validated. The configured server key is probably incorrect. This message may be displayed during transactions with RADIUS or TACACS+ servers. The server_IP_address is the IP address of the relevant AAA server. The user is the user name associated with the connection.
Recommended Action Verify that the server key, configured using the aaa-server command, is correct.
109028
Error Message %ASA-4-109028: aaa bypassed for same-security traffic from ingress_ interface:source_address/source_port to egress_interface:dest_address/dest_portExplanation AAA is being bypassed for same security traffic that matches a configured AAA rule. This can only occur when traffic passes between two interfaces that have the same configured security level, when the same security traffic is permitted, and if the AAA configuration uses the include or exclude syntax.
Recommended Action None required.
109029
Error Message %ASA-5-109029: Parsing downloaded ACL: stringExplanation A syntax error occurred while parsing an access list that was downloaded from a RADIUS server during user authentication.
•
Recommended Action Use the information presented in this message to identify and correct the syntax error in the access list definition within the RADIUS server configuration.
109030
Error Message %ASA-4-109030: Autodetect ACL convert wildcard did not convert ACL access_list source|dest netmask netmask.Explanation A dynamic ACL that is configured on a RADIUS server is not converted by the mechanism for automatically detecting wildcard netmasks. The problem occurs because this mechanism cannot determine if the netmask is a wildcard or a normal netmask.
•
•
•
•
Recommended Action Check the access list netmask on the RADIUS server for the wildcard configuration. If the netmask is supposed to be a wildcard, and if all access list netmasks on that server are wildcards, then use the wildcard setting for acl-netmask-convert for the AAA server. Otherwise, change the netmask to a normal netmask or to a wildcard netmask that does not contain holes (that is, where the netmask presents consecutive binary 1s. For example, 00000000.00000000.00011111.11111111 or hex 0.0.31.255). If the mask is supposed to be normal and all access list netmasks on that server are normal, then use the normal setting for acl-netmask-convert for the AAA server.
109031
Error Message %ASA-4-109031: NT Domain Authentication Failed: rejecting guest login for username.Explanation A user has tried to authenticate to an NT domain that was configured for guest account access and the username is not a valid username on the NT server. The connection is denied.
Recommended Action If the user is a valid user, add an account to the NT server. If the user is not allowed access, no action is required.
109032
Error Message %ASA-3-109032: Unable to install ACL access_list, downloaded for user username; Error in ACE: ace.Explanation The ASA received an access control list from a RADIUS server to apply to a user connection, but an entry in the list contains a syntax error. Th euse of a list containing an error could result in the violation of a security policy, so the ASA failed to authenticate the user.
•
•
•
Recommended Action Correct the access list definition in the RADIUS server configuration.
109033
Error Message %ASA-4-109033: Authentication failed for admin user user from src_IP. Interactive challenge processing is not supported for protocol connectionsExplanation AAA challenge processing was triggered during authentication of an administrative connection, but the ASA cannot initiate interactive challenge processing with the client application. When this occurs, the authentication attempt will be rejected and the connection denied.
•
•
•
Recommended Action Reconfigure AAA so that challenge processing does not occur for these connection types. This generally means to avoid authenticating these connection types to RSA SecurID servers or to any token-based AAA server via RADIUS.
109034
Error Message %ASA-4-109034: Authentication failed for network user user from src_IP/port to dst_IP/port. Interactive challenge processing is not supported for protocol connectionsExplanation AAA challenge processing was triggered during authentication of a network connection, but the ASA cannot initiate interactive challenge processing with the client application. When this occurs, the authentication attempt will be rejected and the connection denied.
•
•
•
•
Recommended Action Reconfigure AAA so that challenge processing does not occur for these connection types. This generally means to avoid authenticating these connection types to RSA SecurID servers or to any token-based AAA server via RADIUS.
109036
Error Message %ASA-6-109036: Exceeded 1000 attribute values for the attribute name attribute for user username.Explanation The LDAP response message contains an attribute that has more than 1000 values.
•
•
Recommended Action None required.
109037
Error Message %ASA-3-109037: Exceeded 5000 attribute values for the attribute name attribute for user username.Explanation The ASA supports multiple values of the same attribute received from a AAA server. If the AAA server sends a response containing more than 5000 values for the same attribute, then the ASA treats this response message as being malformed and rejects the authentication. This condition has only been seen in lab environments using specialized test tools. It is unlikely that the condition would occur in a real-world production network.
•
•
Recommended Action Capture the authentication traffic between the ASA and AAA server using a protocol sniffer (such as WireShark), then forward the trace file to the Cisco TAC for analysis.
109038
Error Message %ASA-3-109038: Attribute internal-attribute-name value string-from-server from AAA server could not be parsed as a type internal-attribute-name string representation of the attribute nameExplanation The AAA subsystem tried to parse an attribute from the AAA server into an internal representation and failed.
•
•
Recommended Action Verify that the attribute is being generated correctly on the AAA server. For additional information, use the debug ldap and debug radius commands.
109039
Error Message %ASA-5-109039: AAA Authentication:Dropping an unsupported IPv6/IP46/IP64 packet from lifc:laddr to fifc:faddrExplanation A packet containing IPv6 addresses or IPv4 addresses translated to IPv6 addresses by NAT requires AAA authentication or authorization. AAA authentication and authorization do not support IPv6 addresses. The packet is dropped.
•
•
•
•
Recommended Action None required.
110002
Error Message %ASA-6-110002: Failed to locate egress interface for protocol from src interface:src IP/src port to dest IP/dest portExplanation .An error occurred when the ASA tried to find the interface through which to send the packet.
•
•
•
•
•
•
Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
110003
Error Message %ASA-6-110003: Routing failed to locate next-hop for protocol from src interface:src IP/src port to dest interface:dest IP/dest portExplanation .An error occurred when the ASA tried to find the next hop on an interface routing table.
•
•
•
•
•
•
Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC. During debugging, use the show asp table routing command to view the routing table details.
111001
Error Message %ASA-5-111001: Begin configuration: IP_address writing to deviceExplanation You have entered the write command to store your configuration on a device (either floppy, flash memory, TFTP, the failover standby unit, or the console terminal). The IP_address indicates whether the login was made at the console port or with a Telnet connection.
Recommended Action None required.
111002
Error Message %ASA-5-111002: Begin configuration: IP_address reading from deviceExplanation You have entered the read command to read your configuration from a device (either floppy disk, flash memory, TFTP, the failover standby unit, or the console terminal). The IP_address indicates whether the login was made at the console port or with a Telnet connection.
Recommended Action None required.
111003
Error Message %ASA-5-111003: IP_address Erase configurationExplanation You have erased the contents of flash memory by entering the write erase command at the console. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.
Recommended Action After erasing the configuration, reconfigure the ASA and save the new configuration. Alternatively, you can restore information from a configuration that was previously saved, either on a floppy disk or on a TFTP server elsewhere on the network.
111004
Error Message %ASA-5-111004: IP_address end configuration: {FAILED|OK}Explanation You have entered the config floppy/memory/ network command or the write floppy/memory/network/standby command. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.
Recommended Action None required if the message ends with OK. If the message indicates a failure, try to fix the problem. For example, if writing to a floppy disk, ensure that the floppy disk is not write protected; if writing to a TFTP server, ensure that the server is up.
111005
Error Message %ASA-5-111005: IP_address end configuration: OKExplanation You have exited the configuration mode. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.
Recommended Action None required.
111007
Error Message %ASA-5-111007: Begin configuration: IP_address reading from device.Explanation You have entered the reload or configure command to read in a configuration. The device text can be floppy, memory, net, standby, or terminal. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.
Recommended Action None required.
111008
Error Message %ASA-5-111008: User user executed the command stringExplanation The user entered any command, with the exception of a show command.
Recommended Action None required.
111009
Error Message %ASA-7-111009:User user executed cmd:stringExplanation The user entered a command that does not modify the configuration. This message appears only for show commands.
Recommended Action None required.
111010
Error Message %ASA-5-111010: User username, running application-name from IP ip addr, executed cmdExplanation A user made a configuration change.
•
•
•
•
Recommended Action None required.
111111
Error Message %ASA-1-111111 error_messageExplanation A system or infrastructure error has occurred.
Recommended Action If the problem persists, contact the Cisco TAC.
112001
Error Message %ASA-2-112001: (string:dec) Clear complete.Explanation A request to clear the module configuration was completed. The source file and line number are identified.
Recommended Action None required.
113001
Error Message %ASA-3-113001: Unable to open AAA session. Session limit [limit] reached.Explanation The AAA operation on an IPsec tunnel or WebVPN connection cannot be performed because of the unavailability of AAA resources. The limit value indicates the maximum number of concurrent AAA transactions.
Recommended Action Reduce the demand for AAA resources, if possible.
113003
Error Message %ASA-6-113003: AAA group policy for user user is being set to policy_name.Explanation The group policy that is associated with the tunnel group is being overridden with a user-specific policy, policy_name. The policy_name is specified using the username command when LOCAL authentication is configured or is returned in the RADIUS CLASS attribute when RADIUS authentication is configured.
Recommended Action None required.
113004
Error Message %ASA-6-113004: AAA user aaa_type Successful: server = server_IP_address, User = userExplanation The AAA operation on an IPsec or WebVPN connection has been completed successfully. The AAA types are authentication, authorization, or accounting. The server_IP_address is the IP address of the relevant AAA server. The user is the user name associated with the connection.
Recommended Action None required.
113005
Error Message %ASA-6-113005: AAA user authentication Rejected: reason = string: server = server_IP_address, User = userExplanation An authentication or authorization request for a user associated with an IPsec or WebVPN connection has been rejected. Details of why the request was rejected are provided in the reason field. The server_IP_address is the IP address of the relevant AAA server. The user is the username associated with the connection. The aaa_operation is either authentication or authorization.
Recommended Action None required.
113006
Error Message %ASA-6-113006: User user locked out on exceeding number successive failed authentication attemptsExplanation A locally configured user is being locked out. This happens when a configured number of consecutive authentication failures have occurred for this user and indicates that all future authentication attempts by this user will be rejected until an administrator unlocks the user using the clear aaa local user lockout command. The user is the user that is now locked, and the number is the consecutive failure threshold configured using the aaa local authentication attempts max-fail command.
Recommended Action Try unlocking the user using the clear_aaa_local_user_lockout command or adjusting the maximum number of consecutive authentication failures that are tolerated.
113007
Error Message %ASA-6-113007: User user unlocked by administratorExplanation A locally configured user that was locked out after exceeding the maximum number of consecutive authentication failures set by using the aaa local authentication attempts max-fail command has been unlocked by the indicated administrator.
Recommended Action None required.
113008
Error Message %ASA-6-113008: AAA transaction status ACCEPT: user = userExplanation The AAA transaction for a user associated with an IPsec or WebVPN connection was completed successfully. The user is the username associated with the connection.
Recommended Action None required.
113009
Error Message %ASA-6-113009: AAA retrieved default group policy policy for user userExplanation The authentication or authorization of an IPsec or WebVPN connection has occurred. The attributes of the group policy that were specified with the tunnel-group or webvpn commands have been retrieved.
Recommended Action None required.
113010
Error Message %ASA-6-113010: AAA challenge received for user user from server server_IP_addressExplanation The authentication of an IPsec connection has occurred with a SecurID server. The user will be prompted to provide further information before being authenticated.
•
•
Recommended Action None required.
113011
Error Message %ASA-6-113011: AAA retrieved user specific group policy policy for user userExplanation The authentication or authorization of an IPsec or WebVPN connection has occurred. The attributes of the group policy that was specified with the tunnel-group or webvpn commands have been retrieved.
Recommended Action None required.
113012
Error Message %ASA-6-113012: AAA user authentication Successful: local database: user = userExplanation The user associated with a IPsec or WebVPN connection has been successfully authenticated to the local user database.
•
Recommended Action None required.
113013
Error Message %ASA-6-113013: AAA unable to complete the request Error: reason = reason: user = userExplanation The AAA transaction for a user associated with an IPsec or WebVPN connection has failed because of an error or has been rejected because of a policy violation.
•
•
Recommended Action None required.
113014
Error Message %ASA-6-113014: AAA authentication server not accessible: server = server_IP_address: user = userExplanation The device was unable to communicate with the configured AAA server during the AAA transaction associated with an IPsec or WebVPN connection. This may or may not result in a failure of the user connection attempt depending on the backup servers configured in the aaa-server group and the availability of those servers.
Recommended Action Verify connectivity with the configured AAA servers.
113015
Error Message %ASA-6-113015: AAA user authentication Rejected: reason = reason: local database: user = userExplanation A request for authentication to the local user database for a user associated with an IPsec or WebVPN connection has been rejected.
•
•
Recommended Action None required.
113016
Error Message %ASA-6-113016: AAA credentials rejected: reason = reason: server = server_IP_address: user = userExplanation The AAA transaction for a user associated with an IPsec or WebVPN connection has failed because of an error or rejected due to a policy violation.
•
•
•
Recommended Action None required.
113017
Error Message %ASA-6-113017: AAA credentials rejected: reason = reason: local database: user = userExplanation The AAA transaction for a user associated with an IPsec or WebVPN connection has failed because of an error or rejected because of a policy violation. This event only appears when the AAA transaction is with the local user database rather than with an external AAA server.
•
•
Recommended Action None required.
113018
Error Message %ASA-3-113018: User: user, Unsupported downloaded ACL Entry: ACL_entry, Action: actionExplanation An ACL entry in unsupported format was downloaded from the authentication server. The following list describes the message values:
•
•
•
Recommended Action The ACL entry on the authentication server has to be changed by the administrator to conform to the supported ACL entry formats.
113019
Error Message %ASA-4-113019: Group = group, Username = username, IP = peer_address, Session disconnected. Session Type: type, Duration: duration, Bytes xmt: count, Bytes rcv: count, Reason: reasonExplanation An indication of when and why the longest idle user is disconnected.
•
•
•
•
•
•
•
•
User Requested
Lost Carrier
Lost Service
Idle Timeout
Max time exceeded
Administrator Reset
Administrator Reboot
Administrator Shutdown
Port Error
NAS Error
NAS Request
NAS Reboot
Port unneeded
Connection preempted. Indicates that the allowed number of simultaneous (same user) logins has been exceeded. To resolve this problem, increase the number of simultaneous logins or have users only log in once with a given username and password.
Port Suspended
Service Unavailable
Callback
User error
Host Requested
SA Expired
IKE Delete
Bandwidth Management Error
Certificate Expired
Phase 2 Mismatch
Firewall Mismatch
Peer Address Changed
ACL Parse Error
Phase 2 Error
Configuration Error
Peer Reconnected
Internal Error
Crypto map policy not found
L2TP initiated
VLAN Mapping Error
NAC-Policy Error
Dynamic Access Policy terminate
Client type not supported
Unknown
Recommended Action Unless the reason indicates a problem, then no action is required.
113020
Error Message %ASA-3-113020: Kerberos error: Clock skew with server ip_address greater than 300 secondsExplanation Authentication for an IPsec or WebVPN user through a Kerberos server has failed because the clocks on the ASA and the server are more than five minutes (300 seconds) apart. When this occurs, the connection attempt is rejected.
•
Recommended Action Synchronize the clocks on the ASA and the Kerberos server.
113021
Error Message %ASA-3-113021: Attempted console login failed. User username did NOT have appropriate Admin Rights.Explanation A user has tried to access the management console and was denied.
•
Recommended Action If the user is a newly added admin rights user, check that the service type (LOCAL or RADIUS authentication server) for that user is set to allow access:
•
•
Otherwise, the user is inappropriately trying to access the management console; the action to be taken should be consistent with company policy for these matters.
113022
Error Message %ASA-2-113022: AAA Marking RADIUS server servername in aaa-server group AAA-Using-DNS as FAILEDExplanation The ASA has tried an authentication, authorization, or accounting request to the AAA server and did not receive a response within the configured timeout window. The AAA server will be marked as failed and has been removed from service.
•
- RADIUS
- TACACS+
- NT
- RSA SecurID
- Kerberos
- LDAP
•
•
Recommended Action Verify that the AAA server is online and is accessible from the ASA.
113023
Error Message %ASA-2-113023: AAA Marking protocol server ip-addr in server group tag as ACTIVEExplanation The ASA has reactivated the AAA server that was previously marked as failed. The AAA server is now available to service AAA requests.
•
- RADIUS
- TACACS+
- NT
- RSA SecurID
- Kerberos
- LDAP
•
•
Recommended Action None required.
113024
Error Message %ASA-5-113024: Group tg: Authenticating type connection from ip with username, user_name, from client certificateExplanation The prefill username feature overrides the username with one derived from the client certificate for use in AAA.
•
•
•
•
Recommended Action None required.
113025
Error Message %ASA-5-113025: Group tg: fields Could not authenticate connection type connection from ipExplanation A username cannot be successfully extracted from the certificate.
•
•
•
•
Recommended Action The administrator should check that the authentication aaa certificate, ssl certificate-authentication, and authorization-dn-attributes keywords have been set correctly.
113026
Error Message %ASA-4-113026: Error error while executing Lua script for group tunnel groupExplanation An error occurred while extracting a username from the client certificate for use in AAA. This message is only generated when the username-from-certificate use-script option is enabled.
•
•
Recommended Action Examine the script being used by the username-from-certificate use-script option for errors.
113027
Error Message %ASA-2-113027: Error activating tunnel-group scriptsExplanation The script file cannot be loaded successfully. No tunnel groups using the username-from-certificate use-script option work correctly.
Recommended Action The administrator should check the script file for errors using ASDM. Use the debug aaa command to obtain a more detailed error message that may be useful.
113028
Error Message %ASA-7-113028: Extraction of username from VPN client certificate has string. [Request num]Explanation The processing request of a username from a certificate is running or has finished.
•
•
- been requested
- started
- finished with error
- finished successfully
- completed
Recommended Action None required.
113029
Error Message %ASA-4-113029: Group group User user IP ipaddr Session could not be established: session limit of num reachedExplanation The user session cannot be established because the current number of sessions exceeds the maximum session load.
Recommended Action Increase the configured limit, if possible, to create a load-balanced cluster.
113030
Error Message %ASA-4-113030: Group group User user IP ipaddr User ACL acl from AAA doesn't exist on the device, terminating connection.Explanation The specified ACL was not found on the ASA.
•
•
•
•
Recommended Action Modify the configuration to add the specified ACL or to correct the ACL name.
113031
Error Message %ASA-4-113031: Group group User user IP ipaddr AnyConnect vpn-filter filter is an IPv6 ACL; ACL not applied.Explanation The type of ACL to be applied is incorrect. An IPv6 ACL has been configured as an IPv4 ACL through the vpn-filter command.
•
•
•
•
Recommended Action Validate the VPN filter and IPv6 VPN filter configurations on the ASA, and the filter parameters on the AAA (RADIUS) server. Make sure that the correct type of ACL is specified.
113032
Error Message %ASA-4-113032: Group group User user IP ipaddr AnyConnect ipv6-vpn-filter filter is an IPv4 ACL; ACL not applied.Explanation The type of ACL to be applied is incorrect. An IPv4 ACL has been configured as an IPv6 ACL through the ipv6-vpn-filter command.
•
•
•
•
Recommended Action Validate the VPN filter and IPv6 VPN filter configurations on the ASA and the filter parameters on the AAA (RADIUS) server. Make sure that the correct type of ACL is specified.
113033
Error Message %ASA-6-113033: Group group User user IP ipaddr AnyConnect session not allowed. ACL parse error.Explanation The WebVPN session for the specified user in this group is not allowed because the associated ACL did not parse. The user will not be allowed to log in via WebVPN until this error has been corrected.
•
•
•
Recommended Action Correct the WebVPN ACL.
113034
Error Message %ASA-4-113034: Group group User user IP ipaddr User ACL acl from AAA ignored, AV-PAIR ACL used instead.Explanation The specified ACL was not used because a Cisco AV-PAIR ACL was used.
•
•
•
•
Recommended Action Determine the correct ACL to use and correct the configuration.
113035
Error Message %ASA-4-113035: Group group User user IP ipaddr Session terminated: AnyConnect not enabled or invalid AnyConnect image on the ASA.Explanation The user logged in via the AnyConnect client. The SVC service is not enabled globally, or the SVC image is invalid or corrupted. The session connection has been terminated.
•
•
•
Recommended Action Enable the SVC globally using the svc-enable command. Validate the integrity and versions of the SVC images by reloading new images using the svc image command.
113036
Error Message %ASA-4-113036: Group group User user IP ipaddr AAA parameter name value invalid.Explanation The given parameter has a bad value. The value is not shown because it might be very long.
•
•
•
•
Recommended Action Modify the configuration to correct the indicated parameter.
113037
Error Message %ASA-6-113037: Reboot pending, new sessions disabled. Denied user login.Explanation A user was unable to log in to WebVPN because the ASA is in the process of rebooting.
Recommended Action None required.
113038
Error Message %ASA-4-113038: Group group User user IP ipaddr Unable to create AnyConnect parent session.Explanation The AnyConnect session was not created for the user in the specified group because of resource issues. For example, the user may have reached the maximum login limit.
•
•
•
Recommended Action None required.
113039
Error Message %ASA-6-113039: Group group User user IP ipaddr AnyConnect parent session started.Explanation The AnyConnect session has started for the user in this group at the specified IP address. When the user logs in via the AnyConnect login page, the AnyConnect session starts.
•
•
•
Recommended Action None required.
113040
Error Message %ASA-4-113040: Terminating the VPN connection attempt from attempted group. Reason: This connection is group locked to locked group.Explanation The tunnel group over which the connection is attempted is not the same as the tunnel group set in the group lock.
•
•
Recommended Action Check the group-lock value in the group policy or the user attributes.
114001
Error Message %ASA-1-114001: Failed to initialize 4GE SSM I/O card (error error_string).Explanation The system failed to initialize a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114002
Error Message %ASA-1-114002: Failed to initialize SFP in 4GE SSM I/O card (error error_string).Explanation The system failed to initialize an SFP connector in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114003
Error Message %ASA-1-114003: Failed to run cached commands in 4GE SSM I/O card (error error_string).Explanation The system failed to run cached commands in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114004
Error Message %ASA-6-114004: 4GE SSM I/O Initialization start.Explanation he user has been notified that a 4GE SSM I/O initialization is starting.
•
Recommended Action None required.
114005
Error Message %ASA-6-114005: 4GE SSM I/O Initialization end.Explanation The user has been notified that an 4GE SSM I/O initialization is finished.
•
Recommended Action None required.
114006
Error Message %ASA-3-114006: Failed to get port statistics in 4GE SSM I/O card (error error_string).Explanation The ASA failed to obtain port statistics in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114007
Error Message %ASA-3-114007: Failed to get current msr in 4GE SSM I/O card (error error_string).Explanation The ASA failed to obtain the current module status register information in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114008
Error Message %ASA-3-114008: Failed to enable port after link is up in 4GE SSM I/O card due to either I2C serial bus access error or switch access error.Explanation The ASA failed to enable a port after the link transition to Up state is detected in a 4GE SSM I/O card because of either an I2C serial bus access error or a switch access error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114009
Error Message %ASA-3-114009: Failed to set multicast address in 4GE SSM I/O card (error error_string).Explanation The ASA failed to set the multicast address in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114010
Error Message %ASA-3-114010: Failed to set multicast hardware address in 4GE SSM I/O card (error error_string).Explanation The ASA failed to set the multicast hardware address in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114011
Error Message %ASA-3-114011: Failed to delete multicast address in 4GE SSM I/O card (error error_string).Explanation The ASA failed to delete the multicast address in a 4GE SSM I/O card because of either an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114012
Error Message %ASA-3-114012: Failed to delete multicast hardware address in 4GE SSM I/O card (error error_string).Explanation The ASA failed to delete the multicast hardware address in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114013
Error Message %ASA-3-114013: Failed to set mac address table in 4GE SSM I/O card (error error_string).Explanation The ASA failed to set the MAC address table in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114014
Error Message %ASA-3-114014: Failed to set mac address in 4GE SSM I/O card (error error_string).Explanation The ASA failed to set the MAC address in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114015
Error Message %ASA-3-114015: Failed to set mode in 4GE SSM I/O card (error error_string).Explanation The ASA failed to set individual or promiscuous mode in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114016
Error Message %ASA-3-114016: Failed to set multicast mode in 4GE SSM I/O card (error error_string).Explanation The ASA failed to set the multicast mode in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114017
Error Message %ASA-3-114017: Failed to get link status in 4GE SSM I/O card (error error_string).Explanation The ASA failed to obtain link status in a 4GE SSM I/O card because of an I2C serial bus access error or a switch access error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
5.
114018
Error Message %ASA-3-114018: Failed to set port speed in 4GE SSM I/O card (error error_string).Explanation The ASA failed to set the port speed in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114019
Error Message %ASA-3-114019: Failed to set media type in 4GE SSM I/O card (error error_string).Explanation The ASA failed to set the media type in a 4GE SSM I/O card because of an I2C error or a switch initialization error.
•
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114020
Error Message %ASA-3-114020: Port link speed is unknown in 4GE SSM I/O card.Explanation The ASA cannot detect the port link speed in a 4GE SSM I/O card.
Recommended Action Perform the following steps:
1.
2.
3.
4.
114021
Error Message %ASA-3-114021: Failed to set multicast address table in 4GE SSM I/O card due to error.Explanation The ASA failed to set the multicast address table in the 4GE SSM I/O card because of either an I2C serial bus access error or a switch access error.
•
- I2C_BUS_TRANSACTION_ERROR
- I2C_CHKSUM_ERROR
- I2C_TIMEOUT_ERROR
- I2C_BUS_COLLISION_ERROR
- I2C_HOST_BUSY_ERROR
- I2C_UNPOPULATED_ERROR
- I2C_SMBUS_UNSUPPORT
- I2C_BYTE_COUNT_ERROR
- I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
4.
114022
Error Message %ASA-3-114022: Failed to pass broadcast traffic in 4GE SSM I/O card due to error_stringExplanation The ASA failed to pass broadcast traffic in the 4GE SSM I/O card because of a switch access error.
•
Recommended Action Perform the following steps:
1.
2.
3.
Note
114023
Error Message %ASA-3-114023: Failed to cache/flush mac table in 4GE SSM I/O card due to error_string.Explanation A failure to cache or flush the MAC table in a 4GE SSM I/O card occurred because of an I2C serial bus access error or a switch access error. This message rarely occurs.
•
•
I2C_BUS_TRANSACTION_ERROR
I2C_CHKSUM_ERROR
I2C_TIMEOUT_ERROR
I2C_BUS_COLLISION_ERROR
I2C_HOST_BUSY_ERROR
I2C_UNPOPULATED_ERROR
I2C_SMBUS_UNSUPPORT
I2C_BYTE_COUNT_ERROR
I2C_DATA_PTR_ERROR
Recommended Action Perform the following steps:
1.
2.
3.
Note
115000
Error Message %ASA-2-115000: Critical assertion in process: process name fiber: fiber name, component: component name, subcomponent: subcomponent name, file: filename, line: line number, cond: conditionExplanation The critical assertion has gone off and is used during development in checked builds only, but never in production builds.
•
•
•
•
•
•
•
Recommended Action A high priority defect should be filed, the reason for the assertion should be investigated, and the problem corrected.
115001
Error Message %ASA-3-115001: Error in process: process name fiber: fiber name, component: component name, subcomponent: subcomponent name, file: filename, line: line number, cond: conditionExplanation An error assertion has gone off and is used during development in checked builds only, but never in production builds.
•
•
•
•
•
•
•
Recommended Action A defect should be filed, the reason for the assertion should be investigated, and the problem fixed.
115002
Error Message %ASA-4-115002: Warning in process: process name fiber: fiber name, component: component name, subcomponent: subcomponent name, file: filename, line: line number, cond: conditionExplanation A warning assertion has gone off and is used during development in checked builds only, but never in production builds.
•
•
•
•
•
•
•
Recommended Action The reason for the assertion should be investigated and if a problem is found, a defect should be filed, and the problem corrected.
120001
Error Message %ASA-5-120001: Smart Call-Home Module is started.Explanation The Smart Call-Home module started successfully after system bootup and failover in a stable state, and is ready to process Smart-Call Home events.
Recommended Action None required.
120002
Error Message %ASA-5-120002: Smart Call-Home Module is terminated.Explanation When the Smart Call-Home module is disabled, it is then terminated.
Recommended Action None required.
120003
Error Message %ASA-6-120003: Process event group titleExplanation The Smart Call-Home module retrieved an event from the queue to process.
•
•
Recommended Action None required.
120004
Error Message %ASA-4-120004: Event group title is dropped. Reason reasonExplanation A Smart Call-Home event was dropped. The event may have been dropped because of an internal error, the event queue is full, or the Smart Call-Home module was disabled after the message was generated, but before it was processed.
•
•
•
Internal Error—Various internal system errors occurred, such as being out of memory or parsing a CLI failed.
Queue Full—The number of events reached the configured limit.
Cancelled—The event was cancelled because the Smart Call-Home module is disabled.
Recommended Action If the drop reason is Queue Full, try to increase the event queue size and the rate-limit configuration to avoid event queue buildup. If the drop reason is Internal Error, turn on debugging by entering the debug sch fail command to obtain more detailed debugging information.
120005
Error Message %ASA-4-120005: Message group to destination is dropped. Reason reasonExplanation A Smart Call-Home message was dropped. The message may have been dropped because of an internal error, a network error, or the Smart Call-Home module was disabled after the message was generated, but before it was delivered.
•
•
•
Internal Error—Various internal system errors occurred.
Delivery Failed—The packets cannot be delivered because a network error occurred.
Cancelled—The event was cancelled because the Smart Call-Home module is disabled.
Recommended Action If the drop reason is Delivery Failed, the message is dropped after three unsuccessful retransmissions, or because the error is local (such as no route to destination). Search message 120006 for the delivery failure reason, or turn on debugging by entering the debug sch fail command to obtain more detailed debugging information.
120006
Error Message %ASA-4-120006: Delivering message group to destination failed. Reason reasonExplanation An error occurred while the Smart Call Home module tried to deliver a message. The error may be transient. The message is not dropped when message 120006 is generated. The message may be queued for retransmission. The message is only dropped when message 120005 is generated.
•
•
•
Recommended Action Check the error reason in the message. If the reason is NO_ROUTE, INVALID_ADDRESS, or INVALID_URL, check the system configuration, DNS, and the name setting.
120007
Error Message %ASA-6-120007: Message group to destination delivered.Explanation A Smart Call Home message was successfully delivered.
•
•
Recommended Action None required.
120008
Error Message %ASA-5-120008: SCH client client is activated.Explanation The Smart Call Home module is enabled, an event group is also enabled, and that event group is subscribed to by at least one active profile. If these conditions are met, then all clients of that group will be activated.
•
Recommended Action None required.
120009
Error Message %ASA-5-120009: SCH client client is deactivated.Explanation The Smart Call Home module is disabled, an event group is enabled, or an event group is no longer subscribed to by any active profile. If these conditions are met, clients of that event group will be deactivated.
•
Recommended Action None required.
120010
Error Message %ASA-3-120010: Notify command command to SCH client client failed. Reason reason.Explanation The Smart Call Home module notified Smart Call Home clients of certain events through the callback function. If the client does not interpret the command correctly, does not understand the command, or cannot process the command, an error will be returned.
•
•
•
Recommended Action Turn on debugging by entering the debug sch fail command to obtain more detailed debugging information.
120012
Error Message %ASA-5-120012: User username chose to choice call-home anonymous reporting at the prompt.Explanation The administrator was notified that a user has responded to the Smart Call Home prompt to enable, disable, or postpone anonymous reporting.
•
•
Recommended Action To enable anonymous reporting in the future, enter the call-home reporting anonymous command. To disable anonymous reporting, enter the no call-home reporting anonymous command.
199001
Error Message %ASA-5-199001: Reload command executed from Telnet (remote IP_address).Explanation The address of the host that is initiating an ASA reboot with the reload command has been recorded.
Recommended Action None required.
199002
Error Message %ASA-6-199002: startup completed. Beginning operation.Explanation The ASA finished its initial boot and the flash memory reading sequence, and is ready to begin operating normally.
Note
Recommended Action None required.
199003
Error Message %ASA-6-199003: Reducing link MTU dec.Explanation The ASA received a packet from the outside network that uses a larger MTU than the inside network. The ASA then sent an ICMP message to the outside host to negotiate an appropriate MTU. The log message includes the sequence number of the ICMP message.
Recommended Action None required.
199005
Error Message %ASA-6-199005: Startup beginExplanation The ASA started.
Recommended Action None required.
199010
Error Message %ASA-1-199010: Signal 11 caught in process/fiber(rtcli async executor process)/(rtcli async executor) at address 0xf132e03b, corrective action at 0xca1961a0Explanation The system has recovered from a serious error.
Recommended Action Contact the Cisco TAC.
199011
Error Message %ASA-2-199011: Close on bad channel in process/fiber process/fiber, channel ID p, channel state s process/fiber name of the process/fiber that caused the bad channel close operation.Explanation An unexpected channel close condition has been detected.
•
•
•
Recommended Action Contact the Cisco TAC and attach a log file.
199012
Error Message %ASA-1-1199012: Stack smash during new_stack_call in process/fiber process/fiber, call target f, stack size s, process/fiber name of the process/fiber that caused the stack smashExplanation A stack smash condition has been detected.
•
•
•
Recommended Action Contact the Cisco TAC and attach a log file.
199013
Error Message %ASA-1-199013: syslogExplanation A variable syslog was generated by an assistive process.
•
Recommended Action Contact the Cisco TAC.
199014
Error Message %ASA-2-199014: syslogExplanation A variable syslog was generated by an assistive process.
•
Recommended Action Contact the Cisco TAC.
199015
Error Message %ASA-3-199015: syslogExplanation A variable syslog was generated by an assistive process.
•
Recommended Action Contact the Cisco TAC.
199016
Error Message %ASA-4-199016: syslogExplanation A variable syslog was generated by an assistive process.
•
Recommended Action Contact the Cisco TAC.
199017
Error Message %ASA-5-199017: syslogExplanation A variable syslog was generated by an assistive process.
•
Recommended Action None required.
199018
Error Message %ASA-6-199018: syslogExplanation A variable syslog was generated by an assistive process.
•
Recommended Action None required.
199019
Error Message %ASA-7-199019: syslogExplanation A variable syslog was generated by an assistive process.
•
Recommended Action None required.
199020
Error Message %ASA-2-199020: System memory utilization has reached X%. System will reload if memory usage reaches the configured trigger level of Y%.Explanation The system memory utilization has reached 80% of the system memory watchdog facility's configured value.
Recommended Action Reduce system memory utilization by reducing traffic load, removing traffic inspections, reducing the number of ACL entries, and so on. If a memory leak is suspected, contact Cisco TAC.
199021
Error Message %ASA-1-199021: System memory utilization has reached the configured watchdog trigger level of Y%. System will now reloadExplanation .The system memory utilization has reached 100% of the system memory watchdog facility's configured value. The system will automatically reload.
Recommended Action Reduce system memory utilization by reducing traffic load, removing traffic inspections, reducing the number of ACL entries, and so on. If a memory leak is suspected, contact Cisco TAC.
Messages 201002 to 219002
This section includes messages from 201002 to 219002.
201002
Error Message %ASA-3-201002: Too many TCP connections on {static|xlate} global_address! econns nconnsExplanation The maximum number of TCP connections to the specified global address was exceeded.
•
•
Recommended Action Use the show static or show nat command to check the limit imposed on connections to a static address. The limit is configurable.
201003
Error Message %ASA-2-201003: Embryonic limit exceeded nconns/elimit for outside_address/outside_port (global_address) inside_address/inside_port on interface interface_nameExplanation The number of embryonic connections from the specified foreign address with the specified static global address to the specified local address exceeds the embryonic limit. When the limit on embryonic connections to the ASA is reached, the ASA attempts to accept them anyway, but puts a time limit on the connections. This situation allows some connections to succeed even if the ASA is very busy. This message indicates a more serious overload than message 201002, which can be caused by a SYN attack, or by a very heavy load of legitimate traffic.
•
•
Recommended Action Use the show static command to check the limit imposed on embryonic connections to a static address.
201004
Error Message %ASA-3-201004: Too many UDP connections on {static|xlate} global_address!udp connections limitExplanation The maximum number of UDP connections to the specified global address was exceeded.
•
Recommended Action Use the show static or show nat command to check the limit imposed on connections to a static address. You can configure the limit.
201005
Error Message %ASA-3-201005: FTP data connection failed for IP_address IP_addressExplanation The ASA cannot allocate a structure to track the data connection for FTP because of insufficient memory.
Recommended Action Reduce the amount of memory usage or purchase additional memory.
201006
Error Message %ASA-3-201006: RCMD backconnection failed for IP_address/port.Explanation The ASA cannot preallocate connections for inbound standard output for rsh commands because of insufficient memory.
Recommended Action Check the rsh client version; the ASA only supports the Berkeley rsh client version. You can also reduce the amount of memory usage, or purchase additional memory.
201008
Error Message %ASA-3-201008: Disallowing new connections.Explanation You have enabled TCP system log messaging and the syslog server cannot be reached, or when using the ASA syslog server (PFSS) and the disk on the Windows NT system is full, or when the auto-update timeout is configured and the auto-update server is not reachable.
Recommended Action Disable TCP syslog messaging. If using PFSS, free up space on the Windows NT system where PFSS resides. Also, make sure that the syslog server is up and you can ping the host from the ASA console. Then restart TCP system message logging to allow traffic. If the Auto Update Server has not been contacted for a certain period of time, enter the [no] auto-update timeout period command to have it stop sending packets.
201009
Error Message %ASA-3-201009: TCP connection limit of number for host IP_address on interface_name exceededExplanation The maximum number of connections to the specified static address was exceeded.
•
•
•
Recommended Action Use the show static and show nat commands to check the limit imposed on connections to an address. The limit is configurable.
201010
Error Message %ASA-3-201010: Embryonic connection limit exceeded econns/limit for dir packet from source_address/source_port to dest_address/dest_port on interface interface_nameExplanation An attempt to establish a TCP connection failed because of an exceeded embryonic connection limit, which was configured with the set connection embryonic-conn-max MPC command for a traffic class.
•
•
•
•
•
•
Recommended Action None required.
201011
Error Message %ASA-3-201011: Connection limit exceeded cnt/limit for dir packet from sip/sport to dip/dport on interface if_name.Explanation A new connection through the ASA resulted in exceeding at least one of the configured maximum connection limits. This message applies both to connection limits configured using a static command, or to those configured using Cisco Modular Policy Framework. The new connection will not be allowed through the ASA until one of the existing connections is torn down, which brings the current connection count below the configured maximum.
•
•
•
•
•
•
•
•
Recommended Action None required.
201012
Error Message %ASA-6-201012: Per-client embryonic connection limit exceeded curr num/limit for [input|output] packet from IP_address/ port to ip/port on interface interface_nameExplanation An attempt to establish a TCP connection failed because the per-client embryonic connection limit was exceeded. By default, this message is rate limited to 1 message every 10 seconds.
•
•
•
•
•
•
Recommended Action When the limit is reached, any new connection request will be proxied by the ASA to prevent a SYN flood attack. The ASA will only connect to the server if the client is able to finish the three-way handshake. This usually does not affect the end user or the application. However, if this creates a problem for any application that has a legitimate need for a higher number of embryonic connections, you can adjust the setting by entering the set connection per-client-embryonic-max command.
201013
Error Message %ASA-3-201013: Per-client connection limit exceeded curr num/limit for [input|output] packet from ip/port to ip/port on interface interface_nameExplanation A connection was rejected because the per-client connection limit was exceeded.
•
•
•
•
•
•
Recommended Action When the limit is reached, any new connection request will be silently dropped. Normally an application will retry the connection, which will cause a delay or even a timeout if all retries also fail. If an application has a legitimate need for a higher number of concurrent connections, you can adjust the setting by entering the set connection per-client-max command.
202001
Error Message %ASA-3-202001: Out of address translation slots!Explanation The ASA has no more address translation slots available.
Recommended Action Check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translates and connections. This error message can also be caused by insufficient memory; reduce the amount of memory usage, or purchase additional memory, if possible.
202005
Error Message %ASA-3-202005: Non-embryonic in embryonic list outside_address/outside_port inside_address/inside_portExplanation A connection object (xlate) is in the wrong list.
Recommended Action Contact the Cisco TAC.
202010
Error Message %ASA-3-202010: [NAT | PAT] pool exhausted for pool-name, port range [1-511 | 512-1023 | 1024-65535]. Unable to create protocol connection from in-interface:src-ip/src-port to out-interface:dst-ip/dst-port•
•
•
•
•
•
•
•
Explanation The ASA has no more address translation pools available.
Recommended Action Use the show nat pool and show nat detail commands to determine why all addresses and ports in the pool are used up. If this occurs under normal conditions, then add additional IP addresses to the NAT/PAT pool.
202011
Error Message %ASA-3-202011: Connection limit exceeded econns/limit for dir packet from source_address/source_port to dest_address/dest_port on interface interface_nameExplanation An attempt to create a TCP or UDP connection failed because of an exceeded connection limit, which is configured with the set connection conn-max MPC command for a traffic class.
•
•
•
•
•
•
Recommended Action None required.
208005
Error Message %ASA-3-208005: (function:line_num) clear command return codeExplanation The ASA received a nonzero value (an internal error) when attempting to clear the configuration in flash memory. The message includes the reporting subroutine filename and line number.
Recommended Action For performance reasons, the end host should be configured not to inject IP fragments. This configuration change is probably because of NFS. Set the read and write size equal to the interface MTU for NFS.
209003
Error Message %ASA-4-209003: Fragment database limit of number exceeded: src = source_address, dest = dest_address, proto = protocol, id = numberExplanation Too many IP fragments are currently awaiting reassembly. By default, the maximum number of fragments is 200 (to raise the maximum, see the fragment size command in the command reference). The ASA limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the ASA under abnormal network conditions. In general, fragmented traffic should be a small percentage of the total traffic mix. An exception is in a network environment with NFS over UDP where a large percentage is fragmented traffic; if this type of traffic is relayed through the ASA, consider using NFS over TCP instead. To prevent fragmentation, see the sysopt connection tcpmss bytes command in the command reference.
Recommended Action If this message persists, a denial of service (DoS) attack might be in progress. Contact the remote peer administrator or upstream provider.
209004
Error Message %ASA-4-209004: Invalid IP fragment, size = bytes exceeds maximum size = bytes: src = source_address, dest = dest_address, proto = protocol, id = numberExplanation An IP fragment is malformed. The total size of the reassembled IP packet exceeds the maximum possible size of 65,535 bytes.
Recommended Action A possible intrusion event may be in progress. If this message persists, contact the remote peer administrator or upstream provider.
209005
Error Message %ASA-4-209005: Discard IP fragment set with more than number elements: src = Too many elements are in a fragment set.Explanation The ASA disallows any IP packet that is fragmented into more than 24 fragments. For more information, see the fragment command in the command reference.
Recommended Action A possible intrusion event may be in progress. If the message persists, contact the remote peer administrator or upstream provider. You can change the number of fragments per packet by using the fragment chain xxx interface_name command.
210001
Error Message %ASA-3-210001: LU sw_module_name error = numberExplanation A Stateful Failover error occurred.
Recommended Action If this error persists after traffic lessens through the ASA, report this error to the Cisco TAC.
210002
Error Message %ASA-3-210002: LU allocate block (bytes) failed.Explanation Stateful Failover cannot allocate a block of memory to transmit stateful information to the standby ASA.
Recommended Action Check the failover interface using the show interface command to make sure its transmit is normal. Also check the current block memory using the show block command. If current available count is 0 within any of the blocks of memory, then reload the ASA software to recover the lost blocks of memory.
210003
Error Message %ASA-3-210003: Unknown LU Object numberExplanation Stateful Failover received an unsupported Logical Update object and was unable to process it. This can be caused by corrupted memory, LAN transmissions, and other events.
Recommended Action If you see this error infrequently, then no action is required. If this error occurs frequently, check the Stateful Failover link LAN connection. If the error was not caused by a faulty failover link LAN connection, determine if an external user is trying to compromise the protected network. Also check for misconfigured clients.
210005
Error Message %ASA-3-210005: LU allocate connection failedExplanation Stateful Failover cannot allocate a new connection on the standby unit. This may be caused by little or no RAM memory available within the ASA.
Recommended Action Check the available memory using the show memory command to make sure that the ASA has free memory. If there is no available memory, add more physical memory to the ASA.
210006
Error Message %ASA-3-210006: LU look NAT for IP_address failedExplanation Stateful Failover was unable to locate a NAT group for the IP address on the standby unit. The active and standby ASAs may be out-of-sync with each other.
Recommended Action Use the write standby command on the active unit to synchronize system memory with the standby unit.
210007
Error Message %ASA-3-210007: LU allocate xlate failedExplanation Stateful Failover failed to allocate a translation slot record.
Recommended Action Check the available memory by using the show memory command to make sure that the ASA has free memory available. If no memory is available, add more memory.
210008
Error Message %ASA-3-210008: LU no xlate for inside_address/inside_port outside_address/outside_portExplanation The ASA cannot find a translation slot record for a Stateful Failover connection; as a result, the ASA cannot process the connection information.
Recommended Action Use the write standby command on the active unit to synchronize system memory between the active and standby units.
210010
Error Message %ASA-3-210010: LU make UDP connection for outside_address:outside_port inside_address:inside_port failedExplanation Stateful Failover was unable to allocate a new record for a UDP connection.
Recommended Action Check the available memory by using the show memory command to make sure that the ASA has free memory available. If no memory is available, add more memory.
210011
Error Message %ASA-3-210011: Connection limit exceeded cnt/limit for dir packet from sip/sport to dip/dport on interface if_name.Explanation Establishing a new connection through the ASA has resulted in exceeding at least one of the configured maximum connection limits. The message applies both for connection limits configured using a static command, or to those configured using Cisco Modular Policy Framework. The new connection will not be allowed through the ASA until one of the existing connections is torn down, which brings the current connection count below the configured maximum. Because connection limits are configured for a good reason, this message may indicate a possible DOS attack, in which case the source of the traffic may be a spoofed IP address.
•
•
•
•
•
•
•
•
Recommended Action If the source IP address is not totally random, identifying the source and blocking it using an access list might help. In other cases, getting sniffer traces and analyzing the source of the traffic helps to isolate unwanted traffic from legitimate traffic.
210020
Error Message %ASA-3-210020: LU PAT port port reserve failedExplanation Stateful Failover is unable to allocate a specific PAT address that is in use.
Recommended Action Use the write standby command on the active unit to synchronize system memory between the active and standby units.
210021
Error Message %ASA-3-210021: LU create static xlate global_address ifc interface_name failedExplanation Stateful Failover is unable to create a translation slot.
Recommended Action Enter the write standby command on the active unit to synchronize system memory between the active and standby units.
210022
Error Message %ASA-6-210022: LU missed number updatesExplanation Stateful Failover assigns a sequence number for each record sent to the standby unit. When a received record sequence number is out of sequence with the last updated record, the information in between is assumed to be lost, and this error message is sent as a result.
Recommended Action Unless LAN interruptions occur, check the available memory on both ASA units to ensure that enough memory is available to process the stateful information. Use the show failover command to monitor the quality of stateful information updates.
211001
Error Message %ASA-3-211001: Memory allocation ErrorExplanation The ASA failed to allocate RAM system memory.
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact the Cisco TAC.
211003
Error Message %ASA-3-211003: Error in computed percentage CPU usage valueExplanation The percentage of CPU usage is greater than 100 percent.
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact the Cisco TAC.
211004
Error Message %ASA-1-211004: WARNING: Minimum Memory Requirement for ASA version ver not met for ASA image. min MB required, actual MB found.Explanation The ASA does not meet the minimum memory requirements for this version. A memory upgrade is required. If a memory upgrade is not immediately available, then downgrade the ASA to Version 8.2(1) or lower. Continuing to run an 8.3 image without meeting the minimum memory requirements is not supported and may result in critical system failures.
•
•
ASA5505-MEM-512=
ASA5510-MEM-1GB=
ASA5520-MEM-2GB=
ASA5540-MEM-2GB=
•
Recommended Action Install the required amount of RAM. Use the memory upgrade PID numbers to order the required amount of RAM.
212001
Error Message %ASA-3-212001: Unable to open SNMP channel (UDP port port) on interface interface_number, error code = codeExplanation The ASA is unable to receive SNMP requests destined for the ASA from SNMP management stations located on this interface. The SNMP traffic passing through the ASA on any interface is not affected. The error codes are as follows:
•
•
Recommended Action After the ASA reclaims some of its resources when traffic is lighter, reenter the snmp-server host command for that interface.
212002
Error Message %ASA-3-212002: Unable to open SNMP trap channel (UDP port port) on interface interface_number, error code = codeExplanation The ASA is unable to send its SNMP traps from the ASA to SNMP management stations located on this interface. The SNMP traffic passing through the ASA on any interface is not affected. The error codes are as follows:
•
•
•
Recommended Action After the ASA reclaims some of its resources when traffic is lighter, reenter the snmp-server host command for that interface.
212003
Error Message %ASA-3-212003: Unable to receive an SNMP request on interface interface_number, error code = code, will try again.Explanation An internal error occurred in receiving an SNMP request destined for the ASA on the specified interface. The error codes are as follows:
•
•
•
•
•
Recommended Action None required. The ASA SNMP agent goes back to wait for the next SNMP request.
212004
Error Message %ASA-3-212004: Unable to send an SNMP response to IP Address IP_address Port port interface interface_number, error code = codeExplanation An internal error occurred in sending an SNMP response from the ASA to the specified host on the specified interface. The error codes are as follows:
•
•
•
•
•
Recommended Action None required.
212005
Error Message %ASA-3-212005: incoming SNMP request (number bytes) on interface interface_name exceeds data buffer size, discarding this SNMP request.Explanation The length of the incoming SNMP request that is destined for the ASA exceeds the size of the internal data buffer (512 bytes) used for storing the request during internal processing. The ASA is unable to process this request. The SNMP traffic passing through the ASA on any interface is not affected.
Recommended Action Have the SNMP management station resend the request with a shorter length. For example, instead of querying multiple MIB variables in one request, try querying only one MIB variable in a request. You may need to modify the configuration of the SNMP manager software.
212006
Error Message %ASA-3-212006: Dropping SNMP request from src_addr/src_port to ifc:dst_addr/dst_port because: reason usernameExplanation The ASA cannot process the SNMP request being sent to it for the following reasons:
•
•
•
•
•
•
•
Note
Recommended Action Check the ASA SNMP server settings and confirm that the NMS configuration is using the expected user, authentication, and encryption settings. Enter the show crypto accelerator statistics command to isolate errors in the platform crypto module.
212009
Error Message %ASA-5-212009: Configuration request for SNMP group groupname failed. User username, reason.Explanation A user has tried to change the SNMP server group configuration. One or more users that refer to the group have insufficient settings to comply with the requested group changes.
•
•
•
- missing auth-password—A user has tried to add authentication to the group, and the user has not specified an authentication password
- missing priv-password—A user has tried to add privacy to the group, and the user has not specified an encryption password
- reference group intended for removal—A user has tried to remove a group that has users belonging to it
Recommended Action The user must update the indicated user configurations before changing the group or removing indicated users, and then add them again after making changes to the group.
212010
Error Message %ASA-3-212010: Configuration request for SNMP user %s failed. Host %s reason.Explanation A user has tried to change the SNMP server user configuration by removing one or more hosts that reference the user. One message is generated per host.
•
•
- references user intended for removal—The name of the user to be removed from the host.
Recommended Action The user must either update the indicated host configuration before changing a user or remove the indicated hosts, then add them again after making changes to the user.
212011
Error Message %ASA-3-212011: SNMP engineBoots is set to maximum value. Reason: %s User intervention necessary.For example:
%ASA-3-212011: SNMP engineBoots is set to maximum value. Reason: error accessing persistent data. User intervention necessary.Explanation The device has rebooted 214783647 times, which is the maximum allowed value of the engineBoots variable, or an error reading the persistent value from flash memory has occurred. The engineBoots value is stored in flash memory in the flash:/snmp/ctx-name file, where ctx-name is the name of the context. In single mode, the name of this file is flash:/snmp/single_vf. In multi-mode, the name of the file for the admin context is flash:/snmp/admin. During a reboot, if the device is unable to read from the file or write to the file, the engineBoots value is set to the maximum.
•
Recommended Action For the first string, the administrator must delete all SNMP Version 3 users and add them again to reset the engineBoots variable to 1. All subsequent Version 3 queries will fail until all users have been removed. For the second string, the administrator must delete the context-specific file, then delete all SNMP Version users, and add them again to reset the engineBoots variable to 1. All subsequent Version 3 queries will fail until all users have been removed.
212012
Error Message %ASA-3-212012: Unable to write SNMP engine data to persistent storage.Explanation The SNMP engine data is written to the file, flash:/snmp/context-name. For example: in single mode, the data is written to the file, flash:/snmp/single_vf. In the admin context in multi-mode, the file is written to the directory, flash:/snmp/admin. The error may be caused by a failure to create the flash:/snmp directory or the flash:/snmp/context-name file. The error may also be caused by a failure to write to the file.
Recommended Action The system administrator should remove the flash:/snmp/context-name file, then remove all SNMP Version 3 users, and add them again. This procedure should recreate the flash:/snmp/context-name file. If the problem persists, the system administrator should try reformatting the flash.
213001
Error Message %ASA-3-213001: PPTP control daemon socket io string, errno = number.Explanation An internal TCP socket I/O error occurred.
Recommended Action Contact the Cisco TAC.
213002
Error Message %ASA-3-213002: PPTP tunnel hashtable insert failed, peer = IP_address.Explanation An internal software error occurred while creating a new PPTP tunnel.
Recommended Action Contact the Cisco TAC.
213003
Error Message %ASA-3-213003: PPP virtual interface interface_number isn't opened.Explanation An internal software error occurred while closing a PPP virtual interface.
Recommended Action Contact the Cisco TAC.
213004
Error Message %ASA-3-213004: PPP virtual interface interface_number client ip allocation failed.Explanation An internal software error occurred while allocating an IP address to the PPTP client when the IP local address pool was depleted.
Recommended Action Consider allocating a larger pool with the ip local pool command.
213005
Error Message %ASA-3-213005%: Dynamic-Access-Policy action (DAP) action abortedExplanation The DAP is dynamically created by selecting configured access policies based on the authorization rights of the user and the posture assessment results of the remote endpoint device. The resulting dynamic policy indicates that the session should be terminated.
Recommended Action None required.
213006
Error Message %ASA-3-213006%: Unable to read dynamic access policy record.Explanation There was either an error in retrieving the DAP policy record data, or the action configuration was missing.
Recommended Action A configuration change might have resulted in deleting a DAP record. Use ASDM to recreate the DAP record.
214001
Error Message %ASA-2-214001: Terminating manager session from IP_address on interface interface_name. Reason: incoming encrypted data (number bytes) longer than number bytesExplanation An incoming encrypted data packet destined for the ASA management port indicates a packet length exceeding the specified upper limit. This may be a hostile event. The ASA immediately terminates this management connection.
Recommended Action Ensure that the management connection was initiated by Cisco Secure Policy Manager.
215001
Error Message %ASA-2-215001:Bad route_compress() call, sdb = numberExplanation An internal software error occurred.
Recommended Action Contact the Cisco TAC.
217001
Error Message %ASA-2-217001: No memory for string in stringExplanation An operation failed because of low memory.
Recommended Action If sufficient memory exists, then send the error message, the configuration, and any details about the events leading up to the error to the Cisco TAC.
216001
Error Message %ASA-n-216001: internal error in: function: messageExplanation Various internal errors have occurred that should not appear during normal operation. The severity level varies depending on the cause of the message.
•
•
•
Recommended Action Search the Bug Toolkit for the specific text message and try to use the Output Interpreter to resolve the problem. If the problem persists, contact the Cisco TAC.
216002
Error Message ASA-3-216002: Unexpected event (major: major_id, minor: minor_id) received by task_string in function at line: line_numExplanation A task registers for event notification, but the task cannot handle the specific event. Events that can be watched include those associated with queues, booleans, and timer services. If any of the registered events occur, the scheduler wakes up the task to process the event. This message is generated if an unexpected event woke up the task, but it does not know how to handle the event.
If an event is left unprocessed, it can wake up the task very often to make sure that it is processed, but this should not occur under normal conditions. If this message appears, it does not necessarily mean the device is unusable, but something unusual has occurred and needs to be investigated.
•
•
•
•
•
Recommended Action If the problem persists, contact the Cisco TAC.
216003
Error Message %ASA-3-216003: Unrecognized timer timer_ptr, timer_id received by task_string in function at line: line_numExplanation An unexpected timer event woke up the task, but the task does not know how to handle the event. A task can register a set of timer services with the scheduler. If any of the timers expire, the scheduler wakes up the task to take action. This message is generated if the task is awakened by an unrecognized timer event.
An expired timer, if left unprocessed, wakes up the task continuously to make sure that it is processed, and this is undesirable. This should not occur under normal conditions. If this message appears, it does not necessarily mean the device is unusable, but something unusual has occurred and needs to be investigated.
•
•
•
•
•
Recommended Action If the problem persists, contact the Cisco TAC.
216004
Error Message %ASA-4-216004:prevented: error in function at file(line) - stack traceExplanation An internal logic error has occurred, which should not occur during normal operation.
•
- Exception
- Dereferencing null pointer
- Array index out of bounds
- Invalid buffer size
- Writing from input
- Source and destination overlap
- Invalid date
- Access offset from array indices
•
•
•
Recommended Action If the problem persists, contact the Cisco TAC.
216005
Error Message %ASA-1-216005: ERROR: Duplex-mismatch on interface_name resulted in transmitter lockup. A soft reset of the switch was performed.Explanation A duplex mismatch on the port caused a problem in which the port can no longer transmit packets. This condition was detected, and the switch was reset to autorecover. This message applies only to the ASA 5505.
•
Recommended Action A duplex mismatch exists between the specified port and the ASA 5505 that is connected to it. Correct the duplex mismatch by either setting both devices to autorecover, or hard coding the duplex mismatch for both devices to be the same.
218001
Error Message %ASA-2-218001: Failed Identification Test in slot# [fail#/res].Explanation The module in slot# of the ASA cannot be identified as a genuine Cisco product. Cisco warranties and support programs apply only to genuine Cisco products. If Cisco determines that the cause of a support issue is related to non-Cisco memory, SSM modules, SSC modules, or other modules, Cisco may deny support under your warranty or under a Cisco support program such as SmartNet.
Recommended Action If this message recurs, copy it exactly as it appears on the console or in the system log. Research and try to resolve the error using the Output Interpreter. Also perform a search with the Bug Toolkit. If the problem persists, contact the Cisco TAC.
218002
Error Message %ASA-2-218002: Module (slot#) is a registered proto-type for Cisco Lab use only, and not certified for live network operation.Explanation The hardware in the specified location is a prototype module that came from a Cisco lab.
Recommended Action If this message reoccurs, copy it exactly as it appears on the console or in the system log. Research and try to resolve the error using the Output Interpreter. Also perform a search with the Bug Toolkit. If the problem persists, contact the Cisco TAC.
218003
Error Message %ASA-2-218003: Module Version in slot# is obsolete. The module in slot = slot# is obsolete and must be returned via RMA to Cisco Manufacturing. If it is a lab unit, it must be returned to Proto Services for upgrade.Explanation Obsolete hardware has been detected or the show module command has been run for the module. This message is generated once per minute after it first appears.
Recommended Action If this message recurs, copy it exactly as it appears on the console or in the system log. Research and try to resolve the error using the Output Interpreter. Also perform a search with the Bug Toolkit. If the problem persists, contact the Cisco TAC.
218004
Error Message %ASA-2-218004: Failed Identification Test in slot# [fail#/res]Explanation Aproblem occurred while identifying hardware in the specified location.
Recommended Action If this message recurs, copy it exactly as it appears on the console or in the system log. Research and try to resolve the error using the Output Interpreter. Also perform a search with the Bug Toolkit. If the problem persists, contact the Cisco TAC.
219002
Error Message %ASA-3-219002: I2C_API_name error, slot = slot_number, device = device_number, address = address, byte count = count. Reason: reason_stringExplanation The I2C serial bus API has failed because of a hardware or software problem.
•
–
–
–
–
–
–
–
–
–
–
–
–
•
•
•
•
•
–
–
–
–
–
–
–
–
–
Recommended Action Perform the following steps:
1.
2.
3.
4.
Messages 302003 to 339009
This section includes messages from 302003 to 339009.
302003
Error Message %ASA-6-302003: Built H245 connection for foreign_address outside_address/outside_port local_address inside_address/inside_portExplanation An H.245 connection has been started from the outside_address to the inside_address. The ASA has detected the use of an Intel Internet Phone. The foreign port (outside_port) only appears on connections from outside the ASA. The local port value (inside_port) only appears on connections that were started on an internal interface.
Recommended Action None required.
302004
Error Message %ASA-6-302004: Pre-allocate H323 UDP backconnection for foreign_address outside_address/outside_port to local_address inside_address/inside_portExplanation An H.323 UDP back connection has been preallocated to the foreign address (outside_address) from the local address (inside_address). The ASA has detected the use of an Intel Internet Phone. The foreign port (outside_port) only appears on connections from outside the ASA. The local port value (inside_port) only appears on connections that were started on an internal interface.
Recommended Action None required.
302010
Error Message %ASA-6-302010: connections in use, connections most usedExplanation A TCP connection has restarted.
•
Recommended Action None required.
302012
Error Message %ASA-6-302012: Pre-allocate H225 Call Signalling Connection for faddr IP_address/port to laddr IP_addressExplanation An H.225 secondary channel has been preallocated.
Recommended Action None required.
302013
Error Message %ASA-6-302013: Built {inbound|outbound} TCP connection_id for interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] to interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] [(user)]Explanation A TCP connection slot between two hosts was created.
•
•
•
•
•
If inbound is specified, the original control connection was initiated from the outside. For example, for FTP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, the original control connection was initiated from the inside.
Recommended Action None required.
302014
Error Message %ASA-6-302014: Teardown TCP connection id for interface:real-address/real-port [(idfw_user)] to interface:real-address/real-port [(idfw_user)] duration hh:mm:ss bytes bytes [reason] [(user)]Explanation A TCP connection between two hosts was deleted. The following list describes the message values:
•
•
•
•
•
•
•
Recommended Action None required.
302015
Error Message %ASA-6-302015: Built {inbound|outbound} UDP connection number for interface_name:real_address/real_port (mapped_address/mapped_port) [(idfw_user)] to interface_name:real_address/real_port (mapped_address/mapped_port)[(idfw_user)] [(user)]Explanation A UDP connection slot between two hosts was created. The following list describes the message values:
•
•
•
•
•
If inbound is specified, then the original control connection is initiated from the outside. For example, for UDP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, then the original control connection is initiated from the inside.
Recommended Action None required.
302016
Error Message %ASA-6-302016: Teardown UDP connection number for interface:real-address/real-port [(idfw_user)] to interface:real-address/real-port [(idfw_user)] duration hh:mm:ss bytes bytes [(user)]Explanation A UDP connection slot between two hosts was deleted. The following list describes the message values:
•
•
•
•
•
•
•
•
•
•
Recommended Action None required.
302017
Error Message %ASA-6-302017: Built {inbound|outbound} GRE connection id from interface:real_address (translated_address) [(idfw_user)] to interface:real_address/real_cid (translated_address/translated_cid) [(idfw_user)] [(user)Explanation A GRE connection slot between two hosts was created. The id is an unique identifier. The interface, real_address, real_cid tuple identifies the one of the two simplex PPTP GRE streams. The parenthetical translated_address, translated_cid tuple identifies the translated value with NAT.
If inbound is indicated, then the connection can only be used inbound. If outbound is indicated, then the connection can only be used for outbound. The following list describes the message values:•
•
•
•
•
•
•
•
•
•
Recommended Action None required.
302018
Error Message %ASA-6-302018: Teardown GRE connection id from interface:real_address (translated_address) [(idfw_user)] to interface:real_address/real_cid (translated_address/translated_cid) [(idfw_user)] duration hh:mm:ss bytes bytes [(user)]Explanation A GRE connection slot between two hosts was deleted. The interface, real_address, real_port tuples identify the actual sockets. Duration identifies the lifetime of the connection. The following list describes the message values:
•
•
•
•
•
•
•
•
•
Recommended Action None required.
302019
Error Message %ASA-3-302019: H.323 library_name ASN Library failed to initialize, error code numberExplanation The specified ASN library that the ASA uses for decoding the H.323 messages failed to initialize; the ASA cannot decode or inspect the arriving H.323 packet. The ASA allows the H.323 packet to pass through without any modification. When the next H.323 message arrives, the ASA tries to initialize the library again.
Recommended Action If this message is generated consistently for a particular library, contact the Cisco TAC and provide them with all log messages (preferably with timestamps).
302020
Error Message %ASA-6-302020: Built {in | out}bound ICMP connection for faddr {faddr | icmp_seq_num} [(idfw_user)] gaddr {gaddr | cmp_type} laddr laddr [(idfw_user)]Explanation An ICMP session was established in the fast-path when stateful ICMP was enabled using the inspect icmp command.
Recommended Action None required.
302021
Error Message %ASA-6-302021: Teardown ICMP connection for faddr {faddr | icmp_seq_num} [(idfw_user)] gaddr {gaddr | cmp_type} laddr laddr [(idfw_user)]Explanation An ICMP session is removed in the fast-path when stateful ICMP is enabled using the inspect icmp command.
Recommended Action None required.
302033
Error Message %ASA-6-302033:Pre-allocated H323 GUP Connection for faddr interface:foreign address/foreign-port to laddr interface:local-address/local-portExplanation A GUP connection was started from the foreign address to the local address. The foreign port (outside port) only appears on connections from outside the security device. The local port value (inside port) only appears on connections started on an internal interface.
•
•
•
•
•
Recommended Action None required.
302034
Error Message %ASA-4-302034: Unable to pre-allocate H323 GUP Connection for faddr interface:foreign address/foreign-port to laddr interface:local-address/local-portExplanation The module failed to allocate RAM system memory while starting a connection or has no more address translation slots available.
•
•
•
•
•
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact the Cisco TAC. You can check the size of the global pool compared to the number of inside network clients. Alternatively, shorten the timeout interval of translations and connections. This message may also be caused by insufficient memory; try reducing the amount of memory usage, or purchasing additional memory.
302302
Error Message %ASA-3-302302: ACL = deny; no sa createdExplanation IPsec proxy mismatches have occurred. Proxy hosts for the negotiated SA correspond to a deny access-list command policy.
Recommended Action Check the access-list command statement in the configuration. Contact the administrator for the peer.
302303
Error Message %ASA-6-302303: Built TCP state-bypass connection conn_id from initiator_interface:real_ip/real_port(mapped_ip/mapped_port) to responder_interface:real_ip/real_port (mapped_ip/mapped_port)Explanation A new TCP connection has been created, and this connection is a TCP-state-bypass connection. This type of connection bypasses all the TCP state checks and additional security checks and inspections.
Recommended Action If you need to secure TCP traffic with all the normal TCP state checks as well as all other security checks and inspections, you can use the no set connection advanced-options tcp-state-bypass command to disable this feature for TCP traffic.
302304
Error Message %ASA-6-302304: Teardown TCP state-bypass connection conn_id from initiator_interface:ip/port to responder_interface:ip/port duration, bytes, teardown reason.Explanation A new TCP connection has been torn down, and this connection is a TCP-state-bypass connection. This type of connection bypasses all the TCP state checks and additional security checks and inspections.
•
•
•
Recommended Action If you need to secure TCP traffic with all the normal TCP state checks as well as all other security checks and inspections, you can use the no set connection advanced-options tcp-state-bypass command to disable this feature for TCP traffic.
303002
Error Message %ASA-6-303002: FTP connection from src_ifc:src_ip/src_port to dst_ifc:dst_ip/dst_port, user username action file filenameExplanation A client has uploaded or downloaded a file from the FTP server.
•
•
•
•
•
•
•
•
•
Recommended Action None required.
303004
Error Message %ASA-5-303004: FTP cmd_string command unsupported - failed strict inspection, terminating connection from source_interface:source_address/source_port to dest_interface:dest_address/dest_interfaceExplanation Strict FTP inspection on FTP traffic has been used, and an FTP request message contains a command that is not recognized by the device.
Recommended Action None required.
303005
Error Message %ASA-5-303005: Strict FTP inspection matched match_string in policy-map policy-name, action_string from src_ifc:sip/sport to dest_ifc:dip/dportExplanation When FTP inspection matches any of the following configured values: filename, file type, request command, server, or username, then the action specified by the action_string in this message occurs.
•
•
•
•
•
•
•
•
•
Recommended Action None required.
304001
Error Message %ASA-5-304001: user@source_address [(idfw_user)] Accessed URL dest_address: url.Explanation The specified host tried to access the specified URL.
Recommended Action None required.
304002
Error Message %ASA-5-304002: Access denied URL chars SRC IP_address [(idfw_user)] DEST IP_address: charsExplanation Access from the source address to the specified URL or FTP site was denied.
Recommended Action None required.
304003
Error Message %ASA-3-304003: URL Server IP_address timed out URL urlExplanation A URL server timed out.
Recommended Action None required.
304004
Error Message %ASA-6-304004: URL Server IP_address request failed URL urlExplanation A Websense server request failed.
Recommended Action None required.
304005
Error Message %ASA-7-304005: URL Server IP_address request pending URL urlExplanation A Websense server request is pending.
Recommended Action None required.
304006
Error Message %ASA-3-304006: URL Server IP_address not respondingExplanation The Websense server is unavailable for access, and the ASA attempts to either try to access the same server if it is the only server installed, or another server if there is more than one.
Recommended Action None required.
304007
Error Message %ASA-2-304007: URL Server IP_address not responding, ENTERING ALLOW mode.Explanation You used the allow option of the filter command, and the Websense servers are not responding. The ASA allows all web requests to continue without filtering while the servers are not available.
Recommended Action None required.
304008
Error Message %ASA-2-304008: LEAVING ALLOW mode, URL Server is up.Explanation You used the allow option of the filter command, and the ASA receives a response message from a Websense server that previously was not responding. With this response message, the ASA exits the allow mode, which enables the URL filtering feature again.
Recommended Action None required.
304009
Error Message %ASA-7-304009: Ran out of buffer blocks specified by url-block commandExplanation The URL pending buffer block is running out of space.
Recommended Action Change the buffer block size by entering the url-block block block_size command.
305005
Error Message %ASA-3-305005: No translation group found for protocol src interface_name: source_address/source_port [(idfw_user)] dst interface_name: dest_address/dest_port [(idfw_user)]Explanation A packet does not match any of the outbound nat command rules. If NAT is not configured for the specified source and destination systems, the message will be generated frequently.
Recommended Action This message indicates a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the NAT 0 ACL.
305006
Error Message %ASA-3-305006: {outbound static|identity|portmap|regular) translation creation failed for protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dest_address/dest_port [(idfw_user)]Explanation A protocol (UDP, TCP, or ICMP) failed to create a translation through the ASA. The ASA does not allow packets through that are destined for network or broadcast addresses. The ASA provides this checking for addresses that are explicitly identified with static commands. For inbound traffic, the ASA denies translations for an IP address identified as a network or broadcast address.
The ASA does not apply PAT to all ICMP message types; it only applies PAT ICMP echo and echo-reply packets (types 8 and 0). Specifically, only ICMP echo or echo-reply packets create a PAT translation. As a result, when the other ICMP messages types are dropped, this message is generated.
The ASA uses the global IP address and mask from configured static commands to differentiate regular IP addresses from network or broadcast IP addresses. If the global IP address is a valid network address with a matching network mask, then the ASA does not create a translation for network or broadcast IP addresses with inbound packets.
For example:
static (inside,outside) 10.2.2.128 10.1.1.128 netmask 255.255.255.128The ASA responds to global address 10.2.2.128 as a network address and to 10.2.2.255 as the broadcast address. Without an existing translation, the ASA denies inbound packets destined for 10.2.2.128 or 10.2.2.255, and logs this message.
When the suspected IP address is a host IP address, configure a separate static command with a host mask in front of the subnet static command (the first match rule for static commands). The following static commands cause the ASA to respond to 10.2.2.128 as a host address:
static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.255 static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.128The translation may be created by traffic started from the inside host with the IP address in question. Because the ASA views a network or broadcast IP address as a host IP address with an overlapped subnet static configuration, the network address translation for both static commands must be the same.
Recommended Action None required.
305007
Error Message %ASA-6-305007: addrpool_free(): Orphan IP IP_address on interface interface_numberExplanation The ASA has attempted to translate an address that it cannot find in any of its global pools. The ASA assumes that the address was deleted and drops the request.
Recommended Action None required.
305008
Error Message %ASA-3-305008: Free unallocated global IP address.Explanation The ASA kernel detected an inconsistency condition when trying to free an unallocated global IP address back to the address pool. This abnormal condition may occur if the ASA is running a Stateful Failover setup, and some of the internal states are momentarily out of sync between the active unit and the standby unit. This condition is not catastrophic, and the synchronization recovers automatically.
Recommended Action If the problem persists, contact the Cisco TAC.
305009
Error Message %ASA-6-305009: Built {dynamic|static} translation from interface_name [(acl-name)]:real_address [(idfw_user)] to interface_name:mapped_addressExplanation An address translation slot was created. The slot translates the source address from the local side to the global side. In reverse, the slot translates the destination address from the global side to the local side.
Recommended Action None required.
305010
Error Message %ASA-6-305010: Teardown {dynamic|static} translation from interface_name:real_address [(idfw_user)] to interface_name:mapped_address duration timeExplanation The address translation slot was deleted.
Recommended Action None required.
305011
Error Message %ASA-6-305011: Built {dynamic|static} {TCP|UDP|ICMP} translation from interface_name:real_address/real_port [(idfw_user)] to interface_name:mapped_address/mapped_portExplanation A TCP, UDP, or ICMP address translation slot was created. The slot translates the source socket from the local side to the global side. In reverse, the slot translates the destination socket from the global side to the local side.
Recommended Action None required.
305012
Error Message %ASA-6-305012: Teardown {dynamic|static} {TCP|UDP|ICMP} translation from interface_name [(acl-name)]:real_address/{real_port|real_ICMP_ID} [(idfw_user)] to interface_name:mapped_address/{mapped_port|mapped_ICMP_ID} duration timeExplanation The address translation slot was deleted.
Recommended Action None required.
305013
Error Message %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dst_address/dst_port [(idfw_user)] denied due to NAT reverse path failure.Explanation An attempt to connect to a mapped host using its actual address was rejected.
Recommended Action When not on the same interface as the host using NAT, use the mapped address instead of the actual address to connect to the host. In addition, enable the inspect command if the application embeds the IP address.
308001
Error Message %ASA-6-308001: console enable password incorrect for number tries (from IP_address)Explanation This is a ASA management message. This message appears after the specified number of times a user incorrectly types the password to enter privileged mode. The maximum is three attempts.
Recommended Action Verify the password and try again.
308002
Error Message %ASA-4-308002: static global_address inside_address netmask netmask overlapped with global_address inside_addressExplanation The IP addresses in one or more static command statements overlap. global_address is the global address, which is the address on the lower security interface, and inside_address is the local address, which is the address on the higher security-level interface.
Recommended Action Use the show static command to view the static command statements in your configuration and fix the commands that overlap. The most common overlap occurs if you specify a network address such as 10.1.1.0, and in another static command you specify a host within that range, such as 10.1.1.5.
311001
Error Message %ASA-6-311001: LU loading standby startExplanation Stateful Failover update information was sent to the standby ASA when the standby ASA is first to be online.
Recommended Action None required.
311002
Error Message %ASA-6-311002: LU loading standby endExplanation Stateful Failover update information stopped sending to the standby ASA.
Recommended Action None required.
311003
Error Message %ASA-6-311003: LU recv thread upExplanation An update acknowledgment was received from the standby ASA.
Recommended Action None required.
311004
Error Message %ASA-6-311004: LU xmit thread upExplanation A Stateful Failover update was transmitted to the standby ASA.
Recommended Action None required.
312001
Error Message %ASA-6-312001: RIP hdr failed from IP_address: cmd=string, version=number domain=string on interface interface_nameExplanation The ASA received a RIP message with an operation code other than reply, the message has a version number different from what is expected on this interface, and the routing domain entry was nonzero. Another RIP device may not be configured correctly to communicate with the ASA.
Recommended Action None required.
313001
Error Message %ASA-3-313001: Denied ICMP type=number, code=code from IP_address on interface interface_nameExplanation When using the icmp command with an access list, if the first matched entry is a permit entry, the ICMP packet continues processing. If the first matched entry is a deny entry, or an entry is not matched, the ASA discards the ICMP packet and generates this message. The icmp command enables or disables pinging to an interface. With pinging disabled, the ASA cannot be detected on the network. This feature is also referred to as configurable proxy pinging.
Recommended Action Contact the administrator of the peer device.
313004
Error Message %ASA-4-313004:Denied ICMP type=icmp_type, from source_address on interface interface_name to dest_address:no matching sessionExplanation ICMP packets were dropped by the ASA because of security checks added by the stateful ICMP feature that are usually either ICMP echo replies without a valid echo request already passed across the ASA or ICMP error messages not related to any TCP, UDP, or ICMP session already established in the ASA.
Recommended Action None required.
313005
Error Message %ASA-4-313005: No matching connection for ICMP error message: icmp_msg_info on interface_name interface. Original IP payload: embedded_frame_info icmp_msg_info = icmp src src_interface_name:src_address [([idfw_user | FQDN_string], sg_info)] dst dest_interface_name:dest_address [([idfw_user | FQDN_string], sg_info)] (type icmp_type, code icmp_code) embedded_frame_info = prot src source_address/source_port [([idfw_user | FQDN_string], sg_info)] dst dest_address/dest_port [(idfw_user|FQDN_string), sg_info]Explanation ICMP error packets were dropped by the ASA because the ICMP error messages are not related to any session already established in the ASA.
Recommended Action If the cause is an attack, you can deny the host by using ACLs.
313008
Error Message %ASA-3-313008: Denied ICMPv6 type=number, code=code from IP_address on interface interface_nameExplanation When using the icmp command with an access list, if the first matched entry is a permit entry, the ICMPv6 packet continues processing. If the first matched entry is a deny entry, or an entry is not matched, the ASA discards the ICMPv6 packet and generates this message.
The icmp command enables or disables pinging to an interface. When pinging is disabled, the ASA is undetectable on the network. This feature is also referred to as "configurable proxy pinging."
Recommended Action Contact the administrator of the peer device.
313009
Error Message %ASA-4-313009: Denied invalid ICMP code icmp-code, for src-ifc:src-address/src-port (mapped-src-address/mapped-src-port) to dest-ifc:dest-address/dest-port (mapped-dest-address/mapped-dest-port) [user], ICMP id icmp-id, ICMP type icmp-typeExplanation An ICMP echo request/reply packet was received with a malformed code(non-zero).
Recommended Action If it is an intermittent event, no action is required. If the cause is an attack, you can deny the host using the ACLs.
314001
Error Message %ASA-6-314001: Pre-allocated RTSP UDP backconnection for src_intf:src_IP to dst_intf:dst_IP/dst_port.Explanation The ASA opened a UDP media channel for the RTSP client that was receiving data from the server.
•
•
•
•
•
Recommended Action None required.
314002
Error Message %ASA-6-314002: RTSP failed to allocate UDP media connection from src_intf:src_IP to dst_intf:dst_IP/dst_port: reason_string.Explanation The ASA cannot open a new pinhole for the media channel.
•
•
•
•
•
•
Recommended Action If the reason is unknown, check the free memory available by running the show memory command, or the number of connections used by running the show conn command, because the ASA is low on memory.
314003
Error Message %ASA-6-314003: Dropped RTSP traffic from src_intf:src_ip due to: reason.Explanation The RTSP message violated the user-configured RTSP security policy, either because it contains a port from the reserve port range, or it contains a URL with a length greater than the maximum limit allowed.
•
•
•
- Endpoint negotiating media ports in the reserved port range from 0 to 1024
- URL length of url length bytes exceeds the maximum url length limit bytes
Recommended Action Investigate why the RTSP client sends messages that violate the security policy. If the requested URL is legitimate, you can relax the policy by specifying a longer URL length limit in the RTSP policy map.
314004
Error Message %ASA-6-314004: RTSP client src_intf:src_IP accessed RTSP URL RTSP URLExplanation An RTSP client tried to access an RTSP server.
•
•
•
Recommended Action None required.
314005
Error Message %ASA-6-314005: RTSP client src_intf:src_IP denied access to URL RTSP_URL.Explanation An RTSP client tried to access a prohibited site.
•
•
•
Recommended Action None required.
314006
Error Message %ASA-6-314006: RTSP client src_intf:src_IP exceeds configured rate limit of rate for request_method messages.Explanation A specific RTSP request message exceeded the configured rate limit of RTSP policy.
•
•
•
•
Recommended Action Investigate why the specific RTSP request message from the client exceeded the rate limit.
315004
Error Message %ASA-3-315004: Fail to establish SSH session because RSA host key retrieval failed.Explanation The ASA cannot find the RSA host key, which is required for establishing an SSH session. The ASA host key may be absent because it was not generated or because the license for this ASA does not allow DES or 3DES encryption.
Recommended Action From the ASA console, enter the show crypto key mypubkey rsa command to verify that the RSA host key is present. If the host key is not present, enter the show version command to verify that DES or 3DES is allowed. If an RSA host key is present, restart the SSH session. To generate the RSA host key, enter the crypto key mypubkey rsa command.
315011
Error Message %ASA-6-315011: SSH session from IP_address on interface interface_name for user user disconnected by SSH server, reason: reasonExplanation An SSH session has ended. If a user enters quit or exit, the terminated normally message appears. If the session disconnected for another reason, the text describes the reason. Table 1-4 lists the possible reasons why a session disconnected.
Recommended Action None required.
316001
Error Message %ASA-3-316001: Denied new tunnel to IP_address. VPN peer limit (platform_vpn_peer_limit) exceededExplanation If more VPN tunnels (ISAKMP/IPsec) are concurrently trying to be established than are supported by the platform VPN peer limit, then the excess tunnels are aborted.
Recommended Action None required.
316002
Error Message %ASA-3-316002: VPN Handle error: protocol=protocol, src in_if_num:src_addr, dst out_if_num:dst_addrExplanation The ASA cannot create a VPN handle, because the VPN handle already exists.
•
•
•
•
•
Recommended Action This message may occur during normal operation; however, if the message occurs repeatedly and a major malfunction of VPN-based applications occurs, a software defect may be the cause. Enter the following commands to collect more information and contact the Cisco TAC to investigate the issue further:
capture name type asp-drop vpn-handle-errorshow asp table classify crypto detailshow asp table vpn-context317001
Error Message %ASA-3-317001: No memory available for limit_slowExplanation The requested operation failed because of a low-memory condition.
Recommended Action Reduce other system activity to ease memory demands. If conditions warrant, upgrade to a larger memory configuration.
317002
Error Message %ASA-3-317002: Bad path index of number for IP_address, number maxExplanation A software error occurred.
Recommended Action If the problem persists, contact the Cisco TAC.
317003
Error Message %ASA-3-317003: IP routing table creation failure - reasonExplanation An internal software error occurred, which prevented the creation of a new IP routing table.
Recommended Action Copy the message exactly as it appears, and report it to Cisco TAC.
317004
Error Message %ASA-3-317004: IP routing table limit warningExplanation The number of routes in the named IP routing table has reached the configured warning limit.
Recommended Action Reduce the number of routes in the table, or reconfigure the limit.
317005
Error Message %ASA-3-317005: IP routing table limit exceeded - reason, IP_address netmaskExplanation Additional routes will be added to the table.
Recommended Action Reduce the number of routes in the table, or reconfigure the limit.
317006
Error Message %ASA-3-317006: Pdb index error pdb, pdb_index, pdb_typeExplanation The index into the PDB is out of range.
•
•
•
Recommended Action If the problem persists, copy the error message exactly as it appears on the console or in the system log, contact the Cisco TAC, and provide the representative with the collected information.
317007
Error Message %ASA-6-317007: Added route_type route dest_address netmask via gateway_address [distance/metric] on interface_name route_typeExplanation A new route has been added to the routing table.
Routing protocol type:
C - connected, S - static, I - IGRP, R - RIP, M - mobile
B - BGP, D - EIGRP, EX - EIGRP external, O - OSPF
IA - OSPF inter area, N1 - OSPF NSSA external type 1
N2 - OSPF NSSA external type 2, E1 - OSPF external type 1
E2 - OSPF external type 2, E - EGP, i - IS-IS, L1 - IS-IS level-1
L2 - IS-IS level-2, ia - IS-IS inter area
•
•
•
•
•
•
Recommended Action None required.
317008
Error Message %ASA-6-317007: Deleted route_type route dest_address netmask via gateway_address [distance/metric] on interface_name route_typeExplanation A new route has been deleted from the routing table.
Routing protocol type:
C - connected, S - static, I - IGRP, R - RIP, M - mobile
B - BGP, D - EIGRP, EX - EIGRP external, O - OSPF
IA - OSPF inter area, N1 - OSPF NSSA external type 1
N2 - OSPF NSSA external type 2, E1 - OSPF external type 1
E2 - OSPF external type 2, E - EGP, i - IS-IS, L1 - IS-IS level-1
L2 - IS-IS level-2, ia - IS-IS inter area
•
•
•
•
•
•
Recommended Action None required.
318001
Error Message %ASA-3-318001: Internal error: reasonExplanation An internal software error occurred. This message occurs at five-second intervals.
Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.
318002
Error Message %ASA-3-318002: Flagged as being an ABR without a backbone areaExplanation The router was flagged as an area border router without a backbone area configured in the router. This message occurs at five-second intervals.
Recommended Action Restart the OSPF process.
318003
Error Message %ASA-3-318003: Reached unknown state in neighbor state machineExplanation An internal software error occurred. This message occurs at five-second intervals.
Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.
318004
Error Message %ASA-3-318004: area string lsid IP_address mask netmask adv IP_address type numberExplanation The OSPF process had a problem locating the link state advertisement, which might lead to a memory leak.
Recommended Action If the problem persists, contact the Cisco TAC.
318005
Error Message %ASA-3-318005: lsid ip_address adv IP_address type number gateway gateway_address metric number network IP_address mask netmask protocol hex attr hex net-metric numberExplanation OSPF found an inconsistency between its database and the IP routing table.
Recommended Action If the problem persists, contact the Cisco TAC.
318006
Error Message %ASA-3-318006: if interface_name if_state numberExplanation An internal error occurred.
Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.
318007
Error Message %ASA-3-318007: OSPF is enabled on interface_name during idb initializationExplanation An internal error occurred.
Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.
318008
Error Message %ASA-3-318008: OSPF process number is changing router-id. Reconfigure virtual link neighbors with our new router-idExplanation The OSPF process is being reset, and it is going to select a new router ID. This action will bring down all virtual links.
Recommended Action Change the virtual link configuration on all of the virtual link neighbors to reflect the new router ID.
318009
Error Message %ASA-3-318009: OSPF: Attempted reference of stale data encountered in function, line: line_numExplanation OSPF is running and has tried to reference some related data structures that have been removed elsewhere. Clearing interface and router configurations may resolve the problem. However, if this message appears, some sequence of steps caused premature deletion of data structures and this needs to be investigated.
•
•
Recommended Action If the problem persists, contact the Cisco TAC.
318101
Error Message %ASA-3-318101: Internal error: REASONExplanation An internal software error has occurred.
•
Recommended Action None required.
318102
Error Message %ASA-3-318102: Flagged as being an ABR without a backbone areaExplanation The router was flagged as an Area Border Router (ABR) without a backbone area in the router.
Recommended Action Restart the OSPF process.
318103
Error Message %ASA-3-318103: Reached unknown state in neighbor state machineExplanation An internal software error has occurred.
Recommended Action None required.
318104
Error Message %ASA-3-318104: DB already exist: area AREA_ID_STR lsid i adv i type 0x xExplanation OSPF has a problem locating the LSA, which could lead to a memory leak.
•
•
•
Recommended Action None required.
318105
Error Message %ASA-3-318105: lsid i adv i type 0x x gateway i metric d network i mask i protocol #x attr #x net-metric dExplanation OSPF found an inconsistency between its database and the IP routing table.
•
•
•
Recommended Action None required.
318106
Error Message %ASA-3-318106: if IF_NAME if_state dExplanation An internal error has occurred.
•
•
Recommended Action None required.
318107
Error Message %ASA-3-318107: OSPF is enabled on IF_NAME during idb initializationExplanation An internal error has occurred.
•
Recommended Action None required.
318108
Error Message %ASA-3-318108: OSPF process d is changing router-id. Reconfigure virtual link neighbors with our new router-idExplanation The OSPF process is being reset, and it is going to select a new router ID, which brings down all virtual links. To make them work again, you need to change the virtual link configuration on all virtual link neighbors.
•
Recommended Action Change the virtual link configuration on all the virtual link neighbors to include the new router ID.
318109
Error Message %ASA-3-318109: OSPFv3 has received an unexpected message: 0x / 0xExplanation OSPFv3 has received an unexpected interprocess message.
•
Recommended Action None required.
318110
Error Message %ASA-3-318110: Invalid encrypted key s.Explanation The specified encrypted key is not valid.
•
Recommended Action Either specify a clear text key and enter the service password-encryption command for encryption, or ensure that the specified encrypted key is valid. If the specified encrypted key is not valid, an error message appears during system configuration.
318111
Error Message %ASA-3-318111: SPI u is already in use with ospf process dExplanation An attempt was made to use a SPI that has already been used.
•
•
Recommended Action Choose a different SPI.
318112
Error Message %ASA-3-318112: SPI u is already in use by a process other than ospf process d.Explanation An attempt was made to use a SPI that has already been used.
•
•
Recommended Action Choose a different SPI. Enter the show crypto ipv6 ipsec sa command to view a list of SPIs that are already being used.
318113
Error Message %ASA-3-318113: s s is already configured with SPI u.Explanation An attempt was made to use a SPI that has already been used.
•
•
Recommended Action Unconfigure the SPI first, or choose a different one.
318114
Error Message %ASA-3-318114: The key length used with SPI u is not validExplanation The key length was incorrect.
•
Recommended Action Choose a valid IPsec key. An IPsec authentication key must be 32 (MD5) or 40 (SHA-1) hexidecimal digits long.
318115
Error Message %ASA-3-318115: s error occured when attempting to create an IPsec policy for SPI uExplanation An IPsec API (internal) error has occurred.
•
•
Recommended Action None required.
318116
Error Message %ASA-3-318116: SPI u is not being used by ospf process d.Explanation An attempt was made to unconfigure a SPI that is not being used with OSPFv3.
•
•
Recommended Action Enter a show command to see which SPIs are used by OSPFv3.
318117
Error Message %ASA-3-318117: The policy for SPI u could not be removed because it is in use.Explanation An attempt was made to remove the policy for the indicated SPI, but the policy was still being used by a secure socket.
•
Recommended Action None required.
318118
Error Message %ASA-3-318118: s error occured when attemtping to remove the IPsec policy with SPI uExplanation An IPsec API (internal) error has occurred.
•
•
Recommended Action None required.
318119
Error Message %ASA-3-318119: Unable to close secure socket with SPI u on interface sExplanation An IPsec API (internal) error has occurred.
•
•
Recommended Action None required.
318120
Error Message %ASA-3-318120: OSPFv3 was unable to register with IPsecExplanation An internal error has occurred.
Recommended Action None required.
318121
Error Message %ASA-3-318121: IPsec reported a GENERAL ERROR: message s, count dExplanation An internal error has occurred.
•
•
Recommended Action None required.
318122
Error Message %ASA-3-318122: IPsec sent a s message s to OSPFv3 for interface s. Recovery attempt dExplanation An internal error has occurred. The system is trying to reopen the secure socket and to recover.
•
•
Recommended Action None required.
318123
Error Message %ASA-3-318123: IPsec sent a s message s to OSPFv3 for interface IF_NAME. Recovery abortedExplanation An internal error has occurred. The maximum number of recovery attempts has been exceeded.
•
•
Recommended Action None required.
318125
Error Message %ASA-3-318125: Init failed for interface IF_NAMEExplanation The interface initialization failed. Possible reasons include the following:
•
•
•
Recommended Action Remove the configuration command that initializes the interface and then try it again.
318126
Error Message %ASA-3-318126: Interface IF_NAME is attached to more than one areaExplanation The interface is on the interface list for an area other than the one to which the interface links.
•
Recommended Action None required.
318127
Error Message %ASA-3-318127: Could not allocate or find the neighborExplanation An internal error has occurred.
Recommended Action None required.
319001
Error Message %ASA-3-319001: Acknowledge for arp update for IP address dest_address not received (number).Explanation The ARP process in the ASA lost internal synchronization because the ASA was overloaded.
Recommended Action None required. The failure is only temporary. Check the average load of the ASA and make sure that it is not used beyond its capabilities.
319002
Error Message %ASA-3-319002: Acknowledge for route update for IP address dest_address not received (number).Explanation The routing module in the ASA lost internal synchronization because the ASA was overloaded.
Recommended Action None required. The failure is only temporary. Check the average load of the ASA and make sure that it is not used beyond its capabilities.
319003
Error Message %ASA-3-319003: Arp update for IP address address to NPn failed.Explanation When an ARP entry has to be updated, a message is sent to the network processor (NP) in order to update the internal ARP table. If the module is experiencing high utilization of memory or if the internal table is full, the message to the NP may be rejected and this message generated.
Recommended Action Verify if the ARP table is full. If it is not full, check the load of the module by reviewing the CPU utilization and connections per second. If CPU utilization is high and/or there is a large number of connections per second, normal operations will resume when the load returns to normal.
319004
Error Message %ASA-3-319004: Route update for IP address dest_address failed (number).Explanation The routing module in the ASA lost internal synchronization because the system was overloaded.
Recommended Action None required. The failure is only temporary. Check the average load of the system and make sure that it is not used beyond its capabilities.
320001
Error Message %ASA-3-320001: The subject name of the peer cert is not allowed for connectionExplanation When the ASA is an easy VPN remote device or server, the peer certificate includes asubject name that does not match the output of the ca verifycertdn command. A man-in-the-middle attack might be occurring, where a device spoofs the peer IP address and tries to intercept a VPN connection from the ASA.
Recommended Action None required.
321001
Error Message %ASA-5-321001: Resource var1 limit of var2 reached.Explanation A configured resource usage or rate limit for the indicated resource was reached.
Recommended Action None required.
321002
Error Message %ASA-5-321002: Resource var1 rate limit of var2 reached.Explanation A configured resource usage or rate limit for the indicated resource was reached.
Recommended Action None required.
321003
Error Message %ASA-6-321003: Resource var1 log level of var2 reached.Explanation A configured resource usage or rate logging level for the indicated resource was reached.
Recommended Action None required.
321004
Error Message %ASA-6-321004: Resource var1 rate log level of var2 reachedExplanation A configured resource usage or rate logging level for the indicated resource was reached.
Recommended Action None required.
321005
Error Message %ASA-2-321005: System CPU utilization reached utilization %Explanation The system CPU utilization has reached 95 percent or more and remains at this level for five minutes.
•
Recommended Action If this message occurs periodically, you can ignore it. If it repeats frequently, check the output of the show cpu command and verify the CPU usage. If it is high, contact the Cisco TAC.
321006
Error Message %ASA-2-321006: System memory usage reached utilization %Explanation The system memory usage has reached 80 percent or more and remains at this level for five minutes.
•
Recommended Action If this message occurs periodically, you can ignore it. If it repeats frequently, check the output of the show memory command and verify the memory usage. If it is high, contact the Cisco TAC.
321007
Error Message %ASA-3-321007: System is low on free memory blocks of size block_size (free_blocks CNT out of max_blocks MAX)Explanation The system is low on free blocks of memory. Running out of blocks may result in traffic disruption.
•
•
•
Recommended Action Use the show blocks command to monitor the amount of free blocks in the CNT column of the output for the indicated block size. If the CNT column remains zero, or very close to it for an extended period of time, then the ASA may be overloaded or running into another issue that needs additional investigation.
322001
Error Message %ASA-3-322001: Deny MAC address MAC_address, possible spoof attempt on interface interfaceExplanation The ASA received a packet from the offending MAC address on the specified interface, but the source MAC address in the packet is statically bound to another interface in the configuration. Either a MAC-spoofing attack or a misconfiguration may be the cause.
Recommended Action Check the configuration and take appropriate action by either finding the offending host or correcting the configuration.
322002
Error Message %ASA-3-322002: ARP inspection check failed for arp {request|response} received from host MAC_address on interface interface. This host is advertising MAC Address MAC_address_1 for IP Address IP_address, which is {statically|dynamically} bound to MAC Address MAC_address_2.Explanation If the ARP inspection module is enabled, it checks whether a new ARP entry advertised in the packet conforms to the statically configured or dynamically learned IP-MAC address binding before forwarding ARP packets across the ASA. If this check fails, the ARP inspection module drops the ARP packet and generates this message. This situation may be caused by either ARP spoofing attacks in the network or an invalid configuration (IP-MAC binding).
Recommended Action If the cause is an attack, you can deny the host using the ACLs. If the cause is an invalid configuration, correct the binding.
322003
Error Message %ASA-3-322003:ARP inspection check failed for arp {request|response} received from host MAC_address on interface interface. This host is advertising MAC Address MAC_address_1 for IP Address IP_address, which is not bound to any MAC Address.Explanation If the ARP inspection module is enabled, it checks whether a new ARP entry advertised in the packet conforms to the statically configured IP-MAC address binding before forwarding ARP packets across the ASA. If this check fails, the ARP inspection module drops the ARP packet and generates this message. This situation may be caused by either ARP spoofing attacks in the network or an invalid configuration (IP-MAC binding).
Recommended Action If the cause is an attack, you can deny the host using the ACLs. If the cause is an invalid configuration, correct the binding.
322004
Error Message %ASA-6-322004: No management IP address configured for transparent firewall. Dropping protocol protocol packet from interface_in:source_address/source_port to interface_out:dest_address/dest_portExplanation The ASA dropped a packet because no management IP address was configured in the transparent mode.
•
•
•
•
•
•
•
Recommended Action Configure the device with the management IP address and mask values.
323001
Error Message %ASA-3-323001: Module module_id experienced a control channel communications failure.Error Message %ASA-3-323001: Module in slot slot_num experienced a control channel communications failure.Explanation The ASA is unable to communicate via control channel with the module installed (in the specified slot).
•
•
Recommended Action If the problem persists, contact the Cisco TAC.
323002
Error Message %ASA-3-323002: Module module_id is not able to shut down, shut down request not answered.Error Message %ASA-3-323002: Module in slot slot_num is not able to shut down, shut down request not answered.Explanation The module installed did not respond to a shutdown request.
•
•
Recommended Action If the problem persists, contact the Cisco TAC.
323003
Error Message %ASA-3-323003: Module module_id is not able to reload, reload request not answered.Error Message %ASA-3-323003: Module in slot slotnum is not able to reload, reload request not answered.Explanation The module installed did not respond to a reload request.
•
•
Recommended Action If the problem persists, contact the Cisco TAC.
323004
Error Message %ASA-3-323004: Module string one failed to write software newver (currently ver), reason. Hw-module reset is required before further use.Explanation The module failed to accept a software version, and will be transitioned to an UNRESPONSIVE state. The module is not usable until the software is updated.
•
•
•
•
- write failure
- failed to create a thread to write the image
Recommended Action If the module software cannot be updated, it will not be usable. If the problem persists, contact the Cisco TAC.
323005
Error Message %ASA-3-323005: Module module_id can not be started completelyError Message %ASA-3-323005: Module in slot slot_num can not be started completelyExplanation This message indicates that the module can not be started completely. The module will remain in the UNRESPONSIVE state until this condition is corrected. A module that is not fully seated in the slot is the most likely cause.
•
•
Recommended Action Verify that the module is fully seated and check to see if any status LEDs on the module are on. It may take a minute after fully reseating the module for the ASA to recognize that it is powered up. If this message appears after verifying that the module is seated and after resetting the module using either the sw-module module service-module-name reset command or the hw-module module slotnum reset command, contact the Cisco TAC.
323006
Error Message %ASA-1-323006: Module ips experienced a data channel communication failure, data channel is DOWN.Explanation A data channel communication failure occurred and the ASA was unable to forward traffic to the services module. This failure triggers a failover when the failure occurs on the active ASA in an HA configuration. The failure also results in the configured fail open or fail closed policy being enforced on traffic that would normally be sent to the services module. This message is generated whenever a communication problem over the ASA dataplane occurs between the system module and the services module, which can be caused when the services module stops, resets, is removed or disabled.
Recommended Action For software services modules such as IPS, recover the module using the sw-module module ips recover command. For hardware services modules, if this message is not the result of the SSM reloading or resetting and the corresponding syslog message 505010 is not seen after the SSM returns to an UP state, reset the module using the hw-module module 1 reset command.
323007
Error Message %ASA-3-323007: Module in slot slot experienced a firware failure and the recovery is in progress.Explanation An ASA with a 4GE-SSM installed experienced a short power surge, then rebooted. As a result, the 4GE-SSM may come online in an unresponsive state. The ASA has detected that the 4GE-SSM is unresponsive, and automatically restarts the 4GE-SSM.
Recommended Action None required.
324000
Error Message %ASA-3-324000: Drop GTPv version message msg_type from source_interface:source_address/source_port to dest_interface:dest_address/dest_port Reason: reasonExplanation The packet being processed did not meet the filtering requirements as described in the reason variable and is being dropped.
Recommended Action None required.
324001
Error Message %ASA-3-324001: GTPv0 packet parsing error from source_interface:source_address/source_port to dest_interface:dest_address/dest_port, TID: tid_value, Reason: reasonExplanation There was an error processing the packet. The following are possible reasons:
•
•
•
•
•
•
•
•
•
•
•
•
•
Recommended Action If this message is seen periodically, it can be ignored. If it is seen frequently, then the endpoint may be sending out bad packets as part of an attack.
324002
Error Message %ASA-3-324002: No PDP[MCB] exists to process GTPv0 msg_type from source_interface:source_address/source_port to dest_interface:dest_address/dest_port, TID: tid_valueExplanation If this message was preceded by message 321100, memory allocation error, the message indicates that there were not enough resources to create the PDP context. If not, it was not preceded by message 321100. For version 0, it indicates that the corresponding PDP context cannot be found. For version 1, if this message was preceded by message 324001, then a packet processing error occurred, and the operation stopped.
Recommended Action If the problem persists, determine why the source is sending packets without a valid PDP context.
324003
Error Message %ASA-3-324003: No matching request to process GTPv version msg_type from source_interface:source_address/source_port to source_interface:dest_address/dest_portExplanation The response received does not have a matching request in the request queue and should not be processed further.
Recommended Action If this message is seen periodically, it can be ignored. But if it is seen frequently, then the endpoint may be sending out bad packets as part of an attack.
324004
Error Message %ASA-3-324004: GTP packet with version%d from source_interface:source_address/source_port to dest_interface:dest_address/dest_port is not supportedExplanation The packet being processed has a version other than the currently supported version, which is 0 or 1. If the version number printed out is an incorrect number and is seen frequently, then the endpoint may be sending out bad packets as part of an attack.
Recommended Action None required.
324005
Error Message %ASA-3-324005: Unable to create tunnel from source_interface:source_address/source_port to dest_interface:dest_address/dest_portExplanation An error occurred while trying to create the tunnel for the transport protocol data units.
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact the Cisco TAC.
324006
Error Message %ASA-3-324006:GSN IP_address tunnel limit tunnel_limit exceeded, PDP Context TID tid failedExplanation The GPRS support node sending the request has exceeded the maximum allowed tunnels created, so no tunnel will be created.
Recommended Action Check to see whether the tunnel limit should be increased or if there is a possible attack on the network.
324007
Error Message %ASA-3-324007: Unable to create GTP connection for response from source_address/0 to dest_address/dest_portExplanation An error occurred while trying to create the tunnel for the transport protocol data units for a differentsServicing GPRS support node or gateway GPRS support node.
Recommended Action Check debugging messages to see why the connection was not created correctly. If the problem persists, contact the Cisco TAC.
324008
Error Message %ASA-3-324008: No PDP exists to update the data sgsn [ggsn] PDPMCB Info REID: teid_value, Request TEID; teid_value, Local GSN: IPaddress (VPIfNum), Remove GSN: IPaddress (VPIfNum)Explanation When a GTP HA message is received on the standby unit to update the PDP with data sgsn/ggsn PDPMCB information, the PDP is not found because of a previous PDP update message that was not successfully delivered or successfully processed on the standby unit.
Recommended Action If this message occurs periodically, you can ignore it. If it occurs frequently, contact the Cisco TAC.
324300
Error Message %ASA-3-324300: Radius Accounting Request from from_addr has an incorrect request authenticatorExplanation When a shared secret is configured for a host, the request authenticator is verified with that secret. If it fails, it is logged and packet processing stops.
•
Recommended Action Check to see that the correct shared secret was configured. If it is, double-check the source of the packet to make sure that it was not spoofed.
324301
Error Message %ASA-3-324301: Radius Accounting Request has a bad header length hdr_len, packet length pkt_lenExplanation The accounting request message has a header length that is not the same as the actual packet length, so packet processing stops.
•
•
Recommended Action Make sure the packet was not spoofed. If the packet is legitimate, then capture the packet and make sure the header length is incorrect, as indicated by the message. If the header length is correct, and if the problem persists, contact the Cisco TAC.
325001
Error Message %ASA-3-325001: Router ipv6_address on interface has conflicting ND (Neighbor Discovery) settingsExplanation Another router on the link sent router advertisements with conflicting parameters.
•
•
Recommended Action Verify that all IPv6 routers on the link have the same parameters in the router advertisement for hop_limit, managed_config_flag, other_config_flag, reachable_time and ns_interval, and that preferred and valid lifetimes for the same prefix, advertised by several routers, are the same. To list the parameters per interface, enter the show ipv6 interface command.
325002
Error Message %ASA-4-325002: Duplicate address ipv6_address/MAC_address on interfaceExplanation Another system is using your IPv6 address.
•
•
•
Recommended Action Change the IPv6 address of one of the two systems.
325004
Error Message %ASA-4-325004: IPv6 Extension Header hdr_type action configuration. protocol from src_int:src_ipv6_addr/src_port to dst_interface: dst_ipv6_addr/dst_port.Explanation A user has configured one or multiple actions over the specified IPv6 header extension.
•
ah—Configured action over the AH extension header
count—Configured action over the number of extension headers
destination-option—Configured action over the destination option extension header
esp—Configured action over the ESP extension header
fragment—Configured action over the fragment extension header
hop-by-hop—Configured action over the hop-by-hop extension header
routing-address count—Configured action over the number of addresses in the routing extension header
routing-type—Configured action over the routing type extension header
•
denied—The packet is denied.
denied/logged—The packet is denied and logged.
logged—The packet is logged.
Recommended Action If the configured action is not expected, under the policy-map command, check the action in the match header extension_header_type command and the parameters command, and make the correct changes. For example:
hostname (config)# policy-map type inspect ipv6 pnamehostname (config-pmap)# parametershostname (config-pmap-p)# no match header extension_header_type ! to remove the configurationhostname (config-pmap-p)# no drop ! so packets with the specified extension_header_type are not droppedhostname (config-pmap-p)# no log ! so packets with the specified extension_header_type are not loggedhostname (config-pmap-p)# no drop log ! so packets with the specified extension_header_type are not dropped or logged325005
Error Message %ASA-4-325005: Invalid IPv6 Extension Header Content: string. detail regarding protocol, ingress and egress interfaceExplanation An IPv6 packet with a bad extension header has been detected.
•
- wrong extension header order
- duplicate extension header
- routing extension header
Recommended Action Configure the capture command to record the dropped packet, then analyze the cause of the dropped packet. If the validity check of the IPv6 extension header can be ignored, disable the validity check in the IPv6 policy map by entering the following commands:
hostname (config)# policy-map type inspect ipv6 policy_namehostname (config-pmap)# parametershostname (config-pmap-p)# no verify-header type325006
Error Message %ASA-4-325006: IPv6 Extension Header not in order: Type hdr_type occurs after Type hdr_type. TCP prot from inside src_int: src_ipv6_addr/src_port to dst_interface:dst_ipv6_addr/dst_portExplanation An IPv6 packet with out-of-order extension headers has been detected.
Recommended Action Configure the capture command to record the dropped packet, then analyze the extension header order of the dropped packet. If out-of-order header extensions are allowed, disable the out-of-order check in the IPv6 type policy map by entering the following commands:
hostname (config)# policy-map type inspect ipv6 policy_namehostname (config-pmap)# parametershostname (config-pmap-p)# no verify-header order326001
Error Message %ASA-3-326001: Unexpected error in the timer library: error_messageExplanation A managed timer event was received without a context or a correct type, or no handler exists. Alternatively, if the number of events queued exceeds a system limit, an attempt to process them will occur at a later time.
Recommended Action If the problem persists, contact the Cisco TAC.
326002
Error Message %ASA-3-326002: Error in error_message: error_messageExplanation The IGMP process failed to shut down upon request. Events that are performed in preparation for this shutdown may be out-of-sync.
Recommended Action If the problem persists, contact the Cisco TAC.
326004
Error Message %ASA-3-326004: An internal error occurred while processing a packet queueExplanation The IGMP packet queue received a signal without a packet.
Recommended Action If the problem persists, contact the Cisco TAC.
326005
Error Message %ASA-3-326005: Mrib notification failed for (IP_address, IP_address)Explanation A packet triggering a data-driven event was received, and the attempt to notify the MRIB failed.
Recommended Action If the problem persists, contact the Cisco TAC.
326006
Error Message %ASA-3-326006: Entry-creation failed for (IP_address, IP_address)Explanation The MFIB received an entry update from the MRIB, but failed to create the entry related to the addresses displayed. The probable cause is insufficient memory.
Recommended Action If the problem persists, contact the Cisco TAC.
326007
Error Message %ASA-3-326007: Entry-update failed for (IP_address, IP_address)Explanation The MFIB received an interface update from the MRIB, but failed to create the interface related to the addresses displayed. The probable cause is insufficient memory.
Recommended Action If the problem persists, contact the Cisco TAC.
326008
Error Message %ASA-3-326008: MRIB registration failedExplanation The MFIB failed to register with the MRIB.
Recommended Action If the problem persists, contact the Cisco TAC.
326009
Error Message %ASA-3-326009: MRIB connection-open failedExplanation The MFIB failed to open a connection to the MRIB.
Recommended Action If the problem persists, contact the Cisco TAC.
326010
Error Message %ASA-3-326010: MRIB unbind failedExplanation The MFIB failed to unbind from the MRIB.
Recommended Action If the problem persists, contact the Cisco TAC.
326011
Error Message %ASA-3-326011: MRIB table deletion failedExplanation The MFIB failed to retrieve the table that was supposed to be deleted.
Recommended Action If the problem persists, contact the Cisco TAC.
326012
Error Message %ASA-3-326012: Initialization of string functionality failedExplanation The initialization of a specified functionality failed. This component might still operate without the functionality.
Recommended Action If the problem persists, contact the Cisco TAC.
326013
Error Message %ASA-3-326013: Internal error: string in string line %d (%s)Explanation A fundamental error occurred in the MRIB.
Recommended Action If the problem persists, contact the Cisco TAC.
326014
Error Message %ASA-3-326014: Initialization failed: error_message error_messageExplanation The MRIB failed to initialize.
Recommended Action If the problem persists, contact the Cisco TAC.
326015
Error Message %ASA-3-326015: Communication error: error_message error_messageExplanation The MRIB received a malformed update.
Recommended Action If the problem persists, contact the Cisco TAC.
326016
Error Message %ASA-3-326016: Failed to set un-numbered interface for interface_name (string)Explanation The PIM tunnel is not usable without a source address. This situation occurs because a numbered interface cannot be found, or because of an internal error.
Recommended Action If the problem persists, contact the Cisco TAC.
326017
Error Message %ASA-3-326017: Interface Manager error - string in string: stringExplanation An error occurred while creating a PIM tunnel interface.
Recommended Action If the problem persists, contact the Cisco TAC.
326019
Error Message %ASA-3-326019: string in string: stringExplanation An error occurred while creating a PIM RP tunnel interface.
Recommended Action If the problem persists, contact the Cisco TAC.
326020
Error Message %ASA-3-326020: List error in string: stringExplanation An error occurred while processing a PIM interface list.
Recommended Action If the problem persists, contact the Cisco TAC.
326021
Error Message %ASA-3-326021: Error in string: stringExplanation An error occurred while setting the SRC of a PIM tunnel interface.
Recommended Action If the problem persists, contact the Cisco TAC.
326022
Error Message %ASA-3-326022: Error in string: stringExplanation The PIM process failed to shut down upon request. Events that are performed in preparation for this shutdown may be out-of-sync.
Recommended Action If the problem persists, contact the Cisco TAC.
326023
Error Message %ASA-3-326023: string - IP_address: stringExplanation An error occurred while processing a PIM group range.
Recommended Action If the problem persists, contact the Cisco TAC.
326024
Error Message %ASA-3-326024: An internal error occurred while processing a packet queue.Explanation The PIM packet queue received a signal without a packet.
Recommended Action If the problem persists, contact the Cisco TAC.
326025
Error Message %ASA-3-326025: stringExplanation An internal error occurred while trying to send a message. Events scheduled to occur on the receipt of a message, such as deletion of the PIM tunnel IDB, may not occur.
Recommended Action If the problem persists, contact the Cisco TAC.
326026
Error Message %ASA-3-326026: Server unexpected error: error_messageExplanation The MRIB failed to register a client.
Recommended Action If the problem persists, contact the Cisco TAC.
326027
Error Message %ASA-3-326027: Corrupted update: error_messageExplanation The MRIB received a corrupt update.
Recommended Action If the problem persists, contact the Cisco TAC.
326028
Error Message %ASA-3-326028: Asynchronous error: error_messageExplanation An unhandled asynchronous error occurred in the MRIB API.
Recommended Action If the problem persists, contact the Cisco TAC.
327001
Error Message %ASA-3-327001: IP SLA Monitor: Cannot create a new processExplanation The IP SLA monitor was unable to start a new process.
Recommended Action Check the system memory. If memory is low, then this is probably the cause. Try to reenter the commands when memory is available. If the problem persists, contact the Cisco TAC.
327002
Error Message %ASA-3-327002: IP SLA Monitor: Failed to initialize, IP SLA Monitor functionality will not workExplanation The IP SLA monitor failed to initialize. This condition is caused by either the timer wheel function failing to initialize or a process not being created. Sufficient memory is probably not available to complete the task.
Recommended Action Check the system memory. If memory is low, then this is probably the cause. Try to reenter the commands when memory is available. If the problem persists, contact the Cisco TAC.
327003
Error Message %ASA-3-327003: IP SLA Monitor: Generic Timer wheel timer functionality failed to initializeExplanation The IP SLA monitor cannot initialize the timer wheel.
Recommended Action Check the system memory. If memory is low, then the timer wheel function did not initialize. Try to reenter the commands when memory is available. If the problem persists, contact the Cisco TAC.
328001
Error Message %ASA-3-328001: Attempt made to overwrite a set stub function in string.Explanation A single function can be set as a callback for when a stub with a check registry is invoked. An attempt to set a new callback failed because a callback function has already been set.
•
Recommended Action If the problem persists, contact the Cisco TAC.
329001
Error Message %ASA-3-329001: The string0 subblock named string1 was not removedExplanation A software error has occurred. IDB subblocks cannot be removed.
•
•
Recommended Action If the problem persists, contact the Cisco TAC.
331001
Error Message ASA-3-331001: Dynamic DNS Update for 'fqdn_name' = ip_address failedExplanation The dynamic DNS subsystem failed to update the resource records on the DNS server. This failure might occur if the ASA is unable to contact the DNS server or the DNS service is not running on the destination system.
•
•
Recommended Action Make sure that a DNS server is configured and reachable by the ASA. If the problem persists, contact the Cisco TAC.
331002
Error Message ASA-5-331002: Dynamic DNS type RR for ('fqdn_name' - ip_address | ip_address - 'fqdn_name') successfully updated in DNS server dns_server_ipExplanation A dynamic DNS update succeeded in the DNS server.
•
•
•
•
Recommended Action None required.
332001
Error Message %ASA-3-332001: Unable to open cache discovery socket, WCCP V2 closing down.Explanation An internal error that indicates the WCCP process was unable to open the UDP socket used to listen for protocol messages from caches.
Recommended Action Ensure that the IP configuration is correct and that at least one IP address has been configured.
332002
Error Message %ASA-3-332002: Unable to allocate message buffer, WCCP V2 closing down.Explanation An internal error that indicates the WCCP process was unable to allocate memory to hold incoming protocol messages.
Recommended Action Ensure that enough memory is available for all processes.
332003
Error Message %ASA-5-332003: Web Cache IP_address/service_ID acquiredExplanation A service from the web cache of the ASA was acquired.
•
•
Recommended Action None required.
332004
Error Message %ASA-1-332004: Web Cache IP_address/service_ID lostExplanation A service from the web cache of the ASA was lost.
•
•
Recommended Action Verify operation of the specified web cache.
333001
Error Message %ASA-6-333001: EAP association initiated - context: EAP-contextExplanation An EAP association has been initiated with a remote host.
•
Recommended Action None required.
333002
Error Message %ASA-5-333002: Timeout waiting for EAP response - context:EAP-contextExplanation A timeout occurred while waiting for an EAP response.
•
Recommended Action None required.
333003
Error Message %ASA-6-333003: EAP association terminated - context:EAP-contextExplanation The EAP association has been terminated with the remote host.
•
Recommended Action None required.
333004
Error Message %ASA-7-333004: EAP-SQ response invalid - context:EAP-contextExplanation The EAP-Status Query response failed basic packet validation.
•
Recommended Action If the problem persists, contact the Cisco TAC.
333005
Error Message %ASA-7-333005: EAP-SQ response contains invalid TLV(s) - context:EAP-contextExplanation The EAP-Status Query response has one or more invalid TLVs.
•
Recommended Action If the problem persists, contact the Cisco TAC.
333006
Error Message %ASA-7-333006: EAP-SQ response with missing TLV(s) - context:EAP-contextExplanation The EAP-Status Query response is missing one or more mandatory TLVs.
•
Recommended Action If the problem persists, contact the Cisco TAC.
333007
Error Message %ASA-7-333007: EAP-SQ response TLV has invalid length - context:EAP-contextExplanation The EAP-Status Query response includes a TLV with an invalid length.
•
Recommended Action If the problem persists, contact the Cisco TAC.
333008
Error Message %ASA-7-333008: EAP-SQ response has invalid nonce TLV - context:EAP-contextExplanation The EAP-Status Query response includes an invalid nonce TLV.
•
Recommended Action If the problem persists, contact the Cisco TAC.
333009
Error Message %ASA-6-333009: EAP-SQ response MAC TLV is invalid - context:EAP-contextExplanation The EAP-Status Query response includes a MAC that does not match the calculated MAC.
•
Recommended Action If the problem persists, contact the Cisco TAC.
333010
Error Message %ASA-5-333010: EAP-SQ response Validation Flags TLV indicates PV request - context:EAP-contextExplanation The EAP-Status Query response includes a validation flags TLV, which indicates that the peer requested a full posture validation.
Recommended Action None required.
334001
Error Message %ASA-6-334001: EAPoUDP association initiated - host-addressExplanation An EAPoUDP association has been initiated with a remote host.
•
Recommended Action None required.
334002
Error Message %ASA-5-334002: EAPoUDP association successfully established - host-addressExplanation An EAPoUDP association has been successfully established with the host.
•
Recommended Action None required.
334003
Error Message %ASA-5-334003: EAPoUDP association failed to establish - host-addressExplanation An EAPoUDP association has failed to establish with the host.
•
Recommended Action Verify the configuration of the Cisco Secure Access Control Server.
334004
Error Message %ASA-6-334004: Authentication request for NAC Clientless host - host-addressExplanation An authentication request was made for a NAC clientless host.
•
Recommended Action None required.
334005
Error Message %ASA-5-334005: Host put into NAC Hold state - host-addressExplanation The NAC session for the host was put into the Hold state.
•
Recommended Action None required.
334006
Error Message %ASA-5-334006: EAPoUDP failed to get a response from host - host-addressExplanation An EAPoUDP response was not received from the host.
•
Recommended Action None required.
334007
Error Message %ASA-6-334007: EAPoUDP association terminated - host-addressExplanation An EAPoUDP association has terminated with the host.
•
Recommended Action None required.
334008
Error Message %ASA-6-334008: NAC EAP association initiated - host-address, EAP context: EAP-contextExplanation EAPoUDP has initiated EAP with the host.
•
•
Recommended Action None required.
334009
Error Message %ASA-6-334009: Audit request for NAC Clientless host - Assigned_IP.Explanation An audit request is being sent for the specified assigned IP address.
•
Recommended Action None required.
335001
Error Message %ASA-6-335001: NAC session initialized - host-addressExplanation A NAC session has started for a remote host.
•
Recommended Action None required.
335002
Error Message %ASA-5-335002: Host is on the NAC Exception List - host-address, OS: oper-sysExplanation The client is on the NAC Exception List and is therefore not subject to posture validation.
•
•
Recommended Action None required.
335003
Error Message %ASA-5-335003: NAC Default ACL applied, ACL:ACL-name - host-addressExplanation The NAC default ACL has been applied for the client.
•
•
Recommended Action None required.
335004
Error Message %ASA-6-335004: NAC is disabled for host - host-addressExplanation NAC is disabled for the remote host.
•
Recommended Action None required.
335004
Error Message %ASA-6-335004: NAC is disabled for host - host-addressExplanation NAC is disabled for the remote host.
•
Recommended Action None required.
335005
Error Message %ASA-4-335005: NAC Downloaded ACL parse failure - host-addressExplanation Parsing of a downloaded ACL failed.
•
Recommended Action Verify the configuration of the Cisco Secure Access Control Server.
335006
Error Message %ASA-6-335006: NAC Applying ACL: ACL-name - host-addressExplanation The name of the ACL that is being applied as a result of NAC posture validation.
•
•
Recommended Action None required.
335007
Error Message %ASA-7-335007: NAC Default ACL not configured - host-addressExplanation A NAC default ACL has not been configured.
•
Recommended Action None required.
335008
Error Message %ASA-5-335008: NAC IPsec terminate from dynamic ACL: ACL-name - host-addressExplanation A dynamic ACL obtained as a result of PV requires IPsec termination.
•
•
Recommended Action None required.
335009
Error Message %ASA-6-335009: NAC Revalidate request by administrative action - host-addressExplanation A NAC Revalidate action was requested by the administrator.
•
Recommended Action None required.
335010
Error Message %ASA-6-335010: NAC Revalidate All request by administrative action - num sessionsExplanation A NAC Revalidate All action was requested by the administrator.
•
Recommended Action None required.
335011
Error Message %ASA-6-335011: NAC Revalidate Group request by administrative action for group-name group - num sessionsExplanation A NAC Revalidate Group action was requested by the administrator.
•
•
Recommended Action None required.
335012
Error Message %ASA-6-335012: NAC Initialize request by administrative action - host-addressExplanation A NAC Initialize action was requested by the administrator.
•
Recommended Action None required.
335013
Error Message %ASA-6-335013: NAC Initialize All request by administrative action - num sessionsExplanation A NAC Initialize All action was requested by the administrator.
•
Recommended Action None required.
335014
Error Message %ASA-6-335014: NAC Initialize Group request by administrative action for group-name group - num sessionsExplanation A NAC Initialize Group action was requested by the administrator.
•
•
Recommended Action None required.
336001
Error Message %ASA-3-336001 Route desination_network stuck-in-active state in EIGRP-ddb_name as_num. Cleaning upExplanation The SIA state means that an EIGRP router has not received a reply to a query from one or more neighbors within the time allotted (approximately three minutes). When this happens, EIGRP clears the neighbors that did not send a reply and logs an error message for the route that became active.
•
•
•
Recommended Action Check to see why the router did not get a response from all of its neighbors and why the route disappeared.
336002
Error Message %ASA-3-336002: Handle handle_id is not allocated in pool.Explanation The EIGRP router is unable to find the handle for the next hop.
•
Recommended Action If the problem persists, contact the Cisco TAC.
336003
Error Message %ASA-3-336003: No buffers available for bytes byte packetExplanation The DUAL software was unable to allocate a packet buffer. The ASA may be out of memory.
•
Recommended Action Check to see if the ASA is out of memory by entering the show mem or show tech command. If the problem persists, contact the Cisco TAC.
336004
Error Message %ASA-3-336004: Negative refcount in pakdesc pakdesc.Explanation The reference count packet count became negative.
•
Recommended Action If the problem persists, contact the Cisco TAC.
336005
Error Message %ASA-3-336005: Flow control error, error, on interface_name.Explanation The interface is flow blocked for multicast. Qelm is the queue element, and in this case, the last multicast packet on the queue for this particular interface.
•
•
Recommended Action If the problem persists, contact the Cisco TAC.
336006
Error Message %ASA-3-336006: num peers exist on IIDB interface_name.Explanation Peers still exist on a particular interface during or after cleanup of the IDB of the EIGRP.
•
•
Recommended Action If the problem persists, contact the Cisco TAC.
336007
Error Message %ASA-3-336007: Anchor count negativeExplanation An error occurred and the count of the anchor became negative when it was released.
Recommended Action If the problem persists, contact the Cisco TAC.
336008
Error Message %ASA-3-336008: Lingering DRDB deleting IIDB, dest network, nexthop address (interface), origin origin_strExplanation An interface is being deleted and some lingering DRDB exists.
•
•
•
•
Recommended Action If the problem persists, contact the Cisco TAC.
336009
Error Message %ASA-3-336009 ddb_name as_id: Internal ErrorExplanation An internal error occurred.
•
•
Recommended Action If the problem persists, contact the Cisco TAC.
336010
Error Message %ASA-5-336010 EIGRP-ddb_name tableid as_id: Neighbor address (%interface) is event_msg: msgExplanation A neighbor went up or down.
•
•
•
•
•
•
•
- resync: peer graceful-restart
- down: holding timer expired
- up: new adjacency
- down: Auth failure
- down: Stuck in Active
- down: Interface PEER-TERMINATION received
- down: K-value mismatch
- down: Peer Termination received
- down: stuck in INIT state
- down: peer info changed
- down: summary configured
- down: Max hopcount changed
- down: metric changed
- down: [No reason]
Recommended Action Check to see why the link on the neighbor is going down or is flapping. This may be a sign of a problem, or a problem may occur because of this.
336011
Error Message %ASA-6-336011: event eventExplanation A dual event occurred. The events can be one of the following:
•
•
Recommended Action If the problem persists, contact the Cisco TAC.
337001
Error Message %ASA-3-337001: Phone Proxy SRTP: Encryption failed on packet from in_ifc:src_ip/src_port to out_ifc:dest_ip/dest_portExplanation The crypto hardware was unable to do SRTP encryption.
•
•
•
•
•
Recommended Action If this message persists, call the Cisco TAC to debug the crypto hardware to determine why SRTP encryption is failing.
337002
Error Message %ASA-3-337002: Phone Proxy SRTP: Decryption failed on packet from in_ifc:src_ip/src_port to out_ifc:dest_ip/dest_portExplanation The crypto hardware was unable to do SRTP decryption.
•
•
•
•
•
Recommended Action If this message persists, call the Cisco TAC to debug the crypto hardware to determine why SRTP decryption is failing.
337003
Error Message %ASA-3-337003: Phone Proxy SRTP: Authentication tag generation failed on packet from in_ifc:src_ip/src_port to out_ifc:dest_ip/dest_portExplanation The authentication tag generation failed in the crypto hardware.
•
•
•
•
•
Recommended Action If this message persists, call the Cisco TAC to debug the crypto hardware to determine why SRTP generation of the authentication tag is failing.
337004
Error Message %ASA-3-337004: Phone Proxy SRTP: Authentication tag validation failed on packet from in_ifc:src_ip/src_port to out_ifc:dest_ip/dest_portExplanation The computed authentication tag is not the same as the authentication tag in the packet.
•
•
•
•
•
Recommended Action Check to see whether an attack is underway.
337005
Error Message %ASA-4-337005: Phone Proxy SRTP: Media session not found for media_term_ip/media_term_port for packet from in_ifc:src_ip/src_port to out_ifc:dest_ip/dest_portExplanation The ASA received an SRTP or RTP packet that was destined to go to the media termination IP address and port, but the corresponding media session to process this packet was not found.
•
•
•
•
•
•
Recommended Action If this message occurs at the end of the call, it is considered normal because the signaling messages may have released the media session, but the endpoint is continuing to send a few SRTP or RTP packets. If this message occurs for an odd-numbered media termination port, the endpoint is sending RTCP, which must be disabled from the CUCM. If this message happens continuously for a call, debug the signaling message transaction either using phone proxy debug commands or capture commands to determine if the signaling messages are being modified with the media termination IP address and port.
337006
Error Message %ASA-3-337006: Phone Proxy SRTP: Failed to sign file filename requested by UDP client cifc:caddr/cport for sifc:saddr/sportExplanation The crypto hardware was unable to perform encryption and create a signature for a file.
•
•
•
•
•
•
•
Recommended Action If this message persists, check associated messages for other errors related to the crypto hardware engine.
337007
Error Message %ASA-3-337007: Phone Proxy SRTP: Failed to find configuration file filename for UDP client cifc:caddr/cport by server sifc:saddr/sportExplanation The CUCM returns the File Not Found error when a phone requests its configuration file.
•
•
•
•
•
•
•
Recommended Action Check to make sure that this phone has been configured on the CUCM.
337008
Error Message %ASA-3-337008: Phone Proxy: Unable to allocate media port from media-termination address phone_proxy_ifc:media_term_IP for client_ifc:client_IP/client_port; call failed.Explanation The ASA cannot find a port to allocate for media when creating a new media session. This message may occur because the user has not provided a large enough range of ports for phone proxy use, which is determined in the media-termination address command, or that all available ports are already being used.
•
•
•
•
•
•
Recommended Action Check the phone-proxy configuration to see the range of media ports specified and allocate a larger range of media ports if the range was too small, provided the security policy allows it. The default port range is 16384-32767.
337009
Error Message %ASA-3-337009: Unable to create secure phone entry, interface:IPaddr is already configured for the same MAC mac_addr.Explanation You tried to register the same secure phone with a different IP address. Because an entry for the MAC address with the old IP address was already made, you cannot have multiple entries with the same MAC address and different IP addresses.
•
•
•
Recommended Action Check the output of the show phone-proxy secure-phones command. Use the clear command to clear the entry that is causing the issue, then register the phone with the new IP address.
338001
Error Message %ASA-4-338001: Dynamic filter monitored blacklisted protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious address resolved from local or dynamic list: domain name, threat-level: level_value, category: category_nameExplanation Traffic from a blacklisted domain in the dynamic filter database has appeared. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).
Recommended Action Access to a malicious site has been logged. Use the internal IP address to trace the infected machine, or enter the dynamic-filter drop blacklist command to automatically drop such traffic.
338002
Error Message %ASA-4-338002: Dynamic filter monitored blacklisted protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination malicious address resolved from local or dynamic list: domain name, threat-level: level_value, category: category_nameExplanation Traffic to a blacklisted domain name in the dynamic filter database has appeared. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).
Recommended Action Access to a malicious site has been logged. Use the internal IP address to trace the infected machine, or enter the dynamic-filter drop blacklist command to automatically drop such traffic.
338003
Error Message %ASA-4-338003: Dynamic filter monitored blacklisted protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious address resolved from local or dynamic list: ip address/netmask, threat-level: level_value, category: category_nameExplanation Traffic from a blacklisted IP address in the dynamic filter database has appeared. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).
Recommended Action Access to a malicious site has been logged. Use the internal IP address to trace the infected machine, or enter the dynamic-filter drop blacklist command to automatically drop such traffic.
338004
Error Message %ASA-4-338004: Dynamic filter monitored blacklisted protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination malicious address resolved from local or dynamic list: ip address/netmask, threat-level: level_value, category: category_nameExplanation Traffic to a blacklisted IP address in the dynamic filter database has appeared. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).
Recommended Action Access to a malicious site has been logged. Use the internal IP address to trace the infected machine, or enter the dynamic-filter drop blacklist command to automatically drop such traffic.
338005
Error Message %ASA-4-338005: Dynamic filter dropped blacklisted protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), source malicious address resolved from local or dynamic list: domain name, threat-level: level_value, category: category_nameExplanation Traffic from a black-listed domain name in the dynamic filter database was denied. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).
Recommended Action None required.
338006
Error Message %ASA-4-338006: Dynamic filter dropped blacklisted protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination malicious address resolved from local or dynamic list: domain name, threat-level: level_value, category: category_nameExplanation Traffic to a blacklisted domain name in the dynamic filter database was denied. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).
Recommended Action None required.
338007
Error Message %ASA-4-338007: Dynamic filter dropped blacklisted protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), source malicious address resolved from local or dynamic list: ip address/netmask, threat-level: level_value, category: category_nameExplanation Traffic from a blacklisted IP address in the dynamic filter database was denied. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).
Recommended Action None required.
338008
Error Message %ASA-4-338008: Dynamic filter dropped blacklisted protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination malicious address resolved from local or dynamic list: ip address/netmask, threat-level: level_value, category: category_nameExplanation Traffic to a blacklisted IP address in the dynamic filter database was denied. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).
Recommended Action None required.
338101
Error Message %ASA-4-338101: Dynamic filter action whitelisted protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious address resolved from local or dynamic list: domain nameExplanation Traffic from a whitelisted domain in the dynamic filter database has appeared.
Recommended Action None required.
338102
Error Message %ASA-4-338102: Dynamic filter action whitelisted protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination malicious address resolved from local or dynamic list: domain nameExplanation Traffic to a whitelisted domain name in the dynamic filter database has appeared.
Recommended Action None required.
338103
Error Message %ASA-4-338103: Dynamic filter action whitelisted protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious address resolved from local or dynamic list: ip address/netmaskExplanation Traffic from a whitelisted IP address in the dynamic filter database has appeared.
Recommended Action None required.
338104
Error Message %ASA-4-338104: Dynamic filter action whitelisted protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination malicious address resolved from local or dynamic list: ip address/netmaskExplanation Traffic to a whitelisted IP address in the dynamic filter database has appeared.
Recommended Action None required.
338201
Error Message %ASA-4-338201: Dynamic filter monitored greylisted protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious address resolved from local or dynamic list: domain name, threat-level: level_value, category: category_nameExplanation Traffic from a greylisted domain in the dynamic filter database has appeared. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).
Recommended Action Access to a malicious site has been logged. Use the internal IP address to trace the infected machine, or enter the dynamic-filter drop blacklist command and the dynamic-filter ambiguous-is-black command to automatically drop such traffic.
338202
Error Message %ASA-4-338202: Dynamic filter monitored greylisted protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination malicious address resolved from local or dynamic list: domain name, threat-level: level_value, category: category_nameExplanation Traffic to a greylisted domain name in the dynamic filter database has appeared. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).
Recommended Action Access to a malicious site has been logged. Use the internal IP address to trace the infected machine, or enter the dynamic-filter drop blacklist command and the dynamic-filter ambiguous-is-black command to automatically drop such traffic.
338203
Error Message %ASA-4-338203: Dynamic filter dropped greylisted protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), source malicious address resolved from local or dynamic list: domain name, threat-level: level_value, category: category_nameExplanation Traffic from a greylisted domain name in the dynamic filter database was denied; however, the malicious IP address was also resolved to domain names that are unknown to the dynamic filter database. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).
Recommended Action Access to a malicious site was dropped. If you do not want to automatically drop greylisted traffic whose IP address matches both blacklisted domain names and unknown domain names, disable the dynamic-filter ambiguous-is-black command.
338204
Error Message %ASA-4-338204: Dynamic filter dropped greylisted protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination malicious address resolved from local or dynamic list: domain name, threat-level: level_value, category: category_nameExplanation Traffic to a greylisted domain name in the dynamic filter database was denied; however, the malicious IP address was also resolved to domain names that are unknown to the dynamic filter database. The threat level is a string that shows one of the following values: none, very-low, low, moderate, high, and very-high. The category is a string that shows the reason why a domain name is blacklisted (for example, botnet, Trojan, and spyware).
Recommended Action Access to a malicious site was dropped. If you do not want to automatically drop greylisted traffic whose IP address matches both blacklisted domain names and unknown domain names, disable the dynamic-filter ambiguous-is-black command.
338301
Error Message %ASA-4-338301: Intercepted DNS reply for domain name from in_interface:src_ip_addr/src_port to out_interface:dest_ip_addr/dest_port, matched listExplanation A DNS reply that was present in an administrator whitelist, blacklist, or IronPort list was intercepted.
•
•
Recommended Action None required.
338302
Error Message %ASA-5-338302: Address ipaddr discovered for domain name from list, Adding ruleExplanation An IP address that was discovered from a DNS reply to the dynamic filter rule table was added.
•
•
•
Recommended Action None required.
338303
Error Message %ASA-5-338303: Address ipaddr (name) timed out, Removing ruleExplanation An IP address that was discovered from the dynamic filter rule table was removed.
•
•
Recommended Action None required.
338304
Error Message %ASA-6-338304: Successfully downloaded dynamic filter data file from updater server urlExplanation A new version of the data file has been downloaded.
•
Recommended Action None required.
338305
Error Message %ASA-3-338305: Failed to download dynamic filter data file from updater server urlExplanation The dynamic filter database has failed to download.
•
Recommended Action Make sure that you have a DNS configuration on the ASA so that the updater server URL can be resolved. If you cannot ping the server from the ASA, check with your network administrator for the correct network connection and routing configuration. If you are still having problems, contact the Cisco TAC.
338306
Error Message %ASA-3-338306: Failed to authenticate with dynamic filter updater server urlExplanation The ASA failed to authenticate with the dynamic filter updater server.
•
Recommended Action Contact the Cisco TAC.
338307
Error Message %ASA-3-338307: Failed to decrypt downloaded dynamic filter database fileExplanation The downloaded dynamic filter database file failed to decrypt.
Recommended Action Contact the Cisco TAC.
338308
Error Message %ASA-5-338308: Dynamic filter updater server dynamically changed from old_server_host: old_server_port to new_server_host: new_server_portExplanation The ASA was directed to a new updater server host or port.
•
•
Recommended Action None required.
338309
Error Message %ASA-3-338309: The license on this ASA does not support dynamic filter updater feature.Explanation The dynamic filter updater is a licensed feature; however, the license on the ASA does not support this feature.
Recommended Action None required.
338310
Error Message %ASA-3-338310: Failed to update from dynamic filter updater server url, reason: reason stringExplanation The ASA failed to receive an update from the dynamic filter updater server.
•
•
- Failed to connect to updater server
- Received invalid server response
- Received invalid server manifest
- Error in stored update file information
- Script error
- Function call error
- Out of memory
Recommended Action Check the network connection to the server. Try to ping the server URL, which is shown in the output of the show dynamic-filter updater-client command. Make sure that the port is allowed through your network. If the network connection is not the problem, contact your network administrator.
339001
Error Message %ASA-3-339001: UC-IME-SIG: Ticket not found in SIP %s from %s:%A/%d to %s:%A/%d, packet droppedExplanation For UC-IME SIP signaling, all dialog-forming SIP messages received from the outside must include the X-Cisco-ViPR-Ticket header. If this header is missing from the message, the message will be dropped during SIP inspection. This header is only required when an existing SIP session (as determined by current SIP inspection rules) cannot be found for the message being inspected.
•
•
•
•
•
•
•
Recommended Action Check to see if UC-IME calls are being spoofed.
339002
Error Message %ASA-3-339002: UC-IME-SIG: Invalid ticket in SIP %s from %s:%A/%d to %s:%A/%d, packet dropped, %sExplanation When UC-IME ticket inspection and validation are performed, several data checks for timestamp validity and epoch matching, among others, are performed. If any of these checks fail, the SIP message or packet will be dropped.
•
•
•
•
•
•
•
•
Recommended Action Check to see if UC-IME calls are being spoofed. Turn on UC-IME debug tracing to obtain more details about the error condition.
339003
Error Message %ASA-3-339003: UC-IME-SIG: Non-dialog forming SIP %s received from %s:%A/%d to %s:%A/%d, packet droppedExplanation When a SIP message is inspected by the UC-IME feature, checks are performed to see if the message belongs to an existing SIP session. In a non-UC-IME scenario, a SIP request received will create a SIP session (if permitted by a configured policy). However, for the UC-IME feature, nondialog-creating SIP messages are not permitted to create a SIP session in the ASA and are dropped.
•
•
•
•
•
•
•
Recommended Action Check to see if UC-IME calls are being spoofed.
339004
Error Message %ASA-3-339004: UC-IME-SIG: Dropping SIP %s received from %s:%A/%d to %s:%A/%d, route header validation failed, %sExplanation When an outbound SIP message is inspected by the UC-IME feature, the domain name included in the SIP route header is compared to the TLS certificate domain name. This comparison allows the UC-IME feature on the ASA to determine whether or not the SIP message is actually terminating at the intended enterprise. If a mismatch occurs, it implies that the remote end is not serving that domain, and the SIP session should be terminated.
•
•
•
•
•
•
•
•
Recommended Action Check to see if the remote enterprise is attempting to hijack UC-IME calls.
339005
Error Message %ASA-3-339005: UC-IME-SIG: Message received from %s:%A/%d to %s:%A/%d does not contain SRTP, message droppedExplanation For UC-IME SIP signaling, SIP messages received that have media content from the outside need to be SRTP. If this content is not SRTP, the message will be dropped during SIP inspection.
•
•
•
•
•
•
Recommended Action None required.
339006
Error Message %ASA-3-339006: UC-IME-Offpath: Failed to map remote UCM address %A:%d on %s interface, request from local UCM %A:%d on %s interface, reason %sExplanation For the UC-IME mapping service to work correctly, a correct configuration of global NAT must be in place. If a misconfiguration is detected, a message will be generated to inform the administrator. At the same time, all requests from UCM clients must conform to the mapping service stun message format. All nonconforming requests will be dropped silently, and a message will be generated to notify the administrator about this occurrence.
•
•
•
•
•
•
•
Recommended Action Check to see if the UC-IME Offpath and the UCM Offpath are configured correctly.
339007
Error Message %ASA-6-339007: UC-IME-Offpath: Mapped address %A:%d on %s interface for remote UCM %A:%d on %s interface, request from local UCM %A:%d on %s interfaceExplanation UC-IME mapping service calls are tracked based on the mapping service client (UCM) address (IP:port) and remote UCM address (IP:port). The administrator may use this information to help debug an offpath UC-IME call.
•
•
•
•
•
•
•
•
•
Recommended Action None required.
339008
Error Message %ASA-6-339008: UC-IME-Media: Media session with Call-ID %s and Session-ID %s terminated. RTP monitoring parameters: Failover state: %s, Refer msgs sent: %d, Codec payload format: %s, RTP ptime (ms): %d, Max RBLR pct( x100): %d, Max ITE count in 8 secs: %d, Max BLS (ms): %d, Max span PDV (usec): %d, Min span PDV (usec): %d, Mov avg span PDV (usec): %d, Total ITE count: %d, Total sec count: %d, Concealed sec count: %d, Severely concealed sec count: %d, Max call interval (ms): %dExplanation UC-IME media session termination is tracked based on the Call ID or Session ID. This message is triggered at the end of a media session. The parameters returned by the RTP monitoring algorithm are included so that an administrator can adjust sensitivity parameters to improve the quality of service for a call.
•
- No error, for an active session
- No media at startup timer expired
- Error in received sequence numbering
- Both ITE and BLS thresholds exceeded
- BLS threshold exceeded within Burst Interval
- RBLR threshold exceeded within last 8 sec
- Combination (> 3/4 RBLR + > 3/4 BLS) failover
- No media since last received packet exceeded
- ITE threshold exceeded
•
- UNKNOWN
- G722
- PCMU
- PCMA
- iLBC
- iSAC
Recommended Action None required.
339009
Error Message %ASA-6-339009: UC-IME: Ticket Password changed. Please update the same on UC-IME server.Explanation The ASA administrator is allowed to change the ticket password without knowing the old password. This message is generated to ensure that the administrator is aware of this change. The message also serves as a reminder to the administrator that if the UC-IME password is changed on the ASA, it should also be changed on the UC-IME server for everything to function correctly.
Recommended Action Verify that the ticket password has been changed on the UC-IME server to match the value configured on the ASA.
340001
Error Message %ASA-3-340001: Loopback-proxy error: error_string context id context_id, context type = version/request_type/address_type client socket (internal)= client_address_internal/client_port_internal server socket (internal)= server_address_internal/server_port_internal server socket (external)= server_address_external/server_port_external remote socket (external)= remote_address_external/remote_port_externalExplanation Loopback proxy allows third-party applications running on the ASA to access the network. The loopback proxy encountered an error.
•
•
•
•
•
•
•
•
•
Recommended Action Copy the syslog message and contact the Cisco TAC.
340002
Error Message %ASA-6-340002: Loopback-proxy info: error_string context id context_id, context type = version/request_type/address_type client socket (internal)= client_address_internal/client_port_internal server socket (internal)= server_address_internal/server_port_internal server socket (external)= server_address_external/server_port_external remote socket (external)= remote_address_external/remote_port_externalExplanation Loopback proxy allows third-party applications running on the ASA to access the network. The loopback proxy generated debugging information for use in troubleshooting.
•
•
•
•
•
•
•
•
•
Recommended Action Copy the syslog message and contact the Cisco TAC.
Messages 400000 to 450001
This section includes messages from 400000 to 450001.
4000nn
Error Message %ASA-4-4000nn: IPS:number string from IP_address to IP_address on interface interface_nameExplanation Messages 400000 through 400051 are Cisco Intrusion Prevention Service signature messages.
Recommended Action See the Cisco Intrusion Prevention Service User Guide on Cisco.com.
Not all signature messages are supported by the ASA in this release. IPS messages all start with 4-4000nn and have the following format:
For example:
%ASA-4-400013 IPS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz%ASA-4-400032 IPS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface outsideTable 1-5 lists the supported signature messages.
401001
Error Message %ASA-4-401001: Shuns clearedExplanation The clear shun command was entered to remove existing shuns from memory. An institution to keep a record of shunning activity was allowed.
Recommended Action None required.
401002
Error Message %ASA-4-401002: Shun added: IP_address IP_address port portExplanation A shun command was entered, where the first IP address is the shunned host. The other addresses and ports are optional and are used to terminate the connection if available. An institution to keep a record of shunning activity was allowed.
Recommended Action None required.
401003
Error Message %ASA-4-401003: Shun deleted: IP_addressExplanation A single shunned host was removed from the shun database. An institution to keep a record of shunning activity was allowed.
Recommended Action None required.
401004
Error Message %ASA-4-401004: Shunned packet: IP_address = IP_address on interface interface_nameExplanation A packet was dropped because the host defined by IP SRC is a host in the shun database. A shunned host cannot pass traffic on the interface on which it is shunned. For example, an external host on the Internet can be shunned on the outside interface. A record of the activity of shunned hosts was provided. This message and message %ASA-4-401005 can be used to evaluate further risk concerning this host.
Recommended Action None required.
401005
Error Message %ASA-4-401005: Shun add failed: unable to allocate resources for IP_address IP_address port portExplanation The ASA is out of memory; a shun cannot be applied.
Recommended Action The Cisco IPS should continue to attempt to apply this rule. Try to reclaim memory and reapply a shun manually, or wait for the Cisco IPS to do this.
402114
Error Message %ASA-4-402114: IPSEC: Received an protocol packet (SPI=spi, sequence number=seq_num) from remote_IP to local_IP with an invalid SPI.•
•
•
•
•
•
Explanation An IPsec packet was received that specifies an SPI that does not exist in the SA database. This may be a temporary condition caused by slight differences in aging of SAs between the IPsec peers, or it may be because the local SAs have been cleared. It may also indicate incorrect packets sent by the IPsec peer, which may be part of an attack. This message is rate limited to no more than one message every five seconds.
Recommended Action The peer may not acknowledge that the local SAs have been cleared. If a new connection is established from the local router, the two peers may then reestablish connection successfully. Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer administrator.
402115
Error Message %ASA-4-402115: IPSEC: Received a packet from remote_IP to local_IP containing act_prot data instead of exp_prot data.Explanation An IPsec packet was received that is missing the expected ESP header. The peer is sending packets that do not match the negotiated security policy, which may indicate an attack. This message is rate limited to no more than one message every five seconds.
•
•
•
•
Recommended Action Contact the administrator of the peer.
402116
Error Message %ASA-4-402116: IPSEC: Received an protocol packet (SPI=spi, sequence number=seq_num) from remote_IP (username) to local_IP. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as pkt_daddr, its source as pkt_saddr, and its protocol as pkt_prot. The SA specifies its local proxy as id_daddr/id_dmask/id_dprot/id_dport and its remote proxy as id_saddr/id_smask/id_sprot/id_sport.Explanation A decapsulated IPsec packet does not match the negotiated identity. The peer is sending other traffic through this security association, which may be caused by a security association selection error by the peer, or it may be part of an attack. This message is rate limited to no more than one message every five seconds.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Recommended Action Contact the administrator of the peer and compare policy settings.
402117
Error Message %ASA-4-402117: IPSEC: Received a non-IPsec (protocol) packet from remote_IP to local_IP.Explanation The received packet matched the crypto map ACL, but it is not IPsec-encapsulated. The IPsec peer is sending unencapsulated packets. This error can occur because of a policy setup error on the peer. For example, the firewall may be configured to only accept encrypted Telnet traffic to the outside interface port 23. If you attempt to use Telnet without IPsec encryption to access the outside interface on port 23, this message appears, but not with Telnet or traffic to the outside interface on ports other than 23. This error can also indicate an attack. This message is not generated except under these conditions (for example, it is not generated for traffic to the ASA interfaces themselves). See messages 710001, 710002, and 710003, which track TCP and UDP requests. This message is rate limited to no more than one message every five seconds.
•
•
•
Recommended Action Contact the administrator of the peer to compare policy settings.
402118
Error Message %ASA-4-402118: IPSEC: Received an protocol packet (SPI=spi, sequence number seq_num) from remote_IP (username) to local_IP containing an illegal IP fragment of length frag_len with offset frag_offset.Explanation A decapsulatd IPsec packet included an IP fragment with an offset less than or equal to 128 bytes. The latest version of the security architecture for IP RFC recommends 128 bytes as the minimum IP fragment offset to prevent reassembly attacks. This may be part of an attack. This message is rate limited to no more than one message every five seconds.
•
•
•
•
•
•
•
•
Recommended Action Contact the administrator of the remote peer to compare policy settings.
402119
Error Message %ASA-4-402119: IPSEC: Received an protocol packet (SPI=spi, sequence number=seq_num) from remote_IP (username) to local_IP that failed anti-replay checking.Explanation An IPsec packet was received with an invalid sequence number. The peer is sending packets including sequence numbers that may have been previously used. This message indicates that an IPsec packet has been received with a sequence number outside of the acceptable window. This packet will be dropped by IPsec as part of a possible attack. This message is rate limited to no more than one message every five seconds.
•
•
•
•
•
•
Recommended Action Contact the administrator of the peer.
402120
Error Message %ASA-4-402120: IPSEC: Received an protocol packet (SPI=spi, sequence number=seq_num) from remote_IP (username) to local_IP that failed authentication.Explanation An IPsec packet was received and failed authentication. The packet is dropped. The packet may have been corrupted in transit, or the peer may be sending invalid IPsec packets, which may indicate an attack if many of these packets were received from the same peer. This message is rate limited to no more than one message every five seconds.
•
•
•
•
•
•
Recommended Action Contact the administrator of the remote peer if many failed packets were received.
402121
Error Message %ASA-4-402121: IPSEC: Received an protocol packet (SPI=spi, sequence number=seq_num) from peer_addr (username) to lcl_addr that was dropped by IPsec (drop_reason).Explanation An IPsec packet to be decapsulated was received and subsequently dropped by the IPsec subsystem. This may indicate a problem with the ASA configuration or with the ASA itself.
•
•
•
•
•
•
•
Recommended Action If the problem persists, contact the Cisco TAC.
402122
Error Message %ASA-4-402122: Received a cleartext packet from src_addr to dest_addr that was to be encapsulated in IPsec that was dropped by IPsec (drop_reason).Explanation A packet to be encapsulated in IPsec was received and subsequently dropped by the IPsec subsystem. This may indicate a problem with the ASA configuration or with the ASA itself.
•
•
•
Recommended Action If the problem persists, contact the Cisco TAC.
402123
Error Message %ASA-4-402123: CRYPTO: The accel_type hardware accelerator encountered an error (code=error_string) while executing crypto command command.Explanation An error was detected while running a crypto command with a hardware accelerator, which may indicate a problem with the accelerator. This type of error may occur for a variety of reasons, and this message supplements the crypto accelerator counters to help determine the cause.
•
•
•
Recommended Action If the problem persists, contact the Cisco TAC.
402124
Error Message %ASA-4-402124: CRYPTO: The ASA hardware accelerator encountered an error (Hardware error address, Core, Hardware error code, IstatReg, PciErrReg, CoreErrStat, CoreErrAddr, Doorbell Size, DoorBell Outstanding, SWReset).Explanation The crypto hardware chip has reported a fatal error, indicating that the chip is inoperable. The information from this message captures the details to allow further analysis of the problem. The crypto chip is reset when this condition is detected to unobtrusively allow the ASA to continue functioning. Also, the crypto environment at the time this issue is detected is written to a crypto archive directory on flash to provide further debugging information. Various parameters related to the crypto hardware are included in this message, as follows:
•
•
•
•
•
•
•
•
•
•
Recommended Action Forward the message information to the Cisco TAC for further analysis.
402125
Error Message %ASA-4-402125: The ASA hardware accelerator ring timed out (parameters).Explanation The crypto driver has detected that either the IPSEC descriptor ring or SSL/Admin descriptor ring is no longer progressing, meaning the crypto chip no longer appears to be functioning. The crypto chip is reset when this condition is detected to unobtrusively allow the ASA to continue functioning. Also, the crypto environment at the time this issue was detected was written to a crypto archive directory on flash to provide further debugging information.
•
•
- Desc—Descriptor address
- CtrlStat—Control/status value
- ResultP—Success pointer
- ResultVal—Success value
- Cmd—Crypto command
- CmdSize—Command size
- Param—Command parameters
- Dlen—Data length
- DataP—Data pointer
- CtxtP—VPN context pointer
- SWReset—Number of crypto chip resets since boot
Recommended Action Forward the message information to the Cisco TAC for further analysis.
402126
Error Message %ASA-4-402126: CRYPTO: The ASA created Crypto Archive File Archive Filename as a Soft Reset was necessary. Please forward this archived information to Cisco.Explanation A functional problem with the hardware crypto chip was detected (see syslog messages 402124 and 402125). To further debug the crypto problem, a crypto archive file was generated that included the current crypto hardware environment (hardware registers and crypto description entries). At boot time, a crypto_archive directory was automatically created on the flash file system (if it did not exist previously). A maximum of two crypto archive files are allowed to exist in this directory.
•
Recommended Action Forward the crypto archive files to the Cisco TAC for further analysis.
402127
Error Message %ASA-4-402127: CRYPTO: The ASA is skipping the writing of latest Crypto Archive File as the maximum # of files, max_number, allowed have been written to archive_directory. Please archive & remove files from Archive Directory if you want more Crypto Archive Files saved.Explanation A functional problem with the hardware crypto chip was detected (see messages 4402124 and 4402125). This message indicates a crypto archive file was not written, because the maximum number of crypto archive files already existed.
•
•
Recommended Action Forward previously generated crypto archive files to the Cisco TAC. Remove the previously generated archive file(s) so that more can be written (if deemed necessary).
402128
Error Message %ASA-5-402128: CRYPTO: An attempt to allocate a large memory block failed, size: size, limit: limitExplanation An SSL connection is attempting to use more memory than allowed. The request has been denied.
•
•
Recommended Action If this message persists, an SSL denial of service attack may be in progress. Contact the remote peer administrator or upstream provider.
402129
Error Message %ASA-6-402129: CRYPTO: An attempt to release a DMA memory block failed, location: addressExplanation An internal software error has occurred.
•
Recommended Action Contact the Cisco TAC for assistance.
402130
Error Message %ASA-6-402130: CRYPTO: Received an ESP packet (SPI = 0x54A5C634, sequence number=0x7B) from 75.2.96.101 (user=user) to 85.2.96.10 with incorrect IPsec padding.Explanation The ASA crypto hardware accelerator detected an IPsec packet with invalid padding. The ATT VPN client sometimes pads IPsec packets incorrectly.
•
•
•
•
Recommended Action While this message is None required and does not indicate a problem with the ASA, customers using the ATT VPN client may wish to upgrade their VPN client software.
402131
Error Message %ASA-4-402131: CRYPTO: status changing the accel_instance hardware accelerator's configuration bias from old_config_bias to new_config_bias.Explanation The hardware accelerator configuration has been changed on the ASA. Some ASA platforms have multiple hardware accelerators. One syslog message is generated for each hardware accelerator change.
•
•
•
•
Recommended Action If any of the accelerators fails when attempting to change its configuration, collect logging information and contact the Cisco TAC. If a failure occurs, the software will retry the configuration change multiple times. The software will fall back to the original configuration bias if the retry attempts fail. If multiple attempts to reconfigure the hardware accelerator fail, it may indicate a hardware failure.
403101
Error Message %ASA-4-403101: PPTP session state not established, but received an XGRE packet, tunnel_id=number, session_id=numberExplanation The ASA received a PPTP XGRE packet without a corresponding control connection session.
Recommended Action If the problem persists, contact the Cisco TAC.
403102
Error Message %ASA-4-403102: PPP virtual interface interface_name rcvd pkt with invalid protocol: protocol, reason: reason.Explanation The module received an XGRE encapsulated PPP packet with an invalid protocol field.
Recommended Action If the problem persists, contact the Cisco TAC.
403103
Error Message %ASA-4-403103: PPP virtual interface max connections reached.Explanation The module cannot accept additional PPTP connections.Connections are allocated as soon as they are available.
Recommended Action None required.
403104
Error Message %ASA-4-403104: PPP virtual interface interface_name requires mschap for MPPE.Explanation The MPPE was configured, but MS-CHAP authentication was not.
Recommended Action Add MS-CHAP authentication with the vpdn group group_name ppp authentication command.
403106
Error Message %ASA-4-403106: PPP virtual interface interface_name requires RADIUS for MPPE.Explanation The MPPE was configured, but RADIUS authentication was not.
Recommended Action Add RADIUS authentication with the vpdn group group_name ppp authentication command.
403107
Error Message %ASA-4-403107: PPP virtual interface interface_name missing aaa server group infoExplanation The AAA server configuration information cannot be found.
Recommended Action Add the AAA server information with the vpdn group group_name client authentication aaa aaa_server_group command.
403108
Error Message %ASA-4-403108: PPP virtual interface interface_name missing client ip address optionExplanation The client IP address pool information is missing.
Recommended Action Add IP address pool information with the vpdn group group_name client configuration address local address_pool_name command.
403109
Error Message %ASA-4-403109: Rec'd packet not an PPTP packet. (ip) dest_address=dest_address, src_addr= source_address, data: string.Explanation The module received a spoofed PPTP packet, which may indicate a hostile event.
Recommended Action Contact the administrator of the peer to check the PPTP configuration settings.
403110
Error Message %ASA-4-403110: PPP virtual interface interface_name, user: user missing MPPE key from aaa server.Explanation The AAA server was not returning the MPPE key attributes required to set up the MPPE encryption policy.
Recommended Action Check the AAA server configuration. If the AAA server cannot return MPPE key attributes, use local authentication instead by entering the vpdn group group_name client authentication local command.
403500
Error Message %ASA-6-403500: PPPoE - Service name 'any' not received in PADO. Intf:interface_name AC:ac_name.Explanation The ASA requested the PPPoE service any from the access controller at the Internet service provider. The response from the service provider includes other services, but does not include the service any. This is a discrepancy in the implementation of the protocol. The PADO packet is processed normally, and connection negotiations continue.
Recommended Action None required.
403501
Error Message %ASA-3-403501: PPPoE - Bad host-unique in PADO - packet dropped. Intf:interface_name AC:ac_nameExplanation The ASA sent an identifier called the host-unique value to the access controller. The access controller responded with a different host-unique value. The ASA was unable to identify the corresponding connection request for this response. The packet was dropped, and connection negotiations were discontinued.
Recommended Action Contact the Internet service provider. Either the access controller at the service provider is mishandling the host-unique value, or the PADO packet is being forged.
403502
Error Message %ASA-3-403502: PPPoE - Bad host-unique in PADS - dropping packet. Intf:interface_name AC:ac_nameExplanation The ASA sent an identifier called the host-unique value to the access controller. The access controller responded with a different host-unique value. The ASA was unable to identify the corresponding connection request for this response. The packet was dropped, and connection negotiations were discontinued.
Recommended Action Contact the Internet service provider. Either the access controller at the service provider is mishandling the host-unique value, or the PADO packet is being forged.
403503
Error Message %ASA-3-403503: PPPoE:PPP link down:reasonExplanation The PPP link has gone down. There are many reasons why this can happen. The first format will display a reason if PPP provides one.
Recommended Action Check the network link to ensure that the link is connected. The access concentrator may be down. Make sure that your authentication protocol matches the access concentrator and that your name and password are correct. Verify this information with your ISP or network support person.
403504
Error Message %ASA-3-403504: PPPoE:No 'vpdn group group_name' for PPPoE is createdExplanation PPPoE requires a dial-out configuration before starting a PPPoE session. In general, the configuration should specify a dialing policy, the PPP authentication, the username, and a password. The following example configures the ASA for PPPoE dialout. The my-username and my-password commands are used to authenticate the access concentrator, using PAP if necessary.
For example:
hostname# vpdn group my-pppoe request dialout pppoehostname# vpdn group my-pppoe ppp authentication paphostname# vpdn group my-pppoe localname my-usernamehostname# vpdn username my-username password my-passwordhostname# ip address outside pppoe setrouteRecommended Action Configure a VPDN group for PPPoE.
403505
Error Message %ASA-4-403505: PPPoE:PPP - Unable to set default route to IP_address at interface_nameExplanation This message is usually followed by the message, default route already exists.
Recommended Action Remove the current default route or remove the setroute parameter so that there is no conflict between PPPoE and the manually configured route.
403506
Error Message %ASA-4-403506: PPPoE:failed to assign PPP IP_address netmask netmask at interface_nameExplanation This message is followed by one of the followings messages: subnet is the same as interface, or on failover channel.
Recommended Action In the first case, change the address causing the conflict. In the second case, configure the PPPoE on an interface other than the failover interface.
403507
Error Message %ASA-3-403507: PPPoE:PPPoE client on interface interface failed to locate PPPoE vpdn group group_nameExplanation You can configure the PPPoE client on an interface to use a particular VPDN group by entering the pppoe client vpdn group group_name command. If a PPPoE VPDN group of the configured name was not located during system startup, this message is generated.
•
•
Recommended Action Perform the following steps:
1.
2.
Note
405001
Error Message %ASA-4-405001: Received ARP {request | response} collision from IP_address/MAC_address on interface interface_name to IP_address/MAC_address on interface interface_nameExplanation The ASA received an ARP packet, and the MAC address in the packet differs from the ARP cache entry.
Recommended Action This traffic might be legitimate, or it might indicate that an ARP poisoning attack is in progress. Check the source MAC address to determine where the packets are coming from and to see if they belong to a valid host.
405101
Error Message %ASA-4-405101: Unable to Pre-allocate H225 Call Signalling Connection for foreign_address outside_address[/outside_port] to local_address inside_address[/inside_port]Explanation The module failed to allocate RAM system memory while starting a connection or has no more address translation slots available.
Recommended Action If this message occurs periodically, it can be ignored. You can check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translates and connections. This error message may also be caused by insufficient memory; try reducing the amount of memory usage, or purchasing additional memory. If the problem persists, contact the Cisco TAC.
405002
Error Message %ASA-4-405002: Received mac mismatch collision from IP_address/MAC_address for authenticated hostExplanation This packet appears for one of the following conditions:
•
•
Recommended Action This traffic might be legitimate, or it might indicate that a spoofing attack is in progress. Check the source MAC address and IP address to determine where the packets are coming from and if they belong to a valid host.
405101
Error Message %ASA-4-405101: Unable to Pre-allocate H225 Call Signalling Connection for foreign_address outside_address[/outside_port] to local_address inside_address[/inside_port]Explanation The ASA failed to allocate RAM system memory while starting a connection or has no more address translation slots available.
Recommended Action Check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translations and connections. Also, reduce the amount of memory usage, or purchase additional memory. If this message occurs periodically, it can be ignored. If the problem persists, contact the Cisco TAC.
405102
Error Message %ASA-4-405102: Unable to Pre-allocate H245 Connection for foreign_address outside_address[/outside_port] to local_address inside_address[/inside_port]Explanation The ASA failed to allocate RAM system memory while starting a connection or has no more address translation slots available.
Recommended Action Check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translations and connections. In addition, reduce the amount of memory usage, or purchase additional memory. If this message occurs periodically, it can be ignored. If the problem persists, contact the Cisco TAC.
405103
Error Message %ASA-4-405103: H225 message from source_address/source_port to dest_address/dest_port contains bad protocol discriminator hexExplanation The ASA is expecting the protocol discriminator, 0x08, but it received something other than 0x08. The endpoint may be sending a bad packet, or received a message segment other than the first segment. The packet is allowed through.
Recommended Action None required.
405104
Error Message %ASA-4-405104: H225 message received from outside_address/outside_port to inside_address/inside_port before SETUPExplanation An H.225 message was received out of order, before the initial SETUP message, which is not allowed. The ASA must receive an initial SETUP message for that H.225 call signalling channel before accepting any other H.225 messages.
Recommended Action None required.
405105
Error Message %ASA-4-405105: H323 RAS message AdmissionConfirm received from source_address/source_port to dest_address/dest_port without an AdmissionRequestExplanation A gatekeeper has sent an ACF, but the ASA did not send an ARQ to the gatekeeper.
Recommended Action Check the gatekeeper with the specified source_address to determine why it sent an ACF without receiving an ARQ from the ASA.
405106
Error Message %ASA-4-405106: H323 num channel is not created from %I/%d to %I/%d %sExplanation The ASA tried to create a match condition on the H.323 media-type channel. See the match media-type command for more information.
Recommended Action None required.
405107
Error Message %ASA-4-405107: H245 Tunnel is detected and connection dropped from %I/%d to %I/%d %sExplanation An H.323 connection has been dropped because of an attempted H.245 tunnel control during call setup. See the
