Table Of Contents
System Log Messages
Messages 102001 to 199009
102001
103002
103003
103004
103005
103006
103007
104001, 104002
104003
104004
105001
105002
105003
105004
105005
105006, 105007
105008
105010
105020
105021
105031
105032
105034
105035
105038
105039
105040
105042
105043
105044
105045
105046
105047
106001
106002
106006
106007
106010
106011
106012
106013
106014
106015
106016
106017
106018
106020
106021
106022
106023
106024
106025, 106026
106027
106100
106101
107001
107002
108002
108003
109001
109002
109003
109005
109006
109007
109008
109010
109011
109012
109013
109014
109016
109017
109018
109019
109020
109021
109022
109023
109024
109025
109026
109027
109028
109030
109031
109037
109039
110001
111003
111004
111005
111007
111008
111009
111111
112001
113001
113003
113004
113005
113006
113007
113008
113009
113010
113011
113012
113013
113014
113015
113016
113017
113018
113019
199001
199002
199003
199005
199006
199907
199908
199909
Messages 201002 to 217001
201002
201003
201004
201005
201006
201009
202001
202005
202011
208005
209003
209004
209005
210001
210002
210003
210005
210006
210007
210008
210010
210020
210021
210022
211001
211003
212001
212002
212003
212004
212005
212006
214001
215001
217001
Messages 302003 to 326028
302003
302004
302009
302010
302012
302013
302014
302015
302016
302017
302018
302019
302020
302021
302022
302023
302302
303002
303003
303004
304001
304002
304003
304004
304005
304006
304007
304008
304009
305005
305006
305007
305008
305009
305010
305011
305012
308001
308002
311001
311002
311003
311004
312001
313001
313003
313004
313008
314001
315004
315011
316001
317001
317002
317003
317004
317005
318001
318002
318003
318004
318005
318006
318007
318008
319001
319002
319003
319004
320001
321001
321002
321003
321004
322001
322002
322003
322004
323004
323005
324000
324001
324002
324003
324004
324005
324006
324007
325001
325002
326001
326002
326004
326005
326006
326007
326008
326009
326010
326011
326012
326013
326014
326015
326016
326017
326019
326020
326021
326022
326023
326024
326025
326026
326027
326028
Messages 400000 to 418001
402101
402102
402103
402106
404101
404102
405001
405101
405002
405101
405102
405103
405104
405105
405201
406001
406002
407001
407002
407003
408001
408002
409001
409002
409003
409004
409005
409006
409007
409008
409009
409010
409011
409012
409013
409023
410001
411001
411002
411003
411004
412001
412002
413001
413002
413003
413004
414001
414002
415001
415002
415003
415004
415005
415006
415007
415008
415009
415010
415011
415012
415013
415014
416001
417001
417004
417006
418001
Messages 500001 to 507002
500001
500002
500003
500004
501101
502101
502102
502103
502111
502112
503001
504001
504002
505001
505002
505003
505004
505005
505006
505007
506001
507001
507002
Messages 602101 to 609002
602101
602102
602201
602202
602203
602301
602302
602303
602304
604101
604102
604103
604104
605005
606001
606002
606003
606004
607001
608001
609001
609002
610001
610002
610101
612001
612002
612003
613001
613002
613003
614001
614002
615001
615002
616001
617001
617002
617003
617004
620001
620002
621001
621002
621003
621006
621007
Messages 701001 to 720073
701001
701002
702201
702202
702203
702204
702205
702206
702207
702208
702209
702210
702211
702212
702301
702302
702303
703001
703002
709001, 709002
709003
709004
709005
709006
709007
710001
710002
710003
710004
710005
710006
711001
711002
711003
713004
713006
713008
713009
713010
713012
713014
713016
713017
713018
713020
713022
713024
713025
713026
713027
713028
713029
713030
713031
713032
713033
713034
713035
713036
713037
713039
713040
713041
713042
713043
713047
713048
713049
713050
713051
713052
713056
713059
713060
713061
713062
713063
713065
713066
713068
713072
713073
713074
713075
713076
713078
713081
713082
713083
713084
713085
713086
713088
713092
713094
713098
713099
713102
713103
713104
713105
713107
713109
713112
713113
713114
713115
713116
713117
713118
713119
713120
713121
713122
713123
713124
713127
713128
713129
713130
713131
713132
713133
713134
713135
713136
713137
713138
713139
713140
713141
713142
713143
713144
713145
713146
713147
713148
713149
713152
713154
713155
713156
713157
713158
713159
713160
713161
713162
713163
713164
713165
713166
713167
713168
713169
713170
713171
713172
713174
713176
713177
713178
713179
713182
713184
713185
713186
713187
713189
713190
713193
713194
713195
713196
713197
713198
713199
713203
713204
713205
713206
713208
713209
713210
713211
713212
713213
713214
713215
713216
713217
713218
713219
713220
713221
713222
713223
713224
713225
713226
713229
713236
713900
713901
713902
713903
713904
713905
713906
714001
714002
714003
714004
714005
714006
714007
714011
715001
715004
715005
715006
715007
715008
715009
715013
715019
715020
715021
715022
715027
715028
715033
715034
715035
715036
715037
715038
715039
715040
715041
715042
715044
715045
715046
715047
715048
715049
715050
715051
715052
715053
715054
715055
715056
715057
715058
715059
715060
715061
715062
715063
715064
715065
715066
715067
715068
715069
715070
715071
715072
715074
715075
715076
715077
717001
717002
717003
717004
717005
717006
717007
717008
717009
717010
717011
717012
717013
717014
717015
717016
717017
717018
717019
717022
717025
717028
717029
718001
718002
718003
718004
718005
718006
718007
718008
718009
718010
718011
718012
718013
718014
718015
718016
718017
718018
718019
718020
718021
718022
718023
718024
718025
718026
718027
718028
718029
718030
718031
718032
718033
718034
718035
718036
718037
718038
718039
718040
718041
718042
718043
718044
718045
718046
718047
718048
718049
718050
718051
718052
718053
718054
718055
718056
718057
718058
718059
718060
718061
718062
718063
718064
718065
718066
718067
718068
718069
718070
718071
718072
718073
718074
718075
718076
718077
718078
718079
718080
718081
718084
718085
718086
718087
718088
719001
719002
719003
719004
719005
719006
719007
719008
719009
719010
719011
719012
719013
719014
719015
719016
719025
719026
720001
720002
720003
720004
720005
720006
720007
720008
720009
720010
720011
720012
720013
720014
720015
720016
720017
720018
720019
720020
720021
720022
720023
720024
720025
720026
720027
720028
720029
720030
720031
720032
720033
720034
720035
720036
720037
720038
720039
720040
720041
720042
720043
720044
720045
720046
720047
720048
720049
720050
720051
720052
720053
720054
720055
720056
720057
720058
720059
720060
720061
720062
720063
720064
720065
720066
720067
720068
720069
720070
720071
720072
720073
System Log Messages
This chapter lists the FWSM system log messages. The messages are listed numerically by message code.
Note
The messages shown in this guide apply to software Version 3.1 and higher. When a number is skipped from a sequence, the message is no longer in the security appliance code.
This chapter includes the following sections:
• Messages 102001 to 199009
• Messages 201002 to 217001
• Messages 302003 to 326028
• Messages 400000 to 418001
• Messages 500001 to 507002
• Messages 602101 to 609002
• Messages 701001 to 720073
Messages 102001 to 199009
This section contains messages from 102001 to 199009.
102001
Error Message %FWSM-1-102001: (Primary) Power failure/System reload other side.
Explanation This is a failover message. This message is logged if the primary unit detects a system
reload or a power failure on the other unit. "Primary" can also be listed as "Secondary" for the
secondary unit.
Recommended Action On the unit that experienced the reload, issue the show crashinfo command to
determine if there is a traceback associated with the reload. Also verify that the unit is powered on
and that power cables are properly connected.
103002
Error Message %FWSM-1-103002: (Primary) Other firewall network interface
interface_number OK.
Explanation This is a failover message. This message is displayed when the primary unit detects that
the network interface on the secondary unit is okay. (Primary) can also be listed as (Secondary) for
the secondary unit. Refer to Table 1-4 in Configuring Logging and SNMP for possible values for the
interface_number variable.
Recommended Action None required.
103003
Error Message %FWSM-1-103003: (Primary) Other firewall network interface
interface_number failed.
Explanation This is a failover message. This message is displayed if the primary unit detects a bad
network interface on the secondary unit. (Primary) can also be listed as (Secondary) for the
secondary unit.
Recommended Action Check the network connections on the secondary unit and check the network
hub connection. If necessary, replace the failed network interface.
103004
Error Message %FWSM-1-103004: (Primary) Other firewall reports this firewall failed.
Explanation This is a failover message. This message is displayed if the primary unit receives a
message from the secondary unit indicating that the primary has failed. (Primary) can also be listed
as (Secondary) for the secondary unit.
Recommended Action Verify the status of the primary unit.
103005
Error Message %FWSM-1-103005: (Primary) Other firewall reporting failure.
Explanation This is a failover message. This message is displayed if the secondary unit reports a
failure to the primary unit. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Verify the status of the secondary unit.
103006
Error Message %FWSM-1-103006: (Primary|Secondary) Mate version ver_num is not
compatible with ours ver_num
Explanation This message appears when the FWSM detects a peer unit that is running a different
version from the local unit and is not compatible with the HA Hitless Upgrade feature.
• ver_num—Version number.
Recommended Action Install the same or a compatible version image on both firewall units.
103007
Error Message %FWSM-1-103007: (Primary|Secondary) Mate version ver_num is not
identical with ours ver_num
Explanation This message appears when the FWSM detects a peer unit that is running a different (yet
compatible) version from the local unit, but does support the HA Hitless Upgrade feature. The
system performance could be degraded because the image version is not the same and you may
encounter a stability issue if you run this version for an extended period.
• ver_num—Version number.
Recommended Action Install the same version image on both firewall units as soon as possible.
104001, 104002
Error Message %FWSM-1-104001: (Primary) Switching to ACTIVE (cause: string).
Error Message %FWSM-1-104002: (Primary) Switching to STNDBY (cause: string).
Explanation Both instances are failover messages. These messages usually are logged when you
force the pair to switch roles, either by entering the failover active command on the standby unit,
or the no failover active command on the active unit. (Primary) can also be listed as (Secondary)
for the secondary unit. Possible values for the string variable are as follows:
• state check
• bad/incomplete config
• ifc [interface] check, mate is healthier
• the other side wants me to standby
• in failed state, cannot be active
• switch to failed state
Recommended Action If the message occurs because of manual intervention, no action is required.
Otherwise, use the cause reported by the secondary unit to verify the status of both units of the pair.
104003
Error Message %FWSM-1-104003: (Primary) Switching to FAILED.
Explanation This is a failover message. This message is displayed when the primary unit fails.
Recommended Action Check the system log messages for the primary unit for an indication of the
nature of the problem (see message 104001). (Primary) can also be listed as (Secondary) for the
secondary unit.
104004
Error Message %FWSM-1-104004: (Primary) Switching to OK.
Explanation This is a failover message. This message is displayed when a previously failed unit now
reports that it is operating again. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
105001
Error Message %FWSM-1-105001: (Primary) Disabling failover.
Explanation This is a failover message. This message is displayed when you enter the no failover
command on the console. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
105002
Error Message %FWSM-1-105002: (Primary) Enabling failover.
Explanation This is a failover message. This message is displayed when you enter the failover
command with no arguments on the console, after having previously disabled failover. (Primary) can
also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
105003
Error Message %FWSM-1-105003: (Primary) Monitoring on interface interface_name
waiting
Explanation This is a failover message. The security appliance is testing the specified network
interface with the other unit of the failover pair. (Primary) can also be listed as (Secondary) for the
secondary unit.
Recommended Action None required. The security appliance monitors its network interfaces
frequently during normal operations.
105004
Error Message %FWSM-1-105004: (Primary) Monitoring on interface interface_name
normal
Explanation This is a failover message. The test of the specified network interface was successful.
(Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
105005
Error Message %FWSM-1-105005: (Primary) Lost Failover communications with mate on
interface interface_name.
Explanation This is a failover message. This message is displayed if this unit of the failover pair can
no longer communicate with the other unit of the pair. (Primary) can also be listed as (Secondary)
for the secondary unit.
Recommended Action Verify that the network connected to the specified interface is functioning
correctly.
105006, 105007
Error Message %FWSM-1-105006: (Primary) Link status `Up' on interface
interface_name.
Error Message %FWSM-1-105007: (Primary) Link status `Down' on interface
interface_name.
Explanation Both instances are failover messages. These messages report the results of monitoring
the link status of the specified interface. (Primary) can also be listed as (Secondary) for the
secondary unit.
Recommended Action If the link status is down, verify that the network connected to the specified
interface is operating correctly.
105008
Error Message %FWSM-1-105008: (Primary) Testing interface interface_name.
Explanation This is a failover message. This message is displayed when the security appliance tests a
specified network interface. This testing is performed only if the security appliance fails to receive a
message from the standby unit on that interface after the expected interval. (Primary) can also be
listed as (Secondary) for the secondary unit.
Recommended Action None required.
105010
Error Message %FWSM-3-105010: (Primary) Failover message block alloc failed
Explanation Block memory was depleted. This is a transient message and the security appliance
should recover. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Use the show blocks command to monitor the current block memory.
105020
Error Message %FWSM-1-105020: (Primary) Incomplete/slow config replication
Explanation When a failover occurs, the active security appliance detects a partial configuration in
memory. Normally, this is caused by an interruption in the replication service. (Primary) can also be
listed as (Secondary) for the secondary unit.
Recommended Action Once the failover is detected by the security appliance, the security appliance
automatically reloads itself and loads configuration from Flash memory and/or resynchronizes with
another security appliance. If failovers happen continuously, check the failover configuration and
make sure both security appliance units can communicate with each other.
105021
Error Message %FWSM-1-105021: (failover_unit) Standby unit failed to sync due to a
locked context_name config. Lock held by lock_owner_name
Explanation During configuration synchronizing, a standby unit will reload itself if some other
process locks the configuration for more than 5 minutes, which prevents the failover process from
applying the new configuration. This can occur when an administrator pages through a running
configuration on the standby unit while configuration synchronization is in process. See also the
show running-config EXEC command and the pager lines num CONFIG command.
Recommended Action Avoid viewing or modifying configuration on standby unit when it first comes
up and is in the process of establishing a failover connection with the active unit.
105031
Error Message %FWSM-1-105031: Failover LAN interface is up
Explanation LAN failover interface link is up.
Recommended Action None required.
105032
Error Message %FWSM-1-105032: LAN Failover interface is down
Explanation LAN failover interface link is down.
Recommended Action Check the connectivity of the LAN failover interface. Make sure that the
speed/duplex setting is correct.
105034
Error Message %FWSM-1-105034: Receive a LAN_FAILOVER_UP message from peer.
Explanation The peer has just booted and sent the initial contact message.
Recommended Action None required.
105035
Error Message %FWSM-1-105035: Receive a LAN failover interface down msg from peer.
Explanation The peer LAN failover interface link is down. The unit switches to active mode if it is
in standby mode.
Recommended Action Check the connectivity of the peer LAN failover interface.
105038
Error Message %FWSM-1-105038: (Primary) Interface count mismatch
Explanation When a failover occurs, the active security appliance detects a partial configuration in
memory. Normally, this is caused by an interruption in the replication service. (Primary) can also be
listed as (Secondary) for the secondary unit.
Recommended Action Once the failover is detected by the security appliance, the security appliance
automatically reloads itself and loads the configuration from Flash memory and/or resyncs with
another security appliance. If failovers happen continuously, check the failover configuration and
make sure that both security appliance units can communicate with each other.
105039
Error Message %FWSM-1-105039: (Primary) Unable to verify the Interface count with
mate. Failover may be disabled in mate.
Explanation Failover initially verifies that the number of interfaces configured on the primary and
secondary security appliances are the same. This message indicates that the primary security
appliance is not able to verify the number of interfaces configured on the secondary security
appliance. This message indicates that the primary security appliance is not able to communicate with
the secondary security appliance over the failover interface. (Primary) can also be listed as
(Secondary) for the secondary security appliance.
Recommended Action Verify the failover LAN, interface configuration, and status on the primary and
secondary security appliances. Make sure that the secondary security appliance is running the
security appliance application and that failover is enabled.
105040
Error Message %FWSM-1-105040: (Primary) Mate failover version is not compatible.
Explanation The primary and secondary security appliance should run the same failover software
version to act as a failover pair. This message indicates that the secondary security appliance failover
software version is not compatible with the primary security appliance. Failover is disabled on the
primary security appliance. (Primary) can also be listed as (Secondary) for the secondary security
appliance.
Recommended Action Maintain consistent software versions between the primary and secondary
security appliances to enable failover.
105042
Error Message %FWSM-1-105042: (Primary) Failover interface OK
Explanation The LAN failover interface link is up; the interface used to send failover messages to the
secondary security appliance is functioning. (Primary) can also be listed as (Secondary) for the
secondary security appliance.
Recommended Action None required.
105043
Error Message %FWSM-1-105043: (Primary) Failover interface failed
Explanation LAN failover interface link is down.
Recommended Action Check the connectivity of the LAN failover interface. Make sure that the
speed/duplex setting is correct.
105044
Error Message %FWSM-1-105044: (Primary) Mate operational mode mode is not compatible
with my mode mode.
Explanation When the operational mode (single or multi) does not match between failover peers,
failover will be disabled.
Recommended Action Configure the failover peers to have the same operational mode, and then
reenable failover.
105045
Error Message %FWSM-1-105045: (Primary) Mate license (number contexts) is not
compatible with my license (number contexts).
Explanation When the feature licenses do not match between failover peers, failover will be disabled.
Recommended Action Configure the failover peers to have the same feature license, and then reenable
failover.
105046
Error Message %FWSM-1-105046 (Primary|Secondary) Mate has a different chassis
Explanation This message is issued when two failover units have a different type of chassis.
Recommended Action Make sure that the two failover units are the same.
105047
Error Message %FWSM-1-105047: Mate has a io_card_name1 card in slot slot_number
which is different from my io_card_name2
Explanation The two failover units have different types of cards in their respective slots.
Recommended Action Make sure that the card configurations for the failover units are the same.
106001
Error Message %FWSM-2-106001: Inbound TCP connection denied from IP_address/port to
IP_address/port flags tcp_flags on interface interface_name
Explanation This is a connection-related message. This message occurs when an attempt to connect
to an inside address is denied by your security policy. Possible tcp_flags values correspond to the
flags in the TCP header that were present when the connection was denied. For example, a TCP
packet arrived for which no connection state exists in the security appliance, and it was dropped.
The tcp_flags in this packet are FIN and ACK.
The tcp_flags are as follows:
• ACK—The acknowledgment number was received.
• FIN—Data was sent.
• PSH—The receiver passed data to the application.
• RST—The connection was reset.
• SYN—Sequence numbers were synchronized to start a connection.
• URG—The urgent pointer was declared valid.
Recommended Action None required.
106002
Error Message %FWSM-2-106002: protocol Connection denied by outbound list acl_ID src
inside_address dest outside_address
Explanation This is a connection-related message. This message is displayed if the specified
connection fails because of an outbound deny command. The protocol variable can be ICMP, TCP,
or UDP.
Recommended Action Use the show outbound command to check outbound lists.
106006
Error Message %FWSM-2-106006: Deny inbound UDP from outside_address/outside_port to
inside_address/inside_port on interface interface_name.
Explanation This is a connection-related message. This message is displayed if an inbound UDP
packet is denied by your security policy.
Recommended Action None required.
106007
Error Message %FWSM-2-106007: Deny inbound UDP from outside_address/outside_port to
inside_address/inside_port due to DNS {Response|Query}.
Explanation This is a connection-related message. This message is displayed if a UDP packet
containing a DNS query or response is denied.
Recommended Action If the inside port number is 53, the inside host probably is set up as a caching
name server. Add an access-list command statement to permit traffic on UDP port 53. If the outside
port number is 53, a DNS server was probably too slow to respond, and the query was answered by
another server.
106010
Error Message %FWSM-3-106010: Deny inbound protocol src
interface_name:dest_address/dest_port dst
interface_name:source_address/source_port
Explanation This is a connection-related message. This message is displayed if an inbound
connection is denied by your security policy.
Recommended Action Modify the security policy if traffic should be permitted. If the message occurs
at regular intervals, contact the remote peer administrator.
106011
Error Message %FWSM-3-106011: Deny inbound (No xlate) string
Explanation The message will appear under normal traffic conditions if there are internal users that
are accessing the Internet through a web browser. Any time a connection is reset, when the host at
the end of the connection sends a packet after the security appliance receives the reset, this message
will appear. It can typically be ignored.
Recommended Action Prevent this system log message from getting logged to the syslog server by
entering the no logging message 106011 command.
106012
Error Message %FWSM-6-106012: Deny IP from IP_address to IP_address, IP options hex.
Explanation This is a packet integrity check message. An IP packet was seen with IP options. Because
IP options are considered a security risk, the packet was discarded.
Recommended Action Contact the remote host system administrator to determine the problem. Check
the local site for loose source routing or strict source routing.
106013
Error Message %FWSM-2-106013: Dropping echo request from IP_address to PAT address
IP_address
Explanation The security appliance discarded an inbound ICMP Echo Request packet with a
destination address that corresponds to a PAT global address. The inbound packet is discarded
because it cannot specify which PAT host should receive the packet.
Recommended Action None required.
106014
Error Message %FWSM-3-106014: Deny inbound icmp src interface_name: IP_address dst
interface_name: IP_address (type dec, code dec)
Explanation The security appliance denied any inbound ICMP packet access. By default, all ICMP
packets are denied access unless specifically permitted.
Recommended Action None required.
106015
Error Message %FWSM-6-106015: Deny TCP (no connection) from IP_address/port to
IP_address/port flags tcp_flags on interface interface_name.
Explanation The security appliance discarded a TCP packet that has no associated connection in the
security appliance connection table. The security appliance looks for a SYN flag in the packet,
which indicates a request to establish a new connection. If the SYN flag is not set, and there is not
an existing connection, the security appliance discards the packet.
Recommended Action None required unless the security appliance receives a large volume of these
invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these
packets were sent.
106016
Error Message %FWSM-2-106016: Deny IP spoof from (IP_address) to IP_address on
interface interface_name.
Explanation The security appliance discarded a packet with an invalid source address. Invalid source
addresses are those addresses belonging to the following:
• Loopback network (127.0.0.0)
• Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
• The destination host (land.c)
To further enhance spoof packet detection, use the conduit command to configure the security appliance to discard packets with source addresses belonging to the internal network. Now that the icmp command has been implemented, the conduit command has been deprecated and is no longer guaranteed to work properly.
Recommended Action Determine if an external user is trying to compromise the protected network.
Check for misconfigured clients.
106017
Error Message %FWSM-2-106017: Deny IP due to Land Attack from IP_address to IP_address
Explanation The security appliance received a packet with the IP source address equal to the IP
destination, and the destination port equal to the source port. This message indicates a spoofed
packet that is designed to attack systems. This attack is referred to as a Land Attack.
Recommended Action If this message persists, an attack may be in progress. The packet does not
provide enough information to determine where the attack originates.
106018
Error Message %FWSM-2-106018: ICMP packet type ICMP_type denied by outbound list
acl_ID src inside_address dest outside_address
Explanation The outgoing ICMP packet with the specified ICMP type from the local host (inside_address) to
the foreign host (outside_address) was denied by the outbound ACL.
Recommended Action None required.
106020
Error Message %FWSM-2-106020: Deny IP teardrop fragment (size = number, offset =
number) from IP_address to IP_address
Explanation The security appliance discarded an IP packet with a teardrop signature containing
either a small offset or fragment overlapping. This is a hostile event that circumvents the security
appliance or an Intrusion Detection System.
Recommended Action Contact the remote peer administrator or escalate this issue according to your
security policy.
106021
Error Message %FWSM-1-106021: Deny protocol reverse path check from source_address
to dest_address on interface interface_name
Explanation An attack is in progress. Someone is attempting to spoof an IP address on an inbound
connection. Unicast RPF, also known as reverse route lookup, detected a packet that does not have
a source address represented by a route and assumes that it is part of an attack on your security
appliance.
This message appears when you have enabled Unicast RPF with the ip verify reverse-path command. This feature works on packets input to an interface; if it is configured on the outside, then the security appliance checks packets arriving from the outside.
The security appliance looks up a route based on the source_address. If an entry is not found and a route is not defined, then this system log message appears and the connection is dropped.
If there is a route, the security appliance checks which interface it corresponds to. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination. The security appliance does not support asymmetric routing.
If the security appliance is configured on an internal interface, it checks static route command statements or RIP, and if the source_address is not found, then an internal user is spoofing their address.
Recommended Action Even though an attack is in progress, if this feature is enabled, no user action
is required. The security appliance repels the attack.
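As an added illustration (not part of the FWSM documentation) of the checks behind messages 106016, 106017 and 106021, the following Python models the invalid-source tests and the Unicast RPF route lookup on a constructed topology; the interface subnets, the route table and the addresses are hypothetical, and only limited and subnet-directed broadcasts are modelled.

```python
"""Ingress anti-spoof checks modelled on FWSM messages 106016, 106017 and 106021."""
import ipaddress

# Constructed, hypothetical topology: interface name -> directly connected subnet.
INTERFACES = {
    "inside": ipaddress.ip_network("10.1.1.0/24"),
    "dmz": ipaddress.ip_network("192.168.50.0/24"),
    "outside": ipaddress.ip_network("203.0.113.0/24"),
}

# Constructed route table as (prefix, egress interface). A real appliance derives
# this from static routes or RIP; the default route here points at outside.
ROUTES = [
    ("10.1.0.0/16", "inside"),
    ("192.168.50.0/24", "dmz"),
    ("0.0.0.0/0", "outside"),
]

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def invalid_source_reason(src, dst, sport, dport, interfaces):
    """Source-address sanity checks that correspond to 106016 (loopback, broadcast,
    destination host) and 106017 (land attack: src == dst and sport == dport).
    Net-directed and all-subnets-directed broadcasts are not modelled.
    Returns None when the source passes."""
    src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_a in LOOPBACK_NET:
        return "106016: loopback source"
    if src_a == LIMITED_BROADCAST:
        return "106016: limited broadcast source"
    if any(src_a == net.broadcast_address for net in interfaces.values()):
        return "106016: subnet-directed broadcast source"
    if src_a == dst_a:
        if sport == dport:
            return "106017: land attack"
        return "106016: source equals destination host"
    return None


def lookup_route(routes, addr):
    """Longest-prefix match over the route table; None when no entry covers addr."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return None if best is None else best[1]


def rpf_check(routes, src, ingress_ifc):
    """Unicast RPF as explained for 106021: the route for the source address must
    point back out the interface the packet arrived on. Returns (verdict, reason).
    A mismatch is either a spoofed source or asymmetric routing, which the page
    says the security appliance does not support."""
    route_ifc = lookup_route(routes, src)
    if route_ifc is None:
        return "drop", "106021: no route to source"
    if route_ifc != ingress_ifc:
        return "drop", (f"106021: source routed via {route_ifc}, arrived on "
                        f"{ingress_ifc} (spoof or asymmetric routing)")
    return "pass", "source route matches ingress interface"


def ingress_decision(src, dst, sport, dport, ingress_ifc,
                     interfaces=INTERFACES, routes=ROUTES):
    """Apply the 106016/106017 checks first, then uRPF; first failing check wins."""
    reason = invalid_source_reason(src, dst, sport, dport, interfaces)
    if reason:
        return "drop", reason
    return rpf_check(routes, src, ingress_ifc)


if __name__ == "__main__":
    for pkt in [("127.0.0.1", "10.1.1.5", 1, 2, "outside"),
                ("10.1.1.5", "10.1.1.5", 139, 139, "outside"),
                ("198.51.100.7", "10.1.1.5", 40000, 22, "outside"),
                ("198.51.100.7", "10.1.1.5", 40000, 22, "inside")]:
        print(pkt, "->", ingress_decision(*pkt))
```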
106022
Error Message %FWSM-1-106022: Deny protocol connection spoof from source_address to
dest_address on interface interface_name
Explanation A packet matching a connection arrives on a different interface from the interface that
the connection began on.
For example, if a user starts a connection on the inside interface, but the security appliance detects the same connection arriving on a perimeter interface, the security appliance has more than one path to a destination. This is known as asymmetric routing and is not supported on the security appliance.
An attacker also might be attempting to append packets from one connection to another as a way to break into the security appliance. In either case, the security appliance displays this message and drops the connection.
Recommended Action This message appears when the ip verify reverse-path command is not
configured. Check that the routing is not asymmetric.
106023
Error Message %FWSM-4-106023: Deny protocol src
[interface_name:source_address/source_port] dst
interface_name:dest_address/dest_port [type {string}, code {code}] by
access_group acl_ID
Explanation An IP packet was denied by the ACL. This message displays even if you do not have the
log option enabled for an extended ACL.
Recommended Action If messages persist from the same source address, messages might indicate a
foot-printing or port-scanning attempt. Contact the remote host administrators.
106024
Error Message %FWSM-2-106024: Access rules memory exhausted
Explanation The access list compilation process has run out of memory. All configuration
information that has been added since the last successful access list was removed from the system,
and the most recently compiled set of access lists will continue to be used.
Recommended Action Access lists, AAA, ICMP, SSH, Telnet, and other rule types are stored and
compiled as access list rule types. Remove some of these rule types so that others can be added.
106025, 106026
Error Message %FWSM-6-106025: Failed to determine the security context for the
packet:sourceVlan:source_address dest_address source_port dest_port protocol
Error Message %FWSM-6-106026: Failed to determine the security context for the
packet:sourceVlan:source_address dest_address source_port dest_port protocol
Explanation The security context of the packet in multiple context mode cannot be determined. Both
messages can be generated for IP packets being dropped in either routed or transparent mode.
Recommended Action None required.
106027
Error Message %FWSM-4-106027:Failed to determine the security context for the
packet:vlansource Vlan#:ethertype src sourceMAC dst destMAC
Explanation The security context of the packet in multiple context mode cannot be determined. This
message is generated for non-IP packets being dropped in transparent mode only.
Recommended Action None required.
106100
Error Message %FWSM-4-106100: access-list acl_ID {permitted | denied | est-allowed}
protocol interface_name/source_address(source_port) ->
interface_name/dest_address(dest_port) hit-cnt number ({first hit |
number-second interval})
Explanation If you configured the log option for the access-list command, the packets matched an
ACL statement. The message level depends on the level set in the access-list command. The
message indicates either the initial occurrence or the total number of occurrences during an interval.
This message provides more information than message 106027, which only logs denied non-IP
packets, and does not include the hit count or a configurable level. The following list describes the
message values:
• permitted | denied | est-allowed—These values specify if the packet was permitted or denied by the ACL. If the value is est-allowed, the packet was denied by the ACL but was allowed for an already established session (for example, an internal user is allowed to access the Internet, and responding packets that would normally be denied by the ACL are accepted).
• protocol—TCP, UDP, ICMP, or an IP protocol number.
• interface_name—The interface name for the source or destination of the logged flow. The VLAN interfaces are supported.
• source_address—The source IP address of the logged flow.
• dest_address—The destination IP address of the logged flow.
• source_port—The source port of the logged flow (TCP or UDP). For ICMP, this field is 0.
• dest_port—The destination port of the logged flow (TCP or UDP). For ICMP, this field is icmp-type.
• hit-cnt number—The number of times this flow was permitted or denied by this ACL entry in the configured time interval. The value is 1 when the security appliance generates the first system log message for this flow.
• first hit—The first message generated for this flow.
• number-second interval—The interval in which the hit count is accumulated. Set this interval using the access-list command with the interval option.
Recommended Action None required.
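As an added example (not part of the FWSM documentation), the following Python parses the %FWSM-severity-message_id header that every message in this chapter shares and the 106100 fields listed above, then sums denied hit counts per source address; the log lines are constructed, and the ACL names, host names and addresses are hypothetical. The 106100 pattern follows the format as printed here, with the parentheses around the interval treated as optional.

```python
"""Parse FWSM syslog lines and aggregate access-list message 106100 denies."""
import re
from collections import Counter, defaultdict

# Every message in this chapter begins with %FWSM-<severity>-<message_id>:.
# search() rather than match() so a syslog timestamp/host prefix is tolerated.
HEADER_RE = re.compile(r"%FWSM-(?P<severity>[0-7])-(?P<msg_id>\d{6}):\s*(?P<text>.*)$")

# Body of 106100 as documented: access-list acl_ID {permitted|denied|est-allowed}
# protocol ifc/src_addr(src_port) -> ifc/dst_addr(dst_port) hit-cnt N (interval).
MSG_106100_RE = re.compile(
    r"^access-list (?P<acl_id>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<protocol>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_addr>[^(\s]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_addr>[^(\s]+)\((?P<dst_port>\d+)\) "
    r"hit-cnt (?P<hit_cnt>\d+) \(?(?P<interval>first hit|\d+-second interval)\)?"
)

# Constructed sample log; ACL names, host names and addresses are hypothetical.
SAMPLE_LOG = """\
%FWSM-4-106100: access-list outside_in denied tcp outside/198.51.100.7(40212) -> inside/10.1.1.5(23) hit-cnt 1 (first hit)
Jan 12 10:15:03 fwsm1 : %FWSM-4-106100: access-list outside_in denied tcp outside/198.51.100.7(40213) -> inside/10.1.1.5(22) hit-cnt 12 (300-second interval)
%FWSM-4-106100: access-list outside_in permitted tcp outside/203.0.113.9(51000) -> inside/10.1.1.8(443) hit-cnt 1 (first hit)
%FWSM-6-106100: access-list inside_out est-allowed tcp outside/203.0.113.9(443) -> inside/10.1.1.20(52341) hit-cnt 1 (first hit)
%FWSM-6-106015: Deny TCP (no connection) from 198.51.100.7/40213 to 10.1.1.5/22 flags FIN ACK on interface outside
%FWSM-1-104001: (Primary) Switching to ACTIVE (cause: the other side wants me to standby).
"""


def parse_header(line):
    """Split one syslog line into severity (int), msg_id (str) and message text.
    Returns None for lines that carry no FWSM message."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["severity"] = int(d["severity"])
    return d


def parse_106100(text):
    """Extract the documented 106100 fields from the message text.
    Ports and hit-cnt become ints; other fields stay strings. None if no match."""
    m = MSG_106100_RE.match(text.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("src_port", "dst_port", "hit_cnt"):
        d[key] = int(d[key])
    return d


def iter_messages(log_text):
    """Yield the parsed header of every FWSM line in the log."""
    for line in log_text.splitlines():
        hdr = parse_header(line)
        if hdr:
            yield hdr


def count_by_msg_id(log_text):
    """Message volume per message ID, useful for spotting which IDs dominate."""
    return Counter(h["msg_id"] for h in iter_messages(log_text))


def summarize_denies(log_text):
    """Per source address: total hit-cnt of 'denied' 106100 messages and the sorted
    set of destination ports touched. Each 106100 line reports one flow for one
    interval, so summing hit-cnt per source totals the denies the ACL counted."""
    hits = defaultdict(int)
    ports = defaultdict(set)
    for h in iter_messages(log_text):
        if h["msg_id"] != "106100":
            continue
        f = parse_106100(h["text"])
        if f is None or f["action"] != "denied":
            continue
        hits[f["src_addr"]] += f["hit_cnt"]
        ports[f["src_addr"]].add(f["dst_port"])
    return {src: {"denied_hits": hits[src], "dst_ports": sorted(ports[src])}
            for src in hits}


def flag_port_probes(summary, min_ports=2):
    """Sources whose denies spread over at least min_ports distinct destination
    ports, the footprinting/port-scan pattern the 106023 guidance refers to."""
    return sorted(src for src, s in summary.items() if len(s["dst_ports"]) >= min_ports)


if __name__ == "__main__":
    summary = summarize_denies(SAMPLE_LOG)
    print(dict(count_by_msg_id(SAMPLE_LOG)))
    print(summary)
    print("possible probes:", flag_port_probes(summary))
```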
106101