Table Of Contents
System Log Messages
This chapter lists the FWSM system log messages. The messages are listed numerically by message code.
Note
The messages shown in this guide apply to software Version 3.2 and higher. When a number is skipped in a sequence, the message is no longer in the software.
This chapter includes the following sections:
Messages 102001 to 199009
This section contains messages from 102001 to 199009.
102001
Error Message %FWSM-1-102001: (Primary) Power failure/System reload other side.Explanation This is a failover message, which is logged if the primary unit detects a system reload or a power failure on the other unit. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action On the unit that experienced the reload, issue the show crashinfo command to determine whether there is a traceback associated with the reload. Also verify that the unit is powered on and that power cables are connected correctly.
103001
Error Message %FWSM-1-103001: (Primary) No response from other firewall (reason code = code).Explanation This is a failover message, which is displayed if the primary unit is unable to communicate with the secondary unit over the failover cable. (Primary) can also be listed as (Secondary). for the secondary unit. Table 1-1 lists the reason codes and the descriptions to determine why the failover occurred.
Recommended Action Verify that the failover cable is connected correctly and both units have the same hardware, software, and configuration. If the problem persists, contact the Cisco TAC.
103002
Error Message %FWSM-1-103002: (Primary) Other firewall network interface interface_number OK.Explanation This is a failover message, which is displayed when the primary unit detects that the network interface on the secondary unit is okay. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
103003
Error Message %FWSM-1-103003: (Primary) Other firewall network interface interface_number failed.Explanation This is a failover message, which is displayed if the primary unit detects a bad network interface on the secondary unit. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Check the network connections on the secondary unit and check the network hub connection. If necessary, replace the failed network interface.
103004
Error Message %FWSM-1-103004: (Primary) Other firewall reports this firewall failed.Explanation This is a failover message, which is displayed if the primary unit receives a message from the secondary unit indicating that the primary has failed. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Verify the status of the primary unit.
103005
Error Message %FWSM-1-103005: (Primary) Other firewall reporting failure.Explanation This is a failover message, which is displayed if the secondary unit reports a failure to the primary unit. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Verify the status of the secondary unit.
103006
Error Message %FWSM-1-103006: (Primary|Secondary) Mate version ver_num is not compatible with ours ver_numExplanation This message appears when the firewall detects that a peer unit is running a version that is not the same as the local unit and is not compatible with the HA Hitless Upgrade feature.
•
Recommended Action Install the same version or a compatible version image on both firewall units.
103007
Error Message %FWSM-1-103007: (Primary|Secondary) Mate version ver_num is not identical with ours ver_numExplanation This message appears when the firewall detects that a peer unit is running a version that is not identical, but does support Hitless Upgrade and is compatible with the local unit. The system performance could be degraded because the image version is not the same, and the peer unit could encounter a stability issue if running a different version for an extended period.
•
Recommended Action Install the same version image on both units as soon as possible.
104001, 104002
Error Message %FWSM-1-104001: (Primary) Switching to ACTIVE (cause: string).Error Message %FWSM-1-104002: (Primary) Switching to STNDBY (cause: string).Explanation Both instances are failover messages, which usually are logged when you force the pair to switch roles, either by entering the failover active command on the standby unit, or the no failover active command on the active unit. (Primary) can also be listed as (Secondary) for the secondary unit. Possible values for the string variable are as follows:
•
•
•
•
•
•
Recommended Action If the message occurs because of manual intervention, none required. Otherwise, use the cause reported by the secondary unit to verify the status of both units of the pair.
104003
Error Message %FWSM-1-104003: (Primary) Switching to FAILED.Explanation This is a failover message, which is displayed when the primary unit fails.
Recommended Action Check the system log messages for the primary unit for an indication of the nature of the problem (see message 104001). (Primary) can also be listed as (Secondary) for the secondary unit.
104004
Error Message %FWSM-1-104004: (Primary) Switching to OK.Explanation This is a failover message, which is displayed when a previously failed unit now reports that it is operating again. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
105001
Error Message %FWSM-1-105001: (Primary) Disabling failover.Explanation This is a failover message, which is displayed when you enter the no failover command on the console. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
105002
Error Message %FWSM-1-105002: (Primary) Enabling failover.Explanation This is a failover message, which is displayed when you enter the failover command with no arguments on the console, after having previously disabled failover. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
105003
Error Message %FWSM-1-105003: (Primary) Monitoring on interface interface_name waitingExplanation This is a failover message. The security appliance is testing the specified network interface with the other unit of the failover pair. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required. The security appliance monitors its network interfaces frequently during normal operations.
105004
Error Message %FWSM-1-105004: (Primary) Monitoring on interface interface_name normalExplanation This is a failover message. The test of the specified network interface was successful. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
105005
Error Message %FWSM-1-105005: (Primary) Lost Failover communications with mate on interface interface_name.Explanation This is a failover message, which is displayed if this unit of the failover pair can no longer communicate with the other unit of the pair. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Verify that the network connected to the specified interface is functioning correctly.
105006, 105007
Error Message %FWSM-1-105006: (Primary) Link status Up on interface interface_name.Error Message %FWSM-1-105007: (Primary) Link status Down on interface interface_name.Explanation Both instances are failover messages, which report the results of monitoring the link status of the specified interface. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action If the link status is down, verify that the network connected to the specified interface is operating correctly.
105008
Error Message %FWSM-1-105008: (Primary) Testing interface interface_name.Explanation This is a failover message, which is displayed when the tests a specified network interface. This testing is performed only if the security appliance fails to receive a message from the standby unit on that interface after the expected interval. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action None required.
105010
Error Message %FWSM-3-105010: (Primary) Failover message block alloc failedExplanation Block memory was depleted. This is a transient message, and the security appliance should recover. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Use the show blocks command to monitor the current block memory.
105020
Error Message %FWSM-1-105020: (Primary) Incomplete/slow config replicationExplanation When a failover occurs, the active security appliance detects a partial configuration in memory. Normally, this is caused by an interruption in the replication service. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Once the failover is detected by the security appliance, the security appliance automatically reloads itself and loads configuration from Flash memory and/or resynchronizes with another security appliance. If failovers happen continuously, check the failover configuration and make sure both security appliance units can communicate with each other.
105021
Error Message %FWSM-1-105021: (failover_unit) Standby unit failed to sync due to a locked context_name config. Lock held by lock_owner_nameExplanation During configuration synchronization, a standby unit will reload itself if another process locks the configuration for more than five minutes, which prevents the failover process from applying the new configuration. This can occur when an administrator pages through a running configuration on the standby unit while configuration synchronization is in process. See the show running-config EXEC command and the pager lines num CONFIG command.
Recommended Action Avoid viewing or modifying the configuration on the standby unit when it first boots up and is establishing a failover connection with the active unit.
105031
Error Message %FWSM-1-105031: Failover LAN interface is upExplanation The LAN failover interface link is up.
Recommended Action None required.
105032
Error Message %FWSM-1-105032: LAN Failover interface is downExplanation The LAN failover interface link is down.
Recommended Action Check the connectivity of the LAN failover interface. Make sure that the speed/duplex setting is correct.
105034
Error Message %FWSM-1-105034: Receive a LAN_FAILOVER_UP message from peer.Explanation The peer has just booted and sent the initial contact message.
Recommended Action None required.
105035
Error Message %FWSM-1-105035: Receive a LAN failover interface down msg from peer.Explanation The peer LAN failover interface link is down. The unit switches to active mode if it is in standby mode.
Recommended Action Check the connectivity of the peer LAN failover interface.
105038
Error Message %FWSM-1-105038: (Primary) Interface count mismatchExplanation When a failover occurs, the active security appliance detects a partial configuration in memory. Normally, this is caused by an interruption in the replication service. (Primary) can also be listed as (Secondary) for the secondary unit.
Recommended Action Once the failover is detected by the security appliance, the security appliance automatically reloads the configuration from Flash memory and/or resynchronizes with another security appliance. If failovers happen continuously, check the failover configuration and make sure that both security appliances can communicate with each other.
105039
Error Message %FWSM-1-105039: (Primary) Unable to verify the Interface count with mate. Failover may be disabled in mate.Explanation Failover initially verifies that the number of interfaces configured on the primary and secondary security appliances are the same. This message indicates that the primary security appliance is not able to verify the number of interfaces configured on the secondary security appliance and that the primary security appliance is not able communicate with the secondary security appliance over the failover interface. (Primary) can also be listed as (Secondary) for the secondary security appliance.
Recommended Action Verify the failover LAN, interface configuration, and status on the primary and secondary security appliances. Make sure that the secondary security appliance is running the security appliance application and that failover is enabled.
105040
Error Message %FWSM-1-105040: (Primary) Mate failover version is not compatible.Explanation The primary and secondary security appliance should run the same failover software version to act as a failover pair. This message indicates that the secondary security appliance failover software version is not compatible with the primary security appliance. Failover is disabled on the primary security appliance. (Primary) can also be listed as (Secondary) for the secondary security appliance.
Recommended Action Maintain consistent software versions between the primary and secondary security appliances to enable failover.
105042
Error Message %FWSM-1-105042: (Primary) Failover interface OKExplanation LAN failover interface link is up.
Explanation The interface used to send failover messages to the secondary security appliance is functioning. (Primary) can also be listed as (Secondary) for the secondary security appliance.
Recommended Action None required.
105043
Error Message %FWSM-1-105043: (Primary) Failover interface failedExplanation The LAN failover interface link is down.
Recommended Action Check the connectivity of the LAN failover interface. Make sure that the speed/duplex setting is correct.
105044
Error Message %FWSM-1-105044: (Primary) Mate operational mode mode is not compatible with my mode mode.Explanation When the operational mode (single or multi) does not match between failover peers, failover will be disabled.
Recommended Action Configure the failover peers to have the same operational mode, and then reenable failover.
105045
Error Message %FWSM-1-105045: (Primary) Mate license (number contexts) is not compatible with my license (number contexts).Explanation When the feature licenses do not match between failover peers, failover will be disabled.
Recommended Action Configure the failover peers to have the same feature license, and then reenable failover.
105046
Error Message %FWSM-1-105046 (Primary|Secondary) Mate has a different chassisExplanation This message is issued when two failover units have a different type of chassis. For example, one has a three-slot chassis, and the other has a six-slot chassis.
Recommended Action Make sure that the two failover units are the same.
105047
Error Message %FWSM-1-105047: Mate has a io_card_name1 card in slot slot_number which is different from my io_card_name2Explanation The two failover units have different types of cards in their respective slots.
Recommended Action Make sure that the card configurations for the failover units are the same.
106001
Error Message %FWSM-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_nameExplanation This is a connection-related message, which occurs when an attempt to connect to an inside address is denied by your security policy. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the security appliance, and it was dropped. The tcp_flags in this packet are FIN and ACK.
The tcp_flags are as follows:
•
•
•
•
•
•
Recommended Action None required.
106002
Error Message %FWSM-2-106002: protocol Connection denied by outbound list acl_ID src inside_address dest outside_addressExplanation This is a connection-related message, which is displayed if the specified connection fails because of an outbound deny command. The protocol variable can be ICMP, TCP, or UDP.
Recommended Action Use the show outbound command to check outbound lists.
106006
Error Message %FWSM-2-106006: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name.Explanation This is a connection-related message, which is displayed if an inbound UDP packet is denied by your security policy.
Recommended Action None required.
106007
Error Message %FWSM-2-106007: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port due to DNS {Response|Query}.Explanation This is a connection-related message, which is displayed if a UDP packet containing a DNS query or response is denied.
Recommended Action If the inside port number is 53, the inside host probably is set up as a caching name server. Add an access-list command statement to permit traffic on UDP port 53. If the outside port number is 53, a DNS server was probably too slow to respond, and the query was answered by another server.
106010
Error Message %FWSM-3-106010: Deny inbound protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_portExplanation This is a connection-related message, which is displayed if an inbound connection is denied by your security policy.
Recommended Action Modify the security policy if traffic should be permitted. If the message occurs at regular intervals, contact the remote peer administrator.
106011
Error Message %FWSM-3-106011: Deny inbound (No xlate) stringExplanation The message will appear under normal traffic conditions if there are internal users that are accessing the Internet through a web browser. This message will appear any time a connection is reset, when the host at the end of the connection sends a packet after the security appliance receives the reset. It can typically be ignored.
Recommended Action Prevent this system log message from getting logged to the syslog server by entering the no logging message 106011 command.
106012
Error Message %FWSM-6-106012: Deny IP from IP_address to IP_address, IP options hex.Explanation This is a packet integrity check message. An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.
Recommended Action Contact the remote host system administrator to determine the problem. Check the local site for loose source routing or strict source routing.
106013
Error Message %FWSM-2-106013: Dropping echo request from IP_address to PAT address IP_addressExplanation The security appliance discarded an inbound ICMP Echo Request packet with a destination address that corresponds to a PAT global address. The inbound packet is discarded because it cannot specify which PAT host should receive the packet.
Recommended Action None required.
106014
Error Message %FWSM-3-106014: Deny inbound icmp src interface_name: IP_address dst interface_name: IP_address (type dec, code dec)Explanation The security appliance denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted.
Recommended Action None required.
106015
Error Message %FWSM-6-106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.Explanation The security appliance discarded a TCP packet that has no associated connection in the security appliance connection table. The security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the security appliance discards the packet.
Recommended Action None required unless the security appliance receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason that these packets were sent.
106016
Error Message %FWSM-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.Explanation The security appliance discarded a packet with an invalid source address. Invalid source addresses are those addresses belonging to the following:
•
•
•
To further enhance spoof packet detection, use the conduit command to configure the security appliance to discard packets with source addresses belonging to the internal network. Now that the icmp command has been implemented, the conduit command has been deprecated and is no longer guaranteed to work properly.
Recommended Action Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
106017
Error Message %FWSM-2-106017: Deny IP due to Land Attack from IP_address to IP_addressExplanation The security appliance received a packet with the IP source address equal to the IP destination, and the destination port equal to the source port. This message indicates a spoofed packet that is designed to attack systems. This attack is referred to as a Land Attack.
Recommended Action If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.
106018
Error Message %FWSM-2-106018: ICMP packet type ICMP_type denied by outbound list acl_ID src inside_address dest outside_addressExplanation The outgoing ICMP packet with the specified ICMP from local host (inside_address) to the foreign host (outside_address) was denied by the outbound ACL list.
Recommended Action None required.
106020
Error Message %FWSM-2-106020: Deny IP teardrop fragment (size = number, offset = number) from IP_address to IP_addressExplanation The security appliance discarded an IP packet with a teardrop signature containing either a small offset or fragment overlapping. This is a hostile event that circumvents the security appliance or an Intrusion Prevention Service.
Recommended Action Contact the remote peer administrator or escalate this issue according to your security policy.
106021
Error Message %FWSM-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_nameExplanation An attack is in progress. Someone is attempting to spoof an IP address on an inbound connection. Unicast RPF, also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your security appliance.
This message appears when you have enabled Unicast RPF with the ip verify reverse-path command. This feature works on packets input to an interface; if it is configured on the outside, then the security appliance checks packets arriving from the outside.
The security appliance looks up a route based on the source_address. If an entry is not found and a route is not defined, then this system log message appears and the connection is dropped.
If there is a route, the security appliance checks which interface it corresponds to. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination. The security appliance does not support asymmetric routing.
If the security appliance is configured on an internal interface, it checks static route command statements or RIP, and if the source_address is not found, then an internal user is spoofing their address.
Recommended Action Although an attack is in progress, if this feature is enabled, no user action is required. The security appliance repels the attack.
106022
Error Message %FWSM-1-106022: Deny protocol connection spoof from source_address to dest_address on interface interface_nameExplanation A packet matching a connection arrives on a different interface from the interface that the connection began on.
For example, if a user starts a connection on the inside interface, but the security appliance detects the same connection arriving on a perimeter interface, the security appliance has more than one path to a destination. This is known as asymmetric routing and is not supported on the security appliance.
An attacker also might be attempting to append packets from one connection to another as a way to break into the security appliance. In either case, the security appliance displays this message and drops the connection.
Recommended Action This message appears when the ip verify reverse-path command is not configured. Check that the routing is not asymmetric.
106023
Error Message %FWSM-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_IDExplanation An IP packet was denied by the ACL. This message displays even if you do not have the log option enabled for an extended ACL.
Recommended Action If messages persist from the same source address, messages might indicate a foot-printing or port-scanning attempt. Contact the remote host administrators.
106024
Error Message %FWSM-2-106024: Access rules memory exhaustedExplanation The access list compilation process has run out of memory. All configuration information that has been added since the last successful access list was removed from the system, and the most recently compiled set of access lists will continue to be used.
Recommended Action Access lists, AAA, ICMP, SSH, Telnet, and other rule types are stored and compiled as access list rule types. Remove some of these rule types so that others can be added.
106025, 106026
Error Message %FWSM-6-106025: Failed to determine the security context for the packet:sourceVlan:source_address dest_address source_port dest_port protocolError Message %FWSM-6-106026: Failed to determine the security context for the packet:sourceVlan:source_address dest_address source_port dest_port protocolExplanation The security context of the packet in multiple context mode cannot be determined. Both messages can be generated for IP packets being dropped in either router or transparent mode.
Recommended Action None required.
106027
Error Message %FWSM-4-106027:Failed to determine the security context for the packet:vlansource Vlan#:ethertype src sourceMAC dst destMACExplanation The security context of the packet in multiple context mode cannot be determined. This message is generated for non-IP packets being dropped in transparent mode only.
Recommended Action None required.
106100
Error Message %FWSM-6-106100: access-list acl_ID {permitted | denied | est-allowed} protocol interface_name/source_address(source_port) -> interface_name/dest_address(dest_port) hit-cnt number ({first hit | number-second interval})Explanation If you configured the log option for the access-list command, the packets matched an ACL statement. The message level depends on the level set in the access-list command.
The message indicates either the initial occurrence or the total number of occurrences during an interval. This message provides more information than Message 106027, which only logs denied non-IP packets, and does not include the hit count or a configurable level. The following list describes the message values:•
•
•
•
•
•
•
•
•
•
Recommended Action None required.
106101
Error Message %FWSM-1-106101 The number of ACL log deny-flows has reached limit (number).Explanation If you configured the log option for an ACL deny statement (access-list id deny command), and a traffic flow matches the ACL statement, the security appliance caches the flow information. This message indicates that the number of matching flows that are cached on the security appliance exceeds the user-configured limit (using the access-list deny-flow-max command).
•
Recommended Action None required. This message might be generated as a result of a DoS attack.
107001
Error Message %FWSM-1-107001: RIP auth failed from IP_address: version=number, type=string, mode=string, sequence=number on interface interface_nameExplanation This is an alert log message. The security appliance received a RIP reply message with bad authentication. This message might be caused by a misconfiguration on the router or the ASDM, or by an unsuccessful attempt to attack the routing table of the security appliance.
Recommended Action This message indicates a possible attack and should be monitored. If you are not familiar with the source IP address listed in this message, change your RIP authentication keys between trusted entities. An attacker might be trying to determine the existing keys.
107002
Error Message %FWSM-1-107002: RIP pkt failed from IP_address: version=number on interface interface_nameExplanation This is an alert log message, which could be caused by a router bug, a packet with non-RFC values inside, or a malformed entry. This should not happen, and may be an attempt to exploit the routing table of the security appliance.
Recommended Action This message indicates a possible attack and should be monitored. The packet has passed authentication, if enabled, and bad data is in the packet. Monitor the situation and change the keys if there are any doubts about the originator of the packet.
108002
Error Message %FWSM-2-108002: SMTP replaced string: out source_address in inside_address data: stringExplanation This is a Mail Guard (SMTP) message generated by the fixup protocol smtp command. This message is displayed if the security appliance replaces an invalid character in an e-mail address with a space.
Recommended Action None required.
108003
Error Message %FWSM-2-108003: Terminating ESMTP/SMTP connection; malicious pattern detected in the mail address from source_interface:source_address/source_port to dest_interface:dest_address/dset_port. Data:stringExplanation This message is generated by Mail Guard (SMTP), which is displayed if the security appliance detects malicious pattern in an e-mail address and drops the connection. This indicates an attack in progress.
Explanation None required.
109001
Error Message %FWSM-6-109001: Auth start for user user from inside_address/inside_port to outside_address/outside_portExplanation This is an authentication, authorization and accounting (AAA) message, which is displayed if the security appliance is configured for AAA and detects an authentication request by the specified user.
Recommended Action None required.
109002
Error Message %FWSM-6-109002: Auth from inside_address/inside_port to outside_address/outside_port failed (server IP_address failed) on interface interface_name.Explanation This is a AAA message and is displayed if an authentication request fails because the specified authentication server cannot be contacted by the module.
Recommended Action Check that the authentication daemon is running on the specified authentication server.
109003
Error Message %FWSM-6-109003: Auth from src_ip/src_port to dest_ip/dest_port failed (all servers failed) on interface interface_name, so marking all servers ACTIVE againExplanation This is a AAA message and is displayed when all authentication servers have failed. These servers are automatically marked as ACTIVE again and we continue to send authentication requests to each server, one request at a time.
Recommended Action Ping the authentication servers from the security appliance. Make sure that the daemons are running.
109005
Error Message %FWSM-6-109005: Authentication succeeded for user user from inside_address/inside_port to outside_address/outside_port on interface interface_name.Explanation This is a AAA message and is displayed when the specified authentication request succeeds.
Recommended Action None required.
109006
Error Message %FWSM-6-109006: Authentication failed for user user from inside_address/inside_port to outside_address/outside_port on interface interface_name.Explanation This is a AAA message and is displayed if the specified authentication request fails, possibly because of an incorrect password.
Recommended Action None required.
109007
Error Message %FWSM-6-109007: Authorization permitted for user user from inside_address/inside_port to outside_address/outside_port on interface interface_name.Explanation This is a AAA message and is displayed when the specified authorization request succeeds.
Recommended Action None required.
109008
Error Message %FWSM-6-109008: Authorization denied for user user from outside_address/outside_port to inside_address/ inside_port on interface interface_name.Explanation This is a AAA message and is displayed if a user is not authorized to access the specified address, possibly because of an incorrect password.
Recommended Action None required.
109010
Error Message %FWSM-3-109010: Auth from inside_address/inside_port to outside_address/outside_port failed (too many pending auths) on interface interface_name.Explanation This is a AAA message and is displayed if an authentication request cannot be processed because the server has too many requests pending.
Recommended Action Check to see if the authentication server is too slow to respond to authentication requests. Enable the Flood Defender feature with the floodguard enable command.
109011
Error Message %FWSM-2-109011: Authen Session Start: user 'user', sid numberExplanation An authentication session started between the host and the security appliance and has not yet completed.
Recommended Action None required.
109012
Error Message %FWSM-5-109012: Authen Session End: user 'user', sid number, elapsed number secondsExplanation The authentication cache has timed out. Users must reauthenticate on their next connection. You can change the duration of this timer with the timeout uauth command.
Recommended Action None required.
109013
Error Message %FWSM-3-109013: User must authenticate before using this serviceExplanation The user must be authenticated before using the service.
Recommended Action Authenticate using FTP, Telnet, or HTTP before using the service.
109014
Error Message %FWSM-7-109014: uauth_lookup_net fail for uauth_in()Explanation A request to authenticate did not have a corresponding request for authorization.
Recommended Action Ensure that both the aaa authentication and aaa authorization command statements are included in the configuration.
109016
Error Message %FWSM-3-109016: Can't find authorization ACL acl_ID for user 'user'Explanation The access control list specified on the AAA server for this user does not exist on the security appliance. This error can occur if you configure the AAA server before you configure the security appliance. The Vendor-Specific Attribute (VSA) on the AAA server might be one of the following values:
•
•
•
Recommended Action Add the ACL to the security appliance, making sure to use the same name specified on the AAA server.
109017
Error Message %FWSM-4-109017: User at IP_address exceeded auth proxy connection limit (max)Explanation A user has exceeded the user authentication proxy limit, and has opened too many connections to the proxy.
Recommended Action Increase the proxy limit by entering the proxy-limit proxy_limit command, or ask the user to close unused connections. If the error persists, it may indicate a possible DoS attack.
109018
Error Message %FWSM-3-109018: Downloaded ACL acl_ID is emptyExplanation The downloaded authorization access control list has no ACEs. This situation might be caused by misspelling the attribute string "ip:inacl#" or omitting the access-list command.
junk:junk# 1=permit tcp any any eq junk ip:inacl#1="Recommended Action Correct the ACL components that have the indicated error on the AAA server.
109019
Error Message %FWSM-3-109019: Downloaded ACL acl_ID has parsing error; ACE stringExplanation An error is encountered during parsing the sequence number NNN in the attribute string ip:inacl#NNN= of a downloaded authorization access control list. The reason is: - missing = - contains non-numeric, non-space characters between '#' and '=' - NNN is greater than 999999999.
For example:hostname# 1 permit tcp any anyhostname# 1junk2=permit tcp any anyhostname# 1000000000=permit tcp any anyRecommended Action Correct the ACL element that has the indicated error on the AAA server.
109020
Error Message %FWSM-3-109020: Downloaded ACL has config error; ACEExplanation One of the components of the downloaded authorization access control list has a configuration error. The entire text of the element is included in the system log message. This message is usually caused by an invalid access-list command statement.
Recommended Action Correct the ACL component that has the indicated error on the AAA server.
109021
Error Message %FWSM-7-109021: Uauth null proxy errorExplanation An internal User Authentication error has occurred.
Recommended Action None required. However, if this error appears repeatedly, contact Cisco TAC.
109022
Error Message %FWSM-4-109022: exceeded HTTPS proxy process limitExplanation For each HTTPS authentication, the security appliance dedicates a process to service the authentication request. When the number of concurrently running processes exceeds the system-imposed limit, the security appliance does not perform the authentication, and this message is displayed.
Recommended Action None required.
109023
Error Message %FWSM-3-109023: User from source_address/source_port to dest_address/dest_port on interface outside_interface must authenticate before using this service.Explanation This is a AAA message. Based on the configured policies, you need to be authenticated before you can use this service port.
Recommended Action Authenticate using Telnet, FTP, or HTTP before attempting to use this service port.
109024
Error Message %FWSM-6-109024: Authorization denied from source_address/source_port to dest_address/dest_port (not authenticated) on interface interface_name using protocolExplanation This is a AAA message. This message is displayed if the security appliance is configured for AAA and a user attempted to make a TCP connection across the security appliance without prior authentication.
Recommended Action None required.
109025
Error Message %FWSM-6-109025: Authorization denied (acl=acl_ID) for user 'user' from source_address/source_port to dest_address/dest_port on interface interface_name using protocolExplanation The access control list check failed. The check either matched a deny or did not match anything, such as an implicit deny. The connection was denied by the user access control list acl_ID, which was defined according to the AAA authorization policy on the Cisco Secure Access Control Server (ACS).
Recommended Action None required.
109026
Error Message %FWSM-3-109026: [aaa protocol] Invalid reply digest received; shared server key may be mismatched.Explanation The response from the AAA server could not be validated. It is likely that the configured server key is incorrect. This event may be generated during transactions with RADIUS or TACACS+ servers.
Recommended Action Verify that the server key, configured using the aaa-server command, is correct.
109027
Error Message %FWSM-4-109027: [aaa protocol] Unable to decipher response message Server = server_IP_address, User = userExplanation The response from the AAA server could not be validated. The configured server key is probably incorrect. This message may be displayed during transactions with RADIUS or TACACS+ servers. The server_IP_address is the IP address of the relevant AAA server. The user is the username associated with the connection.
Recommended Action Verify that the server key, configured using the aaa-server command, is correct.
109028
Error Message %FWSM-4-109028: aaa bypassed for same-security traffic from ingress_ interface:source_address/source_port to
egress_interface:dest_address/dest_portExplanation AAA is being bypassed for same security traffic that matches a configured AAA rule. This can only occur when traffic passes between two interfaces that have the same configured security level, when the same security traffic is permitted, and if the AAA configuration uses the include or exclude syntax.
Recommended Action None required.
109029
Error Message %FWSM-5-109029: Parsing downloaded ACL: stringExplanation A syntax error was encountered while parsing an access list that was downloaded from a RADIUS server during user authentication.
•
Recommended Action Use the information presented in this message to identify and correct the syntax error in the access list definition within the RADIUS server configuration.
109030
Error Message %FWSM-4-109030: Autodetect ACL convert wildcard did not convert ACL access_list source | dest netmask netmaskExplanation This message is displayed when a dynamic ACL that is configured on a RADIUS server is not converted by the mechanism for automatically detecting wildcard netmasks. The problem occurs because this mechanism could not determine if the netmask is a wildcard or a normal netmask.
•
•
•
•
Recommended Action Check the access list netmask on the RADIUS server for wildcard configuration. If it is meant to be a wildcard, and if all access list netmasks on that server are wildcard, then use the wildcard setting for acl-netmask-convert for the AAA server. Otherwise, change the netmask to a normal netmask or to a wildcard netmask that does not contain holes when the netmask presents consecutive binary 1s. For example, 00000000.00000000.00011111.11111111 or hex 0.0.31.255. If the mask is meant to be normal and all access list netmasks on that server are normal, then use the normal setting acl-netmask-convert for the AAA server.
109031
Error Message %FWSM-4-109031: NT Domain Authentication Failed: rejecting guest login for usernameExplanation This message is displayed when a user tries to authenticate to an NT Auth domain that was configured for guest account access and the username is not a valid username on the NT server. The connection is denied.
Recommended Action If the user is a valid user, add an account to the NT server. If the user is not allowed access, none required.
109032
Error Message %FWSM-3-109032: Unable to install ACL access_list, downloaded for user username; Error in ACE: ace.Explanation This message is displayed when an access control list is received from a RADIUS server during the authentication of a network user. The log event indicates a syntax error in one of the elements of the access list. When this occurs, the element is discarded, but the rest of access list is still applied. The entire text of the malformed element is included in the message. Note that this condition does not result in an authentication failure.
•
•
•
Recommended Action Correct the access list definition in the RADIUS server configuration.
109035
Error Message %FWSM-4-109035: Authentication failed for user username as the password expiredExplanation This message indicates that the password entered has expired. The user is prompted to change the password, and enters a new one.
Recommended Action None required.
109036
Error Message %FWSM-4-109036: Teardown protocol connection session_id for src_if:src_ip/src_port to dest_if:dest_ip/dest_port duration duration bytes bytes due to Uauth timeoutExplanation This message indicates that a connection has been closed because of a uauth timeout.
•
•
•
•
•
•
•
•
•
•
Recommended Action None required.
109037
Error Message %FWSM-4-109037: Authentication cannot be done for the user from src_ip to dest_ip for application since auth_proto client is too busyExplanation This message indicates that the client cannot authenticate when Radius and TACACS+ packet identifiers have run out, because of heavy traffic. The identifier has eight bits in the Radius and TACACS+ packet. Consequently, a maximum of 256 packets can be present at any time.
•
•
•
•
This system log message occurs in addition to the following messages on the client:
RADIUS client too busy - try laterTACACS+ client too busy - try laterRecommended Action None required. This behavior is normal with heavy traffic.
109039
Error Message %FWSM-4-109039: Func_ID: Uauth Unproxy Failed due to the reason: Failed_ReasonExplanation This message tracks the "Unproxy Failed" error message on the console and provides additional information about the reason for failure. The Func_ID variable indicates the function for which this message is being generated.
This message may occur in the following scenarios:
•
•
•
•
Recommended Action None required.
110001
Error Message %FWSM-6-110001: No route to dest_address from source_addressExplanation This message indicates a route lookup failure. A packet is looking for a destination IP address that is not in the routing table.
Recommended Action Check the routing table and make sure that a route to the destination exists.
111002
Error Message %FWSM-5-111002: Begin configuration: IP_address reading from deviceExplanation This message is displayed when you enter the <> command to read a configuration from a device (a floppy disk, Flash memory, TFTP, the failover standby unit, or the console terminal). The IP_address indicates whether the login was made at the console port or with a Telnet connection.
Recommended Action None required.
111003
Error Message %FWSM-5-111003: IP_address Erase configurationExplanation This is a management message. This message is displayed when you erase the contents of Flash memory by entering the write erase command at the console. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.
Recommended Action After erasing the configuration, reconfigure the security appliance and save the new configuration. Alternatively, you can restore information from a configuration that was previously saved, on a floppy disk or on a TFTP server elsewhere on the network.
111004
Error Message %FWSM-5-111004: IP_address end configuration: {FAILED|OK}Explanation This message is displayed when you enter the config floppy/memory/ network command or the write floppy/memory/network/standby command. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.
Recommended Action None required if the message ends with OK. If the message indicates a failure, try to fix the problem. For example, if writing to a floppy disk, ensure that the floppy disk is not write protected; if writing to a TFTP server, ensure that the server is up.
111005
Error Message %FWSM-5-111005: IP_address end configuration: OKExplanation This message is displayed when you exit the configuration mode. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.
Recommended Action None required.
111007
Error Message %FWSM-5-111007: Begin configuration: IP_address reading from device.Explanation This message is displayed when you enter the reload or configure command to read in a configuration. The device text can be floppy, memory, net, standby, or terminal. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.
Recommended Action None required.
111008
Error Message %FWSM-5-111008: User user executed the command stringExplanation The user entered a command that modified the configuration.
Recommended Action None required.
111009
Error Message %FWSM-7-111009:User user executed cmd:stringExplanation The user entered a command that does not modify the configuration.
Recommended Action None required.
111111
Error Message %FWSM-1-111111 error_messageExplanation A system or an infrastructure error has occurred.
Recommended Action Copy the error message and submit it to Cisco TAC, along with the configuration and any details about the events leading up to this error.
112001
Error Message %FWSM-2-112001: (string:dec) Clear complete.Explanation This message is displayed when a request to clear the module configuration is completed. The source file and line number are identified.
Recommended Action None required.
113001
Error Message %FWSM-3-113001: Unable to open AAA session. Session limit [limit] reached.Explanation A AAA operation on an IPSec tunnel could not be performed because of the unavailability of system resources. The limit value indicates the maximum number of concurrent AAA transactions.
Recommended Action Reduce the demand for AAA resources if possible.
113003
Error Message %FWSM-6-113003: AAA group policy for user user is being set to policy_name.Explanation The group policy that is associated with the tunnel-group is being overridden with a user specific policy, policy_name. The policy_name is specified using the username command when LOCAL authentication is configured or is returned in the RADIUS CLASS attribute when RADIUS authentication is configured.
Recommended Action None required.
113004
Error Message %FWSM-6-113004: AAA user aaa_type Successful: server = server_IP_address, User = userExplanation This is an indication that a AAA operation on an IPSec connection has been completed successfully. The AAA types are authentication, authorization, or accounting. The server_IP_address is the IP address of the relevant AAA server. The user is the username associated with the connection.
Recommended Action None required.
113005
Error Message %FWSM-6-113005: AAA user authentication Rejected: reason = string: server = server_IP_address, User = userExplanation This is an indication that either an authentication or authorization request for a user associated with an IPSec connection has been rejected. Details of why the request was rejected are provided in the reason variable. server_IP_address is the IP address of the relevant AAA server. user is the username associated with the connection. aaa_operation is either authentication or authorization.
Recommended Action None required.
113006
Error Message %FWSM-6-113006: User user locked out on exceeding number successive failed authentication attemptsExplanation A locally configured user is being locked out. This happens when a configured number of consecutive authentication failures have occurred for this user and indicates that all future authentication attempts by this user will be rejected until an administrator unlocks the user using the clear aaa local user lockout command. user is the user that is now locked and number is the consecutive failure threshold configured with the aaa local authentication attempts max-fail command.
Recommended Action Try unlocking the user using the clear_aaa_local_user_lockout command or adjusting the maximum number of consecutive authentication failures that are tolerated.
113007
Error Message %FWSM-6-113007: User user unlocked by administratorExplanation A locally configured user that was locked out after exceeding the maximum number of consecutive authentication failures set by the aaa local authentication attempts max-fail command has been unlocked by the indicated administrator.
Recommended Action None required.
113008
Error Message %FWSM-6-113008: AAA transaction status ACCEPT: user = userExplanation A AAA transaction for a user associated with an IPSec connection was completed successfully. The user is the username associated with the connection.
Recommended Action None required.
113009
Error Message %FWSM-6-113009: AAA retrieved default group policy policy for user userExplanation This message may be generated during the authentication or authorization of an IPSec connection. The attributes of the group policy that were specified with the tunnel-group commands have been retrieved.
Recommended Action None required.
113010
Error Message %FWSM-6-113010: AAA challenge received for user user from server server_IP_addressExplanation This message may be generated during the authentication of an IPSec connection when the authentication is done with a SecurID server. The user will be prompted to provide further information before being authenticated. The server _IP_address is the IP address of the relevant AAA server. The user is the username associated with the connection.
Recommended Action None required.
113011
Error Message %FWSM-6-113011: AAA retrieved user specific group policy policy for user userExplanation This event may be generated during the authentication or authorization of an IPSec connection. The attributes of the group policy that was specified with the tunnel-group commands have been retrieved.
Recommended Action None required.
113012
Error Message %FWSM-6-113012: AAA user authentication Successful: local database: user = userExplanation The user associated with a IPSec connection has been successfully authenticated to the local user database. The user is the username associated with the connection.
Recommended Action None required.
113013
Error Message %FWSM-6-113013: AAA unable to complete the request Error: reason = reason: user = userExplanation A AAA transaction for a user associated with an IPSec connection has failed because of an error or has been rejected because of a policy violation. Details are provided in the reason variable. The user is the username associated with the connection.
Recommended Action None required.
113014
Error Message %FWSM-6-113014: AAA authentication server not accessible: server = server_IP_address: user = userExplanation The device was unable to communicate with the configured AAA server during a AAA transaction associated with an IPSec connection. This may or may not result in a failure of the user connection attempt, depending on the backup servers configured in the aaa-server group and the availability of those servers.
Recommended Action Verify connectivity with the configured AAA servers.
113015
Error Message %FWSM-6-113015: AAA user authentication Rejected: reason = reason: local database: user = userExplanation A request for authentication to the local user database for a user associated with an IPSec connection has been rejected. Details of why the request was rejected are provided in the reason variable. The user is the username associated with the connection.
Recommended Action None required.
113016
Error Message %FWSM-6-113016: AAA credentials rejected: reason = reason: server = server_IP_address: user = userExplanation A AAA transaction for a user associated with an IPSec connection has failed because of an error or rejected because of a policy violation. Details are provided in the reason variable. The server_IP_address is the IP address of the relevant AAA server. The user is the username associated with the connection.
Recommended Action None required.
113017
Error Message %FWSM-6-113017: AAA credentials rejected: reason = reason: local database: user = user\Explanation This is an indication that a AAA transaction for a user associated with an IPSec connection has failed because of an error or rejected because of a policy violation. Details are provided in the reason variable. This event only appears when the AAA transaction is with the local user database rather than with an external AAA server. The user is the username associated with the connection.
Recommended Action None required.
113018
Error Message %FWSM-3-113018: User: user, Unsupported downloaded ACL Entry: ACL_entry, Action: actionExplanation An ACL entry in unsupported format was downloaded from the authentication server. The following list describes the message values:
•
•
•
Recommended Action The ACL entry on the authentication server has to be changed appropriately by the administrator to conform with the supported ACL entry formats.
113019
Error Message %FWSM-4-113019: Group = group, Username = user, IP = peer_address, Session disconnected. Session Type: type, Duration: duration, Bytes xmt: count, Bytes rcv: countExplanation This is an informational message.
•
•
•
•
•
•
Recommended Action None required.
199001
Error Message %FWSM-5-199001: Reload command executed from telnet (remote IP_address).Explanation This message logs the address of the host that is initiating a security appliance reboot with the reload command.
Recommended Action None required.
199002
Error Message %FWSM-6-199002: startup completed. Beginning operation.Explanation The security appliance finished its initial boot and the Flash memory reading sequence, and is ready to begin operating normally.
Note
Recommended Action None required.
199003
Error Message %FWSM-6-199003: Reducing link MTU dec.Explanation The security appliance received a packet from the outside network that uses a larger MTU than the inside network. The security appliance then sent an ICMP message to the outside host to negotiate an appropriate MTU. The log message includes the sequence number of the ICMP message.
Recommended Action None required.
199005
Error Message %FWSM-6-199005: Startup beginExplanation The security appliance started.
Recommended Action None required.
199006
Error Message %FWSM-5-199006: Orderly reload started at when by whom. Reload reason: reasonExplanation This message is generated when a reload operation is started.
•
•
•
Recommended Action None required.
199907
Error Message %FWSM-5-1999007:IP detected an attached application using port port while removing contextExplanation When an interface or context is removed, all applications should close all channels for that context or interface. This message indicates that an application had not closed all channels for a removed interface or application and is doing so now.
Recommended Action None required.
199908
Error Message %FWSM-5-1999008:Protocol detected an attached application using local port local_port and destination port dest_portExplanation When an interface or context is removed, all applications should close all channels for that context or interface. This message indicates that an application had not closed all channels for a removed interface or application and is doing so now.
Recommended Action None required.
199909
Error Message %FWSM-7-199009: ICMP detected an attached application while removing a contextExplanation When an interface or context is removed, all applications should close all channels for that context or interface. This message indicates that an application had not closed all channels for a removed interface or application and is doing so now.
Recommended Action None required.
Messages 201002 to 217001
This section contains messages from 201002 to 217001.
201002
Error Message %FWSM-3-201002: Too many TCP connections on {static|xlate} global_address! econns nconnsExplanation This is a connection-related message. This message is displayed when the maximum number of TCP connections to the specified global address was exceeded. The econns variable is the maximum number of embryonic connections and the nconns variable is the maximum number of connections permitted for the static or xlate.
Recommended Action Use the show static or show nat command to check the limit imposed on connections to a static address. The limit is configurable.
201003
Error Message %FWSM-2-201003: Embryonic limit exceeded nconns/elimit for outside_address/outside_port (global_address) inside_address/inside_port on interface interface_nameExplanation This is a connection-related message regarding traffic to the security appliance. This message is displayed when the number of embryonic connections from the specified foreign address with the specified static global address to the specified local address exceeds the embryonic limit. When the limit on embryonic connections to the security appliance is reached, the security appliance attempts to accept them anyway, but puts a time limit on the connections. This situation allows some connections to succeed even if the security appliance is very busy. The nconns variable lists the number of embryonic connections received and the elimit variable lists the maximum number of embryonic connections specified in the static or nat command.
Recommended Action This message indicates a more serious overload than message 201002. It could be caused by a SYN attack, or by a very heavy load of legitimate traffic. Use the show static command to check the limit imposed on embryonic connections to a static address.
201004
Error Message %FWSM-3-201004: Too many UDP connections on {static|xlate} global_address! udp connections limitExplanation This is a connection-related message. This message is displayed when the maximum number of UDP connections to the specified global address was exceeded. The udp conn limit variable is the maximum number of UDP connections permitted for the static or translation.
Recommended Action Use the show static or show nat command to check the limit imposed on connections to a static address. You can configure the limit.
201005
Error Message %FWSM-3-201005: FTP data connection failed for IP_address IP_addressExplanation The security appliance could not allocate a structure to track the data connection for FTP because of insufficient memory.
Recommended Action Reduce the amount of memory usage or purchase additional memory.
201006
Error Message %FWSM-3-201006: RCMD backconnection failed for IP_address/portExplanation This is a connection-related message. This message is displayed if the security appliance is unable to preallocate connections for inbound standard output for rsh commands because of insufficient memory.
Recommended Action Check the rsh client version; the security appliance only supports the Berkeley rsh. You can also reduce the amount of memory usage, or purchase additional memory.
201009
Error Message %FWSM-3-201009: TCP connection limit of number for host IP_address on interface_name exceededExplanation This is a connection-related message. This message is displayed when the maximum number of connections to the specified static address was exceeded. The number variable is the maximum of connections permitted for the host specified by the IP_address variable.
Recommended Action Use the show static and show nat commands to check the limit imposed on connections to an address. The limit is configurable.
202001
Error Message %FWSM-3-202001: Out of address translation slots!Explanation This is a connection-related message. This message is displayed if the security appliance has no more address translation slots available.
Recommended Action Check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translates and connections. This error message could also be caused by insufficient memory; reduce the amount of memory usage, or purchase additional memory usage if possible.
202005
Error Message %FWSM-3-202005: Non-embryonic in embryonic list outside_address/outside_port inside_address/inside_portExplanation This is a connection-related message. This message is displayed when a connection object (xlate) is in the wrong list.
Recommended Action Contact Cisco TAC.
202011
Error Message %FWSM-3-202011: Connection limit exceeded econns/limit for dir packet from source_address/source_port to dest_address/dest_port on interface interface_nameExplanation This message is displayed when an attempt to create a TCP or UDP connection fails because of an exceeded connection limit which is configured with the set connection conn-max Modular Policy Framework command for a traffic class.
•
•
•
input— The first packet that initiates the connection is an input packet on the interface interface_name.
output— The first packet that initiates the connection is an output packet on the interface interface_name.•
•
•
Recommended Action None required.
208005
Error Message %FWSM-3-208005: (function:line_num) clear command return codeExplanation The security appliance received a nonzero value (an internal error) when attempting to clear the configuration in Flash memory. The message includes the reporting subroutine filename and line number.
Recommended Action For performance reasons, the end host should be configured to not inject IP fragments. This configuration change is probably because of NFS. Set the read and write size equal to the interface MTU for NFS.
209003
Error Message %FWSM-4-209003: Fragment database limit of number exceeded: src = source_address, dest = dest_address, proto = protocol, id = numberExplanation Too many IP fragments are currently awaiting reassembly. By default, the maximum number of fragments is 200 (refer to the fragment size command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference to raise the maximum). The security appliance limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the security appliance under abnormal network conditions. In general, fragmented traffic should be a small percentage of the total traffic mix. An exception is in a network environment with NFS over UDP where a large percentage is fragmented traffic; if this type of traffic is relayed through the security appliance, consider using NFS over TCP instead. To prevent fragmentation, see the sysopt connection tcpmss bytes command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
Recommended Action If this message persists, a denial of service (DoS) attack might be in progress. Contact the remote peer administrator or upstream provider.
209004
Error Message %FWSM-4-209004: Invalid IP fragment, size = bytes exceeds maximum size = bytes: src = source_address, dest = dest_address, proto = protocol, id = numberExplanation An IP fragment is malformed. The total size of the reassembled IP packet exceeds the maximum possible size of 65,535 bytes.
Recommended Action A possible intrusion event may be in progress. If this message persists, contact the remote peer administrator or upstream provider.
209005
Error Message %FWSM-4-209005: Discard IP fragment set with more than number elements: src = Too many elements are in a fragment set.Explanation The security appliance disallows any IP packet that is fragmented into more than 24 fragments. For more information, see the fragment command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
Recommended Action A possible intrusion event may be in progress. If the message persists, contact the remote peer administrator or upstream provider. You can change the number of fragments per packet by using the fragment chain xxx interface_name command.
210001
Error Message %FWSM-3-210001: LU sw_module_name error = numberExplanation A Stateful Failover error occurred.
Recommended Action If this error persists after traffic lessens through the security appliance, report this error to Cisco TAC.
210002
Error Message %FWSM-3-210002: LU allocate block (bytes) failed.Explanation Stateful Failover could not allocate a block of memory to transmit stateful information to the standby security appliance.
Recommended Action Check the failover interface using the show interface command to make sure its transmission is normal. Also check the current block memory using the show block command. If current available count is 0 within any of the blocks of memory, then reload the security appliance software to recover the lost blocks of memory.
210003
Error Message %FWSM-3-210003: Unknown LU Object numberExplanation Stateful Failover received an unsupported Logical Update object and was unable to process it. This could be caused by corrupted memory, LAN transmissions, and other events.
Recommended Action If you see this error infrequently, none required. If this error occurs frequently, check the Stateful Failover link LAN connection. If the error was not caused by a faulty failover link LAN connection, determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
210005
Error Message %FWSM-3-210005: LU allocate connection failedExplanation Stateful Failover cannot allocate a new connection on the standby unit. This may be caused by little or no RAM memory available within the security appliance.
Recommended Action Check the available memory using the show memory command to make sure that the security appliance has free memory in the system. If there is no available memory, add more physical memory to the security appliance.
210006
Error Message %FWSM-3-210006: LU look NAT for IP_address failedExplanation Stateful Failover was unable to locate a NAT group for the IP address on the standby unit. The active and standby security appliance units may be out of synchronization.
Recommended Action Use the write standby command on the active unit to synchronize system memory with the standby unit.
210007
Error Message %FWSM-3-210007: LU allocate xlate failedExplanation Stateful Failover failed to allocate a translation (xlate) slot record.
Recommended Action Check the available memory by using the show memory command to make sure that the security appliance has free memory in the system. If no memory is available, add more memory.
210008
Error Message %FWSM-3-210008: LU no xlate for inside_address/inside_port outside_address/outside_portExplanation Unable to find a translation slot (xlate) record for a Stateful Failover connection; unable to process the connection information.
Recommended Action Enter the write standby command on the active unit to synchronize system memory between the active and standby units.
210010
Error Message %FWSM-3-210010: LU make UDP connection for outside_address:outside_port inside_address:inside_port failedExplanation Stateful Failover was unable to allocate a new record for a UDP connection.
Recommended Action Check the available memory by using the show memory command to make sure that the security appliance has free memory in the system. If no memory is available, add more memory.
210020
Error Message %FWSM-3-210020: LU PAT port port reserve failedExplanation Stateful Failover is unable to allocate a specific PAT address which is in use.
Recommended Action Enter the write standby command on the active unit to synchronize system memory between the active and standby units.
210021
Error Message %FWSM-3-210021: LU create static xlate global_address ifc interface_name failedExplanation Stateful Failover is unable to create a translation slot (xlate).
Recommended Action Enter the write standby command on the active unit to synchronize system memory between the active and standby units.
210022
Error Message %FWSM-6-210022: LU missed number updatesExplanation Stateful Failover assigns a sequence number for each record sent to the standby unit. When a received record sequence number is out of sequence with the last updated record, the information in-between is assumed lost and this error message is sent.
Recommended Action Unless there are LAN interruptions, check the available memory on both security appliance units to ensure that enough memory is available to process the stateful information. Use the show failover command to monitor the quality of stateful information updates.
211001
Error Message %FWSM-3-211001: Memory allocation ErrorExplanation Failed to allocate RAM system memory.
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact Cisco TAC.
211003
Error Message %FWSM-3-211003: CPU utilization for number seconds = percentExplanation This message is displayed if the percentage of CPU usage is greater than 100 percent for the number of seconds.
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact Cisco TAC.
212001
Error Message %FWSM-3-212001: Unable to open SNMP channel (UDP port port) on interface interface_number, error code = codeExplanation This is an SNMP message, which reports that the security appliance is unable to receive SNMP requests destined for the security appliance from SNMP management stations located on this interface. This does not affect the SNMP traffic passing through the security appliance through any interface.
•
•
Recommended Action After the security appliance reclaims some of its resources when traffic is lighter, reenter the snmp-server host command for that interface.
212002
Error Message %FWSM-3-212002: Unable to open SNMP trap channel (UDP port port) on interface interface_number, error code = codeExplanation This is an SNMP message, which reports that the security appliance is unable to send its SNMP traps from the security appliance to SNMP management stations located on this interface. This does not affect the SNMP traffic passing through the security appliance through any interface.
•
•
Recommended Action After the security appliance reclaims some of its resources when traffic is lighter, reenter the snmp-server host command for that interface.
212003
Error Message %FWSM-3-212003: Unable to receive an SNMP request on interface interface_number, error code = code, will try againExplanation This is an SNMP message, which is displayed because of an internal error in receiving an SNMP request destined for the security appliance on the specified interface.
Recommended Action None required. The security appliance SNMP agent waits for the next SNMP request.
212004
Error Message %FWSM-3-212004: Unable to send an SNMP response to IP Address IP_address Port port interface interface_number, error code = codeExplanation This is an SNMP message, which is displayed because an internal error occurred in sending an SNMP response from the security appliance to the specified host on the specified interface.
Recommended Action None required.
212005
Error Message %FWSM-3-212005: incoming SNMP request (number bytes) on interface interface_name exceeds data buffer size, discarding this SNMP request.Explanation This is an SNMP message, which reports that the length of the incoming SNMP request destined for the security appliance exceeds the size of the internal data buffer (512 bytes) used for storing the request during internal processing. The security appliance is unable to process this request. This situation does not affect the SNMP traffic passing through the security appliance using any interface.
Recommended Action Have the SNMP management station resend the request with a shorter length. For example, instead of querying multiple MIB variables in one request, try querying only one MIB variable in a request. You may need to modify the configuration of the SNMP management software.
212006
Error Message %FWSM-3-212006: Dropping SNMP request from source_address/source_port to interface_name:dest_address/dest_port because: reasonExplanation This is a SNMP message, which is displayed if the device is unable to process a SNMP request for the following reasons:
•
•
Recommended Action Make sure that the SNMP daemon is entering by issuing the snmp-server enable command. Only SNMPv1 and v2c packets are handled by the device.
214001
Error Message %FWSM-2-214001: Terminating manager session from IP_address on interface interface_name. Reason: incoming encrypted data (number bytes) longer than number bytesExplanation An incoming encrypted data packet destined for the security appliance management port indicates a packet length exceeding the specified upper limit. This may be a hostile event. The security appliance immediately terminates this management connection.
Recommended Action Ensure that the management connection was initiated by Cisco Secure Policy Manager.
215001
Error Message %FWSM-2-215001:Bad route_compress() call, sdb= numberExplanation An internal software error occurred.
Recommended Action Contact Cisco TAC.
217001
Error Message %FWSM-2-217001: No memory for string in stringExplanation An operation failed because of low memory.
Recommended Action If sufficient memory exists, then copy the error message, the configuration, and any details about the events leading up to the error and send them to Cisco TAC.
Messages 302003 to 326028
This section contains messages from 302003 to 326028.
302003
Error Message %FWSM-6-302003: Built H245 connection for foreign_address outside_address/outside_port local_address inside_address/inside_portExplanation This is a connection-related message. This message is displayed when an H.245 connection is started from the outside_address to the inside_address. This message only occurs if the security appliance detects the use of an Intel Internet phone. The foreign port (outside port) only displays on connections from outside the security appliance. The local port value (inside port) only appears on connections started on an internal interface.
Recommended Action None required.
302004
Error Message %FWSM-6-302004: Pre-allocate H323 UDP backconnection for foreign_address outside_address/outside_port to local_address inside_address/inside_portExplanation A connection-related message that is displayed when an H.323 UDP back-connection is preallocated to the foreign address (outside_address) from the local address (inside_address). This message only occurs if the security appliance detects the use of an Intel Internet phone. The foreign port (outside_port) only displays on connections from outside the security appliance. The local port value (inside_port) only appears on connections started on an internal interface.
Recommended Action None required.
302009
Error Message %FWSM-6-302009: Rebuilt TCP connection number for foreign_address outside_address/outside_port global_address global_address/global_port local_address inside_address/inside_portExplanation A connection-related message that appears after a TCP connection is rebuilt after a failover. A sync packet is not sent to the other security appliance. The outside_address IP address is the foreign host, the global_address IP address is a global address on the lower security level interface, and the inside_address IP address is the local IP address "behind" the security appliance on the higher security level interface.
Recommended Action None required.
302010
Error Message %FWSM-6-302010: connections in use, connections most usedExplanation This is a connection-related message. This message appears after a TCP connection restarts. connections is the number of connections.
Recommended Action None required.
302012
Error Message %FWSM-6-302012: Pre-allocate H225 Call Signalling Connection for faddr IP_address/port to laddr IP_addressExplanation An H.225 secondary channel has been preallocated.
Recommended Action None required.
302013
Error Message %FWSM-6-302013: Built {inbound|outbound} TCP connection_id for source:real-address/real-port (mapped-address/mapped-port) to destination:real-address/real-port (mapped-address/mapped-port) [(user)]Explanation A TCP connection slot between two hosts was created.
•
•
•
•
If inbound is specified, the original control connection was initiated from the outside. For example, for FTP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, the original control connection was initiated from the inside.
Recommended Action None required.
302014
Error Message %FWSM-6-302014: Teardown TCP connection id for interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes bytes [reason] [(user)]Explanation A TCP connection between two hosts was deleted. The following list describes the message values:
•
•
•
•
•
The reason variable presents the action that causes the connection to terminate. Set the reason variable to one of the TCP termination reasons listed in Table 1-2.
Recommended Action None required.
302015
Error Message %FWSM-6-302015: Built {inbound|outbound} UDP connection number for interface_name:real_address/real_port (mapped_address/mapped_port) to interface_name:real_address/real_port (mapped_address/mapped_port) [(user)]Explanation A UDP connection slot between two hosts is created. The following list describes the message values:
•
•
•
•
If inbound is specified, then the original control connection is initiated from the outside. For example, for UDP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, then the original control connection is initiated from the inside.
Recommended Action None required.
302016
Error Message %FWSM-6-302016: Teardown UDP connection number for interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes bytes [(user)]Explanation A UDP connection slot between two hosts was deleted. The following list describes the message values:
•
•
•
•
•
•
•
•
•
Recommended Action None required.
302017
Error Message %FWSM-6-302017: Built {inbound|outbound}
GRE connection id from
interface:real_address (translated_address) to
interface:real_address/real_cid
(translated_address/translated_cid)[(user)Explanation A GRE connection slot between two hosts is created. The id is an unique identifier. The interface, real_address, real_cid tuple identifies one of the two simplex PPTP GRE streams. The parenthetical translated_address, translated_cid tuple identifies the translated value with NAT.
If inbound is indicated, then the connection can only be used inbound. If outbound is indicated, then the connection can only be used for outbound. The following list shows the message values:•
•
•
•
•
•
•
•
•
Recommended Action This is an informational message.
302018
Error Message %FWSM-6-302018: Teardown GRE connection id from
interface:real_address (translated_address) to
interface:real_address/real_cid
(translated_address/translated_cid)
duration hh:mm:ss bytes bytes [(user)]Explanation A GRE connection slot between two hosts is deleted. The interface, real_address, real_port tuple identifies the actual sockets. Duration accounts the lifetime of the connection. The following list shows the message values:
•
•
•
•
•
•
•
•
Recommended Action This is an informational message.
302019
Error Message %FWSM-3-302019: H.323 library_name ASN Library failed to initialize, error code numberExplanation The specified ASN library that the security appliance uses for decoding the H.323 messages failed to initialize; the security appliance cannot decode or inspect the arriving H.323 packet. The security appliance allows the H.323 packet to pass through without any modification. When the next H.323 message arrives, the security appliance attempts to initialize the library again.
Recommended Action If this message is generated consistently for a particular library, contact Cisco TAC and provide them with all log messages (preferably with timestamps).
302020
Error Message %FWSM-6-302020: Built {in | out}bound ICMP connection for faddr
{faddr | icmp_seq_num} gaddr {gaddr | cmp_type} laddr laddrExplanation An ICMP session was established in fast-path when stateful ICMP is enabled using the fixup protocol icmp command.
Recommended Action None required.
302021
Error Message %FWSM-6-302021: Teardown ICMP connection for faddr {faddr | icmp_seq_num} gaddr {gaddr | cmp_type} laddr laddrExplanation An ICMP session was removed in fast-path when stateful ICMP is enabled using the fixup protocol icmp command.
Recommended Action None required.
302022
Error Message %FWSM-6-302022: Built IP protocol 103 connection 219025360 for int_112:172.16.2.1 (172.16.2.1) to int_102:172.16.112.2 (172.16.112.2)Explanation A non-TCP/UDP connection slot between two hosts was created.
Recommended Action None required.
302023
Error Message %FWSM-6-302023: Teardown IP protocol 103 connection 219025359 for int_102:172.16.2.1 to int_112:172.16.112.2 duration 0:00:35 bytes 74Explanation A non-TCP/UDP connection slot between two hosts was deleted.
Recommended Action None required.
302024
Error Message %FWSM-6-302024: Pre-allocated H323 GUP connection for faddr intf: {foreign-address /foreign-port} to laddr intf: {local-address/local-port}Explanation A connection-related message that is displayed when a GUP connection is started from the foreign address to the local address. The foreign (outside) port only displays on connections outside the FWSM. The local (inside) port value only appears on connections that are started on an internal interface.
Recommended Action None required.
302025
Error Message %FWSM-4-302025: Unable to Pre-allocate H323 GUP Connection for faddr intf: {foreign-address/foreign-port} to laddr intf: {local-address/local-port}Explanation The module failed to allocate RAM system memory while starting a connection or has no more address translation slots available.
Recommended Action If this message occurs periodically, ignore it. If this message occurs frequently, contact Cisco TAC. You can check the size of the global pool compared to the number of inside network clients. Alternatively, you can shorten the timeout interval of translations and connections. Insufficient memory may also cause this message; try reducing the amount of memory used or purchasing more memory.
302302
Error Message %FWSM-3-302302: ACL = deny; no sa createdExplanation IPSec proxy mismatches. Proxy hosts for the negotiated SA correspond to a deny access-list command policy.
Recommended Action Check the access-list command statement in the configuration. Contact the administrator for the peer.
303002
Error Message %FWSM-6-303002: source_address {Stored|Retrieved} dest_address: mapped_addressExplanation This is an FTP/URL message. This message is displayed when the specified host attempts to store or retrieve data from the specified FTP site.
Recommended Action None required.
303003
Error Message %FWSM-6-303003: FTP cmd_name command denied - failed strict inspection, terminating connection from source_interface:source_address/source_port to dest_interface:dest_address/dest_portExplanation This message is generated when using strict inspection on FTP traffic. It is displayed if an FTP request command is denied by the strict FTP inspection policy from the ftp-map command.
Recommended Action None required.
303004
Error Message %FWSM-5-303004: FTP cmd_string command unsupported - failed strict inspection, terminating connection from source_interface:source_address/source_port to dest_interface:dest_address/dest_interfaceExplanation This message appears when using strict FTP inspection on FTP traffic. It is displayed if an FTP request message contains a command that is not recognized by the device.
Recommended Action None required.
304001
Error Message %FWSM-5-304001: user source_address Accessed {JAVA URL|URL} dest_address: url.Explanation This is an FTP/URL message that is generated for HTTPS traffic when it is inspected using the filter https command. The source and destination IP addresses are included in the message, but the URL is not included because it cannot be decrypted through inspection.
Recommended Action None required.
304002
Error Message %FWSM-5-304002: Access denied URL chars SRC IP_address DEST IP_address: charsExplanation This is an FTP/URL message. This message is displayed if access from the source address to the specified URL or FTP site is denied.
Recommended Action None required.
304003
Error Message %FWSM-3-304003: URL Server IP_address timed out URL urlExplanation A URL server timed out.
Recommended Action None required.
304004
Error Message %FWSM-6-304004: URL Server IP_address request failed URL urlExplanation This is an FTP/URL message. This message is displayed if a Websense server request fails.
Recommended Action None required.
304005
Error Message %FWSM-7-304005: URL Server IP_address request pending URL urlExplanation This is an FTP/URL message. This message is displayed when a Websense server request is pending.
Recommended Action None required.
304006
Error Message %FWSM-3-304006: URL Server IP_address not respondingExplanation This is an FTP/URL message. The Websense server is unavailable for access, and the security appliance attempts to either try to access the same server if it is the only server installed, or another server if there is more than one.
Recommended Action None required.
304007
Error Message %FWSM-2-304007: URL Server IP_address not responding, ENTERING ALLOW mode.Explanation This is an FTP/URL message. This message is displayed when you use the allow option of the filter command, and the Websense servers are not responding. The security appliance allows all web requests to continue without filtering while the servers are not available.
Recommended Action None required.
304008
Error Message %FWSM-2-304008: LEAVING ALLOW mode, URL Server is up.Explanation This is an FTP/URL message. This message is displayed when you use the allow option of the filter command, and the security appliance receives a response message from a Websense server that previously was not responding. With this response message, the security appliance exits the allow mode, which enables the URL filtering feature again.
Recommended Action None required.
304009
Error Message %FWSM-7-304009: Ran out of buffer blocks specified by url-block commandExplanation The URL pending buffer block is running out of space.
Recommended Action Change the buffer block size by entering the url-block block block_size command.
305005
Error Message %FWSM-3-305005: No translation group found for protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_portExplanation A packet does not match any of the outbound nat command rules.
Recommended Action This message indicates a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the NAT 0 ACL.
305006
Error Message %FWSM-3-305006: {outbound static|identity|portmap|regular) translation creation failed for protocol src interface_name:source_address/source_port dst interface_name:dest_address/dest_portExplanation A protocol (UDP, TCP, or ICMP) failed to create a translation through the firewall. The firewall provides this checking for addresses that are explicitly identified with static command statements. With the change, for inbound traffic, the firewall denies translations for a destined IP address identified as a network or broadcast address.
The firewall does not apply PAT to all ICMP message types; it only applies PAT ICMP echo and echo-reply packets (types 8 and 0). Specifically, only ICMP echo or echo-reply packets create a PAT xlate. So, when the other ICMP messages types are dropped, this message is generated.
The firewall uses the global IP and mask from configured static command statements to differentiate regular IP addresses from network or broadcast IP addresses. If the global IP address is a valid network address with a matching network mask, then the firewall does not create a translation for network or broadcast IP addresses with inbound packets.
For example:
static (inside,outside) 10.2.2.128 10.1.1.128 netmask 255.255.255.128
Global address 10.2.2.128 is responded to as a network address and 10.2.2.255 is responded to as the broadcast address. Without an existing translation, the firewall denies inbound packets destined for 10.2.2.128 or 10.2.2.255, and generates this system log message.
When the suspected IP is a host IP, configure a separated static command statement with a host mask in front of the subnet static (first match rule for static command statements). The following static command statements cause the firewall to respond to 10.2.2.128 as a host address:
static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.255
static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.128The translation may be created by traffic started with the inside host with the questioned IP address. Because the firewall views a network or broadcast IP address as a host IP address with overlapped subnet static configuration, the network address translation for both static command statements must be the same.
Recommended Action None required.
305007
Error Message %FWSM-6-305007: addrpool_free(): Orphan IP IP_address on interface interface_numberExplanation The security appliance has attempted to translate an address that it cannot find in any of its global pools. The security appliance assumes that the address was deleted and drops the request.
Recommended Action None required.
305008
Error Message %FWSM-3-305008: Free unallocated global IP address.Explanation The security appliance kernel detected an inconsistency condition when trying to free an unallocated global IP address back to the address pool. This abnormal condition may occur if the security appliance is running a Stateful Failover setup and some of the internal states are momentarily out of synchronization between the active unit and the standby unit. This condition is not catastrophic, and the synchronization recovers automatically.
Recommended Action Report this condition to Cisco TAC if you continue to see this message.
305009
Error Message %FWSM-6-305009: Built {dynamic|static} translation from interface_name [(acl-name)]:real_address to interface_name:mapped_addressExplanation An address translation slot was created. The slot translates the source address from the local side to the global side. In reverse, the slot translates the destination address from the global side to the local side.
Recommended Action None required.
305010
Error Message %FWSM-6-305010: Teardown {dynamic|static} translation from interface_name:real_address to interface_name:mapped_address duration timeExplanation The address translation slot was deleted.
Recommended Action None required.
305011
Error Message %FWSM-6-305011: Built {dynamic|static} {TCP|UDP|ICMP} translation from interface_name:real_address/real_port to interface_name:mapped_address/mapped_portExplanation A TCP, UDP, or ICMP address translation slot was created. The slot translates the source socket from the local side to the global side. In reverse, the slot translates the destination socket from the global side to the local side.
Recommended Action None required.
305012
Error Message %FWSM-6-305012: Teardown {dynamic|static} {TCP|UDP|ICMP} translation from interface_name [(acl-name)]:real_address/{real_port|real_ICMP_ID} to interface_name:mapped_address/{mapped_port|mapped_ICMP_ID} duration timeExplanation The address translation slot was deleted.
Recommended Action None required.
308001
Error Message %FWSM-6-308001: console enable password incorrect for number tries (from IP_address)Explanation This is a security appliance management message. This message is displayed after the specified number of times a user incorrectly types the password to enter privileged mode. The maximum is three attempts.
Recommended Action Verify the password and try again.
308002
Error Message %FWSM-4-308002: static global_address inside_address netmask netmask overlapped with global_address inside_addressExplanation The IP addresses in one or more static command statements overlap. global_address is the global address, which is the address on the lower security interface, and inside_address is the local address, which is the address on the higher security-level interface.
Recommended Action Use the show static command to view the static command statements in your configuration and fix the commands that overlap. The most common overlap occurs if you specify a network address such as 10.1.1.0, and in another static command you specify a host within that range such as 10.1.1.5.
311001
Error Message %FWSM-6-311001: LU loading standby startExplanation Stateful Failover update information was sent to the standby security appliance when the standby security appliance is first to be online.
Recommended Action None required.
311002
Error Message %FWSM-6-311002: LU loading standby endExplanation Stateful Failover update information stopped sending to the standby security appliance.
Recommended Action None required.
311003
Error Message %FWSM-6-311003: LU recv thread upExplanation An update acknowledgment was received from the standby security appliance.
Recommended Action None required.
311004
Error Message %FWSM-6-311004: LU xmit thread upExplanation This message appears when a Stateful Failover update is transmitted to the standby security appliance.
Recommended Action None required.
312001
Error Message %FWSM-6-312001: RIP hdr failed from IP_address: cmd=string, version=number domain=string on interface interface_nameExplanation The security appliance received a RIP message with an operation code other than reply, the message has a version number different from what is expected on this interface, and the routing domain entry was nonzero.
Recommended Action This message is informational, but it may also indicate that another RIP device is not configured correctly to communicate with the security appliance.
313001
Error Message %FWSM-3-313001: Denied ICMP type=number, code=code from IP_address on interface interface_nameExplanation When using the icmp command with an access list, if the first matched entry is a permit entry, the ICMP packet continues processing. If the first matched entry is a deny entry or an entry is not matched, the security appliance discards the ICMP packet and generates this system log message. The icmp command enables or disables pinging to an interface. With pinging disabled, the security appliance cannot be detected on the network. This feature is also referred to as configurable proxy pinging.
Recommended Action Contact the administrator of the peer device.
313003
Error Message %FWSM-4-313003: Invalid destination for ICMP errorExplanation The destination for the ICMP error message is different than the source of the IP packet that induced the ICMP error message.
Recommended Action If the message occurs frequently, this could be an active network probe, an attempt to use the ICMP error message as a covert channel, or a misbehaving IP host. Contact the administrator of the host that originated the ICMP error message.
313004
Error Message %FWSM-4-313004:Denied ICMP type=icmp_type, from source_address oninterface interface_name to dest_address:no matching sessionExplanation ICMP packets were dropped by the security appliance because of security checks added by the stateful ICMP feature that are usually either ICMP echo replies without a valid echo request already passed across the security appliance or ICMP error messages not related to any TCP, UDP, or ICMP session already established in the security appliance.
Recommended Action None required.
314001
Error Message %FWSM-6-314001: Pre-allocate RTSP UDP backconnection for foreign_address outside_address/outside_port to local_address inside_address/inside_portExplanation The security appliance opened an RTSP connection for the specified IP addresses and ports.
Recommended Action None required.
315004
Error Message %FWSM-3-315004: Fail to establish SSH session because RSA host key retrieval failed.Explanation The security appliance could not find the security appliance RSA host key, which is required for establishing an SSH session. The security appliance host key may be absent because it was not generated or because the license for this security appliance does not allow DES or 3DES.
Recommended Action From the console, enter the show ca mypubkey rsa command to verify that the security appliance RSA host key is present. If not, also enter the show version command to check whether the security appliance license allows DES or 3DES.
315011
Error Message %FWSM-6-315011: SSH session from IP_address on interface interface_name for user user disconnected by SSH server, reason: reasonExplanation This message appears after an SSH session completes. If a user enters quit or exit, the terminated normally message displays. If the session disconnected for another reason, the text describes the reason. Table 1-3 lists the possible reasons why a session disconnected.
Recommended Action None required.
316001
Error Message %FWSM-3-316001: Denied new tunnel to IP_address. VPN peer limit (platform_vpn_peer_limit) exceededExplanation If more VPN tunnels (ISAKMP/IPSec) are concurrently attempting to be established than supported by the platform VPN peer limit, then the excess tunnels are aborted.
Recommended Action None required.
317001
Error Message %FWSM-3-317001: No memory available for limit_slowExplanation The requested operation failed because of a low-memory condition.
Recommended Action Reduce other system activity to ease memory demands. If conditions warrant, upgrade to a larger memory configuration.
317002
Error Message %FWSM-3-317002: Bad path index of number for IP_address, number maxExplanation A software error occurred.
Recommended Action To determine the cause of the problem, contact Cisco TAC for assistance.
317003
Error Message %FWSM-3-317003: IP routing table creation failure - reasonExplanation An internal software error occurred, which prevented the creation of new IP routing table.
Recommended Action Copy the message exactly as it appears, and report it to Cisco TAC.
317004
Error Message %FWSM-3-317004: IP routing table limit warningExplanation The number of routes in the named IP routing table has reached the configured warning limit.
Recommended Action Reduce the number of routes in the table, or reconfigure the limit.
317005
Error Message %FWSM-3-317005: IP routing table limit exceeded - reason, IP_address netmaskExplanation Additional routes will be added to the table.
Recommended Action Reduce the number of routes in the table, or reconfigure the limit.
318001
Error Message %FWSM-3-318001: Internal error: reasonExplanation An internal software error occurred. This message occurs at five-second intervals.
Recommended Action To determine the cause of the problem, contact Cisco TAC for assistance.
318002
Error Message %FWSM-3-318002: Flagged as being an ABR without a backbone areaExplanation The router was flagged as an area border router (ABR) without a backbone area configured in the router. This message occurs at five-second intervals.
Recommended Action Restart the OSPF process.
318003
Error Message %FWSM-3-318003: Reached unknown state in neighbor state machineExplanation An internal software error occurred. This message occurs at five-second intervals.
Recommended Action None required.
318004
Error Message %FWSM-3-318004: area string lsid IP_address mask netmask adv IP_address type numberExplanation OSPF had a problem locating the link state advertisement (LSA), which might lead to a memory leak.
Recommended Action To determine the cause of the problem, contact Cisco TAC for assistance.
318005
Error Message %FWSM-3-318005: lsid ip_address adv IP_address type number gateway gateway_address metric number network IP_address mask netmask protocol hex attr hex net-metric numberExplanation OSPF found an inconsistency between its database and the IP routing table.
Recommended Action To determine the cause of the problem, contact Cisco TAC for assistance.
318006
Error Message %FWSM-3-318006: if interface_name if_state numberExplanation An internal error occurred.
Recommended Action To determine the cause of the problem, contact Cisco TAC for assistance.
318007
Error Message %FWSM-3-318007: OSPF is enabled on interface_name during idb initializationExplanation An internal error occurred.
Recommended Action To determine the cause of the problem, contact Cisco TAC for assistance.
318008
Error Message %FWSM-3-318008: OSPF process number is changing router-id. Reconfigure virtual link neighbors with our new router-idExplanation The OSPF process is being reset, and it is going to select a new router ID. This action will bring down all virtual links.
Recommended Action Change virtual link configuration on all of the virtual link neighbors to reflect the new router ID.
319001
Error Message %FWSM-3-319001: Acknowledge for arp update for IP address dest_address not received (number).Explanation The ARP process in the security appliance lost internal synchronization because the system was overloaded.
Recommended Action No immediate action is required. The failure is only temporary. Check the average load of the system and make sure it is not used beyond its capabilities.
319002
Error Message %FWSM-3-319002: Acknowledge for route update for IP address dest_address not received (number).Explanation The routing module in the security appliance lost internal synchronization because the system was overloaded.
Recommended Action No immediate action required. The failure is only temporary. Check the average load of the system and make sure it is not used beyond its capabilities.
319003
Error Message %FWSM-3-319003: Arp update for IP address address to NPn failed.Explanation When an ARP entry has to be updated, a message is sent to the network processor (NP) in order to update the internal ARP table. If the module is experiencing high utilization of memory or if the internal table is full, the message to the NP may be rejected and this message generated.
Recommended Action Verify if the ARP table is full. If it is not full, check the load of the module with respect to the CPU utilization and connections per second. If CPU utilization is high and/or there is a large number of connections per second, normal operations will resume when the load returns to normal.
319004
Error Message %FWSM-3-319004: Route update for IP address dest_address failed (number)Explanation The routing module in the FWSM lost internal synchronization because the system was overloaded.
Recommended Action No immediate action required. The failure is only temporary. Check the average load of the system and make sure it is not used beyond its capabilities.
320001
Error Message %FWSM-3-320001: The subject name of the peer cert is not allowed for connectionExplanation When the security appliance is an easy FWSM remote device or server, the peer certificate contains a subject name that does not match the ca verifycertdn command.
Recommended Action This message might indicate a "man-in-the-middle" attack, where a device spoofs the peer IP address and attempts to intercept a VPN connection from the security appliance.
321001
Error Message %FWSM-5-321001: Resource var1 limit of var2 reached.Explanation A configured resource usage or rate limit for the indicated resource was reached.
Recommended Action None required.
321002
Error Message %FWSM-5-321002: Resource var1 rate limit of var2 reached.Explanation A configured resource usage or rate limit for the indicated resource was reached.
Recommended Action None required.
321003
Error Message %FWSM-6-321003: Resource var1 log level of var2 reached.Explanation A configured resource usage or rate log level for the indicated resource was reached.
Recommended Action None required.
321004
Error Message %FWSM-6-321004: Resource var1 rate log level of var2 reachedExplanation A configured resource usage or rate log level for the indicated resource was reached.
Recommended Action None required.
322001
Error Message %FWSM-3-322001: Deny MAC address MAC_address, possible spoof attempt on interface interfaceExplanation The security appliance received a packet from the offending MAC address on the specified interface, but the source MAC address in the packet is statically bound to another interface in your configuration. This could be caused by either be a MAC-spoofing attack or a misconfiguration.
Recommended Action Check the configuration and take appropriate action by either finding the offending host or correcting the configuration.
322002
Error Message %FWSM-3-322002: ARP inspection check failed for arp {request|response} received from host MAC_address on interface interface. This host is advertising MAC Address MAC_address_1 for IP Address IP_address, which is {statically|dynamically} bound to MAC Address MAC_address_2.Explanation If the ARP inspection module is enabled, it checks whether a new ARP entry advertised in the packet conforms to the statically configured or dynamically learned IP-MAC address binding before forwarding ARP packets across the security appliance. If this check fails, the ARP inspection module drops the ARP packet and generates this message. This situation may be caused by either ARP spoofing attacks in the network or an invalid configuration (IP-MAC binding).
Recommended Action If the cause is an attack, you can deny the host using the ACLs. If the cause is an invalid configuration, correct the binding.
322003
Error Message %FWSM-3-322003:ARP inspection check failed for arp {request|response} received from host MAC_address on interface interface. This host is advertising MAC Address MAC_address_1 for IP Address IP_address, which is not bound to any MAC Address.Explanation If the ARP inspection module is enabled, it checks whether a new ARP entry advertised in the packet conforms to the statically configured IP-MAC address binding before forwarding ARP packets across the security appliance. If this check fails, the ARP inspection module drops the ARP packet and generates this message. This situation may be caused by either ARP spoofing attacks in the network or an invalid configuration (IP-MAC binding).
Recommended Action If the cause is an attack, you can deny the host using the ACLs. If the cause is an invalid configuration, correct the binding.
322004
Error Message %FWSM-6-322004: No management IP address configured for transparent firewall. Dropping protocol protocol packet from interface_in:source_address/source_port to interface_out:dest_address/dest_portExplanation The security appliance dropped a packet because no management IP address was configured in the transparent mode.
•
•
•
•
•
•
•
Recommended Action Configure the device with management IP address and mask values.
323004
Error Message %FWSM-3-323004: Module in slot slotnum failed to write software vnewver (currently vver), reason. Hw-module reset is required before further use.Explanation The module in the specified slot number failed to accept a software version, and will be transitioned to an UNRESPONSIVE state. The module is not usable until the software is updated.
•
•
•
•
—write failure.
—failed to create a thread to write the image.
Recommended Action The module must be reset by using the hw-module module slotnum reset command before further upgrade attempts will be made. Ensure the module is completely seated in the chassis. Contact Cisco TAC if further attempts to update the module software are not successful.
323005
Error Message %FWSM-3-323005: Module in slot slotnum can not be powered on completelyExplanation This message indicates that the module can not be powered up completely. The module will remain in the UNRESPONSIVE state until this condition is corrected. A likely cause of this is a module that is not fully seated in the slot.
•
Recommended Action Verify that the module is fully seated in the slot and check if any status LEDs on the module are on. It may take a minute after fully reseating the module for the system to recognize that it is powered up. If this message appears after verifying that the module is seated and after resetting the module using the hw-module module slotnum reset command, contact Cisco TAC.
324000
Error Message %FWSM-3-324000: Drop GTPv version message msg_type from source_interface:source_address/source_port to dest_interface:dest_address/dest_port Reason: reasonExplanation The packet being processed did not meet the filtering requirements as described in the reason variable and is being dropped.
Recommended Action None required.
324001
Error Message %FWSM-3-324001: GTPv0 packet parsing error from source_interface:source_address/source_port to dest_interface:dest_address/dest_port, TID: tid_value, Reason: reasonExplanation There was an error processing the packet. The following are possible reasons:
•
•
•
•
•
•
•
•
•
•
•
•
•
Recommended Action If this message is seen periodically, it can be ignored. If it is seen frequently, then the endpoint may be sending out bad packets as part of an attack.
324002
Error Message %FWSM-3-324002: No PDP[MCB] exists to process GTPv0 msg_type from source_interface:source_address/source_port to dest_interface:dest_address/dest_port, TID: tid_valueExplanation If this message was preceded by message 321100: Memory allocation Error, the message indicates that there were not enough resources to create the PDP Context. If it was not preceded by message 321100, for version 0 it indicates that the corresponding PDP context could not be found. For version 1, if this message was preceded by message 324001, then a packet-processing error occurred, and the operation stopped.
Recommended Action If this message repeats frequently because of the memory allocation error, contact Cisco TAC.
324003
Error Message %FWSM-3-324003: No matching request to process GTPv version msg_type from source_interface:source_address/source_port to source_interface:dest_address/dest_portExplanation The response received does not have a matching request in the request queue and should not be processed further.
Recommended Action If this message is seen periodically, it can be ignored. But if it is seen frequently, then the endpoint may be sending out bad packets as part of an attack.
324004
Error Message %FWSM-3-324004: GTP packet with version%d from source_interface:source_address/source_port to dest_interface:dest_address/dest_port is not supportedExplanation The packet being processed has a version other than the currently supported version, which is 0 or 1. If the version number printed out is an incorrect number and is seen frequently, then the endpoint may be sending out bad packets as part of an attack.
Recommended Action None required.
324005
Error Message %FWSM-3-324005: Unable to create tunnel from source_interface:source_address/source_port to dest_interface:dest_address/dest_portExplanation An error occurred while trying to create the tunnel for the TPDUs.
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, collect the necessary debugging messages and contact Cisco TAC.
324006
Error Message %FWSM-3-324006:GSN IP_address tunnel limit tunnel_limit exceeded, PDP Context TID tid failedExplanation The GSN sending the request has exceeded the maximum allowed tunnels created, so no tunnel will be created.
Recommended Action Check to see whether the tunnel limit should be increased or a possible attack on the network has occurred.
324007
Error Message %FWSM-3-324007: Unable to create GTP connection for response from source_interface:source_address/0 to dest_interface:dest_address/dest_portExplanation An error occurred while trying to create the tunnel for the TPDUs for a different SGSN or GGSN.
Recommended Action Check debugging messages to see why the connection was not created properly. If you are unable to resolve the problem, collect the necessary information and contact Cisco TAC.
325001
Error Message %FWSM-3-325001: Router ipv6_address on interface has conflicting ND (Neighbor Discovery) settingsExplanation Another router on the link sent router advertisements with conflicting parameters. ipv6_address is the IPv6 address of the other router. interface is the interface name of the link with the other router.
Recommended Action Verify that all IPv6 routers on the link have the same parameters in the router advertisement for hop_limit, managed_config_flag, other_config_flag, reachable_time and ns_interval, and that preferred and valid lifetimes for the same prefix, advertised by several routers are the same. To list the parameters per interface, enter the show ipv6 interface command.
325002
Error Message %FWSM-4-325002: Duplicate address ipv6_address/MAC_address on interfaceExplanation Another system is using your IPv6 address. ipv6_address is the IPv6 address of the other router. MAC_address is the MAC address of the other system if known, otherwise "unknown." interface is the interface name of the link with the other system.
Recommended Action Change the IPv6 address of one of the two systems.
326001
Error Message %FWSM-3-326001: Unexpected error in the timer library: error_messageExplanation A managed timer event was received without a context or a proper type or no handler exists. This message will also be displayed if the number of events queued exceed a system limit and will be attempted to be processed at a later time.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326002
Error Message %FWSM-3-326002: Error in error_message: error_messageExplanation The IGMP process failed to shut down upon request. Events that are performed in preparation for this shutdown may be out of synchronization.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326004
Error Message %FWSM-3-326004: An internal error occurred while processing a packet queueExplanation The IGMP packet queue received a signal without a packet.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326005
Error Message %FWSM-3-326005: Mrib notification failed for (IP_address, IP_address)Explanation A packet triggering a data-driven event was received, and the attempt to notify the MRIB failed.
Recommended Action If this message persists after the system is up, copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326006
Error Message %FWSM-3-326006: Entry-creation failed for (IP_address, IP_address)Explanation The MFIB received an entry update from the MRIB, but failed to create the entry related to the addresses displayed, which can cause insufficient memory.
Recommended Action If sufficient memory exists, then copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326007
Error Message %FWSM-3-326007: Entry-update failed for (IP_address, IP_address)Explanation The MFIB received an interface update from the MRIB, but failed to create the interface related to the addresses displayed. The likely result is insufficient memory.
Recommended Action If sufficient memory exists, then copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326008
Error Message %FWSM-3-326008: MRIB registration failedExplanation The MFIB failed to register with the MRIB.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326009
Error Message %FWSM-3-326009: MRIB connection-open failedExplanation The MFIB failed to open a connection to the MRIB.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326010
Error Message %FWSM-3-326010: MRIB unbind failedExplanation The MFIB failed to unbind from the MRIB.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326011
Error Message %FWSM-3-326011: MRIB table deletion failedExplanation The MFIB failed to retrieve the table that was supposed to be deleted.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326012
Error Message %FWSM-3-326012: Initialization of string functionality failedExplanation The initialization of a functionality failed. This component might still operate without the functionality.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326013
Error Message %FWSM-3-326013: Internal error: string in string line %d (%s)Explanation A fundamental error occurred in the MRIB.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326014
Error Message %FWSM-3-326014: Initialization failed: error_message error_messageExplanation The MRIB failed to initialize.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326015
Error Message %FWSM-3-326015: Communication error: error_message error_messageExplanation The MRIB received a malformed update.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326016
Error Message %FWSM-3-326016: Failed to set un-numbered interface for interface_name (string)Explanation The PIM tunnel is not usable without a source address. This situation occurs because a numbered interface could not be found, or because of some internal error.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326017
Error Message %FWSM-3-326017: Interface Manager error - string in string: stringExplanation An error occurred while creating a PIM tunnel interface.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326019
Error Message %FWSM-3-326019: string in string: stringExplanation An error occurred while creating a PIM RP tunnel interface.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326020
Error Message %FWSM-3-326020: List error in string: stringExplanation An error occurred while processing a PIM interface list.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326021
Error Message %FWSM-3-326021: Error in string: stringExplanation An error occurred while setting the SRC of a PIM tunnel interface.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326022
Error Message %FWSM-3-326022: Error in string: stringExplanation The PIM process failed to shut down upon request. Events that are performed in preparation for this shut down may be out of synchronization.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326023
Error Message %FWSM-3-326023: string - IP_address: stringExplanation An error occurred while processing a PIM group range.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326024
Error Message %FWSM-3-326024: An internal error occurred while processing a packet queue.Explanation The PIM packet queue received a signal without a packet.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326025
Error Message %FWSM-3-326025: stringExplanation An internal error occurred while trying to send a message. Events scheduled to happen on receipt of the message such as deletion of the PIM tunnel IDB may not take place.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326026
Error Message %FWSM-3-326026: Server unexpected error: error_messsageExplanation The MRIB failed to register a client.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326027
Error Message %FWSM-3-326027: Corrupted update: error_messsageExplanation The MRIB received a corrupt update.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
326028
Error Message %FWSM-3-326028: Asynchronous error: error_messsageExplanation An unhandled asynchronous error occurred in the MRIB API.
Recommended Action Copy the error message and submit it, the configuration, and any details about the events leading up to this error to Cisco TAC.
Messages 400000 to 418001
This section contains messages from 400000 to 420003.
402101
Error Message %FWSM-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=dest_address, prot=protocol, spi=numberExplanation The received IPSec packet specifies a security parameters index (SPI) that does not exist in the security association database (SADB). This may be a temporary condition, because of one of the following:
•
•
•
•
Recommended Action The peer may not acknowledge that the local SAs have been cleared. If a new connection is established from the local router, the two peers may then reestablish successfully. If the problem occurs for more than a brief period, try to establish a new connection or contact the peer administrator.
402102
Error Message %FWSM-4-402102: decapsulate: packet missing {AH|ESP}, destadr=dest_address, actual prot=protocolExplanation The received IPSec packet is missing an expected AH or ESP header. The peer is sending packets that do not match the negotiated security policy, which may indicate an attack.
Recommended Action Contact the peer administrator.
402103
Error Message %FWSM-4-402103: identity doesn't match negotiated identity (ip) dest_address= dest_address, src_addr= source_address, prot= protocol, (ident) local=inside_address, remote=remote_address, local_proxy=IP_address/IP_address/port/port, remote_proxy=IP_address/IP_address/port/portExplanation An unencapsulated IPSec packet does not match the negotiated identity. The peer is sending other traffic through this security association because of a security association selection error by the peer. This may be a hostile event.
Recommended Action Contact the peer administrator to compare policy settings.
402106
Error Message %FWSM-4-402106: Rec'd packet not an IPSEC packet (ip) dest_address= dest_address, src_addr= source_address, prot= protocolExplanation The received packet matched the crypto map ACL, but it is not IPSec-encapsulated; the IPSec peer is sending unencapsulated packets. This error can occur because of a policy setup error on the peer. For example, the security appliance only accepts encrypted Telnet traffic to the outside interface port 23. If you attempt to Telnet without IPSec encryption to the outside interface on port 23, this message appears. This error can also signify a hostile event. This system log message is not generated except under the conditions cited (for example, it is not generated for traffic to the security appliance interfaces themselves). To track TCP and UDP requests, see Messages 701001, 701002, and 710003.
Recommended Action Contact the peer administrator to compare policy settings.
404101
Error Message %FWSM-4-404101: ISAKMP: Failed to allocate address for client from pool stringExplanation ISAKMP failed to allocate an IP address for the VPN client from the pool that you specified with the ip local pool command.
Recommended Action Use the ip local pool command to specify additional IP addresses for the pool.
404102
Error Message %FWSM-3-404102: ISAKMP: Exceeded embryonic limitExplanation More than 500 embryonic security associations (SAs) exist, which could mean a DoS attack.
Recommended Action Enter the show crypto isakmp ca command to determine the origin of the attack. After the source is identified, deny access to the offending IP address or network.
405001
Error Message %FWSM-4-405001: Received ARP {request | response} collision from IP_address/MAC_address on interface interface_nameExplanation The security appliance received an ARP packet, and the MAC address in the packet differs from the ARP cache entry.
Recommended Action This traffic might be legitimate, or it might indicate that an ARP poisoning attack is in progress. Check the source MAC address to determine where the packets are coming from and check to see if it belongs to a valid host.
405101
Error Message %FWSM-4-405101: Unable to Pre-allocate H225 Call Signalling Connection for foreign_address outside_address[/outside_port] to local_address inside_address[/inside_port]Explanation The module failed to allocate RAM system memory while starting a connection or has no more address translation slots available.
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact Cisco TAC. You can check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translates and connections. This error message may also be caused by insufficient memory; try reducing the amount of memory usage, or purchasing additional memory.
405002
Error Message %FWSM-4-405002: Received mac mismatch collision from IP_address/MAC_address for authenticated hostExplanation This packet appears for one of the following conditions:
•
•
Recommended Action This traffic might be legitimate, or it might indicate that a spoofing attack is in progress. Check the source MAC address and IP address to determine where the packets are coming from and whether they belong to a valid host.
405101
Error Message %FWSM-4-405101: Unable to Pre-allocate H225 Call Signalling Connection for foreign_address outside_address[/outside_port] to local_address inside_address[/inside_port]Explanation The security appliance failed to allocate RAM system memory while starting a connection or has no more address translation slots available.
Recommended Action Check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of xlates and connections. This could also be caused by insufficient memory; reduce the amount of memory usage, or purchase additional memory. If this message occurs periodically, it can be ignored. If it repeats frequently, contact Cisco TAC.
405102
Error Message %FWSM-4-405102: Unable to Pre-allocate H245 Connection for foreign_address outside_address[/outside_port] to local_address inside_address[/inside_port]Explanation The security appliance failed to allocate RAM system memory while starting a connection or has no more address translation slots available.
Recommended Action Check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of xlates and connections. This could also be caused by insufficient memory; reduce the amount of memory usage, or purchase additional memory. If this message occurs periodically, it can be ignored. If it repeats frequently, contact Cisco TAC.
405103
Error Message %FWSM-4-405103: H225 message from source_address/source_port to dest_address/dest_port contains bad protocol discriminator hexExplanation The security appliance is expecting the protocol discriminator, 0x08, but it received something other than 0x08. This might happen because the endpoint is sending a bad packet, or received a message segment other than the first segment.
Recommended Action None required. The packet is allowed through.
405104
Error Message %FWSM-4-405104: H225 message received from outside_address/outside_port to inside_address/inside_port before SETUPExplanation This message appears after an H.225 message is received out of order. The H.225 message was received before the initial SETUP message, which is not allowed. The security appliance must receive an initial SETUP message for that H.225 call signalling channel before accepting any other H.225 messages.
Recommended Action None required.
405105
Error Message %FWSM-4-405105: H323 RAS message AdmissionConfirm received from source_address/source_port to dest_address/dest_port without an AdmissionRequestExplanation A gatekeeper has sent an admission confirm (ACF), but the security appliance did not send an admission request (ARQ) to the gatekeeper.
Recommended Action Check the gatekeeper with the specified source_address to determine why it sent an ACF without receiving an ARQ from the security appliance.
405201
Error Message %FWSM-4-405201: ILS ILS_message_type from inside_interface:source_IP_address to outside_interface:/destination_IP_address has wrong embedded address embedded_IP_addressExplanation The embedded address in the ILS packet payload is not the same as the source IP address of the IP packet header.
Recommended Action Check the host with the specified source_IP_address to determine why it sent an ILS packet with an incorrect embedded IP address.
406001
Error Message %FWSM-4-406001: FTP port command low port: IP_address/port to IP_address on interface interface_nameExplanation A client entered an FTP port command and supplied a port less than 1024 (in the well-known port range typically devoted to server ports). This message is indicative of an attempt to avert the site security policy. The security appliance drops the packet, terminates the connection, and logs the event.
Recommended Action None required.
406002
Error Message %FWSM-4-406002: FTP port command different address: IP_address(IP_address) to IP_address on interface interface_nameExplanation A client issued an FTP port command and supplied an address other than the address used in the connection. This error message is indicative of an attempt to avert the site security policy. For example, an attacker might attempt to hijack an FTP session by changing the packet on the way, and entering different source information instead of the correct source information. The security appliance drops the packet, terminates the connection, and logs the event. The address in parentheses is the address from the port command.
Recommended Action None required.
407001
Error Message %FWSM-4-407001: Deny traffic for local-host interface_name:inside_address, license limit of number exceededExplanation The host limit was exceeded. An inside host is counted toward the limit when one of the following conditions is true:
•
•
Recommended Action The host limit is enforced on the low-end platforms. Use the show version command to view the host limit. Use the show local-host command to view the current active hosts and the inside users that have sessions at the security appliance. To forcefully disconnect one or more users, use the clear local-host command. To expire the inside users more quickly from the limit, set the xlate, connection, and uauth timeouts to the recommended values or lower, as shown in Table 1-4.
Table 1-4 Timeouts and Recommended Values
xlate
00:05:00 (five minutes)
conn
00:01:00 (one hour)
uauth
00:05:00 (five minutes)
407002
Error Message %FWSM-3-407002: Embryonic limit nconns/elimit for through connections exceeded.outside_address/outside_port to global_address (inside_address)/inside_port on interface interface_nameExplanation This message is about connections through the security appliance. This message is displayed when the number of connections from a specified foreign address over a specified global address to the specified local address exceeds the maximum embryonic limit for that state. The security appliance attempts to accept the connection if it can allocate memory for that connection. It proxies on behalf of local host and sends a SYN_ACK packet to the foreign host. The security appliance retains pertinent state information, drops the packet, and waits for the client's acknowledgment.
Recommended Action The message might indicate legitimate traffic, or indicate that a denial of service (DoS) attack is in progress. Check the source address to determine where the packets are coming from and whether it is a valid host.
407003
Error Message %FWSM-4-407003: Established limit for RPC services exceeded numberExplanation The security appliance tried to open a new hole for a pair of RPC servers or services that have already been configured after the maximum number of holes has been met.
Recommended Action Wait for other holes to be closed (through associated timeout expiration) or limit the number of active pairs of servers or services.
408001
Error Message %FWSM-4-408001: IP route counter negative - reason, IP_address Attempt: numberExplanation An attempt to decrement the IP route counter into a negative value failed.
Recommended Action Enter the clear ip route * command to reset the route counter. If the message continues to appear consistently, copy the message exactly as it appears, and report it to Cisco TAC.
408002
Error Message %FWSM-4-408002: ospf process id route type update address1 netmask1 [distance1/metric1] via source IP:interface1 address2 netmask2 [distance2/metric2] interface2Explanation A network update was received from a different interface with the same distance and a better metric than the existing route. The new route overrides the existing route that was installed through another interface. The new route is for redundancy purposes only and means that a path has shifted in the network. This change must be controlled through network topology and redistribution. Any existing connections affected by this change are probably disabled and will time out. This path shift only occurs if the network topology has been specifically designed to support path redundancy, in which case it is expected.
Recommended Action None required.
409001
Error Message %FWSM-4-409001: Database scanner: external LSA IP_address netmask is lost, reinstallsExplanation The software detected an unexpected condition. The router will take corrective action and continue.
Recommended Action None required.
409002
Error Message %FWSM-4-409002: db_free: external LSA IP_address netmaskExplanation An internal software error occurred.
Recommended Action None required.
409003
Error Message %FWSM-4-409003: Received invalid packet: reason from IP_address, interface_nameExplanation An invalid OSPF packet was received. Details are included in the error message. The cause might be an incorrect OSPF configuration or an internal error in the sender.
Recommended Action Check the OSPF configuration of the receiver and the sender configuration for inconsistency.
409004
Error Message %FWSM-4-409004: Received reason from unknown neighbor IP_addressExplanation The OSPF hello, database description, or database request packet was received, but the router could not identify the sender.
Recommended Action None required.
409005
Error Message %FWSM-4-409005: Invalid length number in OSPF packet from IP_address (ID IP_address), interface_nameExplanation The system received an OSPF packet with a variable length of less than normal header size or inconsistent with the size of the IP packet in which it arrived. This indicates a configuration error in the sender of the packet.
Recommended Action From a neighboring address, locate the problem router and reboot it.
409006
Error Message %FWSM-4-409006: Invalid lsa: reason Type number, LSID IP_address from IP_address, IP_address, interface_nameExplanation The router received an LSA with an invalid LSA type. The cause is either memory corruption or unexpected behavior on a router.
Recommended Action From a neighboring address, locate the problem router and reboot it. To determine what is causing this problem, contact Cisco TAC for assistance.
409007
Error Message %FWSM-4-409007: Found LSA with the same host bit set but using different mask LSA ID IP_address netmask New: Destination IP_address netmaskExplanation An internal software error occurred.
Recommended Action To determine what is causing this problem, contact Cisco TAC for assistance.
409008
Error Message %FWSM-4-409008: Found generating default LSA with non-zero mask LSA type : number Mask: netmask metric: number area: stringExplanation The router tried to generate a default LSA with the wrong mask and possibly wrong metric because of an internal software error.
Recommended Action To determine what is causing this problem, contact Cisco TAC for assistance.
409009
Error Message %FWSM-4-409009: OSPF process number cannot start. There must be at least one up IP interface, for OSPF to use as router IDExplanation OSPF failed while attempting to allocate a router ID from the IP address of one of its interfaces.
Recommended Action Make sure that there is at least one interface that is up and has a valid IP address. If there are multiple OSPF processes running on the router, each requires a unique router ID. You must have enough interfaces up so that each of them can obtain a router ID.
409010
Error Message %FWSM-4-409010: Virtual link information found in non-backbone area: stringExplanation An internal error occurred.
Recommended Action To determine what is causing this problem, contact Cisco TAC for assistance.
409011
Error Message %FWSM-4-409011: OSPF detected duplicate router-id IP_address from IP_address on interface interface_nameExplanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established.
Recommended Action The OSPF router ID should be unique. Change the neighboring router ID.
409012
Error Message %FWSM-4-409012: Detected router with duplicate router ID IP_address in area stringExplanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established.
Recommended Action The OSPF router ID should be unique. Change the neighboring router ID.
409013
Error Message %FWSM-4-409013: Detected router with duplicate router ID IP_address in Type-4 LSA advertised by IP_addressExplanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established.
Recommended Action The OSPF router ID should be unique. Change the neighboring router ID.
409023
Error Message %FWSM-4-409023: Attempting AAA Fallback method method_name for request_type request for user user: Auth-server group server_tag unreachableExplanation An authentication or authorization attempt to an external server has failed and will now be performed using the local user database. The method_name is either authentication or authorization. The user is the user associated with the connection. The server_tag is the name of the AAA server group whose servers were unreachable.
Recommended Action Investigate any connectivity problems with the AAA servers configured in the first method. Ping the authentication servers from the security appliance. Make sure that the daemons are running on your AAA server.
410001
Error Message %FWSM-4-410001: UDP DNS request from source_interface:source_address/source_port to dest_interface:dest_address/dest_port; (label length | domain-name length) 52 bytes exceeds remaining packet length of 44 bytes.Explanation This message is printed when the domain-name length exceeds 255 bytes in a UDP DNS packet. For more information, see RFC 1035, section 3.1.
Recommended Action None required.
411001
Error Message %FWSM-4-411001:Line protocol on interface interface_name changed state to upExplanation The status of the line protocol has changed from down to up. If interface_name is a logical interface name such as "inside" and "outside," this message indicates that the logical interface line protocol has changed from down to up. If interface_name is a physical interface name such as "Ethernet0" and "GigabitEthernet0/1," this message indicates that the physical interface line protocol has changed from down to up.
Recommended Action None required.
411002
Error Message %FWSM-4-411002:Line protocol on interface interface_name changed state to downExplanation The status of the line protocol has changed from up to down. If interface_name is a logical interface name such as "inside" and "outside," this message indicates that the logical interface line protocol has changed from up to down. In this case, the physical interface line protocol status is not affected. If interface_name is a physical interface name such as "Ethernet0" and "GigabitEthernet0/1," this message indicates that the physical interface line protocol has changed from up to down.
Recommended Action If this is an unexpected event on the interface, check the physical line.
411003
Error Message %FWSM-4-411003: Configuration status on interface interface_name changed state to administratively downExplanation The configuration status of the interface has changed from up to administratively down.
Recommended Action None required.
411004
Error Message %FWSM-4-411004: Configuration status on interface interface_name changed state to upExplanation The configuration status of the interface has changed from down to up.
Recommended Action None required.
412001
Error Message %FWSM-4-412001:MAC MAC_address moved from interface_1 to interface_2Explanation This message is generated when a host move is detected from one module interface to another. In a transparent security appliance, mapping between the host (MAC) and security appliance port is maintained in a Layer 2 forwarding table. The table dynamically binds packet source MAC addresses to a security appliance port. In this process, whenever movement of a host from one interface to another interface is detected, this message is generated.
Recommended Action The host move might be valid or the host move might be an attempt to spoof host MACs on other interfaces. If it is a MAC spoof attempt, you can either locate vulnerable hosts on your network and remove them or configure static MAC entries, which will not allow MAC address and port binding to change. If it is a genuine host move, none required.
412002
Error Message %FWSM-4-412002:Detected bridge table full while inserting MAC MAC_address on interface interface. Number of entries = numExplanation This message is generated when the bridge table is full and an attempt is made to add one more entry. The security appliance maintains a separate Layer 2 forwarding table per context and the message is generated whenever a context exceeds its size limit. The MAC address will be added, but it will replace the oldest existing dynamic entry (if available) in the table.
Recommended Action This might be an attempted attack. Make sure that the new bridge table entries are valid. In case of attack, use EtherType ACLs to access control vulnerable hosts.
413001
Error Message %FWSM-4-413001: Module in slot slotnum is not able to shut down. Module Error: errnum messageExplanation The module in slotnum was not able to comply with a request from the FWSM system module to shut down. It may be performing a task that could not be interrupted, like a software upgrade. The errnum and message text describes the reason why the module could not shut down, and recommends action.
Recommended Action Wait for the task on the module to complete before shutting down the module, or use the session command to access the module CLI and stop the task that is preventing the module from shutting down.
413002
Error Message %FWSM-4-413002: Module in slot slotnum is not able to reload. Module Error: errnum messageExplanation The module in slotnum was not able to comply with a request from the FWSM system module to reload. It may be performing a task that could not be interrupted, like a software upgrade. The errnum and message text describes the reason why the module could not reload, and the recommended action.
Recommended Action Wait for the task on the module to complete before reloading the module, or use the session command to access the module's CLI and stop the task that is preventing the module from reloading.
413003
Error Message %FWSM-4-413003: Module in slot slotnum is not a recognized typeExplanation Generated whenever a card is detected that is not recognized as a valid card type.
Recommended Action Upgrade to a version of FWSM system software that supports the module type installed.
413004
Error Message %FWSM-4-413004: Module in slot slotnum failed to write software vnewver (currently vver), reason. Trying again.Explanation The module in the specified slot number failed to accept a software version, and will be transitioned to an UNRESPONSIVE state. Another attempt will be made to update the module software.
•
•
•
•
—write failure.
—failed to create a thread to write the image.
Recommended Action None required. Subsequent attempts will either generate a message indicating a successful update or failure. You may verify the module transitions to UP after a subsequent update attempt by using the show module slotnum command.
414001
Error Message %FWSM-3-414001: Failed to save logging buffer using file name filename to FTP server ftp_server_address on interface interface_name: [fail_reason]Explanation This system log message is generated when a logging module failed to save the logging buffer to an external FTP server.
Recommended Action Take appropriate action based on the reason for failure:
•
•
•
414002
Error Message %FWSM-3-414002: Failed to save logging buffer to flash:/syslog directory using file name: filename: [fail_reason]Explanation This system log message is generated when a logging module failed to save the logging buffer to the system Flash memory.
Recommended Action If the failure is because of insufficient space, check the system Flash free space, make sure that the configured limits of the logging flash-size command are set properly. If the error is a Flash file system IO error, then contact Cisco TAC for assistance.
415001
Error Message %FWSM-5-415001:internal_sig_id HTTP Tunnel detected - action tunnel_type from source_address to dest_addressExplanation This message is issued when the http-map port-misuse command is configured and a tunneling protocol is detected. The message indicates that a user was running a tunneling protocol over HTTP, which may violate policy.
•
•
•
•
•
Recommended Action None required.
415002
Error Message %FWSM-5-415002:internal_sig_id HTTP Instant Messenger detected - action instant_messenger_type from source_address to dest_addressExplanation This message is issued when the http-map port-misuse command is configured and an instant message protocol is detected. The message indicates that a user was running an instant messenger protocol over HTTP, which may violate policy.
•
•
•
•
•
Recommended Action None required.
415003
Error Message %FWSM-5-415003:internal_sig_id HTTP Peer-to-Peer detected - action peer_to_peer_type from source_address to dest_addressExplanation This message is issued when the http-map port-misuse command is configured and a peer-to-peer protocol is detected. The message indicates that a user was running a peer-to-peer protocol over HTTP, which may violate policy.
•
•
•
•
•
Recommended Action None required.
415004
Error Message %FWSM-1-415004:internal_sig_id Content type not found - action mime_type from source_address to dest_addressExplanation This system log message is issued when the http-map content-type-verification command is configured and a MIME type in the content-type HTTP header variable has not been found in the list of allowed content types, which may violate policy.
•
•
•
•
•
Recommended Action None required.
415005
Error Message %FWSM-5-415005:Internal_Sig_Id Content type does not match specified type - Action Content Verification Failed from source_address to Dst_IP_AddressExplanation This message is issued when the http-map content-type-verification command is configured and a MIME type in the content-type HTTP header variable is found in the list of policies of allowed types, but the body of the message does not include the correct magic number to identify a file of that type. This is an unusual message, which could indicate an attempt to smuggle contraband data over the connection.
This message is rate limited, which means that later violations are not logged.
•
•
•
•
Recommended Action None required.
415006
Error Message %FWSM-6-415006:internal_sig_id Content size size out of range - action content-length from source_address to dest_addressExplanation This message is issued when the http-map content-length command is configured and the content length exceeds the user-configured length. The message indicates that an attempt has been made to transmit more data than the user-configured policy allows.
•
•
•
•
•
•
Recommended Action None required.
415007
Error Message %FWSM-5-415007:internal_sig_id HTTP Extension method detected - action method_name from source_address to dest_addressExplanation This message is issued when the http-map request-method ext command is configured to log the specified extension method. The message indicates that an attempt has been made to use the extension method and an action has been taken based on the user-configured policy.
•
•
•
•
•
Recommended Action None required.
415008
Error Message %FWSM-5-415008:internal_sig_id HTTP RFC method detected - action method_name from source_address to dest_addressExplanation This message is issued when the http-map request-method rfc command is configured to log the specified RFC method. The message indicates that an attempt has been made to use the RFC method and an action has been taken based on the user-configured policy.
•
•
•
•
•
Recommended Action None required.
415009
Error Message %FWSM-6-415009:internal_sig_id HTTP Header length exceeded. Received length byte Header - action header length exceeded from source_address to dest_addressExplanation This message is issued when the http-map max-header-length command is configured and an HTTP header longer than the user-specified header length is detected. The message indicates that a header longer than the user-specified maximum length has been sent, which violates the user-configured policy.
•
•
•
•
•
Recommended Action None required.
415010
Error Message %FWSM-5-415010:internal_sig_id HTTP protocol violation detected - action HTTP Protocol not detected from source_address to dest_addressExplanation This message is issued when the http-map strict-http command is configured and the stream violates the implemented checks for RFC compliance. In this case, a user may be running a protocol over the port for HTTP transactions, which violates the user-configured policy.
•
•
•
•
Recommended Action None required.
415011
Error Message %FWSM-6-415011:internal_sig_id HTTP URL Length exceeded. Received size byte URL - action URI length exceeded from source_address to dest_addressExplanation his message is issued when the http-map max-url-length command is configured and a URL longer than the user-specified maximum URL length has been detected. An excessively long URL may indicate that an attack is being attempted.
•
•
•
•
•
Recommended Action None required.
415012
Error Message %FWSM-4-415012:internal_sig_id HTTP Deobfuscation signature detected - action HTTP deobfuscation detected IPS evasion technique from source_address to dest_addressExplanation This message is issued when the http-map strict-http command is configured and an HTTP evasion technique is detected. Hackers obfuscate URLs in an attempt to bypass security checks. This message indicates an attack.
•
•
•
•
Recommended Action None required.
415013
Error Message %FWSM-5-415013:internal_sig_id HTTP Transfer encoding violation detected - action Xfer_encode Transfer encoding not allowed from source_address to dest_addressExplanation his message is issued when the http-map transfer-encoding command is configured and a forbidden transfer encoding is detected. A user has sent a message that violated the user-configured policy.
•
•
•
•
•
Recommended Action None required.
415014
Error Message %FWSM-4-415014:internal_sig_id More than 10 unanswered HTTP requests exceeded from source_address to dest_addressExplanation This message is issued when the http-map strict-http command is configured and more than ten unanswered HTTP requests have been seen on a single connection. A user has sent multiple HTTP request messages that are not being answered, which may indicate an attack if an HTTP server does not exist on the server-side of the connection.
Note
•
•
•
•
Recommended Action None required.
416001
Error Message %FWSM-4-416001: Dropped UDP SNMP packet from source_interface: source_IP/source_port to dest_interface:dest_address/dest_port; version (prot_version) is not allowed through the firewallExplanation An SNMP packet was denied passage through the security appliance because of a bad packet format or because the prot_version is not allowed through the security appliance. The variable prot_version can be one of the following values: 1, 2, 2c, or 3.
Recommended Action Change the settings for SNMP inspection using the snmp-map command, which allows the user to permit or deny specific protocol versions.
417001
