This chapter lists the Cisco Application Control Engine (ACE) module system log messages. The messages are listed numerically by message code.
To view a list of the majority of variables used in ACE system log messages, seeTable 1-2 in Chapter 1, Configuring System Message Logging. To view ACE system log messages listed by severity level, see Chapter 3, Messages Listed by Severity Level.
This chapter includes the following sections:
This section contains messages from 100001 to 199006.
Error Message %ACE-2-100001: EOL function chars from library chars exited due to Signal dec
Explanation An error occured in the CLI end of line (EOL) function.
Recommended Action No action is required.
Error Message %ACE-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name
Explanation Someone is attempting to spoof an IP address on an inbound connection. Unicast reverse path forwarding (RPF), also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on the ACE.
This message appears when you have enabled Unicast RPF with the ip verify reverse-path command (see the Cisco Application Control Engine Module Security Configuration Guide. Reverse path forwarding works on packets that are sent to an interface. If you configure this command on the outside, then the ACE checks packets arriving from the outside.
The ACE looks up a route based on the source address. If an entry is not found and a route is not defined, then this system log message appears and the connection is discarded.
If a route is defined, the ACE checks which interface to which it corresponds. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination. The ACE does not support asymmetric routing.
If the ACE is configured on an internal interface, it checks static route command statements or RIP, and if the source address is not found, then an internal user is spoofing their address.
Recommended Action Even though someone is attempting to spoof an IP address on an inbound connection, if this feature is enabled no user action is required. The ACE repels the attack.
Error Message %ACE-4-106023: Deny protocol number | name src incoming-interface:src-ip dst outgoing-interface:dst-ip by access-group "acl-name"
Explanation An IP packet was denied by the ACL. This message displays even if you do not have the log option enabled for an ACL. If a packet hits an input ACL, the outgoing interface will not be known. In this case, the ACE prints the outgoing interface as undetermined. The source IP and destination IP addresses are the unmapped and mapped addresses for the input and output ACLs, respectively, when used with NAT.
Recommended Action If messages persist from the same source address, messages may indicate a foot-printing or port-scanning attempt. Contact the remote host administrators.
Error Message %ACE-1-106028: String Incomplete rule is currently applied on interface interface-name. Manual rollback to a previous access rule configuration on this interface is needed.
Explanation Possible String values are:
•WARNING: Access rules memory exhausted while processing component
•WARNING: Unknown error while processing component
Possible values for component are
•Access-list
•Service-policy
•Merged list
For example:
WARNING: Unknown error while processing service-policy. Incomplete rule is currently applied on interface VLAN100. Manual roll back to a previous access rule configuration on this interface is needed.
The access control list (ACL) compilation process has run out of memory, which does not allow new ACL entries to be applied to the specified interface. The ACL configuration downloaded in hardware for that interface may not be in a known state because of this failure.
Recommended Action The ACL configuration downloaded to the network processors is incomplete. Remove and recreate the affected interface to recover to a known state. If the message is "Access rules memory exhausted," either allocate more memory to that context or remove some of the access group or service policy configuration to reduce the memory usage. If the message is "Unknown error," then there may be an issue with the configuration manager or the ACL merge process.
Error Message %ACE-5-111008: User root executed the string command
Explanation This message is informational. The user entered a command that modified the configuration.
Recommended Action None required.
Error Message %ACE-7-111009: User user executed cmd:string
Explanation This message is informational. The user entered a command that does not modify the configuration.
Recommended Action None required.
Error Message %ACE-2-199006 : Orderly reload started at when by whom. Reload reason: reason
Explanation This message logs a reload record of the ACE and the reason for the reload.
The reason variable describes why the reload occurred. Possible reasons are as follows:
•reload command
•CF format
•hardware failure
The when variable specifies the time at which the orderly reload operation begins.
The whom variable specifies the name of the user who entered the reload command. If the reload is caused by other reasons, System is specified.
Recommended Action None required.
This section contains messages from 211001 to 255008.
Error Message %ACE-3-211001: Memory allocation Error
Explanation Failed to allocate RAM system memory.
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact Cisco TAC.
Error Message %ACE-2-212007: SNMPD initialization failed while Variable1
Explanation This is an SNMP message that is logged when the SNMP daemon fails to initialize. The SNMP daemon is created during device initialization.
The possible values of the Variable1 variable are as follows:
•loading mib module
•performing mts_bind
•performing mts_options_set
•initializing kernel memory map
•registering read/write file descriptor
•creating socket endpoint
•creating daemon process
Recommended Action Reboot the ACE (see the Cisco Application Control Engine Module Administration Guide for details). If the SNMP daemon still fails to initialize, contact Cisco TAC and provide them with the output of show processes and show np commands.
Error Message %ACE-3-212008: Failed while allocating memory in snmpd
Explanation This is an SNMP message that is logged after a memory allocation failure in the SNMPD process. When this error occurs, SNMPD processes (for example, SNMP Get/GetNext responses, trap generation, or SNMP CLI) may be affected.
Recommended Action Check for the system memory using the show system command. If the ACE is low on memory, reboot it (see the Cisco Application Control Engine Module Administration Guide for details). If the memory is not low, contact the Cisco TAC and provide them with the output of the show system resources and show processes cpu memory commands.
Error Message %ACE-3-251001: Probe configuration error, memory allocation failure.
Explanation The ACE does not have enough memory to support the specified probe configuration. When the Config Manager sends a probe configuration to the Health Monitor module, the Health Monitor module needs to reserve memory to set up the probe. If memory is not available when the Health Monitor is setting up the probe, the syslog message is sent.
Recommended Action Reduce the size of the probe configuration.
Error Message %ACE-4-251002: The configured health probe script script-name for server A.B.C.D on port P is empty
Explanation An empty script is configured for the scripted health probe for server A.B.C.D on port P.
Recommended Action Update the script file with appropriate probe information, unload, and then reload the script (see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for details). You can also reconfigure the health probe to use a nonempty script.
Error Message %ACE-3-251003: Could not load script script-name - File not found
Explanation The ACE is unable to find the script file that it needs to load.
Recommended Action Create a new script file, unload the old file, and then load the new file (see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for details).
Error Message %ACE-3-251004: Could not load script script-name - memory allocation failure
Explanation The ACE does not have sufficient memory to load the specified script file.
Recommended Action Reduce the size of the configuration or unload any unused script files.
Error Message %ACE-4-251005: Could not unload script script-name
Explanation The ACE is unable to load the specified script file due to an internal error.
Recommended Action Contact Cisco TAC if this error frequently occurs.
Error Message %ACE-3-251006: Health probe failed for server A.B.C.D on port P, internal error: error message
Explanation The configured service on port P of server A.B.C.D failed its health checks because the ACE encountered an internal error while performing the probe. Because the error is internal to the system, the real health of the server is unknown.
The possible values of the error message variable are as follows:
•failed to setup a socket
•forced disconnect
•failed to allocate memory
•failed to create SSL context
•failed to create SSL session
•failed to assign socket to SSL session
•failed to build a server query
•failed to initialize LDAP
•failed to bind to LDAP
•invalid probe request
•failed to set LDAP option
•failed to get LDAP option
Recommended Action Contact Cisco TAC if this error frequently occurs.
Error Message %ACE-3-251007: ICMP health probe failed for server A.B.C.D, internal error: error message
Explanation The configured service on port P of server A.B.C.D failed its health checks because the ACE encountered an internal error while performing the ICMP probe. Because the error is internal to the system, the real health of the server is unknown.
The possible values of the error message variable are as follows:
•general encap-decap failure
•write failure
•received bad file descriptor
•data entry being modified
•transmit queue is full
Recommended Action Contact Cisco TAC if this error frequently occurs.
Error Message %ACE-3-251008: Health probe failed for server A.B.C.D on port P, connectivity error: server open timeout (no SYN ACK)
Explanation The configured service on port P of server A.B.C.D failed its health checks because a probe was unable to reach the server due to network problem.
Recommended Action Verify network connectivity to the server, and then reprobe the server.
Error Message %ACE-3-251009: ICMP health probe failed for server A.B.C.D, connectivity error: error message
Explanation The configured real server A.B.C.D failed its health checks because an ICMP health probe was unable to reach the server due to a network connectivity problem.
The possible values of the error message variable are as follows:
•host unreachable, no route found to destination
•ARP not resolved for destination ip address
•network down
•interface has no ip address
•ICMP host unreachable
•ICMP destination unreachable
Recommended Action Verify network connectivity to the server, and then reprobe the server.
Error Message %ACE-3-251010: Health probe failed for server A.B.C.D on port P, error message
Explanation The configured service on port P of server A.B.C.D failed its health checks because the server response is not as expected.
The possible values of the error message variable are as follows:
•connection reset by server
•connection refused by server
•authentication failed
•unrecognized or invalid response
•server reply timeout
•graceful disconnect timeout (no FIN ACK)
•user defined Reg-Exp was not found in host response
•expect status code mismatch
•received invalid status code
•MD5 checksum mismatch
•invalid server greeting
•received Out-Of-Band data
Recommended Action Check the service running on the affected server.
Error Message %ACE-3-251011: ICMP health probe failed for server A.B.C.D, error message.
Explanation The configured real server A.B.C.D failed its health checks because the ICMP server response is not as expected.
The possible values of the error message variable are as follows:
•ICMP time exceeded
•ICMP redirect
•received ICMP Echo request
•received ICMP Stale packet
•received unexpected ICMP packet type
•received packet is too short
•received packet is too long
•server reply timeout
Recommended Action Check the service running on the affected server.
Error Message %ACE-3-251012: Could not load script script-name - Error reading script-file
Explanation The ACE is unable to read the script file that it is attempting to load. The file may be corrupted.
Recommended Action Verify if the file contents are correct. If correct, unload, and then reload the script file (see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for details). If necessary, create a new script file. Unload the old file, and then load the new file.
Error Message %ACE-3-251013: Could not load script script-name - Error getting file size
Explanation This message is logged when the ACE is unable to determine the script file size. Before a script file can be loaded, the ACE needs determine its size so the appropriate amount of memory can be allocated.
Recommended Action Verify if the file contents are correct. If correct, unload, and then reload the script file (see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide for details). If necessary, create a new script file. Unload the old file, and then load the new file.
Error Message %ACE-3-251014: Could not probe server IP_address on port port_number for number consecutive tries - Internal error.
Explanation The health probe could not be sent because of an internal error. The probe is skipped.
Recommended Action Remove and then readd the probe to the real server or server farm.
Error Message %ACE-6-253001: Certificate certificate_information expired
Explanation This message is logged during the SSL handshake when client authentication is enabled. The ACE determines that the certificate has expired.
Recommended Action None required.
Error Message %ACE-6-253002: Certificate certificate_information not yet valid
Explanation This message is logged during the SSL handshake when client authentication is enabled. The ACE determines that the certificate is not currently valid.
Recommended Action None required.
Error Message %ACE-6-253003: Certificate client_information is signed by an unknown CA
Explanation This message is logged during the SSL handshake when a client attempts to connect with a certificate that was signed by an unknown CA (the certificate is not part of the authgroup for this VIP's SSL proxy).The client_information variable is the subject name of the client certificate.
Recommended Action None required.
Error Message %ACE-6-253004: Certificate subject_of_certificate revoked, ssl-proxy: proxy_name, reason: reason
Explanation This message is logged during the SSL handshake when client or server authentication is enabled. The ACE determines that the certificate has been revoked by the CA. The subject_of_certificate variable is the subject field of the certificate. The proxy_name variable is the name of the SSL proxy service. The reason variable is the reason for the revocation of the certificate and has one of the following messages:
•revoked
—The certificate is revoked by the CA.
•no workable cdps in cert
—The certificate does not have a workable CRL distribution point (CDP). A CDP indicates the location of the CRL in the form of a URL.
•crl download failure
—The download of the CRL failed.
Recommended Action None required.
Error Message %ACE-6-253005: Signature for certificate_information is invalid
Explanation This message is logged during the SSL handshake when client authentication is enabled. The ACE determines that the signature for the certificate is invalid.
Recommended Action None required.
Error Message %ACE-6-253006: Error peer sent invalid or nonexistent certificate subject_of_peer_certificate, reason: reason
Explanation This message is logged during the SSL handshake when client authentication is enabled. The ACE determines a certificate is invalid or nonexistent. The subject_of_peer_certificate variable is the subject field of the peer certificate. The reason variable is the reason for rejecting the certificate and can be one of the following messages:
–bad modulus length
–error in not before field
–error in not before field
Recommended Action None required.
Error Message %ACE-6-253007: Certificate in file file_name is expired
Explanation This message is logged when the ACE attempts to use a certificate that has expired. X509 certificates have a fixed lifetime. If the ACE uses an expired certificate in an SSL handshake, the client may reject the connection. The file_name variable is the name of the file where the certificate resides.
Recommended Action Obtain a new certificate and replace the expired one.
Error Message %ACE-6-253008: CRL crl_name could not be retrieved, reason: reason
Explanation This message is logged when the ACE failed to retrieve a CRL. If you define CRL checking for SSL client authentication, the ACE periodically retrieves a CRL. Due to a variety of reasons, these attempts can occasionally fail. The crl_name variable is the name of the CRL as defined by the crypto crl command. The reason variable is the reason for the CRL download failure. and can be one of the following messages:
–DNS error
–host conn timeoutmemory outage
–crl max size limit violation
–crl cache full
–crl data/file not found
–invalid format of data
–crl signature mismatch
–next update field erroneous
–next update field expired
–internal error
–not okay to download
–http connection error
–http file read error
–http request writing error
–ldap bind error
–ldap search error
Recommended Action Check to see if there is a network connectivity problem or if the server location of the CRL has changed.
Error Message %ACE-6-253009: Certificate in file file_name is not yet valid
Explanation X509 certificates have a fixed lifetime. This message is logged when a certificate that is not currently valid is used in an SSL handshake. This event may cause the client to reject the connection. The file_name variable is the name of the file where the certificate resides.
Recommended Action Use a certificate that is currently valid.
Error Message %ACE-3-253010: Configuration failure: Certificate in file certificate_name and key in file key_name do not match
Explanation This message is logged when the certificate and key do not match. As a result, the SSL handshake fails and the ACE does not download the unmatched certificate and key in the configuration. Note that a X509 certificate has a matching private key. The certificate_name variable is the name of the certificate file. The key_file variable is the name of the key file.
Recommended Action Verify that the correct certificate and key are in use in the SSL-proxy service. If necessary, modify the SSL-proxy service to contain the correct files.
Error Message %ACE-6-253011: The CRL crl_Name may not be from a trusted source. Signature mismatch detected for CRL.
Explanation When the ACE performs signature verification on a CRL with a CA certificate configured with the crypto crlparams command, it detects a signature mismatch. Either the CRL (crl_name) download failed or the CRL has been removed from the ACE.
Recommended Action Verify the CRL configuration for the crypto crlparams command.
Error Message %ACE-2-253012: Crypto file storage failure: All certificates/keys were removed. Error: text_string
Explanation A system failure deleted the SSL services internal database of certificates and keys. The text_string variable can be one of the following:
•Corrupted certificates/keys metadata found
•Out of resources while trying to store certificates/keys metadata
Recommended Action Contact Cisco TAC and send them the message output. Reimport the certificates and keys to maintain the integrity of the SSL services.
Error Message %ACE-4-254001: ACL resource usage beyond maximum limit for context context_id. Free up some resources.
Explanation This message indicates that ACL resources in use for the specified context (context_id) are above the maximum limit allowed by the resource class.
Recommended Action Decrease the minimum ACL usage in the specified context to below the maximum limit.
Error Message %ACE-4-254002: Minimum ACL resources could not be guaranteed for context context_id.
Explanation This message indicates that the requested minimum ACL resources could not be guaranteed in the specified context (context_id).
Recommended Action Contact the global administrator to request that other context administrators release ACL resources.
Error Message %ACE-5-255001: Backup for context ctx_name is successful
Explanation This message indicates that the backup of the context specified by the ctx_name variable was successful.
Recommended Action No user action is required. The backup archive was created in disk0:. For more details, enter the show backup status detail command.
Error Message %ACE-5-255002: Backup for all contexts is successful
Explanation This message indicates that the backup of the entire ACE performed from the Admin context was successful.
Recommended Action No user action is required.The backup archive was created in disk0:. For more details, enter the show backup status detail command.
Error Message %ACE-3-255003: Backup for context <ctx_name> failed for component <component> due to <reason>
Explanation This message indicates that the backup of the context specified by the ctx_name variable has failed. Possible values of the component variable are as follows:
•Startup-cfg
•Running-cfg
•Checkpoints
•Licenses
•Cert/Key
•Probe script
•Common—Indicates a failure that is not related to any of the above components
Possible values of the reason variable are as follows:
•Error, no space on disk0:
•Error, probe script <script_name> not found in disk0: or probe:
•Internal Error, cleanup for backup failed
•Internal Error, call for context name failed
•Internal Error, call for context list failed
•Internal Error, temp directory creation for backup failed
•Internal Error, cleanup failed for the empty archive
•Internal Error, couldn't store the archive name
•Internal Error, failed to delete the backup temp dir
•Internal Error, temp directory creation for single backup failed
•Internal Error, failed to generate startup config
•Internal Error, failed to get file list for checkpoint backup
•Internal Error, checkpoint copy failed
•Internal Error, failed to get file list for certs
•Internal error, SSL Cert <cert_name> backup failed
•Internal Error, SSL Cert <cert_name> copy for backup failed
•Internal Error, SSL Cert temp file for <cert_name> removal failed
•Internal Error, SSL Cert cleanup failed
•Internal Error, failed to get file list for keys
•Internal error, SSL Key <key_name> backup failed
•Internal Error, failed to encrypt the key file <key_name>
•Internal Error, failed to copy the encrypted key <key_name>
•Internal Error, failed to cleanup the key file <key_name>
•Internal Error, failed to copy the key to backup
•Internal Error, failed to remove the unencrypted key
•Internal Error, failed to get file list for licenses
•Internal Error, failed to copy license file <license_nam>
•Internal Error, couldn't obtain the script list
•Internal Error, invalid return data
•Internal Error, script <script_name> copy for backup failed
•Internal Error, couldn't remove last backup archive
•Internal Error, couldn't store the archive name
•Internal Error, archive information not updated to backup/restore database
Recommended Action To troubleshoot the backup failure, enter the show backup status and the show backup errors commands.
Error Message %ACE-3-255004: Backup for all contexts failed in context <ctx_name> for component <component> due to <reason>
Explanation This message indicates that the backup of all contexts in the ACE performed from the Admin context has failed. Possible values of the component variable are as follows:
•Startup-cfg
•Running-cfg
•Checkpoints
•Licenses
•Cert/Key
•Probe script
•Common—Indicates a failure that is not related to the above components
Possible values of the reason variable are as follows:
•Error, no space on disk0:
•Error, probe script <script_name> not found in disk0: or probe:
•Internal Error, cleanup for backup failed
•Internal Error, call for context name failed
•Internal Error, call for context list failed
•Internal Error, temp directory creation for backup failed
•Internal Error, cleanup failed for the empty archive
•Internal Error, couldn't store the archive name
•Internal Error, failed to delete the backup temp dir
•Internal Error, temp directory creation for single backup failed
•Internal Error, failed to generate startup config
•Internal Error, failed to get file list for checkpoint backup
•Internal Error, checkpoint copy failed
•Internal Error, failed to get file list for certs
•Internal error, SSL Cert <cert_name> backup failed
•Internal Error, SSL Cert <cert_name> copy for backup failed
•Internal Error, SSL Cert temp file for <cert_name> removal failed
•Internal Error, SSL Cert cleanup failed
•Internal Error, failed to get file list for keys
•Internal error, SSL Key <key_name> backup failed
•Internal Error, failed to encrypt the key file <key_name>
•Internal Error, failed to copy the encrypted key <key_name>
•Internal Error, failed to cleanup the key file <key_name>
•Internal Error, failed to copy the key to backup
•Internal Error, failed to remove the unencrypted key
•Internal Error, failed to get file list for licenses
•Internal Error, failed to copy license file <license_nam>
•Internal Error, couldn't obtain the script list
•Internal Error, invalid return data
•Internal Error, script <script_name> copy for backup failed
•Internal Error, couldn't remove last backup archive
•Internal Error, couldn't store the archive name
•Internal Error, archive information not updated to backup/restore database
Recommended Action To troubleshoot the backup failure, enter the show backup status and the show backup errors commands.
Error Message %ACE-5-255005: Restore for context ctx_name is successful
Explanation This message indicates that the restore of the context specified by the ctx_name variable was successful.
Recommended Action No user action is required. For more details, enter the show restore status detail command.
Error Message %ACE-5-255006: Restore for all contexts successful
Explanation This message indicates that the restore of all contexts in the ACE performed from the Admin context was successful.
Recommended Action No user action is required. For more details, enter the show restore status detail command.
Error Message %ACE-2-255007: Restore for context <ctx_name> failed for component <component> due to <reason>
Explanation This message indicates that the restore of the context specified by the ctx_name variable has failed. Possible values of the component variable are as follows:
•Startup-cfg
•Running-cfg
•Checkpoints
•Licenses
•Cert/Key
•Probe script
•Common—Indicates a failure that is not related to the above components
Possible values of the reason variable are as follows:
•Error, decipher failed for keys
•Error, running config file missing
•Error, running config apply failed
•Internal Error, invalid license name
•Internal Error, invalid script file name
•Internal Error, invalid checkpoint name
•Internal Error, invalid key file name
•Internal Error, invalid cert file name
•Internal Error, invalid config file name
•Internal Error, failed to get file list for licenses
•Internal Error, licenses clear error
•Internal Error, license copy to CF failed
•Internal Error, license copy to sram failed
•Internal error, MTS bind, cannot install licenses
•Internal Error, MTS send failed, cannot install licenses
•Internal Error, crypto clear all failed
•Internal Error, failed to restore keys
•Internal Error, failed to restore certs
•Internal Error, failed to get file list for tcl script
•Internal Error, script copy failed
•Internal Error, checkpoint clear error
•Internal Error, failed to get file list for checkpoints
•Internal Error, checkpoints copy failed
•Internal Error, starup-config copy failed
•Internal Error, failed to get file list for running config
•Internal Error, failed to generate running config
•Internal Error, failed to compute diff to confirm successful rollback
Recommended Action To troubleshoot the restore failure, enter the show restore status and the show restore errors commands.
Error Message %ACE-2-255008: Restore for all contexts failed in context <ctx_name> for component <component_name> due to <reason>
Explanation This message indicates that the restore of all contexts in the ACE performed from the Admin context has failed. Possible values of the component variable are as follows:
•Startup-cfg
•Running-cfg
•Checkpoints
•Licenses
•Cert/Key
•Probe script
•Common—Indicates a failure that is not related to the above components
Possible values of the reason variable are as follows:
•Error, decipher failed for keys
•Error, running config file missing
•Error, running config apply failed
•Internal Error, invalid license name
•Internal Error, invalid script file name
•Internal Error, invalid checkpoint name
•Internal Error, invalid key file name
•Internal Error, invalid cert file name
•Internal Error, invalid config file name
•Internal Error, failed to get file list for licenses
•Internal Error, licenses clear error
•Internal Error, license copy to CF failed
•Internal Error, license copy to sram failed
•Internal error, MTS bind, cannot install licenses
•Internal Error, MTS send failed, cannot install licenses
•Internal Error, crypto clear all failed
•Internal Error, failed to restore keys
•Internal Error, failed to restore certs
•Internal Error, failed to get file list for tcl script
•Internal Error, script copy failed
•Internal Error, checkpoint clear error
•Internal Error, failed to get file list for checkpoints
•Internal Error, checkpoints copy failed
•Internal Error, starup-config copy failed
•Internal Error, failed to get file list for running config
•Internal Error, failed to generate running config
•Internal Error, failed to compute diff to confirm successful rollback
Recommended Action To troubleshoot the restore failure, enter the show restore status and the show restore errors commands.
This section contains messages from 302022 to 327001.
Error Message %ACE-6-302022: Built TCP connection id for interface:real-address/real-port (mapped-address/mapped-port) to interface:real-address/real-port (mapped-address/mapped-port)
Explanation This informational message is logged when a TCP connection slot between two hosts is created.
Recommended Action None required.
Error Message %ACE-6-302023: Teardown TCP connection id for interface:real-address/real-port (mapped-address/mapped-port) to interface:real-address/real-port (mapped-address/mapped-port) duration hh:mm:ss bytes bytes [reason]
Explanation This informational message is logged when a TCP connection slot between two hosts is terminated.
The reason variable presents the action that causes the connection to terminate. Table 2-1 lists the TCP termination causes.
Recommended Action None required.
Error Message %ACE-6-302024: Built UDP connection id for interface:real-address/real-port (mapped-address/mapped-port) to interface:real-address/real-port (mapped-address/mapped-port)
Explanation A UDP connection slot between two hosts was added.
Recommended Action None required.
Error Message %ACE-6-302025: Teardown UDP connection id for interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes bytes
Explanation A UDP connection slot between two hosts was deleted.
Recommended Action None required.
Error Message %ACE-6-302026: Built ICMP connection for faddr/NATed_ID gaddr/icmp_type laddr/icmpID
Explanation An ICMP session was established.
Recommended Action None required.
Error Message %ACE-6-302027: Teardown ICMP connection for faddr/NATed ID gaddr/icmp_type laddr/icmpID
Explanation An ICMP session was removed.
Recommended Action None required.
Error Message %ACE-6-302028: Built TCP connection id for interface: real-address/real-port (mapped-address/mapped-port) to interface: real-address/real-port (mapped-address/mapped-port)
Explanation A TCP connection slot between two hosts was created.
Recommended Action None required.
Error Message %ACE-6-302029: Teardown TCP connection id for interface: real-address/real-port to interface: real-address/real-port duration hh:mm:ss bytes bytes [reason]
Explanation A TCP connection between two hosts was terminated.
The reason variable presents the action that causes the connection to terminate. Table 2-1 lists the TCP termination causes.
Recommended Action None required.
Error Message %ACE-6-302030: Built UDP connection id for interface: real-address/real-port (mapped-address/mapped-port) to interface: real-address/real-port (mapped-address/mapped-port)
Explanation A UDP connection slot between two hosts was added.
Recommended Action None required.
Error Message %ACE-6-302031: Teardown UDP connection id for interface: real-address/real-port to interface: real-address/real-port duration hh:mm:ss bytes bytes
Explanation A UDP connection slot between two hosts was deleted.
Recommended Action None required.
Error Message %ACE-6-303003: FTP cmd_name command denied - failed strict inspection, terminating connection from source_interface:source_address/source_port to dest_interface:dest_address/dest_port
Explanation The ACE module is using strict inspection on FTP traffic. This message displays if an FTP request command is denied by the strict FTP inspection policy from the ftp-map command.
Recommended Action None required.
Error Message %ACE-5-303004: FTP cmd_string command unsupported - failed strict inspection, terminating connection from source_interface:source_address/source_port to dest_interface:dest_address/dest_interface
Explanation The ACE module is using strict FTP inspection on FTP traffic. This message displays if an FTP request message contains a command that is not recognized by the device.
Recommended Action None required.
Error Message %ACE-5-304001: user source_address Accessed {URL} dest_address: url.
Explanation This is a URL message that is logged when the specified host attempts to access the specified URL.
Recommended Action None required.
Error Message %ACE-6-305009: Built {dynamic|static} translation from interface_name [(acl-name)]:real_address to interface_name:mapped_address
Explanation An address translation slot was created. The slot translates the source address from the local side to the global side. In reverse, the slot translates the destination address from the global side to the local side.
Recommended Action None required.
Error Message %ACE-6-305010: Teardown {dynamic|static} translation from interface_name:real_address to interface_name:mapped_address duration time
Explanation An address translation slot was deleted. The duration time variable displays the total duration time, which is the time that the entry was created until it expired and applies to dynamic NAT or PAT only.
Recommended Action None required.
Error Message %ACE-6-305011: Built {dynamic|static} {TCP|UDP|ICMP} translation from interface_name:real_address/real_port to interface_name:mapped_address/mapped_port
Explanation A TCP, UDP, or ICMP address translation slot was created. The slot translates the source socket from the local side to the global side. In reverse, the slot translates the destination socket from the global side to the local side.
Recommended Action None required.
Error Message %ACE-6-305012: Teardown {dynamic|static} {TCP|UDP|ICMP} translation from interface_name:real_address/{real_port|real_ICMP_ID}to interface_name:mapped_address/{mapped_port|mapped_ICMP_ID} duration time
Explanation An address translation slot was deleted. The duration time variable displays the total duration time, which is the time that the entry was created until it expired and applies to dynamic NAT or PAT only.
Recommended Action None required.
Error Message %ACE-4-313004: Denied ICMP type=icmp_type, from source_address on interface interface_name to dest_address:no matching session
Explanation ICMP packets were discarded by the ACE because of security checks added by the stateful ICMP feature. These ICMP packets are discarded for any of the following reasons:
•ICMP echo replies are received without a valid echo request already passed across the ACE.
•ICMP error messages are received that are not related to any TCP, UDP, or ICMP session already established in the ACE.
Recommended Action None required.
Error Message %ACE-1-313006: ICMP Manager Initialization Failed. Reason : Variable1
Explanation The ICMP Manager running on the Control Plane of the ACE fails to start.
The possible values of the Variable1 variable are as follows:
•Timer creation failed.
•MTS initialization failed.
•Error while opening system call.
•Error while mapping buffer manager memory.
•Encap/Decap registration failed.
Recommended Action The ACE should automatically reboot the card. If not, try rebooting manually. If the problem still exists, contact Cisco TAC and provide them with the output of show tech-support command.
Error Message %ACE-1-313007: ICMP Manager Memory Problem. Reason: Variable1
Explanation The ACE reports ICMP-related memory failures.
The possible values of the Variable1 variable are as follows:
•No memory available to create ping free list.
•No memory from buffer manager. Cannot send packet.
•No memory available for ping block.
•Possible memory corruption.
Recommended Action Reboot the ACE (see the Cisco Application Control Engine Module Administration Guide for details). If the problem persists, contact Cisco TAC and provide them with the following command output:
•If the "No memory from buffer manager. Cannot send packet." message appears, provide the output generated from the show buffer usage and show buffer stats commands.
•If any other message is returned, provide the output generated from the show process cpu memory command.
Error Message %ACE-6-314001: Pre-allocate RTSP UDP backconnection for foreign_address outside_address/outside_port to local_address inside_address/inside_port
Explanation The Cisco ASA opened an RTSP connection for the specified IP addresses and ports.
Recommended Action None required.
Error Message %ACE-3-322001: Deny MAC address MAC_address, possible spoof attempt on interface interface
Explanation The ACE received a packet from the offending MAC address on the specified interface, but the source MAC address in the packet is statically bound to another interface in your configuration. This situation can be caused by either a MAC-spoofing attack or a misconfiguration.
Recommended Action Check the configuration and take appropriate action by either finding the offending host or modifying the configuration.
Error Message %ACE-3-322002: ARP inspection check failed for arp {request|response} received from host MAC_address on interface interface. This host is advertising MAC Address MAC_address_1 for IP Address IP_address, which is {statically|dynamically} bound to MAC Address MAC_address_2.
Explanation If ARP inspection is enabled, the ACE checks whether a new ARP entry advertised in the packet conforms to the statically configured or dynamically learned IP-MAC address binding before forwarding ARP packets. If this check fails, the ACE drops the ARP packet and generates this message. This situation can be caused by either ARP spoofing attacks in the network or an invalid configuration (IP-MAC binding).
Recommended Action If the cause is an ARP spoofing attack, deny the host by using an ACL. If the cause is an invalid configuration, correct the binding (see the Cisco Application Control Engine Module Routing and Bridging Configuration Guide for details).
Error Message %ACE-3-322003: ARP inspection check failed for arp {request|response} received from host MAC_address on interface interface. This host is advertising MAC Address MAC_address_1 for IP Address IP_address, which is not bound to any MAC Address.
Explanation If ARP inspection is enabled, the ACE checks whether a new ARP entry advertised in the packet conforms to the statically configured IP-MAC address binding before forwarding ARP packets. If this check fails, the ACE drops the ARP packet and generates this message. This situation may be caused by either ARP spoofing attacks in the network or an invalid configuration (IP-MAC binding).
Recommended Action If the cause is an attack, deny the host by using an ACL. If the cause is an invalid configuration, correct the binding (see the Cisco Application Control Engine Module Routing and Bridging Configuration Guide for details).
Error Message %ACE-3-327001: Detected Encap table Full when allocating encap entry for IP interface interface_name
Explanation The Encap table size is limited to 32,000 entries. This message is logged when trying to allocate an encap entry after the limit is reached.
Recommended Action Use the clear arp command to remove any unused or invalid table entries.
This section contains messages from 400000 to 444007.
Error Message %ACE-4-400000: IDS:1000 IP Option Bad Option List from IP_address to IP_address on interface interface_name
Explanation Cisco Intrusion Detection System signature message. The ACE does not support IP options. This IDS message is generated whenever the ACE detects IP options in a packet.
Recommended Action See the Cisco Intrusion Detection System User Guide.
Error Message %ACE-4-405001: Received ARP {request | response} collision from IP_address/mac_address on interface interface_name
Explanation The ACE received an ARP packet, and the MAC address in the packet differs from the ARP cache entry. This traffic may be legitimate, or it may indicate that an ARP poisoning attack is in progress.
Recommended Action Check the source MAC address to determine where the packets are coming from and determine if the host is valid.
Error Message %ACE-4-405201: ILS ctxid from vlan x:src_ip/src_prt to vlan y:dst_ip/dst_prt has wrong embedded address embedded addr in ILS payload
Explanation The embedded IP address in the ILS packet payload is not same as the source IP address of the IP packet header.
Recommended Action Check the host with the specified source IP address to determine why it sent an ILS packet with an incorrect embedded IP address.
Error Message %ACE-4-406001: FTP port command low port: IP_address/port to IP_address on interface interface_name
Explanation A client issued an FTP port command with a port number less than 1024; in the well-known port range, this number is typically devoted to server ports. This error message indicates an attempt to avert the site security policy. The Cisco ASA drops the packet, terminates the connection, and logs the event.
Recommended Action None required.
Error Message %ACE-4-406002: FTP port command different address: IP_address(IP_address) to IP_address on interface interface_name
Explanation A client issued an FTP port command with an address other than the address used in the connection. This error message indicates that an attempt was made to avert the site security policy. The address in parentheses is the address from the port command. For example, an attacker may attempt to hijack an FTP session by changing the transmitted packet and putting different source information instead of the correct source information. The security appliance drops the packet, terminates the connection, and logs the event.
Recommended Action None required.
Error Message %ACE-4-410001: Dropped UDP DNS packet_type from source_interface:source_address/source_port to dest_interface:dest_address/dest_port; error_length_type length length bytes exceeds max_length_type limit of maximum_length bytes.
Explanation The domain-name length exceeds 255 bytes in a UDP DNS packet. (See RFC 1035 section 3.1.)
Recommended Action None required.
Error Message %ACE-4-411001: Line protocol on interface interface_name changed state to up
Explanation The status of the line protocol has changed from down to up.
Recommended Action None required.
Error Message %ACE-4-411002: Line protocol on interface interface_name changed state to down
Explanation The status of the line protocol has changed from up to down.
Recommended Action If this event on the interface is unexpected, check the line.
Error Message %ACE-4-411003: Interface interface_name changed state to administratively up
Explanation The configuration status of the interface has changed from down to up.
Recommended Action If this event on the interface is unexpected, check the line.
Error Message %ACE-4-411004: Interface interface_name changed state to administratively down
Explanation The configuration status of the interface has changed from up to down.
Recommended Action None required.
Error Message %ACE-4-412001: MAC MAC_address moved from interface_1 to interface_2
Explanation The ACE detects that a host was moved from one appliance interface to another. In a transparent ACE, mapping between the host (MAC) and the ACE port is maintained in a Layer 2 forwarding table. The table dynamically binds packet source MAC addresses to an ACE port. When movement of a host from one interface to another interface is detected during this binding process, this error message is generated.
The host move may be valid or the host move may be an attempt to spoof host MACs on other interfaces.
Recommended Action You can take one of these actions:
•If it is a genuine host move, no action is required.
•If it is a MAC spoof attempt, you can either locate vulnerable hosts on your network and remove them or configure static MAC entries. Configuring static MAC entries will not allow MAC address and port binding to change.
Error Message %ACE-5-415004:HTTP - matched mime_type in policy-map policy_map_name, content-type verification failed from source_address to dest_address/port_num Connection connection_ID
Explanation The match content-type-verification command is configured and a MIME type in the content-type HTTP header field is found in the list of policies of allowed types. However, the expected number in the body of the message is not the correct number to identify a file of that type. This behavior is unusual and could indicate an attempt to smuggle contraband data over the connection.
Recommended Action None required.
Error Message %ACE-5-415006: HTTP - matched class_map_name in policy_map_name, URI matched connection_action from source_address/port_num to dest_address/port_num Connection connection_ID
Explanation The URI matches the regular expression that the user configured.
Recommended Action None required.
Error Message %ACE-5-415007: HTTP - matched class_map_name in policy-map policy_map_name, Body matched connection_action from IP_address/port_num to IP_address/port_num Connection connection_ID
Explanation The body matches the regular expression that the user configured.
Recommended Action None required.
Error Message %ACE-5-415008: HTTP - matched class_map_name in policy-map policy_map_name, Header matched connection_action from IP_address/port_num to IP_address/port_num Connection connection_ID
Explanation The header matches the regular expression that the user configured.
Recommended Action None required.
Error Message %ACE-5-415009: HTTP - matched class_map_name in policy-map policy_map_name, method matched - connection_action from IP_address/port_num to IP_address/port_num Connection connection_ID
Explanation The request method matches the regular expression that the user configured.
Recommended Action None required.
Error Message %ACE-5-415010: HTTP - matched class_map_name in policy-map policy_map_name, transfer encoding matched connection_action from IP_address/port_num to IP_address/port_num Connection connection_ID
Explanation The transfer or content encoding matches the regular expression that the user configured.
Recommended Action None required.
Error Message %ACE-5-415011: HTTP - policy-map policy_map_name:Protocol violation connection_action from IP_address/port_num to IP_address/port_num Connection connection_ID
Explanation The HTTP parser cannot detect a valid HTTP message in the first few bytes of an HTTP message. A user may be running a protocol over the port for HTTP transactions. This action violates the user-configured policy.
Recommended Action None required.
Error Message %ACE-5-415021: HTTP - matched class_map_name in policy-map policy_map_name, URI length range matched connection_action from source_address/port_num to dest_address/port_num Connection connection_ID
Explanation The URI length is within the range that the user configured.
Recommended Action None required.
Error Message %ACE-5-415022: HTTP - matched class_map_name in policy_map_name, Header length range matched connection_action from source_address/port_num to dest_address/port_num Connection connection_ID
Explanation The header length is within the range that the user configured.
Recommended Action None required.
Error Message %ACE-5-415023: HTTP - matched class_map_name in policy-map policy_map_name, body length range matched connection_action from source_interface:source_address/port_num to dest_interface:dest_address/port_num Connection connection_ID
Explanation The body length is within the range that the user configured.
Recommended Action None required.
Error Message %ACE-5-415024:HTTP - matched class_map_name in policy-map policy_map_name, Header content type matched connection_action from IP_address/port_num to IP_address/port_num Connection connection_ID
Explanation The header content type matches the regular expression that the user configured.
Recommended Action None required.
Error Message %ACE-5-415025: HTTP policy_map_name - Tunnel detected - connection_action from IP_address/port_num to IP_address/port_num connection connection_ID
Explanation A tunneling protocol is detected in the HTTP content. A user may be running a tunneling protocol using HTTP as the transport. This action violates the user-configured policy.
Recommended Action None required.
Error Message %ACE-5-415026: HTTP policy_map_name: Instant Messenger detected connection_action from IP_address/port_num to IP_address/port_num connection connection_ID
Explanation An instant messenger protocol is detected in the HTTP content. A user may be running an instant messenger protocol using HTTP as the transport. This action violates the user-configured policy.
Explanation None required.
Error Message %ACE-5-415027: HTTP policy_map_name: Peer-to-Peer detected connection_action from IP_address/port_num to IP_address/port_num connection connection_ID
Explanation A peer-to-peer protocol is detected in the HTTP content. A user may be running a peer-to-peer protocol using HTTP as the transport. This action violates the user-configured policy.
Recommended Action None required.
Error Message %ACE-3-440002: Addition failed for variable 1
Explanation An error occurred for the SNMP Shadow Table Addition. SNMP Get/Get-Next requests may fail on the table name specified by variable 1.
Recommended Action Check the memory-related information in the system. Enter the show processes cpu memory command and locate the MemAlloc column in the output.
Error Message %ACE-3-440003: Deletion failed for variable 2
Explanation An error occurred for the SNMP Shadow Table Deletion. A deletion failure may result in a memory leak or wrong or nonexistent values being returned for subsequent Get/Get-Next requests on the table name specified by variable 2.
Recommended Action Check the memory-related information in the system. Enter the show processes cpu memory command and locate the MemAlloc column in the output.
Error Message %ACE-5-441001: Serverfarm name failed over to backupServerfarm (backup_name) in policy_map (lb_Policy_Map). Number of failovers = count1, number of times back in service = count2
Explanation A serverfarm failover event has occurred. The name variable is the name of the serverfarm. The backup_name is the name of the backup serverfarm. The lb_Policy_Map is the name of the load-balancing policy map. The count1 variable is the number of times that the primary serverfarm failed over to the backup serverfarm. The count2 variable is the number of times the primary serverfarm returned to service.
Recommended Action None required.
Error Message %ACE-5-441002: Serverfarm name is back in service in policy_map (lb_Policy_Map). Number of failovers = count1, number of times back in service = count2
Explanation A serverfarm in service event has occurred. The name variable is the name of the serverfarm. The lb_Policy_Map is the name of the load-balancing policy map. The count1 variable is the number of times that the primary serverfarm failed over to the backup serverfarm. The count2 variable is the number of times the primary serverfarm returned to service.
Recommended Action None required.
Error Message %ACE-4-442001: Health probe probe name detected real_server_name (interface interface_name) in serverfarm sfarm_name changed state to UP
Explanation The state of a real server changed from down to up.
Recommended Action None required.
Error Message %ACE-4-442002: Health probe probe name detected real_server_name (interface interface_name) in serverfarm sfarm_name changed state to DOWN
Explanation The state of a real server changed from up to down.
Recommended Action None required.
Error Message %ACE-4-442003: Real Server real_server_name in serverfarm sfarm_name changed state to new state
Explanation This message reports a real server state change.
The new state variable can be one of the following:
•outOfService since max connection reached
•outOfService since retcode threshold reached
•outOfService in normal scenarios
Recommended Action None required.
Error Message %ACE-4-442004: Health probe probe name detected real_server_name (interface interface_name) changed state to UP
Explanation The state of a real server changed from down to up.
Recommended Action None required.
Error Message %ACE-4-442005: Health probe probe name detected real_server_name (interface interface_name) changed state to DOWN
Explanation The state of a real server changed from up to down.
Recommended Action None required.
Error Message %ACE-4-442006: Real Server Real Server name changed state to inService/outOfService>
Explanation Whenever a real server is manually placed in service or taken out of service, this syslog is generated. Also, this syslog is generated if there is an indication from the data plane about the state change of the real server.
Recommended Action No action is required. This syslog is for informational purposes only.
Error Message %ACE-2-443001: System experienced fatal failure. Char, reloading system
Explanation If the ACE encounters a fatal error and reloads, it displays the module or service name and reboots. The Char variable can be one of the following:
•tar system call failed
•Sysmgr core not present
•Service name:Sysmgr(1234) has terminated on receiving signal 11
Recommended Action Check the core file. The show version command output displays the reason for the failure in the last boot reason field.
Error Message %ACE-2-444001: License checkout failure for feature feature_name reason
Explanation A license checkout error has occurred for a specified feature due to the reported reason.
Recommended Action Contact Cisco TAC.
Error Message %ACE-5-444002: Installed license file license_file_name
Explanation The license installation completed for the specified license filename.
Recommended Action Use the show license usage command to verify that this license installed.
Error Message %ACE-5-444003: Uninstalled license file license_file_name
Explanation The license uninstall completed for the specified license filename.
Recommended Action Use the show license usage command to verify that the license uninstalled.
Error Message %ACE-2-444004: Evaluation license expired for feature feature_name
Explanation The license for the specified feature has exceeded the evaluation time period. All the licensed feature specific configurations are removed.
Recommended Action Install a new license for this feature to use it.
Error Message %ACE-4-444005: Evaluation license for feature feature_name will expire in num_days days num_hours hours
Explanation The specified license will exceed its evaluation time period after specified duration as designated in the days and hours remaining. All the licensed feature specific configurations will be removed after the license expires.
Recommended Action Install new license to continue to use the feature without any interruption.
Error Message %ACE-1-444006: License manager exiting: reason
Explanation The license manager exits due to the reported reason.
Recommended Action Contact Cisco TAC.
Error Message %ACE-4-444007: Installed feature_name license on Revision 6 or older hardware, will not take effect until next reboot.
Explanation The installed 16G throughput license on Revision 6 or older hardware does not take effect until the next ACE reboot.
Recommended Action Reboot the ACE after saving the current running configuration.
This section contains messages from 504001 to 504002.
Error Message %ACE-5-504001: Security context context-name was added to the system
Explanation A security context was successfully added to the system.
Recommended Action None required.
Error Message %ACE-5-504002: Security context context-name was removed from the system
Explanation A security context was successfully removed from the system.
Recommended Action None required.
This section contains messages from 607001 to 615004.
Error Message %ACE-6-607001: Pre-allocate SIP media secondary channel for source_interface:source_address/source_port to destination_interface:destination_address/destination_port from message_id message
Explanation This message is generated when a connection is prealloacted to allow media streams negotiated on a Session Initiation Protocol (SIP) session.
Recommended Action None required.
Error Message %ACE-6-607003: SIP Classification: Action_type and log SIP message_id from source_interface:source_address/source_port to destination_interface:destination_address/destination_port
Explanation This message is generated when the ACE permits or drops a SIP packet or resets the SIP control connection (if it is over TCP), and a log action is configured.
Recommended Action None required.
Error Message %ACE-6-608001: Pre-allocate Skinny connection_type secondary channel for source_interface:source_address/source_port to destination_interface:destination_address/destination_port from message_id message
Explanation This message is generated when a connection is preallocated to allow media streams negotiated on a Skinny Client Control Protocol (SCCP) session.
Recommended Action None required.
Error Message %ACE-4-608002: Dropping Skinny message for source_interface:source_address/source_port to destination_interface:destination_address/destination_port, SCCPPrefix length prefex_length too small
Explanation This message appears when using SCCP inspection on SCCP traffic. It is displayed if a SCCP message is too small to carry the SCCP payload.
Recommended Action None required.
Error Message %ACE-4-608003: Dropping Skinny message for source_interface:source_address/source_port to destination_interface:destination_address/destination_port, SCCPPrefix length prefex_length too large
Explanation This message appears when using SCCP inspection on SCCP traffic. It is displayed if a SCCP message is larger than the maximum configured size.
Recommended Action None required.
Error Message %ACE-4-608004: Dropping Skinny message for source_interface:source_address/source_port to destination_interface:destination_address/destination_port, message id message_id not allowed
Explanation This message is generated when using inspection on SCCP traffic. It is displayed if a Skinny command is denied by the SCCP inspection policy.
Recommended Action None required.
Error Message %ACE-4-608005: Dropping Skinny message for source_interface:source_address/source_port to destination_interface:destination_address/destination_port, message id message_id registration not complete
Explanation This message is generated when using inspection on SCCP traffic. It is displayed if a Skinny command that is not allowed before registration is seen before the IP phone has successfully registered with the Cisco Call Manager (CCM).
Recommended Action None required.
Error Message %ACE-6-615003: VLAN VLAN-number not available for configuring an interface
Explanation The specified VLAN number is no longer assigned to the ACE. If an interface is configured with that VLAN number on the module, it will be kept in a shutdown state. If an interface is already configured with that VLAN and is up, it will change the state to shutdown.
Recommended Action If the VLAN specified in the log message is not required for the ACE, delete all interfaces that use this VLAN from the module configuration.
Error Message %ACE-6-615004: VLAN VLAN-number available for configuring an interface
Explanation The specified VLAN number is now assigned to the ACE. The module can use the VLAN to configure an interface and to receive traffic.
Recommended Action To use the new VLAN, configure interfaces on the ACE using the new VLAN.
This section contains messages from 727001 to 750002.
Error Message %ACE-1-727001: HA: Peer IP address is not reachable. Error: error str.
Explanation An active or standby device cannot reach its redundant peer. This message is displayed on both devices and causes a switchover on the standby device. After the switchover occurs, both devices are no longer redundant. The error str value can be one of the following:
•Heartbeat stopped. Ping on alternate interface failed.
•Heartbeat stopped. No alternate interface configured.
Recommended Action Verify connectivity between the peers. If a peer device is physically up but connectivity is the problem, you may end up with two active devices. If connectivity is lost due to the peer going down, reboot the peer to restore redundancy between the two devices.
Error Message %ACE-1-727002: HA: FT interface interface name to reach peer IP address is down. Error: error str
Explanation A peer device is not reachable on an FT interface. In this situation the standby device does not switchover to active, which prevents two actives in the network. The error str value can be one of the following:
•Heartbeats stopped. Peer is reachable via alternate interface.
•Heartbeats are up but cannot use the Telnet connection to the peer device.
Recommended Action Verify connectivity between the two devices over the FT interface. Ping or use Telnet to the peer IP address to confirm connectivity.
Error Message %ACE-1-727003: HA: Mismatch in context names detected for FT group FTgroupID. Cannot be redundant.
Explanation Redundancy is enabled for a particular context, but both devices are unable to become active or standby because of a mismatch in context names.
Recommended Action Check the FT group configuration on both devices. Make sure that both devices are associated with the same context.
Error Message %ACE-1-727004: HA: Two actives have been detected for FT group FTgroupID.
Explanation Both devices were detected to be active for the same FT group. At this point, one of the two devices automatically relinquishes control and switches over to standby.
Recommended Action None required.
Error Message %ACE-1-727005: HA: Config replication failed for context ctx name. Error : error str
Explanation A configuration could not be synchronized to the peer device due to the error condition returned by the error str value. The error str value can be one of the following:
•Error on Standby device when applying Configuration file replicated from Active.
•Failed to transfer Configuration file to standby. TFTP Failed.
•Failed to generate Running Configuration for peer device. "show running peer" failed.
•Failed to convert Configuration to peer version. Flip of peer addresses failed.
•Failed to retrieve Context Information.
•Failed to rollback Running Configuration on Standby device.
•Failed to sync Running Configuration to Standby device.
•Failed to sync Startup Configuration to Standby device.
•Failed to send MTS message to peer to communicate config status.
Recommended Action Check the running and startup configurations on both devices. To recover, disable configuration synchronization, and then manually apply the configuration on each device.
Error Message %ACE-1-727006: HA: Peer is incompatible due to error str. Cannot be Redundant.
Explanation A peer device failed to become compatible. This can be a result of Software Relationship Graph (SRG) version inconsistency or a mismatch in licenses between the devices. The error string indicates the reason for the failure.
The error str value can be one of the following:
•License Compatibility Mismatch.
•SRG Compatibility Mismatch.
Recommended Action Verify version and license compatibility on both the devices.
Error Message %ACE-1-727007: HA: Module Initialization failure - Error Error str.
Explanation An initialization error occurred for one of the redundant modules. The Error str variable indicates the reason for the failure.
The Error str vraiable can be one of the following:
•MTS Init Failure
•TNRPC Failure
•Select Call Failure
•Timer Creation Failure
Recommended Action Contact Cisco TAC.
Error Message %ACE-1-727008: HA: Failed to send heartbeats to peer. Internal error: Error str
Explanation The device is unable to send heartbeats to its peer due to an internal error. The error string indicates the reason for the failure.
The Error str variable can be one of the following:
•Failed to setup UDP Connection to Peer for Heartbeats.
•Failed to create Encap for Peer.
•Failed to communicate to IXP.
Recommended Action Contact Cisco TAC.
Error Message %ACE-1-727009: HA: Communication failure for Peer Peer id Event: error str
Explanation The device is unable to establish a TCP connection to the peer. The error str variable is "Failed to establish TCP connection to Peer device."
Recommended Action Contact Cisco TAC.
Error Message %ACE-2-727010: HA: Data replication failed for context ctx name. Error code error str
Explanation Data replication fails and data could not be successfully synchronized to the peer device. The next periodic synchronization will correct the failure and update the lost records. The Error str variable indicates the reason for the failure.
The error str variable can be one of the following:
•Failed to bulk sync Connection Records.
•Failed to bulk sync Load Balancer Records.
Recommended Action None required.
Error Message %ACE-2-727011: HA: Configuration replication for context ctx name will not happen. Error: Error str
Explanation The configuration synchronization does not occur for a context. The error string indicates the reason for the failure.
The Error str value can be:
•Failed to open Startup Configuration File. It does not exist.
•HA election timed out.
•Configuration sync to peer not initiated because Peer doesn't exist.
•HA has not been configured for context.
Recommended Action None required.
Error Message %ACE-2-727012: HA: FT Group group ID changed state to NewState. Reason: reason str.
Explanation This message displays the state transitions made by an HA state (redundancy) device for a context.
Table 2-2 lists the values for the NewState variable.
.
Values returned for the reason str variable can be one of the following:
•FSM_FT_EV_PEER_DOWN
•FSM_FT_EV_PEER_FT_VLAN_DOWN
•FSM_FT_EV_PEER_SOFT_RESET
•FSM_FT_EV_STATE
•FSM_FT_EV_TIMEOUT
•FSM_FT_EV_CFG_SYNC_STATUS
•FSM_FT_EV_BULK_SYNC_STATUS
•FSM_FT_EV_COUP
•FSM_FT_EV_RELINQUISH
•FSM_FT_EV_TRACK_STATUS
•FSM_FT_EV_UPDATE
•FSM_FT_EV_ENABLE_INSERVICE
•FSM_FT_EV_DISABLE_INSERVICE
•FSM_FT_EV_SWITCHOVER
•FSM_FT_EV_PEER_COMPATIBLE
•FSM_FT_EV_MAINT_MODE_OFF
•FSM_FT_EV_MAINT_MODE_PARTIAL
•FSM_FT_EV_MAINT_MODE_FULL
Recommended Action None required.
Error Message %ACE-2-727013: HA: Peer Peer # is UP and reachable.
Explanation The peer is now reachable. Heartbeats are flowing successfully between the two peers.
Recommended Action None required.
Error Message %ACE-2-727014: HA: Heartbeats from Peer Peer id have become unidirectional.
Explanation Redundancy heartbeats from a peer have become unidirectional. That is, the peer cannot receive (only send) heartbeats. This problem occurs if one of the network processors has a problem.
Recommended Action Collect network processor drop counters, and then contact Cisco TAC.
Error Message %ACE-2-727015: HA: Detected mismatch in heartbeat interval from Peer peer id. Modified interval to interval.
Explanation The redundancy heartbeat received from one peer differs from the value of the second peer. This condition can occur when you choose to dynamically change the heartbeat interval. The modified heartbeat interval that is displayed shows the adjusted interval. This value is the greater of the two values.
Recommended Action None required.
Error Message %ACE-2-727016: HA: Replication for context ctx name has started. Status - status.
The replication is being carried out to a peer. The status variable indicates the synchronization status.
Values for the status variable can be one of the following:
•Running Configuration sync has started to peer.
•Startup Configuration sync has started to peer.
•Startup Configuration sync has completed to peer.
•Running Configuration sync has completed to peer.
•Data Replication has completed to peer.
•Startup configuration has been applied successfully for context.
Recommended Action None required.
Error Message %ACE-2-727017: HA: FT Track track type track name is UP.
Explanation The FT track is up.
The track type variable can be one of the following:
•Interface
•HSRP
•Host
Recommended Action None required.
Error Message %ACE-2-727018: HA: FT Track track type track name is DOWN.
Explanation The FT track is down.
The track type variable can be one of the following:
•Interface
•HSRP
•Host
Recommended Action None required.
Error Message %ACE-5-727019: HA: Started alternate ping to IP address ip addr
Explanation ICMP pings have started on the alternate interface to check the health of the peer. This process starts when heartbeats from the peer are no longer received. The standby device issues an alternate ping to the peer to determine whether the peer is still alive. If it is alive, it does not switchover, which prevents two active states on the network.
Recommended Action None required.
Error Message %ACE-5-727020: HA: Stopped alternate ping to IP address ip addr.
Explanation ICMP pings have stopped on the alternate interface. This occurs when heartbeats from the peer are received and the peer is up and reachable.
Recommended Action None required.
Error Message %ACE-5-727021: HA: Peer is compatible.
Explanation The two devices are in a compatible state and can be configured for redundancy.
Recommended Action None required.
Error Message %ACE-5-727022: HA: Started sending heartbeats to peer Peer id interval value and count cnt
Explanation The redundancy connections to the peer have been successfully established and heartbeats have been started to the peer with the configured interval and count.
The interval variable specifies interval in milliseconds. The count variable specifies the number of missed heartbeat intervals before the peer is declared down.
Recommended Action None required.
Error Message %ACE-5-727023: HA: Stopped sending heartbeats to peer Peer id.
Explanation Redundancy heartbeats to the peer have been stopped. This can occur if you reconfigure redundancy or make changes to basic connection parameters such as the peer IP address.
Recommended Action None required.
Error Message %ACE-1-728001: Initialization failure (general) type variable1
Explanation Initialization of the ACE load-balancing process is aborted due to a failure of a general nature (for example, lack of memory, failure to spawn threads, failure to establish a communication channel, and so on).
variable1 specifies the exact failure location in the code base.
Recommended Action Document the syslog message, and then reboot the ACE (see the Cisco Application Control Engine Module Administration Guide for details). Contact Cisco TAC with the documented message text.
Error Message %ACE-1-728002: Initialization failure (sticky) type variable1
Explanation Initialization of the ACE load-balancing process is aborted because of a failure in the sticky subsystem (for example, memory alignment failure, failure to spawn threads, failure to a establish communication channel.)
variable1 specifies the exact failure location in the code base.
Recommended Action Document the syslog message, and then reboot the ACE (see the Cisco Application Control Engine Module Administration Guide for details). Contact Cisco TAC with the documented message text.
Error Message %ACE-1-728003: Initialization failure (sticky hash) variable1 entries, variable2 min, variable3 max type variable4
Explanation Initialization of the ACE load-balancing process is aborted because of a failure when allocating entries for the sticky database (for example, the database is not allocated.)
The variables displayed in this message represent the following:
•variable1—Specifies the requested number of sticky entries.
•variable2—Specifies the minimum number of sticky entries required for successful operation of the hash algorithm.
•variable3—Specifies the maximum number of entries that can be allocated.
•variable4—Specifies the exact failure location in the code base.
Recommended Action Document the syslog message, and then reboot the ACE (see the Cisco Application Control Engine Module Administration Guide for details). Contact Cisco TAC with the documented message text.
Error Message %ACE-5-728004: Internal communications notice (general) type variable1
Explanation The ACE load-balancing process detects a spurious or unintelligible internal message that cannot be dispatched. Under high load, message loss may occur.
variable1 specifies the exact failure location in the code base.
Recommended Action If this message occurs frequently, or in conjunction with problems in load balancing under normal system load, contact Cisco TAC.
Error Message %ACE-3-728005: Failed to transmit variable1 decision for connection from client variable2 type variable3
Explanation A load-balancing decision was lost internally. No server connection can be initiated, and the identified client connection is reset. At this point, the client can attempt reconnection.
variable1 specifies the connection type. Possible values are as follows:
•destination (determined by load balancer)
•drop (connection discarded)
•forwarded (not load balanced)
variable2 specifies the address of client from whom the connection originated.
variable3 specifies the unique identifier for the line of code where the error was logged.
Recommended Action If this message occurs frequently, document the syslog message, and then contact Cisco TAC.
Error Message %ACE-5-728006: Internal communications error (messaging) msg subType variable1 -- type variable2
During load balancing, the ACE received an internal message that cannot be identified. This message is discarded without processing.
The variables displayed in this message represent the following:
•variable1—Specifies the message type (decimal) that could not be processed.
•variable2—Specifies the unique identifier for the line of code where the error was logged.
Recommended Action If this message occurs frequently, document the syslog message, and then contact Cisco TAC.
Error Message %ACE-3-728007: Internal configuration communications error (sticky) type variable1
Explanation During load balancing, the ACE received a configuration request for sticky database resources that cannot be honored. The resources may exceed the permitted amounts or the resources cannot be located.
variable1 specifies the unique identifier for the line of code where the error was logged.
Recommended Action Verify that the requested resources are available within the chosen context. If the requested resources are available and are allowed by the configuration, an internal error exists. Contact Cisco TAC.
Error Message %ACE-3-728008: Internal communications error (sticky) /source processor variable1 destination processor variable2 -- type variable3
Explanation During load balancing, the ACE detected an error in communication between the two network processors. As a result, sticky load balancing may not occur for some client connections.
The variables displayed in this message represent the following:
•variable1—Specifies the received decimal identifier of source processor.
•variable2—Specifies the received decimal identifier of destination processor.
•variable3—Specifies the unique identifier for the line of code where the error was logged.
Recommended Action Contact Cisco TAC.
Error Message %ACE-3-728009: Context ID variable1 requested variable2 of variable3 sticky entries. No action taken. -- type variable4
Explanation This message is reported from the Admin context. A configuration request from the context identified by variable1 cannot be responded to because it exceeds the permitted resources for the sticky entries.
The variables displayed in this message represent the following:
•variable1—Specifies the context requesting the sticky entry action.
•variable2—Specifies the requested action.
•variable3—Specifies the number of sticky entries requested.
•variable4—Specifies the unique identifier for the line of code where the error was logged.
Recommended Action Contact Cisco TAC.
Error Message %ACE-4-728011: Context ID variable1 being variable2 should not have variable3 associated sticky groups -- type variable4
Explanation This message is reported from the Admin context and appears when adding or removing a context that has associated sticky groups. When this condition exists and the error message is logged, the addition or removal of the context still occurs.
•variable1—specifies the context identifier to be added or removed.
•variable2—specifies the requested action. Possible values are added or removed.
•variable3—specifies the number of associated sticky groups detected.
•variable4—specifies the unique identifier for the line of code where the error was logged.
Recommended Action Before adding or removing a context, make sure there are no sticky groups associated with that context.
Error Message %ACE-5-728012: Context ID variable1 failed to receive return data -- type variable2
Explanation Data collected in response to a show command at the CLI was not successfully returned from the network processor to the CLI.
The variables displayed in this message represent the following:
•variable1—Specifies the context identifier for the context that made the request.
•variable2—Specifies the unique identifier for the line of code where the error was logged.
Recommended Action Reenter the show command. If the problem persists, contact Cisco TAC.
Error Message %ACE-4-728013: A cache alignment error variable1 was detected during initialization -- type variable2
Explanation A cache alignment error was detected during the load-balancing initialization. This may impact performance, but load balancing will still be correctly performed.
The variables displayed in this message represent the following:
•variable1 specifies the cache alignment return code.
•variable2 specifies the unique identifier for the line of code where the error was logged.
Recommended Action If you see this error message frequently, contact Cisco TAC.
Error Message %ACE-3-728014: Internal cross-processor communications error (sticky) type variable1
Explanation During load-balancing, the ACE could not parse a message from the second network processor on the ACE. This can result in the loss of sticky information between the two processors, resulting in a sticky server-connection loss for some clients.
variable1 specifies the unique identifier for the line of code where the error was logged.
Recommended Action Contact Cisco TAC.
Error Message %ACE-3-728015: Internal channel communications error (sticky) type variable1
Explanation During load-balancing operations, the ACE was unable to open or use an internal communications channel to process a load-balancing configuration or a display directive. The specific directive on which the failure occurred is not be completed (although it may be retried).
variable1 specifies the unique identifier for the line of code where the error was logged.
Recommended Action Contact Cisco TAC.
Error Message %ACE-4-728016: HA data receive failure (type variable1)
Explanation This message is logged when an redundancy message received from the redundant peer cannot be understood and is subsequently discarded.
variable1 specifies the unique identifier for the line of code where the error was logged.
Recommended Action Use the show ft stats group_id command to display load-balancing statistics for the FT group:
•If the type variable returned a value of 90 (decimal), then monitor the "Number of Sticky Entries Dropped" value. Contact Cisco TAC if the values continue to increase over time.
•If the type variable returned a value of 99 (decimal), then monitor the "Number of Receive Failures" value. Contact Cisco TAC if the values continue to increase over time.
Error Message %ACE-3-728017: Internal communications error (ha) -- type variable1
Explanation This message is reported from the current context. An attempt to send a redundancy message to the redundant peer was unsuccessful because the message could not be sent.
variable1 specifies the unique identifier for the line of code where the error was logged.
Recommended Action Use the show ft stats group_id command to display load-balancing statistics for the FT group. Monitor the "Number of Send Failures" value. Contact Cisco TAC if the problem persists.
Error Message %ACE-5-728018: Proxy connection variable1 rebalanced to server variable2
Explanation The ACE has determined that the server side of a connection should be rebalanced to another server. This is an informational message issued in the context in which the rebalance occurs.
The variables displayed in this message represent the following:
•variable1 specifies the identifier of the proxy connection.
•variable2 specifies the index of the realServer to which the connection was rebalanced.
Recommended Action None required.
Error Message %ACE-4-728019: Sticky resources were not variable1 for this context -- type variable2
Explanation A sticky request (lookup, configure, or delete a sticky entry) was not honored because the sticky group could not locate any configured sticky entries. This is not the result of exceeding the configuration limits, but indicates an unexpected sticky group lookup result.
variable1 specifies the requested sticky action. Possible values are as follows:
•discovered
•inserted
•removed
variable2 specifies the unique identifier for the line of code where the error was logged.
Recommended Action Contact Cisco TAC.
Error Message %ACE-6-728020: LB is configured to consume variable1 bytes of memory.
Explanation The message indicates the amount of physical memory that is mapped by the ACE during load-balancing initialization and indicates that the mapping was successful.
variable1 specifies the bytes of mapped physical memory.
Recommended Action None required.
Error Message %ACE-6-728021: Found inconsistent sticky entry. Terminating variable1.
Explanation Various commands processed by the ACE during load balancing require searching the sticky database to find all relevant sticky entries. An unexpected finding of no further sticky entries generates this message. The indicated action is terminated, but further requests of the same type (or of other types) are completed.
variable1 specifies the terminated action. Possible values are as follows:
•show screen (user request)
•resetting timestamps (aging sticky entries)
•HA share (updating database with entries learned via HA)
Recommended Action None required. This message is useful in troubleshooting sticky issues.
Error Message %ACE-6-728022: Invalid hash table index (variable1) used for variable2
Explanation The specified action was aborted because of an invalid hash index.
variable1 specifies the value of the invalid hash table index.
variable2 specifies the index table use. Possible values are as follows:
•LookupRealServerId
•InsertNewEntry
Recommended Action None required.
Error Message %ACE-6-728023: variable1 variable2 sticky entries from ContextId variable3.
Explanation Sticky entries have been added or removed from a context as a result of a resource limit change.
variable1 specifies the action. Possible values are as follows:
•Added
•Removed
variable2 specifies the number of sticky entries moved.
variable3 specifies the context ID from which the entries were added or removed.
Recommended Action None required.
Error Message %ACE-4-728024: Received an unknown variable1 type message (variable2) for Sticky from remote IXP variable3!
Explanation A request or reply from the second network processor indicates an unknown operation type. The request or reply is not responded to and is discarded.
variable1 specifies the message class. Possible values are as follows:
•request
•reply
variable2 specifies the numerical value of the operation type that could not be identified.
variable3 specifies the identifier of the IXP (network processor) that sent the message.
Recommended Action None required. This message is useful when troubleshooting sticky database synchronization problems with the network processors.
Error Message %ACE-6-728025: Dropped variable1 'variable2' messages (variable3 total) from IXP variable4 to IXP variable5!
Explanation Sticky messages between network processors (sticky insert, sticky lookup, or sticky connection close) were lost.
variable1 specifies the number of lost messages.
variable2 specifies the message type. Possible values are as follows:
•request
•response
variable3 specifies the total number of messages discarded (includes both lost messages and messages which were discarded because they could not be sent).
variable4 specifies the source network processor identifier.
variable5 specifies the destination network processor identifier.
Recommended Action None required. This information may be useful when troubleshooting problems with sticky functionality.
Error Message %ACE-6-728026: Attempting to use invalid lookup key for variable1 processing.
Explanation The message indicates that a connection close notification was not sent to the remote network processor because of an invalid key. Variable1 specifies the type of processing (connection close).
Recommended Action None required. This information may be useful in troubleshooting problems with sticky functionality.
Error Message %ACE-3-728027: Received unhandled message of type variable1 from CP SrcSAP variable2.
Explanation An unrecognized message was received from the control processor (CP) during load-balancing operations. The message is discarded.
The variables displayed in this message represent the following:
•variable1—Specifies the raw (decimal) unrecognized message type that is received.
•variable2—Specifies the (decimal) source SAP on the CP from which this message was sent.
Recommended Action None required. This message is useful when troubleshooting commands or configuration directives from the control processor that are ignored by the ACE.
Error Message %ACE-5-728028: Sticky mapping failed: variable1 variable2
Explanation Information received from an redundant peer cannot be mapped locally. The associated sticky entry information is discarded.
variable1 specifies the reason for the mapping failure. Possible values are as follows:
•Invalid sticky group id
•Invalid real server id
•Sticky group not active
variable2 specifies the (decimal) identifier of the invalid entity. If the entry is an "invalid real server id," the value of the real server ID is displayed. Otherwise, the invalid or inactive sticky group ID is displayed.
Recommended Action Use the show ft stats group_id command to display load-balancing statistics for the FT group. Monitor the "Number of Sticky Entries Dropped" value. Contact Cisco TAC if the values continue to increase over time.
Error Message %ACE-6-728029: HA state for FtGroup variable1 changed from variable2 to variable3 State variable4.
Explanation This message tracks state changes received from the redundant peer. Events that are not relevant to load balancing are ignored.
variable1 specifies the (decimal) fault tolerant group ID.
variable2 and variable3 specify the previous and current state change event. Possible values are as follows:
•Active
•StartCfgSync
•StartBulkSync
•StartPeriodicSync
•StopSync
•StdbyCfg
•StdbyBulk
•StdbyHot
•StdbyCold
•StdbyWarm
•BulkSyncDone
•NonRedundant
•None
•"???" (specifies an unidentified event)
variable4 specifies the state change action. Possible values are as follows:
•handled
•ignored
Recommended Action None required. This message is useful when tracking redundancy state changes to troubleshoot redundant peer synchronization problems.
Error Message %ACE-6-728030: Silently discarding HA data: variable1
Explanation Redundancy data must be discarded during load-balancing operations because the ACE could not process the data. The discarding of the data could affect seamless failover.
variable1 specifies the reason for discarding data from the redundant peer. Possible values are as follows:
•Received unknown message type
•Received data packet in wrong HA state
Recommended Action None required. This message is useful when troubleshooting redundant peer problems.
Error Message %ACE-3-728031: Memory mapping for debug logging failed.
Explanation Memory mapping fails during initialization for debug logging. Load balancing continues, but no debug logging will occur, even if invoked from the command line.
Recommended Action Reboot the ACE to reinitialize the debug logging component (see the Cisco Application Control Engine Module Administration Guide for details). Rebooting may correct a transient mapping issue. If this error persists, contact Cisco TAC.
Error Message %ACE-LB_General-4-728032: Real Server variable1 in Serverfarm variable2 has reached configured threshold for HTTP retcode variable3
Explanation HTTP return codes were configured on a server farm and a specific real server has reached the configured return code threshold.
The variables displayed in this message represent the following:
•variable1—Specifies the name of the real server within the server farm.
•variable2—Specifies the name of the server farm.
•variable3—Specifies the HTTP return code value returned by the server which caused this message to be logged.
Recommended Action Review the types of client HTTP requests that cause these server return code responses. Look for return codes that indicate possible problems, for example, missing content or incorrect search paths.
Error Message %ACE-4-729002: Regex resource usage beyond maximum limit for context context_id. Free up some resources.
Explanation This syslog message indicates that regex resources in use for the specified context (context_id) are above the maximum limit allowed by the resource class.
Recommended Action Decrease the minimum regex usage in the specified context to below the maximum limit.
Error Message %ACE-4-729003: Minimum regex resources could not be guaranteed for context context_id.
Explanation This syslog message indicates that the requested minimum regex resources could not be guaranteed in the specified context (context_id).
Recommended Action Contact the global administrator to request that other context administrators release regex resources.
Error Message %ACE-4-750001: Sticky resource usage beyond maximum limit for context ctx id
Explanation The sticky resources in use for the context have exceeded the configured limit for that context.
Recommended Action Free up resources in the context to keep them within the configured limit. For details about managing resources, see the Cisco Application Control Engine Module Virtualization Configuration Guide.
Error Message %ACE-4-750002: Minimum sticky resources could not be guaranteed for context ctx id
Explanation .When configuring a sticky resource limit for a particular context, the ACE was not able to guarantee the resource limit.
Recommended Action Free up resources in all other contexts that have exceeded their configured limits. For details about managing resources, see the Cisco Application Control Engine Module Virtualization Configuration Guide.