Table Of Contents
System Log Messages
This chapter lists the PIX Firewall system log messages. The messages are listed numerically by message code.
Note
The messages shown in this guide only apply to PIX Firewall version 5.2 and later. When a number is skipped from a sequence, for example, 106004 or 110001, the message is no longer in the PIX Firewall code.
This chapter includes the following sections:
Syslog message 100000 is for Cisco Secure Intrusion Detection System (NetRanger) signatures. PIX Firewall provides access to the following single-packet (called "atomic") IDS signatures.
Messages 100001 to 105020
%PIX-1-101001: (Primary) Failover cable OK.Explanation This is a failover message. This message reports that the failover cable is present and functioning correctly. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit.
Action None required.
%PIX-1-101002: (Primary) Bad failover cable.Explanation This is a failover message. This message reports that the failover cable is present but not functioning correctly. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit.
Action Replace the failover cable.
%PIX-1-101003: (Primary) Failover cable not connected (this unit).%PIX-1-101004: (Primary) Failover cable not connected (other unit).Explanation Both instances are failover messages. These messages are logged when failover mode has been enabled, but the failover cable is not connected to one unit of the failover pair. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit.
Action Connect the failover cable to both units of the failover pair.
%PIX-1-101005: (Primary) Error reading failover cable status.Explanation This is a failover message. This message is logged if the failover cable is connected, but the primary unit is unable to determine its status.
Action Replace the cable.
%PIX-1-102001: (Primary) Power failure/System reload other side.Explanation This is a failover message. This message is logged if the primary unit detects a power failure on the other unit. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit.
Action Verify that the secondary unit is powered on and that power cables are properly connected.
%PIX-1-103001: (Primary) No response from other firewall (reason code = code).Explanation This is a failover message. This message is logged if the primary unit is unable to communicate with the secondary unit over the failover cable. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit.
Action Verify that the secondary unit has the exact same hardware, software version level, and configuration as the primary unit.
%PIX-1-103002: (Primary) Other firewall network interface interface_number OK.Explanation This is a failover message. This message is logged when the primary unit detects that the network interface on the secondary unit is okay. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit. Refer to Table 1-3 in "Introduction," for possible values for the interface_number variable.
Action None required.
%PIX-1-103003: (Primary) Other firewall network interface interface_number failed.Explanation This is a failover message. This message is logged if the primary unit detects a bad network interface on the secondary unit. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit. Refer to Table 1-3 in "Introduction," for possible values for the interface_number variable.
Action Check the network connections on the secondary unit. Also, check the network hub connection. If necessary, replace the failed network interface.
%PIX-1-103004: (Primary) Other firewall reports this firewall failed.Explanation This is a failover message. This message is logged if the primary unit receives a message from the secondary unit indicating that the primary has failed. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit.
Action Verify the status of the primary unit.
%PIX-1-103005: (Primary) Other firewall reporting failure.Explanation This is a failover message. This message is logged if the secondary unit reports a failure to the primary unit. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit.
Action Verify the status of the secondary unit.
%PIX-1-104001: (Primary) Switching to ACTIVE (cause: reason).%PIX-1-104002: (Primary) Switching to STNDBY (cause: reason).Explanation Both instances are failover messages. These messages usually are logged when you force the pair to switch roles, either by entering the failover active command on the secondary unit, or the no failover active command on the primary unit. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit. Possible values for the reason variable are as follows:
–
–
–
–
–
–
Action If the message occurs because of manual intervention, no action is required. Otherwise, use the cause reported by the secondary unit to verify the status of both units of the pair.
%PIX-1-104003: (Primary) Switching to FAILED.Explanation This is a failover message. This message is logged when the primary unit fails.
Action Check the system log messages for the primary unit for an indication of the nature of the problem (see message 104001). "(Primary)" can also be listed as "(Secondary)" for the Secondary unit.
%PIX-1-104004: (Primary) Switching to OK.Explanation This is a failover message. This message is logged when a previously failed unit now reports that it is operating again. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit.
Action None required.
%PIX-1-105001: (Primary) Disabling failover.Explanation This is a failover message. This message is logged when you enter the no failover command on the console. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit.
Action None required.
%PIX-1-105002: (Primary) Enabling failover.Explanation This is a failover message. This message is logged when you enter the failover command with no arguments on the console, after having previously disabled failover. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit.
Action None required.
%PIX-1-105003: (Primary) Monitoring on interface int_name waitingExplanation This is a failover message. The PIX Firewall is testing the specified network interface with the other unit of the failover pair. Refer to Table 1-3 in "Introduction," for possible values for the interface_number variable. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit.
Action None required. The PIX Firewall monitors its network interfaces frequently during normal operations.
%PIX-1-105004: (Primary) Monitoring on interface int_name normalExplanation This is a failover message. The test of the specified network interface was successful. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit.
Action None required.
%PIX-1-105005: (Primary) Lost Failover communications with mate on interface int_name.Explanation This is a failover message. This message is logged if this unit of the failover pair can no longer communicate with the other unit of the pair. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit.
Action Verify that the network connected to the specified interface is functioning correctly.
%PIX-1-105006: (Primary) Link status `Up' on interface int_name.%PIX-1-105007: (Primary) Link status `Down' on interface int_name.Explanation Both instances are failover messages. These messages report the results of monitoring the link status of the specified interface. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit.
Action If the link status is down, verify that the network connected to the specified interface is operating correctly.
%PIX-1-105008: (Primary) Testing interface int_name.Explanation This is a failover message. This message is logged when the PIX Firewall tests a specified network interface. This testing is performed only if the PIX Firewall fails to receive a message from the Standby unit on that interface after the expected interval. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit.
Action None required.
%PIX-1-105009: (Primary) Testing on interface int_name result.Explanation This is a failover message. This message reports the result (either "Passed" or "Failed") of a previous interface test. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit.
Action None required if the result is "Passed." If the result is "Failed," you should check to be sure the network cable is properly connected to both failover units and that the network itself is functioning correctly, and verify the status of the Standby unit.
%PIX-3-105010: (Primary) Failover message block alloc failedExplanation Block memory has been depleted. This is a transient message and the PIX Firewall should recover. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit.
Action Use the show blocks command to monitor the current block memory.
%PIX-1-105011: (Primary) Failover cable communication failureExplanation The failover cable is not permitting communication between the Primary and Secondary units. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit.
Action Ensure that the cable is properly connected.
%PIX-1-105020: (Primary) Incomplete/slow config replicationExplanation When a failover occurs, the active PIX Firewall detects a partial configuration in memory. Normally, this is caused by an interruption in the replication service. "(Primary)" can also be listed as "(Secondary)" for the Secondary unit.
Action Once the failover is detected by the PIX Firewall, the PIX Firewall automatically reloads itself and loads configuration from Flash and/or resyncs with another PIX Firewall. If failovers happen continuously, check the failover configuration and make sure both PIX Firewalls can communicate with each other.
Messages 106001 to 112001
%PIX-2-106001: Inbound TCP connection denied from IP_addr/port to IP_addr/port flags TCP_flags on interface int_nameExplanation This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by your security policy. Possible TCP_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the PIX Firewall, and it was dropped. The TCP_flags in this packet are FIN,ACK.
The TCP_flags are as follows:–
–
–
–
–
–
Action None required.
%PIX-2-106002: protocol Connection denied by outbound list list_ID src laddr dest faddrExplanation This is a connection-related message. This message is logged if the specified connection fails because of an outbound deny command statement. The protocol variable can be ICMP, TCP, or UDP.
Action Use the show outbound command to check outbound lists.
%PIX-2-106006: Deny inbound UDP from faddr/fport to laddr/lport on interface int_name.Explanation This is a connection-related message. This message is logged if an inbound UDP packet is denied by your security policy.
Action None required.
%PIX-2-106007: Deny inbound UDP from faddr/fport to laddr/lport due to DNS flag.Explanation This is a connection-related message. This message is logged if a UDP packet containing a DNS query or response is denied. The flag variable is either Response or Query.
Action If the inside port number is 53, it is likely that the inside host is set up as a caching nameserver. Add an access-list command statement to permit traffic on UDP port 53. If the outside port number is 53, the most likely cause is that a DNS server was too slow to respond, and the query was answered by another server.
%PIX-3-106010: Deny inbound from outside: IP_addr to inside: IP_addr chars.Explanation This is a connection-related message. This message is logged if an inbound connection is denied by your security policy.
Action None required.
%PIX-7-106011: Deny inbound (No xlate) charsExplanation This is a connection-related message. This message occurs when a packet is sent to the same interface that it arrived on. This usually indicates that a security breach is occurring. When the PIX Firewall receives a packet, it tries to establish a translation slot based on the security policy you set with the global and conduit commands, and your routing policy set with the route command.
Failing both policies, PIX Firewall allows the packet to flow from the higher priority network to a lower priority network, if it is consistent with the security policy. If a packet comes from a lower priority network and the security policy does not allow it, PIX Firewall routes the packet back to the same interface.
To provide access from an interface with a higher security to a lower security, use the nat and global commands. For example, use the nat command to let inside users access outside servers, to let inside users access perimeter servers, and to let perimeter users access outside servers.
To provide access from an interface with a lower security to higher security, use the static and conduit commands. For example, use the static and conduit commands to let outside users access inside servers, outside users access perimeter servers, or perimeter servers access inside servers.Action Fix your configuration to reflect your security policy for handling these attack events.
%PIX-2-106012: Deny IP from IP_addr to IP_addr, IP options hex.Explanation This is a connection-related message. A IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.
Action A security breach was probably attempted. Check the local site for loose source or strict source routing.
%PIX-2-106013: Dropping echo request from IP_addr to PAT address IP_AddrExplanation This message is logged when the PIX Firewall discards an inbound ICMP Echo Request packet with a destination address that corresponds to a PAT global address. It is discarded because the inbound packet can not specify which PAT host should receive the packet.
Action None required.
%PIX-3-106014: Deny inbound icmp src interface name: IP_addr dst interface name: IP_addr (type dec, code dec)Explanation This message is logged when the PIX Firewall denies any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted using the conduit permit icmp command.
Action None required.
%PIX-6-106015: Deny TCP (no connection) from IP_addr/port to IP_addr/port flags flags on interface int_name.Explanation This message is logged when the PIX Firewall discards a TCP packet that has no associated connection in the PIX Firewall unit's connection table. PIX Firewall looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the PIX Firewall discards the packet.
Action None required unless the PIX Firewall receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.
%PIX-2-106016: Deny IP spoof from (IP_addr) to IP_addr on interface int_name.Explanation This message is logged when the PIX Firewall discards a packet with an invalid source address. Invalid sources addresses are those addresses belonging to the following:
•
•
•
Furthermore, if sysopt connection enforcesubnet is enabled, PIX Firewall discards packets with a source address belonging to the destination subnet from traversing the PIX Firewall and logs this message.
To further enhance spoof packet detection, use the conduit command to configure the PIX Firewall to discard packets with source addresses belonging to the internal network.Action Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
%PIX-2-106017: Deny IP due to Land Attack from IP_addr to IP_addrExplanation This message appears when PIX Firewall receives a packet with the IP source address equal to the IP destination and the destination port equal to the source port. This indicates a spoofed packet designed to attack systems. This attack is referred to as a Land Attack.
Action If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.
%PIX-2-106018: ICMP packet type ICMP_type denied by outbound list list_ID src laddr dest faddrExplanation This message is logged because outgoing ICMP packet with type ICMP_type from local host laddr to foreign host faddr is denied by outbound list list_ID.
Action None required.
%PIX-4-106019: IP packet from src_addr to dest_addr, protocol protocol received from interface int_name deny by access-group acl_IDExplanation This message is logged when an IP packet is denied by the parameters you specified in the access list with the ID acl_ID.
Action None required.
%PIX-2-106020: Deny IP teardrop fragment (size = num, offset = num) from IP_addr to IP_addrExplanation The PIX Firewall discarded an IP packet with a teardrop signature containing either a small offset or fragment overlapping. This is a hostile event to circumvent the PIX Firewall or an Intrusion Detection System.
Action Contact the remote peer administrator or escalate this issue according to your security policy.
%PIX-1-106021: Deny protocol reverse path check from src_addr to dest_addr on interface int_nameExplanation Someone is attempting to spoof an IP address on an inbound connection. Unicast Reverse Path Forwarding, also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes it to be part of an attack on your PIX Firewall.
Action This message appears when you have enabled Unicast Reverse Path Forwarding with the ip verify reverse-path command. This feature works on packets input to an interface; if it is configured on the outside, then PIX Firewall checks packets arriving from the outside.
PIX Firewall looks up a route based on the src_addr. If an entry is not found and a route is not defined, then this syslog message appears and the connection is dropped.
If there is a route, PIX Firewall checks which interface it corresponds to. If the packet arrived on another interface, then it is a spoof or there is an asymmetric routing environment. PIX Firewall does not support asymmetric routing (where there is more than one path to a destination).
If configured on an internal interface, PIX Firewall checks static route command statements or RIP and if the src_addr is not found, then an internal user is spoofing their address.
An attack is in progress. With this feature enabled, no user action is required. PIX Firewall repels the attack.
%PIX-1-106022: Deny protocol connection spoof from src_addr to dest_addr on interface int_nameExplanation This message only happens if a connection exists and a packet matching the connection arrives on a different interface than what interfaces the connection began on. For example, if a user starts a connection on the inside interface, but the PIX Firewall detects the same connection arriving on a perimeter interface, then either the PIX Firewall has more than one path to a destination, which is known as asymmetric routing and is not supported on the PIX Firewall, or an attacker is attempting to append packets from one connection to another as a way to break into the PIX Firewall. In either case, PIX Firewall displays this message and drops the connection.
Action This message appears when ip verify reverse-path is not configured. Ensure routing is not asymmetric.
%PIX-1-107001: RIP auth failed from IP_addr: version=vers, type=type, mode=mode, sequence=seq on interface int_nameExplanation This is an alert log message. PIX Firewall received a RIP reply message with bad authentication. This could be due to misconfiguration on the router or the PIX Firewall or it could be a unsuccessful attempt to attack the PIX Firewall unit's routing table.
Action This may be an attack and should be monitored. If you are not familiar with the source IP address listed in this message, change your RIP authentication keys between trusted entities. An attacker may be trying to deduce the existing keys.
%PIX-1-107002: RIP pkt failed from IP_addr: version=vers on interface int_nameExplanation This is an alert message. This could be a router bug, a packet with non-RFC values inside, or malformed entries. This should not happen and may be an attempt to exploit the PIX Firewall unit's routing table.
Action This may be an attack and should be monitored. The packet has passed authentication, if enabled, and bad data is in the packet. The situation should be monitored and the keys should be changed if there are any doubts as to the originator of the packets.
%PIX-2-108002: SMTP replaced chars: out src_addr in laddr data: charsExplanation This is a Mail Guard (SMTP) message generated by the fixup protocol smtp command. This message is logged if the PIX Firewall replaces an invalid character in an email address with a space.
Action None required.
%PIX-6-109001: Auth start for user `username' from laddr/lport to faddr/fportExplanation This is an AAA message. This message is logged if the PIX Firewall is configured for AAA and detects an authentication request by the specified user.
Action None required.
%PIX-6-109002: Auth from laddr/lport to faddr/fport failed (server IP_addr failed) on interface int_name.Explanation This is an AAA message. This message is logged if an authentication request fails because the specified authentication server cannot be contacted by the PIX Firewall.
Action Check to be sure the authentication daemon is running on the specified authentication server.
%PIX-6-109003: Auth from laddr to faddr/fport failed (all servers failed) on interface int_name.Explanation This is an AAA message. This message is logged if no authentication server can be found.
Action Ping the authentication server(s) from the PIX Firewall. Make sure the daemon(s) are running.
%PIX-6-109005: Authentication succeeded for user `user' from laddr/lport to faddr/fport on interface int_name.Explanation This is an AAA message. This message is logged when the specified authentication request succeeds.
Action None required.
%PIX-6-109006: Authentication failed for user `user' from laddr/lport to faddr/fport on interface int_name.Explanation This is an AAA message. This message is logged if the specified authentication request fails, possibly because of a misstyped password.
Action None required.
%PIX-6-109007: Authorization permitted for user `user' from laddr/lport to faddr/fport on interface int_name.Explanation This is an AAA message. This message is logged when the specified authorization request succeeds.
Action None required.
%PIX-6-109008: Authorization denied for user `user' from faddr/fport to laddr/lport on interface int_name.Explanation This is an AAA message. This message is logged if a user is not authorized to access the specified address, possibly because of a misstyped password.
Action None required.
%PIX-6-109009: Authorization denied from laddr/lport to faddr/fport (not authenticated) on interface int_name.Explanation This is an AAA message. This message is logged if the PIX Firewall is configured for AAA and a user attempted to make a TCP connection across the PIX Firewall without prior authentication.
Action None required.
%PIX-3-109010: Auth from laddr/lport to faddr/fport failed (too many pending auths) on interface int_name.Explanation This is an AAA message. This message is logged if an authentication request cannot be processed because the server has too many requests pending.
Action Check to see if the authentication server is too slow to respond to authentication requests. Enable floodguard with the floodguard enable command.
%PIX-2-109011: Authen Session Start: user 'user', sid session_numExplanation An authentication session started between the host and the PIX Firewall and has not yet completed.
Action None required.
%PIX-5-109012: Authen Session End: user 'user', sid session_num, elapsed num secondsExplanation The authentication cache has timed out. Users will need to reauthenticate on their next connection. You can change the duration of this timer with the timeout uauth command.
Action None required.
%PIX-3-109013: User must authenticate before using this serviceExplanation The user must be authenticated before using the service.
Action Authenticate using FTP, Telnet, or HTTP before using the service.
%PIX-7-109014: uauth_lookup_net fail for uauth_in()Explanation A request to authenticate did not have a corresponding request for authorization.
Action Ensure that both the aaa authentication and aaa authorization command statements are provided in the configuration.
%PIX-6-109015: Authorization denied (acl=acl_ID) for user 'username' from src_addr/src_port to dest_addr/dest_port on interface int_nameExplanation The access list check failed; either it matched a deny, or it matched nothing, such as an implicit deny. Connection denied by user access list acl_ID, which was defined per the AAA authorization policy on CiscoSecure ACS.
Action None required.
%PIX-3-109016: Downloaded authorization access-list acl_ID not found for user 'username'Explanation The AAA authorization access-list command statement ID acl=acl_ID defined on the remote AAA server has not been configured on the PIX Firewall unit. This error can occur if you configure the AAA server before configuring the PIX Firewall.
Action Use the same access-list command statement ID on the PIX Firewall as you specified on the AAA server.
%PIX-6-110001: No route to dest_addr from src_addrExplanation This message indicates a route lookup failure. A packet is looking for a destination IP address which is not in the routing table.
Action Check the routing table and make sure there is a route to the destination.
%PIX-3-110002: No ARP for host IP_addrExplanation This is a routing message. This message is logged if the PIX Firewall cannot resolve the address of a host on one of its immediately connected networks. This usually occurs if the specified host does not exist or is not reachable on the network the PIX Firewall expects it to be on, for example, if the host's address is incorrectly subnetted.
Action Check the ARP table and ensure the host is available. If necessary, add a static ARP statement with the arp command or set the arp timeout value lower so the ARP table will refresh sooner.
Also, check to be sure that the host's IP address is appropriate to the network topology and your subnet scheme. Verify that the host is reachable by pinging it from another host. Use the show arp command to display the PIX Firewall unit's ARP table. At the very least, the
PIX Firewall must be able to resolve the addresses of its SNMP server, routers, and syslog host.%PIX-5-111001: Begin configuration: IP_addr writing to deviceExplanation This message is logged when you enter the write command to store your configuration on a device (either floppy, Flash memory, TFTP, the failover Standby unit, or the console terminal). The IP_addr indicates whether the login was made at the console port or via a Telnet connection.
Action None required.
%PIX-5-111003: IP_addr Erase configurationExplanation This is a PIX Firewall Manager message. This message is logged when you erase the contents of Flash memory, either by entering the write erase command at the console, or by clicking OK to clear Flash memory in the PIX Firewall Manager. The IP_addr indicates whether the login was made at the console port or via a Telnet connection.
Action After erasing the configuration, you must reconfigure the PIX Firewall and save the new configuration. Alternatively, you can restore information from a configuration that was previously saved, either on floppy or on a TFTP server elsewhere on the network.
%PIX-5-111004: IP_addr end configuration: [FAILED]|[OK]Explanation This is a PIX Firewall Manager message. This message is logged when you enter the config floppy/memory/ network command, or the write floppy/memory/network/standby command. The IP_addr indicates whether the login was made at the console port or via a Telnet connection.
Action None required if the message ends with OK. If the message indicates a failure, try to fix the problem. For example, if writing to a floppy, ensure that the floppy is not write protected; if writing to a TFTP server, ensure that the server is up.
%PIX-5-111005: IP_addr end configuration: OKExplanation This is a PIX Firewall Manager message. This message is logged when you exit configuration mode. The IP_addr indicates whether the login was made at the console port or via a Telnet connection.
Action None required.
%PIX-5-111006: Console Login from user at IP_addrExplanation This is a PIX Firewall Manager message. This message is logged when you connect to the PIX Firewall. If authentication is enabled, the username is reported; otherwise, the string "nobody" appears. The IP_addr indicates whether the login was made at the console port or via a Telnet connection.
Action None required.
%PIX-5-111007: Begin configuration: IP_addr reading from device.Explanation This is a PIX Firewall Manager message. This message is logged when you enter the reload or configure command to read in a configuration. The device text can be floppy, memory, net, standby, or terminal. The IP_addr indicates whether the login was made at the console port or via a Telnet connection.
Action None required.
%PIX-5-111008: User 'user' executed the 'cmd' command.Explanation This message indicates that a command change to the configuration has been made from an AAA authenticated session.
Action None required.
%PIX-2-112001: (chars:dec) pix clear finished.Explanation This is a PIX Firewall Manager message. This message is logged when a request to clear the PIX Firewall configuration has finished. The source file and line number are identified.
Action None required.
Messages 199001 to 209005
%PIX-5-199001: PIX reload command executed from IP_addr.Explanation This is a PIX Firewall Manager message. This message logs the address of the host initiating a PIX Firewall reboot with the reload command.
Action None required.
%PIX-6-199002: PIX startup completed. Beginning operation.Explanation This is a PIX Firewall Manager message. This message is logged after the PIX Firewall finishes its initial boot and Flash memory reading sequence, and is ready to begin operating normally.
Note
Action None required.
%PIX-6-199003: Reducing Link MTU dec.Explanation This is a PIX Firewall Manager message. This message is logged when the
PIX Firewall receives a packet from the outside network that uses a larger MTU than the inside network. The PIX Firewall then sends an ICMP message to the outside host to negotiate an appropriate MTU. The log message includes the ICMP message's sequence number.Action None required.
%PIX-6-199005: PIX Startup beginExplanation This message is logged when the PIX Firewall starts.
Action None required.
%PIX-3-201002: Too many connections on static|xlate gaddr! econns nconnsExplanation This is a connection-related message. This is a connection-related message. This message is logged when the maximum number of connections to the specified static address has been exceeded. The econns variable is the maximum number of embryonic connections and nconns is the maximum number of connections permitted for the static or xlate.
Action Use the show static command to check the limit imposed on connections to a static address. The limit is configurable.
%PIX-2-201003: Embryonic limit exceeded neconns/elimit for faddr/fport (gaddr) laddr/lport on interface int_nameExplanation This is a connection-related message. This message is logged when the maximum number of embryonic connections from the specified foreign address via the specified static global address to the specified local address has been exceeded. When the limit on embryonic connections is reached, the PIX Firewall attempts to accept them anyway, but puts a time limit on the connections. This allows some connections to succeed even if the PIX Firewall is very busy. The neconns variable lists the number of embryonic connections received and elimit lists the maximum number of embryonic connections specified in the static or nat command.
Action This message indicates a more serious overload than message 201002. It could be caused by a SYN attack, or simply a very heavy load of legitimate traffic. Use the show static command to check the limit imposed on embryonic connections to a static address.
%PIX-3-201005: FTP data connection failed for IP_addrExplanation This is a connection-related message. This message is logged when the PIX Firewall is unable to allocate a structure to track the data connection for FTP because of insufficient memory.
Action Reduce the amount of memory usage, or purchase additional memory.
%PIX-3-201006: RCMD backconnection failed for IP_addr/portExplanation This is a connection-related message. This message is logged if the PIX Firewall is unable to preallocate connections for inbound standard output for rsh commands due to insufficient memory.
Action Check the rsh client version; the PIX Firewall only supports the Berkeley rsh. Also, reduce the amount of memory usage, or purchase additional memory.
%PIX-3-201008: The PIX is disallowing new connections.Explanation This message occurs when you have enabled TCP syslogging and the syslog server cannot be reached, or when using PFSS (PIX Firewall Syslog Server) and the disk on the Windows NT system is full.
Action Disable TCP syslogging. If using PFSS, free up space on the Windows NT system where PFSS resides. Also make sure that the syslog host is up and you can ping the host from the PIX Firewall console. Then restart TCP syslogging to allow traffic.
%PIX-3-202001: Out of address translation slots!Explanation This is a connection-related message. This message is logged if the PIX Firewall has no more address translation slots available.
Action Check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of xlates and connections. This could also be caused by insufficient memory; reduce the amount of memory usage, or purchase additional memory.
%PIX-3-202005: Non-embryonic in embryonic list faddr/fport laddr/lportExplanation This is a connection-related message. This message is logged when a connection object (xlate) is in the wrong list.
Action Contact customer support. This should never happen.
%PIX-3-208005: (function:line_num) pix clear command return return_codeExplanation The PIX Firewall received a non-zero value (an internal error) when attempting to clear the configuration in Flash memory. The message includes the reporting subroutine's filename and line number.
Action For performance reasons, the end host should be configured to not inject IP fragments. This is most likely due to NFS. Set the read and write size to be the interface MTU for NFS.
%PIX-4-209003: Fragment database limit of bytes exceeded: src = IP_addr,
dest = IP_addr, proto = protocol, id = IDExplanation Too many IP fragments are currently awaiting reassembly. The PIX Firewall limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the firewall under abnormal network conditions. In general, fragmented traffic should be a small percentage of the total traffic mix. A noticeable exception is in the network environment with NFS over UDP. Consider NFS over TCP in such environment, if such traffic is to be relayed through the PIX Firewall. Refer to the sysopt connection tcpmss bytes command page in
Chapter 5, "Command Reference" of the Configuration Guide for the Cisco Secure PIX Firewall Version 5.2 for more information.Action If this message persists, a DoS (denial of service) attack might be in progress. Contact the remote peer's administrator or upstream provider.
%PIX-4-209004: Invalid IP fragment, size = bytes exceeds maximum size = bytes: src = IP_addr, dest = IP_addr, proto = protocol, id = IDExplanation An IP fragment is malformed. The total size of the reassembled IP packet exceeds the maximum possible size of 65,535 bytes.
Action A possible intrusion event may be in progress. If this message persists, contact the remote peer's administrator or upstream provider.
%PIX-4-209005: Discard IP fragment set with more than number elements:
src = IP_addr, dest = IP_addr, proto = protocol, id = IDExplanation Too many elements are in a fragment set. The PIX Firewall disallows any IP packet that is fragmented into more than 12 fragments.
Action A possible intrusion event may be in progress. If the message persists, contact the remote peer's administrator or upstream provider.
Messages 210001 to 213004
%PIX-3-210001: LU SW_Module_Name error = error_codeExplanation This message is logged if a Stateful Failover error occurred.
Action If this error persists after traffic lessens through the PIX Firewall, report this error to customer support.
%PIX-3-210002: LU allocate block (size) failed.Explanation Stateful Failover could not allocate a block of memory to transmit stateful information to the Standby PIX Firewall.
Action Check the failover interface to make sure its xmit is normal using the show interface command. Also check the current block memory using the show block command. If current available count is 0 within any of the blocks of memory, then reload the PIX Firewall software to recover the lost blocks of memory.
%PIX-3-210003: Unknown LU Object IDExplanation Stateful Failover received an unsupported Logical Update object and therefore was unable to process it. This could be caused by corrupted memory, LAN transmissions, and other events.
Action If you see this error infrequently, then no action is required. If this error occurs frequently, check the Stateful Failover link LAN connection. If the error was not caused by a faulty failover link LAN connection, determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
%PIX-3-210005: LU allocate connection failedExplanation Stateful Failover cannot allocate a new connection on the Standby unit. This may be caused by little or no RAM memory available within the PIX Firewall.
Action Check the available memory using the show mem command to make sure the PIX Firewall has free memory in the system. If there is no available memory, add more physical memory to the PIX Firewall.
%PIX-3-210006: LU look NAT for IP_addr failedExplanation Stateful Failover was unable to locate an NAT group for the ip_address on the Standby unit. Most likely, the active and standby PIX Firewall units are out of sync.
Action Use the write standby command on the Active unit to synchronize system memory with the Standby unit.
%PIX-3-210007: LU allocate xlate failedExplanation Stateful Failover failed to allocate an translation slot (xlate) record.
Action Check the available memory using the show mem command to make sure the PIX Firewall has free memory in the system. If memory has been used up, you may need to add more physical memory.
%PIX-3-210008: LU no xlate for laddr/l_port faddr/f_portExplanation Unable to find an translation slot (xlate) record for a Stateful Failover connection; unable to process the connection information.
Action Enter the write standby command on the Active unit to synchronize system memory between the Active and Standby units.
%PIX-3-210010: LU make UDP connection for faddr:f_port laddr:l_port failedExplanation Stateful Failover was unable to allocate a new record for a UDP connection.
Action Check the available memory with the show memory command to make sure the PIX Firewall has free memory in the system. If memory has been used up, you may need to add more physical memory.
%PIX-3-210020: LU PAT port port_number reserve failedExplanation Stateful Failover is unable to allocate a specific PAT address which is in use.
Action If this error repeats frequently, use the write standby command on the Active unit to synchronize system memory between the Active and Standby units.
%PIX-3-210021: LU create static xlate global_IP ifc int_name failedExplanation Stateful Failover is unable to create a translation slot (xlate).
Action If this error repeats frequently, use the write standby command on the Active unit to synchronize system memory between the Active and Standby units.
%PIX-6-210022: LU missed number updatesExplanation Stateful Failover assigns a sequence number for each record sent to the Standby unit. When a received record sequence number is out of sequence with the last updated record, the information in between is assumed lost and this error message is sent.
Action Unless there are LAN interruptions, check the available memory on both PIX Firewall units to ensure there is enough memory to process the stateful information. Use the show failover command to monitor the quality of stateful information updates.
%PIX-3-211001: Memory allocation ErrorExplanation Failed to allocate RAM system memory.
Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact customer support.
%PIX-3-212001: Unable to open SNMP channel (UDP port udp_port) on interface interface_number, error code = codeExplanation This is an SNMP message. This message reports that the PIX Firewall is unable to receive SNMP requests destined for the PIX Firewall from SNMP management stations located on this interface. This does not affect the SNMP traffic passing through the PIX Firewall via any interface.
An error code of -1 indicates that PIX Firewall could not open the SNMP transport for the interface, an error code of -2 indicates that PIX Firewall could not bind the SNMP transport for the interface.Action Once the PIX Firewall reclaims some of its resources when traffic is lighter, use the snmp-server host command for that interface again.
%PIX-3-212002: Unable to open SNMP trap channel (UDP port udp_port) on interface interface_number, error code = codeExplanation This is an SNMP message. This message reports that the PIX Firewall will be unable to send its SNMP traps from the PIX Firewall to SNMP management stations located on this interface. This does not affect the SNMP traffic passing through the PIX Firewall via any interface.
An error code of -1 indicates that PIX Firewall could not open the SNMP trap transport for the interface, an error code of -2 indicates that PIX Firewall could not bind the SNMP trap transport for the interface.Action Once the PIX Firewall reclaims some of its resources when traffic is lighter, issue the snmp-server host command for that interface again.
%PIX-3-212003: Unable to receive an SNMP request on interface interface_number, error code = code, will try again.Explanation This is an SNMP message. This message is logged because of an internal error in receiving an SNMP request destined for the PIX Firewall on the specified interface.
Action None required. The PIX Firewall SNMP agent will go back to wait for the next SNMP request.
%PIX-3-212004: Unable to send an SNMP response to IP Address IP_addr Port port interface interface_number, error code = codeExplanation This is an SNMP message. This message is logged because of an internal error in sending an SNMP response from the PIX Firewall to the specified host on the specified interface.
Action None required.
%PIX-3-212005: incoming SNMP request (number bytes) on interface int_name exceeds data buffer size, discarding this SNMP request.Explanation This is an SNMP message. This message reports that the length of the incoming SNMP request, destined for the PIX Firewall, exceeds the size of the internal data buffer (512 bytes) used for storing the request during internal processing; therefore, PIX Firewall is unable to process this request. This does not affect the SNMP traffic passing through the PIX Firewall via any interface.
Action Have the SNMP management station resend the request with a shorter length, for example, instead of querying multiple MIB variables in one request, try querying only one MIB variable in a request. This may involve modifying the configuration of the SNMP manager software.
%PIX-3-213001: PPTP control daemon socket io string, errno = num.Explanation An internal TCP socket I/O error occurred.
Action Report the problem to customer support.
%PIX-3-213002: PPTP tunnel hashtable insert failed, peer = IP_addr.Explanation An internal software error occurred while creating a new PPTP tunnel.
Action Report the problem to customer support.
%PIX-3-213003: PPP virtual interface number isn't opened.Explanation An internal software error occurred while closing a PPP virtual interface.
Action Report the problem to customer support.
%PIX-3-213004: PPP virtual interface number client ip allocation failed.Explanation An internal software error occurred while allocating an IP address to the PPTP client.
Action This error occurs when the IP local address pool has been depleted. Consider allocating a larger pool with the ip local pool command.
Messages 302001 to 315011
%PIX-6-302001: Built inbound|outbound TCP connection id for faddr faddr/fport gaddr gaddr/gport laddr laddr/lport (username)Explanation This is a connection-related message. This message reports that an authenticated inbound or outbound TCP connection was started to foreign address faddr using the global address gaddr from local address laddr. If the connection required authentication, the username is reported in the last field of the message.
Action None required.
%PIX-6-302002: Teardown TCP connection id for faddr IP_addr/port gaddr IP_addr/port laddr IP_addr/port (username) duration time bytes num (chars).Explanation This is a connection-related message. This message is logged when a TCP connection is terminated. The duration and byte count for the session are reported. If the connection required authentication, the username is reported in the last field of the message. This message is used by the PIX Firewall Manager to generate reports.
Action None required.
The reason variable presents the action that causes the connection to terminate, as listed in Table 1-2.
%PIX-6-302003: Built H245 connection for faddr faddr/fport laddr laddr/lportExplanation This is a connection-related message. This message is logged when an H.245 connection is started from foreign address faddr to local address laddr. This message only occurs if the PIX Firewall detects the use of an Intel Internet phone. The foreign port (fport) only displays on connections from outside the PIX Firewall. The local port value (lport) only appears on connections started on an internal interface.
Action None required.
%PIX-6-302004: Pre-allocate H323 UDP backconnection for faddr faddr/fport to laddr laddr/lportExplanation This is a connection-related message. This message is logged when an H.323 UDP back-connection is preallocated to foreign address faddr from local address laddr. This message is only generated if the PIX Firewall detects the use of an Intel Internet phone. The foreign port (fport) only displays on connections from outside the PIX Firewall. The local port value (lport) only appears on connections started on an internal interface.
Action None required.
%PIX-6-302005: Built UDP connection for faddr faddr/fport gaddr gaddr/gport laddr laddr/lportExplanation This is a connection-related message. This message is logged when a UDP connection is started to foreign address faddr using the global address gaddr from local address laddr.
Action None required.
%PIX-6-302006: Teardown UDP connection for faddr faddr/fport gaddr gaddr/gport laddr laddr/lportExplanation This is a connection-related message. This message is logged when a UDP connection is terminated. If the connection required authentication, the username is also reported in the last field of the message. This message is used by the PIX Firewall Manager to generate reports.
Action None required.
%PIX-6-302009: Rebuilt TCP connection id for faddr faddr/fport gaddr gaddr/gport laddr laddr/lportExplanation This is a connection-related message. This message appears after a TCP connection is rebuilt after a failover. A sync packet is not sent to the other PIX Firewall. The faddr IP address is the foreign host, the gaddr IP address is a global address on the lower security level interface, and the laddr IP address is the local IP address "behind" the PIX Firewall on the higher security level interface.
Action None required.
%PIX-6-302010: conns in use, conns most usedExplanation This is a connection-related message. This message appears after a TCP connection restarts. conns is the number of connections.
Action None required.
%PIX-3-302302: ACL = deny; no sa createdExplanation Proxy mismatches. Proxy hosts for the negotiated SA correspond to a deny access-list command policy.
Action Check access-list command statement in the configuration. Contact the administrator for the peer.
%PIX-6-303002: src_addr Stored|Retrieved dest_addr: nat_addrsExplanation This is an FTP/URL message. This message is logged when the specified host successfully stores or retrieves data from the specified FTP site. This message is used by the PIX Firewall Manager to generate reports.
Action None required.
%PIX-5-304001: user src_addr Accessed JAVA URL|URL dest_addr: url.Explanation This is an FTP/URL message. This message is logged when the specified host successfully accesses the specified URL. This message is used by the PIX Firewall Manager to generate reports.
Action None required.
%PIX-5-304002: Access denied URL chars SRC IP_addr DEST IP_addr: charsExplanation This is an FTP/URL message. This message is logged if access from the source address to the specified URL or FTP site is denied.
Action None required.
%PIX-3-304003: URL Server IP_addr timed out URL stringExplanation This message logs when a URL server times out.
Action None required.
%PIX-6-304004: URL Server IP_addr request failed URL charsExplanation This is an FTP/URL message. This message is logged if a Websense server request fails.
Action None required.
%PIX-7-304005: URL Server IP_addr request pending URL charsExplanation This is an FTP/URL message. This message is logged when a Websense server request is pending.
Action None required.
%PIX-3-304006: URL Server IP_addr not respondingExplanation This is an FTP/URL message. The Websense server is unavailable for access, and the PIX Firewall attempts to either try to access the same server if it is the only server installed, or another server if there is more than one.
Action None required.
%PIX-2-304007: URL Server IP_addr not responding, ENTERING ALLOW mode.Explanation This is an FTP/URL message. This message is logged when you use the allow option of the filter command, and the Websense server(s) are not responding. The PIX Firewall allows all Web requests to continue without filtering while the server(s) are not available.
Action None required.
%PIX-2-304008: LEAVING ALLOW mode, URL Server is up.Explanation This is an FTP/URL message. This message is logged when you use the allow option of the filter command, and the PIX Firewall receives a response message from a Websense server that previously was not responding. With this response message, the PIX Firewall exits the allow mode enabling once again the URL filtering feature.
Action None required.
%PIX-6-305001: Portmapped translation built for gaddr IP_addr/port laddr IP_addr/portExplanation This is a connection-related message. This message is logged when an xlate is created for outbound traffic using a PAT global address. This applies to UDP, TCP, and ICMP packets.
Action None required.
%PIX-6-305002: Translation built for gaddr IP_addr to laddr IP_addrExplanation This is a connection-related message. This message is logged when an xlate is created for outbound traffic using a global address, or for either outbound or inbound traffic using a static address.
Action None required.
%PIX-6-305003: Teardown translation for global IP_addr local IP_addrExplanation This is a connection-related message. This message is logged when the PIX Firewall clears a dynamically allocated translation after the xlate timeout expires.
Action None required.
%PIX-6-305004: Teardown portmap translation for global IP_addr/port local IP_addr/portExplanation This message is logged when a portmapped translation (PAT xlate) no longer in use has been reclaimed.
Action None required.
%PIX-3-305005: No translation group found for protocol.Explanation This message logs when a nat and global command cannot be found for a protocol. The protocol can be TCP, UDP, or ICMP.
Action This message can be either an internal error or an error in the configuration.
%PIX-3-305006: Invalid dst is network/broadcast IP, translation creation failed for protocol src int_name:IP_addr dst int_name:IP_addrExplanation A protocol (UDP, TCP, or ICMP) failed to create a translation through the PIX Firewall. This message appears as a fix to caveat CSCdr0063 that requested that PIX Firewall not allow packets destined to network or broadcast addresses. PIX Firewall provides this checking for addresses that are explicitly identified with static command statements. With the change, for inbound traffic, PIX Firewall denies translations for a destined IP address identified as a network or broadcast address.
PIX Firewall utilizes the global IP and mask from configured static command statements to differ regular IP addresses from network or broadcast IP addresses. If the global IP address is a valid network address with a matching network mask, then the PIX Firewall will not create an xlate for network or broadcast IP addresses with inbound packets. For example:
static (inside,outside) 10.2.2.128 10.1.1.128 netmask 255.255.255.128Global address 10.2.2.128 is treated as a network address and 10.2.2.255 as the broadcast address. Without an existing xlate, PIX Firewall denies inbound packets destined for 10.2.2.128 or 10.2.2.255, and logs this syslog message.
In case the suspected IP is really a host IP, a separated static command statement with a host mask needs to be configured and in front of the subnet static (first match rule for static command statements). The following static causes PIX Firewall to treat 10.2.2.128 as a host address:
static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.255static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.128The xlate may be created by traffic started with the inside host with the questioned IP address. PIX Firewall treats a network or broadcast IP address as a host IP address with overlapped subnet static config, the network address translation for both static need be the same.
Action This message can be either an internal error or an error in the configuration.
%PIX-6-305007: Orphan IP IP_addr on interface interface_numberExplanation This message logs after the PIX Firewall attempts to translate an address that it cannot find in any of its global pools. The PIX Firewall assumes that the address has been deleted and drops the request.
Action None required.
%PIX-6-307001: Denied Telnet login session from IP_addr on interface int_name.Explanation This is a PIX Firewall management message. This message is logged when the PIX Firewall denies an attempt to connect to the Telnet port from the specified IP address on the inside network.
Action From the console, enter the show telnet command to verify that the PIX Firewall is configured to permit Telnet access from that host or network. From the PIX Firewall Manager, select Administration>Telnet Hosts for host information.
%PIX-6-307002: Permitted Telnet login session from IP_addrExplanation This is a PIX Firewall management message. This message logs a successful Telnet connection to the PIX Firewall.
Action None required.
%PIX-6-307003: telnet login session failed from IP_addr (num attempts) on interface int_name.Explanation This is a PIX Firewall management message. The PIX Firewall logs this message after an incorrect Telnet password was entered num times for the same connection. Up to three attempts are allowed to log into a console Telnet session.
Action Verify the password and try again.
%PIX-6-308001: PIX console enable password incorrect for num tries (from IP_addr).Explanation This is a PIX Firewall management message. This message is logged after the num number of times a user miss types the password to enter privileged mode. The maximum is three attempts.
Action The privileged mode password is not necessarily the same as the password for Telnet access to the PIX Firewall. Verify the password and try again.
%PIX-4-308002: static gaddr1 laddr1 netmask mask1 overlapped with gaddr2 laddr2Explanation This message occurs if the IP addresses in one or more static command statements overlap. gaddr is the global address, which is the address on the lower security interface and laddr is the local address, which is the address on the higher security level interface.
Action Use the show static command to view the static command statements in your configuration and fix the commands that overlap. The most common overlap occurs if you specify a network address such as 10.1.1.0 and in another static command statement, specify a host within that range such as 10.1.1.5.
%PIX-3-309001: Denied manager connection from IP_addr.Explanation This is a PIX Firewall management message. This message is logged when the PIX Firewall Manager denies an attempt to connect to its Telnet port from the specified IP address on the inside network.
Action None required.
%PIX-6-309002: Permitted manager connection from IP_addr.Explanation This is a PIX Firewall management message. This message logs a successful PIX Firewall Manager connection.
Action None required.
%PIX-6-311001: LU loading standby startExplanation This message appears when Stateful Failover update information is sent to the Standby PIX Firewall unit when the Standby unit is first coming online.
Action None required.
%PIX-6-311002: LU loading standby endExplanation This message appears when Stateful Failover update information is done being sent to the Standby unit.
Action None required.
%PIX-6-311003: LU recv thread upExplanation This message appears when an update acknowledgment has been received from the Standby unit.
Action None required.
%PIX-6-311004: LU xmit thread upExplanation This message appears when a Stateful Failover update is transmitted to the Standby unit.
Action None required.
%PIX-6-312001: RIP hdr failed from IP_addr: cmd=cmd, version=vers domain=name on interface int_nameExplanation PIX Firewall received a RIP message with an operation code other than reply, the message has a version number different than what is expected on this interface, and the routing domain entry was non-zero.
Action This message is informational, but may also indicate that another RIP device is not configured correctly to communicate with the PIX Firewall.
%PIX-3-313001: Denied ICMP type=icmp_type, code=type_code from IP_addr on interface int_nameExplanation When using the icmp command with an access list, if the first matched entry is a permit entry, ICMP packet
