Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 526-4100
Cisco PIX Firewall System Log Messages
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Copyright © 2003 Cisco Systems, Inc. All rights reserved.
Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
CONTENTS

About This Guide  xiii
    Document Objectives  xiii
    Audience  xiii
    Document Organization  xiv
    Document Conventions  xiv
    Related Documentation  xiv
    Obtaining Documentation  xiv
        Cisco.com  xv
        Documentation CD-ROM  xv
        Ordering Documentation  xv
        Documentation Feedback  xvi
    Obtaining Technical Assistance  xvi
        Cisco.com  xvi
        Technical Assistance Center  xvi
    Obtaining Additional Publications and Information  xviii

Chapter 1  Introduction  1-1
    New and Deleted Messages  1-1
        EMBLEM Format Option in Version 6.3.1  1-1
        New and Deleted Messages in Version 6.3.1  1-2
        New and Changed Messages in Version 6.3.2  1-5
    Logging Command Overview  1-6
    Enabling Logging  1-9
        Testing the Logging Output  1-9
    Setting the Syslog Output Location  1-10
        Sending Syslog Messages to the Buffer  1-10
        Sending Syslog Messages to a Telnet Console Session  1-11
        Sending Syslog Messages to a Syslog Server  1-12
        Sending Syslog Messages to an SNMP Management Station  1-13
    Disabling and Enabling Specific Syslog Messages  1-14
        Disabling Specific Syslog Messages  1-14
        Viewing a List of Disabled Syslog Messages  1-14
        Reenabling Specific Disabled Syslog Messages  1-14
    Understanding Log Messages  1-15
        Log Message Format  1-15
        Severity Levels  1-16
        Variables  1-16
    Other Remote Management and Monitoring Tools  1-19
        Cisco PIX Device Manager  1-19
        Cisco Secure Policy Manager  1-19
        SNMP Traps  1-20
        Telnet  1-20

Chapter 2  System Log Messages  2-1
        613002  2-87
        613003  2-87
        614001  2-87
        614002  2-88
        620001  2-88
        620002  2-88
    Messages 701001 to 710006  2-89
        701001  2-89
        702301  2-89
        702302  2-89
        702303  2-89
        703001  2-90
        703002  2-90
        709001, 709002  2-90
        709003  2-90
        709004  2-91
        709005  2-91
        709006  2-91
        709007  2-91
        710001  2-92
        710002  2-92
        710003  2-92
        710004  2-93
        710005  2-93
        710006  2-93

Appendix A  Messages Listed by Severity Level  A-1
    Alert Messages, User-Defined Severity  A-1
    Alert Messages, Severity 1  A-1
    Critical Messages, Severity 2  A-3
    Error Messages, Severity 3  A-4
    Warning Messages, Severity 4  A-6
    Notification Messages, Severity 5  A-8
    Informational Messages, Severity 6  A-9
    Debugging Messages, Severity 7  A-13

About This Guide
This preface describes:
• Document Objectives, page xiii
• Audience, page xiii
• Document Organization, page xiv
• Document Conventions, page xiv
• Related Documentation, page xiv
• Obtaining Documentation, page xiv
• Obtaining Technical Assistance, page xvi
Document Objectives
This guide describes the system log (syslog) messages generated by the Cisco PIX Firewall software Version 6.3. Messages that display on the console from non-syslog errors are not listed. See the “New and Deleted Messages” section on page 1-1 for a list of new and deleted messages in recent versions of the software.
Audience
This guide is intended for network managers who perform any of the following tasks:
• Managing network security
• Configuring, administering, and troubleshooting firewalls
This guide assumes that you are familiar with the commands and configuration options described in the Cisco PIX Firewall Command Reference. In addition, you should be familiar with the network within
Document Organization
This guide is organized as follows:
• Chapter 1, “Introduction” describes the system log message function, and explains the format of log messages.
• Chapter 2, “System Log Messages” lists the system log messages, indicates the probable cause of each message, and provides instructions for resolving the condition that caused the log message.
• Appendix A, “Messages Listed by Severity Level” lists message numbers and text by each severity level.
Document Conventions
This guide uses the following conventions:
• Filenames, directory names, and arguments for which you supply values are in italics.
• The symbol ^ represents the key labeled Ctrl (control). To enter a control key, for example ^z, hold down the Ctrl key while you press the z key.
• Command names, keys, buttons, and keywords in text are shown in boldface. The PIX Firewall commands are described in detail in the Cisco PIX Firewall Command Reference.
• Variables in command syntax descriptions are shown in italics. Command options in square brackets [ ] can be optionally entered, and parameters separated by a vertical bar ( | ) require you to enter one parameter, but not the other(s).
• Examples depict screen displays and the command line in screen font.
• Information you need to enter in examples is shown in boldface screen font.
• Variables that require you to supply a value are shown in italic screen font.
• Selecting a menu item (or screen) is indicated by the following convention: Click screen1>screen2>screen3.
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
Related Documentation
Use this document with the PIX Firewall documentation set, which is available online at the following website:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix_sw/index.htm
Obtaining Documentation
Cisco.com
You can access the most current Cisco documentation on the World Wide Web at this URL: http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL: http://www.cisco.com
International Cisco web sites can be accessed from this URL: http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.
Registered Cisco.com users can order the Documentation CD-ROM (product number DOC-CONDOCCD=) through the online Subscription Store:
http://www.cisco.com/go/subscription
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:
http://www.cisco.com/en/US/partner/ordering/index.shtml
• Registered Cisco.com users can order the Documentation CD-ROM (Customer Order Number DOC-CONDOCCD=) through the online Subscription Store:
http://www.cisco.com/go/subscription
Documentation Feedback
You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.
You can email your comments to bug-doc@cisco.com.
You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities.
Cisco.com
Cisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world. Cisco.com provides a broad range of features and services to help you with these tasks:
• Streamline business processes and improve productivity
• Resolve technical issues with online support
• Download and test software packages
• Order Cisco learning materials and merchandise
• Register for online skill assessment, training, and certification programs
To obtain customized information and service, you can self-register on Cisco.com at this URL: http://www.cisco.com
Technical Assistance Center
We categorize Cisco TAC inquiries according to urgency:
• Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
• Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
• Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
• Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.
Cisco TAC Website
You can use the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC website, go to this URL:
http://www.cisco.com/tac
All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:
http://tools.cisco.com/RPF/register/register.do
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:
http://www.cisco.com/en/US/support/index.html
If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC website so that you can describe the situation in your own words and attach any necessary files.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
• The Cisco Product Catalog describes the networking products offered by Cisco Systems as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
http://www.cisco.com/en/US/products/products_catalog_links_launch.html
• Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:
http://www.ciscopress.com
• Packet magazine is the Cisco monthly periodical that provides industry professionals with the latest information about the field of networking. You can access Packet magazine at this URL:
http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html
• iQ Magazine is the Cisco monthly periodical that provides business leaders and decision makers with the latest information about the networking industry. You can access iQ Magazine at this URL:
http://business.cisco.com/prod/tree.taf%3fasset_id=44699&public_view=true&kbns=1.html
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in the design, development, and operation of public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html
• Training—Cisco offers world-class networking training, with current offerings in network training listed at this URL:
Chapter 1
Introduction
This chapter lists new and deleted messages in recent versions of the PIX Firewall software. It also describes how to view and manage syslog messages, how to understand the messages, and which other remote management and monitoring tools are available.
Note Not all system log messages represent error conditions. Some messages simply report normal events.
This chapter includes the following sections:
• New and Deleted Messages, page 1-1
• Logging Command Overview, page 1-6
• Enabling Logging, page 1-9
• Setting the Syslog Output Location, page 1-10
• Disabling and Enabling Specific Syslog Messages, page 1-14
• Understanding Log Messages, page 1-15
• Other Remote Management and Monitoring Tools, page 1-19
New and Deleted Messages
This section lists new and deleted messages for each software release:
• EMBLEM Format Option in Version 6.3.1, page 1-1
• New and Deleted Messages in Version 6.3.1, page 1-2
• New and Changed Messages in Version 6.3.2, page 1-5
EMBLEM Format Option in Version 6.3.1
This feature enables you to log messages to a syslog server in Cisco EMBLEM format. EMBLEM syslog format is designed to be consistent with the Cisco IOS format and is more compatible with CiscoWorks management applications.
Example:
• UDP only—EMBLEM format logging is available for UDP syslog messages only (because the RME syslog analyzer only supports UDP syslog messages). If you use the option with TCP/port#, an error is generated. If EMBLEM format logging is enabled for a particular syslog host, then EMBLEM format messages are sent to that host.
• logging host—The logging host ip_address format emblem command enables EMBLEM format logging on a per-syslog-server basis.
• timestamp—The EMBLEM format is available for messages both with and without a timestamp. If the logging timestamp option is also enabled, then EMBLEM format messages with a time stamp are sent.
• device-id—The logging device-id command displays a unique device ID in non-EMBLEM format syslog messages that are sent to the syslog server. This command is available in PIX Firewall software Version 6.2.2.115 and higher. If enabled, the PIX Firewall displays the device ID in all non-EMBLEM-formatted syslog messages. However, it does not affect the syslog message text that is in EMBLEM format.
New and Deleted Messages in Version 6.3.1
The following sections list messages that were added or deleted in Version 6.3.1:
• New Messages in Version 6.3.1, page 1-2
• Deleted Messages in Version 6.3.1, page 1-5
New Messages in Version 6.3.1
The following messages were added in Version 6.3.1.
• %PIX-n-106100: access-list acl_ID {permitted | denied | est-allowed} protocol interface_name/source_address(source_port) -> interface_name/dest_address(dest_port) hit-cnt number ({first hit | number-second interval})
• %PIX-1-106101: The number of ACL log deny-flows has reached limit (number).
• %PIX-7-109021: Uauth null proxy error
• %PIX-4-109022: exceeded HTTPS proxy process limit
• %PIX-2-215001: Bad route_compress() call, sdb= number
• %PIX-3-302019: H.323 library_name ASN Library failed to initialize, error code number
• %PIX-3-317001: No memory available for limit_slow
• %PIX-3-317002: Bad path index of number for IP_address, number max
• %PIX-3-317003: IP routing table creation failure - reason
• %PIX-3-317004: IP routing table limit warning
• %PIX-3-317005: IP routing table limit exceeded - reason, IP_address netmask
• %PIX-3-318001: Internal error: reason
• %PIX-3-318002: Flagged as being an ABR without a backbone area
• %PIX-3-318003: Reached unknown state in neighbor state machine
• %PIX-3-318005: lsid IP_address adv IP_address type number gateway gateway_address metric number network IP_address mask netmask protocol hex attr hex net-metric number
• %PIX-3-318006: if interface_name if_state number
• %PIX-3-318007: OSPF is enabled on interface_name during idb initialization
• %PIX-3-318008: OSPF process number is changing router-id. Reconfigure virtual link neighbors with our new router-id
• %PIX-3-320001: The subject name of the peer cert is not allowed for connection
• %PIX-4-405001: Received ARP {request | response} collision from IP_address/mac_address on interface interface_name, page 2-61
• %PIX-4-405002: Received mac mismatch collision from IP_address/mac_address for authenticated host, page 2-62
• %PIX-4-408001: IP route counter negative - reason, IP_address Attempt: number
• %PIX-4-409001: Database scanner: external LSA IP_address netmask is lost, reinstalls
• %PIX-4-409002: db_free: external LSA IP_address netmask
• %PIX-4-409003: Received invalid packet: reason from IP_address, interface_name
• %PIX-4-409004: Received reason from unknown neighbor IP_address
• %PIX-4-409005: Invalid length number in OSPF packet from IP_address (ID IP_address), interface_name
• %PIX-4-409006: Invalid lsa: reason Type number, LSID IP_address from IP_address, IP_address, interface_name
• %PIX-4-409007: Found LSA with the same host bit set but using different mask LSA ID IP_address netmask New: Destination IP_address netmask
• %PIX-4-409008: Found generating default LSA with non-zero mask LSA type : number Mask : IP_address metric : number area : string
• %PIX-4-409009: OSPF process number cannot start. There must be at least one up IP interface, for OSPF to use as router ID
• %PIX-4-409010: Virtual link information found in non-backbone area: string
• %PIX-4-409011: OSPF detected duplicate router-id IP_address from IP_address on interface interface_name
• %PIX-4-409012: Detected router with duplicate router ID IP_address in area string
• %PIX-4-409013: Detected router with duplicate router ID IP_address in Type-4 LSA advertised by IP_address
• %PIX-4-410001: UDP DNS packet dropped due to domainname length check of 255 bytes: actual length:<n> bytes, page 2-68
• %PIX-5-503001: Process number, Nbr IP_address on interface_name from string to string, reason
• %PIX-5-611104: Serial console idle timeout exceeded
• %PIX-6-605004: Login denied from {source_address/source_port | serial} to {interface_name:dest_address/service | console} for user "user"
• %PIX-6-605005: Login permitted from {source_address/source_port | serial} to {interface_name:dest_address/service | console} for user "user"
• %PIX-6-611314: VPNClient: Load Balancing Cluster with Virtual IP: IP_address has redirected the PIX to server IP_address
• %PIX-6-611315: VPNClient: Disconnecting from Load Balancing Cluster member IP_address
• %PIX-6-611316: VPNClient: Secure Unit Authentication Enabled
• %PIX-6-611317: VPNClient: Secure Unit Authentication Disabled
• %PIX-6-611318: VPNClient: User Authentication Enabled: Auth Server IP: IP_address Auth Server Port: port Idle Timeout: time
• %PIX-6-611319: VPNClient: User Authentication Disabled
• %PIX-6-611320: VPNClient: Device Pass Thru Enabled
• %PIX-6-611321: VPNClient: Device Pass Thru Disabled
• %PIX-6-611322: VPNClient: Extended XAUTH conversation initiated when SUA disabled
• %PIX-6-611323: VPNClient: Duplicate split nw entry
• %PIX-6-613001: Checksum Failure in database in area string Link State Id IP_address Old Checksum number New Checksum number
• %PIX-6-613002: interface interface_name has zero bandwidth
• %PIX-6-613003: IP_address netmask changed from area string to area string
• %PIX-6-620001: Pre-allocate CTIQBE {RTP | RTCP} secondary channel for interface_name:outside_address[/outside_port] to interface_name:inside_address[/inside_port] from CTIQBE_message_name message
• %PIX-4-620002: Unsupported CTIQBE version: hex: from interface_name:IP_address/port to interface_name:IP_address/port
• %PIX-7-703001: H.225 message received from interface_name:ip_address/port to interface_name:ip_address/port is using an unsupported version number
• %PIX-7-703002: Received H.225 Release Complete with newConnectionNeeded for interface_name:ip_address to interface_name:ip_address/port
• %PIX-7-710001: TCP access requested from source_address/source_port to interface_name:dest_address/service
• %PIX-7-710002: {TCP|UDP} access permitted from source_address/source_port to interface_name:dest_address/service
• %PIX-3-710003: {TCP|UDP} access denied by ACL from source_address/source_port to interface_name:dest_address/service
• %PIX-4-710004: TCP connection limit exceeded from source_address/source_port to interface_name:dest_address/service
• %PIX-7-710005: {TCP|UDP} request discarded from source_address/source_port to interface_name:dest_address/service
Deleted Messages in Version 6.3.1
Table 1-1 lists messages that were deleted from Version 6.3.1:
Table 1-1 Deleted Messages from Version 6.3.1
Message | Reason Deleted
%PIX-5-111006: Console Login from user at IP_addr | Replaced by message number 605005
%PIX-6-307001: Denied Telnet login session from IP_addr on interface int_name | Replaced by message number 710003
%PIX-6-307002: Permitted Telnet login session from IP_addr | Replaced by message number 605005
%PIX-6-307003: telnet login session failed from IP_addr (num attempts) on interface int_name | Replaced by message number 605004
%PIX-4-307004: Telnet session limit exceeded. Connection request from IP_addr on interface int_name | Replaced by message number 710004
%PIX-3-309001: Denied manager connection from IP_addr. | Replaced by message number 710003
%PIX-4-309004: Manager session limit exceeded. Connection request from IP_addr on interface int_name | Replaced by message number 710004
%PIX-3-315001: Denied SSH session from IP_addr on interface int_name | Replaced by message number 710003
%PIX-6-315002: Permitted SSH session from IP_addr on interface int_name for user user_id | Replaced by message number 605005
%PIX-6-315003: SSH login session failed from IP_addr on (num attempts) on interface int_name by user user_id | Replaced by message number 605004
%PIX-4-315005: SSH session limit exceeded. Connection request from IP_addr on interface int_name | Replaced by message number 710004
%PIX-6-605001: HTTP daemon interface interface_name: connection denied from IP_address | Replaced by message number 710003
%PIX-6-605002: HTTP daemon connection limit exceeded | Replaced by message number 710004
%PIX-6-605003: HTTP daemon: Login failed from IP_address for user user |
New and Changed Messages in Version 6.3.2
The following sections list messages that were added or deleted in Version 6.3.2:
• New Messages in Version 6.3.2, page 1-5
• Changed Messages in Version 6.3.2, page 1-6
New Messages in Version 6.3.2
The following messages were added in Version 6.3.2:
• %PIX-4-411001: Line protocol on interface interface_name changed state to up
• %PIX-4-411002: Line protocol on interface interface_name changed state to down
Changed Messages in Version 6.3.2
The following messages were changed in Version 6.3.2:
• %PIX-6-305009: Built {dynamic|static} translation from interface_name [(<acl-name>)]:real_address to interface_name:mapped_address
• %PIX-6-305010: Teardown {dynamic|static} translation from interface_name [(<acl-name>)]:real_address to interface_name:mapped_address duration time
• %PIX-6-305011: Built {dynamic|static} {TCP|UDP|ICMP} translation from interface_name [(<acl-name>)]:real_address/real_port to interface_name:mapped_address/mapped_port
• %PIX-6-305012: Teardown {dynamic|static} {TCP|UDP|ICMP} translation from interface_name [(<acl-name>)]:real_address/{real_port|real_ICMP_ID} to interface_name:mapped_address/{mapped_port|mapped_ICMP_ID} duration time
Logging Command Overview
Table 1-2 lists the PIX Firewall logging commands that you can use to configure and manage logging. See the Cisco PIX Firewall Command Reference for detailed descriptions and additional logging commands. To use the logging command, access the configuration mode on the PIX Firewall by entering the configure terminal command.
Many of the logging commands require that you specify a severity level threshold to indicate which syslog messages can be sent to the output locations. The lower the level number, the more severe the error. The default severity level is 3. Specify the severity level as either a number or a keyword as described in Table 1-3. The level you specify causes PIX Firewall to send messages of that level or lower to the output location; for example, if you specify severity level 3, PIX Firewall sends severity level 1, 2, and 3 messages to the output location.
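The threshold rule just described, and the message renumbering in Table 1-1, in a small Python helper added here as an illustration (not part of the guide): it extracts the %PIX-severity-number token from a syslog line, keeps only what a `logging trap` threshold would forward, maps the numbers deleted in 6.3.1 to their replacements so a collector fed by mixed-version firewalls keys on one number, and counts denied management access per source. The sample lines and addresses are constructed; the message texts follow the templates listed in this chapter.

```python
"""Parse Cisco PIX 6.3 syslog lines, apply the logging-trap severity threshold
rule, and normalise message numbers deleted in 6.3.1 to their replacements."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Severity numbers and names as listed in Appendix A of the guide.
SEVERITY_NAMES = {1: "alert", 2: "critical", 3: "error", 4: "warning",
                  5: "notification", 6: "informational", 7: "debugging"}

# Table 1-1: message numbers deleted in 6.3.1 and the number that replaced each.
# 605003 is omitted because its replacement is not given in the extracted table.
REPLACED_IN_6_3_1: Dict[int, int] = {
    111006: 605005, 307001: 710003, 307002: 605005, 307003: 605004,
    307004: 710004, 309001: 710003, 309004: 710004, 315001: 710003,
    315002: 605005, 315003: 605004, 315005: 710004, 605001: 710003,
    605002: 710004,
}

# Denied management access in the new numbering (old numbers map onto these).
MGMT_DENIED = {605004, 710003}

# The %PIX-severity-number: token may be preceded by a timestamp or a
# device-id, so search for it rather than anchoring at the line start.
PIX_RE = re.compile(r"%PIX-(?P<sev>[1-7])-(?P<num>\d{6}):\s*(?P<text>.*)$")
IPV4_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class PixMessage:
    severity: int
    number: int
    text: str
    prefix: str  # whatever preceded %PIX- (timestamp, device-id); may be empty


def parse_pix_line(line: str) -> Optional[PixMessage]:
    """Return the parsed message, or None for a line that is not PIX syslog."""
    m = PIX_RE.search(line)
    if m is None:
        return None
    return PixMessage(severity=int(m.group("sev")), number=int(m.group("num")),
                      text=m.group("text").strip(), prefix=line[:m.start()].strip())


def passes_threshold(msg: PixMessage, level: int) -> bool:
    """Mirror the PIX rule: a threshold of N forwards messages of severity N
    and lower (more severe); 3 is the guide's default."""
    if level not in SEVERITY_NAMES:
        raise ValueError(f"severity level must be 1-7, got {level}")
    return msg.severity <= level


def normalise_number(msg: PixMessage) -> int:
    """Map a pre-6.3.1 number to its replacement. The severity is left as
    received, because the replacement message may carry a different one."""
    return REPLACED_IN_6_3_1.get(msg.number, msg.number)


def filter_and_normalise(lines: List[str], level: int) -> List[Tuple[int, int, str]]:
    """(normalised number, severity, text) for every PIX line that would pass
    a 'logging trap level' threshold; non-PIX lines are skipped."""
    out: List[Tuple[int, int, str]] = []
    for line in lines:
        msg = parse_pix_line(line)
        if msg is None or not passes_threshold(msg, level):
            continue
        out.append((normalise_number(msg), msg.severity, msg.text))
    return out


def denied_logins_by_source(lines: List[str]) -> Dict[str, int]:
    """Count denied management logins/connections per source address across
    old (307001, 309001, 315001, 605001, ...) and new (710003, 605004) numbers."""
    counts: Dict[str, int] = {}
    for line in lines:
        msg = parse_pix_line(line)
        if msg is None or normalise_number(msg) not in MGMT_DENIED:
            continue
        ip = IPV4_RE.search(msg.text)
        if ip:
            counts[ip.group(1)] = counts.get(ip.group(1), 0) + 1
    return counts


# Constructed sample lines (documentation addresses), not captured from a device.
SAMPLE_LINES = [
    "Jan 01 2003 12:00:00 pix1 : %PIX-6-307001: Denied Telnet login session from 192.0.2.5 on interface outside",
    "%PIX-3-710003: TCP access denied by ACL from 192.0.2.5/4242 to outside:198.51.100.1/telnet",
    "%PIX-7-710001: TCP access requested from 192.0.2.5/4243 to outside:198.51.100.1/ssh",
    "%PIX-1-106101: The number of ACL log deny-flows has reached limit (1024).",
    "%PIX-6-605004: Login denied from 203.0.113.9/1234 to outside:198.51.100.1/ssh for user \"admin\"",
    "kernel: not a PIX message at all",
]

if __name__ == "__main__":
    for number, sev, text in filter_and_normalise(SAMPLE_LINES, 3):
        print(f"{number} ({SEVERITY_NAMES[sev]}): {text}")
    print(denied_logins_by_source(SAMPLE_LINES))
```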
PIX Firewall has a fixed number of blocks in memory that can be allocated for buffering syslog messages. The number of blocks required depends on the length of the message queue and the number of syslog hosts specified. If the available memory is exceeded, the following message appears:
Warning: failed to register nnn blocks for logging
Where nnn is the number of 256-byte blocks that could not be allocated. To resolve this problem, reduce the number of buffered messages using the logging queue command or reduce the number of syslog hosts specified.
Some commands support the format emblem option. EMBLEM syslog format is designed to be consistent with the Cisco IOS format and is more compatible with CiscoWorks management applications.
Table 1-2 PIX Firewall Logging Commands

Type: Enabling Logging
  logging on
    Enables transmission of syslog messages to all output locations. You can disable sending syslog messages with the no logging on command. You must also set a logging output location to see any logs.
  show logging
    Lists the current syslog messages and which logging command options are enabled.

Type: Setting the Message Level or Disabling Messages
  logging message message_number level severity_level
    Sets the severity level of a specific syslog message. Use the no logging message message_number level severity_level command to use the default level.
  no logging message message_number
    Disables specific syslog messages. Use the logging message message_number command to resume logging of specific disabled messages.

Type: Specifying and Managing Output Locations
  logging buffered severity_level
    Stores syslog messages in the PIX Firewall so you can view them with the show logging command.
  clear logging
    Clears the message buffer created with the logging buffered command.
  logging console severity_level
    Enables syslog messages to display on the PIX Firewall console as they occur. Set the severity_level from 1 to 7. You can also enter the level name. See Table 1-3 for more information. Use this command when you are debugging problems or when there is minimal load on the network. Do not use this command when the network is busy, as it can reduce PIX Firewall performance.
  logging monitor severity_level
    Enables syslog messages to display as they occur when accessing the PIX Firewall console with Telnet. Set the severity_level from 1 to 7. You can also enter the level name. See Table 1-3 for more information. You must also enter the terminal monitor command to enable logging for each Telnet session.
  logging trap severity_level
    Enables syslog messages to be sent to a syslog server (see the logging host command to identify the server). Set the severity_level from 1 to 7. You can also enter the level name. See Table 1-3 for more information.
  logging host [interface_name] ip_address [tcp[/port] | udp[/port]] [format emblem]
    Specifies a host that receives the syslog messages (a syslog server). The PIX Firewall can send messages across UDP or TCP. The default protocol and port are UDP/514. The default TCP port (if specified) is 1468. The format emblem option enables EMBLEM formatting (UDP only).
  logging facility number
    Sets the logging facility for a syslog server. The default is 20.
  logging history severity_level
    Enables syslog messages for SNMP. Set the severity_level from 1 to 7. You can also enter the level name. See Table 1-3 for more information.

Type: Logging Options
  logging device-id {hostname | ipaddress if_name | string text}
    If enabled, the PIX Firewall displays the device ID in all syslog messages sent to a syslog server. The device ID does not appear in EMBLEM-formatted messages, SNMP traps, or on the firewall console, management session, or buffer. If you use the ipaddress option, the device ID becomes the specified PIX Firewall interface IP address, regardless of the interface from which the message is sent. This option provides a single consistent device ID for all messages sent from the device.
  logging queue msg_count
    Specifies the number of syslog messages that can appear in the message queue while awaiting processing. The default is 512 messages; set to 0 (zero) to specify unlimited messages. Use the show logging queue command to view queue statistics.
Enabling Logging
To enable logging, follow these steps. These steps enable logging; however, you must also set an output location to view the log messages. See the “Setting the Syslog Output Location” section on page 1-10 for more information.
Step 1 To enable logging, enter:
logging on
By default, the logging level is set to 3 (error).
Step 2 To change the logging level, enter:
logging trap severity_level (1-7)
Step 3 To view your logging settings, enter:
show logging
Testing the Logging Output
To test the logging output, follow these steps:
Step 1 To initiate a log message to be sent to the console, enter:
logging console 7
quit
This test generates the following syslog message:
111005: nobody End configuration: OK
This message states that you exited configuration mode. “111005” is the message identifier number (see Chapter 2, “System Log Messages,” for more information about this message). The term “nobody” indicates you are accessing the PIX Firewall console from the serial console port.
Step 2 To disable logging to the console, enter:
no logging console 7
quit
Setting the Syslog Output Location
This section includes the following topics:
• Sending Syslog Messages to the Buffer, page 1-10
• Sending Syslog Messages to a Telnet Console Session, page 1-11
• Sending Syslog Messages to a Syslog Server, page 1-12
• Sending Syslog Messages to an SNMP Management Station, page 1-13
You can configure the PIX Firewall system software to send syslog messages to the output location of your choice. The PIX Firewall provides several output locations for sending syslog messages:
• The console
We recommend sending syslog messages directly to the console only during testing. See the “Testing the Logging Output” section.
• The buffer
• A Telnet connection
• A host running a syslog server
• An SNMP management station
Note You can also view syslog messages using the Monitoring tab within the Cisco PIX Device Manager (PDM). Refer to the PDM online Help for additional information.
Sending Syslog Messages to the Buffer
Follow these steps to send syslog messages to the logging buffer, and then view the buffer on the PIX Firewall console:
Step 1 To store messages for display, enter the following command:
logging buffered severity_level (1-7)
Step 2 To view the messages on the console, enter the following command:
show logging
Step 3 To clear the buffer so that viewing new messages is easier, enter:
clear logging
Step 4 To disable message logging, enter:
no logging buffered
Sending Syslog Messages to a Telnet Console Session
Follow these steps to view syslog messages in a Telnet console session:
Step 1 If you have not done so already, configure the PIX Firewall to let a host on the inside interface access the PIX Firewall.
a. Enter:
telnet ip_address [subnet_mask] [if_name]
For example, if a host has the IP address 192.168.1.2, the command is:
telnet 192.168.1.2 255.255.255.255
b. You should also set the duration that a Telnet session can be idle before PIX Firewall disconnects the session to a value greater than the default of 5 minutes. A good value is at least 15 minutes, which you can set as follows:
telnet timeout 15
Step 2 Start Telnet on your host and specify the inside interface of the PIX Firewall. When Telnet connects, the PIX Firewall prompts you with PIX passwd:.
Step 3 Enter the Telnet password, which is cisco by default.
Step 4 To enable configuration mode, enter:
enable
(Enter your password at the prompt)
configure terminal
Step 5 To start message logging, enter:
logging monitor severity_level (1-7)
Step 6 To send logs to this Telnet session, enter:
terminal monitor
This command enables logging only for the current Telnet session. The logging monitor command sets the logging preferences for all Telnet sessions, while the terminal monitor (and terminal no monitor) commands control logging for each individual Telnet session.
Step 7 Trigger some events by pinging a host or starting a web browser. The syslog messages then appear in the Telnet session window.
Step 8 When done, disable this feature with the following commands:
Sending Syslog Messages to a Syslog Server
If you send messages to a host, they are sent using either UDP or TCP. The host must run a program (known as a server) called syslogd. UNIX provides a syslog server as part of its operating system. For Windows 95 or Windows 98, obtain a syslog server from another vendor.
See the Cisco PIX Firewall and VPN Configuration Guide for the procedure to configure syslogd. On the logging server, you can specify actions to execute when certain types of messages are logged; for example, sending email, saving records to a log file, or displaying messages on a workstation. Follow these steps to configure the firewall to send messages to a syslog server:
Step 1 To designate a host to receive the messages, enter:
logging host [interface] ip_address [tcp[/port] | udp[/port]] [format emblem]
For example:
logging host dmz1 192.168.1.5
You can enter this command multiple times to specify additional servers so that if one goes offline, another is available to receive messages.
Step 2 To set the logging level, enter:
logging trap severity_level (1-7)
We recommend that you use the debugging (7) level during initial setup and during testing. Thereafter, set the level from debugging to errors (3) for production use.
Step 3 If you want to include the device ID in each message, enter:
logging device-id {hostname | ipaddress if_name | string text}
The message includes the specified device ID (the hostname, the IP address of the specified interface (even if the message comes from another interface), or a string) in messages sent to a syslog server. The device ID does not appear in EMBLEM-formatted messages, SNMP traps, or on the firewall console, management session, or buffer.
Step 4 If needed, set the logging facility to a value other than its default of 20. Most UNIX systems expect the messages to arrive at facility 20:
logging facility number
Sending Syslog Messages to an SNMP Management Station
To receive Syslog messages on an SNMP management station, complete the following procedures:
• Receiving SNMP Requests, page 1-13
• Sending SNMP Traps, page 1-13
Receiving SNMP Requests
Follow these steps for the PIX Firewall to receive requests from an SNMP management station:
Step 1 To set the IP address of the SNMP management station, enter:
snmp-server host [if_name] ip_addr
Step 2 Set other snmp server settings as required:
snmp-server location text
snmp-server contact text
snmp-server community key
See the Cisco PIX Firewall Command Reference for more information.
Sending SNMP Traps
Follow these steps to send log messages as traps from the PIX Firewall to an SNMP management station (cold start, link up, and link down generic traps are already enabled by the “Receiving SNMP Requests” procedure):
Step 1 Enter:
snmp-server enable traps
Step 2 To set the logging level, enter:
logging history severity_level (1-7)
We recommend that you use the debugging (7) level during initial setup and during testing. Thereafter, set the level from debugging to a lower value for production use.
Step 3 To disable sending syslog traps, enter:
Disabling and Enabling Specific Syslog Messages
The following sections describe how to disable, reenable, or view disabled syslog messages:
• Disabling Specific Syslog Messages, page 1-14
• Viewing a List of Disabled Syslog Messages, page 1-14
• Reenabling Specific Disabled Syslog Messages, page 1-14
• Reenabling All Disabled Syslog Messages, page 1-14
Disabling Specific Syslog Messages
Enter the following command to disable specific syslog messages:
no logging message message_number
where message_number is the specific message you want to disable.
Note The following message cannot be disabled:
%PIX-6-199002: PIX startup completed. Beginning operation.
Viewing a List of Disabled Syslog Messages
To view a list of disabled syslog messages, enter the following command:
show logging disabled
Reenabling Specific Disabled Syslog Messages
To reenable disabled syslog messages, enter the following command:
logging message message_number
where message_number is the specific message you want to reenable.
Reenabling All Disabled Syslog Messages
To reenable all disabled syslog messages, enter the following command:
Understanding Log Messages
This section includes the following topics:
• Log Message Format, page 1-15
• Severity Levels, page 1-16
• Variables, page 1-16
Log Message Format
System log messages begin with a percent sign (%) and are structured as follows:
%PIX-Level-Message_number: Message_text
See the following descriptions:
Note Syslog messages received at the PIX Firewall serial console contain only the code portion of the message. When you view the message description in Chapter 2, “System Log Messages,” the description also provides the severity level.
PIX Identifies the message facility code for messages generated by the PIX Firewall. This value is always PIX.
Level 1-7. The level reflects the severity of the condition described by the message. The lower the number, the more severe the condition. See Table 1-3 for more information.
Message_number A unique 6-digit number that identifies the message.
Message_text A text string describing the condition. This portion of the message sometimes
Severity Levels
Table 1-3 lists the severity levels. Logging is set to level 3 (error) by default.
Note Syslog does not generate level 0 emergency messages. This level is provided in the logging command for compatibility with the UNIX syslog feature, but is not used by PIX Firewall.
Appendix A, “Messages Listed by Severity Level” lists which messages occur at each severity level.
Variables
Log messages often contain variables. Table 1-4 lists most variables that are used in this guide to describe log messages. Some variables that appear in only one log message are not listed.
Table 1-3 Log Message Severity Levels

Level Number  Level Keyword  Description
0             emergency      System unusable.
1             alert          Immediate action needed.
2             critical       Critical condition.
3             error          Error condition.
4             warning        Warning condition.
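The message format, the severity rule behind logging trap, and the facility default of 20 described above, worked through as an added example that is not part of this guide: a small collector-side parser in Python. It assumes the collector kept the syslog <PRI> header on each line (PRI = facility * 8 + severity per RFC 3164); the sample lines are constructed from message codes documented in this guide.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# The PIX default for "logging facility" is 20 (syslog local4). The <PRI> header a
# collector receives is facility * 8 + severity (RFC 3164).
DEFAULT_FACILITY = 20

# Message code as described in "Log Message Format": %PIX-Level-Message_number: Message_text
PIX_CODE_RE = re.compile(r"%PIX-(?P<level>[0-7])-(?P<number>\d{6}):\s*(?P<text>.*)$")
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")

# 199002 is the one message the guide says cannot be disabled.
UNDISABLEABLE = frozenset({199002})


@dataclass
class PixMessage:
    level: int                      # 1-7, lower is more severe
    number: int                     # six-digit message identifier
    text: str                       # Message_text
    facility: Optional[int] = None  # decoded from <PRI> when the header is present
    pri_mismatch: bool = False      # True if <PRI> severity != level in the %PIX code


def parse_pix_line(line: str) -> Optional[PixMessage]:
    """Parse one line as received by a syslog collector; None if it is not a PIX message."""
    code = PIX_CODE_RE.search(line)
    if code is None:
        return None
    msg = PixMessage(int(code.group("level")), int(code.group("number")), code.group("text"))
    pri = PRI_RE.match(line)
    if pri is not None:
        # A relay that rewrites PRI makes this disagree with the %PIX level; the level
        # inside the message code is the one the firewall assigned, so keep that one.
        msg.facility, pri_severity = divmod(int(pri.group("pri")), 8)
        msg.pri_mismatch = pri_severity != msg.level
    return msg


def expected_pri(level: int, facility: int = DEFAULT_FACILITY) -> int:
    """PRI value a collector should see for a PIX message at this level."""
    return facility * 8 + level


def is_forwarded(msg: PixMessage, trap_level: int,
                 disabled: FrozenSet[int] = frozenset()) -> bool:
    """Apply the 'logging trap severity_level' rule: a message is sent only when its
    level is at or below the configured level, unless it was disabled with
    'no logging message message_number' (which cannot silence 199002)."""
    if msg.number in disabled and msg.number not in UNDISABLEABLE:
        return False
    return msg.level <= trap_level


def forwarded_messages(lines: List[str], trap_level: int,
                       disabled: FrozenSet[int] = frozenset()) -> List[PixMessage]:
    """Messages from 'lines' that a PIX at this trap level would send to a syslog server."""
    out = []
    for line in lines:
        msg = parse_pix_line(line)
        if msg is not None and is_forwarded(msg, trap_level, disabled):
            out.append(msg)
    return out


# Constructed sample input using message codes documented in this guide.
SAMPLE_LINES = [
    "<161>%PIX-1-101002: (Primary) Bad failover cable.",
    "<163>%PIX-3-105010: (Primary) Failover message block alloc failed",
    "<166>%PIX-6-199002: PIX startup completed. Beginning operation.",
    "%PIX-1-103001: (Primary) No response from other firewall (reason code = 1).",
    "Jan 01 2003 00:00:00 not a PIX message",
]

if __name__ == "__main__":
    # Production setting from this guide: trap level 3 (errors), with two messages disabled.
    for m in forwarded_messages(SAMPLE_LINES, trap_level=3, disabled=frozenset({105010, 199002})):
        print(m.number, m.level, m.text)
```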
Table 1-4 Variable Fields in Syslog Messages

Misc.

acl_ID: An ACL name.

command: A command name.

command_modifier: The command_modifier is one of the following strings:
• cmd (this string means the command has no modifier)
• clear
• no
• show

connection_type: The connection type:
• SIGNALLING UDP
• SIGNALLING TCP
• SUBSCRIBE UDP
• SUBSCRIBE TCP
• Via UDP
• Route
• RTP
• RTCP

device: The memory storage device. For example, the floppy disk, Flash memory, TFTP, the failover standby unit, or the console terminal.

filename: A filename of the type PIX Firewall image, PDM file, or configuration.

privilege_level: The user privilege level.

reason: A text string describing the reason for the message.

string: Text string (for example, a username).

tcp_flags: Flags in the TCP header such as:

Numbers

number: A number. The exact form depends on the log message.

bytes: The number of bytes.

code: A decimal number returned by the message to indicate the cause or source of the error, depending on the message.

connections: The number of connections.

elimit: Number of embryonic connections specified in the static or nat command.

econns: Number of embryonic connections.

nconns: Number of connections permitted for the static or xlate table.

time: Duration, in the format hh:mm:ss.

dec: Decimal number.

hex: Hexadecimal number.

octal: Octal number.

Addresses

IP_address: IP address in the form n.n.n.n, where n is an integer from 1 to 255.

MAC_address: The MAC address.

outside_address: Outside (or foreign) IP address, an address of a host typically on a lower security level interface in a network beyond the outside router.

inside_address: Inside (or local) IP address, an address on a higher security level interface.

global_address: Global IP address, an address on a lower security level interface.

source_address: The source address of a packet.

dest_address: The destination address of a packet.

real_address: The real IP address, before Network Address Translation (NAT).

mapped_address: The translated IP address.

gateway_address: The network gateway IP address.

netmask: The subnet mask.

Interfaces

interface_number: The interface number, 1 to n, where the number is determined by the order the interfaces load in the PIX Firewall. For example, see the sample show nameif command output:

show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif token0 outside security20
nameif ethernet2 inside security30

In this example, ethernet0 would appear in a syslog message as interface 0, ethernet1 would be interface 1, token0 would be interface 2, and ethernet2 would be interface 3.

interface_name: The name assigned to the interface. Use the show nameif command to view the interfaces and their names.
Other Remote Management and Monitoring Tools
In addition to the system log function, you can remotely monitor the PIX Firewall using other tools, which are described in the following topics:
• Cisco PIX Device Manager, page 1-19
• Cisco Secure Policy Manager, page 1-19
• SNMP Traps, page 1-20
• Telnet, page 1-20
Cisco PIX Device Manager
The Cisco PIX Device Manager (PDM) is a browser-based configuration tool designed to help you set up, configure, and monitor your PIX Firewall graphically, without requiring an extensive knowledge of the PIX Firewall command-line interface (CLI). PDM ships with every PIX Firewall running software Version 6.0(1) and higher. Refer to the Cisco PIX Device Manager Installation Guide for more information.
Cisco Secure Policy Manager
Cisco Secure Policy Manager (CSPM) is a security policy management system that enables you to define, distribute, enforce, and audit network-wide security policies from a central location. CSPM streamlines the tasks of managing complicated network security events, such as perimeter access control, Network Address Translation (NAT), IDS, and IPSec-based VPNs. CSPM provides system-auditing functions, including monitoring, event notification, and web-based reporting. CSPM can receive syslog messages from the PIX Firewall and provide notifications including email, paging, and scripting for designated syslogs. CSPM also provides reports of PIX Firewall syslogs, including the top ten users and top ten websites. These reports can be provided both on-demand and by schedule. Reports can be emailed or viewed remotely from an SSL-enabled web browser.
Table 1-4 Variable Fields in Syslog Messages (continued)

Ports, Services, and Protocols

port: The TCP or UDP port number.

outside_port: The outside port number.

inside_port: The inside port number.

source_port: The source port number.

dest_port: The destination port number.

real_port: The real port number, before NAT.

mapped_port: The translated port number.

global_port: The global port number.

protocol: The protocol of the packet, for example, ICMP, TCP, or UDP.

service: The service specified by the packet, for example, SNMP or Telnet.
Refer to the following websites for more information:
http://www.cisco.com/go/policymanager
http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/index.htm
SNMP Traps
The PIX Firewall events can be reported using SNMP. This feature requires loading the Cisco SYSLOG MIB and the Cisco SMI MIB onto the SNMP management station.
Telnet
Chapter 2 System Log Messages
This chapter lists the Cisco PIX Firewall system log messages. The messages are listed numerically by message code.
Note The messages shown in this guide apply to Cisco PIX Firewall Version 6.3 and higher. When a number is skipped from a sequence, the message is no longer in the PIX Firewall code.
This chapter includes the following sections:
• Messages 101001 to 199005, page 2-1
• Messages 201002 to 215001, page 2-25
• Messages 302003 to 320001, page 2-35
• Messages 400000 to 409013, page 2-52
• Messages 410001 to 410001, page 2-68
• Messages 411001 to 411002, page 2-69
• Messages 602101 to 620002, page 2-72
• Messages 701001 to 710006, page 2-89
Messages 101001 to 199005
This section contains messages from 101001 to 199005.
101001
Error Message %PIX-1-101001: (Primary) Failover cable OK.
101002
Error Message %PIX-1-101002: (Primary) Bad failover cable.
Explanation This is a failover message. This message reports that the failover cable is present but not functioning correctly. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.
Recommended Action Replace the failover cable.
101003, 101004
Error Message %PIX-1-101003: (Primary) Failover cable not connected (this unit).
Error Message %PIX-1-101004: (Primary) Failover cable not connected (other unit).
Explanation Both instances are failover messages. These messages are logged when failover mode is enabled, but the failover cable is not connected to one unit of the failover pair. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.
Recommended Action Connect the failover cable to both units of the failover pair.
101005
Error Message %PIX-1-101005: (Primary) Error reading failover cable status.
Explanation This is a failover message. This message is logged if the failover cable is connected, but the primary unit is unable to determine its status.
Recommended Action Replace the cable.
102001
103001
Error Message %PIX-1-103001: (Primary) No response from other firewall (reason code = code).
Explanation This is a failover message. This message is logged if the primary unit is unable to communicate with the secondary unit over the failover cable. “(Primary)” can also be listed as “(Secondary)” for the secondary unit. Table 2-1 lists the Reason Codes and the descriptions to determine why the failover occurred.
Recommended Action Verify the failover cable is connected properly and both units have the same hardware, software, and configuration; otherwise contact Cisco TAC.
103002
Error Message %PIX-1-103002: (Primary) Other firewall network interface interface_number OK.
Explanation This is a failover message. This message is logged when the primary unit detects that the network interface on the secondary unit is okay. “(Primary)” can also be listed as “(Secondary)” for the secondary unit. Refer to Table 1-4 in Chapter 1, “Introduction,” for possible values for the interface_number variable.
Recommended Action None required.
103003
Error Message %PIX-1-103003: (Primary) Other firewall network interface interface_number failed.
Explanation This is a failover message. This message is logged if the primary unit detects a bad network interface on the secondary unit. “(Primary)” can also be listed as “(Secondary)” for the secondary unit. Refer to Table 1-4 on page 1-17 for possible values for the interface_number variable.
Recommended Action Check the network connections on the secondary unit. Also, check the network hub connection. If necessary, replace the failed network interface.
Table 2-1 Reason Codes

Reason Code  Description
1            No failover hello seen on Serial cable for 30 + seconds. This ensures that failover is running properly on the other firewall unit.
2            An interface did not pass one of the 4 failover tests. The 4 tests are: 1) Link Up, 2) Monitor for Network Traffic, 3) ARP test, 4) Broadcast Ping test.
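An added example, not part of this guide, that applies Table 2-1 and the interface_number mapping from Table 1-4 to the failover messages 103001, 103002/103003, 104001/104002 and 105009: Python that builds the interface_number table from show nameif output and turns each failover line into a structured event a monitoring rule can act on. The show nameif output and the four message lines are constructed sample input, and the reason-code table holds only the two codes documented on this page.

```python
import re
from typing import Dict, Optional, Tuple

# Table 2-1 reason codes as printed in this guide (only codes 1 and 2 are documented).
REASON_CODES = {
    1: "No failover hello seen on Serial cable for 30 + seconds",
    2: "An interface did not pass one of the 4 failover tests",
}

NAMEIF_RE = re.compile(r"^\s*nameif\s+(?P<hw>\S+)\s+(?P<name>\S+)\s+security\d+\s*$")
PIX_CODE_RE = re.compile(r"%PIX-(?P<level>[0-7])-(?P<number>\d{6}):\s*(?P<text>.*)$")
UNIT_RE = re.compile(r"^\((?P<unit>Primary|Secondary)\)\s*")


def parse_nameif(show_nameif_output: str) -> Dict[int, Tuple[str, str]]:
    """Map interface_number -> (hardware id, interface name).
    Numbers follow the order the nameif lines appear, starting at 0, which is how
    Table 1-4 says interface_number is derived."""
    table: Dict[int, Tuple[str, str]] = {}
    for line in show_nameif_output.splitlines():
        m = NAMEIF_RE.match(line)
        if m:
            table[len(table)] = (m.group("hw"), m.group("name"))
    return table


def triage_failover(line: str, ifaces: Dict[int, Tuple[str, str]]) -> Optional[dict]:
    """Turn one failover syslog line into a structured event.
    Returns None for lines that are not PIX messages or not handled here."""
    code = PIX_CODE_RE.search(line)
    if code is None:
        return None
    number, text = int(code.group("number")), code.group("text")
    unit = UNIT_RE.match(text)
    event = {"number": number, "unit": unit.group("unit") if unit else None}

    if number == 103001:  # No response from other firewall (reason code = code)
        m = re.search(r"reason code = (\d+)", text)
        reason_code = int(m.group(1)) if m else None
        event["reason_code"] = reason_code
        event["reason"] = REASON_CODES.get(reason_code, "reason code not documented on this page")
    elif number in (103002, 103003):  # Other firewall network interface interface_number OK|failed
        m = re.search(r"network interface (\d+) (OK|failed)", text)
        if m is None:
            return None
        idx = int(m.group(1))
        hw, name = ifaces.get(idx, ("unknown", "unknown"))
        event.update(interface_number=idx, interface=f"{hw} ({name})", state=m.group(2))
    elif number in (104001, 104002):  # Switching to ACTIVE|STNDBY (cause: string)
        m = re.search(r"Switching to (\w+) \(cause: (.*)\)", text)
        if m is None:
            return None
        event.update(new_state=m.group(1), cause=m.group(2))
    elif number == 105009:  # Testing on interface interface_name {Passed|Failed}
        m = re.search(r"Testing on interface (\S+) (Passed|Failed)", text)
        if m is None:
            return None
        event.update(interface=m.group(1), result=m.group(2))
    else:
        return None
    return event


# Constructed sample input: the show nameif output from Table 1-4 and four failover messages.
SAMPLE_NAMEIF = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif token0 outside security20
nameif ethernet2 inside security30
"""
SAMPLE_LINES = [
    "%PIX-1-103001: (Primary) No response from other firewall (reason code = 1).",
    "%PIX-1-103003: (Primary) Other firewall network interface 2 failed.",
    "%PIX-1-104001: (Secondary) Switching to ACTIVE (cause: state check).",
    "%PIX-1-105009: (Primary) Testing on interface outside Failed.",
]

if __name__ == "__main__":
    ifaces = parse_nameif(SAMPLE_NAMEIF)
    for line in SAMPLE_LINES:
        print(triage_failover(line, ifaces))
```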
103004
Error Message %PIX-1-103004: (Primary) Other firewall reports this firewall failed.
Explanation This is a failover message. This message is logged if the primary unit receives a message from the secondary unit indicating that the primary has failed. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.
Recommended Action Verify the status of the primary unit.
103005
Error Message %PIX-1-103005: (Primary) Other firewall reporting failure.
Explanation This is a failover message. This message is logged if the secondary unit reports a failure to the primary unit. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.
Recommended Action Verify the status of the secondary unit.
104001, 104002
Error Message %PIX-1-104001: (Primary) Switching to ACTIVE (cause: string).
Error Message %PIX-1-104002: (Primary) Switching to STNDBY (cause: string).
Explanation Both instances are failover messages. These messages usually are logged when you force the pair to switch roles, either by entering the failover active command on the secondary unit, or the no failover active command on the primary unit. “(Primary)” can also be listed as “(Secondary)” for the secondary unit. Possible values for the string variable are as follows:
– state check
– bad/incompleted config
– ifc [interface] check, mate is healthier
– the otherside want me standby
– in failed state, cannot be active
– switch to failed state
104003
Error Message %PIX-1-104003: (Primary) Switching to FAILED.
Explanation This is a failover message. This message is logged when the primary unit fails. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.
Recommended Action Check the system log messages for the primary unit for an indication of the nature of the problem (see message 104001).
104004
Error Message %PIX-1-104004: (Primary) Switching to OK.
Explanation This is a failover message. This message is logged when a previously failed unit now reports that it is operating again. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.
Recommended Action None required.
105001
Error Message %PIX-1-105001: (Primary) Disabling failover.
Explanation This is a failover message. This message is logged when you enter the no failover command on the console. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.
Recommended Action None required.
105002
Error Message %PIX-1-105002: (Primary) Enabling failover.
Explanation This is a failover message. This message is logged when you enter the failover command with no arguments on the console, after having previously disabled failover. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.
105003
Error Message %PIX-1-105003: (Primary) Monitoring on interface interface_name waiting
Explanation This is a failover message. The firewall is testing the specified network interface with the other unit of the failover pair. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.
Recommended Action None required. The firewall monitors its network interfaces frequently during normal operations.
105004
Error Message %PIX-1-105004: (Primary) Monitoring on interface interface_name normal
Explanation This is a failover message. The test of the specified network interface was successful. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.
Recommended Action None required.
105005
Error Message %PIX-1-105005: (Primary) Lost Failover communications with mate on interface interface_name.
Explanation This is a failover message. This message is logged if this unit of the failover pair can no longer communicate with the other unit of the pair. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.
Recommended Action Verify that the network connected to the specified interface is functioning correctly.
105006, 105007
Error Message %PIX-1-105006: (Primary) Link status ‘Up’ on interface interface_name.
Error Message %PIX-1-105007: (Primary) Link status ‘Down’ on interface interface_name.
Explanation Both instances are failover messages. These messages report the results of monitoring the link status of the specified interface. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.
105008
Error Message %PIX-1-105008: (Primary) Testing interface interface_name.
Explanation This is a failover message. This message is logged when the firewall tests a specified network interface. This testing is performed only if the firewall fails to receive a message from the standby unit on that interface after the expected interval. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.
Recommended Action None required.
105009
Error Message %PIX-1-105009: (Primary) Testing on interface interface_name {Passed|Failed}.
Explanation This is a failover message. This message reports the result (either “Passed” or “Failed”) of a previous interface test. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.
Recommended Action None required if the result is “Passed.” If the result is “Failed,” you should check the network cable connection to both failover units, that the network itself is functioning correctly, and verify the status of the standby unit.
105010
Error Message %PIX-3-105010: (Primary) Failover message block alloc failed
Explanation Block memory was depleted. This is a transient message and the firewall should recover. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.
Recommended Action Use the show blocks command to monitor the current block memory.
105011
Error Message %PIX-1-105011: (Primary) Failover cable communication failure
Explanation The failover cable is not permitting communication between the primary and secondary units. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.
105020
Error Message %PIX-1-105020: (Primary) Incomplete/slow config replication
Explanation When a failover occurs, the active PIX Firewall detects a partial configuration in memory. Normally, this is caused by an interruption in the replication service. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.
Recommended Action Once the failover is detected by the PIX Firewall, the PIX Firewall automatically reloads itself and loads configuration from Flash memory and/or resyncs with another PIX Firewall. If failovers happen continuously, check the failover configuration and make sure both PIX Firewall units can communicate with each other.
105031
Error Message %PIX-1-105031: Failover LAN interface is up
Explanation LAN failover interface link is up.
Recommended Action None required.
105032
Error Message %PIX-1-105032: LAN Failover interface is down
Explanation LAN failover interface link is down.
Recommended Action Check the connectivity of the LAN failover interface. Make sure the speed/duplex setting is correct.
105034
Error Message %PIX-1-105034: Receive a LAN_FAILOVER_UP message from peer.
Explanation The peer has just booted and sent the initial contact message.