
Cisco Reader Comment Card

General Information

1 Years of networking experience: Years of experience with Cisco products:

2 I have these network types: LAN Backbone WAN

Other:

3 I have these Cisco products: Switches Routers

Other (specify models):

4 I perform these types of tasks: H/W installation and/or maintenance S/W configuration

Network management Other:

5 I use these types of documentation: H/W installation H/W configuration S/W configuration

Command reference Quick reference Release notes Online help

Other:

6 I access this information through: Cisco.com (CCO) CD-ROM

Printed docs Other:

7 I prefer this access method:

8 I use the following three product features the most:

Document Information

Document Title: Cisco PIX Firewall System Log Messages

Part Number: 78-15168-01
S/W Release (if applicable): Version 6.3

On a scale of 1–5 (5 being the best), please let us know how we rate in the following areas:

Please comment on our lowest scores:

Mailing Information

Company Name Date

Contact Name Job Title

Mailing Address

City State/Province ZIP/Postal Code

Country Phone ( ) Extension

Fax ( ) E-mail

Can we contact you further concerning our documentation? Yes No

The document is written at my technical level of understanding.
The information is accurate.
The document is complete.
The information I wanted was easy to find.
The information is well organized.
The information I found was useful to my job.


BUSINESS REPLY MAIL

FIRST-CLASS MAIL PERMIT NO. 4631 SAN JOSE CA

POSTAGE WILL BE PAID BY ADDRESSEE

ATTN DOCUMENT RESOURCE CONNECTION

CISCO SYSTEMS INC

170 WEST TASMAN DRIVE

SAN JOSE CA 95134-9883


Corporate Headquarters Cisco Systems, Inc.

170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100

Cisco PIX Firewall System Log Messages


THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT

LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco PIX Firewall System Log Messages

Copyright © 2003 Cisco Systems, Inc. All rights reserved.


Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.


Contents

About This Guide, page xiii
    Document Objectives, page xiii
    Audience, page xiii
    Document Organization, page xiv
    Document Conventions, page xiv
    Related Documentation, page xiv
    Obtaining Documentation, page xiv
        Cisco.com, page xv
        Documentation CD-ROM, page xv
        Ordering Documentation, page xv
        Documentation Feedback, page xvi
    Obtaining Technical Assistance, page xvi
        Cisco.com, page xvi
        Technical Assistance Center, page xvi
    Obtaining Additional Publications and Information, page xviii

Chapter 1 Introduction, page 1-1
    New and Deleted Messages, page 1-1
        EMBLEM Format Option in Version 6.3.1, page 1-1
        New and Deleted Messages in Version 6.3.1, page 1-2
        New and Changed Messages in Version 6.3.2, page 1-5
    Logging Command Overview, page 1-6
    Enabling Logging, page 1-9
        Testing the Logging Output, page 1-9
    Setting the Syslog Output Location, page 1-10
        Sending Syslog Messages to the Buffer, page 1-10
        Sending Syslog Messages to a Telnet Console Session, page 1-11
        Sending Syslog Messages to a Syslog Server, page 1-12
        Sending Syslog Messages to an SNMP Management Station, page 1-13
    Disabling and Enabling Specific Syslog Messages, page 1-14
        Disabling Specific Syslog Messages, page 1-14
        Viewing a List of Disabled Syslog Messages, page 1-14
        Reenabling Specific Disabled Syslog Messages, page 1-14


    Understanding Log Messages, page 1-15
        Log Message Format, page 1-15
        Severity Levels, page 1-16
        Variables, page 1-16
    Other Remote Management and Monitoring Tools, page 1-19
        Cisco PIX Device Manager, page 1-19
        Cisco Secure Policy Manager, page 1-19
        SNMP Traps, page 1-20
        Telnet, page 1-20

Chapter 2 System Log Messages, page 2-1


        613002, page 2-87
        613003, page 2-87
        614001, page 2-87
        614002, page 2-88
        620001, page 2-88
        620002, page 2-88
    Messages 701001 to 710006, page 2-89
        701001, page 2-89
        702301, page 2-89
        702302, page 2-89
        702303, page 2-89
        703001, page 2-90
        703002, page 2-90
        709001, 709002, page 2-90
        709003, page 2-90
        709004, page 2-91
        709005, page 2-91
        709006, page 2-91
        709007, page 2-91
        710001, page 2-92
        710002, page 2-92
        710003, page 2-92
        710004, page 2-93
        710005, page 2-93
        710006, page 2-93

Appendix A Messages Listed by Severity Level, page A-1
    Alert Messages, User-Defined Severity, page A-1
    Alert Messages, Severity 1, page A-1
    Critical Messages, Severity 2, page A-3
    Error Messages, Severity 3, page A-4
    Warning Messages, Severity 4, page A-6
    Notification Messages, Severity 5, page A-8
    Informational Messages, Severity 6, page A-9
    Debugging Messages, Severity 7, page A-13

(15)

About This Guide

This preface describes:

Document Objectives, page xiii
Audience, page xiii
Document Organization, page xiv
Document Conventions, page xiv
Related Documentation, page xiv
Obtaining Documentation, page xiv
Obtaining Technical Assistance, page xvi

Document Objectives

This guide describes the system log (syslog) messages generated by the Cisco PIX Firewall software Version 6.3. Messages that display on the console from non-syslog errors are not listed. See the “New and Deleted Messages” section on page 1-1 for a list of new and deleted messages in recent versions of the software.

Audience

This guide is intended for network managers who perform any of the following tasks:

Managing network security
Configuring, administering, and troubleshooting firewalls

This guide assumes that you are familiar with the commands and configuration options described in the Cisco PIX Firewall Command Reference. In addition, you should be familiar with the network within


Document Organization

This guide is organized as follows:

Chapter 1, “Introduction” describes the system log message function, and explains the format of log messages.

Chapter 2, “System Log Messages” lists the system log messages, indicates the probable cause of each message, and provides instructions for resolving the condition that caused the log message.

Appendix A, “Messages Listed by Severity Level” lists message numbers and text by each severity level.

Document Conventions

This guide uses the following conventions:

Filenames, directory names, and arguments for which you supply values are in italics.

The symbol ^ represents the key labeled Ctrl (control). To enter a control key, for example ^z, hold down the Ctrl key while you press the z key.

Command names, keys, buttons, and keywords in text are shown in boldface. The PIX Firewall commands are described in detail in the Cisco PIX Firewall Command Reference.

Variables in command syntax descriptions are shown in italics. Command options in square brackets [ ] can be optionally entered, and parameters separated by a vertical bar ( | ) require you to enter one parameter, but not the other(s).

Examples depict screen displays and the command line in screen font.

Information you need to enter in examples is shown in boldface screen font. Variables that require you to supply a value are shown in italic screen font.

Selecting a menu item (or screen) is indicated by the following convention: Click screen1>screen2>screen3.

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Related Documentation

Use this document with the PIX Firewall documentation set, which is available online at the following website:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix_sw/index.htm

Obtaining Documentation


Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL: http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL: http://www.cisco.com

International Cisco web sites can be accessed from this URL: http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Registered Cisco.com users can order the Documentation CD-ROM (product number DOC-CONDOCCD=) through the online Subscription Store:

http://www.cisco.com/go/subscription

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/en/US/partner/ordering/index.shtml

Registered Cisco.com users can order the Documentation CD-ROM (Customer Order Number DOC-CONDOCCD=) through the online Subscription Store:

http://www.cisco.com/go/subscription


Documentation Feedback

You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.

You can email your comments to bug-doc@cisco.com.

You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities.

Cisco.com

Cisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world. Cisco.com provides a broad range of features and services to help you with these tasks:

Streamline business processes and improve productivity

Resolve technical issues with online support

Download and test software packages

Order Cisco learning materials and merchandise

Register for online skill assessment, training, and certification programs

To obtain customized information and service, you can self-register on Cisco.com at this URL: http://www.cisco.com

Technical Assistance Center


We categorize Cisco TAC inquiries according to urgency:

Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.

Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.

Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

Cisco TAC Website

You can use the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC website, go to this URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:

http://tools.cisco.com/RPF/register/register.do

If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:

http://www.cisco.com/en/US/support/index.html

If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC website so that you can describe the situation in your own words and attach any necessary files.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml


Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

The Cisco Product Catalog describes the networking products offered by Cisco Systems as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://www.cisco.com/en/US/products/products_catalog_links_launch.html

Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco monthly periodical that provides industry professionals with the latest information about the field of networking. You can access Packet magazine at this URL:

http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html

iQ Magazine is the Cisco monthly periodical that provides business leaders and decision makers with the latest information about the networking industry. You can access iQ Magazine at this URL:

http://business.cisco.com/prod/tree.taf%3fasset_id=44699&public_view=true&kbns=1.html

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in the design, development, and operation of public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

Training—Cisco offers world-class networking training, with current offerings in network training listed at this URL:

Chapter 1

Introduction

This chapter lists new and deleted messages in recent versions of the PIX Firewall software. It also describes how to view and manage syslog messages, how to understand the messages, and which other remote management and monitoring tools are available.

Note Not all system log messages represent error conditions. Some messages simply report normal events.

This chapter includes the following sections:

New and Deleted Messages, page 1-1
Logging Command Overview, page 1-6
Enabling Logging, page 1-9
Setting the Syslog Output Location, page 1-10
Disabling and Enabling Specific Syslog Messages, page 1-14
Understanding Log Messages, page 1-15
Other Remote Management and Monitoring Tools, page 1-19

New and Deleted Messages

This section lists new and deleted messages for each software release:

EMBLEM Format Option in Version 6.3.1, page 1-1
New and Deleted Messages in Version 6.3.1, page 1-2
New and Changed Messages in Version 6.3.2, page 1-5

EMBLEM Format Option in Version 6.3.1

This feature enables you to log messages to a syslog server in Cisco EMBLEM format. EMBLEM syslog format is designed to be consistent with the Cisco IOS format and is more compatible with CiscoWorks management applications.

Example:


UDP only

EMBLEM format logging is available for UDP syslog messages only (because the RME syslog analyzer only supports UDP syslog messages). If you use the option with TCP/port#, an error is generated. If EMBLEM format logging is enabled for a particular syslog host, then EMBLEM format messages are sent to that host.

logging host

The logging host ip_address format emblem command enables EMBLEM format logging on a per-syslog-server basis.

timestamp

The EMBLEM format is available both for messages with a timestamp and for messages without one. If the logging timestamp option is also enabled, then EMBLEM format messages with a time stamp are sent.

device-id

The logging device-id command displays a unique device ID in non-EMBLEM format syslog messages that are sent to the syslog server. This command is available in PIX Firewall software Version 6.2.2.115 and higher. If enabled, the PIX Firewall displays the device ID in all non-EMBLEM-formatted syslog messages. However, it does not affect the syslog message text that is in EMBLEM format.

New and Deleted Messages in Version 6.3.1

The following sections list messages that were added or deleted in Version 6.3.1:

New Messages in Version 6.3.1, page 1-2
Deleted Messages in Version 6.3.1, page 1-5

New Messages in Version 6.3.1

The following messages were added in Version 6.3.1.

%PIX-n-106100: access-list acl_ID {permitted | denied | est-allowed} protocol interface_name/source_address(source_port) -> interface_name/dest_address(dest_port) hit-cnt number ({first hit | number-second interval})

%PIX-1-106101: The number of ACL log deny-flows has reached limit (number).

%PIX-7-109021: Uauth null proxy error

%PIX-4-109022: exceeded HTTPS proxy process limit

%PIX-2-215001: Bad route_compress() call, sdb= number

%PIX-3-302019: H.323 library_name ASN Library failed to initialize, error code number

%PIX-3-317001: No memory available for limit_slow

%PIX-3-317002: Bad path index of number for IP_address, number max

%PIX-3-317003: IP routing table creation failure - reason

%PIX-3-317004: IP routing table limit warning

%PIX-3-317005: IP routing table limit exceeded - reason, IP_address netmask

%PIX-3-318001: Internal error: reason

%PIX-3-318002: Flagged as being an ABR without a backbone area

%PIX-3-318003: Reached unknown state in neighbor state machine


%PIX-3-318005: lsid IP_address adv IP_address type number gateway gateway_address metric number network IP_address mask netmask protocol hex attr hex net-metric number

%PIX-3-318006: if interface_name if_state number

%PIX-3-318007: OSPF is enabled on interface_name during idb initialization

%PIX-3-318008: OSPF process number is changing router-id. Reconfigure virtual link neighbors with our new router-id

%PIX-3-320001: The subject name of the peer cert is not allowed for connection

%PIX-4-405001: Received ARP {request | response} collision from IP_address/mac_address on interface interface_name, page 2-61

%PIX-4-405002: Received mac mismatch collision from IP_address/mac_address for authenticated host, page 2-62

%PIX-4-408001: IP route counter negative - reason, IP_address Attempt: number

%PIX-4-409001: Database scanner: external LSA IP_address netmask is lost, reinstalls

%PIX-4-409002: db_free: external LSA IP_address netmask

%PIX-4-409003: Received invalid packet: reason from IP_address, interface_name

%PIX-4-409004: Received reason from unknown neighbor IP_address

%PIX-4-409005: Invalid length number in OSPF packet from IP_address (ID IP_address), interface_name

%PIX-4-409006: Invalid lsa: reason Type number, LSID IP_address from IP_address, IP_address, interface_name

%PIX-4-409007: Found LSA with the same host bit set but using different mask LSA ID IP_address netmask New: Destination IP_address netmask

%PIX-4-409008: Found generating default LSA with non-zero mask LSA type : number Mask : IP_address metric : number area : string

%PIX-4-409009: OSPF process number cannot start. There must be at least one up IP interface, for OSPF to use as router ID

%PIX-4-409010: Virtual link information found in non-backbone area: string

%PIX-4-409011: OSPF detected duplicate router-id IP_address from IP_address on interface interface_name

%PIX-4-409012: Detected router with duplicate router ID IP_address in area string

%PIX-4-409013: Detected router with duplicate router ID IP_address in Type-4 LSA advertised by IP_address

%PIX-4-410001: UDP DNS packet dropped due to domainname length check of 255 bytes: actual length:<n> bytes, page 2-68

%PIX-5-503001: Process number, Nbr IP_address on interface_name from string to string, reason

%PIX-5-611104: Serial console idle timeout exceeded

%PIX-6-605004: Login denied from {source_address/source_port | serial} to {interface_name:dest_address/service | console} for user "user"

%PIX-6-605005: Login permitted from {source_address/source_port | serial} to {interface_name:dest_address/service | console} for user "user"


%PIX-6-611314: VPNClient: Load Balancing Cluster with Virtual IP: IP_address has redirected the PIX to server IP_address

%PIX-6-611315: VPNClient: Disconnecting from Load Balancing Cluster member IP_address

%PIX-6-611316: VPNClient: Secure Unit Authentication Enabled

%PIX-6-611317: VPNClient: Secure Unit Authentication Disabled

%PIX-6-611318: VPNClient: User Authentication Enabled: Auth Server IP: IP_address Auth Server Port: port Idle Timeout: time

%PIX-6-611319: VPNClient: User Authentication Disabled

%PIX-6-611320: VPNClient: Device Pass Thru Enabled

%PIX-6-611321: VPNClient: Device Pass Thru Disabled

%PIX-6-611322: VPNClient: Extended XAUTH conversation initiated when SUA disabled

%PIX-6-611323: VPNClient: Duplicate split nw entry

%PIX-6-613001: Checksum Failure in database in area string Link State Id IP_address Old Checksum number New Checksum number

%PIX-6-613002: interface interface_name has zero bandwidth

%PIX-6-613003: IP_address netmask changed from area string to area string

%PIX-6-620001: Pre-allocate CTIQBE {RTP | RTCP} secondary channel for interface_name:outside_address[/outside_port] to interface_name:inside_address[/inside_port] from CTIQBE_message_name message

%PIX-4-620002: Unsupported CTIQBE version: hex: from interface_name:IP_address/port to interface_name:IP_address/port

%PIX-7-703001: H.225 message received from interface_name:ip_address/port to interface_name:ip_address/port is using an unsupported version number

%PIX-7-703002: Received H.225 Release Complete with newConnectionNeeded for interface_name:ip_address to interface_name:ip_address/port

%PIX-7-710001: TCP access requested from source_address/source_port to interface_name:dest_address/service

%PIX-7-710002: {TCP|UDP} access permitted from source_address/source_port to interface_name:dest_address/service

%PIX-3-710003: {TCP|UDP} access denied by ACL from source_address/source_port to interface_name:dest_address/service

%PIX-4-710004: TCP connection limit exceeded from source_address/source_port to interface_name:dest_address/service

%PIX-7-710005: {TCP|UDP} request discarded from source_address/source_port to interface_name:dest_address/service


Deleted Messages in Version 6.3.1

Table 1-1 lists messages that were deleted from Version 6.3.1:

Table 1-1 Deleted Messages from Version 6.3.1

Message / Reason Deleted

%PIX-5-111006: Console Login from user at IP_addr
Replaced by message number 605005

%PIX-6-307001: Denied Telnet login session from IP_addr on interface int_name
Replaced by message number 710003

%PIX-6-307002: Permitted Telnet login session from IP_addr
Replaced by message number 605005

%PIX-6-307003: telnet login session failed from IP_addr (num attempts) on interface int_name
Replaced by message number 605004

%PIX-4-307004: Telnet session limit exceeded. Connection request from IP_addr on interface int_name
Replaced by message number 710004

%PIX-3-309001: Denied manager connection from IP_addr.
Replaced by message number 710003

%PIX-4-309004: Manager session limit exceeded. Connection request from IP_addr on interface int_name
Replaced by message number 710004

%PIX-3-315001: Denied SSH session from IP_addr on interface int_name
Replaced by message number 710003

%PIX-6-315002: Permitted SSH session from IP_addr on interface int_name for user user_id
Replaced by message number 605005

%PIX-6-315003: SSH login session failed from IP_addr on (num attempts) on interface int_name by user user_id
Replaced by message number 605004

%PIX-4-315005: SSH session limit exceeded. Connection request from IP_addr on interface int_name
Replaced by message number 710004

%PIX-6-605001: HTTP daemon interface interface_name: connection denied from IP_address
Replaced by message number 710003

%PIX-6-605002: HTTP daemon connection limit exceeded
Replaced by message number 710004

%PIX-6-605003: HTTP daemon: Login failed from IP_address for user user

New and Changed Messages in Version 6.3.2

The following sections list messages that were added or deleted in Version 6.3.2:

New Messages in Version 6.3.2, page 1-5
Changed Messages in Version 6.3.2, page 1-6

New Messages in Version 6.3.2

The following messages were added in Version 6.3.2:

%PIX-4-411001: Line protocol on interface interface_name changed state to up

%PIX-4-411002: Line protocol on interface interface_name changed state to down


Changed Messages in Version 6.3.2

The following messages were changed in Version 6.3.2:

%PIX-6-305009: Built {dynamic|static} translation from interface_name [(<acl-name>)]:real_address to interface_name:mapped_address

%PIX-6-305010: Teardown {dynamic|static} translation from interface_name [(<acl-name>)]:real_address to interface_name:mapped_address duration time

%PIX-6-305011: Built {dynamic|static} {TCP|UDP|ICMP} translation from interface_name [(<acl-name>)]:real_address/real_port to interface_name:mapped_address/mapped_port

%PIX-6-305012: Teardown {dynamic|static} {TCP|UDP|ICMP} translation from interface_name [(<acl-name>)]:real_address/{real_port|real_ICMP_ID} to interface_name:mapped_address/{mapped_port|mapped_ICMP_ID} duration time

Logging Command Overview

Table 1-2 lists the PIX Firewall logging commands that you can use to configure and manage logging. See the Cisco PIX Firewall Command Reference for detailed descriptions and additional logging commands. To use the logging command, access the configuration mode on the PIX Firewall by entering the configure terminal command.

Many of the logging commands require that you specify a severity level threshold to indicate which syslog messages can be sent to the output locations. The lower the level number, the more severe the error. The default severity level is 3. Specify the severity level as either a number or a keyword as described in Table 1-3. The level you specify causes PIX Firewall to send messages of that level or lower to the output location; for example, if you specify severity level 3, PIX Firewall sends severity level 1, 2, and 3 messages to the output location.

PIX Firewall has a fixed number of blocks in memory that can be allocated for buffering syslog messages. The number of blocks required depends on the length of the message queue and the number of syslog hosts specified. If the available memory is exceeded, the following message appears:

Warning: failed to register nnn blocks for logging

Where nnn is the number of 256-byte blocks that could not be allocated. To resolve this problem, reduce the number of buffered messages using the logging queue command or reduce the number of syslog hosts specified.

Some commands support the format emblem option. EMBLEM syslog format is designed to be consistent with the Cisco IOS format and is more compatible with CiscoWorks management applications.
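The following Python script is an added example, not part of the Cisco guide: it parses PIX 6.3 syslog lines into severity and message number, applies the severity threshold rule described above (a configured level N forwards levels 1 through N), and flags message numbers that Table 1-1 marks as deleted in Version 6.3.1 together with the replacement number a 6.3.x firewall emits instead, which is useful when migrating detection rules across a mixed fleet. The sample lines are constructed for this example; the text before the %PIX- tag (timestamp, device-id) is treated as an opaque prefix because its exact layout is not shown on this page.

```python
"""Parse Cisco PIX 6.3 syslog lines, apply the 'logging trap' severity
threshold, and flag message IDs that Table 1-1 lists as deleted in 6.3.1.
Added example; sample lines below are constructed, not captured."""
import re
from dataclasses import dataclass
from typing import Optional

# Severity names as used in Appendix A of the guide: lower number = more severe.
SEVERITY_NAMES = {1: "Alert", 2: "Critical", 3: "Error", 4: "Warning",
                  5: "Notification", 6: "Informational", 7: "Debugging"}

# Table 1-1: message deleted in 6.3.1 -> message number that replaced it.
# 605003 is listed as deleted but the table gives no replacement, so it is omitted.
DELETED_IN_6_3_1 = {
    "111006": "605005", "307001": "710003", "307002": "605005",
    "307003": "605004", "307004": "710004", "309001": "710003",
    "309004": "710004", "315001": "710003", "315002": "605005",
    "315003": "605004", "315005": "710004", "605001": "710003",
    "605002": "710004",
}

# %PIX-<severity>-<message_number>: <text>; anything before the tag (syslog
# priority, timestamp, device-id) is kept as an opaque prefix.
_PIX_RE = re.compile(r"%PIX-(?P<sev>[1-7])-(?P<msg>\d{6}):\s*(?P<text>.*)$")


@dataclass
class PixMessage:
    prefix: str
    severity: int
    msg_id: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_pix_message(line: str) -> Optional[PixMessage]:
    """Return a PixMessage, or None for lines that are not PIX syslog messages
    (for example the console-only 'Warning: failed to register ...' text)."""
    m = _PIX_RE.search(line)
    if m is None:
        return None
    return PixMessage(prefix=line[: m.start()].strip(),
                      severity=int(m.group("sev")),
                      msg_id=m.group("msg"),
                      text=m.group("text").strip())


def passes_threshold(msg: PixMessage, configured_level: int) -> bool:
    """'logging trap 3' forwards levels 1, 2 and 3: a message is sent when its
    severity number is less than or equal to the configured level."""
    if not 1 <= configured_level <= 7:
        raise ValueError("severity level must be 1..7")
    return msg.severity <= configured_level


def replacement_for(msg_id: str) -> Optional[str]:
    """If msg_id was deleted in 6.3.1, return the ID a 6.3.x PIX emits instead."""
    return DELETED_IN_6_3_1.get(msg_id)


def triage(lines, configured_level: int) -> dict:
    """Summarise a batch of lines: how many a syslog server at the given
    threshold would receive, how many are not syslog messages at all, and
    which (old_id, new_id) pairs show that a rule still keys on a deleted ID."""
    forwarded, dropped, unparsed, stale = 0, 0, 0, []
    for line in lines:
        msg = parse_pix_message(line)
        if msg is None:
            unparsed += 1
            continue
        if passes_threshold(msg, configured_level):
            forwarded += 1
        else:
            dropped += 1
        new_id = replacement_for(msg.msg_id)
        if new_id is not None:
            stale.append((msg.msg_id, new_id))
    return {"forwarded": forwarded, "dropped": dropped,
            "unparsed": unparsed, "stale_ids": stale}


# Constructed sample input (not captured from a real device). The fifth line is
# in the pre-6.3.1 form that a not-yet-upgraded unit in the same fleet would send.
SAMPLE_LINES = [
    '%PIX-6-605005: Login permitted from 192.0.2.10/51514 to inside:10.0.0.1/ssh for user "admin"',
    "%PIX-3-710003: TCP access denied by ACL from 198.51.100.7/40022 to outside:203.0.113.1/ssh",
    "%PIX-4-710004: TCP connection limit exceeded from 198.51.100.7/40023 to outside:203.0.113.1/ssh",
    "%PIX-1-106101: The number of ACL log deny-flows has reached limit (256).",
    "Dec 01 2003 10:15:22: %PIX-6-315002: Permitted SSH session from 192.0.2.10 on interface inside for user admin",
    "Warning: failed to register 12 blocks for logging",
]

if __name__ == "__main__":
    for level in (3, 6):
        print(f"logging trap {level}:", triage(SAMPLE_LINES, level))
```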


Table 1-2 PIX Firewall Logging Commands

Type / Command / Description

Enabling Logging

logging on
Enables transmission of syslog messages to all output locations. You can disable sending syslog messages with the no logging on command. You must also set a logging output location to see any logs.

show logging
Lists the current syslog messages and which logging command options are enabled.

Setting the Message Level or Disabling Messages

logging message message_number level severity_level
Sets the severity level of a specific syslog message. Use the no logging message message_number level severity_level command to use the default level.

no logging message message_number
Disables specific syslog messages. Use the logging message message_number command to resume logging of specific disabled messages.


Specifying and Managing Output Locations

logging buffered severity_level
Stores syslog messages in the PIX Firewall so you can view them with the show logging command.

clear logging
Clears the message buffer created with the logging buffered command.

logging console severity_level
Enables syslog messages to display on the PIX Firewall console as they occur. Set the severity_level from 1 to 7. You can also enter the level name. See Table 1-3 for more information. Use this command when you are debugging problems or when there is minimal load on the network. Do not use this command when the network is busy, as it can reduce PIX Firewall performance.

logging monitor severity_level
Enables syslog messages to display as they occur when accessing the PIX Firewall console with Telnet. Set the severity_level from 1 to 7. You can also enter the level name. See Table 1-3 for more information. You must also enter the terminal monitor command to enable logging for each Telnet session.

logging trap severity_level
Enables syslog messages to be sent to a syslog server (see the logging host command to identify the server). Set the severity_level from 1 to 7. You can also enter the level name. See Table 1-3 for more information.

logging host [interface_name] ip_address [tcp[/port] | udp[/port]] [format emblem]
Specifies a host that receives the syslog messages (a syslog server). The PIX Firewall can send messages across UDP or TCP. The default protocol and port are UDP/514. The default TCP port (if specified) is 1468. The format emblem option enables EMBLEM formatting (UDP only).

logging facility number
Sets the logging facility for a syslog server. The default is 20.

logging history severity_level
Enables syslog messages for SNMP. Set the severity_level from 1 to 7. You can also enter the level name. See Table 1-3 for more information.

Logging Options

logging device-id {hostname | ipaddress if_name | string text}
If enabled, the PIX Firewall displays the device ID in all syslog messages sent to a syslog server. The device ID does not appear in EMBLEM-formatted messages, SNMP traps, or on the firewall console, management session, or buffer. If you use the ipaddress option, the device ID becomes the specified PIX Firewall interface IP address, regardless of the interface from which the message is sent. This option provides a single consistent device ID for all messages sent from the device.

logging queue msg_count
Specifies the number of syslog messages that can appear in the

message queue while awaiting processing. The default is 512 messages; set to 0 (zero) to specify unlimited messages. Use the show logging queue command to view queue statistics. Table 1-2 PIX Firewall Logging Commands (continued)


Enabling Logging

To enable logging, follow these steps. These steps enable logging; however, you must also set an output location to view the log messages. See the “Setting the Syslog Output Location” section on page 1-10 for more information.

Step 1 To enable logging, enter:

logging on

By default, the logging level is set to 3 (error).

Step 2 To change the logging level, enter:

logging trap severity_level (1-7)

Step 3 To view your logging settings, enter:

show logging

Testing the Logging Output

To test the logging output, follow these steps:

Step 1 To initiate a log message to be sent to the console, enter:

logging console 7
quit

This test generates the following syslog message:

111005: nobody End configuration: OK

This message states that you exited configuration mode. “111005” is the message identifier number (see Chapter 2, “System Log Messages,” for more information about this message). The term “nobody” indicates you are accessing the PIX Firewall console from the serial console port.

Step 2 To disable logging to the console, enter:

no logging console 7
quit


Setting the Syslog Output Location

This section includes the following topics:

Sending Syslog Messages to the Buffer, page 1-10
Sending Syslog Messages to a Telnet Console Session, page 1-11
Sending Syslog Messages to a Syslog Server, page 1-12
Sending Syslog Messages to an SNMP Management Station, page 1-13

You can configure the PIX Firewall system software to send syslog messages to the output location of your choice. The PIX Firewall provides several output locations for sending syslog messages:

The console
We recommend sending syslog messages directly to the console only during testing. See the “Testing the Logging Output” section.

The buffer

A Telnet connection

A host running a syslog server

An SNMP management station

Note You can also view syslog messages using the Monitoring tab within the Cisco PIX Device Manager (PDM). Refer to the PDM online Help for additional information.

Sending Syslog Messages to the Buffer

Follow these steps to send syslog messages to the logging buffer, and then view the buffer on the PIX Firewall console:

Step 1 To store messages for display, enter the following command:

logging buffered severity_level (1-7)

Step 2 To view the messages on the console, enter the following command:

show logging

Step 3 To clear the buffer so that viewing new messages is easier, enter:

clear logging

Step 4 To disable message logging, enter:

no logging buffered


Sending Syslog Messages to a Telnet Console Session

Follow these steps to view syslog messages in a Telnet console session:

Step 1 If you have not done so already, configure the PIX Firewall to let a host on the inside interface access the PIX Firewall.

a. Enter:

telnet ip_address [subnet_mask] [if_name]

For example, if a host has the IP address 192.168.1.2, the command is:

telnet 192.168.1.2 255.255.255.255

b. You should also set the duration that a Telnet session can be idle before PIX Firewall disconnects the session to a value greater than the default of 5 minutes. A good value is at least 15 minutes, which you can set as follows:

telnet timeout 15

Step 2 Start Telnet on your host and specify the inside interface of the PIX Firewall. When Telnet connects, the PIX Firewall prompts you with PIX passwd:.

Step 3 Enter the Telnet password, which is cisco by default.

Step 4 To enable configuration mode, enter:

enable

(Enter your password at the prompt)

configure terminal

Step 5 To start message logging, enter:

logging monitor severity_level (1-7)

Step 6 To send logs to this Telnet session, enter:

terminal monitor

This command enables logging only for the current Telnet session. The logging monitor command sets the logging preferences for all Telnet sessions, while the terminal monitor (and terminal no monitor) commands control logging for each individual Telnet session.

Step 7 Trigger some events by pinging a host or starting a web browser. The syslog messages then appear in the Telnet session window.

Step 8 When done, disable this feature with the following commands:


Sending Syslog Messages to a Syslog Server

If you send messages to a host, they are sent using either UDP or TCP. The host must run a program (known as a server) called syslogd. UNIX provides a syslog server as part of its operating system. For Windows 95 or Windows 98, obtain a syslog server from another vendor.

See the Cisco PIX Firewall and VPN Configuration Guide for the procedure to configure syslogd. On the logging server, you can specify actions to execute when certain types of messages are logged; for example, sending email, saving records to a log file, or displaying messages on a workstation. Follow these steps to configure the firewall to send messages to a syslog server:

Step 1 To designate a host to receive the messages, enter:

logging host [interface] ip_address [tcp[/port] | udp[/port]] [format emblem]

For example:

logging host dmz1 192.168.1.5

You can enter this command multiple times to specify additional servers so that if one goes offline, another is available to receive messages.

Step 2 To set the logging level, enter:

logging trap severity_level (1-7)

We recommend that you use the debugging (7) level during initial setup and during testing. Thereafter, set the level from debugging to errors (3) for production use.

Step 3 If you want to include the device ID in each message, enter:

logging device-id {hostname | ipaddress if_name | string text}

The message includes the specified device ID (either the hostname, the IP address of the specified interface (even if the message comes from another interface), or a string) in messages sent to a syslog server. The device ID does not appear in EMBLEM-formatted messages, SNMP traps, or on the firewall console, management session, or buffer.

Step 4 If needed, set the logging facility to a value other than its default of 20. Most UNIX systems expect the messages to arrive at facility 20:

logging facility number


Sending Syslog Messages to an SNMP Management Station

To receive Syslog messages on an SNMP management station, complete the following procedures:

Receiving SNMP Requests, page 1-13
Sending SNMP Traps, page 1-13

Receiving SNMP Requests

Follow these steps for the PIX Firewall to receive requests from an SNMP management station:

Step 1 To set the IP address of the SNMP management station, enter:

snmp-server host [if_name] ip_addr

Step 2 Set other snmp server settings as required:

snmp-server location text
snmp-server contact text
snmp-server community key

See the Cisco PIX Firewall Command Reference for more information.

Sending SNMP Traps

Follow these steps to send log messages as traps from the PIX Firewall to an SNMP management station (cold start, link up, and link down generic traps are already enabled by the “Receiving SNMP Requests” procedure):

Step 1 Enter:

snmp-server enable traps

Step 2 To set the logging level, enter:

logging history severity_level (1-7)

We recommend that you use the debugging (7) level during initial setup and during testing. Thereafter, set the level from debugging to a lower value for production use.

Step 3 To disable sending syslog traps, enter:


Disabling and Enabling Specific Syslog Messages

The following sections describe how to disable, reenable, or view disabled syslog messages:

Disabling Specific Syslog Messages, page 1-14
Viewing a List of Disabled Syslog Messages, page 1-14
Reenabling Specific Disabled Syslog Messages, page 1-14
Reenabling All Disabled Syslog Messages, page 1-14

Disabling Specific Syslog Messages

Enter the following command to disable specific syslog messages:

no logging message message_number

where message_number is the specific message you want to disable.

Note The following message cannot be disabled:

%PIX-6-199002: PIX startup completed. Beginning operation.

Viewing a List of Disabled Syslog Messages

To view a list of disabled syslog messages, enter the following command:

show logging disabled

Reenabling Specific Disabled Syslog Messages

To reenable disabled syslog messages, enter the following command:

logging message message_number

where message_number is the specific message you want to reenable.

Reenabling All Disabled Syslog Messages

To reenable all disabled syslog messages, enter the following command:


Understanding Log Messages

This section includes the following topics:

Log Message Format, page 1-15
Severity Levels, page 1-16
Variables, page 1-16

Log Message Format

System log messages begin with a percent sign (%) and are structured as follows:

%PIX-Level-Message_number: Message_text

See the following descriptions:

Note Syslog messages received at the PIX Firewall serial console contain only the code portion of the message. When you view the message description in Chapter 2, “System Log Messages,” the description also provides the severity level.

PIX Identifies the message facility code for messages generated by the PIX Firewall. This value is always PIX.

Level 1-7. The level reflects the severity of the condition described by the message. The lower the number, the more severe the condition. See Table 1-3 for more information.

Message_number A unique 6-digit number that identifies the message.

Message_text A text string describing the condition. This portion of the message sometimes


Severity Levels

Table 1-3 lists the severity levels. Logging is set to level 3 (error) by default.

Note Syslog does not generate level 0 emergency messages. This level is provided in the logging command for compatibility with the UNIX syslog feature, but is not used by PIX Firewall.

Appendix A, “Messages Listed by Severity Level” lists which messages occur at each severity level.
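To show how the %PIX-Level-Message_number: Message_text layout and the Table 1-3 severity keywords look from the receiving side, the following Python is an added example and not Cisco's code. It assumes that a message delivered over UDP/514 may carry a syslog <PRI> prefix (facility * 8 + severity, facility 20 by default), that anything else before %PIX- (device ID, timestamp) can be treated as an opaque prefix, and that levels 5-7 use the standard PIX keywords, which the table as reproduced here does not reach.

```python
"""Parse Cisco PIX 6.3 syslog lines and select them by severity threshold.

Added example, not code from the Cisco guide. Assumptions: a message received
over UDP/514 may carry a syslog <PRI> (facility * 8 + severity, facility 20 by
default); anything else before "%PIX-" (device ID, timestamp) is opaque.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Keywords 0-4 are from Table 1-3. Levels 5-7 use the standard PIX keywords;
# the table as reproduced here stops at level 4.
SEVERITY_KEYWORD = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}

DEFAULT_FACILITY = 20    # "logging facility" default (local4 on UNIX syslogd)
DEFAULT_TRAP_LEVEL = 3   # "logging trap" default: level 3 (error)

# Wire form: optional <PRI>, optional opaque prefix, then %PIX-Level-Message_number: Message_text
_WIRE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<prefix>.*?)"
    r"%PIX-(?P<level>[0-7])-(?P<msgnum>\d{6}):\s*(?P<text>.*)$"
)
# Serial-console form: only the code portion, e.g. "111005: nobody End configuration: OK"
_CONSOLE_RE = re.compile(r"^(?P<msgnum>\d{6}):\s*(?P<text>.*)$")


@dataclass
class PixMessage:
    msgnum: str
    text: str
    level: Optional[int]   # None for the console form, which carries no level
    pri: Optional[int]     # syslog PRI when present on the wire
    prefix: str = ""

    @property
    def keyword(self) -> Optional[str]:
        return None if self.level is None else SEVERITY_KEYWORD[self.level]


def syslog_pri(level: int, facility: int = DEFAULT_FACILITY) -> int:
    """PRI = facility * 8 + severity; with facility 20 a level-3 message is <163>."""
    return facility * 8 + level


def split_pri(pri: int) -> Tuple[int, int]:
    """Inverse of syslog_pri: returns (facility, severity)."""
    return divmod(pri, 8)


def parse_pix_syslog(line: str) -> Optional[PixMessage]:
    """Parse one line in either the wire form or the console form; None if neither."""
    line = line.strip()
    m = _WIRE_RE.match(line)
    if m:
        pri = int(m.group("pri")) if m.group("pri") else None
        return PixMessage(m.group("msgnum"), m.group("text"),
                          int(m.group("level")), pri, m.group("prefix").strip())
    m = _CONSOLE_RE.match(line)
    if m:
        return PixMessage(m.group("msgnum"), m.group("text"), None, None)
    return None


def pri_matches_header(msg: PixMessage) -> bool:
    """True when the PRI severity agrees with the %PIX-Level field (or no PRI is present)."""
    if msg.pri is None or msg.level is None:
        return True
    return split_pri(msg.pri)[1] == msg.level


def select_at_or_above(msgs: Iterable[PixMessage],
                       threshold: int = DEFAULT_TRAP_LEVEL) -> List[PixMessage]:
    """Mimic 'logging trap <threshold>': keep messages at that level or more severe.

    Console-form messages carry no level, so they cannot be compared and are skipped.
    """
    return [m for m in msgs if m.level is not None and m.level <= threshold]


# Constructed sample input; message numbers and texts are taken from this guide.
SAMPLE_LINES = [
    "<161>%PIX-1-101002: (Primary) Bad failover cable.",
    "<163>%PIX-3-105010: (Primary) Failover message block alloc failed",
    "<166>%PIX-6-199002: PIX startup completed. Beginning operation.",
    "111005: nobody End configuration: OK",
    "not a PIX message",
]


def parse_sample(lines: Iterable[str] = SAMPLE_LINES) -> List[PixMessage]:
    """Parse the sample, dropping lines that match neither form."""
    return [m for m in (parse_pix_syslog(ln) for ln in lines) if m is not None]


if __name__ == "__main__":
    for msg in select_at_or_above(parse_sample()):
        print(msg.msgnum, msg.keyword, msg.text)
```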

Table 1-3 Log Message Severity Levels

Level Number  Level Keyword  Description
0             emergency      System unusable.
1             alert          Immediate action needed.
2             critical       Critical condition.
3             error          Error condition.
4             warning        Warning condition.

Variables

Log messages often contain variables. Table 1-4 lists most variables that are used in this guide to describe log messages. Some variables that appear in only one log message are not listed.


Table 1-4 Variable Fields in Syslog Messages

Type: Misc.

acl_ID: An ACL name.

command: A command name.

command_modifier: The command_modifier is one of the following strings:
  cmd (this string means the command has no modifier)
  clear
  no
  show

connection_type: The connection type:
  SIGNALLING UDP
  SIGNALLING TCP
  SUBSCRIBE UDP
  SUBSCRIBE TCP
  Via UDP
  Route
  RTP
  RTCP

device: The memory storage device. For example, the floppy disk, Flash memory, TFTP, the failover standby unit, or the console terminal.

filename: A filename of the type PIX Firewall image, PDM file, or configuration.

privilege_level: The user privilege level.

reason: A text string describing the reason for the message.

string: Text string (for example, a username).

tcp_flags: Flags in the TCP header such as:

Type: Numbers

number: A number. The exact form depends on the log message.

bytes: The number of bytes.

code: A decimal number returned by the message to indicate the cause or source of the error, depending on the message.

connections: The number of connections.

elimit: Number of embryonic connections specified in the static or nat command.

econns: Number of embryonic connections.

nconns: Number of connections permitted for the static or xlate table.

time: Duration, in the format hh:mm:ss.

dec: Decimal number.

hex: Hexadecimal number.

octal: Octal number.

Type: Addresses

IP_address: IP address in the form n.n.n.n, where n is an integer from 1 to 255.

MAC_address: The MAC address.

outside_address: Outside (or foreign) IP address, an address of a host typically on a lower security level interface in a network beyond the outside router.

inside_address: Inside (or local) IP address, an address on a higher security level interface.

global_address: Global IP address, an address on a lower security level interface.

source_address: The source address of a packet.

dest_address: The destination address of a packet.

real_address: The real IP address, before Network Address Translation (NAT).

mapped_address: The translated IP address.

gateway_address: The network gateway IP address.

netmask: The subnet mask.

Type: Interfaces

interface_number: The interface number, 1 to n, where the number is determined by the order the interfaces load in the PIX Firewall. For example, see the sample show nameif command output:

show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif token0 outside security20
nameif ethernet2 inside security30

In this example, ethernet0 would appear in a syslog message as interface 0, ethernet1 would be interface 1, token0 would be interface 2, and ethernet2 would be interface 3.

interface_name: The name assigned to the interface. Use the show nameif command to view the interfaces and their names.
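Because interface_number is only meaningful relative to the show nameif order, an analyst reading messages such as 103002 and 103003 has to map it back to a name. The following Python is an added example, not Cisco's code; it assumes the "nameif <hardware> <name> security<N>" line layout shown above and the "network interface N" phrasing of those two messages, and uses the table's own sample output as constructed input.

```python
"""Label interface_number in PIX syslog text using show nameif order.

Added example, not code from the Cisco guide. It assumes the rule stated in
Table 1-4 (interfaces are numbered in the order show nameif lists them,
starting at 0) and the "nameif <hardware> <name> security<N>" line layout.
"""
import re
from typing import List, NamedTuple


class Interface(NamedTuple):
    hardware: str   # e.g. ethernet0
    name: str       # e.g. outside
    security: int   # e.g. 0


_NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)\s+(\S+)\s+security(\d+)\s*$")
# Phrase used by messages 103002/103003; the interface_number follows it.
_IFNUM_RE = re.compile(r"\bnetwork interface (\d+)\b")


def parse_nameif(output: str) -> List[Interface]:
    """Return interfaces in listing order; the list index is the interface_number."""
    interfaces: List[Interface] = []
    for line in output.splitlines():
        m = _NAMEIF_RE.match(line)
        if m:
            interfaces.append(Interface(m.group(1), m.group(2), int(m.group(3))))
    return interfaces


def annotate_interface_number(text: str, interfaces: List[Interface]) -> str:
    """Append 'hardware/name' after each interface_number; unknown numbers are flagged."""
    def repl(m: "re.Match[str]") -> str:
        n = int(m.group(1))
        if n < len(interfaces):
            iface = interfaces[n]
            return f"{m.group(0)} ({iface.hardware}/{iface.name})"
        return f"{m.group(0)} (unknown interface)"
    return _IFNUM_RE.sub(repl, text)


# Constructed sample: the show nameif output from Table 1-4 (the command echo
# on the first line does not match the nameif pattern and is skipped).
SAMPLE_NAMEIF = """\
show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif token0 outside security20
nameif ethernet2 inside security30
"""

if __name__ == "__main__":
    ifs = parse_nameif(SAMPLE_NAMEIF)
    print(annotate_interface_number(
        "%PIX-1-103003: (Primary) Other firewall network interface 2 failed.", ifs))
```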


Other Remote Management and Monitoring Tools

In addition to the system log function, you can remotely monitor the PIX Firewall using other tools, which are described in the following topics:

Cisco PIX Device Manager, page 1-19 Cisco Secure Policy Manager, page 1-19 SNMP Traps, page 1-20

Telnet, page 1-20

Cisco PIX Device Manager

The Cisco PIX Device Manager (PDM) is a browser-based configuration tool designed to help you set up, configure, and monitor your PIX Firewall graphically, without requiring an extensive knowledge of the PIX Firewall command-line interface (CLI). PDM ships with every PIX Firewall running software Version 6.0(1) and higher. Refer to the Cisco PIX Device Manager Installation Guide for more information.

Cisco Secure Policy Manager

Cisco Secure Policy Manager (CSPM) is a security policy management system that enables you to define, distribute, enforce, and audit network-wide security policies from a central location. CSPM streamlines the tasks of managing complicated network security events, such as perimeter access control, Network Address Translation (NAT), IDS, and IPSec-based VPNs. CSPM provides system-auditing functions, including monitoring, event notification, and web-based reporting. CSPM can receive syslog messages from the PIX Firewall and provide notifications including email, paging, and scripting for designated syslogs. CSPM also provides reports of PIX Firewall syslogs, including the top ten users and top ten websites. These reports can be provided both on-demand and by schedule. Reports can be emailed or viewed remotely from an SSL-enabled web browser.

Table 1-4 Variable Fields in Syslog Messages (continued)

Type: Ports, Services, and Protocols

port: The TCP or UDP port number.

outside_port: The outside port number.

inside_port: The inside port number.

source_port: The source port number.

dest_port: The destination port number.

real_port: The real port number, before NAT.

mapped_port: The translated port number.

global_port: The global port number.

protocol: The protocol of the packet, for example, ICMP, TCP, or UDP.

service: The service specified by the packet, for example, SNMP or Telnet.


Refer to the following websites for more information:

http://www.cisco.com/go/policymanager
http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/index.htm

SNMP Traps

The PIX Firewall events can be reported using SNMP. This feature requires loading the Cisco SYSLOG MIB and the Cisco SMI MIB onto the SNMP management station.

Telnet

Chapter 2 System Log Messages

This chapter lists the Cisco PIX Firewall system log messages. The messages are listed numerically by message code.

Note The messages shown in this guide apply to Cisco PIX Firewall Version 6.3 and higher. When a number is skipped from a sequence, the message is no longer in the PIX Firewall code.

This chapter includes the following sections:

Messages 101001 to 199005, page 2-1
Messages 201002 to 215001, page 2-25
Messages 302003 to 320001, page 2-35
Messages 400000 to 409013, page 2-52
Messages 410001 to 410001, page 2-68
Messages 411001 to 411002, page 2-69
Messages 602101 to 620002, page 2-72
Messages 701001 to 710006, page 2-89

Messages 101001 to 199005

This section contains messages from 101001 to 199005.

101001

Error Message %PIX-1-101001: (Primary) Failover cable OK.


101002

Error Message %PIX-1-101002: (Primary) Bad failover cable.

Explanation This is a failover message. This message reports that the failover cable is present but not functioning correctly. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.

Recommended Action Replace the failover cable.

101003, 101004

Error Message %PIX-1-101003: (Primary) Failover cable not connected (this unit).
Error Message %PIX-1-101004: (Primary) Failover cable not connected (other unit).

Explanation Both instances are failover messages. These messages are logged when failover mode is enabled, but the failover cable is not connected to one unit of the failover pair. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.

Recommended Action Connect the failover cable to both units of the failover pair.

101005

Error Message %PIX-1-101005: (Primary) Error reading failover cable status.

Explanation This is a failover message. This message is logged if the failover cable is connected, but the primary unit is unable to determine its status.

Recommended Action Replace the cable.

102001


103001

Error Message %PIX-1-103001: (Primary) No response from other firewall (reason code = code).

Explanation This is a failover message. This message is logged if the primary unit is unable to communicate with the secondary unit over the failover cable. “(Primary)” can also be listed as “(Secondary)” for the secondary unit. Table 2-1 lists the Reason Codes and the descriptions to determine why the failover occurred.

Recommended Action Verify the failover cable is connected properly and both units have the same hardware, software, and configuration; otherwise contact Cisco TAC.

103002

Error Message %PIX-1-103002: (Primary) Other firewall network interface interface_number OK.

Explanation This is a failover message. This message is logged when the primary unit detects that the network interface on the secondary unit is okay. “(Primary)” can also be listed as “(Secondary)” for the secondary unit. Refer to Table 1-4 in Chapter 1, “Introduction,” for possible values for the

interface_number variable.

Recommended Action None required.

103003

Error Message %PIX-1-103003: (Primary) Other firewall network interface interface_number failed.

Explanation This is a failover message. This message is logged if the primary unit detects a bad network interface on the secondary unit. “(Primary)” can also be listed as “(Secondary)” for the secondary unit. Refer to Table 1-4 on page 1-17 for possible values for the interface_number variable.

Recommended Action Check the network connections on the secondary unit. Also, check the network hub connection. If necessary, replace the failed network interface.

Table 2-1 Reason Codes

Reason Code  Description
1            No failover hello seen on Serial cable for 30 + seconds. This ensures that failover is running properly on the other firewall unit.
2            An interface did not pass one of the 4 failover tests. The 4 tests are: 1) Link Up, 2) Monitor for Network Traffic, 3) ARP test, 4) Broadcast Ping test.


103004

Error Message %PIX-1-103004: (Primary) Other firewall reports this firewall failed.

Explanation This is a failover message. This message is logged if the primary unit receives a message from the secondary unit indicating that the primary has failed. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.

Recommended Action Verify the status of the primary unit.

103005

Error Message %PIX-1-103005: (Primary) Other firewall reporting failure.

Explanation This is a failover message. This message is logged if the secondary unit reports a failure to the primary unit. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.

Recommended Action Verify the status of the secondary unit.

104001, 104002

Error Message %PIX-1-104001: (Primary) Switching to ACTIVE (cause: string).
Error Message %PIX-1-104002: (Primary) Switching to STNDBY (cause: string).

Explanation Both instances are failover messages. These messages usually are logged when you force the pair to switch roles, either by entering the failover active command on the secondary unit, or the no failover active command on the primary unit. “(Primary)” can also be listed as “(Secondary)” for the secondary unit. Possible values for the string variable are as follows:

state check
bad/incompleted config
ifc [interface] check, mate is healthier
the otherside want me standby
in failed state, cannot be active
switch to failed state


104003

Error Message %PIX-1-104003: (Primary) Switching to FAILED.

Explanation This is a failover message. This message is logged when the primary unit fails. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.

Recommended Action Check the system log messages for the primary unit for an indication of the nature of the problem (see message 104001).

104004

Error Message %PIX-1-104004: (Primary) Switching to OK.

Explanation This is a failover message. This message is logged when a previously failed unit now reports that it is operating again. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.

Recommended Action None required.

105001

Error Message %PIX-1-105001: (Primary) Disabling failover.

Explanation This is a failover message. This message is logged when you enter the no failover command on the console. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.

Recommended Action None required.

105002

Error Message %PIX-1-105002: (Primary) Enabling failover.

Explanation This is a failover message. This message is logged when you enter the failover command with no arguments on the console, after having previously disabled failover. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.


105003

Error Message %PIX-1-105003: (Primary) Monitoring on interface interface_name waiting

Explanation This is a failover message. The firewall is testing the specified network interface with the other unit of the failover pair. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.

Recommended Action None required. The firewall monitors its network interfaces frequently during normal operations.

105004

Error Message %PIX-1-105004: (Primary) Monitoring on interface interface_name normal

Explanation This is a failover message. The test of the specified network interface was successful. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.

Recommended Action None required.

105005

Error Message %PIX-1-105005: (Primary) Lost Failover communications with mate on interface interface_name.

Explanation This is a failover message. This message is logged if this unit of the failover pair can no longer communicate with the other unit of the pair. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.

Recommended Action Verify that the network connected to the specified interface is functioning correctly.

105006, 105007

Error Message %PIX-1-105006: (Primary) Link status ‘Up’ on interface interface_name.
Error Message %PIX-1-105007: (Primary) Link status ‘Down’ on interface interface_name.

Explanation Both instances are failover messages. These messages report the results of monitoring the link status of the specified interface. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.


105008

Error Message %PIX-1-105008: (Primary) Testing interface interface_name.

Explanation This is a failover message. This message is logged when the firewall tests a specified network interface. This testing is performed only if the firewall fails to receive a message from the standby unit on that interface after the expected interval. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.

Recommended Action None required.

105009

Error Message %PIX-1-105009: (Primary) Testing on interface interface_name {Passed|Failed}.

Explanation This is a failover message. This message reports the result (either “Passed” or “Failed”) of a previous interface test. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.

Recommended Action None required if the result is “Passed.” If the result is “Failed,” you should check the network cable connection to both failover units, that the network itself is functioning correctly, and verify the status of the standby unit.

105010

Error Message %PIX-3-105010: (Primary) Failover message block alloc failed

Explanation Block memory was depleted. This is a transient message and the firewall should recover. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.

Recommended Action Use the show blocks command to monitor the current block memory.

105011

Error Message %PIX-1-105011: (Primary) Failover cable communication failure

Explanation The failover cable is not permitting communication between the primary and secondary units. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.


105020

Error Message %PIX-1-105020: (Primary) Incomplete/slow config replication

Explanation When a failover occurs, the active PIX Firewall detects a partial configuration in memory. Normally, this is caused by an interruption in the replication service. “(Primary)” can also be listed as “(Secondary)” for the secondary unit.

Recommended Action Once the failover is detected by the PIX Firewall, the PIX Firewall automatically reloads itself and loads configuration from Flash memory and/or resyncs with another PIX Firewall. If failovers happen continuously, check the failover configuration and make sure both PIX Firewall units can communicate with each other.

105031

Error Message %PIX-1-105031: Failover LAN interface is up

Explanation LAN failover interface link is up.

Recommended Action None required.

105032

Error Message %PIX-1-105032: LAN Failover interface is down

Explanation LAN failover interface link is down.

Recommended Action Check the connectivity of the LAN failover interface. Make sure the speed/duplex setting is correct.

105034

Error Message %PIX-1-105034: Receive a LAN_FAILOVER_UP message from peer.

Explanation The peer has just booted and sent the initial contact message.
