Messages 101001 to 109213
This section includes messages from 101001 to 109213.
101001
Error Message
%ASA-1-101001: (Primary) Failover cable OK.
Explanation The failover cable is present and functioning correctly. Primary can also be listed as Secondary for the secondary unit.
Recommended Action None required.
101002
Error Message
%ASA-1-101002: (Primary) Bad failover cable.
Explanation The failover cable is present, but not functioning correctly. Primary can also be listed as Secondary for the secondary unit.
Recommended Action Replace the failover cable.
101003, 101004
Error Message
%ASA-1-101003: (Primary) Failover cable not connected (this unit).
Error Message
%ASA-1-101004: (Primary) Failover cable not connected (other unit).
Explanation Failover mode is enabled, but the failover cable is not connected to one unit of the failover pair. Primary can also be listed as Secondary for the secondary unit.
Recommended Action Connect the failover cable to both units of the failover pair.
101005
Error Message
%ASA-1-101005: (Primary) Error reading failover cable status.
Explanation The failover cable is connected, but the primary unit is unable to determine its status.
Recommended Action Replace the cable.
103001
Error Message
%ASA-1-103001: (Primary) No response from other firewall (reason code = code).
Explanation The primary unit is unable to communicate with the secondary unit over the failover cable. Primary can also be listed as Secondary for the secondary unit. The following table lists the reason codes and the descriptions to determine why the failover occurred.
Reason Code | Description
---|---
1 | The local unit is not receiving the hello packet on the failover LAN interface when LAN failover occurs or on the serial failover cable when serial failover occurs, and declares that the peer is down.
2 | An interface did not pass one of the four failover tests, which are as follows: 1) Link Up, 2) Monitor for Network Traffic, 3) ARP, and 4) Broadcast Ping.
3 | No proper ACK for 15+ seconds after a command was sent on the serial cable.
4 | The failover LAN interface is down, and other data interfaces are not responding to additional interface testing. In addition, the local unit is declaring that the peer is down.
5 | The standby peer went down during the configuration synchronization process.
6 | Replication is not complete; the failover unit is not synchronized.
Recommended Action Verify that the failover cable is connected correctly and both units have the same hardware, software, and configuration. If the problem persists, contact the Cisco TAC.
103002
Error Message
%ASA-1-103002: (Primary) Other firewall network interface interface_number OK.
Explanation The primary unit has detected that the network interface on the secondary unit is okay. Primary can also be listed as Secondary for the secondary unit.
Recommended Action None required.
103003
Error Message
%ASA-1-103003: (Primary) Other firewall network interface interface_number failed.
Explanation The primary unit has detected a bad network interface on the secondary unit. Primary can also be listed as Secondary for the secondary unit.
Recommended Action Check the network connections on the secondary unit and the network hub connection. If necessary, replace the failed network interface.
103004
Error Message
%ASA-1-103004: (Primary) Other firewall reports this firewall failed. Reason: reason-string
Explanation The primary unit received a message from the secondary unit indicating that the primary unit has failed. Primary can also be listed as Secondary for the secondary unit. The reason can be one of the following:
- Missed poll packets on failover command interface exceeded threshold.
- LAN failover interface failed.
- Peer failed to enter Standby Ready state.
- Failed to complete configuration replication. This firewall's configuration may be out of sync.
- Failover message transmit failure and no ACK for busy condition received.
Recommended Action Verify the status of the primary unit.
103005
Error Message
%ASA-1-103005: (Primary) Other firewall reporting failure. Reason: SSM card failure
Explanation The secondary unit has reported an SSM card failure to the primary unit. Primary can also be listed as Secondary for the secondary unit.
Recommended Action Verify the status of the secondary unit.
103006
Error Message
%ASA-1-103006: (Primary|Secondary) Mate version ver_num is not compatible with ours ver_num
Explanation The Secure Firewall ASA has detected a peer unit that is running a version that is different than the local unit and is not compatible with the HA Hitless Upgrade feature.
- ver_num—Version number.
Recommended Action Install the same or a compatible version image on both units.
103007
Error Message
%ASA-1-103007: (Primary|Secondary) Mate version ver_num is not identical with ours ver_num
Explanation The Secure Firewall ASA has detected that the peer unit is running a version that is not identical, but supports Hitless Upgrade and is compatible with the local unit. The system performance may be degraded because the image version is not identical, and the Secure Firewall ASA may develop a stability issue if the nonidentical image runs for an extended period.
- ver_num—Version number
Recommended Action Install the same image version on both units as soon as possible.
103008
Error Message
%ASA-1-103008: Mate hwdib index is not compatible
Explanation The number of interfaces on the active and standby units is not the same.
Recommended Action Verify that the units have the same number of interfaces. You might need to install additional interface modules, or use different devices. After the physical interfaces match, force a configuration sync by entering the write standby command.
104001, 104002
Error Message
%ASA-1-104001: (Primary) Switching to ACTIVE (cause: string).
Error Message
%ASA-1-104002: (Primary) Switching to STANDBY (cause: string).
Explanation You have forced the failover pair to switch roles, either by entering the failover active command on the standby unit, or the no failover active command on the active unit. Primary can also be listed as Secondary for the secondary unit. Possible values for the string variable are as follows:
- state check
- bad/incomplete config
- ifc [interface] check, mate is healthier
- the other side wants me to standby
- in failed state, cannot be active
- switch to failed state
- other unit set to active by CLI config command fail active
Recommended Action If the message occurs because of manual intervention, no action is required. Otherwise, use the cause reported by the secondary unit to verify the status of both units of the pair.
104003
Error Message
%ASA-1-104003: (Primary) Switching to FAILED.
Explanation The primary unit has failed.
Recommended Action Check the messages for the primary unit for an indication of the nature of the problem (see message 104001). Primary can also be listed as Secondary for the secondary unit.
104004
Error Message
%ASA-1-104004: (Primary) Switching to OK.
Explanation A previously failed unit reports that it is operating again. Primary can also be listed as Secondary for the secondary unit.
Recommended Action None required.
104500
Error Message
%ASA-1-104500: (Primary|Secondary) Switching to ACTIVE (cause: reason)
Explanation This HA unit is assuming the Active role for the Cloud HA pair. Possible values for the reason string are:
- no existing Active unit present
- unable to send message to Active unit
- no response to Hello message received from Active unit
- user initiated failover on this unit
- user initiated failover on peer unit
- invalid message received on failover connection
Recommended Action None required.
104501
Error Message
%ASA-1-104501: (Primary|Secondary) Switching to BACKUP (cause: reason).
Explanation This HA unit is assuming the Backup role for the Cloud HA pair. Possible values for the reason string are:
- existing Active unit present
- user initiated failover on this unit
- user initiated failover on peer unit
Recommended Action None required.
104502
Error Message
%ASA-1-104502: (Primary|Secondary) Becoming Backup unit failed.
Explanation This HA unit failed to assume the Backup role for the Cloud HA pair. The possible reasons are the same as those listed for 104500 and 104501.
Recommended Action None required.
105001
Error Message
%ASA-1-105001: (Primary) Disabling failover.
Explanation In version 7.x and later, this message may indicate the following: failover has been automatically disabled because of a mode mismatch (single or multiple), a license mismatch (encryption or context), or a hardware difference (one unit has an IPS SSM installed, and its peer has a CSC SSM installed). Primary can also be listed as Secondary for the secondary unit.
Recommended Action None required.
105002
Error Message
%ASA-1-105002: (Primary) Enabling failover.
Explanation You have used the failover command with no arguments on the console, after having previously disabled failover. Primary can also be listed as Secondary for the secondary unit.
Recommended Action None required.
105003
Error Message
%ASA-1-105003: (Primary) Monitoring on interface interface_name waiting
Explanation The Secure Firewall ASA is testing the specified network interface with the other unit of the failover pair. Primary can also be listed as Secondary for the secondary unit.
Note: There could be a delay in the logging of the syslog compared to the actual status change. This delay is due to the poll time and hold time configured for interface monitoring.
Recommended Action None required. The Secure Firewall ASA monitors its network interfaces frequently during normal operation.
105004
Error Message
%ASA-1-105004: (Primary) Monitoring on interface interface_name normal
Explanation The test of the specified network interface was successful. Primary can also be listed as Secondary for the secondary unit.
Note: There could be a delay in the logging of the syslog compared to the actual status change. This delay is due to the poll time and hold time configured for interface monitoring.
Recommended Action None required.
105005
Error Message
%ASA-1-105005: (Primary) Lost Failover communications with mate on interface interface_name.
Explanation One unit of the failover pair can no longer communicate with the other unit of the pair. Primary can also be listed as Secondary for the secondary unit.
Recommended Action Verify that the network connected to the specified interface is functioning correctly.
105006, 105007
Error Message
%ASA-1-105006: (Primary) Link status Up on interface interface_name.
Error Message
%ASA-1-105007: (Primary) Link status Down on interface interface_name.
Explanation The results of monitoring the link status of the specified interface have been reported. Primary can also be listed as Secondary for the secondary unit.
Recommended Action If the link status is down, verify that the network connected to the specified interface is operating correctly.
105008
Error Message
%ASA-1-105008: (Primary) Testing interface interface_name.
Explanation Testing of a specified network interface has occurred. This testing is performed only if the Secure Firewall ASA fails to receive a message from the standby unit on that interface after the expected interval. Primary can also be listed as Secondary for the secondary unit.
Recommended Action None required.
105009
Error Message
%ASA-1-105009: (Primary) Testing on interface interface_name {Passed|Failed}.
Explanation The result (either Passed or Failed) of a previous interface test has been reported. Primary can also be listed as Secondary for the secondary unit.
Recommended Action None required if the result is Passed. If the result is Failed, you should check the network cable connection to both failover units, that the network itself is functioning correctly, and verify the status of the standby unit.
105010
Error Message
%ASA-3-105010: (Primary) Failover message block alloc failed.
Explanation Block memory was depleted. This is a transient message and the Secure Firewall ASA should recover. Primary can also be listed as Secondary for the secondary unit.
Recommended Action Use the show blocks command to monitor the current block memory.
105011
Error Message
%ASA-1-105011: (Primary) Failover cable communication failure
Explanation The failover cable is not permitting communication between the primary and secondary units. Primary can also be listed as Secondary for the secondary unit.
Recommended Action Ensure that the cable is connected correctly.
105020
Error Message
%ASA-1-105020: (Primary) Incomplete/slow config replication
Explanation When a failover occurs, the active Secure Firewall ASA detects a partial configuration in memory. Normally, this is caused by an interruption in the replication service. Primary can also be listed as Secondary for the secondary unit.
Recommended Action After the Secure Firewall ASA detects the failover, it automatically reboots and loads the configuration from flash memory and/or resynchronizes with the other Secure Firewall ASA. If failovers occur continuously, check the failover configuration and make sure that both Secure Firewall ASAs can communicate with each other.
105021
Error Message
%ASA-1-105021: (failover_unit) Standby unit failed to sync due to a locked context_name config. Lock held by lock_owner_name
Explanation During configuration synchronization, a standby unit reloads itself if some other process locks the configuration for more than five minutes, which prevents the failover process from applying the new configuration. This can occur when an administrator pages through a running configuration on the standby unit while configuration synchronization is in progress. See also the show running-config command in privileged EXEC mode and the pager lines num command in global configuration mode in the Command Reference Guides.
Recommended Action Avoid viewing or modifying the configuration on the standby unit when it first boots up and is in the process of establishing a failover connection with the active unit.
105022
Error Message
%ASA-1-105022: (host) Config replication failed with reason = (reason)
Explanation This message is generated when high availability replication fails, where:
- host—Indicates the current failover unit, namely primary or secondary.
- reason—The timeout expiry reason for termination of the failover configuration replication:
  - CFG_SYNC_TIMEOUT—The 60-second timer for the configuration to be replicated from active to standby has lapsed, and the device starts to reboot.
  - CFG_PROGRESSION_TIMEOUT—The 6-hour interval timer that governs the high availability configuration replication has lapsed.
Recommended Action None.
105031
Error Message
%ASA-1-105031: Failover LAN interface is up
Explanation The LAN failover interface link is up.
Recommended Action None required.
105032
Error Message
%ASA-1-105032: LAN Failover interface is down
Explanation The LAN failover interface link is down.
Recommended Action Check the connectivity of the LAN failover interface. Make sure that the speed or duplex setting is correct.
105033
Error Message
%ASA-1-105033: LAN FO cmd Iface down and up again
Explanation The LAN failover interface has gone down.
Recommended Action Verify the failover link; there might be a communication problem.
105034
Error Message
%ASA-1-105034: Receive a LAN_FAILOVER_UP message from peer.
Explanation The peer has just booted and sent the initial contact message.
Recommended Action None required.
105035
Error Message
%ASA-1-105035: Receive a LAN failover interface down msg from peer.
Explanation The peer LAN failover interface link is down. The unit switches to active mode if it is in standby mode.
Recommended Action Check the connectivity of the peer LAN failover interface.
105036
Error Message
%ASA-1-105036: dropped a LAN Failover command message.
Explanation The Secure Firewall ASA dropped an unacknowledged LAN failover command message, indicating a connectivity problem exists on the LAN failover interface.
Recommended Action Check that the LAN interface cable is connected.
105037
Error Message
%ASA-1-105037: The primary and standby units are switching back and forth as the active unit.
Explanation The primary and standby units are switching back and forth as the active unit, indicating a LAN failover connectivity problem or software bug exists.
Recommended Action Make sure that the LAN interface cable is connected.
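The role-switch messages 104001 and 104002 above, and the 105037 message that the device itself raises when the units keep trading the active role, are the signals a SOC would watch for failover flapping. The following is an added example, not Cisco's code or part of this reference: it parses the `%ASA-<severity>-<id>:` prefix and the `(Primary|Secondary)` unit tag shown throughout this section, extracts the `cause:` string from 104001/104002, and raises an alert when a configurable number of role switches land inside a sliding time window or when 105037 is seen. The sample log lines, the ISO timestamp and hostname in front of each message, and the window/threshold values are constructed assumptions for the example.

```python
import re
from collections import deque
from datetime import datetime

# Matches the message format used throughout this reference:
#   %ASA-<severity>-<message id>: (Primary|Secondary) <text>
ASA_RE = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*"
    r"(?:\((?P<unit>Primary|Secondary)\)\s*)?(?P<text>.*)$"
)
# The "(cause: string)" suffix carried by 104001 / 104002.
CAUSE_RE = re.compile(r"\(cause:\s*(?P<cause>[^)]*)\)")

# Message IDs that mean a unit changed failover role.
ROLE_SWITCH_IDS = {"104001": "ACTIVE", "104002": "STANDBY"}
# Message ID the ASA raises itself when it detects the units flapping.
FLAP_REPORTED_ID = "105037"

# Constructed sample lines (assumed layout: "<ISO timestamp> <host> <ASA message>").
SAMPLE_LINES = [
    "2024-01-10T12:00:00 asa1 %ASA-1-104001: (Primary) Switching to ACTIVE (cause: the other side wants me to standby).",
    "2024-01-10T12:00:40 asa1 %ASA-1-104002: (Primary) Switching to STANDBY (cause: state check).",
    "2024-01-10T12:01:30 asa1 %ASA-1-104001: (Primary) Switching to ACTIVE (cause: bad/incomplete config).",
    "2024-01-10T12:30:00 asa1 %ASA-1-105004: (Primary) Monitoring on interface outside normal",
    "2024-01-10T13:00:00 asa1 %ASA-1-104002: (Primary) Switching to STANDBY (cause: state check).",
    "2024-01-10T13:05:00 asa1 %ASA-1-105037: The primary and standby units are switching back and forth as the active unit.",
]


def parse_asa_line(line):
    """Parse one syslog line into a dict, or return None if it carries no %ASA message.

    Fields: ts (datetime), sev (int), msgid (str), unit (str or None),
    text (str) and cause (str or None, only meaningful for 104001/104002).
    """
    m = ASA_RE.search(line)
    if m is None:
        return None
    # Assumed line layout: the first whitespace-separated token is an ISO-8601 timestamp.
    ts = datetime.fromisoformat(line.split(maxsplit=1)[0])
    cause_match = CAUSE_RE.search(m["text"])
    return {
        "ts": ts,
        "sev": int(m["sev"]),
        "msgid": m["msgid"],
        "unit": m["unit"],
        "text": m["text"],
        "cause": cause_match["cause"].strip() if cause_match else None,
    }


def detect_failover_flapping(lines, window_seconds=300, threshold=3):
    """Return a list of (timestamp, reason) alerts for failover flapping.

    An alert is raised when `threshold` role switches (104001/104002) occur within
    `window_seconds`, or immediately when the device reports 105037 itself.
    """
    alerts = []
    recent = deque()  # timestamps of role switches inside the current window
    for line in lines:
        ev = parse_asa_line(line)
        if ev is None:
            continue
        if ev["msgid"] == FLAP_REPORTED_ID:
            alerts.append((ev["ts"], "105037 reported by device: units flapping"))
            continue
        if ev["msgid"] not in ROLE_SWITCH_IDS:
            continue
        recent.append(ev["ts"])
        # Drop switches that fell out of the sliding window.
        while recent and (ev["ts"] - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((
                ev["ts"],
                f"{len(recent)} role switches within {window_seconds}s on unit "
                f"{ev['unit']}; last cause: {ev['cause']}",
            ))
            recent.clear()  # one alert per burst, not one per extra switch
    return alerts


if __name__ == "__main__":
    for ts, reason in detect_failover_flapping(SAMPLE_LINES):
        print(f"{ts.isoformat()}  ALERT  {reason}")
```

The detector clears its window after each alert so a long burst produces one alert per threshold crossing rather than one per message; the `cause` string is carried into the alert because it is the first thing the operator needs when deciding whether the switch was manual intervention or a genuine fault, as the Recommended Action for 104001 and 104002 describes.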
105038
Error Message
%ASA-1-105038: (Primary) Interface count mismatch
Explanation When a failover occurs, the active Secure Firewall ASA detects a partial configuration in memory. Normally, this is caused by an interruption in the replication service. Primary can also be listed as Secondary for the secondary unit.
Recommended Action Once the failover is detected by the Secure Firewall ASA, the Secure Firewall ASA automatically reboots and loads the configuration from flash memory and/or resynchronizes with another Secure Firewall ASA. If failovers occur continuously, check the failover configuration and make sure that both Secure Firewall ASAs can communicate with each other.
105039
Error Message
%ASA-1-105039: (Primary) Unable to verify the Interface count with mate. Failover may be disabled in mate.
Explanation Failover initially verifies that the number of interfaces configured on the primary and secondary Secure Firewall ASAs are the same. This message indicates that the primary Secure Firewall ASA is not able to verify the number of interfaces configured on the secondary Secure Firewall ASA. This message indicates that the primary Secure Firewall ASA is not able to communicate with the secondary Secure Firewall ASA over the failover interface. Primary can also be listed as Secondary for the secondary unit.
Recommended Action Verify the failover LAN, interface configuration, and status on the primary and secondary Secure Firewall ASAs. Make sure that the secondary Secure Firewall ASA is running the Secure Firewall ASA application and that failover is enabled.
105040
Error Message
%ASA-1-105040: (Primary) Mate failover version is not compatible.
Explanation The primary and secondary Secure Firewall ASAs should run the same failover software version to act as a failover pair. This message indicates that the secondary Secure Firewall ASA failover software version is not compatible with the primary Secure Firewall ASA. Failover is disabled on the primary Secure Firewall ASA. Primary can also be listed as Secondary for the secondary Secure Firewall ASA.
Recommended Action Maintain consistent software versions between the primary and secondary Secure Firewall ASAs to enable failover.
105041
Error Message
%ASA-1-105041: cmd failed during sync
Explanation Replication of the nameif command failed, because the number of interfaces on the active and standby units is not the same.
Recommended Action Verify that the units have the same number of interfaces. You might need to install additional interface modules, or use different devices. After the physical interfaces match, force a configuration sync by entering the write standby command.
105042
Error Message
%ASA-1-105042: (Primary) Failover interface OK
Explanation The interface that sends failover messages can go down when the physical status of the failover link is down or when L2 connectivity between the failover peers is lost, which results in ARP packets being dropped. This message is generated after L2 ARP connectivity is restored.
Recommended Action None required.
105043
Error Message
%ASA-1-105043: (Primary) Failover interface failed
Explanation This syslog is generated when the physical status of the failover link is down or when L2 connectivity between the failover peers is lost. The disconnection results in loss of the ARP packets flowing between the units.
Recommended Action
- Check the failover link and ensure that its physical and operational status is functional.
- Ensure that ARP packets flow through the transit path of the failover links between the failover pairs.
105044
Error Message
%ASA-1-105044: (Primary) Mate operational mode mode is not compatible with my mode mode.
Explanation When the operational mode (single or multiple) does not match between failover peers, failover will be disabled.
Recommended Action Configure the failover peers to have the same operational mode, and then reenable failover.
105045
Error Message
%ASA-1-105045: (Primary) Mate license (number contexts) is not compatible with my license (number contexts).
Explanation When the feature licenses do not match between failover peers, failover will be disabled.
Recommended Action Configure the failover peers to have the same feature license, and then reenable failover.
105046
Error Message
%ASA-1-105046: (Primary|Secondary) Mate has a different chassis
Explanation Two failover units have a different type of chassis. For example, one has a three-slot chassis; the other has a six-slot chassis.
Recommended Action Make sure that the two failover units are the same.
105047
Error Message
%ASA-1-105047: Mate has a io_card_name1 card in slot slot_number which is different from my io_card_name2
Explanation The two failover units have different types of cards in their respective slots.
Recommended Action Make sure that the card configurations for the failover units are the same.
105048
Error Message
%ASA-1-105048: (unit) Mate’s service module (application) is different from mine (application)
Explanation The failover process detected that different applications are running on the service modules in the active and standby units. The two failover units are incompatible if different service modules are used.
- unit—Primary or secondary
- application—The name of the application, such as InterScan Security Card
Recommended Action Make sure that both units have identical service modules before trying to reenable failover.
105050
Error Message
%ASA-3-105050: ASAv ethernet interface mismatch
Explanation The number of Ethernet interfaces on the standby unit is less than the number on the active unit.
Recommended Action Secure Firewall ASAs with the same number of interfaces should be paired with each other. Verify that the units have the same number of interfaces. You might need to install additional interface modules, or use different devices. After the physical interfaces match, force a configuration sync by entering the write standby command.
105052
Error Message
%ASA-3-105052 HA: cipher in use algorithm name strong encryption is AVAILABLE, please reboot to use strong cipher and preferably change the key in use.
Explanation When the failover key is configured prior to a license update, the weaker cipher is not switched to a stronger cipher automatically. This syslog is generated every 30 seconds to alert that a weaker cipher is still being used when a stronger cipher is available.
Example %ASA-3-105052 HA cipher in use DES strong encryption is AVAILABLE, please reboot to use strong cipher and preferably change the key in use.
Recommended Action Remove the failover key configuration and reconfigure the key. Reload the standby, and then reload the active device.
105500
Error Message
%ASA-5-105500: (Primary|Secondary) Started HA.
Explanation Cloud HA has been enabled on this ASA virtual.
Recommended Action None required.
105501
Error Message
%ASA-5-105501: (Primary|Secondary) Stopped HA.
Explanation Cloud HA has been disabled on this ASA virtual.
Recommended Action None required.
105502
Error Message
%ASA-1-105502: (Primary|Secondary) Restarting Cloud HA on this unit, reason: string.
Explanation An error occurred and caused this HA unit to restart Cloud HA. Possible values for the reason string are:
- failed to become Backup unit
- unable to create failover connection
Recommended Action None required.
105503
Error Message
%ASA-5-105503: (Primary|Secondary) Internal state change from previous_state to new_state
Explanation There was a change to the internal HA state.
Recommended Action None required.
105504
Error Message
%ASA-5-105504: (Primary|Secondary) Connected to peer peer-ip:port
Explanation This HA unit has established communication with its HA peer.
Recommended Action None required.
105505
Error Message
%ASA-4-105505: (Primary|Secondary) Failed to connect to peer unit peer-ip:port
Explanation This HA unit has failed to establish communication with its HA peer.
Recommended Action This may occur if there is no HA peer present. If there is an HA peer present with failover enabled, there could be a connectivity issue between the peers. Verify using the show failover command that:
- The peer IP address configured on each unit matches an interface IP address on the peer
- The peer port number on each unit matches the failover control (server) port on the peer
- The interfaces used for the peer connection are not shut down
- Any IP routes required for IP connectivity are present
105506
Error Message
%ASA-2-105506: (Primary|Secondary) Unable to create socket on port port for (failover connection | load balancer probes), error: error_string
Explanation An internal error occurred while attempting to create a socket needed for the failover connection or for responding to Azure load balancer probes.
Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105507
Error Message
%ASA-2-105507: (Primary|Secondary) Unable to bind socket on port port for (failover connection | load balancer probes), error: error_string
Explanation An internal error occurred while attempting to start a socket needed for the failover connection or for responding to Azure load balancer probes.
Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105508
Error Message
%ASA-2-105508: (Primary|Secondary) Error creating failover connection socket on port port
Explanation An internal error occurred while attempting to create a socket on the Active unit for exchanging failover control messages with the Backup unit.
Recommended Action This message is preceded by a 104509 or 104510 message. Follow the Recommended Action for the message that precedes this one.
105509
Error Message
%ASA-3-105509: (Primary|Secondary) Error sending message_name message to peer unit peer-ip, error: error_string
Explanation An error occurred while attempting to send a failover control message to the peer unit.
Recommended Action If the error was not caused by the failure of the peer unit, copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105510
Error Message
%ASA-3-105510: (Primary|Secondary) Error receiving message from peer unit peer-ip, error: error_string
Explanation An error occurred while attempting to receive a failover control message from the peer unit.
Recommended Action If the error was not caused by the failure of the peer unit, copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105511
Error Message
%ASA-3-105511: (Primary|Secondary) Incomplete read of message header of message from peer unit peer-ip: bytes bytes read of expected header_length header bytes.
Explanation An error occurred while attempting to receive a failover control message from the peer unit.
Recommended Action If the error was not caused by the failure of the peer unit, copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105512
Error Message
%ASA-3-105512: (Primary|Secondary) Error receiving message body of message from peer unit peer-ip, error: error_string
Explanation An error occurred while attempting to receive a failover control message from the peer unit.
Recommended Action If the error was not caused by the failure of the peer unit, copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105513
Error Message
%ASA-3-105513: (Primary|Secondary) Incomplete read of message body of message from peer unit peer-ip: bytes bytes read of expected message_length message body bytes
Explanation An error occurred while attempting to receive a failover control message from the peer unit.
Recommended Action If the error was not caused by the failure of the peer unit, copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105514
Error Message
%ASA-3-105514: (Primary|Secondary) Error occurred when responding to message_name message received from peer unit peer-ip, error: error_string
Explanation An error occurred while attempting to respond to a failover control message received from the peer unit.
Recommended Action If the error was not caused by the failure of the peer unit, copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105515
Error Message
%ASA-3-105515: (Primary|Secondary) Error receiving message_name message from peer unit peer-ip, error: error_string
Explanation An error occurred while attempting to receive a failover control message from the peer unit.
Recommended Action If the error was not caused by the failure of the peer unit, copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105516
Error Message
%ASA-3-105516: (Primary|Secondary) Incomplete read of message header of message_name message from peer unit peer-ip: bytes bytes read of expected header_length header bytes
Explanation An error occurred while attempting to receive a failover control message from the peer unit.
Recommended Action If the error was not caused by the failure of the peer unit, copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105517
Error Message
%ASA-3-105517: (Primary|Secondary) Error receiving message body of message_name message from peer unit peer-ip, error: error_string
Explanation An error occurred while attempting to receive a failover control message from the peer unit.
Recommended Action If the error was not caused by the failure of the peer unit, copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105518
Error Message
%ASA-3-105518: (Primary|Secondary) Incomplete read of message body of message_name message from peer unit peer-ip: bytes bytes read of expected message_length message body bytes
Explanation An error occurred while attempting to receive a failover control message from the peer unit.
Recommended Action If the error was not caused by the failure of the peer unit, copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105519
Error Message
%ASA-3-105519: (Primary|Secondary) Invalid response to message_name message received from peer unit peer-ip: type message_type, version message_version, length message_length
Explanation An unexpected message was received in response to a failover control message.
Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105520
Error Message
%ASA-5-105520: (Primary|Secondary) Responding to Azure Load Balancer probes
Explanation The Active unit has begun responding to Azure Load Balancer probes.
Recommended Action None required
105521
Error Message
%ASA-5-105521: (Primary|Secondary) No longer responding to Azure Load Balancer probes
Explanation The Backup unit has stopped responding to Azure Load Balancer probes.
Recommended Action None required
105522
Error Message
%ASA-5-105522: (Primary|Secondary) Updating route route_table_name
Explanation The Active unit has started the process of updating an Azure route-table.
Recommended Action None required
105523
Error Message
%ASA-5-105523: (Primary|Secondary) Updated route route_table_name
Explanation The Active unit has completed the process of updating an Azure route-table.
Recommended Action None required
105524
Error Message
%ASA-4-105524: (Primary|Secondary) Transitioning to Negotiating state due to the presence of another Active HA unit.
Explanation Another Active HA unit was detected, transitioning unit to negotiating state.
Recommended Action None required
105525
Error Message
%ASA-2-105525: (Primary|Secondary) Incomplete configuration to initiate access token change request.
Explanation An attempt was made to acquire an access token, but the configuration did not contain enough information to initiate the request.
Recommended Action Ensure that an Azure authentication client ID, tenant ID and secret key are all present in the ASA configuration.
105526
Error Message
%ASA-2-105526: (Primary|Secondary) Unexpected status in response to access token request: status_string.
Explanation A response to an Azure access token request was received but the HTTP status code in the response was not 200 (OK).
Recommended Action Ensure that the Azure authentication client ID, tenant ID and secret key are all correct in the ASA configuration.
105527
Error Message
%ASA-2-105527: (Primary|Secondary) Failure reading response to access token request
Explanation An internal error occurred while receiving a response to an Azure access token request.
Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105528
Error Message
%ASA-2-105528: (Primary|Secondary) No access token in response to access token request
Explanation A response to an Azure route change request was received but it did not contain an access_token value.
Recommended Action Verify that the Azure authentication client ID, tenant ID and secret key are all correct in the ASA configuration.
105529
Error Message
%ASA-2-105529: (Primary|Secondary) Error creating authentication header from access token
Explanation An internal error occurred while attempting to create an authentication header needed for changing Azure routes.
Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105530
Error Message
%ASA-2-105530: (Primary|Secondary) No response to access token request url
Explanation Azure route-table information was not able to be obtained for an Azure route-table change.
Recommended Action Verify route-table name is correct in ASA configuration and exists in Azure.
105531
Error Message
%ASA-2-105531: (Primary|Secondary) Failed to obtain route-table information needed for change request for route-table route_table_name
Explanation Azure route-table information was not able to be obtained for an Azure route-table change.
Recommended Action Verify route-table name is correct in ASA configuration and exists in Azure.
105532
Error Message
%ASA-2-105532: (Primary|Secondary) Unexpected status in response to route-table change request for route-table route_table_name: status_string
Explanation A response to an Azure route-table change request was received but the HTTP status code in the response was not 200 (OK).
Recommended Action Verify that the configured Azure subscription ID, route-table name and route-table resource group are correct.
105533
Error Message
%ASA-2-105533: (Primary|Secondary) Failure reading response to route-table change request for route-table route_table_name
Explanation An internal error occurred while receiving a response to an Azure route-table change request.
Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105534
Error Message
%ASA-2-105534: (Primary|Secondary) No provisioning state in response to route-table change request route-table route_table_name
Explanation A response to an Azure route-table change request was received but it did not contain a provisioningState value containing the route-table change status.
Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105535
Error Message
%ASA-2-105535: (Primary|Secondary) No response to route-table change request for route-table route_table_name from url
Explanation No response was received to an Azure route-table change request.
Recommended Action Verify that management.azure.com is reachable from the ASA virtual.
105536
Error Message
%ASA-2-105536: (Primary|Secondary) Failed to obtain Azure authentication header for route status request for route route_name
Explanation An Azure access token was not able to be obtained for an Azure route status query.
Recommended Action See the Recommended Action of the access-token-related message that precedes this message.
105537
Error Message
%ASA-2-105537: (Primary|Secondary) Unexpected status in response to route state request for route route_name: status_string
Explanation A response to an Azure route state request was received but the HTTP status code in the response was not 200 (OK).
Recommended Action Verify that the configured Azure subscription ID, route table name and route table resource group are correct.
105538
Error Message
%ASA-2-105538: (Primary|Secondary) Failure reading response to route state request for route route_name
Explanation An internal error occurred while receiving a response to an Azure route state request.
Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105539
Error Message
%ASA-2-105539: (Primary|Secondary) No response to route state request for route route_name from url
Explanation No response was received to an Azure route state request.
Recommended Action Verify that management.azure.com is reachable from the ASA virtual.
105540
Error Message
%ASA-2-105540: (Primary|Secondary) No route-tables configured
Explanation No Azure route-tables were detected to change.
Recommended Action Confirm that route-tables are correctly configured in ASA configuration.
105541
Error Message
%ASA-2-105541: (Primary|Secondary) Failed to update route-table route_table_name, provisioning state: state_string
Explanation A response to an Azure route-table state request was received that contained a provisioningState that indicated a failure to update the route-table.
Recommended Action The Active unit will make three attempts to update an Azure route-table. If all three attempts fail, copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105542
Error Message
%ASA-5-105542: (Primary|Secondary) Enabling load balancer probe responses
Explanation The Active unit will now respond to probes from the Azure Load Balancer.
Recommended Action None required.
105543
Error Message
%ASA-5-105543: (Primary|Secondary) Disabling load balancer probe responses
Explanation The Active unit is no longer responding to probes from the Azure Load Balancer.
Recommended Action None required.
105544
Error Message
%ASA-2-105544: (Primary|Secondary) Error creating load balancer probe socket on port port
Explanation An internal error occurred while attempting to create a socket for responding to probes from an Azure Load Balancer.
Recommended Action This message will be preceded by a 104509 or 104510 message. Follow the Recommended Action for the message that precedes this one.
105545
Error Message
%ASA-3-105545: (Primary|Secondary) Error starting load balancer probe socket on port port, error code: error_code
Explanation An internal error occurred while attempting to start receiving probes from an Azure Load Balancer. The Active unit will continue to attempt to enable the receiving of probes.
Recommended Action If this condition persists copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105546
Error Message
%ASA-3-105546: (Primary|Secondary) Error starting load balancer probe handler
Explanation An internal error occurred while attempting to create a process for receiving probes from an Azure Load Balancer.
Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105547
Error Message
%ASA-3-105547: (Primary|Secondary) Error generating encryption key for Azure secret key
Explanation An internal error occurred while attempting to generate the encryption key used for encrypting the Azure secret key in the configuration.
Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105548
Error Message
%ASA-3-105548: (Primary|Secondary) Error storing encryption key for Azure secret key
Explanation An internal error occurred while attempting to store the encryption key used for encrypting the Azure secret key in the configuration.
Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105549
Error Message
%ASA-3-105549: (Primary|Secondary) Error retrieving encryption key for Azure secret key
Explanation An internal error occurred while attempting to retrieve the encryption key used for encrypting the Azure secret key in the configuration.
Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105550
Error Message
%ASA-3-105550: (Primary|Secondary) Error encrypting Azure secret key
Explanation An internal error occurred while encrypting the Azure secret key in the configuration.
Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105551
Error Message
%ASA-3-105551: (Primary|Secondary) Error encrypting Azure secret key
Explanation An internal error occurred while decrypting the Azure secret key in the configuration.
Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.
105552
Error Message
%ASA-5-105552: (Primary|Secondary) Stopped HA
Explanation Cloud HA has been disabled on this ASA virtual.
Recommended Action None required.
105553
Error Message
%ASA-4-105553: (Primary|Secondary) Detected another Active HA unit
Explanation Another Active HA unit was detected.
Recommended Action None required
106001
Error Message
%ASA-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name
Explanation An attempt to connect to an inside address was denied by the security policy that is defined for the specified traffic type. The IP address displayed is the real IP address instead of the IP address that appears through NAT. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the Secure Firewall ASA, and it was dropped. The tcp_flags in this packet are FIN and ACK.
The tcp_flags are as follows:
- ACK—The acknowledgment number was received
- FIN—Data was sent
- PSH—The receiver passed data to the application
- RST—The connection was reset
- SYN—Sequence numbers were synchronized to start a connection
- URG—The urgent pointer was declared valid
Recommended Action None required.
106002
Error Message %ASA-2-106002: protocol Connection denied by outbound list acl_ID src inside_address dest outside_address
Explanation The specified connection failed because of an outbound deny command. The protocol variable can be ICMP, TCP, or UDP.
Recommended Action Use the show outbound command to check outbound lists.
106006
Error Message
%ASA-2-106006: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name.
Explanation An inbound UDP packet was denied by the security policy that is defined for the specified traffic type.
Recommended Action None required.
106007
Error Message
%ASA-2-106007: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port due to DNS {Response|Query}.
Explanation A UDP packet containing a DNS query or response was denied.
Recommended Action If the inside port number is 53, the inside host probably is set up as a caching name server. Add an access-list command statement to permit traffic on UDP port 53 and a translation entry for the inside host. If the outside port number is 53, a DNS server was probably too slow to respond, and the query was answered by another server.
106010
Error Message %ASA-3-106010: Deny inbound protocol src [interface_name : source_address/source_port ] [([idfw_user | FQDN_string ], sg_info )] dst [interface_name : dest_address /dest_port ] [([idfw_user | FQDN_string ], sg_info )]
Explanation An inbound connection was denied by your security policy.
Recommended Action Modify the security policy if traffic should be permitted. If the message occurs at regular intervals, contact the remote peer administrator.
106011
Error Message %ASA-3-106011: Deny inbound (No xlate) protocol src Interface:IP/port dst Interface-nameif:IP/port
Explanation The message appears under normal traffic conditions if there are internal users that are accessing the Internet through a web browser. Any time a connection is reset, when the host at the end of the connection sends a packet after the Secure Firewall ASA receives the connection reset, this message appears. It can typically be ignored.
Recommended Action Prevent this message from getting logged to the syslog server by entering the no logging message 106011 command.
106012
Error Message %ASA-6-106012: Deny IP from IP_address to IP_address , IP options hex.
Explanation An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.
Recommended Action Contact the remote host system administrator to determine the problem. Check the local site for loose source routing or strict source routing.
106013
Error Message
%ASA-2-106013: Dropping echo request from IP_address to PAT address IP_address
Explanation The Secure Firewall ASA discarded an inbound ICMP Echo Request packet with a destination address that corresponds to a PAT global address. The inbound packet is discarded because it cannot specify which PAT host should receive the packet.
Recommended Action None required.
106014
Error Message %ASA-3-106014: Deny inbound icmp src interface_name : IP_address [([idfw_user | FQDN_string ], sg_info )] dst interface_name : IP_address [([idfw_user | FQDN_string ], sg_info )] (type dec , code dec )
Explanation The Secure Firewall ASA denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically allowed.
Recommended Action None required.
106015
Error Message
%ASA-6-106015: Deny TCP (no connection) from IP_address /port to IP_address /port flags tcp_flags on interface interface_name.
Explanation The Secure Firewall ASA discarded a TCP packet that has no associated connection in the Secure Firewall ASA connection table. The Secure Firewall ASA looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is no existing connection, the Secure Firewall ASA discards the packet.
Recommended Action None required unless the Secure Firewall ASA receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.
106016
Error Message %ASA-2-106016: Deny IP spoof from (IP_address ) to IP_address on interface interface_name.
Explanation A packet arrived at the Secure Firewall ASA interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the Secure Firewall ASA interface. In addition, this message is generated when the Secure Firewall ASA discarded a packet with an invalid source address, which may include one of the following or some other invalid address:
- Loopback network (127.0.0.0)
- Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
- The destination host (land.c)
To further enhance spoof packet detection, use the icmp command to configure the Secure Firewall ASA to discard packets with source addresses belonging to the internal network, because the access-list command has been deprecated and is no longer guaranteed to work correctly.
Recommended Action Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
106017
Error Message %ASA-2-106017: Deny IP due to Land Attack from IP_address to IP_address
Explanation The Secure Firewall ASA received a packet with the IP source address equal to the IP destination, and the destination port equal to the source port. This message indicates a spoofed packet that is designed to attack systems. This attack is referred to as a Land Attack.
Recommended Action If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.
106018
Error Message %ASA-2-106018: ICMP packet type ICMP_type denied by outbound list acl_ID src inside_address dest outside_address
Explanation The outgoing ICMP packet with the specified ICMP type from the local host (inside_address) to the foreign host (outside_address) was denied by the outbound ACL list.
Recommended Action None required.
106020
Error Message
%ASA-2-106020: Deny IP teardrop fragment (size = number, offset = number) from IP_address to IP_address
Explanation The Secure Firewall ASA discarded an IP packet with a teardrop signature containing either a small offset or fragment overlapping. This is a hostile event that circumvents the Secure Firewall ASA or an Intrusion Detection System.
Recommended Action Contact the remote peer administrator or escalate this issue according to your security policy.
106021
Error Message %ASA-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name
Explanation An attack is in progress. Someone is attempting to spoof an IP address on an inbound connection. Unicast RPF, also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your Secure Firewall ASA.
This message appears when you have enabled Unicast RPF with the ip verify reverse-path command. This feature works on packets input to an interface; if it is configured on the outside, then the Secure Firewall ASA checks packets arriving from the outside.
The Secure Firewall ASA looks up a route based on the source_address. If an entry is not found and a route is not defined, then this message appears and the connection is dropped.
If there is a route, the Secure Firewall ASA checks which interface it corresponds to. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination. The Secure Firewall ASA does not support asymmetric routing.
If the Secure Firewall ASA is configured on an internal interface, it checks static route command statements or RIP, and if the source_address is not found, then an internal user is spoofing their address.
Recommended Action Even though an attack is in progress, if this feature is enabled, no user action is required. The Secure Firewall ASA repels the attack.
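The lookup sequence described for 106021 (find a route for the source address; drop if there is none; drop if the route points to an interface other than the one the packet arrived on) is small enough to show end to end. The following is an added example, not Cisco code and not from this reference: a Python reverse-path check over a constructed static route table, returning the verdict and a line in the documented 106021 format. The route table, addresses and the distinction between the two drop reasons are assumptions made for the illustration; the ASA itself does not report why the check failed.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table for illustration only (not from any real ASA):
# (destination prefix, interface the route points to). No default route is
# included so that the "no route at all" branch below can be exercised;
# with a default route only the interface-mismatch branch would trigger.
ROUTES: List[Tuple[str, str]] = [
    ("10.1.0.0/16", "inside"),
    ("10.2.0.0/16", "dmz"),
    ("192.0.2.0/24", "outside"),
    ("203.0.113.0/24", "outside"),
]


def lookup_route(address: str, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match: the interface the device would use to reach
    `address`, or None when no route covers it."""
    addr = ipaddress.ip_address(address)
    best_iface, best_len = None, -1
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix, strict=True)
        if addr.version != net.version:
            continue
        if addr in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface


def rpf_check(proto: str, src: str, dst: str, ingress_iface: str,
              routes=ROUTES) -> Tuple[str, Optional[str]]:
    """Unicast RPF as described for 106021: look up the *source* address.

    - no route           -> drop (spoofed or unroutable source)
    - route on a different interface -> drop (spoof, or asymmetric routing,
      which the text says the ASA does not support)
    - route on the ingress interface -> accept
    Returns (verdict, syslog_line); the line is None when the packet passes.
    """
    via = lookup_route(src, routes)
    if via is None:
        verdict = "drop:no-route"
    elif via != ingress_iface:
        verdict = "drop:interface-mismatch"
    else:
        return "accept", None
    # Constructed line in the documented 106021 format.
    log = (f"%ASA-1-106021: Deny {proto} reverse path check from {src} "
           f"to {dst} on interface {ingress_iface}")
    return verdict, log


if __name__ == "__main__":
    # Internal source arriving from outside: the classic spoof case.
    print(rpf_check("tcp", "10.1.5.5", "192.0.2.10", "outside"))
    # Same source arriving where its route points: passes.
    print(rpf_check("tcp", "10.1.5.5", "192.0.2.10", "inside"))
    # Source with no route at all.
    print(rpf_check("udp", "198.51.100.1", "10.1.1.1", "outside"))
```

The check runs on the ingress interface only, as the text states, which is why the same source address is accepted on inside and dropped on outside here.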
106022
Error Message
%ASA-1-106022: Deny protocol connection spoof from source_address to dest_address on interface interface_name
Explanation A packet matching a connection arrived on a different interface from the interface on which the connection began. In addition, the ip verify reverse-path command is not configured.
For example, if a user starts a connection on the inside interface, but the Secure Firewall ASA detects the same connection arriving on a perimeter interface, the Secure Firewall ASA has more than one path to a destination. This is known as asymmetric routing and is not supported on the Secure Firewall ASA.
An attacker also might be attempting to append packets from one connection to another as a way to break into the Secure Firewall ASA. In either case, the Secure Firewall ASA shows this message and drops the connection.
Recommended Action Check that the routing is not asymmetric.
106023
Error Message %ASA-4-106023: Deny protocol src [interface_name :source_address /source_port ] [([idfw_user |FQDN_string ], sg_info )] dst interface_name :dest_address /dest_port [([idfw_user |FQDN_string ], sg_info )] [type {string }, code {code }] by access_group acl_ID [0x8ed66b60, 0xf8852875]
Explanation A real IP packet was denied by the ACL. This message appears even if you do not have the log option enabled for an ACL. The IP address is the real IP address instead of the values that display through NAT. Both user identity information and FQDN information are provided for the IP addresses if a match is found. The Secure Firewall ASA logs either identity information (domain\user) or FQDN (if the username is not available). If the identity information or FQDN is available, the Secure Firewall ASA logs this information for both the source and destination.
Recommended Action If messages persist from the same source address, a footprinting or port scanning attempt might be occurring. Contact the remote host administrator.
106024
Error Message
%ASA-2-106024: Access rules memory exhausted
Explanation The access list compilation process has run out of memory. All configuration information that has been added since the last successful access list was removed from the Secure Firewall ASA, and the most recently compiled set of access lists will continue to be used.
Recommended Action Access lists, AAA, ICMP, SSH, Telnet, and other rule types are stored and compiled as access list rule types. Remove some of these rule types so that others can be added.
106025, 106026
Error Message
%ASA-6-106025: Failed to determine the security context for the packet:sourceVlan:source_address dest_address source_port dest_port protocol
Error Message %ASA-6-106026: Failed to determine the security context for the packet:sourceVlan:source_address dest_address source_port dest_port protocol
Explanation The security context of the packet in multiple context mode cannot be determined. Both messages can be generated for IP packets being dropped in either router and transparent mode.
Recommended Action None required.
106027
Error Message %ASA-4-106027: acl_ID: Deny src [source address] dst [destination address] by access-group "access-list name"
Explanation A non-IP packet was denied by the ACL. This message is displayed even if you do not have the log option enabled for an extended ACL.
Recommended Action If messages persist from the same source address, it might indicate a foot-printing or port-scanning attempt. Contact the remote host administrator.
106100
Error Message %ASA-6-106100: access-list acl_ID {permitted | denied | est-allowed} protocol
interface_name /source_address (source_port ) (idfw_user , sg_info ) interface_name /dest_address (dest_port ) (idfw_user , sg_info ) hit-cnt number ({first hit | number -second interval}) hash codes
Explanation The initial occurrence or the total number of occurrences during an interval are listed. This message provides more information than message 106023, which only logs denied packets, and does not include the hit count or a configurable level.
When an access-list line has the log argument, it is expected that this message ID might be triggered because of a nonsynchronized packet reaching the Secure Firewall ASA and being evaluated by the access list. For example, if an ACK packet is received on the Secure Firewall ASA (for which no TCP connection exists in the connection table), the Secure Firewall ASA might generate message 106100, indicating that the packet was permitted; however, the packet is later correctly dropped because of no matching connection.
The following list describes the message values:
- permitted | denied | est-allowed—These values specify if the packet was permitted or denied by the ACL. If the value is est-allowed, the packet was denied by the ACL but was allowed for an already established session (for example, an internal user is allowed to access the Internet, and responding packets that would normally be denied by the ACL are accepted).
- protocol —TCP, UDP, ICMP, or an IP protocol number.
- interface_name —The interface name for the source or destination of the logged flow. The VLAN interfaces are supported.
- source_address —The source IP address of the logged flow. The IP address is the real IP address instead of the values that display through NAT.
- dest_address —The destination IP address of the logged flow. The IP address is the real IP address instead of the values that display through NAT.
- source_port —The source port of the logged flow (TCP or UDP). For ICMP, the number after the source port is the message type.
- idfw_user— The user identity username, including the domain name that is added to the existing syslog when the Secure Firewall ASA can find the username for the IP address.
- sg_info— The security group tag that is added to the syslog when the Secure Firewall ASA can find a security group tag for the IP address. The security group name is displayed with the security group tag, if available.
- dest_port —The destination port of the logged flow (TCP or UDP). For ICMP, the number after the destination port is the ICMP message code, which is available for some message types. For type 8, it is always 0. For a list of ICMP message types, see the following URL: http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml.
- hit-cnt number —The number of times this flow was permitted or denied by this ACL entry in the configured time interval. The value is 1 when the Secure Firewall ASA generates the first message for this flow.
- first hit—The first message generated for this flow.
- number -second interval—The interval in which the hit count is accumulated. Set this interval using the access-list command with the interval option.
- hash codes—Two are always printed, for the object group ACE and the constituent regular ACE. The values depend on which ACE the packet hit. To display these hash codes, enter the show access-list command.
Recommended Action None required.
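The field layouts documented for 106100 above and for 106023 earlier are regular enough to parse mechanically, which is what a SIEM rule for the "messages persist from the same source address" case in both Recommended Actions needs. The following is an added example, not Cisco code and not from this reference: a Python parser for those two message bodies, run over constructed sample lines (documentation address ranges; the hash codes are the ones shown in the 106023 format above), plus an aggregation that surfaces sources whose denied flows touch many distinct destination ports. The `->` separator between source and destination in 106100 and the quoted access-group name in 106023 are assumptions about the rendered output, and the parser accepts lines without them.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Syslog header: severity digit and six-digit message id, with any
# relay prefix (timestamp, hostname) allowed before it.
ASA_HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<msg_id>\d{6}):\s*(?P<body>.*)$")

# 106100 body, following the documented field order. The user/security-group
# parentheses after each address are optional, as is the "->" separator
# (an assumption about rendered output).
RE_106100 = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\)(?: \((?P<src_id>[^)]*)\))?"
    r"\s+(?:->\s+)?"
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\)(?: \((?P<dst_id>[^)]*)\))?"
    r" hit-cnt (?P<hits>\d+) (?P<interval>first hit|\d+-second interval) "
    r"\[(?P<hash1>0x[0-9a-fA-F]+), (?P<hash2>0x[0-9a-fA-F]+)\]"
)

# 106023 body. Ports are optional (ICMP has none); the identity group must
# not swallow the ICMP "(type N, code M)" suffix, hence the lookahead.
RE_106023 = re.compile(
    r"Deny (?P<proto>\S+) src (?P<src_if>[^:\s]+):(?P<src>[^/\s]+)(?:/(?P<sport>\d+))?"
    r"(?: \((?!type )(?P<src_id>[^)]*)\))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))?"
    r"(?: \((?!type )(?P<dst_id>[^)]*)\))?"
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?"
    r" by access-group \"?(?P<acl>[^\"\s]+)\"? "
    r"\[(?P<hash1>0x[0-9a-fA-F]+), (?P<hash2>0x[0-9a-fA-F]+)\]"
)

# Constructed sample lines (not captured from a real device).
SAMPLE_LOGS: List[str] = [
    '%ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.5(45678) -> inside/10.1.1.10(22) hit-cnt 1 first hit [0x8ed66b60, 0xf8852875]',
    '%ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.5(45679) -> inside/10.1.1.10(23) hit-cnt 1 first hit [0x8ed66b60, 0xf8852875]',
    '%ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.5(45680) -> inside/10.1.1.10(445) hit-cnt 1 first hit [0x8ed66b60, 0xf8852875]',
    '%ASA-6-106100: access-list inside_out permitted tcp inside/10.1.1.20(51000) (CORP\\alice, 100:Engineering) -> outside/192.0.2.80(443) hit-cnt 12 300-second interval [0x1a2b3c4d, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:203.0.113.5/45681 dst inside:10.1.1.10/3389 by access-group "outside_in" [0x8ed66b60, 0xf8852875]',
    '%ASA-4-106023: Deny icmp src outside:198.51.100.7 dst inside:10.1.1.10 (type 8, code 0) by access-group "outside_in" [0x8ed66b60, 0xf8852875]',
    'Jan 12 10:00:00 fw01 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.9/40000 to 10.1.1.10/80 flags ACK on interface outside',
]


def parse_asa_line(line: str) -> Optional[Dict[str, object]]:
    """Return a field dict for 106100/106023, a header-only dict for other
    ASA ids, or None when the line is not an ASA message or its body does
    not match the documented layout."""
    m = ASA_HEADER.search(line)
    if not m:
        return None
    msg_id, body = m.group("msg_id"), m.group("body")
    rec: Dict[str, object] = {"msg_id": msg_id, "severity": int(m.group("sev"))}
    if msg_id == "106100":
        f = RE_106100.match(body)
    elif msg_id == "106023":
        f = RE_106023.match(body)
    else:
        return rec
    if not f:
        return None
    rec.update(f.groupdict())
    if msg_id == "106023":
        rec["action"] = "denied"      # 106023 only ever reports denies
    rec["hits"] = int(rec.get("hits") or 1)
    return rec


def denied_targets_by_source(lines: List[str], min_distinct: int = 3) -> Dict[str, list]:
    """Group denied flows by source address and keep sources that hit at
    least `min_distinct` distinct (destination, port-or-icmp-type) pairs,
    the pattern both Recommended Actions describe as possible footprinting."""
    per_src = defaultdict(set)
    for line in lines:
        rec = parse_asa_line(line)
        if rec and rec.get("action") == "denied":
            per_src[str(rec["src"])].add((rec["dst"], rec.get("dport") or rec.get("icmp_type")))
    return {src: sorted(t) for src, t in per_src.items() if len(t) >= min_distinct}


if __name__ == "__main__":
    for src, targets in denied_targets_by_source(SAMPLE_LOGS).items():
        print(src, targets)
```

Sources that only trip a single rule once (the ICMP echo from 198.51.100.7 in the sample) stay below the threshold; the source that probed four distinct ports is the one reported.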
106101
Error Message %ASA-1-106101: Number of cached deny-flows for ACL log has reached limit (number ).
Explanation If you configured the log option for an ACL deny statement (access-list id deny command), and a traffic flow matches the ACL statement, the Secure Firewall ASA caches the flow information. This message indicates that the number of matching flows that are cached on the Secure Firewall ASA exceeds the user-configured limit (using the access-list deny-flow-max command). This message might be generated as a result of a DoS attack.
- number— The limit configured using the access-list deny-flow-max command
Recommended Action None required.
106102
Error Message %ASA-6-106102: access-list acl_ID {permitted|denied} protocol for user username interface_name /source_address source_port interface_name /dest_address dest_port hit-cnt number {first hit|number -second interval} hash codes
Explanation A packet was either permitted or denied by an access-list that was applied through a VPN filter. This message is the VPN/AAA filter equivalent of message 106100.
Recommended Action None required.
106103
Error Message %ASA-4-106103: access-list acl_ID denied protocol for user username interface_name /source_address source_port interface_name /dest_address dest_port hit-cnt number first hit hash codes
Explanation A packet was denied by an access-list that was applied through a VPN filter. This message is the VPN/AAA filter equivalent of message 106023.
Recommended Action None required.
107001
Error Message %ASA-1-107001: RIP auth failed from IP_address : version=number, type=string, mode=string, sequence=number on interface interface_name
Explanation The Secure Firewall ASA received a RIP reply message with bad authentication. This message might be caused by a misconfiguration on the router or the Secure Firewall ASA or by an unsuccessful attempt to attack the routing table of the Secure Firewall ASA.
Recommended Action This message indicates a possible attack and should be monitored. If you are not familiar with the source IP address listed in this message, change your RIP authentication keys between trusted entities. An attacker might be trying to determine the existing keys.
107002
Error Message %ASA-1-107002: RIP pkt failed from IP_address : version=number on interface interface_name
Explanation A router bug, a packet with non-RFC values inside, or a malformed entry may have caused this message to appear. This should not happen, and may be an attempt to exploit the routing table of the ASA.
Recommended Action This message indicates a possible attack and should be monitored. The packet has passed authentication, if enabled, and bad data is in the packet. Monitor the situation and change the keys if there are any doubts about the originator of the packet.
108002
Error Message
%ASA-2-108002: SMTP replaced string: out source_address in inside_address data: string
Explanation A Mail Guard (SMTP) message has been generated by the inspect esmtp command. The ASA has replaced an invalid character in an e-mail address with a space.
Recommended Action None required.
108003
Error Message %ASA-2-108003: Terminating ESMTP/SMTP connection; malicious pattern detected in the mail address from source_interface:source_address/source_port to dest_interface:dest_address/dest_port . Data:string
Explanation The ASA has detected a malicious pattern in an e-mail address and drops the connection. An attack is in progress.
Recommended Action None required.
108004
Error Message %ASA-4-108004: action_class: action ESMTP req_resp from src_ifc:sip |sport to dest_ifc:dip |dport;further_info
Explanation An ESMTP classification is performed on an ESMTP message, and the specified criteria are satisfied. The configured action is taken.
- action_class—The class of action: ESMTP Classification for ESMTP match commands; ESMTP Parameter for parameter commands
- action—Action taken: Dropped, Dropped connection for, Reset connection for, or Masked header flags for
- req_resp—Request or Response
- src_ifc—Source interface name
- sip|sport—Source IP address or source port
- dest_ifc—Destination interface name
- dip|dport—Destination IP address or destination port
- further info—One of the following:
For a single match command: matched Class id : match_command (for example, matched Class 1234: match body length 100).
For parameter commands: parameter-command : descriptive-message (for example, mail-relay: No Mail Relay allowed)
Recommended Action None required.
108005
Error Message %ASA-6-108005: action_class: Received ESMTP req_resp from src_ifc:sip |sport to dest_ifc:dip |dport;further_info
Explanation An ESMTP classification is performed on an ESMTP message, and the specified criteria are satisfied. The standalone log action is taken.
- action_class—The class of action: ESMTP Classification for ESMTP match commands; ESMTP Parameter for parameter commands
- req_resp—Request or Response
- src_ifc—Source interface name
- sip|sport—Source IP address and source port
- dest_ifc—Destination interface name
- dip|dport—Destination IP address and destination port
- further_info—One of the following:
For a single match command: matched Class id : match_command (for example, matched Class 1234: match body length 100)
For parameter commands (commands under the parameter section): parameter-command : descriptive-message (for example, mail-relay: No Mail Relay allowed)
Recommended Action None required.
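Messages 108004 and 108005 share one field layout and are the ones worth turning into structured events in a SIEM, because the further_info part tells you whether a match command or a parameter command fired. The following Python is an added example and not code from this page or from Cisco: the sample lines are constructed to follow the field descriptions above, and the "/" separator between IP address and port is an assumption (the page writes the pair as sip|sport).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines, not taken from the page. The field layout follows
# the 108004/108005 descriptions; the "/" between IP and port is an assumption.
SAMPLE_LOG = """\
%ASA-4-108004: ESMTP Classification: Dropped connection for ESMTP Request from inside:10.1.1.5/51234 to outside:203.0.113.25/25; matched Class 1234: match body length 100
%ASA-4-108004: ESMTP Parameter: Reset connection for ESMTP Request from inside:10.1.1.7/40022 to outside:203.0.113.25/25; mail-relay: No Mail Relay allowed
%ASA-6-108005: ESMTP Classification: Received ESMTP Response from outside:203.0.113.25/25 to inside:10.1.1.5/51234; matched Class 42: match sender-address regex bad_sender
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.9/1 to 10.2.2.2/2 flags SYN on interface inside
"""

HEADER = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msg_id>\d{6}):\s*(?P<body>.*)$")

# Longer action phrases come first so "Dropped" cannot swallow "Dropped connection for".
BODY = re.compile(
    r"^(?P<action_class>ESMTP (?:Classification|Parameter)):\s*"
    r"(?P<action>Dropped connection for|Reset connection for|"
    r"Masked header flags for|Dropped|Received)\s+"
    r"ESMTP (?P<req_resp>Request|Response)\s+"
    r"from (?P<src_ifc>[^:\s]+):(?P<sip>[^/\s]+)/(?P<sport>\d+)\s+"
    r"to (?P<dest_ifc>[^:\s]+):(?P<dip>[^/\s]+)/(?P<dport>\d+);\s*"
    r"(?P<further_info>.*)$"
)

# further_info for a match command: "matched Class <id>: <match command>"
MATCH_INFO = re.compile(r"^matched Class (?P<class_id>\d+):\s*(?P<cmd>.+)$")


@dataclass
class EsmtpEvent:
    msg_id: str
    severity: int
    action_class: str
    action: str
    req_resp: str
    src_ifc: str
    sip: str
    sport: int
    dest_ifc: str
    dip: str
    dport: int
    class_id: Optional[int] = None            # set for "matched Class id: ..." info
    match_command: Optional[str] = None
    parameter_command: Optional[str] = None   # set for "parameter: message" info
    reason: Optional[str] = None


def parse_esmtp_event(line: str) -> Optional[EsmtpEvent]:
    """Return an EsmtpEvent for a 108004/108005 line, or None for anything else."""
    h = HEADER.match(line.strip())
    if not h or h.group("msg_id") not in ("108004", "108005"):
        return None
    b = BODY.match(h.group("body"))
    if not b:
        return None
    ev = EsmtpEvent(
        msg_id=h.group("msg_id"), severity=int(h.group("sev")),
        action_class=b.group("action_class"), action=b.group("action"),
        req_resp=b.group("req_resp"),
        src_ifc=b.group("src_ifc"), sip=b.group("sip"), sport=int(b.group("sport")),
        dest_ifc=b.group("dest_ifc"), dip=b.group("dip"), dport=int(b.group("dport")),
    )
    info = b.group("further_info").strip()
    m = MATCH_INFO.match(info)
    if m:
        ev.class_id = int(m.group("class_id"))
        ev.match_command = m.group("cmd")
    elif ": " in info:
        ev.parameter_command, ev.reason = info.split(": ", 1)
    return ev


def parse_log(text: str) -> List[EsmtpEvent]:
    return [ev for ev in (parse_esmtp_event(l) for l in text.splitlines()) if ev]


def terminated_clients(events: List[EsmtpEvent]) -> List[str]:
    """Source IPs whose connection the ASA dropped or reset (108004 actions only)."""
    return sorted({ev.sip for ev in events
                   if ev.action in ("Dropped connection for", "Reset connection for")})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(ev)
    print("terminated:", terminated_clients(evs))
```

Lines that are not 108004/108005, or that do not fit the layout, return None rather than raising, so the parser can be run over a mixed syslog stream.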
108006
Error Message %ASA-7-108006: Detected ESMTP size violation from src_ifc:sip|sport to dest_ifc:dip|dport; declared size is: decl_size, actual size is act_size.
Explanation This event is generated when the actual size of an ESMTP message exceeds the size the client declared with the SIZE parameter of the MAIL FROM command (RFC 1870).
- src_ifc—Source interface name
- sip|sport—Source IP address and source port
- dest_ifc—Destination interface name
- dip|dport—Destination IP address and destination port
- decl_size—Declared size
- act_size—Actual size
Recommended Action None required.
108007
Error Message %ASA-6-108007: TLS started on ESMTP session between client client-side interface-name:client IP address/client port and server server-side interface-name:server IP address/server port
Explanation On an ESMTP connection, the server has responded with a 220 reply code to the client STARTTLS command. The rest of the session is encrypted, so the ESMTP inspection engine no longer inspects the traffic on this connection.
- client-side interface-name —The name for the interface that faces the client side
- client IP address —The IP address of the client
- client port —The TCP port number for the client
- server-side interface-name —The name for the interface that faces the server side
- server IP address —The IP address of the server
- server port —The TCP port number for the server
Recommended Action Log and review the message. Check whether the ESMTP policy map associated with this connection has the allow-tls action log setting. If not, contact the Cisco TAC.
109001
Error Message %ASA-6-109001: Auth start for user user from inside_address/inside_port to outside_address/outside_port
Explanation The ASA is configured for AAA and detects an authentication request by the specified user.
Recommended Action None required.
109002
Error Message %ASA-6-109002: Auth from inside_address/inside_port to outside_address/outside_port failed (server IP_address failed) on interface interface_name.
Explanation An authentication request failed because the ASA could not contact the specified authentication server.
Recommended Action Check that the authentication daemon is running on the specified authentication server.
109003
Error Message %ASA-6-109003: Auth from inside_address to outside_address/outside_port failed (all servers failed) on interface interface_name, so marking all servers ACTIVE again.
Explanation None of the configured authentication servers responded. The ASA marks all of them ACTIVE again so that the next request retries them.
Recommended Action Ping the authentication servers from the ASA. Make sure that the daemons are running.
109005
Error Message %ASA-6-109005: Authentication succeeded for user user from inside_address/inside_port to outside_address/outside_port on interface interface_name.
Explanation The specified authentication request succeeded.
Recommended Action None required.
109006
Error Message %ASA-6-109006: Authentication failed for user user from inside_address/inside_port to outside_address/outside_port on interface interface_name.
Explanation The specified authentication request failed, possibly because of an incorrect password. The username is hidden when invalid or unknown, but appears when valid or the no logging hide username command has been configured.
Recommended Action None required.
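A run of 109006 messages from one source against many usernames, followed by a 109005 success from the same source, is the pattern password spraying leaves in these logs. The following Python is an added example of that detection logic, not code from this page or from Cisco: the log lines are constructed, the "Mon DD YYYY HH:MM:SS:" prefix assumes timestamps are enabled, and the usernames assume no logging hide username is in effect (with hiding on, the user field would not carry the real name).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample log, not from the page. Timestamp prefix assumes the
# "Mon DD YYYY HH:MM:SS: %ASA-..." form; usernames assume "no logging hide username".
SAMPLE_LOG = """\
Mar 10 2024 12:00:01: %ASA-6-109006: Authentication failed for user alice from 10.1.1.5/51234 to 203.0.113.9/80 on interface inside.
Mar 10 2024 12:00:03: %ASA-6-109006: Authentication failed for user bob from 10.1.1.5/51235 to 203.0.113.9/80 on interface inside.
Mar 10 2024 12:00:04: %ASA-6-109006: Authentication failed for user frank from 10.1.1.8/40000 to 203.0.113.9/80 on interface inside.
Mar 10 2024 12:00:06: %ASA-6-109006: Authentication failed for user carol from 10.1.1.5/51236 to 203.0.113.9/80 on interface inside.
Mar 10 2024 12:00:09: %ASA-6-109006: Authentication failed for user dave from 10.1.1.5/51237 to 203.0.113.9/80 on interface inside.
Mar 10 2024 12:00:12: %ASA-6-109006: Authentication failed for user erin from 10.1.1.5/51238 to 203.0.113.9/80 on interface inside.
Mar 10 2024 12:00:20: %ASA-6-109005: Authentication succeeded for user erin from 10.1.1.5/51240 to 203.0.113.9/80 on interface inside.
Mar 10 2024 12:05:00: %ASA-6-109006: Authentication failed for user alice from 10.1.1.5/51300 to 203.0.113.9/80 on interface inside.
"""

# Matches only 109005 (success) and 109006 (failure); everything else is skipped.
LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<msg_id>10900[56]): "
    r"Authentication (?:failed|succeeded) for user (?P<user>\S+) "
    r"from (?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/\d+ on interface (?P<ifc>\S+?)\.?$"
)


def detect_auth_abuse(lines: List[str], threshold: int = 5, window_s: int = 60) -> List[dict]:
    """Flag a source that accumulates `threshold` 109006 failures inside `window_s`
    seconds, and any 109005 success from a source whose burst is still live."""
    window = timedelta(seconds=window_s)
    failures: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[dict] = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        src, user = m.group("src"), m.group("user")
        q = failures[src]
        while q and ts - q[0][0] > window:
            q.popleft()                      # drop failures that left the sliding window
        if m.group("msg_id") == "109006":
            q.append((ts, user))
            if len(q) == threshold:          # alert once per crossing of the threshold
                alerts.append({"kind": "burst", "src": src, "at": ts,
                               "failures": len(q),
                               "distinct_users": len({u for _, u in q})})
        elif len(q) >= threshold:            # a success while the burst is still live
            alerts.append({"kind": "success_after_burst", "src": src,
                           "at": ts, "user": user})
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_abuse(SAMPLE_LOG.splitlines()):
        print(alert)
```

The distinct_users count separates spraying (many users, one source) from a single user mistyping a password; the final line of the sample, five minutes later, shows the window emptying so that an old burst does not keep firing.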
109007
Error Message %ASA-6-109007: Authorization permitted for user user from inside_address/inside_port to outside_address/outside_port on interface interface_name.
Explanation The specified authorization request succeeded.
Recommended Action None required.
109008
Error Message %ASA-6-109008: Authorization denied for user user from outside_address/outside_port to inside_address/inside_port on interface interface_name.
Explanation A user is not authorized to access the specified address, possibly because of an incorrect password.
Recommended Action None required.
109010
Error Message %ASA-3-109010: Auth from inside_address/inside_port to outside_address/outside_port failed (too many pending auths) on interface interface_name.
Explanation An authentication request cannot be processed because the server has too many requests pending.
Recommended Action Check to see if the authentication server is too slow to respond to authentication requests. Enable the Flood Defender feature with the floodguard enable command.
109011
Error Message %ASA-2-109011: Authen Session Start: user 'user', sid number
Explanation An authentication session started between the host and the Secure Firewall ASA and has not yet completed.
Recommended Action None required.
109012
Error Message %ASA-5-109012: Authen Session End: user 'user', sid number, elapsed number seconds
Explanation The authentication cache has timed out. Users must reauthenticate on their next connection. You can change the duration of this timer with the timeout uauth command.
Recommended Action None required.
109013
Error Message %ASA-3-109013: User must authenticate before using this service
Explanation The user must be authenticated before using the service.
Recommended Action Authenticate using FTP, Telnet, or HTTP before using the service.
109014
Error Message %ASA-7-109014: A non-Telnet connection was denied to the configured virtual Telnet IP address.
Explanation A request to authenticate did not have a corresponding request for authorization.
Recommended Action Ensure that both the aaa authentication and aaa authorization command statements are included in the configuration.
109016
Error Message %ASA-3-109016: Can't find authorization ACL acl_ID for user 'user'
Explanation The ACL specified on the AAA server for this user does not exist on the Secure Firewall ASA. This error can occur if you configure the AAA server before you configure the Secure Firewall ASA. The Vendor-Specific Attribute (VSA) on your AAA server might be one of the following values:
- acl=acl_ID
- shell:acl=acl_ID
- ACS:CiscoSecure-Defined-ACL=acl_ID
Recommended Action Add the ACL to the Secure Firewall ASA, making sure to use the same name specified on the AAA server.
109017
Error Message
%ASA-4-109017: User at IP_address exceeded auth proxy connection limit (max)
Explanation A user has exceeded the user authentication proxy limit, and has opened too many connections to the proxy.
Recommended Action Increase the proxy limit by entering the proxy-limit proxy_limit command, or ask the user to close unused connections. If the error persists, it may indicate a possible DoS attack.
109018
Error Message %ASA-3-109018: Downloaded ACL acl_ID is empty
Explanation The downloaded authorization has no ACEs. This situation might be caused by misspelling the attribute string ip:inacl# or by omitting the access-list text after the equals sign, as in these two examples:
- junk:junk#1=permit tcp any any eq junk
- ip:inacl#1=
Recommended Action Correct the ACL components that have the indicated error on the AAA server.
109019
Error Message %ASA-3-109019: Downloaded ACL acl_ID has parsing error; ACE string
Explanation An error occurred while parsing the sequence number NNN in the attribute string ip:inacl#NNN= of a downloaded authorization. The reasons include:
- a missing =
- nonnumeric, nonspace characters between # and =
- NNN greater than 999999999
The following strings produce this error, one for each reason:
- ip:inacl#1 permit tcp any any
- ip:inacl#1junk2=permit tcp any any
- ip:inacl#1000000000=permit tcp any any
Recommended Action Correct the ACL element that has the indicated error on the AAA server.
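The rules in 109018 and 109019, together with the configuration check behind 109020, can be written down as a validator that tells you which message a given RADIUS attribute string would trigger before it ever reaches the firewall. The following Python is an added example and not the ASA's parser or any Cisco code: the access-list grammar it accepts ({permit|deny} PROTO SRC DST [eq PORT] [log]) is a deliberately small subset and an assumption, and the inputs are the page's own bad strings plus constructed valid ones.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_SEQ = 999_999_999          # largest NNN allowed in ip:inacl#NNN= (109019)
ATTR_PREFIX = "ip:inacl#"
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}   # assumption: the subset this example accepts
IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


@dataclass
class AceCheck:
    attribute: str
    seq: Optional[int] = None
    ace: Optional[str] = None
    error: Optional[str] = None    # prefixed with the syslog ID the ASA would emit

    @property
    def ok(self) -> bool:
        return self.error is None


def _is_ipv4(tok: str) -> bool:
    m = IPV4.match(tok)
    return bool(m) and all(int(o) <= 255 for o in m.groups())


def _take_address(tokens: List[str]) -> List[str]:
    """Consume one address spec (any | host A.B.C.D | A.B.C.D MASK); return the rest."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "any":
        return tokens[1:]
    if tokens[0] == "host":
        if len(tokens) < 2 or not _is_ipv4(tokens[1]):
            raise ValueError("host needs an IPv4 address")
        return tokens[2:]
    if len(tokens) >= 2 and _is_ipv4(tokens[0]) and _is_ipv4(tokens[1]):
        return tokens[2:]
    raise ValueError("bad address %r" % tokens[0])


def _check_ace_syntax(ace: str) -> None:
    """Simplified grammar (an assumption, not the ASA parser):
    {permit|deny} PROTO SRC DST [eq PORT] [log]. Raises ValueError on error."""
    tokens = ace.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError("ACE must start with permit|deny PROTO SRC DST")
    if tokens[1] not in PROTOCOLS and not tokens[1].isdigit():
        raise ValueError("unknown protocol %r" % tokens[1])
    rest = _take_address(_take_address(tokens[2:]))
    if rest and rest[0] == "eq":
        if len(rest) < 2:
            raise ValueError("eq needs a port")
        rest = rest[2:]
    if rest and rest != ["log"]:
        raise ValueError("unexpected tokens %r" % rest)


def check_attribute(attr: str) -> AceCheck:
    """Apply the 109018/109019/109020 rules to one attribute string."""
    res = AceCheck(attribute=attr)
    if not attr.startswith(ATTR_PREFIX):
        res.error = "109018 downloaded ACL is empty: attribute is not ip:inacl#"
        return res
    rest = attr[len(ATTR_PREFIX):]
    if "=" not in rest:
        res.error = "109019 parsing error: missing ="
        return res
    seq_text, ace = rest.split("=", 1)
    seq_text = seq_text.strip()              # spaces between # and = are tolerated
    if not seq_text.isdigit():
        res.error = "109019 parsing error: nonnumeric characters between # and ="
        return res
    res.seq = int(seq_text)
    if res.seq > MAX_SEQ:
        res.error = "109019 parsing error: sequence number exceeds %d" % MAX_SEQ
        return res
    res.ace = ace.strip()
    if not res.ace:
        res.error = "109018 downloaded ACL is empty: no access-list text after ="
        return res
    try:
        _check_ace_syntax(res.ace)
    except ValueError as exc:
        res.error = "109020 config error: %s" % exc
    return res


def build_downloaded_acl(attrs: List[str]) -> List[str]:
    """Installable ACEs in sequence-number order, skipping rejected attributes."""
    good = [r for r in map(check_attribute, attrs) if r.ok]
    return [r.ace for r in sorted(good, key=lambda r: r.seq)]


if __name__ == "__main__":
    # Constructed inputs; the first five reproduce the page's own bad examples.
    for a in ["ip:inacl#1 permit tcp any any", "ip:inacl#1junk2=permit tcp any any",
              "ip:inacl#1000000000=permit tcp any any", "junk:junk#1=permit tcp any any eq junk",
              "ip:inacl#1=", "ip:inacl#20=permit foo any any",
              "ip:inacl#10=permit tcp host 10.1.1.5 any eq 443"]:
        print(check_attribute(a))
```

The error string carries the syslog ID first, so a RADIUS administrator can map a rejected attribute straight to the message the ASA would have logged.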
109020
Error Message %ASA-3-109020: Downloaded ACL has config error; ACE
Explanation One of the components of the downloaded authorization has a configuration error. The entire text of the element is included in the message. This message is usually caused by an invalid access-list command statement.
Recommended Action Correct the ACL component that has the indicated error on the AAA server.
109021
Error Message %ASA-7-109021: Uauth null proxy error
Explanation An internal user authentication error has occurred.
Recommended Action None required. However, if this error appears repeatedly, contact the Cisco TAC.
109022
Error Message %ASA-4-109022: exceeded HTTPS proxy process limit
Explanation For each HTTPS authentication, the ASA dedicates a process to service the authentication request. When the number of concurrently running processes exceeds the system-imposed limit, the ASA does not perform the authentication, and this message appears.
Recommended Action None required.
109023
Error Message %ASA-3-109023: User from source_address/source_port to dest_address/dest_port on interface outside_interface must authenticate before using this service.
Explanation Based on the configured policies, you need to be authenticated before you can use this service port.
Recommended Action Authenticate using Telnet, FTP, or HTTP before attempting to use this service port.
109024
Error Message %ASA-6-109024: Authorization denied from source_address/source_port to dest_address/dest_port (not authenticated) on interface interface_name using protocol
Explanation The ASA is configured for AAA and a user attempted to make a TCP connection across the ASA without prior authentication.
Recommended Action None required.
109025
Error Message %ASA-6-109025: Authorization denied (acl=acl_ID) for user 'user' from source_address/source_port to dest_address/dest_port on interface interface_name using protocol
Explanation The authorization check failed: the connection either matched a deny entry or matched nothing and fell through to the implicit deny. The connection was denied by the user ACL acl_ID, which was defined according to the AAA authorization policy on the Cisco Secure Access Control Server (ACS).
Recommended Action None required.
109026
Error Message %ASA-3-109026: [aaa protocol] Invalid reply digest received; shared server key may be mismatched.
Explanation The response from the AAA server cannot be validated. The configured server key is probably incorrect. This message may be generated during transactions with RADIUS or TACACS+ servers.
Recommended Action Verify that the server key, configured using the aaa-server command, is correct.
109027
Error Message %ASA-4-109027: [aaa protocol] Unable to decipher response message Server = server_IP_address, User = user
Explanation The response from the AAA server cannot be validated. The configured server key is probably incorrect. This message may be displayed during transactions with RADIUS or TACACS+ servers. The server_IP_address is the IP address of the relevant AAA server. The user is the user name associated with the connection.
Recommended Action Verify that the server key, configured using the aaa-server command, is correct.
109028
Error Message %ASA-4-109028: aaa bypassed for same-security traffic from ingress_interface:source_address/source_port to egress_interface:dest_address/dest_port
Explanation AAA is being bypassed for same-security traffic that matches a configured AAA rule. This can only occur when traffic passes between two interfaces that have the same configured security level, when same-security traffic is permitted, and when the AAA configuration uses the include or exclude syntax.
Recommended Action None required.
109029
Error Message %ASA-5-109029: Parsing downloaded ACL: string
Explanation A syntax error occurred while parsing an access list that was downloaded from a RADIUS server during user authentication.
- string —An error message detailing the syntax error that prevented the access list from parsing correctly
Recommended Action Use the information presented in this message to identify and correct the syntax error in the access list definition within the RADIUS server configuration.
109030
Error Message %ASA-4-109030: Autodetect ACL convert wildcard did not convert ACL access_list source|dest netmask netmask.
Explanation A dynamic ACL that is configured on a RADIUS server is not converted by the mechanism for automatically detecting wildcard netmasks. The problem occurs because this mechanism cannot determine whether the netmask is a wildcard or a normal netmask.
- access_list—The access list that cannot be converted
- source—The source IP address
- dest—The destination IP address
- netmask—The subnet mask for the destination or source address in dotted-decimal notation
Recommended Action Check the access list netmask on the RADIUS server for the wildcard configuration. If the netmask is supposed to be a wildcard, and if all access list netmasks on that server are wildcards, then use the wildcard setting for acl-netmask-convert for the AAA server. Otherwise, change the netmask to a normal netmask or to a wildcard netmask that does not contain holes (that is, a wildcard whose binary 1s are consecutive from the least significant bit, for example 00000000.00000000.00011111.11111111, which is 0.0.31.255 in dotted-decimal notation). If the mask is supposed to be normal and all access list netmasks on that server are normal, then use the normal setting for acl-netmask-convert for the AAA server.
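The three acl-netmask-convert settings and the "no holes" condition above come down to a few bit operations: a normal netmask has its 1 bits contiguous from the most significant end, a usable wildcard has them contiguous from the least significant end, and a mask with holes satisfies neither. The following Python is an added example and not Cisco code: the rule that auto-detect treats 0.0.0.0 and 255.255.255.255 as undecidable (both readings are valid but mean different things, a host versus the whole address space) is this example's choice, and the ACE rewriter assumes a {permit|deny} PROTO SRC DST ... token layout.

```python
import ipaddress
from typing import List

ALL_ONES = 0xFFFFFFFF


def _mask_int(mask: str) -> int:
    return int(ipaddress.IPv4Address(mask))


def _int_mask(value: int) -> str:
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def is_normal_netmask(mask: str) -> bool:
    """1 bits contiguous from the most significant bit (e.g. 255.255.224.0)."""
    inv = (~_mask_int(mask)) & ALL_ONES
    return inv & (inv + 1) == 0


def is_wildcard_netmask(mask: str) -> bool:
    """1 bits contiguous from the least significant bit, no holes (e.g. 0.0.31.255)."""
    v = _mask_int(mask)
    return v & (v + 1) == 0


def classify(mask: str) -> str:
    """'normal', 'wildcard', 'ambiguous' (valid either way) or 'holes' (valid neither way)."""
    n, w = is_normal_netmask(mask), is_wildcard_netmask(mask)
    if n and w:
        return "ambiguous"      # only 0.0.0.0 and 255.255.255.255
    if n:
        return "normal"
    if w:
        return "wildcard"
    return "holes"


def to_normal(mask: str, convert: str = "auto-detect") -> str:
    """Mask to install, as a normal netmask, under one of the three convert settings:
    'normal' (trust as is), 'wildcard' (always invert), 'auto-detect' (decide from
    the bit pattern). Raises ValueError where auto-detect cannot decide, which is
    the 109030 case; treating the two ambiguous masks as undecidable is this
    example's choice, not documented ASA behaviour."""
    if convert == "normal":
        return mask
    if convert == "wildcard":
        return _int_mask(~_mask_int(mask))
    if convert != "auto-detect":
        raise ValueError("unknown convert mode %r" % convert)
    kind = classify(mask)
    if kind == "normal":
        return mask
    if kind == "wildcard":
        return _int_mask(~_mask_int(mask))
    raise ValueError("109030: autodetect did not convert netmask %s (%s)" % (mask, kind))


def convert_ace(ace: str, convert: str = "auto-detect") -> str:
    """Rewrite every 'ADDR MASK' pair in a simple ACE; other tokens pass through."""
    tokens = ace.split()
    out: List[str] = tokens[:2]          # permit|deny PROTO
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "host":                # host A.B.C.D carries no mask
            out.extend(tokens[i:i + 2])
            i += 2
        elif tok[0].isdigit() and i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
            out.append(tok)              # ADDR followed by MASK
            out.append(to_normal(tokens[i + 1], convert))
            i += 2
        else:
            out.append(tok)              # any, eq, port numbers, log, ...
            i += 1
    return " ".join(out)


if __name__ == "__main__":
    for m in ("255.255.255.0", "0.0.31.255", "0.0.0.0", "0.0.255.0"):
        print(m, classify(m))
    print(convert_ace("permit tcp 10.1.0.0 0.0.255.255 any eq 443"))
```

Running classify over every mask a RADIUS server hands out is a quick way to decide which acl-netmask-convert setting is safe for that server: if the set is all "normal" or all "wildcard" the fixed setting is correct, and any "holes" result is a mask that needs fixing on the server whatever the setting.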
109031
Error Message %ASA-4-109031: NT Domain Authentication Failed: rejecting guest login for username.
Explanation A user has tried to authenticate to an NT domain that was configured for guest account access and the username is not a valid username on the NT server. The connection is denied.
Recommended Action If the user is a valid user, add an account to the NT server. If the user is not allowed access, no action is required.
109032
Error Message %ASA-3-109032: Unable to install ACL access_list, downloaded for user username; Error in ACE: ace.
Explanation The Secure Firewall ASA received an access control list from a RADIUS server to apply to a user connection, but an entry in the list contains a syntax error. The use of a list containing an error could result in the violation of a security policy, so the Secure Firewall ASA failed to authenticate the user.
- access_list —The name assigned to the dynamic access list as it would appear in the output of the show access-list command
- username —The name of the user whose connection will be subject to this access list
- ace —The access list entry that was being processed when the error was detected
Recommended Action Correct the access list definition in the RADIUS server configuration.
109033
Error Message %ASA-4-109033: Authentication failed for admin user user from src_IP. Interactive challenge processing is not supported for protocol connections
Explanation AAA challenge processing was triggered during authentication of an administrative connection, but the Secure Firewall ASA cannot initiate interactive challenge processing with the client application. When this occurs, the authentication attempt will be rejected and the connection denied.
- user —The name of the user being authenticated
- src_IP —The IP address of the client host
- protocol —The client connection protocol (SSH v1 or administrative HTTP)
Recommended Action Reconfigure AAA so that challenge processing does not occur for these connection types. This generally means to avoid authenticating these connection types to RSA SecurID servers or to any token-based AAA server via RADIUS.
109034
Error Message %ASA-4-109034: Authentication failed for network user user from src_IP/port to dst_IP/port. Interactive challenge processing is not supported for protocol connections
Explanation AAA challenge processing was triggered during authentication of a network connection, but the Secure Firewall ASA cannot initiate interactive challenge processing with the client application. When this occurs, the authentication attempt will be rejected and the connection denied.
- user —The name of the user being authenticated
- src_IP/port —The IP address and port of the client host
- dst_IP/port —The IP address and port of the server to which the client is attempting to connect
- protocol —The client connection protocol (for example, FTP)
Recommended Action Reconfigure AAA so that challenge processing does not occur for these connection types. This generally means to avoid authenticating these connection types to RSA SecurID servers or to any token-based AAA server via RADIUS.
109035
Error Message %ASA-3-109035: Exceeded maximum number (<max_num>) of DAP attribute instances for user <user>
Explanation This log is generated when the number of DAP attributes received from the RADIUS server exceeds the maximum number allowed when authenticating a connection for the specified user.
Recommended Action Modify the DAP attribute configuration to reduce the number of DAP attributes below the maximum number allowed as specified in the log so that the specified user can connect.
109036
Error Message %ASA-6-109036: Exceeded 1000 attribute values for the attribute name attribute for user username.
Explanation The LDAP response message contains an attribute that has more than 1000 values.
- attribute_name —The LDAP attribute name
- username —The username at login
Recommended Action None required.
109037
Error Message %ASA-3-109037: Exceeded 5000 attribute values for the attribute name attribute for user username.
Explanation The Secure Firewall ASA supports multiple values of the same attribute received from a AAA server. If the AAA server sends a response containing more than 5000 values for the same attribute, then the Secure Firewall ASA treats this response message as being malformed and rejects the authentication. This condition has only been seen in lab environments using specialized test tools. It is unlikely that the condition would occur in a real-world production network.
- attribute_name —The LDAP attribute name
- username —The username at login
Recommended Action Capture the authentication traffic between the Secure Firewall ASA and the AAA server using a protocol sniffer (such as Wireshark), then forward the trace file to the Cisco TAC for analysis.
109038
Error Message %ASA-3-109038: Attribute internal-attribute-name value string-from-server from AAA server could not be parsed as a type
Explanation The AAA subsystem tried to parse an attribute from the AAA server into an internal representation and failed.
- internal-attribute-name —String representation of the attribute name
- string-from-server —String received from the AAA server, truncated to 40 characters
- type —The type of the specified attribute
Recommended Action Verify that the attribute is being generated correctly on the AAA server. For additional information, use the debug ldap and debug radius commands.
109039
Error Message %ASA-5-109039: AAA Authentication:Dropping an unsupported IPv6/IP46/IP64 packet from lifc:laddr to fifc:faddr
Explanation A packet containing IPv6 addresses or IPv4 addresses translated to IPv6 addresses by NAT requires AAA authentication or authorization. AAA authentication and authorization do not support IPv6 addresses. The packet is dropped.
- lifc —The ingress interface
- laddr —The source IP address
- fifc —The egress interface
- faddr —The destination IP address after NAT translation, if any
Recommended Action None required.
109040
Error Message %ASA-4-109040: User at IP exceeded auth proxy rate limit of 10 connections/sec
Explanation A connection attempt has been rejected because the ASA has detected a high frequency of HTTPS authentication requests from the same host.
- IP —The IP address of the host from which the connection was initiated
Recommended Action Limit the number of cut-through proxy authentication attempts from users.
109100
Error Message %ASA-6-109100: Received CoA update from coa-source-ip for user username, with session ID: audit-session-id, changing authorization attributes
Explanation The Secure Firewall ASA has successfully processed the CoA policy update request from coa-source-ip for user username with session id audit-session-id . This syslog message is generated after a change of authorization policy update has been received by the Secure Firewall ASA, validated and applied. In a non-error case, this is the only syslog message that is generated when a change of authorization is received and processed.
- coa-source-ip —Originating IP address of the change of authorization request
- username —User whose session is being changed
- audit-session-id —The global ID of the session being modified
Recommended Action None required.
109101
Error Message %ASA-6-109101: Received CoA disconnect request from coa-source-ip for user username, with audit-session-id: audit-session-id
Explanation The Secure Firewall ASA has received a correctly formatted Disconnect-Request for an active VPN session and has successfully terminated the connection.
- coa-source-ip —Originating IP address of the change of authorization request
- username —User whose session is being changed
- audit-session-id —The global ID of the session being modified
Recommended Action None required.
109102
Error Message %ASA-4-109102: Received CoA action-type from coa-source-ip, but cannot find named session audit-session-id
Explanation The Secure Firewall ASA has received a valid change of authorization request, but the session ID specified in the request does not match any active sessions on the Secure Firewall ASA. This could be the result of the change of authorization server attempting to issue a change of authorization on a session that has already been closed by the user.
- action-type —The requested change of authorization action (update or disconnect)
- coa-source-ip —Originating IP address of the change of authorization request
- audit-session-id —The global ID of the session being modified
Recommended Action None required.
109103
Error Message %ASA-3-109103: CoA action-type from coa-source-ip failed for user username, with session ID: audit-session-id.
Explanation The Secure Firewall ASA has received a correctly formatted change of authorization request, but was unable to process it successfully.
- action-type —The requested change of authorization action (update or disconnect)
- coa-source-ip —Originating IP address of the change of authorization request
- username —User whose session is being changed
- audit-session-id —The global ID of the session being modified
Recommended Action Investigate the relevant VPN subsystem logs to determine why the updated attributes could not be applied or why the session could not be terminated.
109104
Error Message %ASA-3-109104: CoA action-type from coa-source-ip failed for user username, session ID: audit-session-id. Action not supported.
Explanation The Secure Firewall ASA has received a correctly formatted change of authorization request, but did not process it because the indicated action is not supported by the Secure Firewall ASA.
- action-type —The requested change of authorization action (update or disconnect)
- coa-source-ip —Originating IP address of the change of authorization request
- username —User whose session is being changed
- audit-session-id —The global ID of the session being modified
Recommended Action None required.
109105
Error Message %ASA-3-109105: Failed to determine the egress interface for locally generated traffic destined to <protocol> <IP>:<port>.
Explanation The Secure Firewall ASA could not determine the egress interface for traffic that it generated itself. This is logged when no route to the destination exists and the interface is a BVI. If a default route exists but does not send the packet out of the correct interface, the packet cannot be tracked.
Recommended Action Add a default route or static routes that reach the destination through the correct interface.
109201
Error Message %ASA-5-109201: UAUTH Session session, User username, Assigned IP IP Address, Succeeded adding entry.
Explanation This message is generated when a VPN user entry is successfully added.
Recommended Action None.
109202
Error Message %ASA-6-109202: UAUTH Session session, User username, Assigned IP IP Address, Succeeded incrementing entry use.
Explanation The VPN user entry already exists and its reference count was successfully incremented.
Recommended Action None.
109203
Error Message %ASA-3-109203: UAUTH Session session, User username, Assigned IP IP Address, Failed adding entry.
Explanation This message is generated when the device failed to apply the ACL rules for a newly created user entry.
Recommended Action Try to reconnect.
109204
Error Message %ASA-5-109204: UAUTH Session session, User username, Assigned IP IP Address, Succeeded applying filter.
Explanation This message is generated when the device successfully applied the ACL rules (filter) for a newly created user entry.
Recommended Action None.
109205
Error Message %ASA-3-109205: UAUTH Session session, User username, Assigned IP IP Address, Failed applying filter.
Explanation This message is generated when the user entry already exists and the new rules could not be applied to the session on the interface.
Recommended Action Try to reconnect.
109206
Error Message %ASA-3-109206: UAUTH Session session, User username, Assigned IP IP Address, Removing stale entry added hours ago.
Explanation This message is generated when the device could not add the user entry because it collided with an existing entry, and has removed the stale entry.
Recommended Action Try to reconnect.
109207
Error Message %ASA-5-109207: UAUTH Session session, User username, Assigned IP IP Address, Succeeded updating entry.
Explanation This message is generated when the device has successfully applied the rules for the user on the interface.
Recommended Action None.
109208
Error Message %ASA-3-109208: UAUTH Session session, User username, Assigned IP IP Address, Failed updating entry - no entry.
Explanation This message is generated when the device has failed to update the user entry with new rules because no entry exists.
Recommended Action Try to reconnect.
109209
Error Message %ASA-3-109209: UAUTH Session session, User username, Assigned IP IP Address, Failed updating filter for entry.
Explanation This message is generated when the device has failed to update the rules in the user entry because of a collision.
Recommended Action Try to reconnect.
109210
Error Message %ASA-5-109210: UAUTH Session session, User username, Assigned IP IP Address, Successfully removed the rules for user during tunnel torn down.
Explanation This message is generated when the device has successfully removed the rules for the user during tunnel teardown.
Recommended Action None.
109211
Error Message %ASA-6-109211: UAUTH Session session, User username, Assigned IP IP Address, Successfully removed the rules for user during tunnel torn down.
Explanation This message is generated when the reference count was successfully decremented after tunnel removal.
Recommended Action None.
109212
Error Message %ASA-3-109212: UAUTH Session session, User username, Assigned IP IP Address, Failed removing entry.
Explanation This message is generated when the device fails to delete the user entry because of an invalid address or a bad entry.
Recommended Action Try to disconnect again.
109213
Error Message %ASA-3-109213: UAUTH Session session, User username, Assigned IP IP Address, Failed removing entry.
Explanation This message is generated when the device fails to delete the user entry because of a collision in the user entry.
Recommended Action Try to disconnect again.