Messages 302003 to 319004
This chapter includes messages from 302003 to 319004.
302003
Error Message
%FTD-6-302003: Built H245 connection for foreign_address outside_address /outside_port local_address inside_address /inside_port
Explanation An H.245 connection has been started from the outside_address to the inside_address. The Secure Firewall Threat Defense device has detected the use of an Intel Internet Phone. The foreign port (outside_port) only appears on connections from outside the Secure Firewall Threat Defense device. The local port value (inside_port) only appears on connections that were started on an internal interface.
Recommended Action None required.
302004
Error Message %FTD-6-302004: Pre-allocate H323 UDP backconnection for foreign_address outside_address /outside_port to local_address inside_address /inside_port
Explanation An H.323 UDP back connection has been preallocated to the foreign address (outside_address) from the local address (inside_address). The Secure Firewall Threat Defense device has detected the use of an Intel Internet Phone. The foreign port (outside_port) only appears on connections from outside the Secure Firewall Threat Defense device. The local port value (inside_port) only appears on connections that were started on an internal interface.
Recommended Action None required.
302010
Error Message %FTD-6-302010: connections in use, connections most used
Explanation Provides information on the number of connections that are in use and most used.
- connections—The number of connections
Recommended Action None required.
302012
Error Message %FTD-6-302012: Pre-allocate H225 Call Signalling Connection for faddr IP_address /port to laddr IP_address
Explanation An H.225 secondary channel has been preallocated.
Recommended Action None required.
302013
Error Message %FTD-6-302013: Built {inbound|outbound} [Probe] TCP connection_id for interface :real-address /real-port (mapped-address/mapped-port ) [(idfw_user )] to interface :real-address /real-port (mapped-address/mapped-port ) [(idfw_user )] [(user )]
Explanation A TCP connection slot between two hosts was created.
- probe—Indicates the TCP connection is a probe connection
- connection_id —A unique identifier
- interface, real-address, real-port—The actual sockets
- mapped-address, mapped-port—The mapped sockets
- user—The AAA name of the user
- idfw_user—The name of the identity firewall user
If inbound is specified, the original control connection was initiated from the outside. For example, for FTP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, the original control connection was initiated from the inside.
Recommended Action None required.
302014
Error Message %FTD-6-302014: Teardown [Probe] TCP connection id for interface :real-address /real-port [(idfw_user )] to interface :real-address /real-port [(idfw_user )] duration hh:mm:ss bytes bytes [reason [from teardown-initiator]] [(user )]
Explanation A TCP connection between two hosts was deleted. The following list describes the message values:
- probe—Indicates the TCP connection is a probe connection
- id—A unique identifier
- interface, real-address, real-port—The actual socket
- duration—The lifetime of the connection
- bytes—The data transfer of the connection
- user—The AAA name of the user
- idfw_user—The name of the identity firewall user
- reason—The action that causes the connection to terminate. Set the reason variable to one of the TCP termination reasons listed in the following table.
- teardown-initiator—Interface name of the side that initiated the teardown.
| Reason | Description |
|---|---|
| Conn-timeout | The connection ended when a flow is closed because of the expiration of its inactivity timer. |
| Deny Terminate | Flow was terminated by application inspection. |
| Failover primary closed | The standby unit in a failover pair deleted a connection because of a message received from the active unit. |
| FIN Timeout | Force termination after 10 minutes awaiting the last ACK or after half-closed timeout. |
| Flow closed by inspection | Flow was terminated by the inspection feature. |
| Flow terminated by IPS | Flow was terminated by IPS. |
| Flow reset by IPS | Flow was reset by IPS. |
| Flow terminated by TCP Intercept | Flow was terminated by TCP Intercept. |
| Flow timed out | Flow has timed out. |
| Flow timed out with reset | Flow has timed out, but was reset. |
| Flow is a loopback | Flow is a loopback. |
| Free the flow created as result of packet injection | The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall Threat Defense device. |
| Invalid SYN | The SYN packet was not valid. |
| IPS fail-close | Flow was terminated because the IPS card is down. |
| No interfaces associated with zone | Flows were torn down after the “no nameif” or “no zone-member” leaves a zone with no interface members. |
| No valid adjacency | This counter is incremented when the Secure Firewall Threat Defense device tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped. |
| Pinhole Timeout | The counter is incremented to report that the Secure Firewall Threat Defense device opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel. |
| Probe maximum retries of retransmission exceeded | The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission. |
| Probe maximum retransmission time elapsed | The connection was torn down because the maximum probing time for TCP packet had elapsed. |
| Probe received RST | The connection was torn down because probe connection received RST from server. |
| Probe received FIN | The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed. |
| Probe completed | The probe connection was successful. |
| Route change | When the Secure Firewall Threat Defense device adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0. |
| SYN Control | A back channel initiation occurred from the wrong side. |
| SYN Timeout | Force termination after 30 seconds, awaiting three-way handshake completion. |
| TCP bad retransmission | The connection was terminated because of a bad TCP retransmission. |
| TCP FINs | A normal close-down sequence occurred. |
| TCP Invalid SYN | Invalid TCP SYN packet. |
| TCP Reset - APPLIANCE | The flow is closed when a TCP reset is generated by the Secure Firewall Threat Defense device. |
| TCP Reset - I | Reset was from the inside. |
| TCP Reset - O | Reset was from the outside. |
| TCP segment partial overlap | A partially overlapping segment was detected. |
| TCP unexpected window size variation | A connection was terminated due to variation in the TCP window size. |
| Tunnel has been torn down | Flow was terminated because the tunnel is down. |
| Unauth Deny | An authorization was denied by a URL filter. |
| Unknown | An unknown error has occurred. |
| VPN reclassify failed | When connections fail to be reclassified for passing through a VPN tunnel. |
| Xlate Clear | A command line was removed. |
Recommended Action None required.
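Added example, not part of the vendor documentation: a Python parser that pairs each 302014 teardown with its 302013 build by connection id and groups the teardown reasons from the table above for triage. The sample log lines, the syslog prefix, the interface names (inside, outside), the addresses, and the split of reasons into "enforced" and "anomalous" are assumptions made for this illustration.

```python
import re
from collections import Counter

# Reason strings are copied from the 302014 table above; splitting them into
# two triage groups is this example's assumption.
ENFORCED = {"Deny Terminate", "Flow closed by inspection", "Flow terminated by IPS",
            "Flow reset by IPS", "Flow terminated by TCP Intercept", "Unauth Deny"}
ANOMALOUS = {"Invalid SYN", "TCP Invalid SYN", "SYN Control", "SYN Timeout",
             "TCP bad retransmission", "TCP segment partial overlap",
             "TCP unexpected window size variation"}

def _endpoint(prefix):
    # interface:real-address/real-port. Only the first ':' splits, so IPv6 works.
    # Trailing parentheticals (mapped socket, idfw_user, user) are skipped.
    return (rf"(?P<{prefix}_if>[^:\s]+):(?P<{prefix}_ip>[^/\s]+)/(?P<{prefix}_port>\d+)"
            r"(?:\s*\([^)]*\))*")

BUILT_RE = re.compile(
    r"%FTD-6-302013: Built (?P<direction>inbound|outbound) (?:Probe )?"
    r"TCP connection (?P<id>\d+) for " + _endpoint("a") + " to " + _endpoint("b") + r"\s*$")
TEARDOWN_RE = re.compile(
    r"%FTD-6-302014: Teardown (?:Probe )?TCP connection (?P<id>\d+) for "
    + _endpoint("a") + " to " + _endpoint("b")
    + r" duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)(?: (?P<tail>.*))?$")
# Tail layout from the message format: [reason [from teardown-initiator]] [(user)]
TAIL_RE = re.compile(
    r"^(?P<reason>.*?)(?: from (?P<initiator>\S+))?(?: \((?P<user>[^)]*)\))?$")

def classify(reason):
    if reason in ENFORCED:
        return "enforced"     # closed by inspection, IPS, TCP Intercept or a URL filter
    if reason in ANOMALOUS:
        return "anomalous"    # handshake or TCP state problem
    return "other"

def correlate(lines):
    """Pair each 302014 teardown with its 302013 build by connection id.

    Returns (flows, open_ids): one dict per teardown, plus ids built but not torn down.
    """
    built, flows = {}, []
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            built[m["id"]] = m["direction"]
            continue
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        tail = TAIL_RE.match((m["tail"] or "").strip())
        # Tolerate "TCP Reset-O" spacing; the table spells it "TCP Reset - O".
        reason = re.sub(r"^TCP Reset\s*-\s*", "TCP Reset - ", tail["reason"]) or None
        flows.append({
            "id": m["id"],
            # Direction is only in the Built message; None if that line was not captured.
            "direction": built.pop(m["id"], None),
            "endpoints": [(m["a_if"], m["a_ip"], int(m["a_port"])),
                          (m["b_if"], m["b_ip"], int(m["b_port"]))],
            "seconds": int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
            "bytes": int(m["bytes"]),
            "reason": reason,
            "initiator": tail["initiator"],
            "category": classify(reason),
        })
    return flows, sorted(built)

def flagged_by_peer(flows, interface):
    """Count enforced/anomalous teardowns per (address, reason) seen on one interface."""
    counts = Counter()
    for flow in flows:
        if flow["category"] == "other":
            continue
        for ifname, ip, _port in flow["endpoints"]:
            if ifname == interface:
                counts[(ip, flow["reason"])] += 1
    return counts

# Constructed sample lines: syslog prefix, interface names and addresses are illustrative.
SAMPLE = """\
Jan 10 09:00:01 fw1 %FTD-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.9/40112 (203.0.113.9/40112) to inside:10.1.1.5/22 (198.51.100.5/22)
Jan 10 09:00:01 fw1 %FTD-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.9/40113 (203.0.113.9/40113) to inside:10.1.1.6/22 (198.51.100.6/22)
Jan 10 09:00:02 fw1 %FTD-6-302013: Built outbound TCP connection 1003 for outside:192.0.2.80/443 (192.0.2.80/443) to inside:10.1.1.20/51544 (198.51.100.1/51544) (alice)
Jan 10 09:00:03 fw1 %FTD-6-302013: Built outbound TCP connection 1004 for outside:192.0.2.81/443 (192.0.2.81/443) to inside:10.1.1.21/51600 (198.51.100.1/51600)
Jan 10 09:00:31 fw1 %FTD-6-302014: Teardown TCP connection 1001 for outside:203.0.113.9/40112 to inside:10.1.1.5/22 duration 0:00:30 bytes 0 SYN Timeout
Jan 10 09:00:31 fw1 %FTD-6-302014: Teardown TCP connection 1002 for outside:203.0.113.9/40113 to inside:10.1.1.6/22 duration 0:00:30 bytes 0 SYN Timeout
Jan 10 09:01:10 fw1 %FTD-6-302014: Teardown TCP connection 1003 for outside:192.0.2.80/443 to inside:10.1.1.20/51544 duration 0:01:08 bytes 48211 TCP FINs from inside (alice)
Jan 10 09:01:12 fw1 %FTD-6-302014: Teardown TCP connection 998 for outside:203.0.113.77/443 to inside:10.1.1.30/50210 duration 0:12:40 bytes 912 Flow terminated by IPS
""".splitlines()

if __name__ == "__main__":
    flows, open_ids = correlate(SAMPLE)
    for f in flows:
        print(f["id"], f["direction"], f["category"], f["reason"], f["initiator"], f["bytes"])
    print("still open:", open_ids)
    print(dict(flagged_by_peer(flows, "outside")))
```

In the sample, the two zero-byte SYN Timeout teardowns from one outside address toward different inside hosts are grouped under that address, while the normal TCP FINs close is left out of the count.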
302015
Error Message %FTD-6-302015: Built {inbound|outbound} UDP connection number for interface_name :real_address /real_port (mapped_address /mapped_port ) [(idfw_user )] to interface_name :real_address /real_port (mapped_address /mapped_port )[(idfw_user )] [(user )]
Explanation A UDP connection slot between two hosts was created. The following list describes the message values:
- number—A unique identifier
- interface, real_address, real_port—The actual sockets
- mapped_address and mapped_port—The mapped sockets
- user—The AAA name of the user
- idfw_user —The name of the identity firewall user
If inbound is specified, then the original control connection is initiated from the outside. For example, for UDP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, then the original control connection is initiated from the inside.
Recommended Action None required.
302016
Error Message %FTD-6-302016: Teardown UDP connection number for interface :real-address /real-port [(idfw_user )] to interface :real-address /real-port [(idfw_user )] duration hh :mm :ss bytes bytes [(user )]
Explanation A UDP connection slot between two hosts was deleted. The following list describes the message values:
- number—A unique identifier
- interface, real-address, real-port—The actual sockets
- duration—The lifetime of the connection
- bytes—The data transfer of the connection
- user—The AAA name of the user
- idfw_user—The name of the identity firewall user
Recommended Action None required.
302017
Error Message %FTD-6-302017: Built {inbound|outbound} GRE connection id from interface :real_address (translated_address ) [(idfw_user )] to interface :real_address /real_cid (translated_address /translated_cid ) [(idfw_user )] [(user )]
Explanation A GRE connection slot between two hosts was created. The id is a unique identifier. The interface, real_address, real_cid tuple identifies one of the two simplex PPTP GRE streams. The parenthetical translated_address, translated_cid tuple identifies the translated value with NAT. If inbound is indicated, then the connection can only be used inbound. If outbound is indicated, then the connection can only be used outbound. The following list describes the message values:
- id—Unique number identifying the connection
- inbound—Control connection is for inbound PPTP GRE flow
- outbound—Control connection is for outbound PPTP GRE flow
- interface_name—The interface name
- real_address—IP address of the actual host
- real_cid—Untranslated call ID for the connection
- translated_address—IP address after translation
- translated_cid—Translated call
- user—AAA user name
- idfw_user —The name of the identity firewall user
Recommended Action None required.
302018
Error Message %FTD-6-302018: Teardown GRE connection id from interface :real_address (translated_address ) [(idfw_user )] to interface :real_address /real_cid (translated_address /translated_cid ) [(idfw_user )] duration hh :mm :ss bytes bytes [(user )]
Explanation A GRE connection slot between two hosts was deleted. The interface, real_address, real_port tuples identify the actual sockets. Duration identifies the lifetime of the connection. The following list describes the message values:
- id—Unique number identifying the connection
- interface—The interface name
- real_address—IP address of the actual host
- real_port—Port number of the actual host.
- hh:mm:ss—Time in hour:minute:second format
- bytes—Number of PPP bytes transferred in the GRE session
- reason—Reason why the connection was terminated
- user—AAA user name
- idfw_user —The name of the identity firewall user
Recommended Action None required.
302019
Error Message %FTD-3-302019: H.323 library_name ASN Library failed to initialize, error code number
Explanation The specified ASN library that the Secure Firewall Threat Defense device uses for decoding the H.323 messages failed to initialize; the Secure Firewall Threat Defense device cannot decode or inspect the arriving H.323 packet. The Secure Firewall Threat Defense device allows the H.323 packet to pass through without any modification. When the next H.323 message arrives, the Secure Firewall Threat Defense device tries to initialize the library again.
Recommended Action If this message is generated consistently for a particular library, contact the Cisco TAC and provide them with all log messages (preferably with timestamps).
302020
Error Message %FTD-6-302020: Built {in | out} bound ICMP connection for faddr {faddr | icmp_seq_num } [(idfw_user )] gaddr {gaddr | icmp_type } laddr laddr [(idfw_user )] type {type } code {code } Rx [{circular_buffer_size }]
Explanation This message is generated when an ICMP session is established in the fast-path. The following list describes the message values:
- faddr —Specifies the IP address of the foreign host
- gaddr —Specifies the IP address of the global host
- laddr —Specifies the IP address of the local host
- idfw_user —The name of the identity firewall user
- user —The username associated with the host from where the connection was initiated
- type —Specifies the ICMP type
- code —Specifies the ICMP code
- Rx—Specifies the received data circular-buffer size, where the buffer is overwritten, starting from the beginning, when the buffer is full.
Recommended Action None required.
302021
Error Message %FTD-6-302021: Teardown ICMP connection for faddr {faddr | icmp_seq_num } [(idfw_user )] gaddr {gaddr | icmp_type } laddr laddr [(idfw_user )] type {type } code {code } Rx [{circular_buffer_size }]
Explanation This message is generated when an ICMP session is removed in the fast-path. The following list describes the message values:
- faddr —Specifies the IP address of the foreign host
- gaddr —Specifies the IP address of the global host
- laddr —Specifies the IP address of the local host
- idfw_user —The name of the identity firewall user
- user —The username associated with the host from where the connection was initiated
- type —Specifies the ICMP type
- code—Specifies the ICMP code
- Rx—Specifies the received data circular-buffer size, where the buffer is overwritten, starting from the beginning, when the buffer is full.
Recommended Action None required.
302022
Error Message %FTD-6-302022: Built role stub TCP connection for interface :real-address /real-port (mapped-address /mapped-port ) to interface :real-address /real-port (mapped-address /mapped-port)
Explanation A TCP director/backup/forwarder flow has been created.
Recommended Action None required.
302023
Error Message %FTD-6-302023: Teardown stub TCP connection for interface :real-address /real-port to interface :real-address /real-port duration hh:mm:ss forwarded bytes bytes reason
Explanation A TCP director/backup/forwarder flow has been torn down.
Recommended Action None required.
302024
Error Message %FTD-6-302024: Built role stub UDP connection for interface :real-address /real-port (mapped-address /mapped-port ) to interface :real-address /real-port (mapped-address /mapped-port )
Explanation A UDP director/backup/forwarder flow has been created.
Recommended Action None required.
302025
Error Message
%FTD-6-302025: Teardown stub UDP connection for interface :real-address /real-port to interface :real-address /real-port duration hh:mm:ss forwarded bytes bytes reason
Explanation A UDP director/backup/forwarder flow has been torn down.
Recommended Action None required.
302026
Error Message
%FTD-6-302026: Built role stub ICMP connection for interface :real-address /real-port (mapped-address ) to interface :real-address /real-port (mapped-address )
Explanation An ICMP director/backup/forwarder flow has been created.
Recommended Action None required.
302027
Error Message
%FTD-6-302027: Teardown stub ICMP connection for interface :real-address /real-port to interface :real-address /real-port duration hh:mm:ss forwarded bytes bytes reason
Explanation An ICMP director/backup/forwarder flow has been torn down.
Recommended Action None required.
302033
Error Message
%FTD-6-302033:Pre-allocated H323 GUP Connection for faddr interface :foreign address /foreign-port to laddr interface :local-address /local-port
Explanation A GUP connection was started from the foreign address to the local address. The foreign port (outside port) only appears on connections from outside the security device. The local port value (inside port) only appears on connections started on an internal interface.
- interface—The interface name
- foreign-address —IP address of the foreign host
- foreign-port —Port number of the foreign host
- local-address —IP address of the local host
- local-port —Port number of the local host
Recommended Action None required.
302034
Error Message
%FTD-4-302034: Unable to pre-allocate H323 GUP Connection for faddr interface :foreign address /foreign-port to laddr interface :local-address /local-port
Explanation The module failed to allocate RAM system memory while starting a connection or has no more address translation slots available.
- interface—The interface name
- foreign-address —IP address of the foreign host
- foreign-port —Port number of the foreign host
- local-address —IP address of the local host
- local-port —Port number of the local host
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact the Cisco TAC. You can check the size of the global pool compared to the number of inside network clients. Alternatively, shorten the timeout interval of translations and connections. This message may also be caused by insufficient memory; try reducing the amount of memory usage, or purchasing additional memory.
302302
Error Message
%FTD-3-302302: ACL = deny; no sa created
Explanation IPsec proxy mismatches have occurred. Proxy hosts for the negotiated SA correspond to a deny access-list command policy.
Recommended Action Check the access-list command statement in the configuration. Contact the administrator for the peer.
302303
Error Message
%FTD-6-302303: Built TCP state-bypass connection conn_id from initiator_interface :real_ip /real_port (mapped_ip /mapped_port ) to responder_interface :real_ip /real_port (mapped_ip /mapped_port )
Explanation A new TCP connection has been created, and this connection is a TCP-state-bypass connection. This type of connection bypasses all the TCP state checks and additional security checks and inspections.
Recommended Action If you need to secure TCP traffic with all the normal TCP state checks as well as all other security checks and inspections, you can use the no set connection advanced-options tcp-state-bypass command to disable this feature for TCP traffic.
302304
Error Message
%FTD-6-302304: Teardown TCP state-bypass connection conn_id from initiator_interface :ip/port to responder_interface :ip/port duration , bytes , teardown reason.
Explanation A new TCP connection has been torn down, and this connection is a TCP-state-bypass connection. This type of connection bypasses all the TCP state checks and additional security checks and inspections.
- duration —The duration of the TCP connection
- bytes —The total number of bytes transmitted over the TCP connection
- teardown reason —The reason for the teardown of the TCP connection
Recommended Action If you need to secure TCP traffic with all the normal TCP state checks as well as all other security checks and inspections, you can use the no set connection advanced-options tcp-state-bypass command to disable this feature for TCP traffic.
302310
Error Message %FTD-4-302310: SCTP packet received from src_ifc:src_ip/src_port to dst_ifc:dst_ip/dst_port contains unsupported Hostname Parameter.
Explanation An init/init-ack packet is received with the hostname parameter.
- packet init/init-ack—The message carrying the hostname parameter
- src_ifc—Indicates the ingress interface
- src_ip/src_port—Indicates the source IP and port in the packet
- dst_ifc—Indicates the egress interface
- dst_ip/dst_port—Indicates the destination IP and port in the packet
Recommended Action Use the real IP addresses of endpoints rather than the hostname. Disable the hostname parameter.
302311
Error Message %FTD-4-302311: Failed to create a new protocol connection from ingress interface:source IP/source port to egress interface:destination IP/destination port due to application cache memory allocation failure. The app-cache memory threshold level is threshold% and threshold check is enabled/disabled.
Explanation A new connection could not be created due to app-cache memory allocation failure. The failure could be due to system running out of memory or exceeding app-cache memory threshold.
- protocol—The name of the protocol used to create the connection
- ingress interface—The interface name
- source IP—The source IP address
- source port—The source port number
- egress interface—The interface name
- destination IP—The destination address
- destination port—The destination port number
- threshold%—The percentage value of memory threshold
- enabled/disabled—app-cache memory threshold feature enabled/disabled
Recommended Action Disable memory intensive features on the device or reduce the number of through-the-box connections.
303002
Error Message
%FTD-6-303002: FTP connection from src_ifc :src_ip /src_port to dst_ifc :dst_ip /dst_port , user username action file filename
Explanation A client has uploaded or downloaded a file from the FTP server.
- src_ifc—The interface where the client resides.
- src_ip—The IP address of the client.
- src_port—The client port.
- dst_ifc—The interface where the server resides.
- dst_ip—The IP address of the FTP server.
- dst_port—The server port.
- username—The FTP username.
- action—The stored or retrieved actions.
- filename—The file stored or retrieved.
Recommended Action None required.
303004
Error Message
%FTD-5-303004: FTP cmd_string command unsupported - failed strict inspection, terminating connection from source_interface :source_address /source_port to dest_interface :dest_address/dest_interface
Explanation Strict FTP inspection on FTP traffic has been used, and an FTP request message contains a command that is not recognized by the device.
Recommended Action None required.
303005
Error Message
%FTD-5-303005: Strict FTP inspection matched match_string in policy-map policy-name , action_string from src_ifc :sip /sport to dest_ifc :dip /dport
Explanation When FTP inspection matches any of the following configured values: filename, file type, request command, server, or username, then the action specified by the action_string in this message occurs.
- match_string —The match clause in the policy map
- policy-name—The policy map that matched
- action_string—The action to take; for example, Reset Connection
- src_ifc—The source interface name
- sip—The source IP address
- sport—The source port
- dest_ifc—The destination interface name
- dip—The destination IP address
- dport—The destination port
Recommended Action None required.
305006
Error Message
%FTD-3-305006: {outbound static|identity|portmap|regular} translation creation failed for protocol src interface_name:source_address/source_port [(idfw_user )] dst interface_name:dest_address/dest_port [(idfw_user )]
Explanation The ICMP error inspection was enabled and the following conditions were met:
- There was a connection established through the device with forward and reverse flows having different protocols. For example, forward flow is UDP or TCP, reverse flow is ICMP. The switch in protocols occurs when either the receiver or any intermediary device in the path returns ICMP error messages, for example type 3 code 3.
- There was a dynamic NAT/PAT statement that matched the packets of the reverse flow and failed to translate the outer header IP addresses because the device does not apply PAT to all ICMP message types; it only applies PAT to ICMP echo and echo-reply packets (types 8 and 0).
Recommended Action None required.
305009
Error Message
%FTD-6-305009: Built {dynamic|static} translation from interface_name [(acl-name)]:real_address [(idfw_user )] to interface_name :mapped_address
Explanation An address translation slot was created. The slot translates the source address from the local side to the global side. In reverse, the slot translates the destination address from the global side to the local side.
Recommended Action None required.
305010
Error Message
%FTD-6-305010: Teardown {dynamic|static} translation from interface_name :real_address [(idfw_user )] to interface_name :mapped_address duration time
Explanation The address translation slot was deleted.
Recommended Action None required.
305011
Error Message
%FTD-6-305011: Built {dynamic|static} {TCP|UDP|ICMP} translation from interface_name :real_address/real_port [(idfw_user )] to interface_name :mapped_address/mapped_port
Explanation A TCP, UDP, or ICMP address translation slot was created. The slot translates the source socket from the local side to the global side. In reverse, the slot translates the destination socket from the global side to the local side.
Recommended Action None required.
305012
Error Message
%FTD-6-305012: Teardown {dynamic|static} {TCP|UDP|ICMP} translation from interface_name [(acl-name )]:real_address /{real_port |real_ICMP_ID } [(idfw_user )] to interface_name :mapped_address /{mapped_port |mapped_ICMP_ID } duration time
Explanation The address translation slot was deleted.
Recommended Action None required.
305013
Error Message
%FTD-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection protocol src interface_name :source_address /source_port [(idfw_user )] dst interface_name :dst_address /dst_port [(idfw_user )] denied due to NAT reverse path failure.
Explanation An attempt to connect to a mapped host using its actual address was rejected.
Recommended Action When not on the same interface as the host using NAT, use the mapped address instead of the actual address to connect to the host. In addition, enable the inspect command if the application embeds the IP address.
305014
Error Message
%FTD-6-305014: Allocated block of ports for translation from real_interface :real_host_ip /real_source_port to real_dest_interface :real_dest_ip /real_dest_port.
Explanation When CGNAT “block-allocation” is configured, this syslog will be generated on allocation of a new port block.
Recommended Action None.
305015
Error Message
%FTD-6-305015: Released block of ports for translation from real_interface :real_host_ip /real_source_port to real_dest_interface :real_dest_ip /real_dest_port.
Explanation When CGNAT “block-allocation” is configured, this syslog will be generated on release of an allocated port block.
Recommended Action None.
305016
Error Message
%FTD-3-305016: Unable to create protocol connection from real_interface :real_host_ip /real_source_port to real_dest_interface :real_dest_ip /real_dest_port due to reason .
Explanation The maximum port blocks per host limit has been reached for a host or the port blocks have been exhausted.
- reason—May be one of the following:
  - reaching per-host PAT port block limit of value
  - port block exhaustion in PAT pool
Recommended Action For reaching the per-host PAT port block limit, review the maximum blocks per host limit by entering the following command:
xlate block-allocation maximum-per-host 4
For the port block exhaustion in the PAT pool, we recommend increasing the pool size. Also, review the block size by entering the following command:
xlate block-allocation size 512
305017
Error Message
%FTD-3-305017: Pba-interim-logging: Active ICMP block of ports for translation from <source device IP> to <destination device IP>/<Active Port Block>
Explanation When the CGNAT interim logging feature is turned on, this syslog specifies the Active Port Block from a particular source IP address to a destination IP address at that time.
Recommended Action None.
305021
Error Message
%FTD-4-305021: Ports exhausted in pre-allocated PAT pool IP mapped_ip_address for host real_host_ip. Allocating from new PAT pool IP mapped_ip_address.
Explanation This message is generated when all ports are exhausted in the sticky IP on a cluster node and allocation moves to the next available IP with free ports.
Example:
%FTD-4-305021: Ports exhausted in pre-allocated PAT pool IP 174.0.1.1 for host 192.168.1.20. Allocating from new PAT pool IP 174.0.1.2.
Recommended Action None.
305022
Error Message
%FTD-4-305022: Cluster unit unit_name has been allocated num_of_port_blocks port blocks for PAT usage. All units should have at least min_num_of_port_blocks port blocks.
Explanation This message is generated on a node when it joins the cluster and receives either no port blocks or an unequal share of port blocks.
Examples
%FTD-4-305022: Cluster unit FTD-4 has been allocated 0 port blocks for PAT usage. All units should have at least 32 port blocks.
%FTD-4-305022: Cluster unit FTD-4 has been allocated 12 port blocks for PAT usage. All units should have at least 32 port blocks.
Recommended Action None.
308001
Error Message
%FTD-6-308001: console enable password incorrect for number tries (from IP_address )
Explanation This is a Secure Firewall Threat Defense management message. This message appears after the specified number of times a user incorrectly types the password to enter privileged mode. The maximum is three attempts.
Recommended Action Verify the password and try again.
308002
Error Message
%FTD-4-308002: static global_address inside_address netmask netmask overlapped with global_address inside_address
Explanation The IP addresses in one or more static command statements overlap. global_address is the global address, which is the address on the lower security interface, and inside_address is the local address, which is the address on the higher security-level interface.
Recommended Action Use the show static command to view the static command statements in your configuration and fix the commands that overlap. The most common overlap occurs if you specify a network address such as 10.1.1.0, and in another static command you specify a host within that range, such as 10.1.1.5.
311001
Error Message
%FTD-6-311001: LU loading standby start
Explanation Stateful Failover update information was sent to the standby Secure Firewall Threat Defense device when the standby Secure Firewall Threat Defense device is first to be online.
Recommended Action None required.
311002
Error Message
%FTD-6-311002: LU loading standby end
Explanation Stateful Failover update information stopped sending to the standby Secure Firewall Threat Defense device.
Recommended Action None required.
311003
Error Message
%FTD-6-311003: LU recv thread up
Explanation An update acknowledgment was received from the standby Secure Firewall Threat Defense device.
Recommended Action None required.
311004
Error Message
%FTD-6-311004: LU xmit thread up
Explanation A Stateful Failover update was transmitted to the standby Secure Firewall Threat Defense device.
Recommended Action None required.
312001
Error Message
%FTD-6-312001: RIP hdr failed from IP_address : cmd=string , version=number domain=string on interface interface_name
Explanation The Secure Firewall Threat Defense device received a RIP message with an operation code other than reply, the message has a version number different from what is expected on this interface, and the routing domain entry was nonzero. Another RIP device may not be configured correctly to communicate with the Secure Firewall Threat Defense device.
Recommended Action None required.
313001
Error Message
%FTD-3-313001: Denied ICMP type=number , code=code from IP_address on interface interface_name
Explanation When using the icmp command with an access list, if the first matched entry is a permit entry, the ICMP packet continues processing. If the first matched entry is a deny entry, or an entry is not matched, the Secure Firewall Threat Defense device discards the ICMP packet and generates this message. The icmp command enables or disables pinging to an interface. With pinging disabled, the Secure Firewall Threat Defense device cannot be detected on the network. This feature is also referred to as configurable proxy pinging.
Recommended Action Contact the administrator of the peer device.
313004
Error Message
%FTD-4-313004:Denied ICMP type=icmp_type , from source_address on interface interface_name to dest_address :no matching session
Explanation ICMP packets were dropped by the Secure Firewall Threat Defense device because of security checks added by the stateful ICMP feature that are usually either ICMP echo replies without a valid echo request already passed across the Secure Firewall Threat Defense device or ICMP error messages not related to any TCP, UDP, or ICMP session already established in the Secure Firewall Threat Defense device.
Recommended Action None required.
313005
Error Message
%FTD-4-313005: No matching connection for ICMP error message: icmp_msg_info on interface_name interface. Original IP payload: embedded_frame_info
icmp_msg_info = icmp src src_interface_name :src_address [([idfw_user | FQDN_string ], sg_info )] dst dest_interface_name :dest_address [([idfw_user | FQDN_string ], sg_info )] (type icmp_type, code icmp_code )
embedded_frame_info = prot src source_address /source_port [([idfw_user | FQDN_string ], sg_info )] dst dest_address /dest_port [(idfw_user |FQDN_string ), sg_info ]
Explanation ICMP error packets were dropped by the Secure Firewall Threat Defense device because the ICMP error messages are not related to any session already established in the Secure Firewall Threat Defense device.
Recommended Action If the cause is an attack, you can deny the host by using ACLs.
313008
Error Message
%FTD-3-313008: Denied ICMPv6 type=number , code=code from IP_address on interface interface_name
Explanation When using the icmp command with an access list, if the first matched entry is a permit entry, the ICMPv6 packet continues processing. If the first matched entry is a deny entry, or an entry is not matched, the Secure Firewall Threat Defense device discards the ICMPv6 packet and generates this message.
The icmp command enables or disables pinging to an interface. When pinging is disabled, the Secure Firewall Threat Defense device is undetectable on the network. This feature is also referred to as “configurable proxy pinging.”
Recommended Action Contact the administrator of the peer device.
313009
Error Message
%FTD-4-313009: Denied invalid ICMP code icmp-code , for src-ifc :src-address /src-port (mapped-src-address/mapped-src-port) to dest-ifc :dest-address /dest-port (mapped-dest-address/mapped-dest-port) [user ], ICMP id icmp-id , ICMP type icmp-type
Explanation An ICMP echo request/reply packet was received with a malformed (non-zero) code.
Recommended Action If it is an intermittent event, no action is required. If the cause is an attack, you can deny the host using the ACLs.
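A triage sketch for the ICMP deny messages above (313001, 313004, 313008, 313009), added here as an example and not taken from Cisco's documentation: it parses each format as listed on this page and reports sources whose denies repeat rather than appear intermittently. The sample log lines, the tolerance for spacing around commas and colons, and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Syslog header: %FTD-<severity>-<message id>: <body>
HEADER = re.compile(r"%FTD-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<body>.*)")

# Body layouts follow the message formats listed on this page.
BODY = {
    "313001": re.compile(r"Denied ICMP type=(?P<type>\d+)\s*,\s*code=(?P<code>\d+) "
                         r"from (?P<src>\S+) on interface (?P<ifc>\S+)"),
    "313008": re.compile(r"Denied ICMPv6 type=(?P<type>\d+)\s*,\s*code=(?P<code>\d+) "
                         r"from (?P<src>\S+) on interface (?P<ifc>\S+)"),
    "313004": re.compile(r"Denied ICMP type=(?P<type>\d+)\s*,\s*from (?P<src>\S+) "
                         r"on interface (?P<ifc>\S+) to (?P<dst>\S+?)\s*:\s*no matching session"),
    "313009": re.compile(r"Denied invalid ICMP code (?P<code>\d+)\s*,\s*for "
                         r"(?P<ifc>[^:\s]+)\s*:\s*(?P<src>[^/\s]+)\s*/.*ICMP type (?P<type>\d+)"),
}


def parse_line(line):
    """Return a dict for a 3130xx ICMP deny message, or None for anything else."""
    head = HEADER.search(line)
    if not head or head["id"] not in BODY:
        return None
    match = BODY[head["id"]].match(head["body"])
    if not match:
        return None  # known ID but unexpected layout: do not guess at fields
    event = {"id": head["id"], "severity": int(head["sev"])}
    event.update(match.groupdict())
    return event


def repeated_sources(lines, threshold=3):
    """Map source address -> sorted message IDs, for sources with >= threshold denies.

    The threshold is an assumed cut-off between "intermittent" and "repeated".
    """
    seen = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            seen[event["src"]].append(event["id"])
    return {src: sorted(set(ids)) for src, ids in seen.items() if len(ids) >= threshold}


# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LINES = [
    "%FTD-3-313001: Denied ICMP type=8, code=0 from 198.51.100.7 on interface outside",
    "%FTD-4-313004:Denied ICMP type=0, from 198.51.100.7 on interface outside "
    "to 10.0.0.5:no matching session",
    "%FTD-4-313009: Denied invalid ICMP code 9, for outside:198.51.100.7/0 (198.51.100.7/0) "
    "to inside:10.0.0.5/0 (10.0.0.5/0), ICMP id 1, ICMP type 8",
    "%FTD-3-313008: Denied ICMPv6 type=128, code=0 from 2001:db8::7 on interface outside",
    "%FTD-6-317077: Added OSPF route 10.2.0.0/255.255.0.0 via 10.0.0.1 on inside",
]

if __name__ == "__main__":
    for src, ids in repeated_sources(SAMPLE_LINES).items():
        print(f"{src}: repeated ICMP denies, message IDs {', '.join(ids)}")
```

Sources returned by `repeated_sources` are candidates for the ACL deny that the Recommended Action mentions; a single isolated deny stays below the threshold and is not reported.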
314001
Error Message
%FTD-6-314001: Pre-allocated RTSP UDP backconnection for src_intf :src_IP to dst_intf :dst_IP /dst_port.
Explanation The Secure Firewall Threat Defense device opened a UDP media channel for the RTSP client that was receiving data from the server.
- src_intf —Source interface name
- src_IP —Source interface IP address
- dst_intf —Destination interface name
- dst_IP —Destination IP address
- dst_port —Destination port
Recommended Action None required.
314002
Error Message
%FTD-6-314002: RTSP failed to allocate UDP media connection from src_intf :src_IP to dst_intf :dst_IP /dst_port : reason_string.
Explanation The Secure Firewall Threat Defense device cannot open a new pinhole for the media channel.
- src_intf —Source interface name
- src_IP —Source interface IP address
- dst_intf —Destination interface name
- dst_IP —Destination IP address
- dst_port —Destination port
- reason_string —Pinhole already exists/Unknown
Recommended Action If the reason is unknown, check the free memory available by running the show memory command, or the number of connections used by running the show conn command, because the Secure Firewall Threat Defense device is low on memory.
316001
Error Message
%FTD-3-316001: Denied new tunnel to IP_address . VPN peer limit (platform_vpn_peer_limit) exceeded
Explanation If more VPN tunnels (ISAKMP/IPsec) try to establish concurrently than the platform VPN peer limit supports, the excess tunnels are aborted.
Recommended Action None required.
316002
Error Message
%FTD-3-316002: VPN Handle error: protocol=protocol , src in_if_num :src_addr , dst out_if_num :dst_addr
Explanation The Secure Firewall Threat Defense device cannot create a VPN handle, because the VPN handle already exists.
- protocol —The protocol of the VPN flow
- in_if_num —The ingress interface number of the VPN flow
- src_addr —The source IP address of the VPN flow
- out_if_num —The egress interface number of the VPN flow
- dst_addr —The destination IP address of the VPN flow
Recommended Action This message may occur during normal operation; however, if the message occurs repeatedly and a major malfunction of VPN-based applications occurs, a software defect may be the cause. Enter the following commands to collect more information and contact the Cisco TAC to investigate the issue further:
capture name type asp-drop vpn-handle-error
show asp table classify crypto detail
show asp table vpn-context
317001
Error Message
%FTD-3-317001: No memory available for limit_slow
Explanation The requested operation failed because of a low-memory condition.
Recommended Action Reduce other system activity to ease memory demands. If conditions warrant, upgrade to a larger memory configuration.
317002
Error Message
%FTD-3-317002: Bad path index of number for IP_address , number max
Explanation A software error occurred.
Recommended Action If the problem persists, contact the Cisco TAC.
317003
Error Message
%FTD-3-317003: IP routing table creation failure - reason
Explanation An internal software error occurred, which prevented the creation of a new IP routing table.
Recommended Action Copy the message exactly as it appears, and report it to Cisco TAC.
317004
Error Message
%FTD-3-317004: IP routing table limit warning
Explanation The number of routes in the named IP routing table has reached the configured warning limit.
Recommended Action Reduce the number of routes in the table, or reconfigure the limit.
317005
Error Message
%FTD-3-317005: IP routing table limit exceeded - reason , IP_address netmask
Explanation Additional routes will be added to the table.
Recommended Action Reduce the number of routes in the table, or reconfigure the limit.
317006
Error Message
%FTD-3-317006: Pdb index error pdb , pdb_index , pdb_type
Explanation The index into the PDB is out of range.
- pdb—Protocol Descriptor Block, the descriptor of the PDB index error
- pdb_index—The PDB index identifier
- pdb_type—The type of the PDB index error
Recommended Action If the problem persists, copy the error message exactly as it appears on the console or in the system log, contact the Cisco TAC, and provide the representative with the collected information.
317007
Error Message
%FTD-6-317007: Added route_type route dest_address netmask via gateway_address [distance /metric ] on interface_name route_type
Explanation A new route has been added to the routing table.
Routing protocol type:
C – connected, S – static, I – IGRP, R – RIP, M – mobile
B – BGP, D – EIGRP, EX - EIGRP external, O - OSPF
IA - OSPF inter area, N1 - OSPF NSSA external type 1
N2 - OSPF NSSA external type 2, E1 - OSPF external type 1
E2 - OSPF external type 2, E – EGP, i - IS-IS, L1 - IS-IS level-1
L2 - IS-IS level-2, ia - IS-IS inter area
- dest_address —The destination network for this route
- netmask —The netmask for the destination network
- gateway_address —The address of the gateway by which the destination network is reached
- distance —Administrative distance for this route
- metric —Metric for this route
- interface_name —Network interface name through which the traffic is routed
Recommended Action None required.
317008
Error Message
%FTD-6-317008: Community list check with bad list list_number
Explanation When an out-of-range community list is identified, this message is generated along with the list number.
Recommended Action None required.
317012
Error Message
%FTD-3-317012: Interface IP route counter negative - nameif-string-value
Explanation Indicates that the interface route count is negative.
- nameif-string-value—The interface name as specified by the nameif command
Recommended Action None required.
317077
Error Message
%FTD-6-317077: Added <protocol_name> route <destination_address/subnet-mask> via <gateway-address> on <inf_name>
Explanation This message is generated when a route is added successfully on the Secure Firewall Threat Defense device.
Recommended Action None required.
317078
Error Message
%FTD-6-317078: Deleted <protocol_name> route <destination_address/subnet-mask> via <gateway-address> on <inf_name>
Explanation This message is generated when a route is deleted from the Secure Firewall Threat Defense device.
Recommended Action None required.
318001
Error Message
%FTD-3-318001: Internal error: reason
Explanation An internal software error occurred. This message occurs at five-second intervals.
Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.
318002
Error Message
%FTD-3-318002: Flagged as being an ABR without a backbone area
Explanation The router was flagged as an area border router without a backbone area configured in the router. This message occurs at five-second intervals.
Recommended Action Restart the OSPF process.
318003
Error Message
%FTD-3-318003: Reached unknown state in neighbor state machine
Explanation An internal software error occurred. This message occurs at five-second intervals.
Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.
318004
Error Message
%FTD-3-318004: area string lsid IP_address mask netmask adv IP_address type number
Explanation The OSPF process had a problem locating the link state advertisement, which might lead to a memory leak.
Recommended Action If the problem persists, contact the Cisco TAC.
318005
Error Message
%FTD-3-318005: lsid ip_address adv IP_address type number gateway gateway_address metric number network IP_address mask netmask protocol hex attr hex net-metric number
Explanation OSPF found an inconsistency between its database and the IP routing table.
Recommended Action If the problem persists, contact the Cisco TAC.
318006
Error Message
%FTD-3-318006: if interface_name if_state number
Explanation An internal error occurred.
Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.
318007
Error Message
%FTD-3-318007: OSPF is enabled on interface_name during idb initialization
Explanation An internal error occurred.
Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.
318008
Error Message
%FTD-3-318008: OSPF process number is changing router-id. Reconfigure virtual link neighbors with our new router-id
Explanation The OSPF process is being reset, and it is going to select a new router ID. This action will bring down all virtual links.
Recommended Action Change the virtual link configuration on all of the virtual link neighbors to reflect the new router ID.
318009
Error Message
%FTD-3-318009: OSPF: Attempted reference of stale data encountered in function , line: line_num
Explanation OSPF is running and has tried to reference some related data structures that have been removed elsewhere. Clearing interface and router configurations may resolve the problem. However, if this message appears, some sequence of steps caused premature deletion of data structures and this needs to be investigated.
- function —The function that received the unexpected event
- line_num —Line number in the code
Recommended Action If the problem persists, contact the Cisco TAC.
318101
Error Message
%FTD-3-318101: Internal error: REASON
Explanation An internal software error has occurred.
- REASON —The detailed cause of the event
Recommended Action None required.
318102
Error Message
%FTD-3-318102: Flagged as being an ABR without a backbone area
Explanation The router was flagged as an Area Border Router (ABR) without a backbone area in the router.
Recommended Action Restart the OSPF process.
318103
Error Message
%FTD-3-318103: Reached unknown state in neighbor state machine
Explanation An internal software error has occurred.
Recommended Action None required.
318104
Error Message
%FTD-3-318104: DB already exist: area AREA_ID_STR lsid i adv i type 0x x
Explanation OSPF has a problem locating the LSA, which could lead to a memory leak.
- AREA_ID_STR —A string representing the area
- i —An integer value
- x —A hexadecimal representation of an integer value
Recommended Action None required.
318105
Error Message
%FTD-3-318105: lsid i adv i type 0x x gateway i metric d network i mask i protocol #x attr #x net-metric d
Explanation OSPF found an inconsistency between its database and the IP routing table.
- i —An integer value
- x —A hexadecimal representation of an integer value
- d —A number
Recommended Action None required.
318106
Error Message
%FTD-3-318106: if IF_NAME if_state d
Explanation An internal error has occurred.
- IF_NAME— The name of the affected interface
- d —A number
Recommended Action None required.
318107
Error Message
%FTD-3-318107: OSPF is enabled on IF_NAME during idb initialization
Explanation An internal error has occurred.
- IF_NAME— The name of the affected interface
Recommended Action None required.
318108
Error Message
%FTD-3-318108: OSPF process d is changing router-id. Reconfigure virtual link neighbors with our new router-id
Explanation The OSPF process is being reset, and it is going to select a new router ID, which brings down all virtual links. To make them work again, you need to change the virtual link configuration on all virtual link neighbors.
- d —A number representing the process ID
Recommended Action Change the virtual link configuration on all the virtual link neighbors to include the new router ID.
318109
Error Message
%FTD-3-318109: OSPFv3 has received an unexpected message: 0x / 0x
Explanation OSPFv3 has received an unexpected interprocess message.
- x —A hexadecimal representation of an integer value
Recommended Action None required.
318110
Error Message
%FTD-3-318110: Invalid encrypted key s .
Explanation The specified encrypted key is not valid.
- s —A string representing the encrypted key
Recommended Action Either specify a clear text key and enter the service password-encryption command for encryption, or ensure that the specified encrypted key is valid. If the specified encrypted key is not valid, an error message appears during system configuration.
318111
Error Message
%FTD-3-318111: SPI u is already in use with ospf process d
Explanation An attempt was made to use a SPI that has already been used.
- u —A number representing the SPI
- d —A number representing the process ID
Recommended Action Choose a different SPI.
318112
Error Message
%FTD-3-318112: SPI u is already in use by a process other than ospf process d .
Explanation An attempt was made to use a SPI that has already been used.
- u —A number representing the SPI
- d —A number representing the process ID
Recommended Action Choose a different SPI. Enter the show crypto ipv6 ipsec sa command to view a list of SPIs that are already being used.
318113
Error Message
%FTD-3-318113: s s is already configured with SPI u .
Explanation An attempt was made to use a SPI that has already been used.
- s— A string representing an interface
- u —A number representing the SPI
Recommended Action Unconfigure the SPI first, or choose a different one.
318114
Error Message
%FTD-3-318114: The key length used with SPI u is not valid
Explanation The key length was incorrect.
- u —A number representing the SPI
Recommended Action Choose a valid IPsec key. An IPsec authentication key must be 32 (MD5) or 40 (SHA-1) hexadecimal digits long.
318115
Error Message
%FTD-3-318115: s error occured when attempting to create an IPsec policy for SPI u
Explanation An IPsec API (internal) error has occurred.
- s— A string representing the error
- u —A number representing the SPI
Recommended Action None required.
318116
Error Message
%FTD-3-318116: SPI u is not being used by ospf process d .
Explanation An attempt was made to unconfigure a SPI that is not being used with OSPFv3.
- u —A number representing the SPI
- d —A number representing the process ID
Recommended Action Enter a show command to see which SPIs are used by OSPFv3.
318117
Error Message
%FTD-3-318117: The policy for SPI u could not be removed because it is in use.
Explanation An attempt was made to remove the policy for the indicated SPI, but the policy was still being used by a secure socket.
- u —A number representing the SPI
Recommended Action None required.
318118
Error Message
%FTD-3-318118: s error occured when attemtping to remove the IPsec policy with SPI u
Explanation An IPsec API (internal) error has occurred.
- s —A string representing the specified error
- u —A number representing the SPI
Recommended Action None required.
318119
Error Message
%FTD-3-318119: Unable to close secure socket with SPI u on interface s
Explanation An IPsec API (internal) error has occurred.
- u —A number representing the SPI
- s —A string representing the specified interface
Recommended Action None required.
318120
Error Message
%FTD-3-318120: OSPFv3 was unable to register with IPsec
Explanation An internal error has occurred.
Recommended Action None required.
318121
Error Message
%FTD-3-318121: IPsec reported a GENERAL ERROR: message s , count d
Explanation An internal error has occurred.
- s —A string representing the specified message
- d —A number representing the total number of generated messages
Recommended Action None required.
318122
Error Message
%FTD-3-318122: IPsec sent a s message s to OSPFv3 for interface s . Recovery attempt d
Explanation An internal error has occurred. The system is trying to reopen the secure socket and to recover.
- s —A string representing the specified message and specified interface
- d —A number representing the total number of recovery attempts
Recommended Action None required.
318123
Error Message
%FTD-3-318123: IPsec sent a s message s to OSPFv3 for interface IF_NAME . Recovery aborted
Explanation An internal error has occurred. The maximum number of recovery attempts has been exceeded.
- s —A string representing the specified message
- IF_NAME —The specified interface
Recommended Action None required.
318125
Error Message
%FTD-3-318125: Init failed for interface IF_NAME
Explanation The interface initialization failed. Possible reasons include the following:
- The area to which the interface is being attached is being deleted.
- It was not possible to create the link scope database.
- It was not possible to create a neighbor datablock for the local router.
Recommended Action Remove the configuration command that initializes the interface and then try it again.
318126
Error Message
%FTD-3-318126: Interface IF_NAME is attached to more than one area
Explanation The interface is on the interface list for an area other than the one to which the interface links.
- IF_NAME —The specified interface
Recommended Action None required.
318127
Error Message
%FTD-3-318127: Could not allocate or find the neighbor
Explanation An internal error has occurred.
Recommended Action None required.