Error Message %FTD-4-401001: Shuns cleared

Explanation The clear shun command was entered to remove existing shuns from memory. An institution to keep a record of shunning activity was allowed.

Recommended Action None required.

Error Message %FTD-4-401002: Shun added: IP_address IP_address port port

Explanation A shun command was entered, where the first IP address is the shunned host. The other addresses and ports are optional and are used to terminate the connection if available. An institution to keep a record of shunning activity was allowed.

Recommended Action None required.

Error Message %FTD-4-401003: Shun deleted: IP_address

ExplanationA single shunned host was removed from the shun database. An institution to keep a record of shunning activity was allowed.

Recommended Action None required.

Error Message %FTD-4-401004: Shunned packet: IP_address = IP_address on interface interface_name

ExplanationA packet was dropped because the host defined by IP SRC is a host in the shun database. A shunned host cannot pass traffic on the interface on which it is shunned. For example, an external host on the Internet can be shunned on the outside interface. A record of the activity of shunned hosts was provided. This message and message %threat defense-4-401005 can be used to evaluate further risk concerning this host.

Recommended Action None required.

Error Message %FTD-4-401005: Shun add failed: unable to allocate resources for IP_address IP_address port port

ExplanationThe Secure Firewall Threat Defense device is out of memory; a shun cannot be applied.

Recommended ActionThe Cisco IPS should continue to attempt to apply this rule. Try to reclaim memory and reapply a shun manually, or wait for the Cisco IPS to do this.

Error Message %FTD-4-402114: IPSEC: Received an protocol packet (SPI=spi , sequence number=seq_num ) from remote_IP to local_IP with an invalid SPI.

• >protocol— IPsec protocol
• >spi— IPsec Security Parameter Index
• seq_num>— IPsec sequence number
• remote_IP>— IP address of the remote endpoint of the tunnel
• >username— Username associated with the IPsec tunnel
• local_IP>— IP address of the local endpoint of the tunnel

ExplanationAn IPsec packet was received that specifies an SPI that does not exist in the SA database. This may be a temporary condition caused by slight differences in aging of SAs between the IPsec peers, or it may be because the local SAs have been cleared. It may also indicate incorrect packets sent by the IPsec peer, which may be part of an attack. This message is rate limited to no more than one message every five seconds.

Recommended ActionThe peer may not acknowledge that the local SAs have been cleared. If a new connection is established from the local router, the two peers may then reestablish connection successfully. Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer administrator.

Error Message %FTD-4-402115: IPSEC: Received a packet from remote_IP to local_IP containing act_prot data instead of exp_prot data.

Explanation An IPsec packet was received that is missing the expected ESP header. The peer is sending packets that do not match the negotiated security policy, which may indicate an attack. This message is rate limited to no more than one message every five seconds.

• remote_IP>— IP address of the remote endpoint of the tunnel
• local_IP>— IP address of the local endpoint of the tunnel
• >act_prot— Received IPsec protocol
• >exp_prot— Expected IPsec protocol

Recommended Action Contact the administrator of the peer.

Error Message %FTD-4-402116: IPSEC: Received an protocol packet (SPI=spi , sequence number=seq_num ) from remote_IP (username ) to local_IP . The decapsulated inner packet doesn’t match the negotiated policy in the SA. The packet specifies its destination as pkt_daddr , its source as pkt_saddr , and its protocol as pkt_prot . The SA specifies its local proxy as id_daddr /id_dmask /id_dprot /id_dport and its remote proxy as id_saddr /id_smask /id_sprot /id_sport .

ExplanationA decapsulated IPsec packet does not match the negotiated identity. The peer is sending other traffic through this security association, which may be caused by a security association selection error by the peer, or it may be part of an attack. This message is rate limited to no more than one message every five seconds.

• >protocol— IPsec protocol
• >spi— IPsec Security Parameter Index
• seq_num>— IPsec sequence number
• remote_IP>— IP address of the remote endpoint of the tunnel
• >username— Username associated with the IPsec tunnel
• local_IP>— IP address of the local endpoint of the tunnel
• pkt_daddr>— Destination address from the decapsulated packet
• pkt_saddr>— Source address from the decapsulated packet
• pkt_prot>— Transport protocol from the decapsulated packet
• id_daddr>— Local proxy IP address
• id_dmask>— Local proxy IP subnet mask
• id_dprot>— Local proxy transport protocol
• id_dport>— Local proxy port
• id_saddr>— Remote proxy IP address
• id_smask>— Remote proxy IP subnet mask
• id_sprot>— Remote proxy transport protocol
• id_sport>— Remote proxy port

Recommended ActionContact the administrator of the peer and compare policy settings.

Error Message %FTD-4-402117: IPSEC: Received a non-IPsec (protocol ) packet from remote_IP to local_IP .

ExplanationThe received packet matched the crypto map ACL, but it is not IPsec-encapsulated. The IPsec peer is sending unencapsulated packets. This error can occur because of a policy setup error on the peer. For example, the firewall may be configured to only accept encrypted Telnet traffic to the outside interface port 23. If you attempt to use Telnet without IPsec encryption to access the outside interface on port 23, this message appears, but not with Telnet or traffic to the outside interface on ports other than 23. This error can also indicate an attack. This message is not generated except under these conditions (for example, it is not generated for traffic to the Secure Firewall Threat Defense interfaces themselves). See messages 710001, 710002, and 710003, which track TCP and UDP requests. This message is rate limited to no more than one message every five seconds.

• >protocol— IPsec protocol
• remote_IP>— IP address of the remote endpoint of the tunnel
• local_IP>— IP address of the local endpoint of the tunnel

Recommended ActionContact the administrator of the peer to compare policy settings.

Error Message %FTD-4-402118: IPSEC: Received an protocol packet (SPI=spi , sequence number seq_num ) from remote_IP (username ) to local_IP containing an illegal IP fragment of length frag_len with offset frag_offset .

Explanation A decapsulatd IPsec packet included an IP fragment with an offset less than or equal to 128 bytes. The latest version of the security architecture for IP RFC recommends 128 bytes as the minimum IP fragment offset to prevent reassembly attacks. This may be part of an attack. This message is rate limited to no more than one message every five seconds.

• >protocol— IPsec protocol
• >spi— IPsec Security Parameter Index
• seq_num>— IPsec sequence number
• remote_IP>— IP address of the remote endpoint of the tunnel
• >username— Username associated with the IPsec tunnel
• local_IP>— IP address of the local endpoint of the tunnel
• frag_len>— IP fragment length
• frag_offset>— IP fragment offset in bytes

Recommended Action Contact the administrator of the remote peer to compare policy settings.

Error Message %FTD-4-402119: IPSEC: Received an protocol packet (SPI=spi , sequence number=seq_num ) from remote_IP (username ) to local_IP that failed anti-replay checking.

ExplanationAn IPsec packet was received with an invalid sequence number. The peer is sending packets including sequence numbers that may have been previously used. This message indicates that an IPsec packet has been received with a sequence number outside of the acceptable window. This packet will be dropped by IPsec as part of a possible attack. This message is rate limited to no more than one message every five seconds.

• >protocol— IPsec protocol
• >spi— IPsec Security Parameter Index
• seq_num>— IPsec sequence number
• remote_IP>— IP address of the remote endpoint of the tunnel
• >username— Username associated with the IPsec tunnel
• local_IP>— IP address of the local endpoint of the tunnel

Recommended ActionContact the administrator of the peer.

Error Message %FTD-4-402120: IPSEC: Received an protocol packet (SPI=spi , sequence number=seq_num ) from remote_IP (username ) to local_IP that failed authentication.

Explanation An IPsec packet was received and failed authentication. The packet is dropped. The packet may have been corrupted in transit, or the peer may be sending invalid IPsec packets, which may indicate an attack if many of these packets were received from the same peer. This message is rate limited to no more than one message every five seconds.

• >protocol— IPsec protocol
• >spi— IPsec Security Parameter Index
• seq_num>— IPsec sequence number
• remote_IP>— IP address of the remote endpoint of the tunnel
• >username— Username associated with the IPsec tunnel
• local_IP>— IP address of the local endpoint of the tunnel

Recommended Action Contact the administrator of the remote peer if many failed packets were received.

Error Message %FTD-4-402121: IPSEC: Received an protocol packet (SPI=spi , sequence number=seq_num ) from peer_addr (username ) to lcl_addr that was dropped by IPsec (drop_reason ).

Explanation An IPsec packet to be decapsulated was received and subsequently dropped by the IPsec subsystem. This may indicate a problem with the Secure Firewall Threat Defense configuration or with the Secure Firewall Threat Defense device itself.

• >protocol— IPsec protocol
• >spi— IPsec Security Parameter Index
• seq_num>— IPsec sequence number
• peer_addr>— IP address of the remote endpoint of the tunnel
• >username— Username associated with the IPsec tunnel
• lcl_addr>— IP address of the local endpoint of the tunnel
• drop_reason>— Reason that the packet was dropped

Recommended Action If the problem persists, contact the Cisco TAC.

Error Message %FTD-4-402122: Received a cleartext packet from src_addr to dest_addr that was to be encapsulated in IPsec that was dropped by IPsec (drop_reason ).

Explanation A packet to be encapsulated in IPsec was received and subsequently dropped by the IPsec subsystem. This may indicate a problem with the Secure Firewall Threat Defense configuration or with the Secure Firewall Threat Defense device itself.

• src_addr >— Source IP address
• dest_addr >— Destination> IP address
• drop_reason>— Reason that the packet was dropped

Recommended Action If the problem persists, contact the Cisco TAC.

Error Message %FTD-4-402123: CRYPTO: The accel_type hardware accelerator encountered an error (code=error_string ) while executing crypto command command .

Explanation An error was detected while running a crypto command with a hardware accelerator, which may indicate a problem with the accelerator. This type of error may occur for a variety of reasons, and this message supplements the crypto accelerator counters to help determine the cause.

• accel_type—Hardware accelerator type
• >error_string— Code indicating the type of error
• command—Crypto command that generated the error

Recommended Action If the problem persists, contact the Cisco TAC.

Error Message %FTD-4-402124: CRYPTO: The threat defense hardware accelerator encountered an error (Hardware error address, Core, Hardware error code, IstatReg, PciErrReg, CoreErrStat, CoreErrAddr, Doorbell Size, DoorBell Outstanding, SWReset).

Explanation The crypto hardware chip has reported a fatal error, indicating that the chip is inoperable. The information from this message captures the details to allow further analysis of the problem. The crypto chip is reset when this condition is detected to unobtrusively allow the Secure Firewall Threat Defense device to continue functioning. Also, the crypto environment at the time this issue is detected is written to a crypto archive directory on flash to provide further debugging information. Various parameters related to the crypto hardware are included in this message, as follows:

• HWErrAddr>— Hardware address (set by crypto chip)
• Core>— Crypto core experiencing the error
• HwErrCode>— Hardware error code (set by crypto chip)
• IstatReg>— Interrupt status register (set by crypto chip)
• PciErrReg>— PCI error register (set by crypto chip)
• CoreErrStat>— Core error status (set by crypto chip)
• CoreErrAddr>— Core error address (set by crypto chip)
• Doorbell Size>— Maximum crypto commands allowed
• DoorBell Outstanding>— Crypto commands outstanding
• SWReset>— Number of crypto chip resets since boot

Note

The %threat defense-vpn-4-402124: CRYPTO: The threat defense hardware accelerator encountered an error (HWErrAddr= 0x40EE9800, Core= 0, HwErrCode= 23, IstatReg= 0x8, PciErrReg= 0x0, CoreErrStat= 0x41, CoreErrAddr= 0x844E9800, Doorbell Size[0]= 2048, DoorBell Outstanding[0]= 0, Doorbell Size[1]= 0, DoorBell Outstanding[1]= 0, SWReset= 99) error message indicates a AnyConnect problem and the workaround for this to upgrade to AnyConnect 3.1.x.

Recommended Action Forward the message information to the Cisco TAC for further analysis.

Error Message %FTD-4-402125: The threat defense hardware accelerator ring timed out (parameters ).

Explanation The crypto driver has detected that either the IPSEC descriptor ring or SSL/Admin descriptor ring is no longer progressing, meaning the crypto chip no longer appears to be functioning. The crypto chip is reset when this condition is detected to unobtrusively allow the Secure Firewall Threat Defense device to continue functioning. Also, the crypto environment at the time this issue was detected was written to a crypto archive directory on flash to provide further debugging information.

• >ring— IPSEC or Admin ring
• parameters >— Include the following:

- Desc>— Descriptor address

- CtrlStat>— Control/status value

- ResultP>— Success pointer

- ResultVal>— Success value

- Cmd>— Crypto command

- CmdSize>— Command size

- Param>— Command parameters

- Dlen>— Data length

- DataP>— Data pointer

- CtxtP>— VPN context pointer

- SWReset>— Number of crypto chip resets since boot

Recommended Action Forward the message information to the Cisco TAC for further analysis.

Error Message %FTD-4-402126: CRYPTO: The threat defense created Crypto Archive File Archive Filename as a Soft Reset was necessary. Please forward this archived information to Cisco.

Explanation A functional problem with the hardware crypto chip was detected (see syslog messages 402124 and 402125). To further debug the crypto problem, a crypto archive file was generated that included the current crypto hardware environment (hardware registers and crypto description entries). At boot time, a crypto_archive directory was automatically created on the flash file system (if it did not exist previously). A maximum of two crypto archive files are allowed to exist in this directory.

• >Archive Filename— The name of the crypto archive file name. The crypto archive file names are of the form, crypto_arch_x.bin, where x = (1 or 2).

Recommended Action Forward the crypto archive files to the Cisco TAC for further analysis.

Error Message %FTD-4-402127: CRYPTO: The threat defense is skipping the writing of latest Crypto Archive File as the maximum # of files, max_number, allowed have been written to archive_directory . Please archive & remove files from Archive Directory if you want more Crypto Archive Files saved.

Explanation A functional problem with the hardware crypto chip was detected (see messages 4402124 and 4402125). This message indicates a crypto archive file was not written, because the maximum number of crypto archive files already existed.

• max_number >— Maximum number of files allowed in the archive directory; currently set to two
• >archive_directory— Name of the archive directory

Recommended Action Forward previously generated crypto archive files to the Cisco TAC. Remove the previously generated archive file(s) so that more can be written (if deemed necessary).

Error Message %FTD-5-402128: CRYPTO: An attempt to allocate a large memory block failed, size: size , limit: limit

Explanation An SSL connection is attempting to use more memory than allowed. The request has been denied.

• size —The size of the memory block being allocated
• limit —The maximum size of allocated memory permitted

Recommended Action If this message persists, an SSL denial of service attack may be in progress. Contact the remote peer administrator or upstream provider.

Error Message %FTD-6-402129: CRYPTO: An attempt to release a DMA memory block failed, location: address

Explanation An internal software error has occurred.

• address —The address being freed

Recommended Action Contact the Cisco TAC for assistance.

Error Message %FTD-6-402130: CRYPTO: Received an ESP packet (SPI = xxxxxxxxxx, sequence number=xxxx) from 172.16.0.1 (user=user) to 192.168.0.2 with incorrect IPsec padding.

Explanation The Secure Firewall Threat Defense device crypto hardware accelerator detected an IPsec packet with invalid padding. The ATT VPN client sometimes pads IPsec packets incorrectly.

• SPI —The SPI associated with the packet

• sequence number —The sequence number associated with the packet

• user —Username string

• padding —Padding data from the packet

Recommended Action While this message is None required and does not indicate a problem with the Secure Firewall Threat Defense device, customers using the ATT VPN client may wish to upgrade their VPN client software.

Error Message %FTD-4-402131: CRYPTO: status changing the accel_instance hardware accelerator's configuration bias from old_config_bias to new_config_bias .

Explanation The hardware accelerator configuration has been changed on the Secure Firewall Threat Defense device. Some Secure Firewall Threat Defense platforms have multiple hardware accelerators. One syslog message is generated for each hardware accelerator change.

• status —Indicates success or failure
• accel_instance —The instance of the hardware accelerator
• old_config_bias —The old configuration
• new_config_bias —The new configuration

Recommended Action If any of the accelerators fails when attempting to change its configuration, collect logging information and contact the Cisco TAC. If a failure occurs, the software will retry the configuration change multiple times. The software will fall back to the original configuration bias if the retry attempts fail. If multiple attempts to reconfigure the hardware accelerator fail, it may indicate a hardware failure.

Error Message %FTD-3-402140: CRYPTO: RSA key generation error: modulus len len

Explanation An error occurred during an RSA public key pair generation.

• len —The prime modulus length in bits

Recommended Action Contact the Cisco TAC for assistance.

Error Message %FTD-3-402141: CRYPTO: Key zeroization error: key set type , reason reason

Explanation An error occurred during an RSA public key pair generation.

• type —The key set type, which can be any of the following: DH, RSA, DSA, or unknown
• reason —The unexpected crypto session type

Recommended Action Contact the Cisco TAC for assistance.

Error Message %FTD-3-402142: CRYPTO: Bulk data op error: algorithm alg , mode mode

Explanation An error occurred during a symmetric key operation.

• op —The operation, which can be either encryption or decryption
• alg —The encryption algorithm, which can be any of the following: DES, 3DES, AES, or RC4
• mode —The mode, which can be any of the following: CBC, CTR, CFB, ECB, stateful-RC4, or stateless-RC4

Recommended Action Contact the Cisco TAC for assistance.

Error Message %FTD-3-402143: CRYPTO: alg type key op

Explanation An error occurred during an asymmetric key operation.

• alg —The encryption algorithm, which can be either RSA or DSA
• type —The key type, which can be either public or private
• op —The operation, which can be either encryption or decryption

Recommended Action Contact the Cisco TAC for assistance.

Error Message %FTD-3-402144: CRYPTO: Digital signature error: signature algorithm sig , hash algorithm hash

Explanation An error occurred during digital signature generation.

• sig —The signature algorithm, which can be either RSA or DSA
• hash —The hash algorithm, which can be any of the following: MD5, SHA1, SHA256, SHA384, or SHA512

Recommended Action Contact the Cisco TAC for assistance.

Error Message %FTD-3-402145: CRYPTO: Hash generation error: algorithm hash

Explanation A hash generation error occurred.

• hash —The hash algorithm, which can be any of the following: MD5, SHA1, SHA256, SHA384, or SHA512

Recommended Action Contact the Cisco TAC for assistance.

Error Message %FTD-3-402146: CRYPTO: Keyed hash generation error: algorithm hash , key len len

Explanation A keyed hash generation error occurred.

• hash —The hash algorithm, which can be any of the following: MD5, SHA1, SHA256, SHA384, or SHA512
• len —The key length in bits

Recommended Action Contact the Cisco TAC for assistance.

Error Message %FTD-3-402147: CRYPTO: HMAC generation error: algorithm alg

Explanation An HMAC generation error occurred.

• alg —The HMAC algorithm, which can be any of the following: HMAC-MD5, HMAC-SHA1, HMAC-SHA2, or AES-XCBC

Recommended Action Contact the Cisco TAC for assistance.

Error Message %FTD-3-402148: CRYPTO: Random Number Generator error

Explanation A random number generator error occurred.

Recommended Action Contact the Cisco TAC for assistance.

Error Message %FTD-3-402149: CRYPTO: weak encryption type (length ). Operation disallowed. Not FIPS 140-2 compliant

Explanation The Secure Firewall Threat Defense device tried to use an RSA key that is less than 2048 bits or DH groups 1, 2, or 5.

• encryption type —The encryption type
• length —The RSA key length or DH group number

Recommended Action Configure the Secure Firewall Threat Defense device or external application to use an RSA key that is at least 2048 bits, or to configure a DH group that is not 1, 2, or 5.

Error Message %FTD-3-402150: CRYPTO: Deprecated hash algorithm used for RSA operation (hash alg ). Operation disallowed. Not FIPS 140-2 compliant

Explanation An unacceptable hashing algorithm has been used for digital certificate signing or verification for FIPS 140-2 certification.

• operation —Sign or verify
• hash alg —The name of the unacceptable hashing algorithm

Recommended Action Make sure that you use the minimum acceptable hashing algorithm for digital certificate signing or verification for FIPS 140-2 certification. These include SHA-256, SHA-384, and SHA-512.

Error Message %FTD-6-403500: PPPoE - Service name 'any' not received in PADO. Intf:interface_name AC:ac_name .

Explanation The Secure Firewall Threat Defense device requested the PPPoE service any from the access controller at the Internet service provider. The response from the service provider includes other services, but does not include the service any . This is a discrepancy in the implementation of the protocol. The PADO packet is processed normally, and connection negotiations continue.

Recommended Action None required.

Error Message %FTD-3-403501: PPPoE - Bad host-unique in PADO - packet dropped. Intf:interface_name AC:ac_name

Explanation The Secure Firewall Threat Defense device sent an identifier called the host-unique value to the access controller. The access controller responded with a different host-unique value. The Secure Firewall Threat Defense device was unable to identify the corresponding connection request for this response. The packet was dropped, and connection negotiations were discontinued.

Recommended Action Contact the Internet service provider. Either the access controller at the service provider is mishandling the host-unique value, or the PADO packet is being forged.

Error Message %FTD-3-403502: PPPoE - Bad host-unique in PADS - dropping packet. Intf:interface_name AC:ac_name

Explanation The Secure Firewall Threat Defense device sent an identifier called the host-unique value to the access controller. The access controller responded with a different host-unique value. The Secure Firewall Threat Defense device was unable to identify the corresponding connection request for this response. The packet was dropped, and connection negotiations were discontinued.

Recommended Action Contact the Internet service provider. Either the access controller at the service provider is mishandling the host-unique value, or the PADO packet is being forged.

Error Message %FTD-3-403503: PPPoE:PPP link down:reason

Explanation The PPP link has gone down. There are many reasons why this can happen. The first format will display a reason if PPP provides one.

Recommended Action Check the network link to ensure that the link is connected. The access concentrator may be down. Make sure that your authentication protocol matches the access concentrator and that your name and password are correct. Verify this information with your ISP or network support person.

Error Message %FTD-3-403504: PPPoE:No 'vpdn group group_name ' for PPPoE is created

Explanation PPPoE requires a dial-out configuration before starting a PPPoE session. In general, the configuration should specify a dialing policy, the PPP authentication, the username, and a password. The following example configures the Secure Firewall Threat Defense device for PPPoE dialout. The my-username and my-password commands are used to authenticate the access concentrator, using PAP if necessary.

For example:

ciscoftd# vpdn group my-pppoe request dialout pppoe
ciscoftd# vpdn group my-pppoe ppp authentication pap
ciscoftd# vpdn group my-pppoe localname my-username
ciscoftd# vpdn username my-username password my-password
ciscoftd# ip address outside pppoe setroute

Recommended Action Configure a VPDN group for PPPoE.

Error Message %FTD-4-403505: PPPoE:PPP - Unable to set default route to IP_address at interface_name

Explanation This message is usually followed by the message, default route already exists.

Recommended Action Remove the current default route or remove the setroute parameter so that there is no conflict between PPPoE and the manually configured route.

Error Message %FTD-4-403506: PPPoE:failed to assign PPP IP_address netmask netmask at interface_name

Explanation This message is followed by one of the followings messages: subnet is the same as interface, or on failover channel.

Recommended Action In the first case, change the address causing the conflict. In the second case, configure the PPPoE on an interface other than the failover interface.

Error Message %FTD-3-403507: PPPoE:PPPoE client on interface interface failed to locate PPPoE vpdn group group_name

Explanation You can configure the PPPoE client on an interface to use a particular VPDN group by entering the pppoe client vpdn group group_name command. If a PPPoE VPDN group of the configured name was not located during system startup, this message is generated.

• interface —The interface on which the PPPoE client failed
• group_name —The VPDN group name of the PPPoe client on the interface

Recommended Action Perform the following steps:

1. Add the required VPDN group by entering the vpdn group group_name command. Request dialout PPPoE in global configuration mode, and add all the group properties.
2. Remove the pppoe client vpdn group group_name command from the interface indicated. In this case, the PPPoE client will attempt to use the first PPPoE VPDN group defined.

Note	All changes take effect only after the PPPoE client on the interface is restarted by entering the ip address pppoe command.

Error Message %FTD-4-405001: Received ARP {request | response} collision from IP_address /MAC_address on interface interface_name with existing ARP entry IP_address /MAC_address

Explanation The Secure Firewall Threat Defense device received an ARP packet, and the MAC address in the packet differs from the ARP cache entry.

Recommended Action This traffic might be legitimate, or it might indicate that an ARP poisoning attack is in progress. Check the source MAC address to determine where the packets are coming from and to see if they belong to a valid host.

Error Message %FTD-4-405002: Received mac mismatch collision from IP_address /MAC_address for authenticated host

Explanation This packet appears for one of the following conditions:

• The Secure Firewall Threat Defense device received a packet with the same IP address, but a different MAC address from one of its uauth entries.
• You configured the vpnclient mac-exempt command on the Secure Firewall Threat Defense device, and the Secure Firewall Threat Defense device received a packet with an exempt MAC address, but a different IP address from the corresponding uauth entry.

Recommended Action This traffic might be legitimate, or it might indicate that a spoofing attack is in progress. Check the source MAC address and IP address to determine where the packets are coming from and if they belong to a valid host.

Error Message %FTD-4-405003: IP address collision detected between host IP_address at MAC_address and interface interface_name , MAC_address .

Explanation A client IP address in the network is the same as the Secure Firewall Threat Defense interface IP address.

Recommended Action Change the IP address of the client.

Error Message %FTD-4-405101: Unable to Pre-allocate H225 Call Signalling Connection for foreign_address outside_address [/outside_port ] to local_address inside_address [/inside_port ]

Explanation The module failed to allocate RAM system memory while starting a connection or has no more address translation slots available.

Recommended Action If this message occurs periodically, it can be ignored. You can check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translates and connections. This error message may also be caused by insufficient memory; try reducing the amount of memory usage, or purchasing additional memory. If the problem persists, contact the Cisco TAC.

Error Message %FTD-4-405102: Unable to Pre-allocate H245 Connection for foreign_address outside_address [/outside_port ] to local_address inside_address [/inside_port ]

Explanation The Secure Firewall Threat Defense device failed to allocate RAM system memory while starting a connection or has no more address translation slots available.

Recommended Action Check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translations and connections. In addition, reduce the amount of memory usage, or purchase additional memory. If this message occurs periodically, it can be ignored. If the problem persists, contact the Cisco TAC.

Error Message %FTD-4-405103: H225 message from source_address/source_port to dest_address /dest_port contains bad protocol discriminator hex

Explanation The Secure Firewall Threat Defense device is expecting the protocol discriminator, 0x08, but it received something other than 0x08. The endpoint may be sending a bad packet, or received a message segment other than the first segment. The packet is allowed through.

Recommended Action None required.

Error Message %FTD-4-405104: H225 message received from outside_address /outside_port to inside_address /inside_port before SETUP

Explanation An H.225 message was received out of order, before the initial SETUP message, which is not allowed. The Secure Firewall Threat Defense device must receive an initial SETUP message for that H.225 call signalling channel before accepting any other H.225 messages.

Recommended Action None required.

Error Message %FTD-4-405105: H323 RAS message AdmissionConfirm received from source_address /source_port to dest_address /dest_port without an AdmissionRequest

Explanation A gatekeeper has sent an ACF, but the Secure Firewall Threat Defense device did not send an ARQ to the gatekeeper.

Recommended Action Check the gatekeeper with the specified source_address to determine why it sent an ACF without receiving an ARQ from the Secure Firewall Threat Defense device.

Error Message %FTD-4-406001: FTP port command low port: IP_address /port to IP_address on interface interface_name

Explanation A client entered an FTP port command and supplied a port less than 1024 (in the well-known port range usually devoted to server ports). This is indicative of an attempt to avert the site security policy. The Secure Firewall Threat Defense device drops the packet, terminates the connection, and logs the event.

Recommended Action None required.

Error Message %FTD-4-406002: FTP port command different address: IP_address(IP_address ) to IP_address on interface interface_name

Explanation A client entered an FTP port command and supplied an address other than the address used in the connection. An attempt to avert the site security policy occurred. For example, an attacker might attempt to hijack an FTP session by changing the packet on the way, and putting different source information instead of the correct source information. The Secure Firewall Threat Defense device drops the packet, terminates the connection, and logs the event. The address in parentheses is the address from the port command.

Recommended Action None required.

Error Message %FTD-4-407001: Deny traffic for local-host interface_name :inside_address , license limit of number exceeded

Explanation The host limit was exceeded. An inside host is counted toward the limit when one of the following conditions is true:

• The inside host has forwarded traffic through the Secure Firewall Threat Defense device within the last five minutes.
• The inside host has reserved an xlate connection or user authentication at the Secure Firewall Threat Defense device.

Recommended Action The host limit is enforced on the low-end platforms. Use the show version command to view the host limit. Use the show local-host command to view the current active hosts and the inside users that have sessions at the Secure Firewall Threat Defense device. To forcefully disconnect one or more users, use the clear local-host command. To expire the inside users more quickly from the limit, set the xlate, connection, and uauth timeouts to the recommended values or lower as given in the table below:

Error Message %FTD-4-407002: Embryonic limit nconns /elimit for through connections exceeded.outside_address /outside_port to global_address (inside_address )/inside_port on interface interface_name

Explanation The number of connections from a specified foreign address over a specified global address to the specified local address exceeded the maximum embryonic limit for that static. The Secure Firewall Threat Defense device tries to accept the connection if it can allocate memory for that connection. It proxies on behalf of the local host and sends a SYN_ACK packet to the foreign host. The Secure Firewall Threat Defense device retains pertinent state information, drops the packet, and waits for the acknowledgment from the client. The message might indicate legitimate traffic or that a DoS attack is in progress.

Recommended Action Check the source address to determine where the packets are coming from and whether or not a valid host is sending them.

Error Message %FTD-4-407003: Established limit for RPC services exceeded number

Explanation The Secure Firewall Threat Defense device tried to open a new hole for a pair of RPC servers or services that have already been configured after the maximum number of holes has been met.

Recommended Action Wait for other holes to be closed (through associated timeout expiration), or limit the number of active pairs of servers or services.

Error Message %FTD-4-408001: IP route counter negative - reason , IP_address Attempt: number

Explanation An attempt to decrement the IP route counter into a negative value failed.

Recommended Action Enter the clear ip route command to reset the route counter. If the problem persists, contact the Cisco TAC.

Error Message %FTD-4-408002: ospf process id route type update address1 netmask1 [distance1/metric1 ] via source IP :interface1 address2 netmask2 [distance2 /metric2 ] interface2

Explanation A network update was received from a different interface with the same distance and a better metric than the existing route. The new route overrides the existing route that was installed through another interface. The new route is for redundancy purposes only and means that a path has shifted in the network. This change must be controlled through topology and redistribution. Any existing connections affected by this change are probably disabled and will time out. This path shift only occurs if the network topology has been specifically designed to support path redundancy, in which case it is expected.

Recommended Action None required.

Error Message %FTD-4-408003: can't track this type of object hex

Explanation A component of the tracking system has encountered an object type that is not supported by the component. A STATE object was expected.

• hex —A hexidecimal value(s) depicting variable value(s) or addresses in memory

Recommended Action Reconfigure the track object to make it a STATE object.

Error Message %FTD-4-408101: KEYMAN : Type encrption_type encryption unknown. Interpreting keystring as literal.

Explanation The format type was not recognized by the system. A keystring format type value of 0 (unencrypted keystring) or 7 (hidden keystring), followed by a space, can precede the actual keystring to indicate its format. An unknown type value will be accepted, but the system will consider the keystring as being unencrypted.

Recommended Action Use the correct format for the value type or remove the space following the value type.

Error Message %FTD-4-408102: KEYMAN : Bad encrypted keystring for key id key_id.

Explanation The system could not successfully decrypt an encrypted keystring. The keystring may have been corrupted during system configuration.

Recommended Action Re-enter the key-string command, and reconfigure the key string.

Error Message %FTD-4-409001: Database scanner: external LSA IP_address netmask is lost, reinstalls

Explanation The software detected an unexpected condition. The router will take corrective action and continue.

Recommended Action None required.

Error Message %FTD-4-409002: db_free: external LSA IP_address netmask

Explanation An internal software error occurred.

Recommended Action None required.

Error Message %FTD-4-409003: Received invalid packet: reason from IP_address , interface_name

Explanation An invalid OSPF packet was received. Details are included in the error message. The cause might be an incorrect OSPF configuration or an internal error in the sender.

Recommended Action Check the OSPF configuration of the receiver and the sender configuration for inconsistency.

Error Message %FTD-4-409004: Received reason from unknown neighbor IP_address

Explanation The OSPF hello, database description, or database request packet was received, but the router cannot identify the sender.

Recommended Action None required.

Error Message %FTD-4-409005: Invalid length number in OSPF packet from IP_address (ID IP_address ), interface_name

Explanation The Secure Firewall Threat Defense device received an OSPF packet with a field length of less than normal header size or that was inconsistent with the size of the IP packet in which it arrived. This indicates a configuration error in the sender of the packet.

Recommended Action From a neighboring address, locate the problem router and reboot it.

Error Message %FTD-4-409006: Invalid lsa: reason Type number , LSID IP_address from IP_address , IP_address , interface_name

Explanation The router received an LSA with an invalid LSA type. The cause is either memory corruption or unexpected behavior on a router.

Recommended Action From a neighboring address, locate the problem router and reboot it. If the problem persists, contact the Cisco TAC.

Error Message %FTD-4-409007: Found LSA with the same host bit set but using different mask LSA ID IP_address netmask New: Destination IP_address netmask

Explanation An internal software error occurred.

Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.

Error Message %FTD-4-409008: Found generating default LSA with non-zero mask LSA type: number Mask: netmask metric: number area: string

Explanation The router tried to generate a default LSA with an incorrect mask and possibly incorrect metric because an internal software error occurred.

Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.

Error Message %FTD-4-409009: OSPF process number cannot start. There must be at least one up IP interface, for OSPF to use as router ID

Explanation OSPF failed while attempting to allocate a router ID from the IP address of one of its interfaces.

Recommended Action Make sure that there is at least one interface that is up and has a valid IP address. If there are multiple OSPF processes running on the router, each requires a unique router ID. You must have enough interfaces up so that each of them can obtain a router ID.

Error Message %FTD-4-409010: Virtual link information found in non-backbone area: string

Explanation An internal error occurred.

Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.

Error Message %FTD-4-409011: OSPF detected duplicate router-id IP_address from IP_address on interface interface_name

Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established.

Recommended Action The OSPF router ID should be unique. Change the neighbor router ID.

Error Message %FTD-4-409012: Detected router with duplicate router ID IP_address in area string

Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established.

Recommended Action The OSPF router ID should be unique. Change the neighbor router ID.

Error Message %FTD-4-409013: Detected router with duplicate router ID IP_address in Type-4 LSA advertised by IP_address

Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established.

Recommended Action The OSPF router ID should be unique. Change the neighbor router ID.

Error Message %threat defense-4-409014: No valid authentication send key is available on interface nameif.

Explanation The authentication key configured on the interface is not valid.

Recommended Action Configure a new key.

Error Message %threat defense-4-409015: Key ID key-id received on interface nameif.

Explanation The ID is not found in the configured key chain.

Recommended Action Configure a new security association with the Key ID.

Error Message %threat defense-4-409016: Key chain name key-chain-name on nameif is invalid.

Explanation The key-chain name configured under OSPF interface does not match global key chain configuration.

Recommended ActionFix configuration. Either remove OSPF authentication command or configure key chain in global configuration mode.

Error Message %threat defense-4-409017: Key ID key-id in key chain key-chain-name is invalid.

Explanation The Key ID configured in the key chain is out of range for OSPF. This may happen because the key chain allows Key ID values of the range which is not acceptable for OSPF.

Recommended Action Configure a new security association with a Key ID that is in the range 1-255.

Error Message %FTD-4-409023: Attempting AAA Fallback method method_name for request_type request for user user :Auth-server group server_tag unreachable

Explanation An authentication or authorization attempt to an external server has failed and will be performed using the local user database.

• aaa_operation—Either authentication or authorization
• username—The user associated with the connection
• server_group—The name of the AAA server whose servers were unreachable

Recommended Action Investigate any connectivity problems with the AAA servers configured in the first method. Ping the authentication servers from the Secure Firewall Threat Defense device. Make sure that the daemons are running on the AAA server.

Error Message %FTD-4-409101: Received invalid packet: s from P , s

Explanation An invalid OSPF packet was received. Details are included in the error message. The cause might be a misconfigured OSPF or an internal error in the sender.

Recommended Action Check the OSPF configuration of the receiver and the sender for inconsistencies.

Error Message %FTD-4-409102: Received packet with incorrect area from P , s , area AREA_ID_STR , packet area AREA_ID_STR

Explanation An OSPF packet was received with an area ID in its header that does not match the area of this interface.

Recommended Action Check the OSPF configuration of the receiver and the sender for inconsistencies.

Error Message %FTD-4-409103: Received s from unknown neighbor i

Explanation An OSPF hello, database description, or database request packet was received, but the router could not identify the sender.

Recommended Action None required.

Error Message %FTD-4-409104: Invalid length d in OSPF packet type d from P (ID i ), s

Explanation The system received an OSPF packet with a length field of less than normal header size or inconsistent with the size of the IP packet in which it arrived. An error in the sender of the packet has occurred.

Recommended Action None required.

Error Message %FTD-4-409105: Invalid lsa: s : Type 0x x , Length 0x x , LSID u from i

Explanation The router received an LSA with invalid data. The LSA includes an invalid LSA type, incorrect checksum, or incorrect length, which is caused by either memory corruption or unexpected behavior on a router.

Recommended Action From a neighboring address, locate the problem router and do the following:

• Collect a running configuration of the router by entering the show running-config command.
• Enter the show ipv6 ospf database command to gather data that may help identify the nature of the error.
• Enter the show ipv6 ospf database link-state-id command. The link-state-id argument is the IP address of the invalid LSA.
• Enter the show logging command to gather data that may help identify the nature of the error.
• Reboot the router.

If you cannot determine the nature of the error from the collected information, contact the Cisco TAC and provide the gathered information.

Error Message %FTD-4-409106: Found generating default LSA with non-zero mask LSA type: 0x x Mask: i metric: lu area: AREA_ID_STR

Explanation The router tried to generate the default LSA with the incorrect mask and possibly an incorrect metric because of an internal software error.

Recommended Action None required.

Error Message %FTD-4-409107: OSPFv3 process d could not pick a router-id, please configure manually

Explanation OSPFv3 failed while attempting to allocate a router ID from the IP address of one of its interfaces.

Recommended Action Make sure that there is at least one interface that is up and has a valid IP address. If there are multiple OSPF processes running on the router, each requires a unique router ID. You must have enough up interfaces so that each of them can obtain a router ID.

Error Message %FTD-4-409108: Virtual link information found in non-backbone area: AREA_ID_STR

Explanation An internal error has occurred.

Recommended Action None required.

Error Message %FTD-4-409109: OSPF detected duplicate router-id i from P on interface IF_NAME

Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established. The OSPF router ID should be unique.

Recommended Action Change the neighbor router ID.

Error Message %FTD-4-409110: Detected router with duplicate router ID i in area AREA_ID_STR

Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established. The OSPF router ID should be unique.

Recommended Action Change the neighbor router ID.

Error Message %FTD-4-409111: Multiple interfaces (IF_NAME /IF_NAME ) on a single link detected.

Explanation OSPFv3 enabled on multiple interfaces that are on the same link is not supported.

Recommended Action OSPFv3 should be disabled or made passive on all except one of the interfaces.

Error Message %FTD-4-409112: Packet not written to the output queue

Explanation An internal error has occurred.

Recommended Action None required.

Error Message %FTD-4-409113: Doubly linked list linkage is NULL

Explanation An internal error has occurred.

Recommended Action None required.

Error Message %FTD-4-409114: Doubly linked list prev linkage is NULL x

Explanation An internal error has occurred.

Recommended Action None required.

Error Message %FTD-4-409115: Unrecognized timer d in OSPF s

Explanation An internal error has occurred.

Recommended Action None required.

Error Message %FTD-4-409116: Error for timer d in OSPF process s

Explanation An internal error has occurred.

Recommended Action None required.

Error Message %FTD-4-409117: Can't find LSA database type x , area AREA_ID_STR , interface x

ExplanationAn internal error has occurred.

Recommended Action None required.

Error Message %FTD-4-409118: Could not allocate DBD packet

ExplanationAn internal error has occurred.

Recommended Action None required.

Error Message %FTD-4-409119: Invalid build flag x for LSA i , type 0x x

ExplanationAn internal error has occurred.

Recommended ActionNone required.

Error Message %FTD-4-409120: Router-ID i is in use by ospf process d

Explanation The Secure Firewall Threat Defense device attempted to assign a router ID that is in use by another process.

Recommended ActionConfigure another router ID for one of the processes.

Error Message %FTD-4-409121: Router is currently an ASBR while having only one area which is a stub area

Explanation An ASBR must be attached to an area that can carry AS External or NSSA LSAs.

Recommended ActionMake the area to which the router is attached into an NSSA or regular area.

Error Message %FTD-4-409122: Could not select a global IPv6 address. Virtual links require at least one global IPv6 address.

ExplanationA virtual link was configured. For the virtual link to function, a global IPv6 address must be available. However, no global IPv6 address could be found on the router.

Recommended ActionConfigure a global IPv6 address on an interface on this router.

Error Message %FTD-4-409123: Neighbor command allowed only on NBMA networks

ExplanationThe neighbor command is allowed only on NBMA networks.

Recommended ActionCheck the configuration options for the neighbor command, and correct the options or the network type for the neighbor interface.

Error Message %FTD-4-409125: Can not use configured neighbor: poll and priority options are allowed only for a NBMA network

ExplanationThe configured neighbor was found on a point-to-multipoint network and either the poll or priority option was configured. These options are only allowed on NBMA type networks.

Recommended ActionCheck the configuration options for the neighbor command, and correct the options or the network type for the neighbor interface.

Error Message %FTD-4-409128: OSPFv3-d Area AREA_ID_STR : Router i originating invalid type 0x x LSA, ID u , Metric d on Link ID d Link Type d

ExplanationThe router indicated in this message has originated an LSA with an invalid metric. If this is a router LSA and the link metric is zero, a risk of routing loops and traffic loss exists in the network.

Recommended ActionConfigure a valid metric for the given LSA type and link type on the router that originated the reported LSA.

Error Message %FTD-4-410001: UDP DNS request from source_interface :source_address /source_port to dest_interface :dest_address /dest_port ; (label length | domain-name length)number bytes exceeds remaining packet length of 63 bytes.

Explanation The label length exceeds bytes in a UDP DNS packet. See RFC 1035, section 2.3.4 for more information. .

Recommended Action Create the policy-map and add a custom DNS class-map to match traffic and exclude it from inspection to allow packets exceeding the label length.

Error Message %FTD-4-411001: Line protocol on interface interface_name changed state to up

Explanation The status of the line protocol has changed from down to up . If interface_name is a logical interface name such as inside and outside, this message indicates that the logical interface line protocol has changed from down to up . If interface_name is a physical interface name such as Ethernet0 and GigabitEthernet0/1, this message indicates that the physical interface line protocol has changed from down to up .

Recommended Action None required.

Error Message %FTD-4-411002:Line protocol on interface interface_name changed state to down

Explanation The status of the line protocol has changed from up to down. If interface_name is a logical interface name such as inside and outside, this message indicates that the logical interface line protocol has changed from up to down. In this case, the physical interface line protocol status is not affected. If interface_name is a physical interface name such as Ethernet0 and GigabitEthernet0/1, this message indicates that the physical interface line protocol has changed from up to down.

Recommended Action If this is an unexpected event on the interface, check the physical line.

Error Message %FTD-4-411003: Configuration status on interface interface_name changed state to downup

Explanation The configuration status of the interface has changed from down to up.

Recommended Action If this is an unexpected event, check the physical line.

Error Message %FTD-4-411004: Configuration status on interface interface_name changed state to up

Explanation The configuration status of the interface has changed from down to up.

Recommended Action None required.

Error Message %FTD-4-411005: Interface variable 1 experienced a hardware transmit hang. The interface has been reset.

Explanation The interface experienced a hardware transmit freeze that required a reset of the Ethernet controller to restore the interface to full operation.

• variable 1 —The interface name, such as GigabitEthernet0/0

Recommended Action None required.

Error Message %FTD-4-412001:MAC MAC_address moved from interface_1 to interface_2

Explanation A host move was detected from one module interface to another. In a transparent Secure Firewall Threat Defense, mapping between the host (MAC) and Secure Firewall Threat Defense port is maintained in a Layer 2 forwarding table. The table dynamically binds packet source MAC addresses to an Secure Firewall Threat Defense port. In this process, whenever movement of a host from one interface to another interface is detected, this message is generated.

Recommended Action The host move might be valid or might be an attempt to spoof host MACs on other interfaces. If it is a MAC spoof attempt, you can either locate vulnerable hosts on your network and remove them or configure static MAC entries, which will not allow MAC address and port binding to change. If it is a genuine host move, no action is required.

Error Message %FTD-4-412002:Detected bridge table full while inserting MAC MAC_address on interface interface . Number of entries = num

Explanation The bridge table was full and an attempt was made to add one more entry. The Secure Firewall Threat Defense device maintains a separate Layer 2 forwarding table per context and the message is generated whenever a context exceeds its size limit. The MAC address will be added, but it will replace the oldest existing dynamic entry (if available) in the table. This might be an attempted attack.

Recommended Action Make sure that the new bridge table entries are valid. In case of attack, use EtherType ACLs to control access to vulnerable hosts.

Error Message %FTD-4-413001: Module module_id is not able to shut down. Module Error: errnum message

Explanation The module identified by module_id was not able to comply with a request from the Secure Firewall Threat Defense system module to shut down. It may be performing a task that cannot be interrupted, such as a software upgrade. The errnum and message text describes the reason why the module cannot shut down, and the recommended corrective action.

Recommended Action Wait for the task on the module to complete before shutting down the module, or use the session command to access the CLI on the module, and stop the task that is preventing the module from shutting down.

Error Message %FTD-4-413002: Module module_id is not able to reload. Module Error: errnum message

Explanation The module identified by module_id was not able to comply with a request from the Secure Firewall Threat Defense module to reload. It may be performing a task that cannot be interrupted, such as a software upgrade. The errnum and message text describes the reason why the module cannot reload, and the recommended corrective action.

Recommended Action Wait for the task on the module to complete before reloading the module, or use the session command to access the CLI on the module and stop the task that is preventing the module from reloading.

Error Message %FTD-4-413003: Module string one is not a recognized type

Explanation A module was detected that is not recognized as a valid module type.

Recommended Action Upgrade to a version of Secure Firewall Threat Defense software that supports the module type installed.

Error Message %FTD-4-413004: Module string one failed to write software newver (currently ver ), reason . Trying again.

Explanation The module failed to accept a software version, and will be transitioned to an UNRESPONSIVE state. Another attempt will be made to update the module software.

• >string one— The text string that specifies the module
• >newver —The new version number of software that was not successfully written to the module (for example, 1.0(1)0)
• >ver —The current version number of the software on the module (for example, 1.0(1)0)
• >reason —The reason the new version cannot be written to the module. The possible values for >reason include the following:

- write failure

- failed to create a thread to write the image

Recommended Action None required. Subsequent attempts will either generate a message indicating a successful update or failure. You may verify the module transitions to UP after a subsequent update attempt by using the show module command.

Error Message %FTD-4-413005: Module module_id , application is not supported app_name version app_vers type app_type

Error Message %FTD-4-413005: Module prod_id in slot slot_num , application is not supported app_name version app_vers type app_type

Explanation The module installed in slot slot_num was running an unsupported application version or type.

• module_id— The name of the software services module
• prod_id —Product ID string
• slot_num —The slot number in which the module is installed. Slot 0 indicates the system main board, and slot 1 indicates the module installed in the expansion slot.
• app_name —Application name (string)
• app_vers —Application version (string)
• app_type —Application type (decimal)

Recommended Action If the problem persists, contact the Cisco TAC.

Error Message %FTD-4-413006: prod-id Module software version mismatch; slot slot is prod-id version running-vers . Slot slot prod-id requires required-vers .

Explanation The version of software running on the module in slot slot was not the version required by another module.

• slot —Slot 0 indicates the system main board. Slot 1 indicates the module installed in the expansion slot.
• prod_id —Product ID string for the device installed in slot slot
• running_vers —Version of software currently running on the module installed in slot slot
• required_vers —Version of software required by the module in slot slot

Recommended Action If the problem persists, contact the Cisco TAC.

Error Message %FTD-3-414001: Failed to save logging buffer using file name filename to FTP server ftp_server_address on interface interface_name : [fail_reason ]

Explanation The logging module failed to save the logging buffer to an external FTP server.

Recommended Action Take applicable actions based on the failed reason:

• Protocol error—Make sure no connectivity issue exists between the FTP server and Secure Firewall Threat Defense device, and that the FTP sever can accept the FTP port command and PUT requests.
• Invalid username or password—Make sure that the configured FTP client username and password are correct.
• All other errors—If the problem persists, contact the Cisco TAC.

Error Message %FTD-3-414002: Failed to save logging buffer to flash:/syslog directory using file name: filename : [fail_reason ]

Explanation The logging module failed to save the logging buffer to system flash.

Recommended Action If the failed reason is caused by insufficient space, check the flash free space, and make sure that the configured limits of the logging flash-size command are set correctly. If the error is a flash file system I/O error, then contact the Cisco TAC for assistance.

Error Message %FTD-3-414003: TCP Syslog Server intf : IP_Address /port not responding. New connections are [permitted|denied] based on logging permit-hostdown policy.

Explanation The TCP syslog server for remote host logging was successful, is connected to the server, and new connections are permitted or denied based on the logging permit-hostdown policy. If the logging permit-hostdown policy is configured, a new connection is permitted. If not configured, a new connection is denied.

• intf —Interface of the Secure Firewall Threat Defense device to which the server is connected
• IP_Address —IP address of the remote TCP syslog server
• port —Port of the remote TCP syslog server

Recommended Action Validate that the configured TCP syslog server is up. To permit new connections, configure the logging permit-hostdown policy. To deny new connections, do not configure the logging permit-hostdown policy.

Error Message %FTD-3-414005: TCP Syslog Server intf : IP_Address /port connected, New connections are permitted based on logging permit-hostdown policy

Explanation The TCP syslog server for remote host logging was successful, is connected to the server, and new connections are permitted based on the logging permit-hostdown policy. If the logging permit-hostdown policy is configured, a new connection is permitted.

• intf —Interface of the Secure Firewall Threat Defense device to which the server is connected
• IP_Address —IP address of the remote TCP syslog server
• port —Port of the remote TCP syslog server

Recommended Action None required.

Error Message %FTD-3-414006: TCP Syslog Server configured and logging queue is full. New connections denied based on logging permit-hostdown policy.

Explanation The logging queue is close to reaching the configured limit, so there is a risk that syslog messages will be discarded.

Recommended Action See the "Configuring the Logging Queue" section in the CLI configuration guide for information about how to tune the queue size to avoid this situation. If you want to deny new connections in this case, use the no logging permit-hostdown command. If you want to allow new connections in this case, use the logging permit-hostdown command.

Error Message %FTD-5-415020: HTTP - matched matched_string in policy-map map_name , a non-ASCII character was matched connection_action from int_type :IP_address /port_num to int_type :IP_address /port_num

Explanation A non-ASCII character was found.

• matched_string—The matched string is one of the following:

- The class map ID, followed by the name of the class map. This string appears when the class map is user configured.

- The actual match command that initiated the message. This string appears when the class map is internal.

• map_name —The name of the policy map
• connection_action —Dropping the connection or resetting the connection
• interface_type —The type of interface (for example, DMZ or outside)
• IP_address —The IP address of the interface
• port_num —The port number

Recommended Action Enter the match {request | response} header non-ascii command to correct the problem.

Error Message %FTD-4-417001: Unexpected event received: number

Explanation A process received a signal, but no handler was found for the event.

Recommended Action If the problem persists, contact the Cisco TAC.

Error Message %FTD-4-417004: Filter violation error: conn number (string :string ) in string

Explanation A client tried to modify a route attribute that the client does not own.

Recommended Action If the problem persists, contact the Cisco TAC.

Error Message %FTD-4-417006: No memory for string ) in string . Handling: string

Explanation An operation failed because of low memory, but will be handled with another mechanism.

Recommended Action If the problem persists, contact the Cisco TAC.

Error Message %FTD-4-418001: Through-the-device packet to/from management-only network is denied: protocol_string from interface_name IP_address (port) [([idfw_user |FQDN_string ], sg_info )] to interface_name IP_address (port) [(idfw_user |FQDN_string ), sg_info ]

Explanation A packet from the specified source to the destination was dropped because it is traversing the Secure Firewall Threat Defense device to and from the management-only network.

• protocol_string—TCP, UDP, ICMP, or protocol ID as a number in decimal
• interface_name— Interface name
• IP_address—IP address
• port—Port number
• sg_info —Security group name or tag for the specified IP address

Recommended Action Determine who is generating this packet and why.

Error Message %FTD-4-419001: Dropping TCP packet from src_ifc :src_IP /src_port to dest_ifc :dest_IP /dest_port , reason : MSS exceeded, MSS size , data size

Explanation The length of the TCP packet exceeded the MSS advertised in the three-way handshake.

• >src_ifc— Input interface name
• >src_IP— The source IP address of the packet
• >src_port— The source port of the packet
• >dest_ifc— The output interface name
• >dest_IP— The destination IP address of the packet
• >dest_port— The destination port of the packet

Recommended Action If there is a need to allow packets that exceed the MSS, create a TCP map using the exceed-mss command, as in the following example:

ciscoftd# access-list http-list permit tcp any host server_ip eq 80
ciscoftd# class-map http
 ciscoftd# match access-list http-list
 ciscoftd# tcp-map tmap
ciscoftd# exceed-mss allow
ciscoftd# policy-map global_policy
ciscoftd# class http
ciscoftd# set connection advanced-options tmap

Error Message %FTD-4-419002: Received duplicate TCP SYN from in_interface :src_address /src_port to out_interface :dest_address /dest_port with different initial sequence number.

Explanation A duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number from the SYN that opened the embryonic connection. This may indicate that SYNs are being spoofed. This message occurs in Release 7.0.4.1 and later.

• in_interface—The input interface
• src_address—The source IP address of the packet
• src_port—The source port of the packet
• out_interface—The output interface
• dest_address—The destination IP address of the packet
• dest_port—The destination port of the packet

Recommended Action None required.

Error Message %FTD-4-419003: Cleared TCP urgent flag from out_ifc :src_ip /src_port to in_ifc :dest_ip /dest_port.

Explanation A duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number from the SYN that opened the embryonic connection. This may indicate that SYNs are being spoofed. This message occurs in Release 7.0.4.1 and later.

• in_ifc—The input interface
• src_ip—The source IP address of the packet
• src_port—The source port of the packet
• out_ifc—The output interface
• dest_ip—The destination IP address of the packet
• dest_port—The destination port of the packet

Recommended Action If you need to keep the urgent flag in TCP headers, use the urgent-flag allow command in TCP map configuration mode.

Error Message %FTD-7-419003: Cleared TCP urgent flag.

Explanation This syslog is displayed when urgent flag or urgent pointer of tcp packet is cleared. This could be due to user configuration (tcp-map) or having some value for the urgent pointer in a tcp packet but the urgent flag is not set.

Recommended Action Verify if the tcp-map configurations whether the urget flag is set to clear.

Error Message %FTD-6-419004: TCP connection ID from src_ifc:src_ip/src_port to dst_ifc:dst_ip/dst_port is probed by DCD

Explanation

A TCP connection was probed by Dead Connection Detection (DCD) to determine if connection was still valid.

Recommended Action None.

Error Message %FTD-6-419005: TCP connection ID from src_ifc:src_ip/src_port duration hh:mm:ss data bytes,  is kept open by DCD as valid connection

Explanation

A TCP connection was kept open by Dead Connection Detection (DCD) as a valid connection.

Recommended Action None.

Error Message %FTD-6-419006:TCP connection ID from src_ifc:src_ip/src_port to dst_ifc:dst_ip/dst_port durationhh:mm:ss data bytes,  DCD probe was not responded from client/server interface ifc_name

Explanation

A TCP connection was closed by Dead Connection Detection (DCD) as it is no longer required.

Recommended Action None.

Error Message %FTD-6-421005: interface_name :IP_address is counted as a user of application

Explanation A host has been counted toward the license limit. The specified host was counted as a user of application. The total number of users in 24 hours is calculated at midnight for license validation.

• interface_name—The interface name
• IP_address—The IP address
• application—The CSC SSM

Recommended Action None required. However, if the overall count exceeds the user license that you have purchased, contact the Cisco TAC to upgrade your license.

Error Message %FTD-3-421007: TCP|UDP flow from interface_name :IP_address /port to interface_name :IP_address /port is skipped because application has failed.

Explanation A flow was skipped because the service module application has failed. By default, this message is rate limited to 1 message every 10 seconds.

• IP_address—The IP address
• port—The port number
• interface_name—The name of the interface on which the policy is applied
• application—The CSC SSM

Recommended Action Determine the problem with the service module.

Error Message %FTD-4-422004: IP SLA Monitor number0 : Duplicate event received. Event number number1

Explanation The IP SLA monitor process has received a duplicate event. Currently, this message applies to destroy events. Only one destroy request will be applied. This is only a warning message.

• number0 —The SLA operation number
• number1 —The SLA operation event ID

Recommended Action If this recurs, enter the show sla monitor configuration SLA_operation_id command and copy the output of the command. Copy the message as it appears on the console or in the system log. Then contact the Cisco TAC and provide the representative with the information that you have, along with information about the application that is configuring and polling the SLA probes.

Error Message %FTD-4-422005: IP SLA Monitor Probe(s) could not be scheduled because clock is not set.

Explanation One or more IP SLA monitor probes cannot be scheduled because the system clock was not set.

Recommended Action Make sure that the system clock is functional by using NTP or another mechanism.

Error Message %FTD-4-422006: IP SLA Monitor Probe number : string

Explanation The IP SLA monitor probe cannot be scheduled. Either the configured starting time has already occurred or the starting time is invalid.

• number —The SLA operation ID
• string —A string describing the error

Recommended Action Reschedule the failed probe with a valid start time.

Error Message %FTD-4-424001: Packet denied protocol_string intf_in :src_ip /src_port [([idfw_user | FQDN_string ], sg_info )] intf_out :dst_ip /dst_port [([idfw_user | FQDN_string ], sg_info )]. [Ingress|Egress] interface is in a backup state.

Explanation A packet was dropped because it was traversing the Secure Firewall Threat Defense device to or from a redundant interface. Interface functionality is limited on low-end platforms. The interface specified by the backup interface command can only be a backup for the primary interface configured. If the default route to the primary interface is up, any traffic through the Secure Firewall Threat Defense device from the backup interface will be denied. Conversely, if the default route to the primary interface is down, traffic through the Secure Firewall Threat Defense device from the primary interface will be denied.

• protocol_string —The protocol string; for example, TCP or protocol ID (a decimal number)
• intf_in —The input interface name
• src_ip —The source IP address of the packet
• src_port —The source port of the packet
• intf_out —The output interface name
• dst_ip —The destination IP address of the packet
• dst_port —The destination port of the packet
• sg_info —The security group name or tag for the specified IP address

Recommended Action Determine the source of the denied packet.

Error Message %FTD-4-424002: Connection to the backup interface is denied: protocol_string intf :src_ip /src_port intf :dst_ip /dst_port

Explanation A connection was dropped because it is in a backup state. Interface functionality is limited on low-end platforms. The backup interface can only be a backup for the primary interface specified by the backup interface command. If the default route to the primary interface is up, any connection to the Secure Firewall Threat Defense device through the backup interface will be denied. Conversely, if the default route to the primary interface is down, connections to the Secure Firewall Threat Defense device through the primary interface will be denied.

• protocol_string —The protocol string; for example, TCP or protocol ID (a decimal number)
• intf_in —The input interface name
• src_ip —The source IP address of the packet
• src_port —The source port of the packet
• intf_out —The output interface name
• dst_ip —The destination IP address of the packet
• dst_port —The destination port of the packet

Recommended Action Determine the source of the denied packet.

Error Message %FTD-6-425001 Redundant interface redundant _interface_name created.

Explanation The specified redundant interface was created in the configuration.

• redundant_interface_name —Redundant interface name

Recommended Action None required.

Error Message %FTD-6-425002 Redundant interface redundant _interface_name removed.

Explanation The specified redundant interface was removed from the configuration.

• redundant_interface_name —Redundant interface name

Recommended Action None required.

Error Message %FTD-6-425003 Interface interface_name added into redundant interface redundant _interface_name .

Explanation The specified physical interface was added to the specified redundant interface as a member interface.

• interface_name —An interface name
• redundant_interface_name —Redundant interface name

Recommended Action None required.

Error Message %FTD-6-425004 Interface interface_name removed from redundant interface redundant _interface_name .

Explanation The specified redundant interface was removed from the specified redundant interface.

• interface_name —An interface name
• redundant_interface_name —Redundant interface name

Recommended Action None required.

Error Message %FTD-5-425005 Interface interface_name become active in redundant interface redundant _interface_name

Explanation Within a redundant interface, one member interface is the active member. Traffic only passes through the active member interface. The specified physical interface became the active member of the specified redundant interface. Member interface switchover occurs when one of the following is true:

• • The redundant-interface interface-name active-member interface-name command was executed.
  • The active member interface is down, while the standby member interface is up.
  • The standby member interface comes up (from down), while the active member interface remains down.
• interface_name —An interface name
• redundant_interface_name —Redundant interface name

Recommended Action Check the status of the member interfaces.

Error Message %FTD-3-425006 Redundant interface redundant _interface_name switch active member to interface_name failed.

Explanation An error occurred when member interface switchover was attempted.

• redundant_interface_name —Redundant interface name
• interface_name —An interface name

Recommended Action If the problem persists, contact the Cisco TAC.

Error Message %FTD-6-426001: PORT-CHANNEL:Interface ifc_name bundled into EtherChannel interface Port-channel num

Explanation The interface port-channel num or the channel-group num mode mode command has been used on a nonexistent port channel.

• ifc_name —The EtherChannel interface name
• num —The port channel number

Recommended Action None required.

Error Message %FTD-6-426002: PORT-CHANNEL:Interface ifc_name unbundled from EtherChannel interface Port-channel num

Explanation The no interface port-channel num command has been used.

• ifc_name —The EtherChannel interface name
• num— The port channel number

Recommended Action None required.

Error Message %FTD-6-426003: PORT-CHANNEL:Interface ifc_name1 has become standby in EtherChannel interface Port-channel num

Explanation The channel-group num mode mode command has been used.

• ifc_name1 —The EtherChannel interface name
• num —The port channel number

Recommended Action None required.

Error Message %FTD-4-426004: PORT-CHANNEL: Interface ifc_name1 is not compatible with ifc_name and will be suspended (speed of ifc_name1 is X Mbps, Y is 1000 Mbps).

Error Message %FTD-4-426004: Interface ifc_name1 is not compatible with ifc_name1 and will be suspended (ifc_name1 is Full-duplex, ifc_name1 is Half-duplex)

Explanation The channel-group num mode mode command is executed on a physical interface and there is a speed or duplex mismatch of this physical interface with that of the port channel.

• ifc_name —The interface that is being added to the port channel
• ifc_name1 —The interface that is already in the port channel and in a bundled state

Recommended Action Do one of the following:

• Change the speed of the physical interface to that of the port channel and execute the channel-group num mode mode command again.
• Leave the member interface in a suspended state. When the last active member is removed, then that member will try to reestablish LACP on the suspended member.

Error Message %FTD-6-426101: PORT-CHANNEL:Interface ifc_name is allowed to bundle into EtherChannel interface port-channel id by CLACP

Explanation A port has been bundled in a span-cluster channel group.

Recommended Action None required.

Error Message %FTD-6-426102: PORT-CHANNEL:Interface ifc_name is moved to standby in EtherChannel interface port-channel id by CLACP

Explanation A port has been moved to hot-standby state in a span-cluster channel group.

Recommended Action None required.

Error Message %FTD-6-426103: PORT-CHANNEL:Interface ifc_name is selected to move from standby to bundle in EtherChannel interface port-channel id by CLACP

Explanation A standby port has been selected to move to bundled state in a span-cluster channel group.

Recommended Action None required.

Error Message %FTD-6-426104: PORT-CHANNEL:Interface ifc_name is unselected in EtherChannel interface port-channel id by CLACP

Explanation A bundled port has been unbundled in a span-cluster channel group to obtain space for other ports to be bundled.

Recommended Action None required.

Error Message %FTD-6-428002: WAAS confirmed from in_interface :src_ip_addr/src_port to out_interface :dest_ip_addr/dest_port , inspection services bypassed on this connection.

Explanation WAAS optimization was detected on a connection. All layer 7 inspection services, including IPS, are bypassed on WAAS-optimized connections.

Recommended Action No action is required if the network includes WAE devices; otherwise, the network administrator should investigate the use of the WAAS option on this connection.

Error Message %FTD-4-429008: Unable to respond to VPN query from CX for session 0x%x . Reason %s

Explanation The CX sent a VPN session query to the Secure Firewall Threat Defense device, but it did not respond either because of an invalid session ID or another reason. Valid reasons can be any of the following:

• TLV length is invalid
• TLV memory allocation failed
• VPN session query message enqueue failed
• VPN session ID is invalid

Recommended Action None required.

Error Message %FTD-4-434001: SFR card not up and fail-close mode used, dropping protocol packet from ingress interface:source IP address /source port to egress interface :destination IP address /destination port

Explanation A packet has been dropped because of a fail-close configuration for the module. Your loss of connectivity for all the flows is caused by redirecting them to the module, because the fail-close configuration is designed to drop all the flows if the module is down.

Recommended Action Try to understand the reason for failure and restore services. Alternatively, you can use the fail-open option even if the card does not recover immediately. Note that in the fail-open configuration, all packets to the module are bypassed if the card status is down.

Error Message %FTD-5-434004: SFR requested threat defense to bypass further packet redirection and process flow from %s:%A/%d to %s:%A/%d locally

Explanation SourceFire (SFR) has determined not to inspect more traffic of a flow and requests the Secure Firewall Threat Defense device to stop redirecting the flow of traffic to SFR.

Recommended Action None Required.

Error Message %FTD-4-446003: Denied TLS Proxy session from src_int :src_ip /src_port to dst_int :dst_ip /dst_port , UC-IME license is disabled.

Explanation The UC-IME license is either on or off. Once enabled, UC-IME can use any number of available TLS sessions, according to the Secure Firewall Threat Defense limit and the K8 export limit.

• src_int —The source interface name (inside or outside)
• src_ip —The source IP address
• src_port —The source port
• dst_int —The destination interface name (inside or outside)
• dst_ip —The destination IP address
• dst_port —The destination port

Recommended Action Check to see if UC-IME is disabled. If so, activate it.

Error Message %FTD-4-447001: ASP DP to CP queue_name was full. Queue length length , limit limit

Explanation This message indicates a particular data path (DP) to control point (CP) event queue is full, and one or more multiple enqueue actions have failed. If the event contains a packet block, such as for CP application inspection, the packet will be dropped by the DP, and a counter from the show asp drop command will increment. If the event is for punt to CP, a typical counter is the Punt no memory ASP-drop counter.

• queue —The name of the DP-CP event queue.
• length —The current number of events on the queue.
• limit —The maximum number of events that are allowed on the queue.

Recommended Action The queue-full condition reflects the fact that the load on the CP has exceeded the CP processing ability, which may or may not be a temporary condition. You should consider reducing the feature load on the CP if this message appears repeatedly. Use the show asp event dp-cp command to identify the features that contribute the most load on the event queue.

Error Message %FTD-4-448001: Denied SRTP crypto session setup on flow from src_int :src_ip /src_port to dst_int :dst_ip /dst_port , licensed K8 SRTP crypto session of limit exceeded

Explanation For a K8 platform, the limit of 250 SRTP crypto sessions is enforced. Each pair of SRTP encrypt or decrypt sessions is counted as one SRTP crypto session. A call is counted toward this limit only when encryption or decryption is required for a medium, which means that if the pass-through is set for the call, even if both legs use SRTP, they are not counted toward this limit.

• src_int —The source interface name (inside or outside)
• src_ip —The source IP address
• src_port —The source port
• dst_int —The destination interface name (inside or outside)
• dst_ip —The destination IP address
• dst_port —The destination port
• limit —The K8 limit of SRTP crypto sessions (250)

Recommended Action None required. You can set up new SRTP crypto sessions only when existing SRTP crypto sessions have been released.