Messages 602101 to 609002
This section includes messages from 602101 to 609002.
602101
Error Message
%FTD-6-602101: PMTU-D packet number bytes greater than effective mtu number dest_addr=dest_address , src_addr=source_address , prot=protocol
Explanation The Secure Firewall Threat Defense device sent an ICMP destination unreachable message and fragmentation is needed.
Recommended Action Make sure that the data is sent correctly.
602103
Error Message %FTD-6-602103: IPSEC: Received an ICMP Destination Unreachable from src_addr with suggested PMTU of rcvd_mtu; PMTU updated for SA with peer peer_addr, SPI spi, tunnel name username, old PMTU old_mtu, new PMTU new_mtu.
Explanation The MTU of an SA was changed. When a packet is received for an IPsec tunnel, the corresponding SA is located and the MTU is updated based on the MTU suggested in the ICMP packet. If the suggested MTU is greater than 0 but less than 256, then the new MTU is set to 256. If the suggested MTU is 0, the old MTU is reduced by 256 or it is set to 256—whichever value is greater. If the suggested MTU is greater than 256, then the new MTU is set to the suggested value.
- src_addr—IP address of the PMTU sender
- rcvd_mtu—Suggested MTU received in the PMTU message
- peer_addr—IP address of the IPsec peer
- spi—IPsec Security Parameter Index
- username—Username associated with the IPsec tunnel
- old_mtu—Previous MTU associated with the IPsec tunnel
- new_mtu—New MTU associated with the IPsec tunnel
Recommended Action None required.
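The update rule in the 602103 explanation can be used to sanity-check collected logs. The following is an added example, not Cisco code: it parses 602103 lines, recomputes the MTU the rule predicts, and flags records that disagree or that sit at the 256 floor. The sample lines, addresses and SPI format are constructed; the function names are hypothetical.

```python
import re

PMTU_FLOOR = 256  # lowest MTU the 602103 explanation allows for an SA

# Field names follow the 602103 message template on this page.
MSG_602103 = re.compile(
    r"%FTD-6-602103: IPSEC: Received an ICMP Destination Unreachable from "
    r"(?P<src_addr>\S+) with suggested PMTU of (?P<rcvd_mtu>\d+); "
    r"PMTU updated for SA with peer (?P<peer_addr>[^,\s]+), "
    r"SPI (?P<spi>[^,\s]+), tunnel name (?P<username>[^,]*), "
    r"old PMTU (?P<old_mtu>\d+), new PMTU (?P<new_mtu>\d+)"
)

def expected_new_pmtu(old_mtu, rcvd_mtu):
    """Apply the update rule from the 602103 explanation."""
    if rcvd_mtu == 0:
        # No usable suggestion: step down by 256, but never below 256.
        return max(old_mtu - PMTU_FLOOR, PMTU_FLOOR)
    if rcvd_mtu < PMTU_FLOOR:
        return PMTU_FLOOR  # suggestions of 1..255 are clamped to 256
    return rcvd_mtu  # 256 and above: the suggested value is used

def audit_pmtu_updates(lines):
    """Return one record per 602103 line, flagging values that break the rule."""
    records = []
    for line in lines:
        m = MSG_602103.search(line)
        if not m:
            continue  # not a 602103 message
        old, rcvd, new = (int(m[k]) for k in ("old_mtu", "rcvd_mtu", "new_mtu"))
        expected = expected_new_pmtu(old, rcvd)
        records.append({
            "peer": m["peer_addr"], "spi": m["spi"], "sender": m["src_addr"],
            "old": old, "suggested": rcvd, "new": new, "expected": expected,
            "consistent": new == expected,
            "at_floor": new == PMTU_FLOOR,
        })
    return records

def _line(src, rcvd, old, new):
    """Build a constructed sample line that follows the page's template."""
    return (
        "%FTD-6-602103: IPSEC: Received an ICMP Destination Unreachable from "
        f"{src} with suggested PMTU of {rcvd}; PMTU updated for SA with peer "
        "203.0.113.10, SPI 0x1A2B3C4D, tunnel name 203.0.113.10, "
        f"old PMTU {old}, new PMTU {new}."
    )

SAMPLE = [
    _line("198.51.100.7", 1400, 1500, 1400),  # suggestion accepted as-is
    _line("198.51.100.7", 0, 1400, 1144),     # suggestion 0: old minus 256
    _line("198.51.100.8", 100, 1144, 256),    # suggestion below 256: clamped
    _line("198.51.100.8", 0, 300, 256),       # 300 - 256 < 256, so floor wins
    _line("198.51.100.9", 1300, 1400, 1200),  # deliberately inconsistent
]

if __name__ == "__main__":
    for rec in audit_pmtu_updates(SAMPLE):
        print(rec)
```
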
602104
Error Message %FTD-6-602104: IPSEC: Received an ICMP Destination Unreachable from src_addr , PMTU is unchanged because suggested PMTU of rcvd_mtu is equal to or greater than the current PMTU of curr_mtu , for SA with peer peer_addr , SPI spi , tunnel name username .
Explanation An ICMP message was received indicating that a packet sent over an IPsec tunnel exceeded the path MTU, and the suggested MTU was greater than or equal to the current MTU. Because the MTU value is already correct, no MTU adjustment is made. This may happen when multiple PMTU messages are received from different intermediate stations, and the MTU is adjusted before the current PMTU message is processed.
- src_addr—IP address of the PMTU sender
- rcvd_mtu—Suggested MTU received in the PMTU message
- curr_mtu—Current MTU associated with the IPsec tunnel
- peer_addr—IP address of the IPsec peer
- spi—IPsec Security Parameter Index
- username—Username associated with the IPsec tunnel
Recommended Action None required.
602303
Error Message %FTD-6-602303: IPSEC: An direction tunnel_type SA (SPI=spi ) between local_IP and remote_IP (username ) has been created.
Explanation A new SA was created.
- direction—SA direction (inbound or outbound)
- tunnel_type—SA type (remote access or L2L)
- spi—IPsec Security Parameter Index
- local_IP—IP address of the tunnel local endpoint
- remote_IP—IP address of the tunnel remote endpoint
- username—Username associated with the IPsec tunnel
Recommended Action None required.
602304
Error Message %FTD-6-602304: IPSEC: An direction tunnel_type SA (SPI=spi ) between local_IP and remote_IP (username ) has been deleted.
Explanation An SA was deleted.
- direction—SA direction (inbound or outbound)
- tunnel_type—SA type (remote access or L2L)
- spi—IPsec Security Parameter Index
- local_IP—IP address of the tunnel local endpoint
- remote_IP—IP address of the tunnel remote endpoint
- username—Username associated with the IPsec tunnel
Recommended Action None required.
602305
Error Message %FTD-3-602305: IPSEC: SA creation error, source source address , destination destination address , reason error string
Explanation An error has occurred while creating an IPsec security association.
Recommended Action This is typically a transient error condition. If this message occurs consistently, contact the Cisco TAC.
602306
Error Message %FTD-3-602306: IPSEC: SA change peer IP error, SPI: IPsec SPI, (src {original src IP address | original src port}, dest {original dest IP address| original dest port} => src {new src IP address | new src port}, dest: {new dest IP address | new dest port}), reason failure reason
Explanation An error has occurred while updating an IPsec tunnel’s peer address for Mobile IKE and the peer address could not be changed.
Recommended Action This is typically a transient error condition. If this message occurs consistently, contact the Cisco TAC.
604101
Error Message
%FTD-6-604101: DHCP client interface interface_name : Allocated ip = IP_address , mask = netmask , gw = gateway_address
Explanation The Secure Firewall Threat Defense DHCP client successfully obtained an IP address from a DHCP server. The dhcpc command statement allows the Secure Firewall Threat Defense device to obtain an IP address and network mask for a network interface from a DHCP server, as well as a default route. The default route statement uses the gateway address as the address of the default router.
Recommended Action None required.
604102
Error Message %FTD-6-604102: DHCP client interface interface_name : address released
Explanation The Secure Firewall Threat Defense DHCP client released an allocated IP address back to the DHCP server.
Recommended Action None required.
604103
Error Message %FTD-6-604103: DHCP daemon interface interface_name : address granted MAC_address (IP_address )
Explanation The Secure Firewall Threat Defense DHCP server granted an IP address to an external client.
Recommended Action None required.
604104
Error Message %FTD-6-604104: DHCP daemon interface interface_name : address released build_number (IP_address )
Explanation An external client released an IP address back to the Secure Firewall Threat Defense DHCP server.
Recommended Action None required.
604105
Error Message %FTD-4-604105: DHCPD: Unable to send DHCP reply to client hardware_address on interface interface_name . Reply exceeds options field size (options_field_size ) by number_of_octets octets.
Explanation An administrator can configure the DHCP options to return to the DHCP client. Depending on the options that the DHCP client requests, the DHCP options for the offer could exceed the message length limits. A DHCP offer cannot be sent, because it will not fit within the message limits.
- hardware_address —The hardware address of the requesting client.
- interface_name— The interface to which server messages are being sent and received
- options_field_size —The maximum options field length. The default is 312 octets, which includes 4 octets to terminate.
- number_of_octets —The number of exceeded octets.
Recommended Action Reduce the size or number of configured DHCP options.
604201
Error Message %FTD-6-604201: DHCPv6 PD client on interface <pd-client-iface> received delegated prefix <prefix> from DHCPv6 PD server <server-address> with preferred lifetime <in-seconds> seconds and valid lifetime <in-seconds> seconds.
Explanation This syslog is displayed whenever the DHCPv6 PD client receives a delegated prefix from the PD server as part of the initial 4-way exchange. In the case of multiple prefixes, the syslog is displayed for each prefix.
- pd-client-iface—The interface name on which the DHCPv6 PD client is enabled.
- prefix—Prefix received from DHCPv6 PD server.
- server-address—DHCPv6 PD server address.
- in-seconds—Associated preferred and valid lifetime in seconds for delegated prefixes.
Recommended Action None.
604202
Error Message %FTD-6-604202: DHCPv6 PD client on interface <pd-client-iface> releasing delegated prefix <prefix> received from DHCPv6 PD server <server-address>.
Explanation This syslog is displayed whenever the DHCPv6 PD client releases delegated prefixes received from the PD server when the PD client configuration is removed (no configuration). In the case of multiple prefixes, the syslog is displayed for each prefix.
- pd-client-iface—The interface name on which the DHCPv6 PD client is enabled.
- prefix—Prefix received from DHCPv6 PD server.
- server-address—DHCPv6 PD server address.
Recommended Action None.
604203
Error Message %FTD-6-604203: DHCPv6 PD client on interface <pd-client-iface> renewed delegated prefix <prefix> from DHCPv6 PD server <server-address> with preferred lifetime <in-seconds> seconds and valid lifetime <in-seconds> seconds.
Explanation This syslog is displayed whenever the DHCPv6 PD client initiates renewal of a previously allocated delegated prefix from the PD server and the renewal succeeds. In the case of multiple prefixes, the syslog is displayed for each prefix.
- pd-client-iface—The interface name on which the DHCPv6 PD client is enabled.
- prefix—Prefix received from DHCPv6 PD server.
- server-address—DHCPv6 PD server address.
- in-seconds—Associated preferred and valid lifetime in seconds for delegated prefixes.
Recommended Action None.
604204
Error Message %FTD-6-604204: DHCPv6 delegated prefix <delegated prefix> got expired on interface <pd-client-iface>, received from DHCPv6 PD server <server-address>.
Explanation This syslog is displayed whenever a delegated prefix received by the DHCPv6 PD client expires.
- pd-client-iface—The interface name on which the DHCPv6 PD client is enabled.
- prefix—Prefix received from DHCPv6 PD server.
- delegated prefix—The delegated prefix received from DHCPv6 PD server.
Recommended Action None.
604205
Error Message %FTD-6-604205: DHCPv6 client on interface <client-iface> allocated address <ipv6-address> from DHCPv6 server <server-address> with preferred lifetime <in-seconds> seconds and valid lifetime <in-seconds> seconds
Explanation This syslog is displayed whenever a DHCPv6 client address is received from the DHCPv6 server as part of the initial 4-way exchange and is valid. In the case of multiple addresses, the syslog is displayed for each received address.
- client-iface—The interface name on which the DHCPv6 client address is enabled.
- ipv6-address—IPv6 Address received from DHCPv6 server.
- server-address—DHCPv6 server address.
- in-seconds—Associated preferred and valid lifetime in seconds for client address.
Recommended Action None.
604207
Error Message %FTD-6-604207: DHCPv6 client on interface <client-iface> renewed address <ipv6-address> from DHCPv6 server <server-address> with preferred lifetime <in-seconds> seconds and valid lifetime <in-seconds> seconds.
Explanation This syslog is displayed whenever the DHCPv6 client initiates renewal of a previously allocated address from the DHCPv6 server. In the case of multiple addresses, the syslog is displayed for each renewed address.
- client-iface—The interface name on which the DHCPv6 client address is enabled.
- ipv6-address—IPv6 Address received from DHCPv6 server.
- server-address—DHCPv6 server address.
- in-seconds—Associated preferred and valid lifetime in seconds for client address.
Recommended Action None.
604206
Error Message %FTD-6-604206: DHCPv6 client on interface <client-iface> releasing address <ipv6-address> received from DHCPv6 server <server-address>.
Explanation The DHCPv6 client releases the received client address whenever the DHCPv6 client address configuration is removed (no configuration). In the case of multiple address releases, the syslog is displayed for each address.
- client-iface—The interface name on which the DHCPv6 client address is enabled.
- ipv6-address—IPv6 address received from DHCPv6 server.
- server-address—DHCPv6 server address.
Recommended Action None.
604208
Error Message %FTD-6-604208: DHCPv6 client address <ipv6-address> got expired on interface <client-iface>, received from DHCPv6 server <server-address>
Explanation This syslog is displayed whenever an address received by the DHCPv6 client expires.
- client-iface—The interface name on which the DHCPv6 client address is enabled.
- ipv6-address—IPv6 Address received from DHCPv6 server.
- server-address—DHCPv6 server address.
Recommended Action None.
605004
Error Message
%FTD-6-605004: Login denied from source-address/source-port to interface:destination/service for user “username ”
Explanation The following form of the message appears when the user attempts to log in to the console:
Login denied from serial to console for user “username”
An incorrect login attempt or a failed login to the Secure Firewall Threat Defense device occurred. For all logins, three attempts are allowed per session, and the session is terminated after three incorrect attempts. For SSH and Telnet logins, this message is generated after the third failed attempt or if the TCP session is terminated after one or more failed attempts. For other types of management sessions, this message is generated after every failed attempt. The username is hidden when invalid or unknown, but appears when valid or the no logging hide username command has been configured.
- source-address— Source address of the login attempt
- source-port— Source port of the login attempt
- interface— Destination management interface
- destination— Destination IP address
- service— Destination service
- username — Destination management interface
Recommended Action If this message appears infrequently, no action is required. If this message appears frequently, it may indicate an attack. Communicate with the user to verify the username and password.
605005
Error Message %FTD-6-605005: Login permitted from source-address /source-port to interface:destination /service for user “username ”
The following form of the message appears when the user logs in to the console:
Login permitted from serial to console for user “username”
Explanation A user was authenticated successfully, and a management session started.
- source-address— Source address of the login attempt
- source-port— Source port of the login attempt
- interface— Destination management interface
- destination— Destination IP address
- service— Destination service
- username— Destination management interface
Recommended Action None required.
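The recommended action for 605004 turns on how often the message appears, and 605005 records the matching successes. The following is an added example, not Cisco code: it parses both message IDs (network and console forms) and reports sources that reach a denial threshold within a time window, plus a permitted login that follows such a burst. The threshold, window, ISO 8601 timestamp prefix, function name and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches both forms of 605004/605005 on this page: network and serial console.
LOGIN = re.compile(
    r"%FTD-6-(?P<id>605004|605005): Login (?:denied|permitted) from "
    r"(?:(?P<src>\S+)/(?P<sport>\d+) to (?P<ifc>[^:\s]+):(?P<dst>\S+)/(?P<svc>\S+)"
    r"|serial to console) for user [\"“](?P<user>[^\"”]*?)\s*[\"”]"
)

def find_login_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return (kind, source, user, timestamp) alerts, in log order.

    Assumes each line starts with an ISO 8601 timestamp and a space.
    For SSH and Telnet, one 605004 can stand for up to three failed
    attempts in a session, so the threshold counts messages, not attempts.
    """
    recent = defaultdict(deque)  # source -> timestamps of denials in window
    alerts = []
    for line in lines:
        ts_text, _, rest = line.partition(" ")
        m = LOGIN.search(rest)
        if not m:
            continue
        ts = datetime.fromisoformat(ts_text)
        src = m["src"] or "console"  # console form carries no address
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()  # forget denials that aged out of the window
        if m["id"] == "605004":
            q.append(ts)
            if len(q) == threshold:  # alert once, when the threshold is reached
                alerts.append(("burst", src, m["user"], ts.isoformat()))
        elif len(q) >= threshold:  # 605005 right after a burst of denials
            alerts.append(("permitted-after-burst", src, m["user"], ts.isoformat()))
            q.clear()
    return alerts

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    f'2024-05-01T10:00:{i * 10:02d}+00:00 %FTD-6-605004: Login denied from '
    f'198.51.100.23/{51001 + i} to management:192.0.2.1/ssh for user "admin"'
    for i in range(5)
] + [
    '2024-05-01T10:01:00+00:00 %FTD-6-605005: Login permitted from '
    '198.51.100.23/51006 to management:192.0.2.1/ssh for user "admin"',
    '2024-05-01T10:02:00+00:00 %FTD-6-605004: Login denied from serial '
    'to console for user "ops"',
    '2024-05-01T11:00:00+00:00 %FTD-6-605004: Login denied from '
    '203.0.113.9/40000 to management:192.0.2.1/https for user "alice"',
]

if __name__ == "__main__":
    for alert in find_login_bursts(SAMPLE):
        print(alert)
```
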
607001
Error Message %FTD-6-607001: Pre-allocate SIP connection_type secondary channel for interface_name:IP_address/port to interface_name:IP_address from string message
Explanation The fixup sip command preallocated a SIP connection after inspecting a SIP message. The connection_type is one of the following strings:
- SIGNALLING UDP
- SIGNALLING TCP
- SUBSCRIBE UDP
- SUBSCRIBE TCP
- Via UDP
- Route
- RTP
- RTCP
Recommended Action None required.
607002
Error Message
%FTD-4-607002: action_class : action SIP req_resp
req_resp_info from src_ifc :sip /sport to dest_ifc :dip /dport ; further_info
Explanation A SIP classification was performed on a SIP message, and the specified criteria were satisfied. As a result, the configured action occurs.
- action_class —The class of the action: SIP Classification for SIP match commands or SIP Parameter for parameter commands
- action —The action taken: Dropped, Dropped connection for, Reset connection for, or Masked header flags for
- req_resp —Request or Response
- req_resp_info —The SIP method name if the type is Request: INVITE or CANCEL. The SIP response code if the type is Response: 100, 183, 200.
- src_ifc —The source interface name
- sip —The source IP address
- sport —The source port
- dest_ifc —The destination interface name
- dip —The destination IP address
- dport —The destination port
- further_info —More information appears for SIP match and SIP parameter commands, as follows:
For SIP match commands:
matched Class id: class-name
For example:
matched Class 1234: my_class
For SIP parameter commands:
parameter-command: descriptive-message
For example:
strict-header-validation: Mandatory header field Via is missing
state-checking: Message CANCEL is not permitted to create a Dialog.
Recommended Action None required.
607003
Error Message
%FTD-6-607003: action_class : Received SIP req_resp
req_resp_info from src_ifc :sip /sport to dest_ifc :dip /dport ; further_info
Explanation A SIP classification was performed on a SIP message, and the specified criteria were satisfied. As a result, the standalone log action occurs.
- action_class —SIP classification for SIP match commands or SIP parameter for parameter commands
- req_resp —Request or Response
- req_resp_info —The SIP method name if the type is Request: INVITE or CANCEL. The SIP response code if the type is Response: 100, 183, 200.
- src_ifc —The source interface name
- sip —The source IP address
- sport —The source port
- dest_ifc —The destination interface name
- dip —The destination IP address.
- dport —The destination port.
- further_info —More information appears for SIP match and SIP parameter commands, as follows:
For SIP match commands:
matched Class id: class-name
For example:
matched Class 1234: my_class
For SIP parameter commands:
parameter-command: descriptive-message
For example:
strict-header-validation: Mandatory header field Via is missing
state-checking: Message CANCEL is not permitted to create a Dialog.
Recommended Action None required.
607004
Error Message
%FTD-4-607004: Phone Proxy: Dropping SIP message from src_if:src_ip /src_port to dest_if :dest_ip /dest_port with source MAC mac_address due to secure phone database mismatch.
Explanation The MAC address in the SIP message is compared with the secure database entries in addition to the IP address and interface. If they do not match, then the particular message is dropped.
Recommended Action None required.
608001
Error Message %FTD-6-608001: Pre-allocate Skinny connection_type secondary channel for interface_name:IP_address to interface_name:IP_address from string message
Explanation The inspect skinny command preallocated a Skinny connection after inspecting a Skinny message. The connection_type is one of the following strings:
- SIGNALLING UDP
- SIGNALLING TCP
- SUBSCRIBE UDP
- SUBSCRIBE TCP
- Via UDP
- Route
- RTP
- RTCP
Recommended Action None required.
608002
Error Message %FTD-4-608002: Dropping Skinny message for in_ifc :src_ip /src_port to out_ifc :dest_ip /dest_port , SCCP Prefix length value too small
Explanation A Skinny (SCCP) message was received with an SCCP prefix length less than the minimum length configured.
- in_ifc —The input interface
- src_ip —The source IP address of the packet
- src_port —The source port of the packet
- out_ifc —The output interface
- dest_ip —The destination IP address of the packet
- dest_port —The destination port of the packet
- value —The SCCP prefix length of the packet
Recommended Action If the SCCP message is valid, then customize the Skinny policy map to increase the minimum length value of the SCCP prefix.
608003
Error Message %FTD-4-608003: Dropping Skinny message for in_ifc :src_ip /src_port to out_ifc :dest_ip /dest_port , SCCP Prefix length value too large
Explanation A Skinny (SCCP) message was received with an SCCP prefix length greater than the maximum length configured.
- in_ifc —The input interface
- src_ip —The source IP address of the packet
- src_port —The source port of the packet
- out_ifc —The output interface
- dest_ip —The destination IP address of the packet
- dest_port —The destination port of the packet
- value —The SCCP prefix length of the packet
Recommended Action If the SCCP message is valid, then customize the Skinny policy map to increase the maximum length value of the SCCP prefix.
609001
Error Message %FTD-7-609001: Built local-host zone-name/* :ip-address
Explanation A network state container was reserved for host ip-address connected to zone zone-name . The zone-name/* parameter is used if the interface on which the host is created is part of a zone. The asterisk symbolizes all interfaces because hosts do not belong to any one interface.
Recommended Action None required.
609002
Error Message %FTD-7-609002: Teardown local-host zone-name/* :ip-address duration time
Explanation A network state container for host ip-address connected to zone zone-name was removed. The zone-name/* parameter is used if the interface on which the host is created is part of a zone. The asterisk symbolizes all interfaces because hosts do not belong to any one interface.
Recommended Action None required.