Messages 701001 to 713109
This section includes messages from 701001 to 713109.
701001
Error Message
%FTD-7-701001:
alloc_user() out of Tcp_user objects
Explanation A AAA message that appears if the user authentication rate is too high for the module to handle new AAA requests.
Recommended Action Enable Flood Defender with the floodguard enable command.
701002
Error Message %FTD-7-701002: alloc_user() out of Tcp_proxy objects
Explanation A AAA message that appears if the user authentication rate is too high for the module to handle new AAA requests.
Recommended Action Enable Flood Defender with the floodguard enable command.
703001
Error Message %FTD-7-703001: H.225 message received from interface_name :IP_address /port to interface_name :IP_address /port is using an unsupported version number
Explanation The Secure Firewall Threat Defense device received an H.323 packet with an unsupported version number. The Secure Firewall Threat Defense device might reencode the protocol version field of the packet to the highest supported version.
Recommended Action Use the version of H.323 that the Secure Firewall Threat Defense device supports in the VoIP network.
703002
Error Message %FTD-7-703002: Received H.225 Release Complete with newConnectionNeeded for interface_name :IP_address to interface_name :IP_address /port
Explanation The Secure Firewall Threat Defense device received the specified H.225 message, and the Secure Firewall Threat Defense device opened a new signaling connection object for the two specified H.323 endpoints.
Recommended Action None required.
703008
Error Message %FTD-7-703008: Allowing early-message: %s before SETUP from %s:%Q/%d to %s:%Q/%d
Explanation This message indicates that an outside endpoint requested an incoming call to an inside host and wants the inside host to send FACILITY message before SETUP message towards Gatekeeper and wants to follow H.460.18.
Recommended Action Ensure that the setup indeed intends to allow early FACILITY message before SETUP message for incoming H323 calls as described in H.640.18.
709001, 709002
Error Message %FTD-7-709001: FO replication failed: cmd=command returned=code
Error Message
%FTD-7-709002: FO unreplicable: cmd=
command
Explanation Failover messages that only appear during the development debugging and testing phases.
Recommended Action None required.
709003
Error Message
%FTD-1-709003: (Primary) Beginning configuration replication: Sending to mate.
Explanation A failover message that appears when the active unit starts replicating its configuration to the standby unit. Primary can also be listed as Secondary for the secondary unit.
Recommended Action None required.
709004
Error Message %FTD-1-709004: (Primary) End Configuration Replication (ACT)
Explanation A failover message that appears when the active unit completes replication of its configuration on the standby unit. Primary can also be listed as Secondary for the secondary unit.
Recommended Action None required.
709005
Error Message %FTD-1-709005: (Primary) Beginning configuration replication: Receiving from mate.
Explanation The standby Secure Firewall Threat Defense device received the first part of the configuration replication from the active Secure Firewall Threat Defense device. Primary can also be listed as Secondary for the secondary unit.
Recommended Action None required.
709006
Error Message %FTD-1-709006: (Primary) End Configuration Replication (STB)
Explanation A failover message that appears when the standby unit completes replication of a configuration sent by the active unit. Primary can also be listed as Secondary for the secondary unit.
Recommended Action None required.
709007
Error Message
%FTD-2-709007: Configuration replication failed for command
Explanation A failover message that appears when the standby unit is unable to complete replication of a configuration sent by the active unit. The command that caused the failure appears at the end of the message.
Recommended Action If the problem persists, contact the Cisco TAC.
709008
Error Message %FTD-4-709008: (Primary | Secondary) Configuration sync in progress. Command: ‘command ’ executed from (terminal/http) will not be replicated to or executed by the standby unit.
Explanation A command was issued during the configuration sync, which triggered an interactive prompt to indicate that this command would not be issued on the standby unit. To continue, note that the command will be issued on the active unit only and will not be replicated on the standby unit.
-
Primary | Secondary—The device is either primary or secondary
-
command —The command issued while the configuration sync is in progress
-
terminal/http—Issued from the terminal or via HTTP.
Recommended Action None.
709009
Error Message %FTD-6-709009: (unit-role) Configuration on Active and Standby is matching. No config sync. Time elapsed time-elapsed ms
Explanation This message is generated when the hash computed on both the active and joining unit matches. It also displays the time elapsed, from the time of sending the hash request to the time of getting and comparing the hash response..
Recommended Action None.
709010
Error Message %FTD-6-709010: Configuration between units doesn't match. Going for config sync. Time elapsed time-elapsed ms.
Explanation This syslog message is generated when the hash that is computed on both the active and joining unit does not match. It also displays the time elapsed, from the time of sending the hash request to the time of getting and comparing the hash response.
Recommended Action None.
709011
Error Message %FTD-6-709011: Total time to sync the config time ms.
Explanation This message displays the time taken to synchronize the config, in the case of hash not matching, and therefore going for a full configuration sync process.
Recommended Action None.
709012
Error Message %FTD-6-709012: Skip configuration replication from mate as configuration on Active and Standby is matching.
Explanation This message is generated when the configuration replication is skipped because, the configuration between active and joining unit matches.
Recommended Action None.
709013
Error Message %FTD-4-709013: Failover configuration replication hash comparison timeout expired.
Explanation This syslog message is generated when the hash computation, transfer, and comparison has timed out. Due to the timeout, the full configuration sync operation is trigerred. The timeout value is 60 secs and you cannot modify this value.
Recommended Action None.
709015
Error Message %FTD-3-709015: Command sync Error: Sync failed for command no nameif with error code = code
Explanation The messages appear on HA joining unit during failure of configuration sync, delta sync, or dynamic ACL sync commands.
Recommended Action None required.
710003
Error Message %FTD-3-710003: {TCP|UDP} access denied by ACL from source_IP/source_port to interface_name :dest_IP/service
Explanation The Secure Firewall Threat Defense device denied an attempt to connect to the interface service. For example, the Secure Firewall Threat Defense device received an SNMP request from an unauthorized SNMP management station. If this message appears frequently, it can indicate an attack.
For example:
%threat defense-3-710003: UDP access denied by ACL from 95.1.1.14/5000 to outside:95.1.1.13/1005
Recommended Action Use the show run http, show run ssh, or show run telnet commands to verify that the Secure Firewall Threat Defense device is configured to permit the service access from the host or network.
710004
Error Message
%FTD-7-710004: TCP connection limit exceeded from Src_ip /Src_port to In_name :Dest_ip /Dest_port (current connections/connection limit = Curr_conn/Conn_lmt)
Explanation The maximum number of Secure Firewall Threat Defense management connections for the service was exceeded. The Secure Firewall Threat Defense device permits at most five concurrent management connections per management service. Alternatively, an error may have occurred in the to-the-box connection counter.
- Src_ip —The source IP address of the packet
- Src_por t—The source port of the packet
- In_ifc —The input interface
- Dest_ip —The destination IP address of the packet
- Dest_port —The destination port of the packet
- Curr_conn —The number of current to-the-box admin connections
- Conn_lmt —The connection limit
Recommended Action From the console, use the kill command to release the unwanted session. If the message was generated because of an error in the to-the-box counter, run the show conn all command to display connection details.
710005
Error Message %FTD-7-710005: {TCP|UDP|SCTP} request discarded from source_address /source_port to interface_name :dest_address /service
Explanation The Secure Firewall Threat Defense device does not have a UDP server that services the UDP request. Also, a TCP packet that does not belong to any session on the Secure Firewall Threat Defense device may have been discarded. In addition, this message appears (with the SNMP service) when the Secure Firewall Threat Defense device receives an SNMP request with an empty payload, even if it is from an authorized host. When the service is SNMP, this message occurs a maximum of once every 10 seconds so that the log receiver is not overwhelmed. This message is also applicable for SCTP packets.
Recommended Action In networks that use broadcasting services such as DHCP, RIP, or NetBIOS extensively, the frequency of this message can be high. If this message appears in excessive numbers, it may indicate an attack.
710006
Error Message %FTD-7-710006: protocol request discarded from source_address to interface_name :dest_address
Explanation The Secure Firewall Threat Defense device does not have an IP server that services the IP protocol request; for example, the Secure Firewall Threat Defense device receives IP packets that are not TCP or UDP, and the Secure Firewall Threat Defense device cannot service the request.
Recommended Action In networks that use broadcasting services such as DHCP, RIP, or NetBIOS extensively, the frequency of this message can be high. If this message appears in excessive numbers, it may indicate an attack.
710007
Error Message %FTD-7-710007: NAT-T keepalive received from 86.1.161.1/1028 to outside:86:1.129.1/4500
Explanation The Secure Firewall Threat Defense device received NAT-T keepalive messages.
Recommended Action None required.
711001
Error Message %FTD-7-711001: debug_trace_msg
Explanation You have entered the logging debug-trace command for the logging feature. When the logging debug-trace command is enabled, all debugging messages will be redirected to the message for processing. For security reasons, the message output must be encrypted or sent over a secure out-of-band network.
Recommended Action None required.
711002
Error Message %FTD-4-711002: Task ran for elapsed_time msecs, process = process_name , PC = PC Tracebeback = traceback
Explanation A process used the CPU for more than 100 milliseconds. This message is used for debugging CPU purposes, and can appear once every five seconds for each offending process.
- PC—Instruction pointer of the CPU hogging process
- traceback—Stack trace of the CPU hogging process, which can include up to 12 addresses
Recommended Action None required.
711003
Error Message %FTD-7-711003: Unknown/Invalid interface identifier(vpifnum ) detected.
Explanation An internal inconsistency that should not occur during normal operation has occurred. However, this message is not harmful if it rarely occurs. If it occurs frequently, it might be worthwhile debugging.
- vpifnum —The 32-bit value corresponding to the interface
Recommended Action If the problem persists, contact the Cisco TAC.
711004
Error Message
%FTD-4-711004: Task ran for msec msec, Process = process_name , PC = pc , Call stack = call stack
Explanation A process used the CPU for more than 100 milliseconds. This message is used for debugging CPU purposes, and can appear once every five seconds for each offending process.
- msec—Length of the detected CPU hog in milliseconds
- process_name —Name of the hogging process
- pc—Instruction pointer of the CPU hogging process
- call stack—Stack trace of the CPU hogging process, which can include up to 12 addresses
Recommended Action None required.
711005
Error Message %FTD-5-711005: Traceback: call_stack
Explanation An internal software error that should not occur has occurred. The device can usually recover from this error, and no harmful effect to the device results.
- call_stack —The EIPs of the call stack
Recommended Action Contact the Cisco TAC.
711006
Error Message
%FTD-7-711006: CPU profiling has started for n-samples samples. Reason: reason-string .
Explanation CPU profiling has started.
- n-samples —The specified number of CPU profiling samples
- reason-string —The possible values are:
“CPU utilization passed cpu-utilization %”
“Process process-name CPU utilization passed cpu-utilization %”
Recommended Action “None specified”
Recommended Action Collect CPU profiling results and provide them to Cisco TAC.
713004
Error Message %FTD-3-713004: device scheduled for reboot or shutdown, IKE key acquire message on interface interface num , for Peer IP_address ignored
Explanation The Secure Firewall Threat Defense device has received an IKE packet from a remote entity trying to initiate a tunnel. Because the Secure Firewall Threat Defense device is scheduled for a reboot or shutdown, it does not allow any more tunnels to be established. The IKE packet is ignored and dropped.
Recommended Action None required.
713201
Error Message %FTD-5-713201: Duplicate Phase Phase packet detected. Action
Explanation The Secure Firewall Threat Defense device has received a duplicate of a previous Phase 1 or Phase 2 packet, and will transmit the last message. A network performance or connectivity issue may have occurred, in which the peer is not receiving sent packets in a timely manner.
- Phase—Phase 1 or 2
- Action—Retransmitting last packet, or No last packet to transmit.
Recommended Action Verify network performance or connectivity.
713202
Error Message %FTD-6-713202: Duplicate IP_addr packet detected.
Explanation The Secure Firewall Threat Defense device has received a duplicate first packet for a tunnel that the Secure Firewall Threat Defense device is already aware of and negotiating, which indicates that the Secure Firewall Threat Defense device probably received a retransmission of a packet from the peer.
- IP_addr—The IP address of the peer from which the duplicate first packet was received
Recommended Action None required, unless the connection attempt is failing. If this is the case, debug further and diagnose the problem.
713006
Error Message %FTD-5-713006: Failed to obtain state for message Id message_number , Peer Address: IP_address
Explanation The Secure Firewall Threat Defense device does not know about the received message ID. The message ID is used to identify a specific IKE Phase 2 negotiation. An error condition on the Secure Firewall Threat Defense device may have occurred, and may indicate that the two IKE peers are out-of-sync.
Recommended Action None required.
713008
Error Message
%FTD-3-713008: Key ID in ID payload too big for pre-shared IKE tunnel
Explanation A key ID value was received in the ID payload, which was longer than the maximum allowed size of a group name for this IKE session using preshared keys authentication. This is an invalid value, and the session is rejected. Note that the key ID specified would never work because a group name of that size cannot be created in the Secure Firewall Threat Defense device.
Recommended Action Make sure that the client peer (most likely an Altiga remote access client) specifies a valid group name. Notify the user to change the incorrect group name on the client. The current maximum length for a group name is 32 characters.
713009
Error Message %FTD-3-713009: OU in DN in ID payload too big for Certs IKE tunnel
Explanation An OU value in the DN was received in the ID payload, which was longer than the maximum allowed size of a group name for this IKE session using Certs authentication. This OU is skipped, and another OU or other criteria may find a matching group.
Recommended Action For the client to be able to use an OU to find a group in the Secure Firewall Threat Defense device, the group name must be a valid length. The current maximum length of a group name is 32 characters.
713010
Error Message
%FTD-5-713010: IKE area: failed to find centry for message Id
message_number
An attempt was made to locate a conn_entry (IKE phase 2 structure that corresponds to an IPsec SA) using the unique message ID, which failed. The internal structure was not found, which may occur if a session was terminated in a nonstandard way, but it is more likely that an internal error occurred.
If this problem persists, investigate the peer.
713012
Error Message %FTD-3-713012: Unknown protocol (protocol ). Not adding SA w/spi=SPI value
Explanation An illegal or unsupported IPsec protocol has been received from the peer.
Recommended Action Check the ISAKMP Phase 2 configuration on the peer(s) to make sure it is compatible with the Secure Firewall Threat Defense device.
713014
Error Message
%FTD-3-713014: Unknown Domain of Interpretation (DOI): DOI value
Explanation The ISAKMP DOI received from the peer is unsupported.
Recommended Action Check the ISAKMP DOI configuration on the peer.
713016
Error Message
%FTD-3-713016: Unknown identification type, Phase 1 or 2, Type ID_Type
Explanation The ID received from the peer is unknown. The ID can be an unfamiliar valid ID or an invalid or corrupted ID.
Recommended Action Check the configuration on the headend and peer.
713017
Error Message %FTD-3-713017: Identification type not supported, Phase 1 or 2, Type ID_Type
Explanation The Phase 1 or Phase 2 ID received from the peer is legal, but not supported.
Recommended Action Check the configuration on the headend and peer.
713018
Error Message %FTD-3-713018: Unknown ID type during find of group name for certs, Type ID_Type
Explanation Tn internal software error has occurred.
Recommended Action If the problem persists, contact the Cisco TAC.
713020
Error Message %FTD-3-713020: No Group found by matching OU(s) from ID payload: OU_value
Explanation Tn internal software error has occurred.
Recommended Action If the problem persists, contact the Cisco TAC.
713022
Error Message %FTD-3-713022: No Group found matching peer_ID or IP_address for Pre-shared key peer IP_address
Explanation group exists in the group database with the same name as the value (key ID or IP address) specified by the peer.
Recommended Action Verify the configuration on the peer.
713024
Error Message
%FTD-7-713024: Group group IP ip Received local Proxy Host data in ID Payload: Address IP_address , Protocol protocol , Port port
Explanation The Secure Firewall Threat Defense device has received the Phase 2 local proxy ID payload from the remote peer.
Recommended Action None required.
713025
Error Message %FTD-7-713025: Received remote Proxy Host data in ID Payload: Address IP_address , Protocol protocol , Port port
Explanation The Secure Firewall Threat Defense device has received the Phase 2 local proxy ID payload from the remote peer.
Recommended Action None required.
713028
Error Message %FTD-7-713028: Received local Proxy Range data in ID Payload: Addresses IP_address - IP_address , Protocol protocol , Port port
Explanation The Secure Firewall Threat Defense device has received the Phase 2 local proxy ID payload of the remote peer, which includes an IP address range.
Recommended Action None required.
713029
Error Message %FTD-7-713029: Received remote Proxy Range data in ID Payload: Addresses IP_address - IP_address , Protocol protocol , Port port
Explanation The Secure Firewall Threat Defense device has received the Phase 2 local proxy ID payload of the remote peer, which includes an IP address range.
Recommended Action None required.
713032
Error Message %FTD-3-713032: Received invalid local Proxy Range IP_address - IP_address
Explanation The local ID payload included the range ID type, and the specified low address was not less than the high address. A configuration problem may exist.
Recommended Action Check the configuration of ISAKMP Phase 2 parameters.
713033
Error Message %FTD-3-713033:
Received invalid remote Proxy Range IP_address - IP_address
Explanation The remote ID payload included the range ID type, and the specified low address was not less than the high address. A configuration problem may exist.
Recommended Action Check the configuration of ISAKMP Phase 2 parameters.
713034
Error Message %FTD-7-713034: Received local IP Proxy Subnet data in ID Payload: Address IP_address , Mask netmask , Protocol protocol , Port port
Explanation The local IP proxy subnet data has been received in the Phase 2 ID payload.
Recommended Action None required.
713035
Error Message %FTD-7-713035: Group group IP ip Received remote IP Proxy Subnet data in ID Payload: Address IP_address , Mask netmask , Protocol protocol , Port port
Explanation The remote IP proxy subnet data has been received in the Phase 2 ID payload.
Recommended Action None required.
713039
Error Message %FTD-7-713039: Send failure: Bytes (number ), Peer: IP_address
Explanation An internal software error has occurred, and the ISAKMP packet cannot be transmitted.
Recommended Action If the problem persists, contact the Cisco TAC.
713040
Error Message
%FTD-7-713040: Could not find connection entry and can not encrypt: msgid message_number
Explanation An internal software error has occurred, and a Phase 2 data structure cannot be found.
Recommended Action If the problem persists, contact the Cisco TAC.
713041
Error Message %FTD-5-713041: IKE Initiator: new or rekey Phase 1 or 2, Intf interface_number , IKE Peer IP_address local Proxy Address IP_address , remote Proxy Address IP_address , Crypto map (crypto map tag )
Explanation Secure Firewall Threat Defense device is negotiating a tunnel as the initiator.
Recommended Action None required.
713042
Error Message
%FTD-3-713042: IKE Initiator unable to find policy: Intf interface_number , Src: source_address , Dst: dest_address
Explanation The IPsec fast path processed a packet that triggered IKE, but the IKE policy lookup failed. This error may be timing related. The ACLs that triggered IKE might have been deleted before IKE processed the initiation request. This problem will most likely correct itself.
Recommended Action If the condition persists, check the L2L configuration, paying special attention to the type of ACL associated with crypto maps.
713043
Error Message
%FTD-3-713043: Cookie/peer address IP_address session already in progress
Explanation IKE has been triggered again while the original tunnel is in progress.
Recommended Action None required.
713048
Error Message
%FTD-3-713048: Error processing payload: Payload ID: id
Explanation A packet has been received with a payload that cannot be processed.
Recommended Action If this problem persists, a misconfiguration may exist on the peer.
713049
Error Message %FTD-5-713049: Security negotiation complete for tunnel_type type (group_name ) Initiator /Responder , Inbound SPI = SPI , Outbound SPI = SPI
Explanation An IPsec tunnel has been started.
Recommended Action None required.
713050
Error Message
%FTD-5-713050: Connection terminated for peer IP_address . Reason: termination reason Remote Proxy IP_address , Local Proxy IP_address
Explanation An IPsec tunnel has been terminated. Possible termination reasons include:
- IPsec SA Idle Timeout
- IPsec SA Max Time Exceeded
- Administrator Reset
- Administrator Reboot
- Administrator Shutdown
- Session Disconnected
- Session Error Terminated
- Peer Terminate
Recommended Action None required.
713052
Error Message %FTD-7-713052: User (user ) authenticated.
Explanation remote access user was authenticated.
Recommended Action None required.
713056
Error Message %FTD-3-713056: Tunnel rejected: SA (SA_name ) not found for group (group_name )!
Explanation The IPsec SA was not found.
Recommended Action If this is a remote access tunnel, check the group and user configuration, and verify that a tunnel group and group policy have been configured for the specific user group. For externally authenticated users and groups, check the returned authentication attributes.
713060
Error Message %FTD-3-713060: Tunnel Rejected: User (user ) not member of group (group_name ), group-lock check failed.
Explanation The user is configured for a different group than what was sent in the IPsec negotiation.
Recommended Action If you are using the Cisco VPN client and preshared keys, make sure that the group configured on the client is the same as the group associated with the user on the Secure Firewall Threat Defense device. If you are using digital certificates, the group is dictated either by the OU field of the certificate, or the user automatically defaults to the remote access default group.
713061
Error Message %FTD-3-713061: Tunnel rejected: Crypto Map Policy not found for Src:source_address , Dst: dest_address !
Explanation The Secure Firewall Threat Defense device was not able to find security policy information for the private networks or hosts indicated in the message. These networks or hosts were sent by the initiator and do not match any crypto ACLs at the Secure Firewall Threat Defense device. This is most likely a misconfiguration.
Recommended Action Check the protected network configuration in the crypto ACLs on both sides and make sure that the local net on the initiator is the remote net on the responder and vice-versa. Pay special attention to wildcard masks, and host addresses versus network addresses. Non-Cisco implementations may have the private addresses labeled as proxy addresses or red networks.
713062
Error Message %FTD-3-713062: IKE Peer address same as our interface address IP_address
Explanation The IP address configured as the IKE peer is the same as the IP address configured on one of the Secure Firewall Threat Defense IP interfaces.
Recommended Action Check the L2L and IP interface configurations.
713063
Error Message
%FTD-3-713063: IKE Peer address not configured for destination IP_address
Explanation The IKE peer address is not configured for an L2L tunnel.
Recommended Action Check the L2L configuration.
713065
Error Message %FTD-3-713065: IKE Remote Peer did not negotiate the following: proposal attribute
Explanation An internal software error has occurred.
Recommended Action If the problem persists, contact the Cisco TAC.
713066
Error Message
%FTD-7-713066: IKE Remote Peer configured for SA: SA_name
Explanation The crypto policy settings of the peer have been configured.
Recommended Action None required.
713068
Error Message %FTD-5-713068: Received non-routine Notify message: notify_type (notify_value)
Explanation Notification messages that caused this event are not explicitly handled in the notify processing code.
Recommended Action Examine the specific reason to determine the action to take. Many notification messages indicate a configuration mismatch between the IKE peers.
713072
Error Message
%FTD-3-713072: Password for user (user ) too long, truncating to number characters
Explanation The password of the user is too long.
Recommended Action Correct password lengths on the authentication server.
713073
Error Message %FTD-5-713073: Responder forcing change of Phase 1 /Phase 2 rekeying duration from larger_value to smaller_value seconds
Explanation Rekeying durations are always set to the lower of the values proposed by IKE peers. The value of the initiator is the lower one.
Recommended Action None required.
713074
Error Message %FTD-5-713074: Responder forcing change of IPsec rekeying duration from larger_value to smaller_value Kbs
Explanation Rekeying durations are always set to the lower of the values proposed by IKE peers. The value of the initiator is the lower one.
Recommended Action None required.
713075
Error Message %FTD-5-713075: Overriding Initiator's IPsec rekeying duration from larger_value to smaller_value seconds
Explanation Rekeying durations are always set to the lower of the values proposed by IKE peers. The value of the responder is the lower one.
Recommended Action None required.
713076
Error Message %FTD-5-713076: Overriding Initiator's IPsec rekeying duration from larger_value to smaller_value Kbs
Explanation Rekeying durations are always set to the lower of the values proposed by IKE peers. The value of the responder is the lower one.
Recommended Action None required.
713078
Error Message %FTD-2-713078: Temp buffer for building mode config attributes exceeded: bufsize available_size , used value
Explanation An internal software error has occurred while processing modecfg attributes.
Recommended Action Disable any unnecessary tunnel group attributes, or shorten any text messages that are excessively long. If the problem persists, contact the Cisco TAC.
713081
Error Message %FTD-3-713081: Unsupported certificate encoding type encoding_type
Explanation One of the loaded certificates is unreadable, and may be an unsupported encoding scheme.
Recommended Action Check the configuration of digital certificates and trustpoints.
713082
Error Message
%FTD-3-713082: Failed to retrieve identity certificate
Explanation The identity certificate for this tunnel cannot be found.
Recommended Action Check the configuration of digital certificates and trustpoints.
713083
Error Message %FTD-3-713083: Invalid certificate handle
Explanation The identity certificate for this tunnel cannot be found.
Recommended Action Check the configuration of digital certificates and trustpoints.
713084
Error Message
%FTD-3-713084: Received invalid phase 1 port value (port ) in ID payload
Explanation The port value received in the IKE phase 1 ID payload was incorrect. Acceptable values are 0 or 500 (ISAKMP is also known as IKE).
Recommended Action Make sure that a peer conforms to the IKE standards to avoid a network problem resulting in corrupted packets.
713085
Error Message %FTD-3-713085: Received invalid phase 1 protocol (protocol ) in ID payload
Explanation The protocol value received in the IKE phase 1 ID payload was incorrect. Acceptable values are 0 or 17 (UDP).
Recommended Action Make sure that a peer conforms to the IKE standards to avoid a network problem resulting in corrupted packets.
713086
Error Message
%FTD-3-713086: Received unexpected Certificate payload Possible invalid Auth Method (Auth method (auth numerical value))
Explanation A certificate payload was received, but our internal certificate handle indicates that we do not have an identity certificate. The certificate handle was not obtained through a normal enrollment method. One likely reason this can happen is that the authentication method is not made through RSA or DSS signatures, although the IKE SA negotiation should fail if each side is misconfigured.
Recommended Action Check the trustpoint and ISAKMP configuration settings on the Secure Firewall Threat Defense device and its peer.
713088
Error Message %FTD-3-713088: Set Cert filehandle failure: no IPsec SA in group group_name
Explanation The tunnel group cannot be found, based on the digital certificate information.
Recommended Action Verify that the tunnel group is set up correctly to handle the certificate information of the peer.
713092
Error Message %FTD-5-713092: Failure during phase 1 rekeying attempt due to collision
Explanation An internal software error has occurred. This is often a benign event.
Recommended Action If the problem persists, contact the Cisco TAC.
713094
Error Message
%FTD-7-713094: Cert validation failure: handle invalid for Main /Aggressive Mode Initiator /Responder !
Explanation An internal software error has occurred.
Recommended Action You may have to reenroll the trustpoint. If the problem persists, contact the Cisco TAC.
713098
Error Message %FTD-3-713098: Aborting: No identity cert specified in IPsec SA (SA_name )!
Explanation An attempt was made to establish a certificate-based IKE session, but no identity certificate has been specified in the crypto policy.
Recommended Action Specify the identity certificate or trustpoint that you want to transmit to peers.
713099
Error Message %FTD-7-713099: Tunnel Rejected: Received NONCE length number is out of range!
Explanation An internal software error has occurred.
Recommended Action If the problem persists, contact the Cisco TAC.
713102
Error Message
%FTD-3-713102: Phase 1 ID Data length number too long - reject tunnel!
Explanation IKE has received an ID payload that includes an identification data field of 2 K or larger.
Recommended Action None required.
713103
Error Message %FTD-7-713103: Invalid (NULL) secret key detected while computing hash
Explanation An internal software error has occurred.
Recommended Action If the problem persists, contact the Cisco TAC.
713104
Error Message %FTD-7-713104: Attempt to get Phase 1 ID data failed while hash computation
Explanation An internal software error has occurred.
Recommended Action If the problem persists, contact the Cisco TAC.
713105
Error Message %FTD-3-713105: Zero length data in ID payload received during phase 1 or 2 processing
Explanation A peer sent an ID payload without including any ID data, which is invalid.
Recommended Action Check the configuration of the peer.
713107
Error Message %FTD-3-713107: IP_Address request attempt failed!
Explanation An internal software error has occurred.
Recommended Action If the problem persists, contact the Cisco TAC.
713109
Error Message %FTD-3-713109: Unable to process the received peer certificate
Explanation The Secure Firewall Threat Defense device was unable to process the certificate received from the remote peer, which can occur if the certificate data was malformed (for example, if the public key size is larger than 4096 bits) or if the data in the certificate cannot be stored by the Secure Firewall Threat Defense device.
Recommended Action Try to reestablish the connection using a different certificate on the remote peer.