Messages 401001 to 409128
This chapter includes messages from 401001 to 409128.
401001
Error Message
%FTD-4-401001: Shuns cleared
Explanation The clear shun command was entered to remove existing shuns from memory. This message provides a record of shunning activity.
Recommended Action None required.
401002
Error Message
%FTD-4-401002: Shun added: IP_address IP_address port port
Explanation A shun command was entered, where the first IP address is the shunned host. The other addresses and ports are optional and are used to terminate the connection if available. This message provides a record of shunning activity.
Recommended Action None required.
401003
Error Message
%FTD-4-401003: Shun deleted: IP_address
Explanation A single shunned host was removed from the shun database. This message provides a record of shunning activity.
Recommended Action None required.
401004
Error Message
%FTD-4-401004: Shunned packet: IP_address = IP_address on interface interface_name
Explanation A packet was dropped because the host defined by IP SRC is a host in the shun database. A shunned host cannot pass traffic on the interface on which it is shunned. For example, an external host on the Internet can be shunned on the outside interface. This message provides a record of the activity of shunned hosts. This message and message %FTD-4-401005 can be used to evaluate further risk concerning this host.
Recommended Action None required.
401005
Error Message
%FTD-4-401005: Shun add failed: unable to allocate resources for IP_address IP_address port port
Explanation The Secure Firewall Threat Defense device is out of memory; a shun cannot be applied.
Recommended Action The Cisco IPS should continue to attempt to apply this rule. Try to reclaim memory and reapply a shun manually, or wait for the Cisco IPS to do this.
402114
Error Message %FTD-4-402114: IPSEC: Received an protocol packet (SPI=spi, sequence number=seq_num) from remote_IP to local_IP with an invalid SPI.
- protocol—IPsec protocol
- spi—IPsec Security Parameter Index
- seq_num—IPsec sequence number
- remote_IP—IP address of the remote endpoint of the tunnel
- username—Username associated with the IPsec tunnel
- local_IP—IP address of the local endpoint of the tunnel
Explanation An IPsec packet was received that specifies an SPI that does not exist in the SA database. This may be a temporary condition caused by slight differences in aging of SAs between the IPsec peers, or it may be because the local SAs have been cleared. It may also indicate incorrect packets sent by the IPsec peer, which may be part of an attack. This message is rate limited to no more than one message every five seconds.
Recommended Action The peer may not acknowledge that the local SAs have been cleared. If a new connection is established from the local router, the two peers may then reestablish connection successfully. Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer administrator.
402115
Error Message %FTD-4-402115: IPSEC: Received a packet from remote_IP to local_IP containing act_prot data instead of exp_prot data.
Explanation An IPsec packet was received that is missing the expected ESP header. The peer is sending packets that do not match the negotiated security policy, which may indicate an attack. This message is rate limited to no more than one message every five seconds.
- remote_IP—IP address of the remote endpoint of the tunnel
- local_IP—IP address of the local endpoint of the tunnel
- act_prot—Received IPsec protocol
- exp_prot—Expected IPsec protocol
Recommended Action Contact the administrator of the peer.
402116
Error Message
%FTD-4-402116: IPSEC: Received an protocol packet (SPI=spi, sequence number=seq_num) from remote_IP (username) to local_IP. The decapsulated inner packet doesn’t match the negotiated policy in the SA. The packet specifies its destination as pkt_daddr, its source as pkt_saddr, and its protocol as pkt_prot. The SA specifies its local proxy as id_daddr/id_dmask/id_dprot/id_dport and its remote proxy as id_saddr/id_smask/id_sprot/id_sport.
Explanation A decapsulated IPsec packet does not match the negotiated identity. The peer is sending other traffic through this security association, which may be caused by a security association selection error by the peer, or it may be part of an attack. This message is rate limited to no more than one message every five seconds.
- protocol—IPsec protocol
- spi—IPsec Security Parameter Index
- seq_num—IPsec sequence number
- remote_IP—IP address of the remote endpoint of the tunnel
- username—Username associated with the IPsec tunnel
- local_IP—IP address of the local endpoint of the tunnel
- pkt_daddr—Destination address from the decapsulated packet
- pkt_saddr—Source address from the decapsulated packet
- pkt_prot—Transport protocol from the decapsulated packet
- id_daddr—Local proxy IP address
- id_dmask—Local proxy IP subnet mask
- id_dprot—Local proxy transport protocol
- id_dport—Local proxy port
- id_saddr—Remote proxy IP address
- id_smask—Remote proxy IP subnet mask
- id_sprot—Remote proxy transport protocol
- id_sport—Remote proxy port
Recommended Action Contact the administrator of the peer and compare policy settings.
402117
Error Message
%FTD-4-402117: IPSEC: Received a non-IPsec (protocol) packet from remote_IP to local_IP.
Explanation The received packet matched the crypto map ACL, but it is not IPsec-encapsulated. The IPsec peer is sending unencapsulated packets. This error can occur because of a policy setup error on the peer. For example, the firewall may be configured to only accept encrypted Telnet traffic to the outside interface port 23. If you attempt to use Telnet without IPsec encryption to access the outside interface on port 23, this message appears, but not with Telnet or traffic to the outside interface on ports other than 23. This error can also indicate an attack. This message is not generated except under these conditions (for example, it is not generated for traffic to the Secure Firewall Threat Defense interfaces themselves). See messages 710001, 710002, and 710003, which track TCP and UDP requests. This message is rate limited to no more than one message every five seconds.
- protocol—IPsec protocol
- remote_IP—IP address of the remote endpoint of the tunnel
- local_IP—IP address of the local endpoint of the tunnel
Recommended Action Contact the administrator of the peer to compare policy settings.
402118
Error Message %FTD-4-402118: IPSEC: Received an protocol packet (SPI=spi, sequence number seq_num) from remote_IP (username) to local_IP containing an illegal IP fragment of length frag_len with offset frag_offset.
Explanation A decapsulated IPsec packet included an IP fragment with an offset less than or equal to 128 bytes. The latest version of the security architecture for IP RFC recommends 128 bytes as the minimum IP fragment offset to prevent reassembly attacks. This may be part of an attack. This message is rate limited to no more than one message every five seconds.
- protocol—IPsec protocol
- spi—IPsec Security Parameter Index
- seq_num—IPsec sequence number
- remote_IP—IP address of the remote endpoint of the tunnel
- username—Username associated with the IPsec tunnel
- local_IP—IP address of the local endpoint of the tunnel
- frag_len—IP fragment length
- frag_offset—IP fragment offset in bytes
Recommended Action Contact the administrator of the remote peer to compare policy settings.
402119
Error Message %FTD-4-402119: IPSEC: Received an protocol packet (SPI=spi, sequence number=seq_num) from remote_IP (username) to local_IP that failed anti-replay checking.
Explanation An IPsec packet was received with an invalid sequence number. The peer is sending packets including sequence numbers that may have been previously used. This message indicates that an IPsec packet has been received with a sequence number outside of the acceptable window. This packet will be dropped by IPsec as part of a possible attack. This message is rate limited to no more than one message every five seconds.
- protocol—IPsec protocol
- spi—IPsec Security Parameter Index
- seq_num—IPsec sequence number
- remote_IP—IP address of the remote endpoint of the tunnel
- username—Username associated with the IPsec tunnel
- local_IP—IP address of the local endpoint of the tunnel
Recommended Action Contact the administrator of the peer.
402120
Error Message %FTD-4-402120: IPSEC: Received an protocol packet (SPI=spi, sequence number=seq_num) from remote_IP (username) to local_IP that failed authentication.
Explanation An IPsec packet was received and failed authentication. The packet is dropped. The packet may have been corrupted in transit, or the peer may be sending invalid IPsec packets, which may indicate an attack if many of these packets were received from the same peer. This message is rate limited to no more than one message every five seconds.
- protocol—IPsec protocol
- spi—IPsec Security Parameter Index
- seq_num—IPsec sequence number
- remote_IP—IP address of the remote endpoint of the tunnel
- username—Username associated with the IPsec tunnel
- local_IP—IP address of the local endpoint of the tunnel
Recommended Action Contact the administrator of the remote peer if many failed packets were received.
402121
Error Message %FTD-4-402121: IPSEC: Received an protocol packet (SPI=spi, sequence number=seq_num) from peer_addr (username) to lcl_addr that was dropped by IPsec (drop_reason).
Explanation An IPsec packet to be decapsulated was received and subsequently dropped by the IPsec subsystem. This may indicate a problem with the Secure Firewall Threat Defense configuration or with the Secure Firewall Threat Defense device itself.
- protocol—IPsec protocol
- spi—IPsec Security Parameter Index
- seq_num—IPsec sequence number
- peer_addr—IP address of the remote endpoint of the tunnel
- username—Username associated with the IPsec tunnel
- lcl_addr—IP address of the local endpoint of the tunnel
- drop_reason—Reason that the packet was dropped
Recommended Action If the problem persists, contact the Cisco TAC.
402122
Error Message %FTD-4-402122: Received a cleartext packet from src_addr to dest_addr that was to be encapsulated in IPsec that was dropped by IPsec (drop_reason).
Explanation A packet to be encapsulated in IPsec was received and subsequently dropped by the IPsec subsystem. This may indicate a problem with the Secure Firewall Threat Defense configuration or with the Secure Firewall Threat Defense device itself.
- src_addr—Source IP address
- dest_addr—Destination IP address
- drop_reason—Reason that the packet was dropped
Recommended Action If the problem persists, contact the Cisco TAC.
402123
Error Message %FTD-4-402123: CRYPTO: The accel_type hardware accelerator encountered an error (code=error_string) while executing crypto command command.
Explanation An error was detected while running a crypto command with a hardware accelerator, which may indicate a problem with the accelerator. This type of error may occur for a variety of reasons, and this message supplements the crypto accelerator counters to help determine the cause.
- accel_type—Hardware accelerator type
- error_string—Code indicating the type of error
- command—Crypto command that generated the error
Recommended Action If the problem persists, contact the Cisco TAC.
402124
Error Message %FTD-4-402124: CRYPTO: The threat defense hardware accelerator encountered an error (Hardware error address, Core, Hardware error code, IstatReg, PciErrReg, CoreErrStat, CoreErrAddr, Doorbell Size, DoorBell Outstanding, SWReset).
Explanation The crypto hardware chip has reported a fatal error, indicating that the chip is inoperable. The information from this message captures the details to allow further analysis of the problem. The crypto chip is reset when this condition is detected to unobtrusively allow the Secure Firewall Threat Defense device to continue functioning. Also, the crypto environment at the time this issue is detected is written to a crypto archive directory on flash to provide further debugging information. Various parameters related to the crypto hardware are included in this message, as follows:
- HWErrAddr—Hardware address (set by crypto chip)
- Core—Crypto core experiencing the error
- HwErrCode—Hardware error code (set by crypto chip)
- IstatReg—Interrupt status register (set by crypto chip)
- PciErrReg—PCI error register (set by crypto chip)
- CoreErrStat—Core error status (set by crypto chip)
- CoreErrAddr—Core error address (set by crypto chip)
- Doorbell Size—Maximum crypto commands allowed
- DoorBell Outstanding—Crypto commands outstanding
- SWReset—Number of crypto chip resets since boot
Note: The %threat defense-vpn-4-402124: CRYPTO: The threat defense hardware accelerator encountered an error (HWErrAddr= 0x40EE9800, Core= 0, HwErrCode= 23, IstatReg= 0x8, PciErrReg= 0x0, CoreErrStat= 0x41, CoreErrAddr= 0x844E9800, Doorbell Size[0]= 2048, DoorBell Outstanding[0]= 0, Doorbell Size[1]= 0, DoorBell Outstanding[1]= 0, SWReset= 99) error message indicates an AnyConnect problem; the workaround is to upgrade to AnyConnect 3.1.x.
Recommended Action Forward the message information to the Cisco TAC for further analysis.
402125
Error Message
%FTD-4-402125: The threat defense hardware accelerator ring timed out (parameters).
Explanation The crypto driver has detected that either the IPSEC descriptor ring or SSL/Admin descriptor ring is no longer progressing, meaning the crypto chip no longer appears to be functioning. The crypto chip is reset when this condition is detected to unobtrusively allow the Secure Firewall Threat Defense device to continue functioning. Also, the crypto environment at the time this issue was detected was written to a crypto archive directory on flash to provide further debugging information.
- ring—IPSEC or Admin ring
- parameters—Include the following:
  - Desc—Descriptor address
  - CtrlStat—Control/status value
  - ResultP—Success pointer
  - ResultVal—Success value
  - Cmd—Crypto command
  - CmdSize—Command size
  - Param—Command parameters
  - Dlen—Data length
  - DataP—Data pointer
  - CtxtP—VPN context pointer
  - SWReset—Number of crypto chip resets since boot
Recommended Action Forward the message information to the Cisco TAC for further analysis.
402126
Error Message %FTD-4-402126: CRYPTO: The threat defense created Crypto Archive File Archive Filename as a Soft Reset was necessary. Please forward this archived information to Cisco.
Explanation A functional problem with the hardware crypto chip was detected (see syslog messages 402124 and 402125). To further debug the crypto problem, a crypto archive file was generated that included the current crypto hardware environment (hardware registers and crypto description entries). At boot time, a crypto_archive directory was automatically created on the flash file system (if it did not exist previously). A maximum of two crypto archive files are allowed to exist in this directory.
- Archive Filename—The name of the crypto archive file. The crypto archive file names are of the form crypto_arch_x.bin, where x is 1 or 2.
Recommended Action Forward the crypto archive files to the Cisco TAC for further analysis.
402127
Error Message
%FTD-4-402127: CRYPTO: The threat defense is skipping the writing of latest Crypto Archive File as the maximum # of files, max_number, allowed have been written to archive_directory. Please archive & remove files from Archive Directory if you want more Crypto Archive Files saved.
Explanation A functional problem with the hardware crypto chip was detected (see messages 402124 and 402125). This message indicates that a crypto archive file was not written, because the maximum number of crypto archive files already existed.
- max_number—Maximum number of files allowed in the archive directory; currently set to two
- archive_directory—Name of the archive directory
Recommended Action Forward previously generated crypto archive files to the Cisco TAC. Remove the previously generated archive file(s) so that more can be written (if deemed necessary).
402128
Error Message
%FTD-5-402128: CRYPTO: An attempt to allocate a large memory block failed, size: size, limit: limit
Explanation An SSL connection is attempting to use more memory than allowed. The request has been denied.
- size—The size of the memory block being allocated
- limit—The maximum size of allocated memory permitted
Recommended Action If this message persists, an SSL denial of service attack may be in progress. Contact the remote peer administrator or upstream provider.
402129
Error Message %FTD-6-402129: CRYPTO: An attempt to release a DMA memory block failed, location: address
Explanation An internal software error has occurred.
- address—The address being freed
Recommended Action Contact the Cisco TAC for assistance.
402130
Error Message %FTD-6-402130: CRYPTO: Received an ESP packet (SPI = xxxxxxxxxx, sequence number=xxxx) from 172.16.0.1 (user=user) to 192.168.0.2 with incorrect IPsec padding.
Explanation The Secure Firewall Threat Defense device crypto hardware accelerator detected an IPsec packet with invalid padding. The ATT VPN client sometimes pads IPsec packets incorrectly.
- SPI—The SPI associated with the packet
- sequence number—The sequence number associated with the packet
- user—Username string
- padding—Padding data from the packet
Recommended Action None required. This message does not indicate a problem with the Secure Firewall Threat Defense device, but customers using the ATT VPN client may wish to upgrade their VPN client software.
402131
Error Message %FTD-4-402131: CRYPTO: status changing the accel_instance hardware accelerator's configuration bias from old_config_bias to new_config_bias.
Explanation The hardware accelerator configuration has been changed on the Secure Firewall Threat Defense device. Some Secure Firewall Threat Defense platforms have multiple hardware accelerators. One syslog message is generated for each hardware accelerator change.
- status—Indicates success or failure
- accel_instance—The instance of the hardware accelerator
- old_config_bias—The old configuration
- new_config_bias—The new configuration
Recommended Action If any of the accelerators fails when attempting to change its configuration, collect logging information and contact the Cisco TAC. If a failure occurs, the software will retry the configuration change multiple times. The software will fall back to the original configuration bias if the retry attempts fail. If multiple attempts to reconfigure the hardware accelerator fail, it may indicate a hardware failure.
402140
Error Message %FTD-3-402140: CRYPTO: RSA key generation error: modulus len len
Explanation An error occurred during an RSA public key pair generation.
- len—The prime modulus length in bits
Recommended Action Contact the Cisco TAC for assistance.
402141
Error Message %FTD-3-402141: CRYPTO: Key zeroization error: key set type, reason reason
Explanation An error occurred during an RSA public key pair generation.
- type—The key set type, which can be any of the following: DH, RSA, DSA, or unknown
- reason—The unexpected crypto session type
Recommended Action Contact the Cisco TAC for assistance.
402142
Error Message
%FTD-3-402142: CRYPTO: Bulk data op error: algorithm alg, mode mode
Explanation An error occurred during a symmetric key operation.
- op—The operation, which can be either encryption or decryption
- alg—The encryption algorithm, which can be any of the following: DES, 3DES, AES, or RC4
- mode—The mode, which can be any of the following: CBC, CTR, CFB, ECB, stateful-RC4, or stateless-RC4
Recommended Action Contact the Cisco TAC for assistance.
402143
Error Message %FTD-3-402143: CRYPTO: alg type key op
Explanation An error occurred during an asymmetric key operation.
- alg—The encryption algorithm, which can be either RSA or DSA
- type—The key type, which can be either public or private
- op—The operation, which can be either encryption or decryption
Recommended Action Contact the Cisco TAC for assistance.
402144
Error Message
%FTD-3-402144: CRYPTO: Digital signature error: signature algorithm sig, hash algorithm hash
Explanation An error occurred during digital signature generation.
- sig—The signature algorithm, which can be either RSA or DSA
- hash—The hash algorithm, which can be any of the following: MD5, SHA1, SHA256, SHA384, or SHA512
Recommended Action Contact the Cisco TAC for assistance.
402145
Error Message
%FTD-3-402145: CRYPTO: Hash generation error: algorithm hash
Explanation A hash generation error occurred.
- hash—The hash algorithm, which can be any of the following: MD5, SHA1, SHA256, SHA384, or SHA512
Recommended Action Contact the Cisco TAC for assistance.
402146
Error Message
%FTD-3-402146: CRYPTO: Keyed hash generation error: algorithm hash, key len len
Explanation A keyed hash generation error occurred.
- hash—The hash algorithm, which can be any of the following: MD5, SHA1, SHA256, SHA384, or SHA512
- len—The key length in bits
Recommended Action Contact the Cisco TAC for assistance.
402147
Error Message
%FTD-3-402147: CRYPTO: HMAC generation error: algorithm alg
Explanation An HMAC generation error occurred.
- alg—The HMAC algorithm, which can be any of the following: HMAC-MD5, HMAC-SHA1, HMAC-SHA2, or AES-XCBC
Recommended Action Contact the Cisco TAC for assistance.
402148
Error Message %FTD-3-402148: CRYPTO: Random Number Generator error
Explanation A random number generator error occurred.
Recommended Action Contact the Cisco TAC for assistance.
402149
Error Message %FTD-3-402149: CRYPTO: weak encryption type (length). Operation disallowed. Not FIPS 140-2 compliant
Explanation The Secure Firewall Threat Defense device tried to use an RSA key that is less than 2048 bits or DH groups 1, 2, or 5.
- encryption type—The encryption type
- length—The RSA key length or DH group number
Recommended Action Configure the Secure Firewall Threat Defense device or external application to use an RSA key that is at least 2048 bits, or to use a DH group that is not 1, 2, or 5.
402150
Error Message %FTD-3-402150: CRYPTO: Deprecated hash algorithm used for RSA operation (hash alg). Operation disallowed. Not FIPS 140-2 compliant
Explanation An unacceptable hashing algorithm has been used for digital certificate signing or verification for FIPS 140-2 certification.
- operation—Sign or verify
- hash alg—The name of the unacceptable hashing algorithm
Recommended Action Make sure that you use the minimum acceptable hashing algorithm for digital certificate signing or verification for FIPS 140-2 certification. These include SHA-256, SHA-384, and SHA-512.
403500
Error Message
%FTD-6-403500: PPPoE - Service name 'any' not received in PADO. Intf:interface_name AC:ac_name.
Explanation The Secure Firewall Threat Defense device requested the PPPoE service any from the access controller at the Internet service provider. The response from the service provider includes other services, but does not include the service any. This is a discrepancy in the implementation of the protocol. The PADO packet is processed normally, and connection negotiations continue.
Recommended Action None required.
403501
Error Message %FTD-3-403501: PPPoE - Bad host-unique in PADO - packet dropped. Intf:interface_name AC:ac_name
Explanation The Secure Firewall Threat Defense device sent an identifier called the host-unique value to the access controller. The access controller responded with a different host-unique value. The Secure Firewall Threat Defense device was unable to identify the corresponding connection request for this response. The packet was dropped, and connection negotiations were discontinued.
Recommended Action Contact the Internet service provider. Either the access controller at the service provider is mishandling the host-unique value, or the PADO packet is being forged.
403502
Error Message
%FTD-3-403502: PPPoE - Bad host-unique in PADS - dropping packet. Intf:interface_name AC:ac_name
Explanation The Secure Firewall Threat Defense device sent an identifier called the host-unique value to the access controller. The access controller responded with a different host-unique value. The Secure Firewall Threat Defense device was unable to identify the corresponding connection request for this response. The packet was dropped, and connection negotiations were discontinued.
Recommended Action Contact the Internet service provider. Either the access controller at the service provider is mishandling the host-unique value, or the PADO packet is being forged.
403503
Error Message %FTD-3-403503: PPPoE:PPP link down:reason
Explanation The PPP link has gone down. There are many reasons why this can happen. The first format will display a reason if PPP provides one.
Recommended Action Check the network link to ensure that the link is connected. The access concentrator may be down. Make sure that your authentication protocol matches the access concentrator and that your name and password are correct. Verify this information with your ISP or network support person.
403504
Error Message %FTD-3-403504: PPPoE:No 'vpdn group group_name ' for PPPoE is created
Explanation PPPoE requires a dial-out configuration before starting a PPPoE session. In general, the configuration should specify a dialing policy, the PPP authentication, the username, and a password. The following example configures the Secure Firewall Threat Defense device for PPPoE dialout. The my-username and my-password commands are used to authenticate the access concentrator, using PAP if necessary.
For example:
ciscoftd# vpdn group my-pppoe request dialout pppoe
ciscoftd# vpdn group my-pppoe ppp authentication pap
ciscoftd# vpdn group my-pppoe localname my-username
ciscoftd# vpdn username my-username password my-password
ciscoftd# ip address outside pppoe setroute
Recommended Action Configure a VPDN group for PPPoE.
403505
Error Message
%FTD-4-403505: PPPoE:PPP - Unable to set default route to IP_address at interface_name
Explanation This message is usually followed by the message, default route already exists.
Recommended Action Remove the current default route or remove the setroute parameter so that there is no conflict between PPPoE and the manually configured route.
403506
Error Message
%FTD-4-403506: PPPoE:failed to assign PPP IP_address netmask netmask at interface_name
Explanation This message is followed by one of the following messages: subnet is the same as interface, or on failover channel.
Recommended Action In the first case, change the address causing the conflict. In the second case, configure the PPPoE on an interface other than the failover interface.
403507
Error Message %FTD-3-403507: PPPoE:PPPoE client on interface interface failed to locate PPPoE vpdn group group_name
Explanation You can configure the PPPoE client on an interface to use a particular VPDN group by entering the pppoe client vpdn group group_name command. If a PPPoE VPDN group of the configured name was not located during system startup, this message is generated.
- interface—The interface on which the PPPoE client failed
- group_name—The VPDN group name of the PPPoE client on the interface
Recommended Action Perform one of the following steps:
- Add the required VPDN group by entering the vpdn group group_name command. Request dialout PPPoE in global configuration mode, and add all the group properties.
- Remove the pppoe client vpdn group group_name command from the interface indicated. In this case, the PPPoE client will attempt to use the first PPPoE VPDN group defined.
Note: All changes take effect only after the PPPoE client on the interface is restarted by entering the ip address pppoe command.
405001
Error Message %FTD-4-405001: Received ARP {request | response} collision from IP_address/MAC_address on interface interface_name with existing ARP entry IP_address/MAC_address
Explanation The Secure Firewall Threat Defense device received an ARP packet, and the MAC address in the packet differs from the ARP cache entry.
Recommended Action This traffic might be legitimate, or it might indicate that an ARP poisoning attack is in progress. Check the source MAC address to determine where the packets are coming from and to see if they belong to a valid host.
405002
Error Message %FTD-4-405002: Received mac mismatch collision from IP_address/MAC_address for authenticated host
Explanation This packet appears for one of the following conditions:
- The Secure Firewall Threat Defense device received a packet with the same IP address, but a different MAC address from one of its uauth entries.
- You configured the vpnclient mac-exempt command on the Secure Firewall Threat Defense device, and the Secure Firewall Threat Defense device received a packet with an exempt MAC address, but a different IP address from the corresponding uauth entry.
Recommended Action This traffic might be legitimate, or it might indicate that a spoofing attack is in progress. Check the source MAC address and IP address to determine where the packets are coming from and if they belong to a valid host.
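A defender-side correlation of two of the messages above, written as an added example and not part of the Cisco reference: it parses the %FTD header, counts the IPsec drops that 402114, 402119 and 402120 describe as possibly "part of an attack" per remote peer in a sliding window, and counts 405001 ARP collisions per interface and IP so that an address flapping between two MACs stands out from a one-off NIC replacement. The window, the thresholds and the sample syslog lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Header shared by every message in this chapter: %FTD-<severity>-<message id>: <body>
HEADER_RE = re.compile(r"%FTD-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$")

# Bodies of 402114/402119/402120: "(SPI=spi, sequence number=seq_num) from remote_IP
# (username) to local_IP ...". 402114 carries no "(username)", so that group is optional.
IPSEC_RE = re.compile(
    r"\(SPI=(?P<spi>0x[0-9a-fA-F]+|\d+),\s*sequence number=(?P<seq>\d+)\)\s*"
    r"from (?P<remote>[0-9a-fA-F.:]+)(?:\s*\((?P<user>[^)]*)\))?\s*to (?P<local>[0-9a-fA-F.:]+)"
)

# Body of 405001: "Received ARP request collision from IP/MAC on interface name with existing ARP entry IP/MAC"
ARP_RE = re.compile(
    r"Received ARP (?:request|response) collision from (?P<ip>[0-9.]+)/(?P<new_mac>[0-9a-fA-F.:]+)"
    r" on interface (?P<iface>\S+) with existing ARP entry [0-9.]+/(?P<old_mac>[0-9a-fA-F.:]+)"
)

# The IPsec messages whose explanations say the packets "may be part of an attack".
IPSEC_SUSPECT_IDS = {"402114", "402119", "402120"}


def parse_header(line):
    """Return (severity, msgid, body) for an FTD syslog line, or None if it is not one."""
    m = HEADER_RE.search(line)
    return (int(m.group("sev")), m.group("msgid"), m.group("body")) if m else None


class FtdDetector:
    """Sliding-window correlation. Thresholds are assumed values and deliberately low: the device
    rate-limits each IPsec message to one per five seconds, so the syslog count is only a floor
    on the number of bad packets actually received from a peer."""

    def __init__(self, window_s=60, ipsec_threshold=5, arp_threshold=3):
        self.window_s = window_s
        self.ipsec_threshold = ipsec_threshold
        self.arp_threshold = arp_threshold
        self.ipsec_hits = defaultdict(deque)  # remote_IP -> deque of (ts, msgid)
        self.arp_hits = defaultdict(deque)    # (iface, ip) -> deque of (ts, claimed MAC)

    def _expire(self, dq, now):
        while dq and now - dq[0][0] > self.window_s:  # keep only the current window
            dq.popleft()

    def feed(self, ts, line):
        """Consume one (epoch seconds, syslog line); return an alert string or None."""
        parsed = parse_header(line)
        if parsed is None:
            return None
        _, msgid, body = parsed
        if msgid in IPSEC_SUSPECT_IDS:
            m = IPSEC_RE.search(body)
            if not m:
                return None
            dq = self.ipsec_hits[m.group("remote")]
            dq.append((ts, msgid))
            self._expire(dq, ts)
            if len(dq) >= self.ipsec_threshold:
                ids = ",".join(sorted({i for _, i in dq}))
                return (f"ipsec: {len(dq)} dropped packets from peer {m.group('remote')} "
                        f"in {self.window_s}s (messages {ids})")
        elif msgid == "405001":
            m = ARP_RE.search(body)
            if not m:
                return None
            dq = self.arp_hits[(m.group("iface"), m.group("ip"))]
            dq.append((ts, m.group("new_mac")))
            self._expire(dq, ts)
            # Every MAC that claimed the IP in the window, plus the cached entry it collided with.
            macs = sorted({m.group("old_mac")} | {mac for _, mac in dq})
            if len(dq) >= self.arp_threshold and len(macs) >= 2:
                return (f"arp: {m.group('ip')} on {m.group('iface')} claimed by "
                        f"{len(macs)} MACs ({', '.join(macs)}) in {self.window_s}s")
        return None


def run(events, **kwargs):
    """Feed (ts, line) events through a fresh detector; return the alerts raised."""
    det = FtdDetector(**kwargs)
    return [a for a in (det.feed(ts, ln) for ts, ln in events) if a]


# Constructed sample lines in the formats this chapter documents (not captured traffic).
SAMPLE_EVENTS = [
    (0, "%FTD-4-402120: IPSEC: Received an ESP packet (SPI=0x1A2B3C4D, sequence number=101) "
        "from 203.0.113.7 (alice) to 198.51.100.1 that failed authentication."),
    (5, "%FTD-4-402119: IPSEC: Received an ESP packet (SPI=0x1A2B3C4D, sequence number=40) "
        "from 203.0.113.7 (alice) to 198.51.100.1 that failed anti-replay checking."),
    (10, "%FTD-4-402114: IPSEC: Received an ESP packet (SPI=0xDEADBEEF, sequence number=7) "
         "from 203.0.113.7 to 198.51.100.1 with an invalid SPI."),
    (12, "%FTD-4-402120: IPSEC: Received an ESP packet (SPI=0x0000AB01, sequence number=9) "
         "from 203.0.113.9 (bob) to 198.51.100.1 that failed authentication."),
    (15, "%FTD-4-402120: IPSEC: Received an ESP packet (SPI=0x1A2B3C4D, sequence number=102) "
         "from 203.0.113.7 (alice) to 198.51.100.1 that failed authentication."),
    (20, "%FTD-4-402119: IPSEC: Received an ESP packet (SPI=0x1A2B3C4D, sequence number=41) "
         "from 203.0.113.7 (alice) to 198.51.100.1 that failed anti-replay checking."),
    (30, "%FTD-4-405001: Received ARP request collision from 10.0.0.5/0011.2233.4455 "
         "on interface inside with existing ARP entry 10.0.0.5/00aa.bbcc.dd01"),
    (31, "%FTD-4-405001: Received ARP response collision from 10.0.0.5/00aa.bbcc.dd01 "
         "on interface inside with existing ARP entry 10.0.0.5/0011.2233.4455"),
    (33, "%FTD-4-405001: Received ARP request collision from 10.0.0.5/0011.2233.4455 "
         "on interface inside with existing ARP entry 10.0.0.5/00aa.bbcc.dd01"),
    (200, "%FTD-4-402120: IPSEC: Received an ESP packet (SPI=0x1A2B3C4D, sequence number=300) "
          "from 203.0.113.7 (alice) to 198.51.100.1 that failed authentication."),
]
```

Running `run(SAMPLE_EVENTS)` raises one IPsec alert for 203.0.113.7 at the fifth drop and one ARP alert for 10.0.0.5; the drop at 200 s starts a fresh window and stays silent.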
405003
Error Message %FTD-4-405003: IP address collision detected between host IP_address at MAC_address and interface interface_name, MAC_address.
Explanation A client IP address in the network is the same as the Secure Firewall Threat Defense interface IP address.
Recommended Action Change the IP address of the client.
405101
Error Message
%FTD-4-405101: Unable to Pre-allocate H225 Call Signalling Connection for foreign_address outside_address[/outside_port] to local_address inside_address[/inside_port]
Explanation The module failed to allocate RAM system memory while starting a connection or has no more address translation slots available.
Recommended Action If this message occurs periodically, it can be ignored. You can check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translations and connections. This error message may also be caused by insufficient memory; try reducing the amount of memory usage, or purchasing additional memory. If the problem persists, contact the Cisco TAC.
405102
Error Message %FTD-4-405102: Unable to Pre-allocate H245 Connection for foreign_address outside_address[/outside_port] to local_address inside_address[/inside_port]
Explanation The Secure Firewall Threat Defense device failed to allocate RAM system memory while starting a connection or has no more address translation slots available.
Recommended Action Check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translations and connections. In addition, reduce the amount of memory usage, or purchase additional memory. If this message occurs periodically, it can be ignored. If the problem persists, contact the Cisco TAC.
405103
Error Message
%FTD-4-405103: H225 message from source_address/source_port to dest_address/dest_port contains bad protocol discriminator hex
Explanation The Secure Firewall Threat Defense device is expecting the protocol discriminator, 0x08, but it received something other than 0x08. The endpoint may be sending a bad packet, or received a message segment other than the first segment. The packet is allowed through.
Recommended Action None required.
405104
Error Message %FTD-4-405104: H225 message received from outside_address/outside_port to inside_address/inside_port before SETUP
Explanation An H.225 message was received out of order, before the initial SETUP message, which is not allowed. The Secure Firewall Threat Defense device must receive an initial SETUP message for that H.225 call signalling channel before accepting any other H.225 messages.
Recommended Action None required.
405105
Error Message %FTD-4-405105: H323 RAS message AdmissionConfirm received from source_address /source_port to dest_address /dest_port without an AdmissionRequest
Explanation A gatekeeper has sent an ACF, but the Secure Firewall Threat Defense device did not send an ARQ to the gatekeeper.
Recommended Action Check the gatekeeper with the specified source_address to determine why it sent an ACF without receiving an ARQ from the Secure Firewall Threat Defense device.
406001
Error Message %FTD-4-406001: FTP port command low port: IP_address /port to IP_address on interface interface_name
Explanation A client entered an FTP port command and supplied a port less than 1024 (in the well-known port range usually devoted to server ports). This indicates an attempt to circumvent the site security policy. The Secure Firewall Threat Defense device drops the packet, terminates the connection, and logs the event.
Recommended Action None required.
406002
Error Message
%FTD-4-406002: FTP port command different address: IP_address(IP_address ) to IP_address on interface interface_name
Explanation A client entered an FTP port command and supplied an address other than the address used in the connection. This indicates an attempt to circumvent the site security policy. For example, an attacker might attempt to hijack an FTP session by modifying the packet in transit and substituting different source information for the correct source information. The Secure Firewall Threat Defense device drops the packet, terminates the connection, and logs the event. The address in parentheses is the address from the port command.
Recommended Action None required.
407001
Error Message %FTD-4-407001: Deny traffic for local-host interface_name :inside_address , license limit of number exceeded
Explanation The host limit was exceeded. An inside host is counted toward the limit when one of the following conditions is true:
- The inside host has forwarded traffic through the Secure Firewall Threat Defense device within the last five minutes.
- The inside host has reserved an xlate connection or user authentication at the Secure Firewall Threat Defense device.
Recommended Action The host limit is enforced on the low-end platforms. Use the show version command to view the host limit. Use the show local-host command to view the current active hosts and the inside users that have sessions at the Secure Firewall Threat Defense device. To forcefully disconnect one or more users, use the clear local-host command. To expire the inside users more quickly from the limit, set the xlate, connection, and uauth timeouts to the recommended values or lower as given in the table below:
Timeout | Recommended Value
---|---
xlate | 00:05:00 (five minutes)
conn | 01:00:00 (one hour)
uauth | 00:05:00 (five minutes)
407002
Error Message %FTD-4-407002: Embryonic limit nconns /elimit for through connections exceeded.outside_address /outside_port to global_address (inside_address )/inside_port on interface interface_name
Explanation The number of connections from a specified foreign address over a specified global address to the specified local address exceeded the maximum embryonic limit for that static. The Secure Firewall Threat Defense device tries to accept the connection if it can allocate memory for that connection. It proxies on behalf of the local host and sends a SYN_ACK packet to the foreign host. The Secure Firewall Threat Defense device retains pertinent state information, drops the packet, and waits for the acknowledgment from the client. The message might indicate legitimate traffic or that a DoS attack is in progress.
Recommended Action Check the source address to determine where the packets are coming from and whether or not a valid host is sending them.
407003
Error Message
%FTD-4-407003: Established limit for RPC services exceeded number
Explanation The Secure Firewall Threat Defense device tried to open a new hole for an already configured pair of RPC servers or services after the maximum number of holes had been reached.
Recommended Action Wait for other holes to be closed (through associated timeout expiration), or limit the number of active pairs of servers or services.
408001
Error Message %FTD-4-408001: IP route counter negative - reason , IP_address Attempt: number
Explanation An attempt to decrement the IP route counter into a negative value failed.
Recommended Action Enter the clear ip route command to reset the route counter. If the problem persists, contact the Cisco TAC.
408002
Error Message %FTD-4-408002: ospf process id route type update address1 netmask1 [distance1/metric1 ] via source IP :interface1 address2 netmask2 [distance2 /metric2 ] interface2
Explanation A network update was received from a different interface with the same distance and a better metric than the existing route. The new route overrides the existing route that was installed through another interface. The new route is for redundancy purposes only and means that a path has shifted in the network. This change must be controlled through topology and redistribution. Any existing connections affected by this change are probably disabled and will time out. This path shift only occurs if the network topology has been specifically designed to support path redundancy, in which case it is expected.
Recommended Action None required.
408003
Error Message %FTD-4-408003: can't track this type of object hex
Explanation A component of the tracking system has encountered an object type that is not supported by the component. A STATE object was expected.
- hex—A hexadecimal value (or values) representing variable values or addresses in memory
Recommended Action Reconfigure the track object to make it a STATE object.
408101
Error Message
%FTD-4-408101: KEYMAN : Type encryption_type encryption unknown. Interpreting keystring as literal.
Explanation The format type was not recognized by the system. A keystring format type value of 0 (unencrypted keystring) or 7 (hidden keystring), followed by a space, can precede the actual keystring to indicate its format. An unknown type value will be accepted, but the system will consider the keystring as being unencrypted.
Recommended Action Use the correct format for the value type or remove the space following the value type.
408102
Error Message
%FTD-4-408102: KEYMAN : Bad encrypted keystring for key id key_id.
Explanation The system could not successfully decrypt an encrypted keystring. The keystring may have been corrupted during system configuration.
Recommended Action Re-enter the key-string command, and reconfigure the key string.
409001
Error Message %FTD-4-409001: Database scanner: external LSA IP_address netmask is lost, reinstalls
Explanation The software detected an unexpected condition. The router will take corrective action and continue.
Recommended Action None required.
409002
Error Message
%FTD-4-409002: db_free: external LSA IP_address netmask
Explanation An internal software error occurred.
Recommended Action None required.
409003
Error Message %FTD-4-409003: Received invalid packet: reason from IP_address , interface_name
Explanation An invalid OSPF packet was received. Details are included in the error message. The cause might be an incorrect OSPF configuration or an internal error in the sender.
Recommended Action Check the OSPF configuration of the receiver and the sender configuration for inconsistency.
409004
Error Message %FTD-4-409004: Received reason from unknown neighbor IP_address
Explanation The OSPF hello, database description, or database request packet was received, but the router cannot identify the sender.
Recommended Action None required.
409005
Error Message
%FTD-4-409005: Invalid length number in OSPF packet from IP_address (ID IP_address ), interface_name
Explanation The Secure Firewall Threat Defense device received an OSPF packet with a field length of less than normal header size or that was inconsistent with the size of the IP packet in which it arrived. This indicates a configuration error in the sender of the packet.
Recommended Action From a neighboring address, locate the problem router and reboot it.
409006
Error Message %FTD-4-409006: Invalid lsa: reason Type number , LSID IP_address from IP_address , IP_address , interface_name
Explanation The router received an LSA with an invalid LSA type. The cause is either memory corruption or unexpected behavior on a router.
Recommended Action From a neighboring address, locate the problem router and reboot it. If the problem persists, contact the Cisco TAC.
409007
Error Message %FTD-4-409007: Found LSA with the same host bit set but using different mask LSA ID IP_address netmask New: Destination IP_address netmask
Explanation An internal software error occurred.
Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.
409008
Error Message %FTD-4-409008: Found generating default LSA with non-zero mask LSA type: number Mask: netmask metric: number area: string
Explanation The router tried to generate a default LSA with an incorrect mask and possibly incorrect metric because an internal software error occurred.
Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.
409009
Error Message %FTD-4-409009: OSPF process number cannot start. There must be at least one up IP interface, for OSPF to use as router ID
Explanation OSPF failed while attempting to allocate a router ID from the IP address of one of its interfaces.
Recommended Action Make sure that there is at least one interface that is up and has a valid IP address. If there are multiple OSPF processes running on the router, each requires a unique router ID. You must have enough interfaces up so that each of them can obtain a router ID.
409010
Error Message
%FTD-4-409010: Virtual link information found in non-backbone area: string
Explanation An internal error occurred.
Recommended Action Copy the message exactly as it appears, and report it to the Cisco TAC.
409011
Error Message
%FTD-4-409011: OSPF detected duplicate router-id IP_address from IP_address on interface interface_name
Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established.
Recommended Action The OSPF router ID should be unique. Change the neighbor router ID.
409012
Error Message %FTD-4-409012: Detected router with duplicate router ID IP_address in area string
Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established.
Recommended Action The OSPF router ID should be unique. Change the neighbor router ID.
409013
Error Message %FTD-4-409013: Detected router with duplicate router ID IP_address in Type-4 LSA advertised by IP_address
Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established.
Recommended Action The OSPF router ID should be unique. Change the neighbor router ID.
409014
Error Message
%FTD-4-409014: No valid authentication send key is available on interface nameif.
Explanation The authentication key configured on the interface is not valid.
Recommended Action Configure a new key.
409015
Error Message
%FTD-4-409015: Key ID key-id received on interface nameif.
Explanation The ID is not found in the configured key chain.
Recommended Action Configure a new security association with the Key ID.
409016
Error Message
%FTD-4-409016: Key chain name key-chain-name on nameif is invalid.
Explanation The key-chain name configured under OSPF interface does not match global key chain configuration.
Recommended Action Fix the configuration: either remove the OSPF authentication command or configure the key chain in global configuration mode.
409017
Error Message
%FTD-4-409017: Key ID key-id in key chain key-chain-name is invalid.
Explanation The Key ID configured in the key chain is out of range for OSPF. This can happen because the key chain allows Key ID values in a range that is not acceptable for OSPF.
Recommended Action Configure a new security association with a Key ID that is in the range 1-255.
409023
Error Message %FTD-4-409023: Attempting AAA Fallback method method_name for request_type request for user user :Auth-server group server_tag unreachable
Explanation An authentication or authorization attempt to an external server has failed and will be performed using the local user database.
- aaa_operation—Either authentication or authorization
- username—The user associated with the connection
- server_group—The name of the AAA server whose servers were unreachable
Recommended Action Investigate any connectivity problems with the AAA servers configured in the first method. Ping the authentication servers from the Secure Firewall Threat Defense device. Make sure that the daemons are running on the AAA server.
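The messages above are the ones in this range that a monitoring team usually wants to act on rather than file: 406001 and 406002 (a client tried an FTP PORT command the policy does not allow), 407002 (the embryonic connection limit was exceeded, which may be legitimate load or a SYN flood) and 409023 (authentication quietly fell back from the external AAA server to the local database). The following parser and triage routine is an added example, not Cisco's code or part of this reference; it is built from the message formats given above. The syslog prefix, the addresses and user names in the sample lines, and the syn_threshold value are constructed for illustration.

```python
"""Parse and triage Cisco FTD %FTD-4-40xxxx syslog messages.

Added example (not Cisco's code): covers 406001/406002 (FTP PORT command
policy violations), 407002 (embryonic connection limit exceeded) and
409023 (AAA fallback to the local database). The sample lines and the
syn_threshold value are constructed for illustration.
"""
import re
from collections import Counter

# One regex per message ID. Group names follow the placeholder names used in
# the message reference (IP_address, port, interface_name, ...).
PATTERNS = {
    "406001": re.compile(
        r"%FTD-4-406001: FTP port command low port: "
        r"(?P<client>[\d.]+)/(?P<port>\d+) to (?P<server>[\d.]+) "
        r"on interface (?P<interface>\S+)"),
    "406002": re.compile(
        r"%FTD-4-406002: FTP port command different address: "
        r"(?P<client>[\d.]+)\((?P<port_addr>[\d.]+)\) to (?P<server>[\d.]+) "
        r"on interface (?P<interface>\S+)"),
    "407002": re.compile(
        r"%FTD-4-407002: Embryonic limit (?P<nconns>\d+)/(?P<elimit>\d+) for "
        r"through connections exceeded\.(?P<source>[\d.]+)/(?P<sport>\d+) to "
        r"(?P<global>[\d.]+) \((?P<local>[\d.]+)\)/(?P<dport>\d+) "
        r"on interface (?P<interface>\S+)"),
    "409023": re.compile(
        r"%FTD-4-409023: Attempting AAA Fallback method (?P<method>\S+) for "
        r"(?P<request>\S+) request for user (?P<user>\S+) :Auth-server group "
        r"(?P<group>\S+) unreachable"),
}

# Constructed sample lines (syslog prefix, hosts and addresses are invented).
SAMPLE_LOG = [
    "Mar  4 10:15:01 ftd-edge %FTD-4-406001: FTP port command low port: "
    "10.1.1.5/33452 to 203.0.113.10 on interface inside",
    "Mar  4 10:15:02 ftd-edge %FTD-4-406002: FTP port command different address: "
    "10.1.1.5(10.1.1.9) to 203.0.113.10 on interface inside",
    "Mar  4 10:15:03 ftd-edge %FTD-4-407002: Embryonic limit 101/100 for through "
    "connections exceeded.198.51.100.7/51234 to 203.0.113.20 (10.1.2.20)/80 "
    "on interface outside",
    "Mar  4 10:15:03 ftd-edge %FTD-4-407002: Embryonic limit 102/100 for through "
    "connections exceeded.198.51.100.7/51235 to 203.0.113.20 (10.1.2.20)/80 "
    "on interface outside",
    "Mar  4 10:15:04 ftd-edge %FTD-4-407002: Embryonic limit 103/100 for through "
    "connections exceeded.198.51.100.7/51236 to 203.0.113.20 (10.1.2.20)/80 "
    "on interface outside",
    "Mar  4 10:15:05 ftd-edge %FTD-4-409023: Attempting AAA Fallback method LOCAL "
    "for authentication request for user admin :Auth-server group RADIUS-GRP "
    "unreachable",
    # An unrelated informational message; the parser must skip it.
    "Mar  4 10:15:06 ftd-edge %FTD-6-302013: Built inbound TCP connection",
]


def parse_line(line):
    """Return (msg_id, fields) for a recognised message, or None."""
    for msg_id, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return msg_id, m.groupdict()
    return None


def triage(lines, syn_threshold=3):
    """Turn raw lines into (finding, subject, detail) tuples.

    406001/406002 are reported per event: the device already dropped the
    packet and closed the session, so the value is in knowing which client
    tried it. 407002 is aggregated per source address: one event can be
    legitimate load, repeated events from one source look like a SYN flood.
    409023 is reported because authentication moved to the local database,
    which deserves a ticket even though the user was let in.
    """
    findings = []
    embryonic_by_source = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        msg_id, f = parsed
        if msg_id == "406001":
            findings.append(("ftp_port_low_port", f["client"], f["server"]))
        elif msg_id == "406002":
            findings.append(("ftp_port_addr_mismatch", f["client"], f["port_addr"]))
        elif msg_id == "407002":
            embryonic_by_source[f["source"]] += 1
        elif msg_id == "409023":
            findings.append(("aaa_fallback", f["group"], f["user"]))
    for src, n in embryonic_by_source.items():
        if n >= syn_threshold:
            findings.append(("possible_syn_flood", src, n))
    return findings


def run_sample():
    """Triage the constructed sample log."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The regexes use `search` rather than `match` so the usual syslog timestamp and hostname prefix does not have to be stripped first; a line that matches none of the four patterns is ignored. The per-source counting for 407002 is the part to tune: the threshold of three is constructed for the sample, and in practice it should be set from the embryonic limit configured for the static and the volume of these messages the device normally produces.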
409101
Error Message %FTD-4-409101: Received invalid packet: s from P , s
Explanation An invalid OSPF packet was received. Details are included in the error message. The cause might be a misconfigured OSPF or an internal error in the sender.
Recommended Action Check the OSPF configuration of the receiver and the sender for inconsistencies.
409102
Error Message %FTD-4-409102: Received packet with incorrect area from P , s , area AREA_ID_STR , packet area AREA_ID_STR
Explanation An OSPF packet was received with an area ID in its header that does not match the area of this interface.
Recommended Action Check the OSPF configuration of the receiver and the sender for inconsistencies.
409103
Error Message
%FTD-4-409103: Received s from unknown neighbor i
Explanation An OSPF hello, database description, or database request packet was received, but the router could not identify the sender.
Recommended Action None required.
409104
Error Message %FTD-4-409104: Invalid length d in OSPF packet type d from P (ID i ), s
Explanation The system received an OSPF packet with a length field of less than normal header size or inconsistent with the size of the IP packet in which it arrived. An error in the sender of the packet has occurred.
Recommended Action None required.
409105
Error Message %FTD-4-409105: Invalid lsa: s : Type 0x x , Length 0x x , LSID u from i
Explanation The router received an LSA with invalid data. The LSA includes an invalid LSA type, incorrect checksum, or incorrect length, which is caused by either memory corruption or unexpected behavior on a router.
Recommended Action From a neighboring address, locate the problem router and do the following:
- Collect a running configuration of the router by entering the show running-config command.
- Enter the show ipv6 ospf database command to gather data that may help identify the nature of the error.
- Enter the show ipv6 ospf database link-state-id command. The link-state-id argument is the IP address of the invalid LSA.
- Enter the show logging command to gather data that may help identify the nature of the error.
- Reboot the router.
If you cannot determine the nature of the error from the collected information, contact the Cisco TAC and provide the gathered information.
409106
Error Message %FTD-4-409106: Found generating default LSA with non-zero mask LSA type: 0x x Mask: i metric: lu area: AREA_ID_STR
Explanation The router tried to generate the default LSA with the incorrect mask and possibly an incorrect metric because of an internal software error.
Recommended Action None required.
409107
Error Message %FTD-4-409107: OSPFv3 process d could not pick a router-id, please configure manually
Explanation OSPFv3 failed while attempting to allocate a router ID from the IP address of one of its interfaces.
Recommended Action Make sure that there is at least one interface that is up and has a valid IP address. If there are multiple OSPF processes running on the router, each requires a unique router ID. You must have enough up interfaces so that each of them can obtain a router ID.
409108
Error Message
%FTD-4-409108: Virtual link information found in non-backbone area: AREA_ID_STR
Explanation An internal error has occurred.
Recommended Action None required.
409109
Error Message %FTD-4-409109: OSPF detected duplicate router-id i from P on interface IF_NAME
Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established. The OSPF router ID should be unique.
Recommended Action Change the neighbor router ID.
409110
Error Message %FTD-4-409110: Detected router with duplicate router ID i in area AREA_ID_STR
Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established. The OSPF router ID should be unique.
Recommended Action Change the neighbor router ID.
409111
Error Message
%FTD-4-409111: Multiple interfaces (IF_NAME /IF_NAME ) on a single link detected.
Explanation Enabling OSPFv3 on multiple interfaces that share the same link is not supported.
Recommended Action OSPFv3 should be disabled or made passive on all except one of the interfaces.
409112
Error Message %FTD-4-409112: Packet not written to the output queue
Explanation An internal error has occurred.
Recommended Action None required.
409113
Error Message %FTD-4-409113: Doubly linked list linkage is NULL
Explanation An internal error has occurred.
Recommended Action None required.
409114
Error Message %FTD-4-409114: Doubly linked list prev linkage is NULL x
Explanation An internal error has occurred.
Recommended Action None required.
409115
Error Message
%FTD-4-409115: Unrecognized timer d in OSPF s
Explanation An internal error has occurred.
Recommended Action None required.
409116
Error Message %FTD-4-409116: Error for timer d in OSPF process s
Explanation An internal error has occurred.
Recommended Action None required.
409117
Error Message
%FTD-4-409117: Can't find LSA database type x , area AREA_ID_STR , interface x
Explanation An internal error has occurred.
Recommended Action None required.
409118
Error Message
%FTD-4-409118: Could not allocate DBD packet
Explanation An internal error has occurred.
Recommended Action None required.
409119
Error Message
%FTD-4-409119: Invalid build flag x for LSA i , type 0x x
Explanation An internal error has occurred.
Recommended Action None required.
409120
Error Message %FTD-4-409120: Router-ID i is in use by ospf process d
Explanation The Secure Firewall Threat Defense device attempted to assign a router ID that is in use by another process.
Recommended Action Configure another router ID for one of the processes.
409121
Error Message
%FTD-4-409121: Router is currently an ASBR while having only one area which is a stub area
Explanation An ASBR must be attached to an area that can carry AS External or NSSA LSAs.
Recommended Action Make the area to which the router is attached into an NSSA or regular area.
409122
Error Message %FTD-4-409122: Could not select a global IPv6 address. Virtual links require at least one global IPv6 address.
Explanation A virtual link was configured. For the virtual link to function, a global IPv6 address must be available. However, no global IPv6 address could be found on the router.
Recommended Action Configure a global IPv6 address on an interface on this router.
409123
Error Message
%FTD-4-409123: Neighbor command allowed only on NBMA networks
Explanation The neighbor command is allowed only on NBMA networks.
Recommended Action Check the configuration options for the neighbor command, and correct the options or the network type for the neighbor interface.
409125
Error Message %FTD-4-409125: Can not use configured neighbor: poll and priority options are allowed only for a NBMA network
Explanation The configured neighbor was found on a point-to-multipoint network and either the poll or priority option was configured. These options are only allowed on NBMA type networks.
Recommended Action Check the configuration options for the neighbor command, and correct the options or the network type for the neighbor interface.
409128
Error Message
%FTD-4-409128: OSPFv3-d Area AREA_ID_STR : Router i originating invalid type 0x x LSA, ID u , Metric d on Link ID d Link Type d
Explanation The router indicated in this message has originated an LSA with an invalid metric. If this is a router LSA and the link metric is zero, a risk of routing loops and traffic loss exists in the network.
Recommended Action Configure a valid metric for the given LSA type and link type on the router that originated the reported LSA.