Scribd
Upload
54 views653 pages

HPE FlexFabric 5950 System Log Messages Reference-C05349961

Uploaded by

Dream CCIE
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
54 views653 pages

HPE FlexFabric 5950 System Log Messages Reference-C05349961

Uploaded by

Dream CCIE
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 653

HPE FlexFabric 5950 Switch Series

System Log messages Reference

Part number: 5200-2841


Document version: 6W100-20161031

The information in this document is subject to change without notice.


© Copyright 2016 Hewlett Packard Enterprise Development LP
© Copyright 2016 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are trademarks of the Microsoft group of companies.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.

i
Contents
Introduction ·····················································································1
System log message format ··········································································································· 1
Managing and obtaining system log messages ·················································································· 3
Obtaining log messages from the console terminal ······································································ 3
Obtaining log messages from the log buffer ················································································ 3
Obtaining log messages from a monitor terminal ········································································· 3
Obtaining log messages from the log file···················································································· 3
Obtaining log messages from a log host ···················································································· 4
Software module list ····················································································································· 4
Using this document ····················································································································· 7
AAA messages ················································································9
AAA_FAILURE ···························································································································· 9
AAA_LAUNCH ···························································································································· 9
AAA_SUCCESS ························································································································ 10
ACL messages ·············································································· 11
ACL_ACCELERATE_NO_RES ···································································································· 11
ACL_ACCELERATE_NONCONTIGUOUSMASK ············································································· 11
ACL_ACCELERATE_NOT_SUPPORT ·························································································· 11
ACL_ACCELERATE_NOT_SUPPORTHOPBYHOP ········································································· 12
ACL_ACCELERATE_NOT_SUPPORTMULTITCPFLAG ··································································· 12
ACL_ACCELERATE_UNK_ERR ·································································································· 12
ACL_IPV6_STATIS_INFO ··········································································································· 13
ACL_NO_MEM ·························································································································· 13
ACL_STATIS_INFO ··················································································································· 13
PFILTER_GLB_IPV4_DACT_NO_RES ·························································································· 14
PFILTER_GLB_IPV4_DACT_UNK_ERR ························································································ 14
PFILTER_GLB_IPV6_DACT_NO_RES ·························································································· 14
PFILTER_GLB_IPV6_DACT_UNK_ERR ························································································ 15
PFILTER_GLB_MAC_DACT_NO_RES ·························································································· 15
PFILTER_GLB_MAC_DACT_UNK_ERR ························································································ 15
PFILTER_GLB_NO_RES ············································································································ 16
PFILTER_GLB_NOT_SUPPORT ·································································································· 16
PFILTER_GLB_ RES_CONFLICT ································································································· 17
PFILTER_GLB_UNK_ERR ·········································································································· 17
PFILTER_IF_IPV4_DACT_NO_RES ····························································································· 18
PFILTER_IF_IPV4_DACT_UNK_ERR ··························································································· 18
PFILTER_IF_IPV6_DACT_NO_RES ····························································································· 19
PFILTER_IF_IPV6_DACT_UNK_ERR ··························································································· 19
PFILTER_IF_MAC_DACT_NO_RES ····························································································· 20
PFILTER_IF_MAC_DACT_UNK_ERR ··························································································· 20
PFILTER_IF_NO_RES ··············································································································· 21
PFILTER_IF_NOT_SUPPORT ····································································································· 21
PFILTER_IF_RES_CONFLICT ····································································································· 22
PFILTER_IF_UNK_ERR ············································································································· 22
PFILTER_IPV6_STATIS_INFO ···································································································· 23
PFILTER_STATIS_INFO ············································································································· 23
PFILTER_VLAN_IPV4_DACT_NO_RES ························································································ 24
PFILTER_VLAN_IPV4_DACT_UNK_ERR ······················································································ 24
PFILTER_VLAN_IPV6_DACT_NO_RES ························································································ 25
PFILTER_VLAN_IPV6_DACT_UNK_ERR ······················································································ 25
PFILTER_VLAN_MAC_DACT_NO_RES ························································································ 26
PFILTER_VLAN_MAC_DACT_UNK_ERR ······················································································ 26
PFILTER_VLAN_NO_RES ·········································································································· 27
PFILTER_VLAN_NOT_SUPPORT ································································································ 27
PFILTER_VLAN_RES_CONFLICT ································································································ 28

i
PFILTER_VLAN_UNK_ERR ········································································································ 28
ANCP messages ············································································ 29
ANCP_INVALID_PACKET ··········································································································· 29
APMGR messages ········································································· 30
APMGR_AC_MEM_ALERT ········································································································· 30
APMGR_ADD_AP_FAIL ············································································································· 30
APMGR_ADDBAC_INFO ············································································································ 30
APMGR_AP_OFFLINE ··············································································································· 31
APMGR_AP_ONLINE ················································································································· 31
APMGR_CWC_IMG_DOWNLOAD_COMPLETE ············································································· 31
APMGR_CWC_IMG_DOWNLOAD_START ···················································································· 32
APMGR_CWC_IMG_NO_ENOUGH_SPACE ·················································································· 32
APMGR_CWC_LOCAL_AC_DOWN······························································································ 33
APMGR_CWC_LOCAL_AC_UP ··································································································· 33
APMGR_CWC_REBOOT ············································································································ 34
APMGR_CWC_RUN_DOWNLOAD_COMPLETE ············································································ 34
APMGR_CWC_RUN_DOWNLOAD_START ··················································································· 34
APMGR_CWC_RUN_NO_ENOUGH_SPACE ················································································· 35
APMGR_CWC_TUNNEL_DOWN ································································································· 35
APMGR_CWC_TUNNEL_UP ······································································································· 36
APMGR_CWS_LOCAL_AC_DOWN ······························································································ 36
APMGR_CWS_LOCAL_AC_UP ··································································································· 37
APMGR_CWS_IMG_DOWNLOAD_COMPLETE ············································································· 37
APMGR_CWS_IMG_DOWNLOAD_START ···················································································· 37
APMGR_CWS_RUN_DOWNLOAD_COMPLETE ············································································ 38
APMGR_CWS_RUN_DOWNLOAD_START ··················································································· 38
APMGR_CWS_TUNNEL_DOWN ································································································· 39
APMGR_CWS_TUNNEL_UP ······································································································· 39
APMGR_DELBAC_INFO ············································································································· 40
APMGR_LOCAL_AC_OFFLINE ··································································································· 40
APMGR_LOCAL_AC_ONLINE ····································································································· 40
ARP messages ·············································································· 41
ARP_ACTIVE_ACK_NO_REPLY ·································································································· 41
ARP_ACTIVE_ACK_NOREQUESTED_REPLY ··············································································· 41
ARP_BINDRULETOHW_FAILED ·································································································· 42
ARP_ENTRY_CONFLICT ··········································································································· 43
ARP_HOST_IP_CONFLICT ········································································································· 43
ARP_RATE_EXCEEDED ············································································································ 44
ARP_SENDER_IP_INVALID ········································································································ 44
ARP_SENDER_MAC_INVALID ···································································································· 44
ARP_SENDER_SMACCONFLICT ································································································ 45
ARP_SENDER_SMACCONFLICT_VSI ·························································································· 45
ARP_SRC_MAC_FOUND_ATTACK ······························································································ 46
ARP_TARGET_IP_INVALID ········································································································ 46
DUPIFIP ··································································································································· 46
DUPIP ····································································································································· 47
DUPVRRPIP ····························································································································· 47
ATK messages ·············································································· 48
ATK_ICMP_ADDRMASK_REQ ···································································································· 48
ATK_ICMP_ADDRMASK_REQ_RAW ··························································································· 49
ATK_ICMP_ADDRMASK_RPL ····································································································· 50
ATK_ICMP_ADDRMASK_RPL_RAW ···························································································· 51
ATK_ICMP_ECHO_RPL ············································································································· 52
ATK_ICMP_ECHO_RPL_RAW ···································································································· 53
ATK_ICMP_ECHO_REQ ············································································································· 54
ATK_ICMP_ECHO_REQ_RAW ···································································································· 55
ATK_ICMP_FLOOD ··················································································································· 55
ATK_ICMP_INFO_REQ ·············································································································· 56

ii
ATK_ICMP_INFO_REQ_RAW ····································································································· 57
ATK_ICMP_INFO_RPL ··············································································································· 58
ATK_ICMP_INFO_RPL_RAW ······································································································ 59
ATK_ICMP_LARGE ··················································································································· 60
ATK_ICMP_LARGE_RAW ··········································································································· 60
ATK_ICMP_PARAPROBLEM······································································································· 61
ATK_ICMP_PARAPROBLEM_RAW ······························································································ 62
ATK_ICMP_PINGOFDEATH ········································································································ 63
ATK_ICMP_PINGOFDEATH_RAW ······························································································· 64
ATK_ICMP_REDIRECT ·············································································································· 65
ATK_ICMP_REDIRECT_RAW ····································································································· 66
ATK_ICMP_SMURF ··················································································································· 67
ATK_ICMP_SMURF_RAW ·········································································································· 68
ATK_ICMP_SOURCEQUENCH···································································································· 69
ATK_ICMP_SOURCEQUENCH_RAW ··························································································· 70
ATK_ICMP_TIMEEXCEED ·········································································································· 71
ATK_ICMP_TIMEEXCEED_RAW ································································································· 72
ATK_ICMP_TRACEROUTE ········································································································· 73
ATK_ICMP_TRACEROUTE_RAW ································································································ 73
ATK_ICMP_TSTAMP_REQ ········································································································· 74
ATK_ICMP_TSTAMP_REQ_RAW ································································································ 75
ATK_ICMP_TSTAMP_RPL ·········································································································· 76
ATK_ICMP_TSTAMP_RPL_RAW ································································································· 77
ATK_ICMP_TYPE ······················································································································ 78
ATK_ICMP_TYPE_RAW ············································································································· 79
ATK_ICMP_UNREACHABLE ······································································································· 80
ATK_ICMP_UNREACHABLE_RAW ······························································································ 81
ATK_ICMPV6_DEST_UNREACH ································································································· 82
ATK_ICMPV6_DEST_UNREACH_RAW ························································································ 82
ATK_ICMPV6_ECHO_REQ ········································································································· 83
ATK_ICMPV6_ECHO_REQ_RAW ································································································ 83
ATK_ICMPV6_ECHO_RPL·········································································································· 84
ATK_ICMPV6_ECHO_RPL_RAW ································································································· 84
ATK_ICMPV6_FLOOD ··············································································································· 85
ATK_ICMPV6_GROUPQUERY ···································································································· 85
ATK_ICMPV6_GROUPQUERY_RAW ··························································································· 86
ATK_ICMPV6_GROUPREDUCTION ····························································································· 86
ATK_ICMPV6_GROUPREDUCTION_RAW ···················································································· 87
ATK_ICMPV6_GROUPREPORT ·································································································· 87
ATK_ICMPV6_GROUPREPORT_RAW ························································································· 88
ATK_ICMPV6_LARGE ················································································································ 88
ATK_ICMPV6_LARGE_RAW ······································································································· 89
ATK_ICMPV6_PACKETTOOBIG ·································································································· 89
ATK_ICMPV6_PACKETTOOBIG_RAW ························································································· 90
ATK_ICMPV6_PARAPROBLEM ··································································································· 90
ATK_ICMPV6_PARAPROBLEM_RAW ·························································································· 91
ATK_ICMPV6_TIMEEXCEED ······································································································ 91
ATK_ICMPV6_TIMEEXCEED_RAW ····························································································· 92
ATK_ICMPV6_TRACEROUTE ····································································································· 92
ATK_ICMPV6_TRACEROUTE_RAW ···························································································· 93
ATK_ICMPV6_TYPE ·················································································································· 94
ATK_ICMPV6_TYPE_RAW ········································································································· 94
ATK_IP4_ACK_FLOOD ·············································································································· 95
ATK_IP4_DIS_PORTSCAN ········································································································· 95
ATK_IP4_DNS_FLOOD ·············································································································· 96
ATK_IP4_FIN_FLOOD ················································································································ 96
ATK_IP4_FRAGMENT ················································································································ 97
ATK_IP4_FRAGMENT_RAW ······································································································· 98
ATK_IP4_HTTP_FLOOD ············································································································· 99
ATK_IP4_IMPOSSIBLE ············································································································ 100
ATK_IP4_IMPOSSIBLE_RAW···································································································· 101
ATK_IP4_IPSWEEP ················································································································· 101

iii
ATK_IP4_PORTSCAN ·············································································································· 102
ATK_IP4_RST_FLOOD ············································································································ 102
ATK_IP4_SYN_FLOOD ············································································································ 103
ATK_IP4_SYNACK_FLOOD ······································································································ 103
ATK_IP4_TCP_ALLFLAGS········································································································ 104
ATK_IP4_TCP_ALLFLAGS_RAW ······························································································· 105
ATK_IP4_TCP_FINONLY ·········································································································· 106
ATK_IP4_TCP_FINONLY_RAW ································································································· 107
ATK_IP4_TCP_INVALIDFLAGS ································································································· 108
ATK_IP4_TCP_INVALIDFLAGS_RAW ························································································ 109
ATK_IP4_TCP_LAND ··············································································································· 110
ATK_IP4_TCP_LAND_RAW ······································································································ 111
ATK_IP4_TCP_NULLFLAG ······································································································· 112
ATK_IP4_TCP_NULLFLAG_RAW ······························································································ 113
ATK_IP4_TCP_SYNFIN ············································································································ 114
ATK_IP4_TCP_SYNFIN_RAW ··································································································· 115
ATK_IP4_TCP_WINNUKE········································································································· 116
ATK_IP4_TCP_WINNUKE_RAW ································································································ 117
ATK_IP4_TEARDROP ·············································································································· 118
ATK_IP4_TEARDROP_RAW ····································································································· 119
ATK_IP4_TINY_FRAGMENT ····································································································· 120
ATK_IP4_TINY_FRAGMENT_RAW ···························································································· 121
ATK_IP4_UDP_BOMB ·············································································································· 122
ATK_IP4_UDP_BOMB_RAW ····································································································· 123
ATK_IP4_UDP_FLOOD ············································································································ 123
ATK_IP4_UDP_FRAGGLE ········································································································ 124
ATK_IP4_UDP_FRAGGLE_RAW ······························································································· 125
ATK_IP4_UDP_SNORK ············································································································ 126
ATK_IP4_UDP_SNORK_RAW ··································································································· 127
ATK_IP6_ACK_FLOOD ············································································································ 127
ATK_IP6_DIS_PORTSCAN ······································································································· 128
ATK_IP6_DNS_FLOOD ············································································································ 128
ATK_IP6_FIN_FLOOD ·············································································································· 129
ATK_IP6_FRAGMENT ·············································································································· 130
ATK_IP6_FRAGMENT_RAW ····································································································· 131
ATK_IP6_HTTP_FLOOD ··········································································································· 131
ATK_IP6_IMPOSSIBLE ············································································································ 132
ATK_IP6_IMPOSSIBLE_RAW···································································································· 133
ATK_IP6_IPSWEEP ················································································································· 133
ATK_IP6_PORTSCAN ·············································································································· 134
ATK_IP6_RST_FLOOD ············································································································ 134
ATK_IP6_SYN_FLOOD ············································································································ 135
ATK_IP6_SYNACK_FLOOD ······································································································ 135
ATK_IP6_TCP_ALLFLAGS········································································································ 136
ATK_IP6_TCP_ALLFLAGS_RAW ······························································································· 136
ATK_IP6_TCP_FINONLY ·········································································································· 137
ATK_IP6_TCP_FINONLY_RAW ································································································· 137
ATK_IP6_TCP_INVALIDFLAGS ································································································· 138
ATK_IP6_TCP_INVALIDFLAGS_RAW ························································································ 139
ATK_IP6_TCP_LAND ··············································································································· 140
ATK_IP6_TCP_LAND_RAW ······································································································ 140
ATK_IP6_TCP_NULLFLAG ······································································································· 141
ATK_IP6_TCP_NULLFLAG_RAW ······························································································ 141
ATK_IP6_TCP_SYNFIN ············································································································ 142
ATK_IP6_TCP_SYNFIN_RAW ··································································································· 142
ATK_IP6_TCP_WINNUKE········································································································· 143
ATK_IP6_TCP_WINNUKE_RAW ································································································ 143
ATK_IP6_UDP_FLOOD ············································································································ 144
ATK_IP6_UDP_FRAGGLE ········································································································ 144
ATK_IP6_UDP_FRAGGLE_RAW ······························································································· 145
ATK_IP6_UDP_SNORK ············································································································ 145
ATK_IP6_UDP_SNORK_RAW ··································································································· 146

iv
ATK_IP_OPTION ····················································································································· 147
ATK_IP_OPTION_RAW ············································································································ 148
ATK_IPOPT_ABNORMAL ········································································································· 149
ATK_IPOPT_ABNORMAL_RAW ································································································ 150
ATK_IPOPT_LOOSESRCROUTE ······························································································· 151
ATK_IPOPT_LOOSESRCROUTE_RAW ······················································································ 152
ATK_IPOPT_RECORDROUTE ·································································································· 153
ATK_IPOPT_RECORDROUTE_RAW·························································································· 154
ATK_IPOPT_ROUTEALERT ······································································································ 155
ATK_IPOPT_ROUTEALERT_RAW ····························································································· 156
ATK_IPOPT_SECURITY ··········································································································· 157
ATK_IPOPT_SECURITY_RAW ·································································································· 158
ATK_IPOPT_STREAMID ·········································································································· 159
ATK_IPOPT_STREAMID_RAW ·································································································· 160
ATK_IPOPT_STRICTSRCROUTE ······························································································ 161
ATK_IPOPT_STRICTSRCROUTE_RAW ····················································································· 162
ATK_IPOPT_TIMESTAMP ········································································································ 163
ATK_IPOPT_TIMESTAMP_RAW ································································································ 164
ATK_IPV6_EXT_HEADER ········································································································ 165
ATK_IPV6_EXT_HEADER_RAW ································································································ 166
ATK_ICMP_ADDRMASK_REQ_SZ····························································································· 167
ATK_ICMP_ADDRMASK_REQ_RAW_SZ ···················································································· 168
ATK_ICMP_ADDRMASK_RPL_SZ ····························································································· 169
ATK_ICMP_ADDRMASK_RPL_RAW_SZ ···················································································· 170
ATK_ICMP_ECHO_RPL_SZ ······································································································ 171
ATK_ICMP_ECHO_RPL_RAW_SZ ····························································································· 172
ATK_ICMP_ECHO_REQ_SZ ····································································································· 173
ATK_ICMP_ECHO_REQ_RAW_SZ ···························································································· 174
ATK_ICMP_FLOOD_SZ ············································································································ 174
ATK_ICMP_INFO_REQ_SZ······································································································· 175
ATK_ICMP_INFO_REQ_RAW_SZ ······························································································ 176
ATK_ICMP_INFO_RPL_SZ ······································································································· 177
ATK_ICMP_INFO_RPL_RAW_SZ ······························································································ 178
ATK_ICMP_LARGE_SZ ············································································································ 179
ATK_ICMP_LARGE_RAW_SZ ··································································································· 179
ATK_ICMP_PARAPROBLEM_SZ ······························································································· 180
ATK_ICMP_PARAPROBLEM_RAW_SZ ······················································································ 181
ATK_ICMP_PINGOFDEATH_SZ ································································································ 182
ATK_ICMP_PINGOFDEATH_RAW_SZ ······················································································· 183
ATK_ICMP_REDIRECT_SZ······································································································· 184
ATK_ICMP_REDIRECT_RAW_SZ ······························································································ 185
ATK_ICMP_SMURF_SZ ··········································································································· 186
ATK_ICMP_SMURF_RAW_SZ··································································································· 187
ATK_ICMP_SOURCEQUENCH_SZ ···························································································· 188
ATK_ICMP_SOURCEQUENCH_RAW_SZ ··················································································· 189
ATK_ICMP_TIMEEXCEED_SZ ·································································································· 190
ATK_ICMP_TIMEEXCEED_RAW_SZ·························································································· 191
ATK_ICMP_TRACEROUTE_SZ ································································································· 192
ATK_ICMP_TRACEROUTE_RAW_SZ ························································································ 192
ATK_ICMP_TSTAMP_REQ_SZ ································································································· 193
ATK_ICMP_TSTAMP_REQ_RAW_SZ ························································································· 194
ATK_ICMP_TSTAMP_RPL_SZ ·································································································· 195
ATK_ICMP_TSTAMP_RPL_RAW_SZ ························································································· 196
ATK_ICMP_TYPE_SZ ·············································································································· 197
ATK_ICMP_TYPE_RAW_SZ ····································································································· 198
ATK_ICMP_UNREACHABLE_SZ ······························································································· 199
ATK_ICMP_UNREACHABLE_RAW_SZ ······················································································ 200
ATK_ICMPV6_DEST_UNREACH_SZ·························································································· 201
ATK_ICMPV6_DEST_UNREACH_RAW_SZ ················································································· 201
ATK_ICMPV6_ECHO_REQ_SZ ································································································· 202
ATK_ICMPV6_ECHO_REQ_RAW_SZ························································································· 202
ATK_ICMPV6_ECHO_RPL_SZ ·································································································· 203

v
ATK_ICMPV6_ECHO_RPL_RAW_SZ ························································································· 203
ATK_ICMPV6_FLOOD_SZ ········································································································ 204
ATK_ICMPV6_GROUPQUERY_SZ ···························································································· 204
ATK_ICMPV6_GROUPQUERY_RAW_SZ···················································································· 205
ATK_ICMPV6_GROUPREDUCTION_SZ ····················································································· 205
ATK_ICMPV6_GROUPREDUCTION_RAW_SZ ············································································ 206
ATK_ICMPV6_GROUPREPORT_SZ··························································································· 206
ATK_ICMPV6_GROUPREPORT_RAW_SZ ·················································································· 207
ATK_ICMPV6_LARGE_SZ ········································································································ 207
ATK_ICMPV6_LARGE_RAW_SZ ······························································································· 208
ATK_ICMPV6_PACKETTOOBIG_SZ ·························································································· 208
ATK_ICMPV6_PACKETTOOBIG_RAW_SZ·················································································· 209
ATK_ICMPV6_PARAPROBLEM_SZ ··························································································· 209
ATK_ICMPV6_PARAPROBLEM_RAW_SZ ·················································································· 210
ATK_ICMPV6_TIMEEXCEED_SZ ······························································································· 210
ATK_ICMPV6_TIMEEXCEED_RAW_SZ ······················································································ 211
ATK_ICMPV6_TRACEROUTE_SZ ····························································································· 211
ATK_ICMPV6_TRACEROUTE_RAW_SZ····················································································· 212
ATK_ICMPV6_TYPE_SZ ·········································································································· 213
ATK_ICMPV6_TYPE _RAW_SZ ································································································· 213
ATK_IP4_ACK_FLOOD_SZ ······································································································· 214
ATK_IP4_DIS_PORTSCAN_SZ ································································································· 214
ATK_IP4_DNS_FLOOD_SZ······································································································· 215
ATK_IP4_FIN_FLOOD_SZ ········································································································ 215
ATK_IP4_FRAGMENT_SZ ········································································································ 216
ATK_IP4_FRAGMENT_RAW_SZ ······························································································· 217
ATK_IP4_HTTP_FLOOD_SZ ····································································································· 217
ATK_IP4_IMPOSSIBLE_SZ ······································································································· 218
ATK_IP4_IMPOSSIBLE_RAW_SZ ······························································································ 219
ATK_IP4_IPSWEEP_SZ ··········································································································· 219
ATK_IP4_PORTSCAN_SZ ········································································································ 220
ATK_IP4_RST_FLOOD_SZ ······································································································· 220
ATK_IP4_SYN_FLOOD_SZ ······································································································· 221
ATK_IP4_SYNACK_FLOOD_SZ ································································································ 221
ATK_IP4_TCP_ALLFLAGS_SZ ·································································································· 222
ATK_IP4_TCP_ALLFLAGS_RAW_SZ ························································································· 223
ATK_IP4_TCP_FINONLY_SZ ···································································································· 224
ATK_IP4_TCP_FINONLY_RAW_SZ ··························································································· 225
ATK_IP4_TCP_INVALIDFLAGS_SZ···························································································· 226
ATK_IP4_TCP_INVALIDFLAGS_RAW_SZ ··················································································· 227
ATK_IP4_TCP_LAND_SZ ········································································································· 228
ATK_IP4_TCP_LAND_RAW_SZ ································································································ 229
ATK_IP4_TCP_NULLFLAG_SZ ·································································································· 230
ATK_IP4_TCP_NULLFLAG_RAW_SZ ························································································· 231
ATK_IP4_TCP_SYNFIN_SZ ······································································································ 232
ATK_IP4_TCP_SYNFIN_RAW_SZ ····························································································· 233
ATK_IP4_TCP_WINNUKE_SZ ··································································································· 234
ATK_IP4_TCP_WINNUKE_RAW_SZ ·························································································· 235
ATK_IP4_TEARDROP_SZ ········································································································ 236
ATK_IP4_TEARDROP_RAW_SZ ······························································································· 237
ATK_IP4_TINY_FRAGMENT_SZ ······························································································· 238
ATK_IP4_TINY_FRAGMENT_RAW_SZ ······················································································· 239
ATK_IP4_UDP_BOMB_SZ ········································································································ 240
ATK_IP4_UDP_BOMB_RAW_SZ ······························································································· 241
ATK_IP4_UDP_FLOOD_SZ······································································································· 241
ATK_IP4_UDP_FRAGGLE_SZ··································································································· 242
ATK_IP4_UDP_FRAGGLE_RAW_SZ ·························································································· 243
ATK_IP4_UDP_SNORK_SZ ······································································································ 244
ATK_IP4_UDP_SNORK_RAW_SZ ····························································································· 245
ATK_IP6_ACK_FLOOD_SZ ······································································································· 245
ATK_IP6_DIS_PORTSCAN_SZ ································································································· 246
ATK_IP6_DNS_FLOOD_SZ······································································································· 246

vi
ATK_IP6_FIN_FLOOD_SZ ········································································································ 247
ATK_IP6_FRAGMENT_SZ ········································································································ 248
ATK_IP6_FRAGMENT_RAW_SZ ······························································································· 249
ATK_IP6_HTTP_FLOOD_SZ ····································································································· 249
ATK_IP6_IMPOSSIBLE_SZ ······································································································· 250
ATK_IP6_IMPOSSIBLE_RAW_SZ ······························································································ 251
ATK_IP6_IPSWEEP_SZ ··········································································································· 251
ATK_IP6_PORTSCAN_SZ ········································································································ 252
ATK_IP6_RST_FLOOD_SZ ······································································································· 252
ATK_IP6_SYN_FLOOD_SZ ······································································································· 253
ATK_IP6_SYNACK_FLOOD_SZ ································································································ 253
ATK_IP6_TCP_ALLFLAGS_SZ ·································································································· 254
ATK_IP6_TCP_ALLFLAGS_RAW_SZ ························································································· 254
ATK_IP6_TCP_FINONLY_SZ ···································································································· 255
ATK_IP6_TCP_FINONLY_RAW_SZ ··························································································· 255
ATK_IP6_TCP_INVALIDFLAGS_SZ···························································································· 256
ATK_IP6_TCP_INVALIDFLAGS_RAW_SZ ··················································································· 257
ATK_IP6_TCP_LAND_SZ ········································································································· 258
ATK_IP6_TCP_LAND_RAW_SZ ································································································ 258
ATK_IP6_TCP_NULLFLAG_SZ ·································································································· 259
ATK_IP6_TCP_NULLFLAG_RAW_SZ ························································································· 259
ATK_IP6_TCP_SYNFIN_SZ ······································································································ 260
ATK_IP6_TCP_SYNFIN_RAW_SZ ····························································································· 260
ATK_IP6_TCP_WINNUKE_SZ ··································································································· 261
ATK_IP6_TCP_WINNUKE_RAW_SZ ·························································································· 261
ATK_IP6_UDP_FLOOD_SZ······································································································· 262
ATK_IP6_UDP_FRAGGLE_SZ··································································································· 262
ATK_IP6_UDP_FRAGGLE_RAW_SZ ·························································································· 263
ATK_IP6_UDP_SNORK_SZ ······································································································ 263
ATK_IP6_UDP_SNORK_RAW_SZ ····························································································· 264
ATK_IP_OPTION_SZ ··············································································································· 265
ATK_IP_OPTION_RAW_SZ ······································································································ 266
ATK_IPOPT_ABNORMAL_SZ···································································································· 267
ATK_IPOPT_ABNORMAL_RAW_SZ ··························································································· 268
ATK_IPOPT_LOOSESRCROUTE_SZ ························································································· 269
ATK_IPOPT_LOOSESRCROUTE_RAW_SZ ················································································ 270
ATK_IPOPT_RECORDROUTE_SZ ····························································································· 271
ATK_IPOPT_RECORDROUTE_RAW_SZ ···················································································· 272
ATK_IPOPT_ROUTEALERT_SZ ································································································ 273
ATK_IPOPT_ROUTEALERT_RAW_SZ ······················································································· 274
ATK_IPOPT_SECURITY_SZ ····································································································· 275
ATK_IPOPT_SECURITY_RAW_SZ ···························································································· 276
ATK_IPOPT_STREAMID_SZ ····································································································· 277
ATK_IPOPT_STREAMID_RAW_SZ ···························································································· 278
ATK_IPOPT_STRICTSRCROUTE_SZ························································································· 279
ATK_IPOPT_STRICTSRCROUTE_RAW_SZ ················································································ 280
ATK_IPOPT_TIMESTAMP_SZ ··································································································· 281
ATK_IPOPT_TIMESTAMP_RAW_SZ ·························································································· 282
ATK_IPV6_EXT_HEADER_SZ ··································································································· 283
ATK_IPV6_EXT_HEADER_RAW_SZ ·························································································· 284
ATM ·························································································· 285
ATM_PVCDOWN····················································································································· 285
ATM_PVCUP ·························································································································· 285
BFD messages ············································································ 287
BFD_CHANGE_FSM ················································································································ 287
BFD_REACHED_UPPER_LIMIT ································································································ 287
BGP messages············································································ 288
BGP_EXCEED_ROUTE_LIMIT ·································································································· 288
BGP_EXCEEDS_THRESHOLD ································································································· 288

vii
BGP_MEM_ALERT ·················································································································· 289
BGP_PEER_LICENSE_REACHED ····························································································· 289
BGP_ROUTE_LICENSE_REACHED··························································································· 289
BGP_STATE_CHANGED ·········································································································· 290
BGP_LOG_ROUTE_FLAP ········································································································ 290
BLS messages ············································································ 291
BLS_ENTRY_ADD ··················································································································· 291
BLS_ENTRY_DEL ··················································································································· 291
BLS_IPV6_ENTRY_ADD ·········································································································· 292
BLS_IPV6_ENTRY_DEL ··········································································································· 292
CFD messages ············································································ 293
CFD_CROSS_CCM ················································································································· 293
CFD_ERROR_CCM ················································································································· 293
CFD_LOST_CCM ···················································································································· 294
CFD_RECEIVE_CCM ··············································································································· 294
CFGMAN messages ····································································· 295
CFGMAN_CFGCHANGED ········································································································ 295
CFGMAN_OPTCOMPLETION ··································································································· 296
CONNLMT messages ··································································· 297
CONNLMT_IPV4_OVERLOAD ··································································································· 297
CONNLMT_IPV4_RECOVER····································································································· 298
CONNLMT_IPV6_OVERLOAD ··································································································· 299
CONNLMT_IPV6_RECOVER····································································································· 300
DEV messages ············································································ 301
BOARD_REBOOT ··················································································································· 301
BOARD_REMOVED ················································································································· 301
BOARD_STATE_NORMAL········································································································ 302
BOARD_STATE_FAULT ··········································································································· 302
CFCARD_INSERTED ··············································································································· 303
CFCARD_REMOVED ··············································································································· 303
CHASSIS_REBOOT ················································································································· 304
DEV_CLOCK_CHANGE ··········································································································· 304
DEV_FAULT_TOOLONG ·········································································································· 304
DYINGGASP··························································································································· 305
FAN_ABSENT ························································································································· 305
FAN_DIRECTION_NOT_PREFERRED························································································ 306
FAN_FAILED ·························································································································· 306
FAN_RECOVERED·················································································································· 307
MAD_DETECT ························································································································ 307
POWER_ABSENT ··················································································································· 308
POWER_FAILED ····················································································································· 308
POWER_MONITOR_ABSENT ··································································································· 309
POWER_MONITOR_FAILED ····································································································· 309
POWER_MONITOR_RECOVERED ···························································································· 310
POWER_RECOVERED ············································································································ 310
RPS_ABSENT ························································································································ 311
RPS_NORMAL ························································································································ 311
SUBCARD_FAULT ·················································································································· 312
SUBCARD_INSERTED ············································································································· 313
SUBCARD_REBOOT ··············································································································· 314
SUBCARD_REMOVED ············································································································· 315
SYSTEM_REBOOT·················································································································· 315
TEMPERATURE_ALARM ········································································································· 316
TEMPERATURE_LOW ············································································································· 317
TEMPERATURE_NORMAL ······································································································· 318
TEMPERATURE_SHUTDOWN ·································································································· 319
TEMPERATURE_WARNING ····································································································· 320

viii
VCHK_VERSION_INCOMPATIBLE ···························································································· 321
DHCP ························································································ 322
DHCP_NOTSUPPORTED ········································································································· 322
DHCP_NORESOURCES ·········································································································· 322
DHCPR ······················································································ 323
DHCPR_SERVERCHANGE ······································································································· 323
DHCPR_SWITCHMASTER ······································································································· 323
DHCPS messages ······································································· 324
DHCPS_ALLOCATE_IP ············································································································ 324
DHCPS_CONFLICT_IP ············································································································ 324
DHCPS_EXTEND_IP ··············································································································· 325
DHCPS_FILE ·························································································································· 325
DHCPS_RECLAIM_IP ·············································································································· 325
DHCPS_VERIFY_CLASS ·········································································································· 326
DHCPS6 messages ······································································ 327
DHCPS6_ALLOCATE_ADDRESS ······························································································ 327
DHCPS6_ALLOCATE_PREFIX ·································································································· 327
DHCPS6_CONFLICT_ADDRESS ······························································································· 328
DHCPS6_EXTEND_ADDRESS ·································································································· 328
DHCPS6_EXTEND_PREFIX······································································································ 329
DHCPS6_FILE ························································································································ 329
DHCPS6_RECLAIM_ADDRESS ································································································· 330
DHCPS6_RECLAIM_PREFIX ···································································································· 330
DHCPSP4 ·················································································· 331
DHCPSP4_FILE ······················································································································ 331
DHCPSP6 ·················································································· 332
DHCPSP6_FILE ······················································································································ 332
DIAG messages ··········································································· 333
MEM_ALERT ·························································································································· 334
MEM_BELOW_THRESHOLD ···································································································· 335
MEM_EXCEED_THRESHOLD ··································································································· 335
DLDP messages ·········································································· 336
DLDP_AUTHENTICATION_FAILED ···························································································· 336
DLDP_LINK_BIDIRECTIONAL ··································································································· 336
DLDP_LINK_SHUTMODECHG ·································································································· 337
DLDP_LINK_UNIDIRECTIONAL ································································································· 337
DLDP_NEIGHBOR_AGED ········································································································ 338
DLDP_NEIGHBOR_CONFIRMED ······························································································ 338
DLDP_NEIGHBOR_DELETED ··································································································· 339
DOT1X messages ········································································ 340
DOT1X_NOTENOUGH_EADFREEIP_RES ·················································································· 340
DOT1X_NOTENOUGH_EADFREERULE_RES ············································································· 340
DOT1X_NOTENOUGH_EADPORTREDIR_RES ··········································································· 341
DOT1X_NOTENOUGH_EADMACREDIR_RES ············································································· 341
DOT1X_NOTENOUGH_ENABLEDOT1X_RES ············································································· 341
DOT1X_UNICAST_NOT_EFFECTIVE ························································································· 342
DOT1X_SMARTON_FAILURE ··································································································· 342
DOT1X_LOGIN_FAILURE ········································································································· 343
DOT1X_LOGIN_SUCC ············································································································· 343
DOT1X_LOGOFF ···················································································································· 344
EDEV messages ·········································································· 345
EDEV_FAILOVER_GROUP_STATE_CHANGE ············································································ 345

ix
ERPS messages ·········································································· 346
ERPS_FSM_CHANGED ··········································································································· 346
ETHOAM messages ····································································· 347
ETHOAM_CONNECTION_FAIL_DOWN ······················································································ 347
ETHOAM_CONNECTION_FAIL_TIMEOUT ·················································································· 347
ETHOAM_CONNECTION_FAIL_UNSATISF················································································· 348
ETHOAM_CONNECTION_SUCCEED ························································································· 348
ETHOAM_DISABLE ················································································································· 348
ETHOAM_DISCOVERY_EXIT···································································································· 349
ETHOAM_ENABLE ·················································································································· 349
ETHOAM_ENTER_LOOPBACK_CTRLLED·················································································· 349
ETHOAM_ENTER_LOOPBACK_CTRLLING ················································································ 350
ETHOAM_LOCAL_DYING_GASP ······························································································ 350
ETHOAM_LOCAL_ERROR_FRAME ··························································································· 350
ETHOAM_LOCAL_ERROR_FRAME_PERIOD·············································································· 351
ETHOAM_LOCAL_ERROR_FRAME_SECOND ············································································ 351
ETHOAM_LOCAL_LINK_FAULT ································································································ 351
ETHOAM_LOOPBACK_EXIT ····································································································· 352
ETHOAM_LOOPBACK_EXIT_ERROR_STATU ············································································ 352
ETHOAM_LOOPBACK_NO_RESOURCE ···················································································· 352
ETHOAM_LOOPBACK_NOT_SUPPORT ····················································································· 353
ETHOAM_QUIT_LOOPBACK_CTRLLED ····················································································· 353
ETHOAM_QUIT_LOOPBACK_CTRLLING ··················································································· 353
ETHOAM_REMOTE_CRITICAL ································································································· 354
ETHOAM_REMOTE_DYING_GASP ··························································································· 354
ETHOAM_REMOTE_ERROR_FRAME ························································································ 354
ETHOAM_REMOTE_ERROR_FRAME_PERIOD ·········································································· 355
ETHOAM_REMOTE_ERROR_FRAME_SECOND ········································································· 355
ETHOAM_REMOTE_ERROR_SYMBOL ······················································································ 355
ETHOAM_REMOTE_EXIT ········································································································ 356
ETHOAM_REMOTE_FAILURE_RECOVER·················································································· 356
ETHOAM_REMOTE_LINK_FAULT ····························································································· 356
ETHOAM_NO_ENOUGH_RESOURCE ······················································································· 357
ETHOAM_NOT_CONNECTION_TIMEOUT ·················································································· 357
EVB messages ············································································ 358
EVB_AGG_FAILED ·················································································································· 358
EVB_LICENSE_EXPIRE ··········································································································· 358
EVB_VSI_OFFLINE ················································································································· 359
EVB_VSI_ONLINE ··················································································································· 359
EVIISIS messages ······································································· 360
EVIISIS_LICENSE_EXPIRED ···································································································· 360
EVIISIS_LICENSE_EXPIRED_TIME ··························································································· 360
EVIISIS_LICENSE_UNAVAILABLE ····························································································· 360
EVIISIS_NBR_CHG ················································································································· 361
FCLINK messages ······································································· 362
FCLINK_FDISC_REJECT_NORESOURCE ·················································································· 362
FCLINK_FLOGI_REJECT_NORESOURCE ·················································································· 362
FCOE messages ·········································································· 363
FCOE_INTERFACE_NOTSUPPORT_FCOE ················································································ 363
FCOE_LAGG_BIND_ACTIVE ···································································································· 363
FCOE_LAGG_BIND_DEACTIVE ································································································ 364
FCZONE messages ······································································ 365
FCZONE_HARDZONE_DISABLED····························································································· 365
FCZONE_HARDZONE_ENABLED ····························································································· 365
FCZONE_ISOLATE_NEIGHBOR ································································································ 366

x
FCZONE_ISOLATE_ALLNEIGHBOR ·························································································· 366
FCZONE_ISOLATE_CLEAR_VSAN ···························································································· 367
FCZONE_ISOLATE_CLEAR_ALLVSAN ······················································································ 367
FCZONE_DISTRIBUTE_FAILED ································································································ 368
FIB messages ············································································· 369
FIB_FILE ································································································································ 369
FILTER messages ········································································ 370
FILTER_EXECUTION_ICMP ····································································································· 370
FILTER_EXECUTION_ICMPV6 ·································································································· 371
FILTER_IPV4_EXECUTION ······································································································ 372
FILTER_IPV6_EXECUTION ······································································································ 373
FIPS messages ··········································································· 374
FCOE_FIPS_HARD_RESOURCE_NOENOUGH ··········································································· 374
FCOE_FIPS_HARD_RESOURCE_RESTORE ·············································································· 374
FTPD messages ·········································································· 375
FTP_ACL_DENY ····················································································································· 375
FTPD_REACH_SESSION_LIMIT ································································································ 375
HA messages ·············································································· 376
HA_BATCHBACKUP_FINISHED ································································································ 376
HA_BATCHBACKUP_STARTED ································································································ 376
HA_STANDBY_NOT_READY ···································································································· 376
HA_STANDBY_TO_MASTER ···································································································· 377
HQOS messages ········································································· 378
HQOS_DP_SET_FAIL ·············································································································· 378
HQOS_FP_SET_FAIL ·············································································································· 378
HQOS_POLICY_APPLY_FAIL ··································································································· 379
HQOS_POLICY_APPLY_FAIL ··································································································· 379
HTTPD messages ········································································ 380
HTTPD_CONNECT ·················································································································· 380
HTTPD_CONNECT_TIMEOUT ·································································································· 380
HTTPD_DISCONNECT ············································································································· 381
HTTPD_FAIL_FOR_ACL ··········································································································· 381
HTTPD_FAIL_FOR_ACP ·········································································································· 381
HTTPD_REACH_CONNECT_LIMIT ···························································································· 382
IFNET messages ········································································· 383
IF_BUFFER_CONGESTION_OCCURRENCE ·············································································· 383
IF_BUFFER_CONGESTION_CLEAR ·························································································· 383
INTERFACE_NOTSUPPRESSED ······························································································ 384
INTERFACE_SUPPRESSED ····································································································· 384
LINK_UPDOWN ······················································································································ 384
PHY_UPDOWN ······················································································································· 385
PROTOCOL_UPDOWN ············································································································ 385
VLAN_MODE_CHANGE ··········································································································· 385
IKE messages ············································································· 386
IKE_P1_SA_ESTABLISH_FAIL ·································································································· 386
IKE_P2_SA_ESTABLISH_FAIL ·································································································· 386
IKE_P2_SA_TERMINATE ········································································································· 387
IPSEC messages ········································································· 388
IPSEC_FAILED_ADD_FLOW_TABLE ························································································· 388
IPSEC_PACKET_DISCARDED ·································································································· 388
IPSEC_SA_ESTABLISH ··········································································································· 389
IPSEC_SA_ESTABLISH_FAIL ··································································································· 389

xi
IPSEC_SA_INITINATION ·········································································································· 390
IPSEC_SA_TERMINATE ·········································································································· 390
IPSG messages ··········································································· 391
IPSG_ADDENTRY_ERROR ······································································································ 391
IPSG_DELENTRY_ERROR ······································································································· 392
IPSG_ADDEXCLUDEDVLAN_ERROR ························································································ 393
IPSG_DELEXCLUDEDVLAN_ERROR························································································· 394
IRDP messages ··········································································· 395
IRDP_EXCEED_ADVADDR_LIMIT ····························································································· 395
IRF···························································································· 396
IRF_LINK_BLOCK ··················································································································· 396
IRF_LINK_DOWN ···················································································································· 396
IRF_LINK_UP ························································································································· 396
IRF_MEMBERID_CONFLICT ····································································································· 397
IRF_MERGE ··························································································································· 397
IRF_MERGE_NEED_REBOOT ·································································································· 397
IRF_MERGE_NOT_NEED_REBOOT ·························································································· 398
ISIS messages ············································································ 399
ISIS_MEM_ALERT··················································································································· 399
ISIS_NBR_CHG ······················································································································ 399
ISSU messages ··········································································· 400
ISSU_ROLLBACKCHECKNORMAL ···························································································· 400
ISSU_PROCESSWITCHOVER ·································································································· 400
L2PT messages ··········································································· 401
L2PT_SET_MULTIMAC_FAILED ································································································ 401
L2PT_CREATE_TUNNELGROUP_FAILED ·················································································· 401
L2PT_ADD_GROUPMEMBER_FAILED ······················································································· 401
L2PT_ENABLE_DROP_FAILED ································································································· 402
L2TP messages ··········································································· 403
L2TPV2_TUNNEL_EXCEED_LIMIT ···························································································· 403
L2TPV2_SESSION_EXCEED_LIMIT ··························································································· 403
L2VPN messages ········································································ 404
L2VPN_BGPVC_CONFLICT_LOCAL ·························································································· 404
L2VPN_BGPVC_CONFLICT_REMOTE ······················································································· 404
L2VPN_HARD_RESOURCE_NOENOUGH ·················································································· 405
L2VPN_HARD_RESOURCE_RESTORE ····················································································· 405
L2VPN_LABEL_DUPLICATE ····································································································· 405
VXLAN_LICENSE_UNAVAILABLE ····························································································· 406
LAGG messages ·········································································· 407
LAGG_ACTIVE ······················································································································· 407
LAGG_INACTIVE_AICFG ········································································································· 407
LAGG_INACTIVE_BFD ············································································································· 408
LAGG_INACTIVE_CONFIGURATION ························································································· 408
LAGG_INACTIVE_DUPLEX······································································································· 409
LAGG_INACTIVE_HARDWAREVALUE ······················································································· 409
LAGG_INACTIVE_LOWER_LIMIT ······························································································ 409
LAGG_INACTIVE_PARTNER ···································································································· 410
LAGG_INACTIVE_PHYSTATE ··································································································· 410
LAGG_INACTIVE_RESOURCE_INSUFICIE ················································································· 410
LAGG_INACTIVE_SPEED ········································································································ 411
LAGG_INACTIVE_UPPER_LIMIT ······························································································· 411

xii
LB messages ·············································································· 412
LB_SLB_LICENSE_INSTALLED ································································································ 412
LB_SLB_LICENSE_UNINSTALLED ···························································································· 412
LDP messages ············································································ 413
LDP_MPLSLSRID_CHG ··········································································································· 413
LDP_SESSION_CHG ··············································································································· 414
LDP_SESSION_GR ················································································································· 415
LDP_SESSION_SP ·················································································································· 415
LLDP messages ·········································································· 416
LLDP_CREATE_NEIGHBOR ····································································································· 416
LLDP_DELETE_NEIGHBOR······································································································ 417
LLDP_LESS_THAN_NEIGHBOR_LIMIT ······················································································ 417
LLDP_NEIGHBOR_AGE_OUT ··································································································· 418
LLDP_PVID_INCONSISTENT ···································································································· 418
LLDP_REACH_NEIGHBOR_LIMIT ····························································································· 419
LOAD messages ·········································································· 420
BOARD_LOADING ·················································································································· 420
LOAD_FAILED ························································································································ 420
LOAD_FINISHED ···················································································································· 421
LOGIN messages ········································································· 422
LOGIN_FAILED ······················································································································· 422
LOGIN_ INVALID_USERNAME_PWD ························································································· 422
LPDT messages ·········································································· 423
LPDT_LOOPED ······················································································································ 423
LPDT_RECOVERED ················································································································ 423
LPDT_VLAN_LOOPED ············································································································· 423
LPDT_VLAN_RECOVERED ······································································································ 424
LS messages ·············································································· 425
LS_ADD_USER_TO_GROUP ···································································································· 425
LS_AUTHEN_FAILURE ············································································································ 425
LS_AUTHEN_SUCCESS ·········································································································· 426
LS_DEL_USER_FROM_GROUP ································································································ 426
LS_DELETE_PASSWORD_FAIL ································································································ 426
LS_PWD_ADDBLACKLIST········································································································ 427
LS_PWD_CHGPWD_FOR_AGEDOUT ························································································ 427
LS_PWD_CHGPWD_FOR_AGEOUT ·························································································· 427
LS_PWD_CHGPWD_FOR_COMPOSITION ················································································· 428
LS_PWD_CHGPWD_FOR_FIRSTLOGIN ···················································································· 428
LS_PWD_CHGPWD_FOR_LENGTH ·························································································· 428
LS_PWD_FAILED2WRITEPASS2FILE ························································································ 429
LS_PWD_MODIFY_FAIL ·········································································································· 429
LS_PWD_MODIFY_SUCCESS ·································································································· 429
LS_REAUTHEN_FAILURE ········································································································ 430
LS_UPDATE_PASSWORD_FAIL ······························································································· 430
LS_USER_CANCEL ················································································································· 430
LS_USER_PASSWORD_EXPIRE ······························································································ 431
LS_USER_ROLE_CHANGE ······································································································ 431
LSPV messages ·········································································· 432
LSPV_PING_STATIS_INFO ······································································································ 432
MAC messages ··········································································· 433
MAC_DRIVER_ADD_ENTRY····································································································· 433
MAC_TABLE_FULL_GLOBAL···································································································· 433
MAC_TABLE_FULL_PORT ······································································································· 434

xiii
MAC_TABLE_FULL_VLAN ········································································································ 434
MACA messages ········································································· 435
MACA_ENABLE_NOT_EFFECTIVE···························································································· 435
MACA_LOGIN_FAILURE ·········································································································· 435
MACA_LOGIN_SUCC ·············································································································· 436
MACA_LOGOFF ······················································································································ 436
MACSEC messages ····································································· 437
MACSEC_MKA_KEEPALIVE_TIMEOUT ····················································································· 437
MACSEC_MKA_PRINCIPAL_ACTOR ························································································· 437
MACSEC_MKA_SAK_REFRESH ······························································································· 437
MACSEC_MKA_SESSION_REAUTH ·························································································· 438
MACSEC_MKA_SESSION_SECURED························································································ 438
MACSEC_MKA_SESSION_START ···························································································· 439
MACSEC_MKA_SESSION_STOP ······························································································ 439
MACSEC_MKA_SESSION_UNSECURED ··················································································· 440
MBFD messages ········································································· 441
MBFD_TRACEROUTE_FAILURE ······························································································· 441
MDC messages ··········································································· 442
MDC_CREATE_ERR················································································································ 442
MDC_CREATE ························································································································ 442
MDC_DELETE ························································································································ 443
MDC_KERNEL_EVENT_TOOLONG ··························································································· 443
MDC_LICENSE_EXPIRE ·········································································································· 443
MDC_NO_FORMAL_LICENSE ·································································································· 444
MDC_NO_LICENSE_EXIT ········································································································ 444
MDC_OFFLINE ······················································································································· 444
MDC_ONLINE ························································································································· 445
MDC_STATE_CHANGE ··········································································································· 445
MFIB messages ··········································································· 446
MFIB_MEM_ALERT ················································································································· 446
MGROUP messages ···································································· 447
MGROUP_APPLY_SAMPLER_FAIL ··························································································· 447
MGROUP_RESTORE_CPUCFG_FAIL ························································································ 447
MGROUP_RESTORE_IFCFG_FAIL ···························································································· 448
MGROUP_SYNC_CFG_FAIL····································································································· 448
MPLS messages ·········································································· 449
MPLS_HARD_RESOURCE_NOENOUGH ··················································································· 449
MPLS_HARD_RESOURCE_RESTORE ······················································································· 449
MTLK messages ·········································································· 450
MTLK_UPLINK_STATUS_CHANGE ··························································································· 450
NAT messages ············································································ 451
NAT_ADDR_BIND_CONFLICT ·································································································· 451
NAT_FAILED_ADD_FLOW_TABLE ···························································································· 451
NAT_FLOW ···························································································································· 452
NAT_SERVICE_CARD_RECOVER_FAILURE ·············································································· 453
NAT_SERVER_INVALID ··········································································································· 453
NAT_FAILED_ADD_FLOW_RULE ······························································································ 454
ND messages·············································································· 455
ND_CONFLICT ······················································································································· 455
ND_DUPADDR ······················································································································· 455
ND_HOST_IP_CONFLICT ········································································································· 456
ND_MAC_CHECK ··················································································································· 456

xiv
ND_SET_PORT_TRUST_NORESOURCE ··················································································· 456
ND_SET_VLAN_REDIRECT_NORESOURCE ·············································································· 457
ND_RAGUARD_DROP ············································································································· 457
NQA messages ··········································································· 458
NQA_LOG_UNREACHABLE ····································································································· 458
NTP messages ············································································ 459
NTP_CLOCK_CHANGE ············································································································ 459
NTP_LEAP_CHANGE ·············································································································· 459
NTP_SOURCE_CHANGE ········································································································· 460
NTP_SOURCE_LOST ·············································································································· 460
NTP_STRATUM_CHANGE ······································································································· 460
OBJP messages ·········································································· 461
OBJP_ACCELERATE_NO_RES ································································································ 461
OBJP_ACCELERATE_NOT_SUPPORT ······················································································ 461
OBJP_ACCELERATE_UNK_ERR ······························································································ 462
OFP messages ············································································ 463
OFP_ACTIVE ·························································································································· 463
OFP_ACTIVE_FAILED ············································································································· 463
OFP_CONNECT ······················································································································ 463
OFP_FAIL_OPEN ···················································································································· 464
OFP_FLOW_ADD ···················································································································· 464
OFP_FLOW_ADD_DUP ············································································································ 465
OFP_FLOW_ADD_FAILED ······································································································· 465
OFP_FLOW_ADD_TABLE_MISS ······························································································· 466
OFP_FLOW_ADD_TABLE_MISS_FAILED ··················································································· 466
OFP_FLOW_DEL ···················································································································· 467
OFP_FLOW_DEL_TABLE_MISS ································································································ 467
OFP_FLOW_DEL_TABLE_MISS_FAILED ··················································································· 468
OFP_FLOW_MOD ··················································································································· 468
OFP_FLOW_MOD_FAILED ······································································································· 468
OFP_FLOW_MOD_TABLE_MISS ······························································································· 469
OFP_FLOW_MOD_TABLE_MISS_FAILED ·················································································· 469
OFP_FLOW_RMV_GROUP ······································································································· 469
OFP_FLOW_RMV_HARDTIME ·································································································· 470
OFP_FLOW_RMV_IDLETIME ···································································································· 470
OFP_FLOW_RMV_METER ······································································································· 470
OFP_GROUP_ADD ················································································································· 471
OFP_GROUP_ADD_FAILED ····································································································· 471
OFP_GROUP_DEL ·················································································································· 471
OFP_GROUP_MOD ················································································································· 472
OFP_GROUP_MOD_FAILED ···································································································· 472
OFP_METER_ADD ·················································································································· 472
OFP_METER_ADD_FAILED······································································································ 473
OFP_METER_DEL ·················································································································· 473
OFP_METER_MOD ················································································································· 473
OFP_METER_MOD_FAILED ····································································································· 474
OFP_MISS_RMV_GROUP ········································································································ 474
OFP_MISS_RMV_HARDTIME ··································································································· 474
OFP_MISS_RMV_IDLETIME ····································································································· 475
OFP_MISS_RMV_METER ········································································································ 475
OPENSRC (FreeRADIUS) messages ··············································· 476
HUP event ······························································································································ 476
Process restart event ················································································································ 477
Process start event··················································································································· 477
User authentication ·················································································································· 478

xv
OPTMOD messages ····································································· 481
BIAS_HIGH ···························································································································· 481
BIAS_LOW ····························································································································· 481
BIAS_NORMAL ······················································································································· 482
CFG_ERR ······························································································································ 482
CHKSUM_ERR ······················································································································· 482
FIBER_SFP MODULE_INVALID ································································································· 483
FIBER_SFPMODULE_NOWINVALID ·························································································· 483
IO_ERR ································································································································· 484
MOD_ALM_OFF ······················································································································ 484
MOD_ALM_ON ······················································································································· 484
MODULE_IN ··························································································································· 485
MODULE_OUT ······················································································································· 485
PHONY_MODULE ··················································································································· 485
RX_ALM_OFF ························································································································· 486
RX_ALM_ON ·························································································································· 486
RX_POW_HIGH ······················································································································ 486
RX_POW_LOW ······················································································································· 487
RX_POW_NORMAL ················································································································· 487
TEMP_HIGH ··························································································································· 487
TEMP_LOW ···························································································································· 488
TEMP_NORMAL ····················································································································· 488
TX_ALM_OFF ························································································································· 488
TX_ALM_ON··························································································································· 489
TX_POW_HIGH ······················································································································ 489
TX_POW_LOW ······················································································································· 489
TX_POW_NORMAL ················································································································· 490
TYPE_ERR····························································································································· 490
VOLT_HIGH ··························································································································· 490
VOLT_LOW ···························································································································· 491
VOLT_NORMAL ······················································································································ 491
OSPF messages ·········································································· 492
OSPF_IP_CONFLICT_INTRA ···································································································· 492
OSPF_RTRID_CONFLICT_INTRA ······························································································ 492
OSPF_RTRID_CONFLICT_INTER ······························································································ 493
OSPF_DUP_RTRID_NBR ········································································································· 493
OSPF_LAST_NBR_DOWN········································································································ 494
OSPF_MEM_ALERT ················································································································ 494
OSPF_NBR_CHG ···················································································································· 495
OSPF_RT_LMT ······················································································································· 495
OSPF_RTRID_CHG ················································································································· 495
OSPF_VLINKID_CHG ·············································································································· 496
OSPFV3 messages ······································································ 497
OSPFV3_LAST_NBR_DOWN ···································································································· 497
OSPFV3_MEM_ALERT ············································································································ 497
OSPFV3_NBR_CHG ················································································································ 498
OSPFV3_RT_LMT ··················································································································· 498
Packet capture messages ······························································ 499
PKTCPT_AP_OFFLINE ············································································································ 499
PKTCPT_AREADY_EXIT ·········································································································· 499
PKTCPT_CONN_FAIL ·············································································································· 500
PKTCPT_INVALID_FILTER ······································································································· 500
PKTCPT_LOGIN_DENIED ········································································································ 500
PKTCPT_MEMORY_ALERT ······································································································ 501
PKTCPT_OPEN_FAIL ·············································································································· 501
PKTCPT_OPERATION_TIMEOUT ······························································································ 501
PKTCPT_SERVICE_FAIL ········································································································· 502
PKTCPT_UNKNOWN_ERROR ·································································································· 502

xvi
PKTCPT_UPLOAD_ERROR ······································································································ 502
PKTCPT_WRITE_FAIL ············································································································· 503
PBB messages ············································································ 504
PBB_JOINAGG_WARNING ······································································································· 504
PBR messages ············································································ 505
PBR_HARDWARE_ERROR ······································································································ 505
PCE messages ············································································ 506
PCE_PCEP_SESSION_CHG ····································································································· 506
PEX messages (IRF 3) ·································································· 507
PEX_ASSOCIATEID_MISMATCHING ························································································· 507
PEX_CONFIG_ERROR ············································································································ 508
PEX_CONNECTION_ERROR ···································································································· 508
PEX_FORBID_STACK ············································································································· 509
PEX_LINK_BLOCK ·················································································································· 509
PEX_LINK_DOWN ··················································································································· 510
PEX_LINK_FORWARD ············································································································· 510
PEX_REG_JOININ··················································································································· 511
PEX_REG_LEAVE ··················································································································· 511
PEX_REG_REQUEST ·············································································································· 512
PEX_STACKCONNECTION_ERROR·························································································· 512
PEX messages (IRF 3.1) ······························································· 513
PEX_LLDP_DISCOVER ············································································································ 513
PEX_MEMBERID_EXCEED ······································································································ 513
PEX_PECSP_OPEN_RCVD ······································································································ 514
PEX_PECSP_OPEN_SEND ······································································································ 514
PEX_PECSP_TIMEOUT ··········································································································· 514
PIM messages············································································· 515
PIM_MEM_ALERT ··················································································································· 515
PIM_NBR_DOWN ···················································································································· 515
PIM_NBR_UP ························································································································· 516
PING messages ··········································································· 517
PING_STATISTICS ·················································································································· 517
PING_VPN_STATISTICS ·········································································································· 518
PKI messages ············································································· 519
REQUEST_CERT_FAIL ············································································································ 519
REQUEST_CERT_SUCCESS···································································································· 519
PKT2CPU messages ···································································· 520
PKT2CPU_NO_RESOURCE ····································································································· 520
PORTSEC messages ··································································· 521
PORTSEC_CREATEAC_FAILURE ····························································································· 521
PORTSEC_PORTMODE_NOT_EFFECTIVE ················································································ 521
PORTSEC_NTK_NOT_EFFECTIVE···························································································· 522
PORTSEC_LEARNED_MACADDR ····························································································· 522
PORTSEC_VIOLATION ············································································································ 523
PORTSEC_ACL_FAILURE ········································································································ 523
PORTSEC_PROFILE_FAILURE ································································································· 524
PPP messages ············································································ 525
IPPOOL_ADDRESS_EXHAUSTED····························································································· 525
PPP_USER_LOGON_SUCCESS ······························································································· 525
PPP_USER_LOGON_FAILED ··································································································· 526
PPP_USER_LOGOFF ·············································································································· 526

xvii
PWDCTL messages ····································································· 528
ADDBLACKLIST ······················································································································ 528
CHANGEPASSWORD ·············································································································· 528
FAILEDTOWRITEPWD ············································································································· 529
QOS messages ··········································································· 530
QOS_CAR_APPLYUSER_FAIL ·································································································· 530
QOS_CBWFQ_REMOVED ········································································································ 530
QOS_GTS_APPLYUSER_FAIL ·································································································· 531
QOS_NOT_ENOUGH_BANDWIDTH··························································································· 531
QOS_POLICY_APPLYCOPP_CBFAIL························································································· 532
QOS_POLICY_APPLYCOPP_FAIL ····························································································· 532
QOS_POLICY_APPLYGLOBAL_CBFAIL ····················································································· 533
QOS_POLICY_APPLYGLOBAL_FAIL ························································································· 533
QOS_POLICY_APPLYIF_CBFAIL ······························································································ 534
QOS_POLICY_APPLYIF_FAIL ··································································································· 534
QOS_POLICY_APPLYUSER_FAIL ····························································································· 535
QOS_POLICY_APPLYVLAN_CBFAIL ························································································· 535
QOS_POLICY_APPLYVLAN_FAIL ····························································································· 536
QOS_QMPROFILE_APPLYUSER_FAIL ······················································································ 536
QOS_QMPROFILE_MODIFYQUEUE_FAIL ·················································································· 537
RADIUS messages ······································································· 538
RADIUS_AUTH_FAILURE ········································································································· 538
RADIUS_AUTH_SUCCESS ······································································································· 538
RADIUS_DELETE_HOST_FAIL ································································································· 538
RDDC messages ········································································· 539
RDDC_ACTIVENODE_CHANGE ································································································ 539
RIP messages ············································································· 540
RIP_MEM_ALERT ··················································································································· 540
RIP_RT_LMT ·························································································································· 540
RIPNG messages ········································································ 541
RIPNG_MEM_ALERT ··············································································································· 541
RIPNG_RT_LMT ····················································································································· 541
RM messages ············································································· 542
RM_ACRT_REACH_LIMIT ········································································································ 542
RM_ACRT_REACH_THRESVALUE···························································································· 542
RM_THRESHLD_VALUE_REACH ······························································································ 543
RPR messages············································································ 544
RPR_EXCEED_MAX_SEC_MAC ······························································································· 544
RPR_EXCEED_MAX_SEC_MAC_OVER ····················································································· 544
RPR_EXCEED_MAX_STATION ································································································· 545
RPR_EXCEED_MAX_STATION_OVER ······················································································ 545
RPR_EXCEED_RESERVED_RATE ···························································································· 545
RPR_EXCEED_RESERVED_RATE_OVER ················································································· 546
RPR_IP_DUPLICATE ··············································································································· 546
RPR_IP_DUPLICATE_OVER····································································································· 546
RPR_JUMBO_INCONSISTENT ································································································· 547
RPR_JUMBO_INCONSISTENT_OVER ······················································································· 547
RPR_MISCABLING ·················································································································· 547
RPR_MISCABLING_OVER ······································································································· 548
RPR_PROTECTION_INCONSISTENT ························································································ 548
RPR_PROTECTION_INCONSISTENT_OVER ·············································································· 548
RPR_SEC_MAC_DUPLICATE ··································································································· 549
RPR_SEC_MAC_DUPLICATE_OVER ························································································· 549
RPR_TOPOLOGY_INCONSISTENT ··························································································· 549

xviii
RPR_TOPOLOGY_INCONSISTENT_OVER ················································································· 550
RPR_TOPOLOGY_INSTABILITY ······························································································· 550
RPR_TOPOLOGY_INSTABILITY_OVER ····················································································· 550
RPR_TOPOLOGY_INVALID ······································································································ 551
RPR_TOPOLOGY_INVALID_OVER···························································································· 551
RRPP messages ·········································································· 552
RRPP_RING_FAIL ··················································································································· 552
RRPP_RING_RESTORE ·········································································································· 552
RTM messages ··········································································· 553
RTM_TCL_NOT_EXIST ············································································································ 553
RTM_TCL_MODIFY ················································································································· 553
RTM_TCL_LOAD_FAILED ········································································································ 553
SCM messages ··········································································· 554
PROCESS_ABNORMAL ··········································································································· 554
PROCESS_ACTIVEFAILED ······································································································ 554
SCM_ABNORMAL_REBOOT (Distributed devices–Centralized IRF devices–In standalone mode/Distributed
devices–In IRF mode) ··············································································································· 555
SCM_ABNORMAL_REBOOT····································································································· 556
SCM_ABNORMAL_REBOOTMDC ······························································································ 556
SCM_ABORT_RESTORE ········································································································· 557
SCM_INSMOD_ADDON_TOOLONG ·························································································· 557
SCM_KERNEL_INIT_TOOLONG ································································································ 557
SCM_PROCESS_STARTING_TOOLONG ··················································································· 558
SCM_PROCESS_STILL_STARTING ·························································································· 558
SCM_SKIP_PROCESS ············································································································· 559
SCM_SKIP_PROCESS ············································································································· 559
SCRLSP messages ······································································ 560
SCRLSP_LABEL_DUPLICATE ·································································································· 560
SESSION messages ····································································· 561
SESSION_IPV4_FLOW ············································································································ 562
SESSION_IPV6_FLOW ············································································································ 563
SFLOW messages ······································································· 564
SFLOW_HARDWARE_ERROR ·································································································· 564
SHELL messages ········································································ 565
SHELL_CMD ·························································································································· 565
SHELL_CMD_CONFIRM ·········································································································· 565
SHELL_CMD_EXECUTEFAIL ···································································································· 566
SHELL_CMD_INPUT················································································································ 566
SHELL_CMD_INPUT_TIMEOUT ································································································ 566
SHELL_CMD_MATCHFAIL ······································································································· 567
SHELL_CMDDENY ·················································································································· 567
SHELL_CMDFAIL ···················································································································· 567
SHELL_CRITICAL_CMDFAIL ···································································································· 568
SHELL_LOGIN ························································································································ 568
SHELL_LOGOUT ···················································································································· 568
SLSP messages ·········································································· 569
SLSP_LABEL_DUPLICATE ······································································································· 569
SMLK messages ·········································································· 570
SMLK_LINK_SWITCH ·············································································································· 570
SNMP messages ········································································· 571
SNMP_ACL_RESTRICTION ······································································································ 571
SNMP_AUTHENTICATION_FAILURE ························································································· 571

xix
SNMP_GET ···························································································································· 572
SNMP_NOTIFY ······················································································································· 572
SNMP_SET ···························································································································· 573
SNMP_USM_NOTINTIMEWINDOW ···························································································· 573
SSHS messages ·········································································· 574
SSHS_ACL_DENY··················································································································· 574
SSHS_ALGORITHM_MISMATCH ······························································································· 574
SSHS_AUTH_EXCEED_RETRY_TIMES ····················································································· 575
SSHS_AUTH_FAIL ·················································································································· 575
SSHS_AUTH_TIMEOUT ··········································································································· 575
SSHS_CONNECT ···················································································································· 576
SSHS_DECRYPT_FAIL ············································································································ 576
SSHS_DISCONNECT··············································································································· 576
SSHS_ENCRYPT_FAIL ············································································································ 577
SSHS_LOG ···························································································································· 577
SSHS_MAC_ERROR ··············································································································· 577
SSHS_REACH_SESSION_LIMIT ······························································································· 578
SSHS_REACH_USER_LIMIT ···································································································· 578
SSHS_SCP_OPER ·················································································································· 578
SSHS_SFTP_OPER················································································································· 579
SSHS_VERSION_MISMATCH ··································································································· 579
STAMGR messages ····································································· 580
STAMGR_ADD_FAILVLAN ······································································································· 580
STAMGR_ADDBAC_INFO ········································································································ 580
STAMGR_ADDSTA_INFO ········································································································· 580
STAMGR_AUTHORACL_FAILURE ····························································································· 581
STAMGR_AUTHORUSERPROFILE_FAILURE ············································································· 581
STAMGR_CLIENT_OFFLINE····································································································· 582
STAMGR_CLIENT_ONLINE ······································································································ 582
STAMGR_DELBAC_INFO ········································································································· 582
STAMGR_DELSTA_INFO ········································································································· 583
STAMGR_DOT1X_LOGIN_FAILURE ·························································································· 583
STAMGR_DOT1X_LOGIN_SUCC ······························································································ 584
STAMGR_DOT1X_LOGOFF······································································································ 584
STAMGR_MACA_LOGIN_FAILURE ··························································································· 585
STAMGR_MACA_LOGIN_SUCC ································································································ 586
STAMGR_MACA_LOGOFF ······································································································· 586
STAMGR_STAIPCHANGE_INFO ······························································································· 587
STAMGR_TRIGGER_IP ··········································································································· 587
STM messages ············································································ 588
STM_AUTO_UPDATE_FAILED ·································································································· 588
STM_AUTO_UPDATE_FAILED ·································································································· 589
STM_AUTO_UPDATE_FINISHED ······························································································ 589
STM_AUTO_UPDATE_FINISHED ······························································································ 590
STM_AUTO_UPDATING ··········································································································· 590
STM_AUTO_UPDATING ··········································································································· 590
STM_LINK_DOWN ·················································································································· 591
STM_LINK_MERGE ················································································································· 591
STM_LINK_TIMEOUT ·············································································································· 591
STM_LINK_UP ························································································································ 592
STM_MERGE_NEED_REBOOT ································································································· 592
STM_MERGE_NOT_NEED_REBOOT························································································· 592
STM_SAMEMAC ····················································································································· 593
STM_SOMER_CHECK ············································································································· 593
STP messages ············································································ 594
STP_BPDU_PROTECTION ······································································································· 594
STP_BPDU_RECEIVE_EXPIRY ································································································· 594
STP_CONSISTENCY_RESTORATION ······················································································· 594

xx
STP_DETECTED_TC ··············································································································· 595
STP_DISABLE ························································································································ 595
STP_DISCARDING ·················································································································· 595
STP_DISPUTE ························································································································ 596
STP_ENABLE ························································································································· 596
STP_FORWARDING ················································································································ 596
STP_LOOP_PROTECTION ······································································································· 597
STP_LOOPBACK_PROTECTION ······························································································· 597
STP_NOT_ROOT ···················································································································· 597
STP_NOTIFIED_TC ················································································································· 598
STP_PORT_TYPE_INCONSISTENCY ························································································ 598
STP_PVID_INCONSISTENCY ··································································································· 598
STP_PVST_BPDU_PROTECTION ····························································································· 599
STP_ROOT_PROTECTION······································································································· 599
SYSLOG messages ······································································ 601
SYSLOG_RTM_EVENT_BUFFER_FULL ····················································································· 601
SYSLOG_LOGFILE_FULL ········································································································ 601
SYSLOG_RESTART ················································································································ 602
TACACS messages ······································································ 603
TACACS_AUTH_FAILURE ········································································································ 603
TACACS_AUTH_SUCCESS ······································································································ 603
TACACS_DELETE_HOST_FAIL ································································································ 603
TELNETD messages ···································································· 604
TELNETD_ACL_DENY ············································································································· 604
TELNETD_REACH_SESSION_LIMIT ·························································································· 604
TRILL messages ·········································································· 605
TRILL_DUP_SYSTEMID ··········································································································· 605
TRILL_INTF_CAPABILITY ········································································································· 605
TRILL_LICENSE_EXPIRED······································································································· 606
TRILL_LICENSE_EXPIRED_TIME ······························································································ 606
TRILL_LICENSE_UNAVAILABLE ······························································································· 606
TRILL_MEM_ALERT ················································································································ 607
TRILL_NBR_CHG ···················································································································· 607
VCF messages ············································································ 608
VCF_AGGR_CREAT ················································································································ 608
VCF_AGGR_DELETE ·············································································································· 608
VCF_AGGR_FAILED················································································································ 609
VCF_AUTO_ANALYZE_USERDEF····························································································· 609
VCF_AUTO_NO_USERDEF ······································································································ 609
VCF_AUTO_START ················································································································· 610
VCF_AUTO_STATIC_CMD ······································································································· 610
VCF_BGP ······························································································································ 610
VCF_DOWN_LINK ··················································································································· 611
VCF_GET_IMAGE ··················································································································· 611
VCF_GET_TEMPLATE ············································································································· 612
VCF_INSTALL_IMAGE ············································································································· 612
VCF_IRF_FINISH ···················································································································· 612
VCF_IRF_FOUND ··················································································································· 613
VCF_IRF_REBOOT ················································································································· 613
VCF_IRF_START ···················································································································· 614
VCF_LOOPBACK_START ········································································································ 614
VCF_LOOPBACK_START_FAILED ···························································································· 615
VCF_LOOPBACK_ALLOC ········································································································ 615
VCF_LOOPBACK_NO_FREE_IP ······························································································· 616
VCF_LOOPBACK_RECLAIM ····································································································· 616
VCF_REBOOT ························································································································ 616
VCF_SKIP_INSTALL ················································································································ 617

xxi
VCF_STATIC_CMD_ERROR ····································································································· 617
VCF_UP_LINK ························································································································ 617
VLAN messages ·········································································· 619
VLAN_FAILED ························································································································ 619
VLAN_VLANMAPPING_FAILED ································································································· 619
VLAN_VLANTRANSPARENT_FAILED ························································································ 620
VRRP messages ·········································································· 621
VRRP_STATUS_CHANGE ········································································································ 621
VRRP_VF_STATUS_CHANGE ·································································································· 622
VRRP_VMAC_INEFFECTIVE ···································································································· 622
VSRP messages ·········································································· 623
VSRP_BIND_FAILED ··············································································································· 623
WIPS messages ·········································································· 624
WIPS_APFLOOD ····················································································································· 624
WIPS_AP_CHANNEL_CHANGE ································································································ 624
WIPS_ASSOCIATEOVERFLOW ································································································ 624
WIPS_DOS····························································································································· 625
WIPS_FLOOD ························································································································· 625
WIPS_HONEYPOT ·················································································································· 626
WIPS_HTGREENMODE ··········································································································· 626
WIPS_MALF ··························································································································· 627
WIPS_MAN_IN_MIDDLE ·········································································································· 627
WIPS_SPOOF ························································································································ 628
WIPS_WEAKIV ······················································································································· 628
WIPS_WIRELESSBRIDGE ········································································································ 629

xxii
Introduction
This document includes the following system messages:
• Messages specific to the HPE FlexFabric 5950 switches.
• Messages for the Comware 7 software platform version based on which the switch software
was produced. Some platform system messages might not be available on the device.
This document is intended only for managing HPE FlexFabric 5950 switches. Do not use this
document for any other device models.
This document assumes that the readers are familiar with data communications technologies and
HPE networking products.

System log message format


By default, the system log messages use one of the following formats depending on the output
destination:
• Log host:
<PRI>TIMESTAMP Sysname %%vendorMODULE/severity/MNEMONIC: location; CONTENT
• Destinations except for the log host:
Prefix TIMESTAMP Sysname MODULE/severity/MNEMONIC: CONTENT

Table 1 System log message elements

Element Description
Priority identifier. It is calculated by using the following formula:
Priority identifier=facilityx8+severity
Where:
<PRI> • Facility is specified by using the info-center loghost command. A log
host uses this parameter to identify log sources and filter log messages.
• Severity represents the importance of the message. For more
information about severity levels, see Table 2.
Message type identifier. This element is contained in the system log
messages sent to non-log host destinations.
Prefix The element uses the following symbols to indicate message severity:
• Percentage sign (%)—Informational and higher levels.
• Asterisk (*)—Debug level.

Date and time when the event occurred.


The following are commands for configuring the timestamp format:
TIMESTAMP • Log host—Use the info-center timestamp loghost command.
• Non-log host destinations—Use the info-center timestamp
command.
Sysname Name or IP address of the device that generated the message.
Manufacturer flag. This element is %%10 for HPE.
%%vendor
This element is only available in messages sent to the log host.
MODULE Name of the module that produced the message.
Severity level of the message. (For more information about severity levels,
severity
see Table 2.)

1
Element Description
Text string that uniquely identifies the system message. The maximum
MNEMONIC
length is 32 characters.
Optional. This element presents location information for the message in the
following format:
location -attribute1=x-attribute2=y…-attributeN=z
This element is separated from the message description by using a
semicolon (;).
Text string that contains detailed information about the event or error.
CONTENT For variable fields in this element, this document uses the representations in
Table 3.

System log messages are classified into eight severity levels from 0 to 7. The lower the number, the
higher the severity, as shown in Table 2.
Table 2 System log message severity levels

Level Severity Description


The system is unusable. For example, the system authorization has
0 Emergency
expired.
Action must be taken immediately. For example, traffic on an interface
1 Alert
exceeds the upper limit.
Critical condition. For example, the device temperature exceeds the upper
2 Critical
limit, the power module fails, or the fan tray fails.
Error condition. For example, the link state changes or a storage card is
3 Error
unplugged.
Warning condition. For example, an interface is disconnected, or the
4 Warning
memory resources are used up.
Normal but significant condition. For example, a terminal logs in to the
5 Notification
device, or the device reboots.
Informational message. For example, a command or a ping operation is
6 Informational
executed.
7 Debug Debugging message.

For variable fields in the message text, this document uses the representations in Table 3. The
values are case insensitive, even though the representations are uppercase letters.
Table 3 Variable field representations

Representation Information type


INT16 Signed 16-bit decimal number.

UINT16 Unsigned 16-bit decimal number.

INT32 Signed 32-bit decimal number.

UINT32 Unsigned 32-bit decimal number.

INT64 Signed 64-bit decimal number.

UINT64 Unsigned 64-bit decimal number.

2
Two dot-separated signed 32-bit decimal numbers. The format is
DOUBLE
[INTEGER].[INTEGER].

HEX Hexadecimal number.

CHAR Single character.

STRING Character string.

IPADDR IP address.

MAC MAC address.

DATE Date.

TIME Time.

Managing and obtaining system log messages


You can manage system log messages by using the information center.
By default, the information center is enabled. Log messages can be output to the console, log buffer,
monitor terminal, log host, and log file.
To filter log messages, use the info-center source command to specify log output rules. A log output
rule specifies the source modules and the lowest severity level of log messages that can be output to
a destination. A log message is output if its severity level is higher than or equal to the specified level.
For example, if you specify a severity level of 6 (informational), log messages that have a severity
level from 0 to 6 are output.
For more information about using the information center, see the network management and
monitoring configuration guide for the product.

Obtaining log messages from the console terminal


Access the device through the console port. Real-time log messages are displayed on the console
terminal.

Obtaining log messages from the log buffer


Use the display logbuffer command to display history log messages in the log buffer.

Obtaining log messages from a monitor terminal


Monitor terminals refer to terminals that access the device through the AUX, VTY, or TTY lines (for
example, Telnet). To obtain log messages from a monitor terminal, use the following guidelines:
• To display log messages on the monitor terminal, you must configure the terminal monitor
command.
• For monitor terminals, the lowest level of log messages that can be displayed is determined by
both the terminal logging level and info-center source commands.

Obtaining log messages from the log file


By default, the log file feature automatically saves logs from the log file buffer to the log file every 24
hours. You can use the info-center logfile frequency command to change the automatic saving
internal.

3
To manually save logs to the log file, use the logfile save command. The log file buffer is cleared
each time a save operation is performed.
By default, you can obtain the log file from the flash:/logfile/ path.

Obtaining log messages from a log host


Use the info-center loghost command to specify the service port number and IP address of a log
host. To specify multiple log hosts, repeat the command.
For a successful log message transmission, make sure the specified port number is the same as the
port number used on the log host. The default service port number is 514.

Software module list


Table 4 lists all software modules that might produce system log messages. This document uses
"OPENSRC" to represent all open source modules.
Table 4 Software module list

Module name representation Module name expansion


AAA Authentication, Authorization and Accounting
ACL Access Control List
ANCP Access Node Control Protocol
APMGR Access Point Management
ARP Address Resolution Protocol
ATK Attack Detection and Prevention
ATM Asynchronous Transfer Mode
BFD Bidirectional Forwarding Detection
BGP Border Gateway Protocol
BLS Blacklist
CFD Connectivity Fault Detection
CFGMAN Configuration Management
CONNLMT Connection Limit
DEV Device Management
DHCP Dynamic Host Configuration Protocol
DHCPR IPv4 DHCP Relay
DHCPS DHCP Server
DHCPS6 DHCPv6 Server
DHCPSP4 DHCP Snooping
DHCPSP6 DHCPv6 Snooping
DIAG Diagnosis
DLDP Device Link Detection Protocol
DOT1X 802.1X
EDEV Extended-Device Management

4
Module name representation Module name expansion
ERPS Ethernet Ring Protection Switching
ETHOAM Ethernet Operation, Administration and Maintenance
EVB Edge Virtual Bridging
Ethernet Virtual Interconnect Intermediate
EVIISIS
System-to-Intermediate System
FCOE Fibre Channel Over Ethernet
FCLINK Fibre Channel Link
FCZONE Fibre Channel Zone
FIB Forwarding Information Base
FILTER Filter

FIPS FIP Snooping

FTPD File Transfer Protocol Daemon


HA High Availability
HQOS Hierarchical QoS
HTTPD Hypertext Transfer Protocol Daemon
IFNET Interface Net Management
IKE Internet Key Exchange

IPSEC IP Security

IPSG IP Source Guard


IRDP ICMP Router Discovery Protocol
ISIS Intermediate System-to-Intermediate System
ISSU In-Service Software Upgrade
L2TP Layer 2 Tunneling Protocol
L2VPN Layer 2 VPN
LAGG Link Aggregation
LDP Label Distribution Protocol
LLDP Link Layer Discovery Protocol
LOAD Load Management
LOGIN Login
LPDT Loopback Detection
LS Local Server
LSPV LSP Verification
MAC Media Access Control
MACA MAC Authentication
MACSEC MAC Security
MBFD MPLS BFD
MDC Multitenant Device Context

5
Module name representation Module name expansion
MFIB Multicast Forwarding Information Base
MGROUP Mirroring group
MPLS Multiprotocol Label Switching
MTLK Monitor Link
NAT Network Address Translation
ND Neighbor Discovery
NQA Network Quality Analyzer
NTP Network Time Protocol
OPENSRC Open Source
OBJP Object Policy
OFP OpenFlow Protocol
OPTMOD Optical Module
OSPF Open Shortest Path First
OSPFV3 Open Shortest Path First Version 3
Packet Capture Packet Capture
PBB Provider Backbone Bridge
PBR Policy-Based Routing
PCE Path Computation Element
PEX Port Extender
PIM Protocol Independent Multicast
PING Packet Internet Groper
PKI Public Key Infrastructure
PKT2CPU Packet to CPU
PORTSEC Port Security
PPP Point to Point Protocol
PWDCTL Password Control
QOS Quality of Service
RADIUS Remote Authentication Dial In User Service
RDDC Redundancy
RIP Routing Information Protocol
RIPNG Routing Information Protocol Next Generation
RM Routing Management
RRPP Rapid Ring Protection Protocol
RTM Real-Time Event Manager
SCM Service Control Manager
SCRLSP Static CRLSP
SESSION Session

6
Module name representation Module name expansion
SFLOW Sampler Flow
SHELL Shell
SLSP Static LSP
SMLK Smart Link
SNMP Simple Network Management Protocol
SSHS Secure Shell Server
STAMGR Station Management
STM Stack Topology Management
STP Spanning Tree Protocol
SYSEVENT System Event
SYSLOG System Log
TACACS Terminal Access Controller Access Control System
TELNETD Telnet Daemon
TRILL Transparent Interconnect of Lots of Links
VCF Vertical Converged Framework
VLAN Virtual Local Area Network
VRRP Virtual Router Redundancy Protocol
VSRP Virtual Service Redundancy Protocol
WIPS Wireless Intrusion Prevention System

Using this document


This document categorizes system log messages by software module. The modules are ordered
alphabetically. Except for OPENSRC, the system log messages for each module are listed in
alphabetic order of their mnemonic names. The OPENSRC messages are unordered because they
use the same mnemonic name (SYSLOG). For each OPENSRC message, the section title uses a
short description instead of the mnemonic name.
This document explains messages in tables. Table 5 describes information provided in these tables.
Table 5 Message explanation table contents

Item Content Example


ACL [UINT32] [STRING] [UINT64]
Message text Presents the message description.
packet(s).
Briefly describes the variable fields in the $1: ACL number.
order that they appear in the message text.
$2: ID and content of an ACL rule.
Variable fields The variable fields are numbered in the
"$Number" form to help you identify their $3: Number of packets that matched
location in the message text. the rule.

Severity level Provides the severity level of the message. 6

7
Item Content Example
Provides a real message example. The
examples do not include the
ACL/6/ACL_STATIS_INFO: ACL 2000
"<PRI>TIMESTAMP Sysname %%vendor"
Example rule 0 permit source 1.1.1.1 0 logging
part or the "Prefix TIMESTAMP Sysname"
10000 packet(s).
part, because information in this part varies
with system settings.
Number of packets that matched an
Explains the message, including the event or
Explanation ACL rule. This message is sent when
error cause.
the packet counter changes.
Provides recommended actions. For
Recommended
informational messages, no action is No action is required.
action
required.

8
AAA messages
This section contains AAA messages.

AAA_FAILURE
-AAAType=[STRING]-AAADomain=[STRING]-Service=[STRING]-UserName=[STRIN
Message text G]; AAA failed.
$1: AAA type.
$2: AAA scheme.
Variable fields
$3: Service.
$4: User name.
Severity level 5
AAA/5/AAA_FAILURE:
Example -AAAType=AUTHOR-AAADomain=domain1-Service=login-UserName=cwf@system;
AAA failed.
An AAA request was rejected.
The following are the common reasons:
Explanation • No response was received from the server.
• The user name or password was incorrect.
• The service type that the user applied for was incorrect.
1. Verify that the device is correctly connected to the server.
Recommende 2. Enter the correct user name and password.
d action 3. Verify that the server settings are the same as the settings on the device.
4. If the problem persists, contact Hewlett Packard Enterprise Support.

AAA_LAUNCH
-AAAType=[STRING]-AAADomain=[STRING]-Service=[STRING]-UserName=[STRIN
Message text G]; AAA launched.
$1: AAA type.
$2: AAA scheme.
Variable fields
$3: Service.
$4: User name.
Severity level 6
AAA/6/AAA_LAUNCH:
Example -AAAType=AUTHEN-AAADomain=domain1-Service=login-UserName=cwf@system;
AAA launched.
Explanation An AAA request was received.
Recommende No action is required.
d action

9
AAA_SUCCESS
-AAAType=[STRING]-AAADomain=[STRING]-Service=[STRING]-UserName=[STRIN
Message text G]; AAA succeeded.
$1: AAA type.
$2: AAA scheme.
Variable fields
$3: Service.
$4: User name.
Severity level 6
AAA/6/AAA_SUCCESS:
Example -AAAType=AUTHOR-AAADomain=domain1-Service=login-UserName=cwf@system;
AAA succeeded.
Explanation An AAA request was accepted.
Recommende No action is required.
d action

10
Security level: Secret

ACL messages
This section contains ACL messages.

ACL_ACCELERATE_NO_RES
Message text Failed to accelerate [STRING] ACL [UINT32]. The resources are insufficient.
$1: ACL type.
Variable fields
$2: ACL number.
Severity level 4
ACL/4/ACL_ACCELERATE_NO_RES: Failed to accelerate IPv6 ACL 2001. The
Example resources are insufficient.
Explanation Hardware resources were insufficient for accelerating an ACL.
Recommended Delete some rules or disabled ACL acceleration for other ACLs to release
action hardware resources.

ACL_ACCELERATE_NONCONTIGUOUSMASK
Failed to accelerate ACL [UINT32]. ACL acceleration supports only contiguous
Message text wildcard masks.

Variable fields $1: ACL number.


Severity level 4
ACL/4/ACL_ACCELERATE_NONCONTIGUOUSMASK: Failed to accelerate
Example ACL 2001. ACL acceleration supports only contiguous wildcard masks.
ACL acceleration failed because rules containing noncontiguous wildcard masks
Explanation exist in the ACL.
Recommended Check the ACL rules and delete the unsupported configuration.
action

ACL_ACCELERATE_NOT_SUPPORT
Message text Failed to accelerate [STRING] ACL [UINT32]. The operation is not supported.
$1: ACL type.
Variable fields
$2: ACL number.
Severity level 4
ACL/4/ACL_ACCELERATE_NOT_SUPPORT: Failed to accelerate IPv6 ACL
Example 2001. The operation is not supported.
Explanation ACL acceleration failed because the system does not support ACL acceleration.
Recommended No action is required.
action

11
Security level: Secret

ACL_ACCELERATE_NOT_SUPPORTHOPBYH
OP
Failed to accelerate IPv6 ACL [UINT32]. ACL acceleration does not support the
Message text rules that contain the hop-by-hop keywords.

Variable fields $1: ACL number.


Severity level 4
ACL/4/ACL_ACCELERATE_NOT_SUPPORTHOPBYHOP: Failed to accelerate
Example IPv6 ACL 2001. ACL acceleration does not support the rules that contain the
hop-by-hop keywords.
ACL acceleration failed for the IPv6 ACL because rules containing the
Explanation hop-by-hop keyword exist in the ACL.
Recommended Check the ACL rules and delete the unsupported configuration.
action

ACL_ACCELERATE_NOT_SUPPORTMULTITC
PFLAG
Failed to accelerate IPv6 ACL [UINT32]. ACL acceleration does not support
Message text specifying multiple TCP flags in one rule.

Variable fields $1: ACL number.


Severity level 4
ACL/4/ACL_ACCELERATE_NOT_SUPPORTMULTITCPFLAG: Failed to
Example accelerate IPv6 ACL 2001. ACL acceleration does not support specifying multiple
TCP flags in one rule.
ACL acceleration failed for the IPv6 ACL because rules containing multiple TCP
Explanation flags exist in the ACL.
Recommended Check the ACL rules and delete the unsupported configuration.
action

ACL_ACCELERATE_UNK_ERR
Message text Failed to accelerate [STRING] ACL [UINT32].
$1: ACL type.
Variable fields
$2: ACL number.
Severity level 4
Example ACL/4/ACL_ACCELERATE_UNK_ERR: Failed to accelerate IPv6 ACL 2001.
Explanation ACL acceleration failed because of an unknown error.
Recommended No action is required.
action

12
Security level: Secret

ACL_IPV6_STATIS_INFO
Message text IPv6 ACL [UINT32] [STRING] [UINT64] packet(s).
$1: ACL number.
Variable fields $2: ID and content of an IPv6 ACL rule.
$3: Number of packets that matched the rule.
Severity level 6
ACL6/6/ACL_IPV6_STATIS_INFO: IPv6 ACL 2000 rule 0 permit source 1:1::/64
Example logging 1000 packet(s).
Explanation The number of packets matching the IPv6 ACL rule changed.
Recommended No action is required.
action

ACL_NO_MEM
Message text Failed to configure [STRING] ACL [UINT] due to lack of memory.
$1: ACL type.
Variable fields
$2: ACL number.
Severity level 3
Example ACL/3/ACL_NO_MEM: Failed to configure ACL 2001 due to lack of memory.
Explanation Configuring the ACL failed because memory is insufficient.
Recommended Use the display memory-threshold command to check the memory usage.
action

ACL_STATIS_INFO
Message text ACL [UINT32] [STRING] [UINT64] packet(s).
$1: ACL number.
Variable fields $2: ID and content of an IPv4 ACL rule.
$3: Number of packets that matched the rule.
Severity level 6
ACL/6/ACL_STATIS_INFO: ACL 2000 rule 0 permit source 1.1.1.1 0 logging
Example 10000 packet(s).
Explanation The number of packets matching the IPv4 ACL rule changed.
Recommended No action is required.
action

13
Security level: Secret

PFILTER_GLB_IPV4_DACT_NO_RES
Failed to apply or refresh the IPv4 default action to the [STRING] direction
Message text globally. The resources are insufficient.

Variable fields $1: Traffic direction.


Severity level 3
PFILTER/3/PFILTER_GLB_IPV4_DACT_NO_RES: Failed to apply or refresh the
Example IPv4 default action to the inbound direction globally. The resources are
insufficient.
The system failed to perform one of the following actions because hardware
resources are insufficient:
Explanation • Applying the IPv4 default action to a specific direction globally.
• Updating the IPv4 default action applied to a specific direction globally.
Recommended Use the display qos-acl resource command to check hardware resource usage.
action

PFILTER_GLB_IPV4_DACT_UNK_ERR
Message text Failed to apply or refresh the IPv4 default action to the [STRING] direction globally.

Variable fields $1: Traffic direction.


Severity level 3
PFILTER/3/PFILTER_GLB_IPV4_DACT_UNK_ERR: Failed to apply or refresh
Example the IPv4 default action to the inbound direction globally.
The system failed to perform one of the following actions due to an unknown error:
Explanation • Applying the IPv4 default action to a specific direction globally.
• Updating the IPv4 default action applied to a specific direction globally.
Recommended No action is required.
action

PFILTER_GLB_IPV6_DACT_NO_RES
Failed to apply or refresh the IPv6 default action to the [STRING] direction
Message text globally. The resources are insufficient.

Variable fields $1: Traffic direction.


Severity level 3
PFILTER/3/PFILTER_GLB_IPV6_DACT_NO_RES: Failed to apply or refresh the
Example IPv6 default action to the inbound direction globally. The resources are
insufficient.
The system failed to perform one of the following actions because hardware
resources are insufficient:
Explanation • Applying the IPv6 default action to a specific direction globally.
• Updating the IPv6 default action applied to a specific direction globally.
Recommended Use the display qos-acl resource command to check hardware resource usage.
action

14
Security level: Secret

PFILTER_GLB_IPV6_DACT_UNK_ERR
Message text Failed to apply or refresh the IPv6 default action to the [STRING] direction globally.

Variable fields $1: Traffic direction.


Severity level 3
PFILTER/3/PFILTER_GLB_IPV6_DACT_UNK_ERR: Failed to apply or refresh
Example the IPv6 default action to the inbound direction globally.
The system failed to perform one of the following actions due to an unknown error:
Explanation • Applying the IPv6 default action to a specific direction globally.
• Updating the IPv6 default action applied to a specific direction globally.
Recommended No action is required.
action

PFILTER_GLB_MAC_DACT_NO_RES
Failed to apply or refresh the MAC default action to the [STRING] direction
Message text globally. The resources are insufficient.

Variable fields $1: Traffic direction.


Severity level 3
PFILTER/3/PFILTER_GLB_MAC_DACT_NO_RES: Failed to apply or refresh the
Example MAC default action to the inbound direction globally. The resources are
insufficient.
The system failed to perform one of the following actions because hardware
resources are insufficient:
Explanation • Applying the MAC default action to a specific direction globally.
• Updating the MAC default action applied to a specific direction globally.
Recommended Use the display qos-acl resource command to check hardware resource usage.
action

PFILTER_GLB_MAC_DACT_UNK_ERR
Failed to apply or refresh the MAC default action to the [STRING] direction
Message text globally.

Variable fields $1: Traffic direction.


Severity level 3
PFILTER/3/PFILTER_GLB_MAC_DACT_UNK_ERR: Failed to apply or refresh
Example the MAC default action to the inbound direction globally.
The system failed to perform one of the following actions due to an unknown error:
Explanation • Applying the MAC default action to a specific direction globally.
• Updating the MAC default action applied to a specific direction globally.
Recommended No action is required.
action

15
Security level: Secret

PFILTER_GLB_NO_RES
Failed to apply or refresh [STRING] ACL [UINT] [STRING] to the [STRING]
Message text direction globally. The resources are insufficient.
$1: ACL type.
$2: ACL number.
Variable fields
$3: ACL rule ID.
$4: Traffic direction.
Severity level 3
PFILTER/3/PFILTER_GLB_NO_RES: Failed to apply or refresh IPv6 ACL 2000
Example rule 1 to the inbound direction globally. The resources are insufficient.
The system failed to perform one of the following actions because hardware
resources are insufficient:
Explanation • Applying an ACL rule to a specific direction globally.
• Updating an ACL rule applied to a specific direction globally.
Recommended Use the display qos-acl resource command to check hardware resource
action usage.

PFILTER_GLB_NOT_SUPPORT
Failed to apply or refresh [STRING] ACL [UINT] [STRING] to the [STRING]
Message text direction globally. The ACL is not supported.
$1: ACL type.
$2: ACL number.
Variable fields
$3: ACL rule ID.
$4: Traffic direction.
Severity level 3
PFILTER/3/PFILTER_GLB_NOT_SUPPORT: Failed to apply or refresh IPv6 ACL
Example 2000 rule 1 to the inbound direction globally. The ACL is not supported.
The system failed to perform one of the following actions because the ACL rule is
not supported:
Explanation • Applying an ACL rule to a specific direction globally.
• Updating an ACL rule applied to a specific direction globally.
Recommended Verify the ACL configuration and remove the settings that are not supported.
action

16
Security level: Secret

PFILTER_GLB_ RES_CONFLICT
Failed to apply or refresh [STRING] ACL [UINT] to the [STRING] direction globally.
Message text [STRING] ACL [UINT] has already been applied globally.
$1: ACL type.
$2: ACL number.
Variable fields $3: Traffic direction.
$4: ACL type.
$5: ACL number.
Severity level 3
PFILTER/3/PFILTER_GLB_RES_CONFLICT: Failed to apply or refresh IPv6 ACL
Example 2000 to the inbound direction globally. IPv6 ACL 3000 has already been applied
globally.
The system failed to perform one of the following actions because an ACL of the
same type (IPv4 ACL, IPv6 ACL, or MAC ACL) has already been applied:
Explanation • Applying the ACL to a specific direction globally.
• Updating the ACL applied to a specific direction globally.
Recommended Remove the ACL of the same type.
action

PFILTER_GLB_UNK_ERR
Failed to apply or refresh [STRING] ACL [UINT] [STRING] to the [STRING]
Message text direction globally.
$1: ACL type.
$2: ACL number.
Variable fields
$3: ACL rule ID.
$4: Traffic direction.
Severity level 3
PFILTER/3/PFILTER_GLB_UNK_ERR: Failed to apply or refresh IPv6 ACL 2000
Example rule 1 to the inbound direction globally.
The system failed to perform one of the following actions due to an unknown error:
Explanation • Applying an ACL rule to a specific direction globally.
• Updating an ACL rule applied to a specific direction globally.
Recommended No action is required.
action

17
Security level: Secret

PFILTER_IF_IPV4_DACT_NO_RES
Failed to apply or refresh the IPv4 default action to the [STRING] direction of
Message text interface [STRING]. The resources are insufficient.
$1: Traffic direction.
Variable fields
$2: Interface name.
Severity level 3
PFILTER/3/PFILTER_IF_IPV4_DACT_NO_RES: Failed to apply or refresh the
Example IPv4 default action to the inbound direction of interface Ethernet 3/1/2. The
resources are insufficient.
The system failed to perform one of the following actions because hardware
resources are insufficient:
Explanation • Applying the IPv4 default action to a specific direction of an interface.
• Updating the IPv4 default action applied to a specific direction of an
interface.
Recommended Use the display qos-acl resource command to check hardware resource usage.
action

PFILTER_IF_IPV4_DACT_UNK_ERR
Failed to apply or refresh the IPv4 default action to the [STRING] direction of
Message text interface [STRING].
$1: Traffic direction.
Variable fields
$2: Interface name.
Severity level 3
PFILTER/3/PFILTER_IF_IPV4_DACT_UNK_ERR: Failed to apply or refresh the
Example IPv4 default action to the inbound direction of interface Ethernet 3/1/2.
The system failed to perform one of the following actions because an unknown
error:
Explanation • Applying the IPv4 default action to a specific direction of an interface.
• Updating the IPv4 default action applied to a specific direction of an
interface.
Recommended No action is required.
action

18
Security level: Secret

PFILTER_IF_IPV6_DACT_NO_RES
Failed to apply or refresh the IPv6 default action to the [STRING] direction of
Message text interface [STRING]. The resources are insufficient.
$1: Traffic direction.
Variable fields
$2: Interface name.
Severity level 3
PFILTER/3/PFILTER_IF_IPV6_DACT_NO_RES: Failed to apply or refresh the
Example IPv6 default action to the inbound direction of interface Ethernet 3/1/2. The
resources are insufficient.
The system failed to perform one of the following actions because hardware
resources are insufficient:
Explanation • Applying the IPv6 default action to a specific direction of an interface.
• Updating the IPv6 default action applied to a specific direction of an
interface.
Recommended Use the display qos-acl resource command to check hardware resource usage.
action

PFILTER_IF_IPV6_DACT_UNK_ERR
Failed to apply or refresh the IPv6 default action to the [STRING] direction of
Message text interface [STRING].
$1: Traffic direction.
Variable fields
$2: Interface name.
Severity level 3
PFILTER/3/PFILTER_IF_IPV6_DACT_UNK_ERR: Failed to apply or refresh the
Example IPv6 default action to the inbound direction of interface Ethernet 3/1/2.
The system failed to perform one of the following actions due to an unknown error:
• Applying the IPv6 default action to a specific direction of an interface.
Explanation
• Updating the IPv6 default action applied to a specific direction of an
interface.
Recommended No action is required.
action

19
Security level: Secret

PFILTER_IF_MAC_DACT_NO_RES
Failed to apply or refresh the MAC default action to the [STRING] direction of
Message text interface [STRING]. The resources are insufficient.
$1: Traffic direction.
Variable fields
$2: Interface name.
Severity level 3
PFILTER/3/PFILTER_IF_MAC_DACT_NO_RES: Failed to apply or refresh the
Example MAC default action to the inbound direction of interface Ethernet 3/1/2. The
resources are insufficient.
The system failed to perform one of the following actions because hardware
resources are insufficient:
Explanation • Applying the MAC default action to a specific direction of an interface.
• Updating the MAC default action applied to a specific direction of an
interface.
Recommended Use the display qos-acl resource command to check hardware resource usage.
action

PFILTER_IF_MAC_DACT_UNK_ERR
Failed to apply or refresh the MAC default action to the [STRING] direction of
Message text interface [STRING].
$1: Traffic direction.
Variable fields
$2: Interface name.
Severity level 3
PFILTER/3/PFILTER_IF_MAC_DACT_UNK_ERR: Failed to apply or refresh the
Example MAC default action to the inbound direction of interface Ethernet 3/1/2.
The system failed to perform one of the following actions due to an unknown error:
• Applying the MAC default action to a specific direction of an interface.
Explanation
• Updating the MAC default action applied to a specific direction of an
interface.
Recommended No action is required.
action

20
Security level: Secret

PFILTER_IF_NO_RES
Failed to apply or refresh [STRING] ACL [UINT] [STRING] to the [STRING]
Message text direction of interface [STRING]. The resources are insufficient.
$1: ACL type.
$2: ACL number.
Variable fields $3: ACL rule ID.
$4: Traffic direction.
$5: Interface name.
Severity level 3
PFILTER/3/PFILTER_IF_NO_RES: Failed to apply or refresh IPv6 ACL 2000
Example rule 1 to the inbound direction of interface Ethernet 3/1/2. The resources are
insufficient.
The system failed to perform one of the following actions because hardware
resources are insufficient:
Explanation • Applying an ACL rule to a specific direction of an interface.
• Updating an ACL rule applied to a specific direction of an interface.
Recommended Use the display qos-acl resource command to check hardware resource usage.
action

PFILTER_IF_NOT_SUPPORT
Failed to apply or refresh [STRING] ACL [UINT] [STRING] to the [STRING]
Message text direction of interface [STRING]. The ACL is not supported.
$1: ACL type.
$2: ACL number.
Variable fields $3: ACL rule ID.
$4: Traffic direction.
$5: Interface name.
Severity level 3
PFILTER/3/PFILTER_IF_NOT_SUPPORT: Failed to apply or refresh IPv6 ACL
Example 2000 rule 1 to the inbound direction of interface Ethernet 3/1/2. The ACL is not
supported.
The system failed to perform one of the following actions because the ACL rule is
not supported:
Explanation • Applying an ACL rule to a specific direction of an interface.
• Updating an ACL rule applied to a specific direction of an interface.
Recommended Verify the ACL configuration and remove the settings that are not supported.
action

21
Security level: Secret

PFILTER_IF_RES_CONFLICT
Failed to apply or refresh [STRING] ACL [UINT] to the [STRING] direction of
Message text interface [STRING]. [STRING] ACL [UINT] has already been applied to the
interface.
$1: ACL type.
$2: ACL number.
$3: Traffic direction.
Variable fields
$4: Interface name.
$5: ACL type.
$6: ACL number.
Severity level 3
PFILTER/3/PFILTER_IF_RES_CONFLICT: Failed to apply or refresh IPv6 ACL
Example 2000 to the inbound direction of interface Ethernet 3/1/2. IPv6 ACL 3000 has
already been applied to the interface.
The system failed to perform one of the following actions because an ACL of the
same type (IPv4 ACL, IPv6 ACL, or MAC ACL) has already been applied:
Explanation • Applying the ACL to a specific direction of an interface.
• Updating the ACL applied to a specific direction of an interface.
Recommended Remove the ACL of the same type.
action

PFILTER_IF_UNK_ERR
Failed to apply or refresh [STRING] ACL [UINT] [STRING] to the [STRING]
Message text direction of interface [STRING].
$1: ACL type.
$2: ACL number.
Variable fields $3: ACL rule ID.
$4: Traffic direction.
$5: Interface name.
Severity level 3
PFILTER/3/PFILTER_IF_UNK_ERR: Failed to apply or refresh IPv6 ACL 2000
Example rule 1 to the inbound direction of interface Ethernet 3/1/2.
The system failed to perform one of the following actions due to an unknown
error:
Explanation • Applying an ACL rule to a specific direction of an interface.
• Updating an ACL rule applied to a specific direction of an interface.
Recommended No action is required.
action

22
Security level: Secret

PFILTER_IPV6_STATIS_INFO
[STRING] ([STRING]): Packet-filter IPv6 [UINT32] [STRING] [STRING] [UINT64]
Message text packet(s).
$1: Destination to which packet filter applies.
$2: Traffic direction.
Variable fields $3: ACL number.
$4: ID and content of an ACL rule.
$5: Number of packets that matched the rule.
Severity level 6
ACL/6/PFILTER_IPV6_STATIS_INFO: Ethernet0/4/0 (inbound): Packet-filter
Example IPv6 2000 rule 0 permit source 1:1::/64 logging 1000 packet(s).
Explanation The number of packets matching the packet-filter IPv6 ACL rule changed.
Recommended No action is required.
action

PFILTER_STATIS_INFO
Message text [STRING] ([STRING]): Packet-filter [UINT32] [STRING] [UINT64] packet(s).
$1: Destination to which packet filter applies.
$2: Traffic direction.
Variable fields $3: ACL number.
$4: ID and content of an ACL rule.
$5: Number of packets that matched the rule.
Severity level 6
ACL/6/PFILTER_STATIS_INFO: Ethernet0/4/0 (inbound): Packet-filter 2000 rule
Example 0 permit source 1.1.1.1 0 logging 10000 packet(s).
Explanation The number of packets matching the packet-filter IPv4 ACL rule changed.
Recommended No action is required.
action

23
Security level: Secret

PFILTER_VLAN_IPV4_DACT_NO_RES
Failed to apply or refresh the IPv4 default action to the [STRING] direction of VLAN
Message text [UINT16]. The resources are insufficient.
$1: Traffic direction.
Variable fields
$2: VLAN ID.
Severity level 3
PFILTER/3/PFILTER_VLAN_IPV4_DACT_NO_RES: Failed to apply or refresh
Example the IPv4 default action to the inbound direction of VLAN 1. The resources are
insufficient.
The system failed to perform one of the following actions because hardware
resources are insufficient:
Explanation • Applying the IPv4 default action to a specific direction of a VLAN.
• Updating the IPv4 default action applied to a specific direction of a VLAN.
Recommended Use the display qos-acl resource command to check hardware resource usage.
action

PFILTER_VLAN_IPV4_DACT_UNK_ERR
Failed to apply or refresh the IPv4 default action to the [STRING] direction of VLAN
Message text [UINT16].
$1: Traffic direction.
Variable fields
$2: VLAN ID.
Severity level 3
PFILTER/3/PFILTER_VLAN_IPV4_DACT_UNK_ERR: Failed to apply or refresh
Example the IPv4 default action to the inbound direction of VLAN 1.
The system failed to perform one of the following actions due to an unknown error:
Explanation • Applying the IPv4 default action to a specific direction of a VLAN.
• Updating the IPv4 default action applied to a specific direction of a VLAN.
Recommended No action is required.
action

24
Security level: Secret

PFILTER_VLAN_IPV6_DACT_NO_RES
Failed to apply or refresh the IPv6 default action to the [STRING] direction of VLAN
Message text [UINT16]. The resources are insufficient.
$1: Traffic direction.
Variable fields
$2: VLAN ID.
Severity level 3
PFILTER/3/PFILTER_VLAN_IPV6_DACT_NO_RES: Failed to apply or refresh
Example the IPv6 default action to the inbound direction of VLAN 1. The resources are
insufficient.
The system failed to perform one of the following actions because hardware
resources are insufficient:
Explanation • Applying the IPv6 default action to a specific direction of a VLAN.
• Updating the IPv6 default action applied to a specific direction of a VLAN.
Recommended Use the display qos-acl resource command to check hardware resource usage.
action

PFILTER_VLAN_IPV6_DACT_UNK_ERR
Failed to apply or refresh the IPv6 default action to the [STRING] direction of VLAN
Message text [UINT16].
$1: Traffic direction.
Variable fields
$2: VLAN ID.
Severity level 3
PFILTER/3/PFILTER_VLAN_IPV6_DACT_UNK_ERR: Failed to apply or refresh
Example the IPv6 default action to the inbound direction of VLAN 1.
The system failed to perform one of the following actions due to an unknown error:
Explanation • Applying the IPv6 default action to a specific direction of a VLAN.
• Updating the IPv6 default action applied to a specific direction of a VLAN.
Recommended No action is required.
action

25
Security level: Secret

PFILTER_VLAN_MAC_DACT_NO_RES
Failed to apply or refresh the MAC default action to the [STRING] direction of
Message text VLAN [UINT16]. The resources are insufficient.
$1: Traffic direction.
Variable fields
$2: VLAN ID.
Severity level 3
PFILTER/3/PFILTER_VLAN_MAC_DACT_NO_RES: Failed to apply or refresh
Example the MAC default action to the inbound direction of VLAN 1. The resources are
insufficient.
The system failed to perform one of the following actions because hardware
resources are insufficient:
Explanation • Applying the MAC default action to a specific direction of a VLAN.
• Updating the MAC default action applied to a specific direction of a VLAN.
Recommended Use the display qos-acl resource command to check hardware resource usage.
action

PFILTER_VLAN_MAC_DACT_UNK_ERR
Failed to apply or refresh the MAC default action to the [STRING] direction of
Message text VLAN [UINT16].
$1: Traffic direction.
Variable fields
$2: VLAN ID.
Severity level 3
PFILTER/3/PFILTER_VLAN_MAC_DACT_UNK_ERR: Failed to apply or refresh
Example the MAC default action to the inbound direction of VLAN 1.
The system failed to perform one of the following actions due to an unknown error:
Explanation • Applying the MAC default action to a specific direction of a VLAN.
• Updating the MAC default action applied to a specific direction of a VLAN.
Recommended No action is required.
action

26
Security level: Secret

PFILTER_VLAN_NO_RES
Failed to apply or refresh [STRING] ACL [UINT] [STRING] to the [STRING]
Message text direction of VLAN [UINT16]. The resources are insufficient.
$1: ACL type.
$2: ACL number.
Variable fields $3: ACL rule ID.
$4: Traffic direction.
$5: VLAN ID.
Severity level 3
PFILTER/3/PFILTER_VLAN_NO_RES: Failed to apply or refresh IPv6 ACL 2000
Example rule 1 to the inbound direction of VLAN 1. The resources are insufficient.
The system failed to perform one of the following actions because hardware
resources are insufficient:
Explanation • Applying an ACL rule to a specific direction of a VLAN.
• Updating an ACL rule applied to a specific direction of a VLAN.
Recommended Use the display qos-acl resource command to check hardware resource usage.
action

PFILTER_VLAN_NOT_SUPPORT
Failed to apply or refresh [STRING] ACL [UINT] [STRING] to the [STRING]
Message text direction of VLAN [UINT16]. The ACL is not supported.
$1: ACL type.
$2: ACL number.
Variable fields $3: ACL rule ID.
$4: Traffic direction.
$5: VLAN ID.
Severity level 3
PFILTER/3/PFILTER_VLAN_NOT_SUPPORT: Failed to apply or refresh ACL
Example 2000 rule 1 to the inbound direction of VLAN 1. The ACL is not supported.
The system failed to perform one of the following actions because the ACL rule is
not supported:
Explanation • Applying an ACL rule to a specific direction of a VLAN.
• Updating an ACL rule applied to a specific direction of a VLAN.
Recommended Verify the ACL configuration and remove the settings that are not supported.
action

27
Security level: Secret

PFILTER_VLAN_RES_CONFLICT
Failed to apply or refresh [STRING] ACL [UINT] to the [STRING] direction of
Message text VLAN [UINT16]. [STRING] ACL [UINT] has already been applied to the VLAN.
$1: ACL type.
$2: ACL number.
$3: Traffic direction.
Variable fields
$4: VLAN ID.
$5: ACL type.
$6: ACL number.
Severity level 3
PFILTER/3/PFILTER_VLAN_RES_CONFLICT: Failed to apply or refresh IPv6
Example ACL 2000 to the inbound direction of VLAN 1. IPv6 ACL 3000 has already been
applied to the VLAN.
The system failed to perform one of the following actions because an ACL of the
same type (IPv4 ACL, IPv6 ACL, or MAC ACL) has already been applied:
Explanation • Applying the ACL to a specific direction of a VLAN.
• Updating the ACL applied to a specific direction of a VLAN.
Recommended Remove the ACL of the same type.
action

PFILTER_VLAN_UNK_ERR
Failed to apply or refresh [STRING] ACL [UINT] [STRING] to the [STRING]
Message text direction of VLAN [UINT16].
$1: ACL type.
$2: ACL number.
Variable fields $3: ACL rule ID.
$4: Traffic direction.
$5: VLAN ID.
Severity level 3
PFILTER/3/PFILTER_VLAN_UNK_ERR: Failed to apply or refresh ACL 2000
Example rule 1 to the inbound direction of VLAN 1.
The system failed to perform one of the following actions due to an unknown
error:
Explanation • Applying an ACL rule to a specific direction of a VLAN.
• Updating an ACL rule applied to a specific direction of a VLAN.
Recommended No action is required.
action

28
Security level: Secret

ANCP messages
This section contains ANCP messages.

ANCP_INVALID_PACKET
-NeighborName=[STRING]-State=[STRING]-MessageType=[STRING]; The
Message text [STRING] value [STRING] is wrong, and the value [STRING] is expected.
$1: ANCP neighbor name.
$2: Neighbor state.
$3: Message type.
$4: Field:
• Sender Instance.
• Sender Port.
• Sender Name.
• Partition ID.
Variable fields • Receiver Instance.
• Receiver Port.
• Receiver Name.
• Version.
• Timer.
• Pflag.
• Capabilities.
$5: Wrong value of the field.
$6: Expected value of the field.
Severity level 6
ANCP/6/ANCP_INVALID_PACKET:
Example -NeighborName=Dslam-State=SYNSENT-MessageType=SYNACK; The
Sender Instance value 0 is wrong, and the value 1 is expected.
Explanation The system received an adjacency message that had a field with a wrong value.
Recommended No action is required.
action

29
Security level: Secret

APMGR messages
This section contains access point management messages.

APMGR_AC_MEM_ALERT
Message text The memory utilization has reached the threshold.

Variable fields N/A


Severity level 4
APMGR/4/APMGR_AC_MEM_ALERT: The memory utilization has reached
Example the threshold.
The AP failed to come online because the memory utilization exceeded the
Explanation limit.
Recommended Stop creating manual APs and prevent APs from coming online.
action

APMGR_ADD_AP_FAIL
AP [STRING] failed to come online using serial ID [STRING]: MAC address
Message text [STRING] is being used by AP [STRING].

$1: AP name.
$2: Serial ID.
Variable fields
$3: MAC address.
$4: AP name.

Severity level 4

APMGR/4/ APMGR_ADD_AP_FAIL: AP ap1 failed to come online using serial


Example ID 01247ef96: MAC address 0023-7961-5201 is being used by AP ap2.

The AP failed to come online because a manual AP that has the same MAC
Explanation address already exists on the AC.
Recommended Delete either the manual AP that has the MAC address or the serial ID.
action

APMGR_ADDBAC_INFO
Message text Add BAS AC [STRING].

Variable fields $1: MAC address of the BAS AC.


Severity level 6
Example APMGR/6/APMGR_ADDBAC_INFO: Add BAS AC 3ce5-a616-28cd.
Explanation The BAS AC was connected to the master AC.
Recommended No action is required.
action

30
Security level: Secret

APMGR_AP_OFFLINE
Message text AP [STRING] went offline. State changed to Idle.

Variable fields $1: AP name.


Severity level 6
Example APMGR/6/APMGR_AP_OFFLINE: AP ap1 went offline. State changed to Idle.
Explanation The AP went offline. The state of the AP changed to Idle.
Recommended If the AP went offline abnormally, check the debugging information to locate the
action problem and resolve it.

APMGR_AP_ONLINE
Message text AP [STRING] went online. State changed to Run.

Variable fields $1: AP name.


Severity level 6
Example APMGR/6/APMGR_AP_ONLINE: AP ap1 went online. State changed to Run.
Explanation The AP came online. The state of the AP changed to Run.
Recommended No action is required.
action

APMGR_CWC_IMG_DOWNLOAD_COMPLETE
System software image file [STRING] downloading through the CAPWAP
Message text tunnel to AC [STRING] completed.
$1: Image file name.
Variable fields
$2: AC IP address.
Severity level 6
APMGR/6/APMGR_CWC_IMG_DOWNLOAD_COMPLETE: System software
Example image file 5800.ipe downloading through the CAPWAP tunnel to AC
192.168.10.1 completed.
Explanation The AP downloaded the image file from the AC successfully.
Recommended No action is required.
action

31
Security level: Secret

APMGR_CWC_IMG_DOWNLOAD_START
Started to download the system software image file [STRING] through the
Message text CAPWAP tunnel to AC [STRING].
$1: Image file name.
Variable fields
$2: AC IP address.
Severity level 6
APMGR/6/APMGR_CWC_IMG_DOWNLOAD_START: Started to download
Example the system software image file 5800.ipe through the CAPWAP tunnel to AC
192.168.10.1.
Explanation The AP started to download the image file from the AC.
Recommended Make sure the AP is correctly connected to the AC.
action

APMGR_CWC_IMG_NO_ENOUGH_SPACE
Insufficient flash memory space for downloading system software image file
Message text [STRING].

Variable fields $1: Image file name.


Severity level 6
APMGR/6/APMGR_CWC_IMG_NO_ENOUGH_SPACE: Insufficient flash
Example memory space for downloading system software image file 5800.ipe.
The AP failed to download the image file from the AC because of insufficient
Explanation flash memory.
Recommended Delete files not in use from the AP.
action

32
Security level: Secret

APMGR_CWC_LOCAL_AC_DOWN
Message text CAPWAP tunnel to Central AC [STRING] went down. Reason: [STRING].
$1: IP address of the central AC.
$2: Reason:
• Added local AC IP address.
Variable fields • Deleted local AC IP address.
• Local AC interface used for CAPWAP tunnel went down.
• Local AC config changed.
• N/A
Severity level 4
APMGR/4/APMGR_CWC_LOCAL_AC_DOWN: CAPWAP tunnel to Central
Example AC 2.2.2.1 went down. Reason: Added local AC IP address.
The CAPWAP tunnel between the central AC and the local AC was terminated
Explanation for a specific reason.
To resolve the problem:
1. Examine the network connection between the central AC and the local AC.
Recommended 2. Verify that the central AC is correctly configured.
action 3. Verify that the local AC is correctly configured.
4. If the problem persists, contact Hewlett Packard Enterprise Support.

APMGR_CWC_LOCAL_AC_UP
Message text CAPWAP tunnel to Central AC [STRING] went up.

Variable fields $1: IP address of the central AC.


Severity level 6
APMGR/6/APMGR_CWC_LOCAL_AC_UP: CAPWAP tunnel to Central AC
Example 2.2.2.1 went up.
Explanation The central AC has established a CAPWAP tunnel with the local AC.
Recommended No action is required.
action

33
Security level: Secret

APMGR_CWC_REBOOT
Message text AP in state [STRING] is rebooting. Reason: [STRING]
$1: AP state.
$2: Reason:
Variable fields • AP was reset.
• Image was downloaded successfully.
• AP stayed in idle state for a long time.
Severity level 6
APMGR/6/APMGR_CWC_REBOOT: AP in State Run is rebooting. Reason: AP
Example was reset.
Explanation The AP rebooted for a specific reason.
Recommended No action is required.
action

APMGR_CWC_RUN_DOWNLOAD_COMPLETE
File [STRING] successfully downloaded through the CAPWAP tunnel to AC
Message text [STRING].
$1: File name.
Variable fields
$2: AC IP address.
Severity level 6
APMGR/6/APMGR_CWC_RUN_DOWNLOAD_COMPLETE: File ac.cfg
Example successfully downloaded through the CAPWAP tunnel to AC 192.168.10.1.
Explanation The AP downloaded the file from the AC successfully.
Recommended No action is required.
action

APMGR_CWC_RUN_DOWNLOAD_START
Started to download the file [STRING] through the CAPWAP tunnel to AC
Message text [STRING].
$1: File name.
Variable fields
$2: AC IP address.
Severity level 6
APMGR/6/APMGR_CWC_RUN_DOWNLOAD_START: Started to download
Example the file ac.cfg through the CAPWAP tunnel to AC 192.168.10.1.
Explanation The AP started to download the file from the AC.
Recommended Make sure the AP is correctly connected to the AC.
action

34
Security level: Secret

APMGR_CWC_RUN_NO_ENOUGH_SPACE
Message text Insufficient flash memory space for downloading file [STRING].

Variable fields $1: File name.


Severity level 6
APMGR/6/APMGR_CWC_RUN_NO_ENOUGH_SPACE: Insufficient flash
Example memory space for downloading file ac.cfg.
The AP failed to download the file from the AC because of insufficient flash
Explanation memory.
Recommended Delete files not in use from the AP.
action

APMGR_CWC_TUNNEL_DOWN
Message text CAPWAP tunnel to AC [STRING] went down. Reason: [STRING].
$1: AC IP address.
$2: Reason:
• Added AP IP address.
• Deleted AP IP address.
• AP interface used for CAPWAP tunnel went down.
• AP config changed.
• AP was reset.
Variable fields • Number of echo retransmission attempts exceeded the limit.
• Full retransmission queue.
• Data channel timer expired.
• Backup AC IP address changed.
• Backup tunnel changed to master tunnel.
• Failed to change backup tunnel to master tunnel.
• Backup method changed.
• N/A.
Severity level 6
APMGR/6/APMGR_CWC_TUNNEL_DOWN: CAPWAP tunnel to AC
Example 192.168.10.1 went down. Reason: AP was reset.
The CAPWAP tunnel between the AP and the AC was terminated for a specific
Explanation reason.
Recommended Examine the network connection between the AP and the AC.
action

35
Security level: Secret

APMGR_CWC_TUNNEL_UP
Message text [STRING] CAPWAP tunnel to AC [STRING] went up.
$1: Tunnel type:
• Master.
Variable fields • Backup.
$2: AC IP address.
Severity level 6
APMGR/6/APMGR_CWC_TUNNEL_UP: Master CAPWAP tunnel to AC
Example 192.168.10.1 went up.
Explanation The AP was connected to the AC successfully and entered Run state.
Recommended No action is required.
action

APMGR_CWS_LOCAL_AC_DOWN
Message text CAPWAP tunnel to local AC [STRING] went down. Reason: [STRING].
$1: IP address of the local AC.
$2: Reason:
• Neighbor dead timer expired.
• Local AC was deleted.
Variable fields
• Serial number changed.
• Processed join request in Run state.
• Failed to retransmit message.
• N/A
Severity level 4
APMGR/4/APMGR_CWS_LOCAL_AC_DOWN: CAPWAP tunnel to local AC
Example 1.1.1.1 went down. Reason: Serial number changed.
The CAPWAP tunnel between the central AC and the local AC was terminated
Explanation for a specific reason.
To resolve the problem:
1. Examine the network connection between the central AC and the local AC.
Recommended 2. Verify that the central AC is correctly configured.
action 3. Verify that the local AC is correctly configured.
4. If the problem persists, contact Hewlett Packard Enterprise Support.

36
Security level: Secret

APMGR_CWS_LOCAL_AC_UP
Message text CAPWAP tunnel to local AC [STRING] went up.

Variable fields $1: IP address of the local AC.


Severity level 6
APMGR/6/APMGR_CWS_LOCAL_AC_UP: CAPWAP tunnel to local AC
Example 1.1.1.1 went up.
Explanation The central AC has established a CAPWAP tunnel with the local AC.
Recommended No action is required.
action

APMGR_CWS_IMG_DOWNLOAD_COMPLETE
System software image file [STRING] downloading through the CAPWAP
Message text tunnel for AP [STRING] completed.
$1: Image file name.
Variable fields
$2: AP name.
Severity level 6
APMGR/6/APMGR_ CWS_IMG_DOWNLOAD_COMPLETE: System software
Example image file 5800.ipe downloading through the CAPWAP tunnel for AP ap2
completed.
Explanation The AP downloaded the image file from the AC successfully.
Recommended No action is required.
action

APMGR_CWS_IMG_DOWNLOAD_START
Message text AP [STRING] started to download the system software image file [STRING].
$1: AP name.
Variable fields
$2: Image file name.
Severity level 6
APMGR/6/APMGR_CWS_IMG_DOWNLOAD_START: AP ap1 started to
Example download the system software image file 5800.ipe.
Explanation The AP started to download the image file from the AC.
Recommended No action is required.
action

37
Security level: Secret

APMGR_CWS_RUN_DOWNLOAD_COMPLETE
File [STRING] successfully downloaded through the CAPWAP tunnel for AP
Message text [STRING].
$1: File name.
Variable fields
$2: AP name.
Severity level 6
APMGR/6/APMGR_CWS_RUN_DOWNLOAD_COMPLETE: File ac.cfg
Example successfully downloaded through the CAPWAP tunnel for AP ap2.
Explanation The AP downloaded the file from the AC successfully.
Recommended No action is required.
action

APMGR_CWS_RUN_DOWNLOAD_START
Message text AP [STRING] started to download the file [STRING].
$1: AP name.
Variable fields
$2: File name.
Severity level 6
APMGR/6/APMGR_CWS_RUN_DOWNLOAD_START: AP ap1 started to
Example download the file ac.cfg.
Explanation The AP started to download the file from the AC.
Recommended No action is required.
action

38
Security level: Secret

APMGR_CWS_TUNNEL_DOWN
Message text CAPWAP tunnel to AP [STRING] went down. Reason: [STRING].
$1: AP name.
$2: Reason:
• Neighbor dead timer expired.
• AP was reset.
• AP was deleted.
• Serial number changed.
Variable fields
• Processed join request in Run state.
• Failed to retransmit message.
• Received WTP tunnel down event from AP.
• Backup AC closed the backup tunnel.
• Tunnel switched.
• N/A.
Severity level 6
APMGR/6/APMGR_CWS_TUNNEL_DOWN: CAPWAP tunnel to AP ap1 went
Example down. Reason: AP was reset.
Explanation The AP went offline for a specific reason.
To resolve the problem:
1. Examine the network connection between the AP and the AC.
Recommended 2. Verify that the AP is correctly configured.
action 3. Verify that the AC is correctly configured.
4. If the problem persists, contact Hewlett Packard Enterprise Support.

APMGR_CWS_TUNNEL_UP
Message text [STRING] CAPWAP tunnel to AP [STRING] went up.
$1: Tunnel type:
• Master.
Variable fields • Backup.
$2: AP name.
Severity level 6
APMGR/6/APMGR_CWS_TUNNEL_UP: Backup CAPWAP tunnel to AP ap1
Example went up.
Explanation The AP came online and entered Run state.
Recommended No action is required.
action

39
Security level: Secret

APMGR_DELBAC_INFO
Message text Delete BAS AC [STRING].

Variable fields $1: MAC address of the BAS AC.


Severity level 6
Example APMGR/6/APMGR_DELBAC_INFO: Delete BAS AC 3ce5-a616-28cd.
Explanation The BAS AC was disconnected from the master AC.
Recommended No action is required.
action

APMGR_LOCAL_AC_OFFLINE
Message text Local AC [STRING] went offline. State changed to Idle.

Variable fields $1: Name of the local AC.


Severity level 6
APMGR/6/APMGR_LOCAL_AC_OFFLINE: Local AC ac1 went offline. State
Example changed to Idle.
Explanation The local AC went offline. The state of the local AC changed to Idle.
1. If the local AC went offline abnormally, check the debugging information to
Recommended locate the problem and resolve it.
action 2. If the problem persists, contact Hewlett Packard Enterprise Support.

APMGR_LOCAL_AC_ONLINE
Message text Local AC [STRING] went online. State changed to Run.

Variable fields $1: Name of the local AC.


Severity level 6
APMGR/6/APMGR_LOCAL_AC_ONLINE: Local AC ac1 went online. State
Example changed to Run.
Explanation The local AC came online. The state of the local AC changed to Run.
Recommended No action is required.
action

40
Security level: Secret

ARP messages
This section contains ARP messages.

ARP_ACTIVE_ACK_NO_REPLY
Message text No ARP reply from IP [STRING] was received on interface [STRING].
$1: IP address.
Variable fields
$2: Interface name.
Severity level 6
ARP/6/ARP_ACTIVE_ACK_NO_REPLY: No ARP reply from IP
Example 192.168.10.1 was received on interface Ethernet0/1/0.
The ARP active acknowledgement feature did not receive an ARP reply after
Explanation it sent an ARP request to the sender IP of an ARP message.
This message indicates the risk of attacks.
1. Verify that the learned ARP entries on the device are consistent with the
existing legal devices. When gateways and servers are on the network,
Recommended action check the ARP entries for these devices first.
2. If the ARP entries are correct and the attack continues, contact Hewlett
Packard Enterprise Support.

ARP_ACTIVE_ACK_NOREQUESTED_REPLY
Interface [STRING] received from IP [STRING] an ARP reply that was not
Message text requested by the device.
$1: Interface name.
Variable fields
$2: IP address.
Severity level 6
ARP/6/ARP_ACTIVE_ACK_NOREQUESTED_REPLY: Interface
Example Ethernet0/1/0 received from IP 192.168.10.1 an ARP reply that was not
requested by the device.
The ARP active acknowledgement feature received an unsolicited ARP reply
Explanation from a sender IP.
This message indicates the risk of attacks.
Recommended action No action is required. The device discards the ARP reply automatically.

41
Security level: Secret

ARP_BINDRULETOHW_FAILED
Failed to download binding rule to hardware on the interface [STRING],
Message text SrcIP [IPADDR], SrcMAC [MAC], VLAN [UINT16], Gateway MAC [MAC].
$1: Interface name.
$2: Source IP address.
Variable fields $3: Source MAC address.
$4: VLAN ID.
$5: Gateway MAC address.
Severity level 5
ARP/5/ARP_BINDRULETOHW_FAILED: Failed to download binding rule to
Example hardware on the interface Ethernet1/0/1, SrcIP 1.1.1.132, SrcMAC
0015-E944-A947, VLAN 1, Gateway MAC 00A1-B812-1108.
The system failed to set a binding rule to the hardware on an interface. The
message is sent in any of the following situations:
Explanation • The resources are not sufficient for the operation.
• The memory is not sufficient for the operation.
• A hardware error occurs.
To resolve the problem:
1. Execute the display qos-acl resource command to check if the ACL
resources for the operation are sufficient.
 If yes, proceed to step 2.
 If no, delete unnecessary configuration to release ACL resources. If
no configuration can be deleted, proceed to step 2.
Recommended action 2. Execute the display memory command to check if the memory for the
operation is sufficient.
 If yes, proceed to step 3.
 If no, delete unnecessary configuration to release memory. If no
configuration can be deleted, proceed to step 3.
3. Delete the configuration and perform the operation again.

42
Security level: Secret

ARP_ENTRY_CONFLICT
The software entry for [STRING] on [STRING] and the hardware entry did
Message text not have the same [STRING].
$1: IP address.
$2: VPN instance name. If the ARP entry belongs to the public network, this
field displays the public network.
$3: Inconsistent items:
 MAC address.
Variable fields  output interface.
 output port.
 outermost layer VLAN ID.
 second outermost layer VLAN ID.
 VSI index.
 link ID.
Severity level 6
ARP/6/ARP_ENTRY_CONFLICT: The software entry for 1.1.1.1 on the VPN
a and the hardware entry did not have the same MAC address, output port,
VSI index, and link ID.
Example
ARP/6/ARP_ENTRY_CONFLICT: The software entry for 1.1.1.2 on the
public network and the hardware entry did not have the same MAC address,
output port, VSI index, and link ID.
The software entry for the specified IP address is not the same as the
Explanation hardware entry. For example, they do not have the same output interface.
Recommended action No action is required. ARP automatically refreshes the hardware entries.

ARP_HOST_IP_CONFLICT
The host [STRING] connected to interface [STRING] cannot communicate
Message text correctly, because it uses the same IP address as the host connected to
interface [STRING].
$1: IP address.
Variable fields $2: Interface name.
$3: Interface name.
Severity level 4
ARP/4/ARP_HOST_IP_CONFLICT: The host 1.1.1.1 connected to interface
Example GigabitEthernet1/0/1 cannot communicate correctly, because it uses the
same IP address as the host connected to interface GigabitEthernet1/0/2.
The sender IP address in a received ARP message conflicted with the IP
Explanation address of a host connected to another interface.
Check whether the hosts that send the ARP messages are legitimate.
Recommended action Disconnect the illegal host from the network.

43
Security level: Secret

ARP_RATE_EXCEEDED
The ARP packet rate ([UINT32] pps) exceeded the rate limit ([UINT32] pps)
Message text on interface [STRING] in the last [UINT32] seconds.
$1: ARP packet rate.
$2: ARP limit rate.
Variable fields
$3: Interface name.
$4: Interval time.
Severity level 4
ARP/4/ARP_RATE_EXCEEDED: The ARP packet rate (100 pps)
Example exceeded the rate limit (80 pps) on interface Ethernet0/1/0 in the last 10
seconds.
Explanation An interface received ARP messages at a higher rate than the rate limit.
Recommended action Verify that the hosts at the sender IP addresses are legitimate.

ARP_SENDER_IP_INVALID
Sender IP [STRING] was not on the same network as the receiving
Message text interface [STRING].
$1: IP address.
Variable fields
$2: Interface name.
Severity level 6
ARP/6/ARP_SENDER_IP_INVALID: Sender IP 192.168.10.2 was not on
Example the same network as the receiving interface Ethernet0/1/0.
The sender IP of a received ARP message was not on the same network
Explanation as the receiving interface.
Recommended action Verify that the host at the sender IP address is legitimate.

ARP_SENDER_MAC_INVALID
Sender MAC [STRING] was not identical to Ethernet source MAC
Message text [STRING] on interface [STRING].
$1: MAC address.
Variable fields $2: MAC address.
$3: Interface name.
Severity level 6
ARP/6/ARP_SENDER_MAC_INVALID: Sender MAC 0000-5E14-0E00
Example was not identical to Ethernet source MAC 0000-5C14-0E00 on interface
Ethernet0/1/0.
An interface received an ARP message. The sender MAC address in the
Explanation message body was not identical to the source MAC address in the Ethernet
header.
Recommended action Verify that the host at the sender MAC address is legitimate.

44
Security level: Secret

ARP_SENDER_SMACCONFLICT
Packet was discarded because its sender MAC address was the MAC address
Message text of the receiving interface.
Interface: [STRING], sender IP: [STRING], target IP: [STRING].
$1: Interface name.
Variable fields $2: Sender IP address.
$3: Target IP address.
Severity level 6
Packet discarded for the sender MAC address is the same as the receiving
Example interface.
Interface: GE1/0/1 sender IP: 1.1.2.2 target IP: 1.1.2.1,
The sender MAC address of a received ARP packet conflicts with the MAC
Explanation address of the device.
Recommended No action is required.
action

ARP_SENDER_SMACCONFLICT_VSI
Packet was discarded because its sender MAC address was the MAC address
of the receiving interface.
Message text
Interface: [STRING], sender IP: [STRING], target IP: [STRING],VSI index:
[UINT32], link ID: [UINT32].
$1: Interface name.
$2: Sender IP address.
Variable fields $3: Target IP address.
$4: VSI index.
$5: Link ID.
Severity level 6
Packet discarded for the sender MAC address is the same as the receiving
Example interface.
Interface: VSI3 sender IP: 1.1.2.2 target IP: 1.1.2.1, VSI Index: 2, Link ID: 0
The sender MAC address of a received ARP packet conflicts with the MAC
Explanation address of the device. The receiving interface is a VSI interface.
Recommended No action is required.
action

45
Security level: Secret

ARP_SRC_MAC_FOUND_ATTACK
Message text An attack from MAC [STRING] was detected on interface [STRING].
$1: MAC address.
Variable fields
$2: Interface name.
Severity level 6
ARP/6/ARP_SRC_MAC_FOUND_ATTACK: An attack from MAC
Example 0000-5E14-0E00 was detected on interface Ethernet0/1/0.
The source MAC-based ARP attack detection feature received more ARP
packets from the same MAC address within 5 seconds than the specified
Explanation threshold.
This message indicates the risk of attacks.
Recommended action Verify that the host at the source MAC address is legitimate.

ARP_TARGET_IP_INVALID
Message text Target IP [STRING] was not the IP of the receiving interface [STRING].
$1: IP address.
Variable fields
$2: Interface name.
Severity level 6
ARP/6/ARP_TARGET_IP_INVALID: Target IP 192.168.10.2 was not the IP
Example of the receiving interface Ethernet0/1/0.
The target IP address of a received ARP message was not the IP address of
Explanation the receiving interface.
Recommended action Verify that the host at the sender IP address is legitimate.

DUPIFIP
Duplicate address [STRING] on interface [STRING], sourced from
Message text [STRING].
$1: IP address.
Variable fields $2: Interface name.
$3: MAC Address.
Severity level 6
ARP/6/DUPIFIP: Duplicate address 1.1.1.1 on interface Ethernet1/1/1,
Example sourced from 0015-E944-A947.
ARP detected a duplicate address.
Explanation The sender IP in the received ARP packet was being used by the receiving
interface.
Recommended action Modify the IP address configuration.

46
Security level: Secret

DUPIP
IP address [STRING] conflicted with global or imported IP address, sourced
Message text from [STRING].
$1: IP address.
Variable fields
$2: MAC Address.
Severity level 6
ARP/6/DUPIP: IP address 30.1.1.1 conflicted with global or imported IP
Example address, sourced from 0000-0000-0001.
The sender IP address of the received ARP packet conflicted with the global
Explanation or imported IP address.
Recommended action Modify the IP address configuration.

DUPVRRPIP
IP address [STRING] conflicted with VRRP virtual IP address on interface
Message text [STRING], sourced from [STRING].
$1: IP address.
Variable fields $2: Interface name.
$3: MAC address.
Severity level 6
ARP/6/DUPVRRPIP: IP address 1.1.1.1 conflicted with VRRP virtual IP
Example address on interface Ethernet1/1/1, sourced from 0015-E944-A947.
The sender IP address of the received ARP packet conflicted with the VRRP
Explanation virtual IP address.
Recommended action Modify the IP address configuration.

47
Security level: Secret

ATK messages
This section contains attack detection and prevention messages.

ATK_ICMP_ADDRMASK_REQ
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_ADDRMASK_REQ: IcmpType(1058)=17;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819;
AtkTimes(1050)=2.
Explanation This message is sent when ICMP address mask request logs are aggregated.
Recommended No action is required.
action

48
Security level: Secret

ATK_ICMP_ADDRMASK_REQ_RAW
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_ADDRMASK_REQ_RAW: IcmpType(1058)=17;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
If log aggregation is enabled, for ICMP address mask requests of the same
attributes, this message is sent only when the first request is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP address
mask request is received.
Recommended No action is required.
action

49
Security level: Secret

ATK_ICMP_ADDRMASK_RPL
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_ADDRMASK_RPL: IcmpType(1058)=18;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819;
AtkTimes(1050)=2.
Explanation This message is sent when ICMP address mask reply logs are aggregated.
Recommended No action is required.
action

50
Security level: Secret

ATK_ICMP_ADDRMASK_RPL_RAW
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_ADDRMASK_RPL_RAW: IcmpType(1058)=18;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
If log aggregation is enabled, for ICMP address mask replies of the same
attributes, this message is sent only when the first reply is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP address
mask reply is received.
Recommended No action is required.
action

51
Security level: Secret

ATK_ICMP_ECHO_RPL
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_ECHO_RPL: IcmpType(1058)=0;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819;
AtkTimes(1050)=2.
Explanation This message is sent when ICMP echo reply logs are aggregated.
Recommended No action is required.
action

52
Security level: Secret

ATK_ICMP_ECHO_RPL_RAW
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_ECHO_RPL_RAW: IcmpType(1058)=0;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
If log aggregation is enabled, for ICMP echo replies of the same attributes, this
message is sent only when the first reply is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP echo reply
is received.
Recommended No action is required.
action

53
Security level: Secret

ATK_ICMP_ECHO_REQ
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_ECHO_REQ: IcmpType(1058)=8;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819;
AtkTimes(1050)=2.
Explanation This message is sent when ICMP echo request logs are aggregated.
Recommended No action is required.
action

54
Security level: Secret

ATK_ICMP_ECHO_REQ_RAW
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; DstPort(1004)=[UINT16];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
Variable fields
$5: Destination IP address.
$6: Destination port number.
$7: Name of the receiving VPN instance.
$8: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_ECHO_REQ_RAW: IcmpType(1058)=8;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1; DstPort(1004)=22;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
If log aggregation is enabled, for ICMP echo requests of the same attributes, this
message is sent only when the first request is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP echo
request is received.
Recommended No action is required.
action

ATK_ICMP_FLOOD
RcvIfName(1023)=[STRING]; DstIPAddr(1007)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Destination IP address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_ICMP_FLOOD: RcvIfName(1023)=Ethernet0/0/2;
DstIPAddr(1007)=6.1.1.5; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009093351.
This message is sent when the number of ICMP packets sent to a destination per
Explanation second exceeds the rate limit.
Recommended No action is required.
action

55
Security level: Secret

ATK_ICMP_INFO_REQ
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_INFO_REQ: IcmpType(1058)=15;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819;
AtkTimes(1050)=2.
Explanation This message is sent when ICMP information request logs are aggregated.
Recommended No action is required.
action

56
Security level: Secret

ATK_ICMP_INFO_REQ_RAW
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_INFO_REQ_RAW: IcmpType(1058)=15;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
If log aggregation is enabled, for ICMP information requests of the same
attributes, this message is sent only when the first request is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP
information request is received.
Recommended No action is required.
action

57
Security level: Secret

ATK_ICMP_INFO_RPL
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_INFO_RPL: IcmpType(1058)=16;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819;
AtkTimes(1050)=2.
Explanation This message is sent when ICMP information reply logs are aggregated.
Recommended No action is required.
action

58
Security level: Secret

ATK_ICMP_INFO_RPL_RAW
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_INFO_RPL_RAW: IcmpType(1058)=16;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
If log aggregation is enabled, for ICMP information replies of the same attributes,
this message is sent only when the first reply is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP
information reply is received.
Recommended No action is required.
action

59
Security level: Secret

ATK_ICMP_LARGE
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_ICMP_LARGE: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=2.
Explanation This message is sent when large ICMP packet logs are aggregated.
Recommended No action is required.
action

ATK_ICMP_LARGE_RAW
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_ICMP_LARGE_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging.
If log aggregation is enabled, for large ICMP packets of the same attributes, this
message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a large ICMP
packet is received.
Recommended No action is required.
action

60
Security level: Secret

ATK_ICMP_PARAPROBLEM
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_PARAPROBLEM: IcmpType(1058)=12;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819;
AtkTimes(1050)=2.
Explanation This message is sent when ICMP parameter problem logs are aggregated.
Recommended No action is required.
action

61
Security level: Secret

ATK_ICMP_PARAPROBLEM_RAW
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_PARAPROBLEM_RAW: IcmpType(1058)=12;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
If log aggregation is enabled, for ICMP parameter problem packets of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP parameter
problem packet is received.
Recommended No action is required.
action

62
Security level: Secret

ATK_ICMP_PINGOFDEATH
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_ICMP_PINGOFDEATH: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=2.
This message is sent when logs are aggregated for ICMP packets larger than
Explanation 65535 bytes with the MF flag set to 0.
Recommended No action is required.
action

63
Security level: Secret

ATK_ICMP_PINGOFDEATH_RAW
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_ICMP_PINGOFDEATH_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for the ping of death attack. The attack uses ICMP packets larger
than 65535 bytes with the MF flag set to 0.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

64
Security level: Secret

ATK_ICMP_REDIRECT
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_REDIRECT: IcmpType(1058)=5;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819;
AtkTimes(1050)=2.
Explanation This message is sent when ICMP redirect logs are aggregated.
Recommended No action is required.
action

65
Security level: Secret

ATK_ICMP_REDIRECT_RAW
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_REDIRECT_RAW: IcmpType(1058)=5;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
If log aggregation is enabled, for ICMP redirect packets of the same attributes, this
message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP redirect
packet is received.
Recommended No action is required.
action

66
Security level: Secret

ATK_ICMP_SMURF
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_ICMP_SMURF: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=2.
This message is sent when logs are aggregated for ICMP echo requests whose
destination IP address is one of the following addresses:
• A broadcast or network address of A, B, or C class.
Explanation
• An IP address of D or E class.
• The broadcast or network address of the network where the receiving
interface resides.
Recommended No action is required.
action

67
Security level: Secret

ATK_ICMP_SMURF_RAW
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_ICMP_SMURF_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for the smurf attack. The attack uses ICMP echo requests with
the destination IP address being one of the following addresses:
• A broadcast or network address of A, B, or C class.
• An IP address of D or E class.
• The broadcast or network address of the network where the receiving
Explanation interface resides.
If log aggregation is enabled, for requests of the same attributes, this message is
sent only when the first request is received.
If log aggregation is disabled, this message is sent every time a request is
received.
Recommended No action is required.
action

68
Security level: Secret

ATK_ICMP_SOURCEQUENCH
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_SOURCEQUENCH: IcmpType(1058)=4;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819;
AtkTimes(1050)=2.
Explanation This message is sent when ICMP source quench logs are aggregated.
Recommended No action is required.
action

69
Security level: Secret

ATK_ICMP_SOURCEQUENCH_RAW
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_SOURCEQUENCH_RAW: IcmpType(1058)=4;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
If log aggregation is enabled, for ICMP source quench packets of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP source
quench packet is received.
Recommended No action is required.
action

70
Security level: Secret

ATK_ICMP_TIMEEXCEED
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_TIMEEXCEED: IcmpType(1058)=11;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819;
AtkTimes(1050)=2.
Explanation This message is sent when ICMP time exceeded logs are aggregated.
Recommended No action is required.
action

71
Security level: Secret

ATK_ICMP_TIMEEXCEED_RAW
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_TIMEEXCEED_RAW: IcmpType(1058)=11;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
If log aggregation is enabled, for ICMP time exceeded packets of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP time
exceeded packet is received.
Recommended No action is required.
action

72
Security level: Secret

ATK_ICMP_TRACEROUTE
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_ICMP_TRACEROUTE: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=2.
This message is sent when logs are aggregated for ICMP time exceeded packets
Explanation of code 0.
Recommended No action is required.
action

ATK_ICMP_TRACEROUTE_RAW
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_ICMP_TRACEROUTE_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging.
If log aggregation is enabled, for ICMP time exceeded packets of code 0 of the
same attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP time
exceeded packet of code 0 is received.
Recommended No action is required.
action

73
Security level: Secret

ATK_ICMP_TSTAMP_REQ
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_TSTAMP_REQ: IcmpType(1058)=13;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819;
AtkTimes(1050)=2.
Explanation This message is sent when ICMP timestamp logs are aggregated.
Recommended No action is required.
action

74
Security level: Secret

ATK_ICMP_TSTAMP_REQ_RAW
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_TSTAMP_REQ_RAW: IcmpType(1058)=13;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
If log aggregation is enabled, for ICMP timestamp packets of the same attributes,
this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP timestamp
packet is received.
Recommended No action is required.
action

75
Security level: Secret

ATK_ICMP_TSTAMP_RPL
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_TSTAMP_RPL: IcmpType(1058)=14;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819;
AtkTimes(1050)=2.
Explanation This message is sent when ICMP timestamp reply logs are aggregated.
Recommended No action is required.
action

76
Security level: Secret

ATK_ICMP_TSTAMP_RPL_RAW
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_TSTAMP_RPL_RAW: IcmpType(1058)=14;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
If log aggregation is enabled, for ICMP timestamp replies of the same attributes,
this message is sent only when the first reply is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP timestamp
reply is received.
Recommended No action is required.
action

77
Security level: Secret

ATK_ICMP_TYPE
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_TYPE: IcmpType(1058)=38;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819;
AtkTimes(1050)=2.
Explanation This message is sent when logs are aggregated for user-defined ICMP packets.
Recommended No action is required.
action

78
Security level: Secret

ATK_ICMP_TYPE_RAW
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_TYPE_RAW: IcmpType(1058)=38;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
If log aggregation is enabled, for user-defined ICMP packets of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a user-defined
ICMP packet is received.
Recommended No action is required.
action

79
Security level: Secret

ATK_ICMP_UNREACHABLE
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_UNREACHABLE: IcmpType(1058)=3;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819;
AtkTimes(1050)=2.
Explanation This message is sent when ICMP destination unreachable logs are aggregated.
Recommended No action is required.
action

80
Security level: Secret

ATK_ICMP_UNREACHABLE_RAW
IcmpType(1058)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Receiving interface name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_UNREACHABLE_RAW: IcmpType(1058)=3;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
If log aggregation is enabled, for ICMP destination unreachable packets of the
same attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP
destination unreachable packet is received.
Recommended No action is required.
action

81
Security level: Secret

ATK_ICMPV6_DEST_UNREACH
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: ICMPv6 message type.
$2: Receiving interface name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_ICMPV6_DEST_UNREACH: Icmpv6Type(1059)=133;
RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
Explanation This message is sent when ICMPv6 destination unreachable logs are aggregated.
Recommended No action is required.
action

ATK_ICMPV6_DEST_UNREACH_RAW
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMPv6 message type.
$2: Receiving interface name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMPV6_DEST_UNREACH_RAW: Icmpv6Type(1059)=133;
RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMPv6 destination unreachable packets of the
same attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMPv6
destination unreachable packet is received.
Recommended No action is required.
action

82
Security level: Secret

ATK_ICMPV6_ECHO_REQ
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: ICMPv6 message type.
$2: Receiving interface name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_ICMPV6_ECHO_REQ: Icmpv6Type(1059)=128;
RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
Explanation This message is sent when ICMPv6 echo request logs are aggregated.
Recommended No action is required.
action

ATK_ICMPV6_ECHO_REQ_RAW
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMPv6 message type.
$2: Receiving interface name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMPV6_ECHO_REQ_RAW: Icmpv6Type(1059)=128;
RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMPv6 echo requests of the same attributes,
this message is sent only when the first request is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMPv6 echo
request is received.
Recommended No action is required.
action

83
Security level: Secret

ATK_ICMPV6_ECHO_RPL
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: ICMPv6 message type.
$2: Receiving interface name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_ICMPV6_ECHO_RPL: Icmpv6Type(1059)=129;
RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
Explanation This message is sent when ICMPv6 echo reply logs are aggregated.
Recommended No action is required.
action

ATK_ICMPV6_ECHO_RPL_RAW
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMPv6 message type.
$2: Receiving interface name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMPV6_ECHO_RPL_RAW: Icmpv6Type(1059)=129;
RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMPv6 echo replies of the same attributes, this
message is sent only when the first reply is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMPv6 echo
reply is received.
Recommended No action is required.
action

84
Security level: Secret

ATK_ICMPV6_FLOOD
RcvIfName(1023)=[STRING]; DstIPv6Addr(1037)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Destination IPv6 address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_ICMPV6_FLOOD: RcvIfName(1023)=Ethernet0/0/2;
DstIPv6Addr(1007)=2002::2; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009093351.
This message is sent when the number of ICMPv6 packets sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

ATK_ICMPV6_GROUPQUERY
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: ICMPv6 message type.
$2: Receiving interface name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_ICMPV6_GROUPQUERY: Icmpv6Type(1059)=130;
RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
Explanation This message is sent when ICMPv6 multicast listener query logs are aggregated.
Recommended No action is required.
action

85
Security level: Secret

ATK_ICMPV6_GROUPQUERY_RAW
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMPv6 message type.
$2: Receiving interface name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMPV6_GROUPQUERY_RAW: Icmpv6Type(1059)=130;
RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMPv6 multicast listener queries of the same
attributes, this message is sent only when the first query is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMPv6
multicast listener query is received.
Recommended No action is required.
action

ATK_ICMPV6_GROUPREDUCTION
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: ICMPv6 message type.
$2: Receiving interface name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_ICMPV6_GROUPREDUCTION: Icmpv6Type(1059)=132;
RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
Explanation This message is sent when ICMPv6 multicast listener done logs are aggregated.
Recommended No action is required.
action

86
Security level: Secret

ATK_ICMPV6_GROUPREDUCTION_RAW
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMPv6 message type.
$2: Receiving interface name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMPV6_GROUPREDUCTION_RAW: Icmpv6Type(1059)=132;
RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMPv6 multicast listener done packets of the
same attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMPv6
multicast listener done packet is received.
Recommended No action is required.
action

ATK_ICMPV6_GROUPREPORT
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: ICMPv6 message type.
$2: Receiving interface name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_ICMPV6_GROUPREPORT: Icmpv6Type(1059)=131;
RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
Explanation This message is sent when ICMPv6 multicast listener report logs are aggregated.
Recommended No action is required.
action

87
Security level: Secret

ATK_ICMPV6_GROUPREPORT_RAW
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMPv6 message type.
$2: Receiving interface name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMPV6_GROUPREPORT_RAW: Icmpv6Type(1059)=131;
RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMPv6 multicast listener reports of the same
attributes, this message is sent only when the first report is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMPv6
multicast listener report is received.
Recommended No action is required.
action

ATK_ICMPV6_LARGE
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_ICMPV6_LARGE: RcvIfName(1023)=Ethernet0/0/2;
SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
Explanation This message is sent when large ICMPv6 packet logs are aggregated.
Recommended No action is required.
action

88
Security level: Secret

ATK_ICMPV6_LARGE_RAW
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IPv6 address.
Variable fields $3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
Severity level 3
ATK/3/ATK_ICMPV6_LARGE_RAW: RcvIfName(1023)=Ethernet0/0/2;
SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for large ICMPv6 packets of the same attributes, this
message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a large ICMPv6
packet is received.
Recommended No action is required.
action

ATK_ICMPV6_PACKETTOOBIG
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: ICMPv6 message type.
$2: Receiving interface name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_ICMPV6_PACKETTOOBIG: Icmpv6Type(1059)=136;
RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
Explanation This message is sent when ICMPv6 packet too big logs are aggregated.
Recommended No action is required.
action

89
Security level: Secret

ATK_ICMPV6_PACKETTOOBIG_RAW
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMPv6 message type.
$2: Receiving interface name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMPV6_PACKETTOOBIG_RAW: Icmpv6Type(1059)=136;
RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMPv6 packet too big packets of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMPv6 packet
too big packet is received.
Recommended No action is required.
action

ATK_ICMPV6_PARAPROBLEM
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: ICMPv6 message type.
$2: Receiving interface name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_ICMPV6_PARAPROBLEM: Icmpv6Type(1059)=135;
RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
Explanation This message is sent when ICMPv6 parameter problem logs are aggregated.
Recommended No action is required.
action

90
Security level: Secret

ATK_ICMPV6_PARAPROBLEM_RAW
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMPv6 message type.
$2: Receiving interface name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMPV6_PARAPROBLEM_RAW: Icmpv6Type(1059)=135;
RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMPv6 parameter problem packets of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMPv6
parameter problem packet is received.
Recommended No action is required.
action

ATK_ICMPV6_TIMEEXCEED
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: ICMPv6 message type.
$2: Receiving interface name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_ICMPV6_TIMEEXCEED: Icmpv6Type(1059)=134;
RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
Explanation This message is sent when ICMPv6 time exceeded logs are aggregated.
Recommended No action is required.
action

91
Security level: Secret

ATK_ICMPV6_TIMEEXCEED_RAW
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMPv6 message type.
$2: Receiving interface name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMPV6_TIMEEXCEED_RAW: Icmpv6Type(1059)=134;
RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMPv6 time exceeded packets of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMPv6 time
exceeded packet is received.
Recommended No action is required.
action

ATK_ICMPV6_TRACEROUTE
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_ICMPV6_TRACEROUTE: RcvIfName(1023)=Ethernet0/0/2;
SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
This message is sent when logs are aggregated for ICMPv6 time exceeded
Explanation packets of code 0.
Recommended No action is required.
action

92
Security level: Secret

ATK_ICMPV6_TRACEROUTE_RAW
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING].
$1: Receiving interface name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_ICMPV6_TRACEROUTE_RAW: RcvIfName(1023)=Ethernet0/0/2;
SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435.
If log aggregation is enabled, for ICMPv6 time exceeded packets of code 0 of the
same attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMPv6 time
exceeded packet of code 0 is received.
Recommended No action is required.
action

93
Security level: Secret

ATK_ICMPV6_TYPE
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: ICMPv6 message type.
$2: Receiving interface name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_ICMPV6_TYPE: Icmpv6Type(1059)=38;
RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
Explanation This message is sent when logs are aggregated for user-defined ICMPv6 packets.
Recommended No action is required.
action

ATK_ICMPV6_TYPE_RAW
Icmpv6Type(1059)=[UINT32]; RcvIfName(1023)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMPv6 message type.
$2: Receiving interface name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMPV6_TYPE_RAW: Icmpv6Type(1059)=38;
RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for user-defined ICMPv6 packets of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a user-defined
ICMPv6 packet is received.
Recommended No action is required.
action

94
Security level: Secret

ATK_IP4_ACK_FLOOD
RcvIfName(1023)=[STRING]; DstIPAddr(1007)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Destination IP address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_ACK_FLOOD: RcvIfName(1023)=Ethernet0/0/2;
DstIPAddr(1007)=6.1.1.5; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009093351.
This message is sent when the number of IPv4 ACK packets sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

ATK_IP4_DIS_PORTSCAN
RcvIfName(1023)=[STRING]; Protocol(1001)=[STRING];
TcpFlag(1074)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Protocol name.
$3: TCP packet type. (This field is available only for TCP packets.)
Variable fields $4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_DIS_PORTSCAN: RcvIfName(1023)=Ethernet0/0/2;
Protocol(1001)=TCP; TcpFlag(1074)=[SYN]; DstIPAddr(1007)=6.1.1.5;
Example RcvVPNInstance(1041)=vpn1; Action(1049)=logging,block-source;
BeginTime_c(1011)=20131009052955.
Explanation This message is sent when an IPv4 distributed port scan attack is detected.
Recommended No action is required.
action

95
Security level: Secret

ATK_IP4_DNS_FLOOD
RcvIfName(1023)=[STRING]; DstIPAddr(1007)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Destination IP address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_DNS_FLOOD: RcvIfName(1023)=Ethernet0/0/2;
DstIPAddr(1007)=6.1.1.5; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009093351.
This message is sent when the number of IPv4 DNS queries sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

ATK_IP4_FIN_FLOOD
RcvIfName(1023)=[STRING]; DstIPAddr(1007)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Destination IP address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_FIN_FLOOD: RcvIfName(1023)=Ethernet0/0/2;
DstIPAddr(1007)=6.1.1.5; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009093351.
This message is sent when the number of IPv4 FIN packets sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

96
Security level: Secret

ATK_IP4_FRAGMENT
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
$5: Name of the receiving VPN instance.
Variable fields
$6: Protocol type.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 3
ATK/3/ATK_IP4_FRAGMENT: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=TCP;
Action(1049)=logging; BeginTime_c(1011)=20131011074913;
EndTime_c(1012)=20131011075413; AtkTimes(1050)=3.
This message is sent when logs are aggregated for IPv4 packets with an offset
Explanation smaller than 5 but bigger than 0.
Recommended No action is required.
action

97
Security level: Secret

ATK_IP4_FRAGMENT_RAW
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING];
Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields $4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Protocol type.
$7: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_FRAGMENT_RAW: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=TCP;
Action(1049)=logging.
This message is for the IPv4 fragment attack. The attack uses IPv4 packets with
an offset smaller than 5 but bigger than 0.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

98
Security level: Secret

ATK_IP4_HTTP_FLOOD
RcvIfName(1023)=[STRING]; DstIPAddr(1007)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Destination IP address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_HTTP_FLOOD: RcvIfName(1023)=Ethernet0/0/2;
DstIPAddr(1007)=6.1.1.5; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009093351.
This message is sent when the number of IPv4 HTTP Get packets sent to a
Explanation destination per second exceeds the rate limit.
Recommended No action is required.
action

99
Security level: Secret

ATK_IP4_IMPOSSIBLE
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
$5: Name of the receiving VPN instance.
Variable fields
$6: Protocol type.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 3
ATK/3/ATK_IP4_IMPOSSIBLE: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=TCP;
Action(1049)=logging; BeginTime_c(1011)=20131011074913;
EndTime_c(1012)=20131011075413; AtkTimes(1050)=3.
This message is sent when logs are aggregated for IPv4 packets whose source
Explanation IPv4 address is the same as the destination IPv4 address.
Recommended No action is required.
action

100
Security level: Secret

ATK_IP4_IMPOSSIBLE_RAW
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING];
Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields $4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Protocol type.
$7: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_IMPOSSIBLE_RAW: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=TCP;
Action(1049)=logging.
This message is for the IPv4 impossible packet attack. The attack uses IPv4
packets whose source IPv4 address is the same as the destination IPv4 address.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

ATK_IP4_IPSWEEP
RcvIfName(1023)=[STRING]; Protocol(1001)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Protocol name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_IPSWEEP: RcvIfName(1023)=Ethernet0/0/2;
Protocol(1001)=TCP; SrcIPAddr(1003)=9.1.1.5; DSLiteTunnelPeer(1040)=--;
Example RcvVPNInstance(1041)=vpn1; Action(1049)=logging,block-source;
BeginTime_c(1011)=20131009060657.
Explanation This message is sent when an IPv4 sweep attack is detected.
Recommended No action is required.
action

101
Security level: Secret

ATK_IP4_PORTSCAN
RcvIfName(1023)=[STRING]; Protocol(1001)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text RcvVPNInstance(1041)=[STRING]; DstIPAddr(1007)=[IPADDR];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Protocol name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
Variable fields
$5: Name of the receiving VPN instance.
$6: Destination IP address.
$7: Actions against the attack.
$8: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_PORTSCAN: RcvIfName(1023)=Ethernet0/0/2;
Protocol(1001)=TCP; SrcIPAddr(1003)=9.1.1.5; DSLiteTunnelPeer(1040)=--;
Example RcvVPNInstance(1041)=vpn1; DstIPAddr(1007)=6.1.1.5;
Action(1049)=logging,block-source; BeginTime_c(1011)=20131009052955.
Explanation This message is sent when an IPv4 port scan attack is detected.
Recommended No action is required.
action

ATK_IP4_RST_FLOOD
RcvIfName(1023)=[STRING]; DstIPAddr(1007)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Destination IP address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_RST_FLOOD: RcvIfName(1023)=Ethernet0/0/2;
DstIPAddr(1007)=6.1.1.5; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009093351.
This message is sent when the number of IPv4 RST packets sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

102
Security level: Secret

ATK_IP4_SYN_FLOOD
RcvIfName(1023)=[STRING]; DstIPAddr(1007)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Destination IP address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_SYN_FLOOD: RcvIfName(1023)=Ethernet0/0/2;
DstIPAddr(1007)=6.1.1.5; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009093351.
This message is sent when the number of IPv4 SYN packets sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

ATK_IP4_SYNACK_FLOOD
RcvIfName(1023)=[STRING]; DstIPAddr(1007)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Destination IP address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_SYNACK_FLOOD: RcvIfName(1023)=Ethernet0/0/2;
DstIPAddr(1007)=6.1.1.5; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009093351.
This message is sent when the number of IPv4 SYN-ACK packets sent to a
Explanation destination per second exceeds the rate limit.
Recommended No action is required.
action

103
Security level: Secret

ATK_IP4_TCP_ALLFLAGS
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP4_TCP_ALLFLAGS: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=3.
This message is sent when logs are aggregated for IPv4 TCP packets that have
Explanation all flags set.
Recommended No action is required.
action

104
Security level: Secret

ATK_IP4_TCP_ALLFLAGS_RAW
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_TCP_ALLFLAGS_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv4 TCP packets that have all flags set.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

105
Security level: Secret

ATK_IP4_TCP_FINONLY
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP4_TCP_FINONLY: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=3.
This message is sent when logs are aggregated for IPv4 TCP packets that have
Explanation only the FIN flag set.
Recommended No action is required.
action

106
Security level: Secret

ATK_IP4_TCP_FINONLY_RAW
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_TCP_FINONLY_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv4 TCP packets that have only the FIN flag set.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

107
Security level: Secret

ATK_IP4_TCP_INVALIDFLAGS
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP4_TCP_INVALIDFLAGS: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=3.
This message is sent when logs are aggregated for IPv4 TCP packets that have
invalid flag settings. Invalid flag settings include:
• The RST and FIN flags are both set.
• The RST and SYN flags are both set.
• The RST, FIN, and SYN flags are all set.
• The PSH, RST, and FIN flags are all set.
• The PSH, RST, and SYN flags are all set.
Explanation • The PSH, RST, SYN, and FIN flags are all set.
• The ACK, RST, and FIN flags are all set.
• The ACK, RST, and SYN flags are all set.
• The ACK, RST, SYN, and FIN flags are all set.
• The ACK, PSH, SYN, and FIN flags are all set.
• The ACK, PSH, RST, and FIN flags are all set.
• The ACK, PSH, RST, and SYN flags are all set.
Recommended No action is required.
action

108
Security level: Secret

ATK_IP4_TCP_INVALIDFLAGS_RAW
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_TCP_INVALIDFLAGS_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv4 TCP packets that have invalid flag settings. Invalid flag
settings include:
• The RST and FIN flags are both set.
• The RST and SYN flags are both set.
• The RST, FIN, and SYN flags are all set.
• The PSH, RST, and FIN flags are all set.
• The PSH, RST, and SYN flags are all set.
• The PSH, RST, SYN, and FIN flags are all set.
• The ACK, RST, and FIN flags are all set.
Explanation • The ACK, RST, and SYN flags are all set.
• The ACK, RST, SYN, and FIN flags are all set.
• The ACK, PSH, SYN, and FIN flags are all set.
• The ACK, PSH, RST, and FIN flags are all set.
• The ACK, PSH, RST, and SYN flags are all set.
If log aggregation is enabled, for packets of the same attributes, this message is
sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

109
Security level: Secret

ATK_IP4_TCP_LAND
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP4_TCP_LAND: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=3.
This message is sent when logs are aggregated for IPv4 TCP packets whose
Explanation source IP address is the same as the destination IP address.
Recommended No action is required.
action

110
Security level: Secret

ATK_IP4_TCP_LAND_RAW
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_TCP_LAND_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for the IPv4 land attack. The attack uses IPv4 TCP packets
whose source IP address is the same as the destination IP address.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

111
Security level: Secret

ATK_IP4_TCP_NULLFLAG
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP4_TCP_NULLFLAG: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=4.
This message is sent when logs are aggregated for IPv4 TCP packets that have
Explanation no flag set.
Recommended No action is required.
action

112
Security level: Secret

ATK_IP4_TCP_NULLFLAG_RAW
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_TCP_NULLFLAG_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv4 TCP packets that have no flag set.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

113
Security level: Secret

ATK_IP4_TCP_SYNFIN
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP4_TCP_SYNFIN: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv4 TCP packets that have
Explanation SYN and FIN flags set.
Recommended No action is required.
action

114
Security level: Secret

ATK_IP4_TCP_SYNFIN_RAW
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_TCP_SYNFIN_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv4 TCP packets that have SYN and FIN flags set.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

115
Security level: Secret

ATK_IP4_TCP_WINNUKE
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP4_TCP_WINNUKE: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=5.
This message is sent when logs are aggregated for IPv4 TCP packets with
Explanation destination port 139, the URG flag set, and a nonzero Urgent Pointer.
Recommended No action is required.
action

116
Security level: Secret

ATK_IP4_TCP_WINNUKE_RAW
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_TCP_WINNUKE_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for the IPv4 WinNuke attack. The attack uses IPv4 TCP packets
with destination port 139, the URG flag set, and a nonzero Urgent Pointer.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

117
Security level: Secret

ATK_IP4_TEARDROP
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
$5: Name of the receiving VPN instance.
Variable fields
$6: Protocol type.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 3
ATK/3/ATK_IP4_TEARDROP: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=TCP;
Action(1049)=logging; BeginTime_c(1011)=20131011074913;
EndTime_c(1012)=20131011075413; AtkTimes(1050)=3.
Explanation This message is sent when logs are aggregated for IPv4 overlapping fragments.
Recommended No action is required.
action

118
Security level: Secret

ATK_IP4_TEARDROP_RAW
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING];
Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields $4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Protocol type.
$7: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_TEARDROP_RAW: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=TCP;
Action(1049)=logging.
If log aggregation is enabled, for IPv4 overlapping fragments of the same
attributes, this message is sent only when the first overlapping fragment is
Explanation received.
If log aggregation is disabled, this message is sent every time an IPv4 overlapping
fragment is received.
Recommended No action is required.
action

119
Security level: Secret

ATK_IP4_TINY_FRAGMENT
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
$5: Name of the receiving VPN instance.
Variable fields
$6: Protocol type.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 3
ATK/3/ATK_IP4_TINY_FRAGMENT: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=TCP;
Action(1049)=logging; BeginTime_c(1011)=20131011074913;
EndTime_c(1012)=20131011075413; AtkTimes(1050)=6.
This message is sent when logs are aggregated for IPv4 packets with a datagram
Explanation smaller than 68 bytes and the MF flag set.
Recommended No action is required.
action

120
Security level: Secret

ATK_IP4_TINY_FRAGMENT_RAW
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING];
Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields $4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Protocol type.
$7: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_TINY_FRAGMENT_RAW: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=TCP;
Action(1049)=logging.
This message is for the IPv4 tiny fragment attack. The attack uses IPv4 packets
with a datagram smaller than 68 bytes and the MF flag set.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

121
Security level: Secret

ATK_IP4_UDP_BOMB
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP4_UDP_BOMB: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv4 UDP packets in which
Explanation the length value in the IP header is larger than the IP header length plus the length
in the UDP header.
Recommended No action is required.
action

122
Security level: Secret

ATK_IP4_UDP_BOMB_RAW
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_UDP_BOMB_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv4 UDP bomb attack. The attack uses IPv4 UDP packets in
which the length value in the IP header is larger than the IP header length plus the
length in the UDP header.
Explanation If log aggregation is enabled, for packets of the same attributes, this message is
sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

ATK_IP4_UDP_FLOOD
RcvIfName(1023)=[STRING]; DstIPAddr(1007)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Destination IP address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_UDP_FLOOD: RcvIfName(1023)=Ethernet0/0/2;
DstIPAddr(1007)=6.1.1.5; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009093351.
This message is sent when the number of IPv4 UDP packets sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

123
Security level: Secret

ATK_IP4_UDP_FRAGGLE
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP4_UDP_FRAGGLE: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=11.
This message is sent when logs are aggregated for IPv4 UDP packets with source
Explanation port 7 and destination port 19.
Recommended No action is required.
action

124
Security level: Secret

ATK_IP4_UDP_FRAGGLE_RAW
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_UDP_FRAGGLE_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv4 UDP fraggle attack. The attack uses IPv4 UDP packets
with source port 7 and destination port 19.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

125
Security level: Secret

ATK_IP4_UDP_SNORK
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP4_UDP_SNORK: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv4 UDP packets with source
Explanation port 7, 19, or 135, and destination port 135.
Recommended No action is required.
action

126
Security level: Secret

ATK_IP4_UDP_SNORK_RAW
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_UDP_SNORK_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv4 UDP snork attack. The attack uses IPv4 UDP packets
with source port 7, 19, or 135, and destination port 135.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

ATK_IP6_ACK_FLOOD
RcvIfName(1023)=[STRING]; DstIPv6Addr(1037)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Destination IPv6 address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_ACK_FLOOD: RcvIfName(1023)=Ethernet0/0/2;
DstIPv6Addr(1037)=2::2; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009100434.
This message is sent when the number of IPv6 ACK packets sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

127
Security level: Secret

ATK_IP6_DIS_PORTSCAN
RcvIfName(1023)=[STRING]; Protocol(1001)=[STRING];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Protocol name.
$3: Destination IPv6 address.
Variable fields
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
$6: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_DIS_PORTSCAN: RcvIfName(1023)=Ethernet0/0/2;
Example Protocol(1001)=UDP; DstIPv6Addr(1037)=2::2; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131009100928.
Explanation This message is sent when an IPv6 distributed port scan attack is detected.
Recommended No action is required.
action

ATK_IP6_DNS_FLOOD
RcvIfName(1023)=[STRING]; DstIPv6Addr(1037)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Destination IPv6 address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_DNS_FLOOD: RcvIfName(1023)=Ethernet0/0/2;
DstIPv6Addr(1037)=2::2; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009100434.
This message is sent when the number of IPv6 DNS queries sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

128
Security level: Secret

ATK_IP6_FIN_FLOOD
RcvIfName(1023)=[STRING]; DstIPv6Addr(1037)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Destination IPv6 address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_FIN_FLOOD: RcvIfName(1023)=Ethernet0/0/2;
DstIPv6Addr(1037)=2::2; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009100434.
This message is sent when the number of IPv6 FIN packets sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

129
Security level: Secret

ATK_IP6_FRAGMENT
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Protocol(1001)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields $5: Protocol type.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP6_FRAGMENT: RcvIfName(1023)=Ethernet0/0/2;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=1::1; RcvVPNInstance(1041)=--;
Example Protocol(1001)=IPv6-ICMP; Action(1049)=logging;
BeginTime_c(1011)=20131011103335; EndTime_c(1012)=20131011103835;
AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 packets with an offset
Explanation smaller than 5 but bigger than 0.
Recommended No action is required.
action

130
Security level: Secret

ATK_IP6_FRAGMENT_RAW
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Protocol(1001)=[STRING]; Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
Variable fields
$4: Name of the receiving VPN instance.
$5: Protocol type.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_FRAGMENT_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=1::1; RcvVPNInstance(1041)=--;
Protocol(1001)=IPv6-ICMP; Action(1049)=logging.
This message is for the IPv6 fragment attack. The attack uses IPv6 packets with
an offset smaller than 5 but bigger than 0.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

ATK_IP6_HTTP_FLOOD
RcvIfName(1023)=[STRING]; DstIPv6Addr(1037)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Destination IPv6 address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_HTTP_FLOOD: RcvIfName(1023)=Ethernet0/0/2;
DstIPv6Addr(1037)=2::2; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009100434.
This message is sent when the number of IPv6 HTTP Get packets sent to a
Explanation destination per second exceeds the rate limit.
Recommended No action is required.
action

131
Security level: Secret

ATK_IP6_IMPOSSIBLE
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Protocol(1001)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields $5: Protocol type.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP6_IMPOSSIBLE: RcvIfName(1023)=Ethernet0/0/2;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=1::1; RcvVPNInstance(1041)=--;
Example Protocol(1001)=IPv6-ICMP; Action(1049)=logging;
BeginTime_c(1011)=20131011103335; EndTime_c(1012)=20131011103835;
AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 packets whose source
Explanation IPv6 address is the same as the destination IPv6 address.
Recommended No action is required.
action

132
Security level: Secret

ATK_IP6_IMPOSSIBLE_RAW
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Protocol(1001)=[STRING]; Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
Variable fields
$4: Name of the receiving VPN instance.
$5: Protocol type.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_IMPOSSIBLE_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=1::1; RcvVPNInstance(1041)=--;
Protocol(1001)=IPv6-ICMP; Action(1049)=logging.
This message is for the IPv6 impossible packet attack. The attack uses IPv6
packets whose source IPv6 address is the same as the destination IPv6 address.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

ATK_IP6_IPSWEEP
RcvIfName(1023)=[STRING]; Protocol(1001)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Protocol name.
$3: Source IPv6 address.
Variable fields
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
$6: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_IPSWEEP: RcvIfName(1023)=Ethernet0/0/2;
Example Protocol(1001)=UDP; SrcIPv6Addr(1036)=1::5; RcvVPNInstance(1041)=--;
Action(1049)=logging,block-source; BeginTime_c(1011)=20131009100639.
Explanation This message is sent when an IPv6 sweep attack is detected.
Recommended No action is required.
action

133
Security level: Secret

ATK_IP6_PORTSCAN
RcvIfName(1023)=[STRING]; Protocol(1001)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text DstIPv6Addr(1037)=[IPADDR]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Protocol name.
$3: Source IPv6 address.
Variable fields $4: Name of the receiving VPN instance.
$5: Destination IPv6 address.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_PORTSCAN: RcvIfName(1023)=Ethernet0/0/2;
Protocol(1001)=UDP; SrcIPv6Addr(1036)=1::5; RcvVPNInstance(1041)=--;
Example DstIPv6Addr(1037)=2::2; Action(1049)=logging,block-source;
BeginTime_c(1011)=20131009100455.
Explanation This message is sent when an IPv6 port scan attack is detected.
Recommended No action is required.
action

ATK_IP6_RST_FLOOD
RcvIfName(1023)=[STRING]; DstIPv6Addr(1037)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Destination IPv6 address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_RST_FLOOD: RcvIfName(1023)=Ethernet0/0/2;
Example DstIPv6Addr(1037)=2::2; RcvVPNInstance(1041)=--; UpperLimit(1048)=10;
Action(1049)=logging; BeginTime_c(1011)=20131009100434.
This message is sent when the number of IPv6 RST packets sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

134
Security level: Secret

ATK_IP6_SYN_FLOOD
RcvIfName(1023)=[STRING]; DstIPv6Addr(1037)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Destination IPv6 address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_SYN_FLOOD: RcvIfName(1023)=Ethernet0/0/2;
DstIPv6Addr(1037)=2::2; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009100434.
This message is sent when the number of IPv6 SYN packets sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

ATK_IP6_SYNACK_FLOOD
RcvIfName(1023)=[STRING]; DstIPv6Addr(1037)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Destination IPv6 address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_SYNACK_FLOOD: RcvIfName(1023)=Ethernet0/0/2;
DstIPv6Addr(1037)=2::2; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009100434.
This message is sent when the number of IPv6 SYN-ACK packets sent to a
Explanation destination per second exceeds the rate limit.
Recommended No action is required.
action

135
Security level: Secret

ATK_IP6_TCP_ALLFLAGS
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_IP6_TCP_ALLFLAGS: RcvIfName(1023)=Ethernet0/0/2;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Example Action(1049)=logging; BeginTime_c(1011)=20131009103631;
EndTime_c(1012)=20131009104131; AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 TCP packets that have
Explanation all flags set.
Recommended No action is required.
action

ATK_IP6_TCP_ALLFLAGS_RAW
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IPv6 address.
Variable fields $3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_TCP_ALLFLAGS_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPv6Addr(1036)=2000::1; DstIPv6Addr(1037)=2003::200;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv6 TCP packets that have all flags set.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

136
Security level: Secret

ATK_IP6_TCP_FINONLY
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_IP6_TCP_FINONLY: RcvIfName(1023)=Ethernet0/0/2;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Example Action(1049)=logging; BeginTime_c(1011)=20131009103631;
EndTime_c(1012)=20131009104131; AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 TCP packets that have
Explanation only the FIN flag set.
Recommended No action is required.
action

ATK_IP6_TCP_FINONLY_RAW
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IPv6 address.
Variable fields $3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_TCP_FINONLY_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPv6Addr(1036)=2000::1; DstIPv6Addr(1037)=2003::200;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv6 TCP packets that have only the FIN flag set.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

137
Security level: Secret

ATK_IP6_TCP_INVALIDFLAGS
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_IP6_TCP_INVALIDFLAGS: RcvIfName(1023)=Ethernet0/0/2;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Example Action(1049)=logging; BeginTime_c(1011)=20131009103631;
EndTime_c(1012)=20131009104131; AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 TCP packets that have
invalid flag settings. Invalid flag settings include:
• The RST and FIN flags are both set.
• The RST and SYN flags are both set.
• The RST, FIN, and SYN flags are all set.
• The PSH, RST, and FIN flags are all set.
• The PSH, RST, and SYN flags are all set.
Explanation • The PSH, RST, SYN, and FIN flags are all set.
• The ACK, RST, and FIN flags are all set.
• The ACK, RST, and SYN flags are all set.
• The ACK, RST, SYN, and FIN flags are all set.
• The ACK, PSH, SYN, and FIN flags are all set.
• The ACK, PSH, RST, and FIN flags are all set.
• The ACK, PSH, RST, and SYN flags are all set.
Recommended No action is required.
action

138
Security level: Secret

ATK_IP6_TCP_INVALIDFLAGS_RAW
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IPv6 address.
Variable fields $3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_TCP_INVALIDFLAGS_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPv6Addr(1036)=2000::1; DstIPv6Addr(1037)=2003::200;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv6 TCP packets that have invalid flag settings. Invalid flag
settings include:
• The RST and FIN flags are both set.
• The RST and SYN flags are both set.
• The RST, FIN, and SYN flags are all set.
• The PSH, RST, and FIN flags are all set.
• The PSH, RST, and SYN flags are all set.
• The PSH, RST, SYN, and FIN flags are all set.
• The ACK, RST, and FIN flags are all set.
Explanation • The ACK, RST, and SYN flags are all set.
• The ACK, RST, SYN, and FIN flags are all set.
• The ACK, PSH, SYN, and FIN flags are all set.
• The ACK, PSH, RST, and FIN flags are all set.
• The ACK, PSH, RST, and SYN flags are all set.
If log aggregation is enabled, for packets of the same attributes, this message is
sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

139
Security level: Secret

ATK_IP6_TCP_LAND
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_IP6_TCP_LAND: RcvIfName(1023)=Ethernet0/0/2;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Example Action(1049)=logging; BeginTime_c(1011)=20131009103631;
EndTime_c(1012)=20131009104131; AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 TCP packets whose
Explanation source IPv6 address is the same as the destination IPv6 address.
Recommended No action is required.
action

ATK_IP6_TCP_LAND_RAW
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IPv6 address.
Variable fields $3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_TCP_LAND_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPv6Addr(1036)=2000::1; DstIPv6Addr(1037)=2003::200;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for the IPv6 land attack. The attack uses IPv6 TCP packets
whose source IPv6 address is the same as the destination IPv6 address.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

140
Security level: Secret

ATK_IP6_TCP_NULLFLAG
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_IP6_TCP_NULLFLAG: RcvIfName(1023)=Ethernet0/0/2;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Example Action(1049)=logging; BeginTime_c(1011)=20131009103631;
EndTime_c(1012)=20131009104131; AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 TCP packets that have
Explanation no flag set.
Recommended No action is required.
action

ATK_IP6_TCP_NULLFLAG_RAW
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IPv6 address.
Variable fields $3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_TCP_NULLFLAG_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPv6Addr(1036)=2000::1; DstIPv6Addr(1037)=2003::200;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv6 TCP packets that have no flag set.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

141
Security level: Secret

ATK_IP6_TCP_SYNFIN
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_IP6_TCP_SYNFIN: RcvIfName(1023)=Ethernet0/0/2;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Example Action(1049)=logging; BeginTime_c(1011)=20131009103631;
EndTime_c(1012)=20131009104131; AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 TCP packets that have
Explanation SYN and FIN flags set.
Recommended No action is required.
action

ATK_IP6_TCP_SYNFIN_RAW
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IPv6 address.
Variable fields $3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_TCP_SYNFIN_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPv6Addr(1036)=2000::1; DstIPv6Addr(1037)=2003::200;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv6 TCP packets that have SYN and FIN flags set.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

142
Security level: Secret

ATK_IP6_TCP_WINNUKE
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_IP6_TCP_WINNUKE: RcvIfName(1023)=Ethernet0/0/2;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Example Action(1049)=logging; BeginTime_c(1011)=20131009103631;
EndTime_c(1012)=20131009104131; AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 TCP packets with
Explanation destination port 139, the URG flag set, and a nonzero Urgent Pointer.
Recommended No action is required.
action

ATK_IP6_TCP_WINNUKE_RAW
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IPv6 address.
Variable fields $3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_TCP_WINNUKE_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Action(1049)=logging.
This message is for the IPv6 WinNuke attack. The attack uses IPv6 TCP packets
with destination port 139, the URG flag set, and a nonzero Urgent Pointer.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

143
Security level: Secret

ATK_IP6_UDP_FLOOD
RcvIfName(1023)=[STRING]; DstIPv6Addr(1037)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Receiving interface name.
$2: Destination IPv6 address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_UDP_FLOOD: RcvIfName(1023)=Ethernet0/0/2;
DstIPv6Addr(1037)=2::2; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009100434.
This message is sent when the number of IPv6 UDP packets sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

ATK_IP6_UDP_FRAGGLE
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_IP6_UDP_FRAGGLE: RcvIfName(1023)=Ethernet0/0/2;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Example Action(1049)=logging; BeginTime_c(1011)=20131009103631;
EndTime_c(1012)=20131009104131; AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 UDP packets with source
Explanation port 7 and destination port 19.
Recommended No action is required.
action

144
Security level: Secret

ATK_IP6_UDP_FRAGGLE_RAW
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IPv6 address.
Variable fields $3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_UDP_FRAGGLE_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Action(1049)=logging.
This message is for IPv6 UDP fraggle attack. The attack uses IPv6 UDP packets
with source port 7 and destination port 19.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

ATK_IP6_UDP_SNORK
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_IP6_UDP_SNORK: RcvIfName(1023)=Ethernet0/0/2;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Example Action(1049)=logging; BeginTime_c(1011)=20131009103631;
EndTime_c(1012)=20131009104131; AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 UDP packets with source
Explanation port 7, 19, or 135, and destination port 135.
Recommended No action is required.
action

145
Security level: Secret

ATK_IP6_UDP_SNORK_RAW
RcvIfName(1023)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IPv6 address.
Variable fields $3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_UDP_SNORK_RAW: RcvIfName(1023)=Ethernet0/0/2;
Example SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Action(1049)=logging.
This message is for IPv6 UDP snork attack. The attack uses IPv6 UDP packets
with source port 7, 19, or 135, and port 135.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is
received.
Recommended No action is required.
action

146
Security level: Secret

ATK_IP_OPTION
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Protocol(1001)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: IP option value.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields $6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
$9: Start time of the attack.
$10: End time of the attack.
$11: Attack times.
Severity level 5
ATK/5/ATK_IP_OPTION: IPOptValue(1057)=38;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging;
BeginTime_c(1011)=20131011063123; EndTime_c(1012)=20131011063623;
AtkTimes(1050)=3.
This message is sent when logs are aggregated for packets with a user-defined IP
Explanation option.
Recommended No action is required.
action

147
Security level: Secret

ATK_IP_OPTION_RAW
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Protocol(1001)=[STRING]; Action(1049)=[STRING].
$1: IP option value.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
Variable fields
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
Severity level 5
ATK/5/ATK_IP_OPTION_RAW: IPOptValue(1057)=38;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging.
If log aggregation is enabled, for packets with a user-defined IP option and of the
same attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a packet with a
user-defined IP option is received.
Recommended No action is required.
action

148
Security level: Secret

ATK_IPOPT_ABNORMAL
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
$5: Name of the receiving VPN instance.
Variable fields
$6: Protocol type.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 3
ATK/3/ATK_IPOPT_ABNORMAL: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP;
Action(1049)=logging; BeginTime_c(1011)=20131011072002;
EndTime_c(1012)=20131011072502; AtkTimes(1050)=3.
This message is sent when logs are aggregated for packets with more than two IP
Explanation options.
Recommended No action is required.
action

149
Security level: Secret

ATK_IPOPT_ABNORMAL_RAW
RcvIfName(1023)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING];
Action(1049)=[STRING].
$1: Receiving interface name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields $4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Protocol type.
$7: Actions against the attack.
Severity level 3
ATK/3/ATK_IPOPT_ABNORMAL_RAW: RcvIfName(1023)=Ethernet0/0/2;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--;
Example DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP;
Action(1049)=logging.
This message is for packets that each has more than two IP options.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet with more
than two IP options is received.
Recommended No action is required.
action

150
Security level: Secret

ATK_IPOPT_LOOSESRCROUTE
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Protocol(1001)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=
[UINT32].
$1: IP option value.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields $6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
$9: Start time of the attack.
$10: End time of the attack.
$11: Attack times.
Severity level 5
ATK/5/ATK_IPOPT_LOOSESRCROUTE: IPOptValue(1057)=131;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging;
BeginTime_c(1011)=20131011063123; EndTime_c(1012)=20131011063623;
AtkTimes(1050)=3.
Explanation This message is sent when logs are aggregated for packets with IP option 131.
Recommended No action is required.
action

151
Security level: Secret

ATK_IPOPT_LOOSESRCROUTE_RAW
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Protocol(1001)=[STRING]; Action(1049)=[STRING].
$1: IP option value.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
Variable fields
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
Severity level 5
ATK/5/ATK_IPOPT_LOOSESRCROUTE_RAW: IPOptValue(1057)=131;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging.
If log aggregation is enabled, for packets with IP option 131 and of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a packet with IP
option 131 is received.
Recommended No action is required.
action

152
Security level: Secret

ATK_IPOPT_RECORDROUTE
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Protocol(1001)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: IP option value.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields $6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
$9: Start time of the attack.
$10: End time of the attack.
$11: Attack times.
Severity level 5
ATK/5/ATK_IPOPT_RECORDROUTE: IPOptValue(1057)=7;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging;
BeginTime_c(1011)=20131011063123; EndTime_c(1012)=20131011063623;
AtkTimes(1050)=3.
Explanation This message is sent when logs are aggregated for packets with IP option 7.
Recommended No action is required.
action

153
Security level: Secret

ATK_IPOPT_RECORDROUTE_RAW
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Protocol(1001)=[STRING]; Action(1049)=[STRING].
$1: IP option value.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
Variable fields
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
Severity level 5
ATK/5/ATK_IPOPT_RECORDROUTE_RAW: IPOptValue(1057)=7;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging.
If log aggregation is enabled, for packets with IP option 7 and of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a packet with IP
option 7 is received.
Recommended No action is required.
action

154
Security level: Secret

ATK_IPOPT_ROUTEALERT
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Protocol(1001)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: IP option value.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields $6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
$9: Start time of the attack.
$10: End time of the attack.
$11: Attack times.
Severity level 5
ATK/5/ATK_IPOPT_ROUTEALERT: IPOptValue(1057)=148;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging;
BeginTime_c(1011)=20131011063123; EndTime_c(1012)=20131011063623;
AtkTimes(1050)=3.
Explanation This message is sent when logs are aggregated for packets with IP option 148.
Recommended No action is required.
action

155
Security level: Secret

ATK_IPOPT_ROUTEALERT_RAW
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Protocol(1001)=[STRING]; Action(1049)=[STRING].
$1: IP option value.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
Variable fields
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
Severity level 5
ATK/5/ATK_IPOPT_ROUTEALERT_RAW: IPOptValue(1057)=148;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging.
If log aggregation is enabled, for packets with IP option 148 and of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a packet with IP
option 148 is received.
Recommended No action is required.
action

156
Security level: Secret

ATK_IPOPT_SECURITY
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Protocol(1001)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: IP option value.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields $6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
$9: Start time of the attack.
$10: End time of the attack.
$11: Attack times.
Severity level 5
ATK/5/ATK_IPOPT_SECURITY: IPOptValue(1057)=130;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging;
BeginTime_c(1011)=20131009091022; EndTime_c(1012)=20131009091522;
AtkTimes(1050)=2.
Explanation This message is sent when logs are aggregated for packets with IP option 130.
Recommended No action is required.
action

157
Security level: Secret

ATK_IPOPT_SECURITY_RAW
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Protocol(1001)=[STRING]; Action(1049)=[STRING].
$1: IP option value.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
Variable fields
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
Severity level 5
ATK/5/ATK_IPOPT_SECURITY_RAW: IPOptValue(1057)=130;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging.
If log aggregation is enabled, for packets with IP option 130 and of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a packet with IP
option 130 is received.
Recommended No action is required.
action

158
Security level: Secret

ATK_IPOPT_STREAMID
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Protocol(1001)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: IP option value.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields $6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
$9: Start time of the attack.
$10: End time of the attack.
$11: Attack times.
Severity level 5
ATK/5/ATK_IPOPT_STREAMID: IPOptValue(1057)=136;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging;
BeginTime_c(1011)=20131011063123; EndTime_c(1012)=20131011063623;
AtkTimes(1050)=3.
Explanation This message is sent when logs are aggregated for packets with IP option 136.
Recommended No action is required.
action

159
Security level: Secret

ATK_IPOPT_STREAMID_RAW
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Protocol(1001)=[STRING]; Action(1049)=[STRING].
$1: IP option value.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
Variable fields
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
Severity level 5
ATK/5/ATK_IPOPT_STREAMID_RAW: IPOptValue(1057)=136;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging.
If log aggregation is enabled, for packets with IP option 136 and of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a packet with IP
option 136 is received.
Recommended No action is required.
action

160
Security level: Secret

ATK_IPOPT_STRICTSRCROUTE
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Protocol(1001)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: IP option value.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields $6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
$9: Start time of the attack.
$10: End time of the attack.
$11: Attack times.
Severity level 5
ATK/5/ATK_IPOPT_STRICTSRCROUTE: IPOptValue(1057)=137;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging;
BeginTime_c(1011)=20131011063123; EndTime_c(1012)=20131011063623;
AtkTimes(1050)=3.
Explanation This message is sent when logs are aggregated for packets with IP option 137.
Recommended No action is required.
action

161
Security level: Secret

ATK_IPOPT_STRICTSRCROUTE_RAW
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Protocol(1001)=[STRING]; Action(1049)=[STRING].
$1: IP option value.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
Variable fields
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
Severity level 5
ATK/5/ATK_IPOPT_STRICTSRCROUTE_RAW: IPOptValue(1057)=137;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging.
If log aggregation is enabled, for packets with IP option 137 and of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a packet with IP
option 137 is received.
Recommended No action is required.
action

162
Security level: Secret

ATK_IPOPT_TIMESTAMP
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Protocol(1001)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: IP option value.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields $6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
$9: Start time of the attack.
$10: End time of the attack.
$11: Attack times.
Severity level 5
ATK/5/ATK_IPOPT_TIMESTAMP: IPOptValue(1057)=68;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging;
BeginTime_c(1011)=20131011063123; EndTime_c(1012)=20131011063623;
AtkTimes(1050)=3.
Explanation This message is sent when logs are aggregated for packets with IP option 68.
Recommended No action is required.
action

163
Security level: Secret

ATK_IPOPT_TIMESTAMP_RAW
IPOptValue(1057)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Protocol(1001)=[STRING]; Action(1049)=[STRING].
$1: IP option value.
$2: Receiving interface name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
Variable fields
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
Severity level 5
ATK/5/ATK_IPOPT_TIMESTAMP_RAW: IPOptValue(1057)=68;
RcvIfName(1023)=Ethernet0/0/2; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging.
If log aggregation is enabled, for packets with IP option 68 and of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a packet with IP
option 68 is received.
Recommended No action is required.
action

164
Security level: Secret

ATK_IPV6_EXT_HEADER
IPv6ExtHeader(1060)=[UINT32]; RcvIfName(1023)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: IPv6 extension header value.
$2: Receiving interface name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_IPV6_EXT_HEADER: IPv6ExtHeader(1060)=43;
RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=1::1;
Example DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131009103631; EndTime_c(1012)=20131009104131;
AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 packets with a
Explanation user-defined extension header.
Recommended No action is required.
action

165
Security level: Secret

ATK_IPV6_EXT_HEADER_RAW
IPv6ExtHeader(1060)=[UINT32]; RcvIfName(1023)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: IPv6 extension header value.
$2: Receiving interface name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_IPV6_EXT_HEADER_RAW: IPv6ExtHeader(1060)=43;
Example RcvIfName(1023)=Ethernet0/0/2; SrcIPv6Addr(1036)=1::1;
DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--; Action(1049)=logging.
If log aggregation is enabled, for IPv6 packets with a user-defined extension
header and of the same attributes, this message is sent only when the first packet
Explanation is received.
If log aggregation is disabled, this message is sent every time an IPv6 packet with
a user-defined extension header is received.
Recommended No action is required.
action

166
Security level: Secret

ATK_ICMP_ADDRMASK_REQ_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_ADDRMASK_REQ_SZ: IcmpType(1058)=17;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011091319;
EndTime_c(1012)=20131011091819; AtkTimes(1050)=2.
Explanation This message is sent when ICMP address mask request logs are aggregated.
Recommended No action is required.
action

167
Security level: Secret

ATK_ICMP_ADDRMASK_REQ_RAW_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_ADDRMASK_REQ_RAW_SZ: IcmpType(1058)=17;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMP address mask requests of the same
attributes, this message is sent only when the first request is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP address
mask request is received.
Recommended No action is required.
action

168
Security level: Secret

ATK_ICMP_ADDRMASK_RPL_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_ADDRMASK_RPL_SZ: IcmpType(1058)=18;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011091319;
EndTime_c(1012)=20131011091819; AtkTimes(1050)=2.
Explanation This message is sent when ICMP address mask reply logs are aggregated.
Recommended No action is required.
action

169
Security level: Secret

ATK_ICMP_ADDRMASK_RPL_RAW_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_ADDRMASK_RPL_RAW_SZ: IcmpType(1058)=18;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMP address mask replies of the same attributes,
this message is sent only when the first reply is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP address
mask reply is received.
Recommended No action is required.
action

170
Security level: Secret

ATK_ICMP_ECHO_RPL_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_ECHO_RPL_SZ: IcmpType(1058)=0;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011091319;
EndTime_c(1012)=20131011091819; AtkTimes(1050)=2.
Explanation This message is sent when ICMP echo reply logs are aggregated.
Recommended No action is required.
action

171
Security level: Secret

ATK_ICMP_ECHO_RPL_RAW_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_ECHO_RPL_RAW_SZ: IcmpType(1058)=0;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMP echo replies of the same attributes, this
message is sent only when the first reply is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP echo reply is
received.
Recommended No action is required.
action

172
Security level: Secret

ATK_ICMP_ECHO_REQ_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_ECHO_REQ_SZ: IcmpType(1058)=8;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011091319;
EndTime_c(1012)=20131011091819; AtkTimes(1050)=2.
Explanation This message is sent when ICMP echo request logs are aggregated.
Recommended No action is required.
action

173
Security level: Secret

ATK_ICMP_ECHO_REQ_RAW_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; DstPort(1004)=[UINT16];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
Variable fields
$5: Destination IP address.
$6: Destination port number.
$7: Name of the receiving VPN instance.
$8: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_ECHO_REQ_RAW_SZ: IcmpType(1058)=8;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1; DstPort(1004)=22;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMP echo requests of the same attributes, this
message is sent only when the first request is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP echo
request is received.
Recommended No action is required.
action

ATK_ICMP_FLOOD_SZ
SrcZoneName(1025)=[STRING]; DstIPAddr(1007)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Destination IP address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_ICMP_FLOOD_SZ: SrcZoneName(1025)=Trust;
DstIPAddr(1007)=6.1.1.5; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009093351.
This message is sent when the number of ICMP packets sent to a destination per
Explanation second exceeds the rate limit.
Recommended No action is required.
action

174
Security level: Secret

ATK_ICMP_INFO_REQ_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_INFO_REQ_SZ: IcmpType(1058)=15;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011091319;
EndTime_c(1012)=20131011091819; AtkTimes(1050)=2.
Explanation This message is sent when ICMP information request logs are aggregated.
Recommended No action is required.
action

175
Security level: Secret

ATK_ICMP_INFO_REQ_RAW_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_INFO_REQ_RAW_SZ: IcmpType(1058)=15;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMP information requests of the same attributes,
this message is sent only when the first request is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP information
request is received.
Recommended No action is required.
action

176
Security level: Secret

ATK_ICMP_INFO_RPL_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_INFO_RPL_SZ: IcmpType(1058)=16;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011091319;
EndTime_c(1012)=20131011091819; AtkTimes(1050)=2.
Explanation This message is sent when ICMP information reply logs are aggregated.
Recommended No action is required.
action

177
Security level: Secret

ATK_ICMP_INFO_RPL_RAW_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_INFO_RPL_RAW_SZ: IcmpType(1058)=16;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMP information replies of the same attributes,
this message is sent only when the first reply is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP information
reply is received.
Recommended No action is required.
action

178
Security level: Secret

ATK_ICMP_LARGE_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_ICMP_LARGE_SZ: SrcZoneName(1025)=Trust;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=2.
Explanation This message is sent when large ICMP packet logs are aggregated.
Recommended No action is required.
action

ATK_ICMP_LARGE_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_LARGE_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
If log aggregation is enabled, for large ICMP packets of the same attributes, this
message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a large ICMP packet
is received.
Recommended No action is required.
action

179
Security level: Secret

ATK_ICMP_PARAPROBLEM_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_PARAPROBLEM_SZ: IcmpType(1058)=12;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011091319;
EndTime_c(1012)=20131011091819; AtkTimes(1050)=2.
Explanation This message is sent when ICMP parameter problem logs are aggregated.
Recommended No action is required.
action

180
Security level: Secret

ATK_ICMP_PARAPROBLEM_RAW_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_PARAPROBLEM_RAW_SZ: IcmpType(1058)=12;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMP parameter problem packets of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP parameter
problem packet is received.
Recommended No action is required.
action

181
Security level: Secret

ATK_ICMP_PINGOFDEATH_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_ICMP_PINGOFDEATH_SZ: SrcZoneName(1025)=Trust;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=2.
This message is sent when logs are aggregated for ICMP packets larger than
Explanation 65535 bytes with the MF flag set to 0.
Recommended No action is required.
action

182
Security level: Secret

ATK_ICMP_PINGOFDEATH_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_ICMP_PINGOFDEATH_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for the ping of death attack. The attack uses ICMP packets larger
than 65535 bytes with the MF flag set to 0.
Explanation If log aggregation is enabled, for packets of the same attributes, this message is
sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

183
Security level: Secret

ATK_ICMP_REDIRECT_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_REDIRECT_SZ: IcmpType(1058)=5;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011091319;
EndTime_c(1012)=20131011091819; AtkTimes(1050)=2.
Explanation This message is sent when ICMP redirect logs are aggregated.
Recommended No action is required.
action

184
Security level: Secret

ATK_ICMP_REDIRECT_RAW_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_REDIRECT_RAW_SZ: IcmpType(1058)=5;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMP redirect packets of the same attributes, this
message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP redirect
packet is received.
Recommended No action is required.
action

185
Security level: Secret

ATK_ICMP_SMURF_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_ICMP_SMURF_SZ: SrcZoneName(1025)=Trust;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=2.
This message is sent when logs are aggregated for ICMP echo requests whose
destination IP address is one of the following addresses:
• A broadcast or network address of A, B, or C class.
Explanation
• An IP address of D or E class.
• The broadcast or network address of the network where the receiving interface
resides.
Recommended No action is required.
action

186
Security level: Secret

ATK_ICMP_SMURF_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_ICMP_SMURF_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for the smurf attack. The attack uses ICMP echo requests with the
destination IP address being one of the following addresses:
• A broadcast or network address of A, B, or C class.
• An IP address of D or E class.
Explanation • The broadcast or network address of the network where the receiving interface
resides.
If log aggregation is enabled, for requests of the same attributes, this message is
sent only when the first request is received.
If log aggregation is disabled, this message is sent every time a request is received.
Recommended No action is required.
action

187
Security level: Secret

ATK_ICMP_SOURCEQUENCH_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_SOURCEQUENCH_SZ: IcmpType(1058)=4;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011091319;
EndTime_c(1012)=20131011091819; AtkTimes(1050)=2.
Explanation This message is sent when ICMP source quench logs are aggregated.
Recommended No action is required.
action

188
Security level: Secret

ATK_ICMP_SOURCEQUENCH_RAW_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_SOURCEQUENCH_RAW_SZ: IcmpType(1058)=4;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMP source quench packets of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP source
quench packet is received.
Recommended No action is required.
action

189
Security level: Secret

ATK_ICMP_TIMEEXCEED_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_TIMEEXCEED_SZ: IcmpType(1058)=11;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011091319;
EndTime_c(1012)=20131011091819; AtkTimes(1050)=2.
Explanation This message is sent when ICMP time exceeded logs are aggregated.
Recommended No action is required.
action

190
Security level: Secret

ATK_ICMP_TIMEEXCEED_RAW_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_TIMEEXCEED_RAW_SZ: IcmpType(1058)=11;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMP time exceeded packets of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP time
exceeded packet is received.
Recommended No action is required.
action

191
Security level: Secret

ATK_ICMP_TRACEROUTE_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_ICMP_TRACEROUTE_SZ: SrcZoneName(1025)=Trust;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=2.
This message is sent when logs are aggregated for ICMP time exceeded packets of
Explanation code 0.
Recommended No action is required.
action

ATK_ICMP_TRACEROUTE_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_ICMP_TRACEROUTE_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
If log aggregation is enabled, for ICMP time exceeded packets of code 0 of the
same attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP time
exceeded packet of code 0 is received.
Recommended No action is required.
action

192
Security level: Secret

ATK_ICMP_TSTAMP_REQ_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_TSTAMP_REQ_SZ: IcmpType(1058)=13;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011091319;
EndTime_c(1012)=20131011091819; AtkTimes(1050)=2.
Explanation This message is sent when ICMP timestamp logs are aggregated.
Recommended No action is required.
action

193
Security level: Secret

ATK_ICMP_TSTAMP_REQ_RAW_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_TSTAMP_REQ_RAW_SZ: IcmpType(1058)=13;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMP timestamp packets of the same attributes,
this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP timestamp
packet is received.
Recommended No action is required.
action

194
Security level: Secret

ATK_ICMP_TSTAMP_RPL_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_TSTAMP_RPL_SZ: IcmpType(1058)=14;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011091319;
EndTime_c(1012)=20131011091819; AtkTimes(1050)=2.
Explanation This message is sent when ICMP timestamp reply logs are aggregated.
Recommended No action is required.
action

195
Security level: Secret

ATK_ICMP_TSTAMP_RPL_RAW_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_TSTAMP_RPL_RAW_SZ: IcmpType(1058)=14;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMP timestamp replies of the same attributes, this
message is sent only when the first reply is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP timestamp
reply is received.
Recommended No action is required.
action

196
Security level: Secret

ATK_ICMP_TYPE_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_TYPE_SZ: IcmpType(1058)=38; SrcZoneName(1025)=Trust;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011091319; EndTime_c(1012)=20131011091819;
AtkTimes(1050)=2.
Explanation This message is sent when logs are aggregated for user-defined ICMP packets.
Recommended No action is required.
action

197
Security level: Secret

ATK_ICMP_TYPE_RAW_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_TYPE_RAW_SZ: IcmpType(1058)=38;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for user-defined ICMP packets of the same attributes,
this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a user-defined ICMP
packet is received.
Recommended No action is required.
action

198
Security level: Secret

ATK_ICMP_UNREACHABLE_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 5
ATK/5/ATK_ICMP_UNREACHABLE_SZ: IcmpType(1058)=3;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011091319;
EndTime_c(1012)=20131011091819; AtkTimes(1050)=2.
Explanation This message is sent when ICMP destination unreachable logs are aggregated.
Recommended No action is required.
action

199
Security level: Secret

ATK_ICMP_UNREACHABLE_RAW_SZ
IcmpType(1058)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: ICMP message type.
$2: Source security zone name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMP_UNREACHABLE_RAW_SZ: IcmpType(1058)=3;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMP destination unreachable packets of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMP destination
unreachable packet is received.
Recommended No action is required.
action

200
Security level: Secret

ATK_ICMPV6_DEST_UNREACH_SZ
Icmpv6Type(1059)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: ICMPv6 message type.
$2: Source security zone name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_ICMPV6_DEST_UNREACH_SZ: Icmpv6Type(1059)=133;
SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
Explanation This message is sent when ICMPv6 destination unreachable logs are aggregated.
Recommended No action is required.
action

ATK_ICMPV6_DEST_UNREACH_RAW_SZ
Icmpv6Type(1059)=[UINT32]; SrcZoneName(1025)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMPv6 message type.
$2: Source security zone name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMPV6_DEST_UNREACH_RAW_SZ: Icmpv6Type(1059)=133;
SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMPv6 destination unreachable packets of the
same attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMPv6
destination unreachable packet is received.
Recommended No action is required.
action

201
Security level: Secret

ATK_ICMPV6_ECHO_REQ_SZ
Icmpv6Type(1059)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: ICMPv6 message type.
$2: Source security zone name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_ICMPV6_ECHO_REQ_SZ: Icmpv6Type(1059)=128;
SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
Explanation This message is sent when ICMPv6 echo request logs are aggregated.
Recommended No action is required.
action

ATK_ICMPV6_ECHO_REQ_RAW_SZ
Icmpv6Type(1059)=[UINT32]; SrcZoneName(1025)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMPv6 message type.
$2: Source security zone name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMPV6_ECHO_REQ_RAW_SZ: Icmpv6Type(1059)=128;
SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMPv6 echo requests of the same attributes, this
message is sent only when the first request is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMPv6 echo
request is received.
Recommended No action is required.
action

202
Security level: Secret

ATK_ICMPV6_ECHO_RPL_SZ
Icmpv6Type(1059)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: ICMPv6 message type.
$2: Source security zone name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_ICMPV6_ECHO_RPL_SZ: Icmpv6Type(1059)=129;
SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
Explanation This message is sent when ICMPv6 echo reply logs are aggregated.
Recommended No action is required.
action

ATK_ICMPV6_ECHO_RPL_RAW_SZ
Icmpv6Type(1059)=[UINT32]; SrcZoneName(1025)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMPv6 message type.
$2: Source security zone name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMPV6_ECHO_RPL_RAW_SZ: Icmpv6Type(1059)=129;
SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMPv6 echo replies of the same attributes, this
message is sent only when the first reply is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMPv6 echo
reply is received.
Recommended No action is required.
action

203
Security level: Secret

ATK_ICMPV6_FLOOD_SZ
SrcZoneName(1025)=[STRING]; DstIPv6Addr(1037)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Destination IPv6 address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_ICMPV6_FLOOD_SZ: SrcZoneName(1025)=Trust;
DstIPv6Addr(1007)=2002::2; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009093351.
This message is sent when the number of ICMPv6 packets sent to a destination per
Explanation second exceeds the rate limit.
Recommended No action is required.
action

ATK_ICMPV6_GROUPQUERY_SZ
Icmpv6Type(1059)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: ICMPv6 message type.
$2: Source security zone name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_ICMPV6_GROUPQUERY_SZ: Icmpv6Type(1059)=130;
SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
Explanation This message is sent when ICMPv6 multicast listener query logs are aggregated.
Recommended No action is required.
action

204
Security level: Secret

ATK_ICMPV6_GROUPQUERY_RAW_SZ
Icmpv6Type(1059)=[UINT32]; SrcZoneName(1025)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMPv6 message type.
$2: Source security zone name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMPV6_GROUPQUERY_RAW_SZ: Icmpv6Type(1059)=130;
SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMPv6 multicast listener queries of the same
attributes, this message is sent only when the first query is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMPv6 multicast
listener query is received.
Recommended No action is required.
action

ATK_ICMPV6_GROUPREDUCTION_SZ
Icmpv6Type(1059)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: ICMPv6 message type.
$2: Source security zone name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_ICMPV6_GROUPREDUCTION_SZ: Icmpv6Type(1059)=132;
SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
Explanation This message is sent when ICMPv6 multicast listener done logs are aggregated.
Recommended No action is required.
action

205
Security level: Secret

ATK_ICMPV6_GROUPREDUCTION_RAW_SZ
Icmpv6Type(1059)=[UINT32]; SrcZoneName(1025)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMPv6 message type.
$2: Source security zone name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMPV6_GROUPREDUCTION_RAW_SZ: Icmpv6Type(1059)=132;
SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMPv6 multicast listener done packets of the
same attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMPv6 multicast
listener done packet is received.
Recommended No action is required.
action

ATK_ICMPV6_GROUPREPORT_SZ
Icmpv6Type(1059)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: ICMPv6 message type.
$2: Source security zone name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_ICMPV6_GROUPREPORT_SZ: Icmpv6Type(1059)=131;
SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
Explanation This message is sent when ICMPv6 multicast listener report logs are aggregated.
Recommended No action is required.
action

206
Security level: Secret

ATK_ICMPV6_GROUPREPORT_RAW_SZ
Icmpv6Type(1059)=[UINT32]; SrcZoneName(1025)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMPv6 message type.
$2: Source security zone name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMPV6_GROUPREPORT_RAW_SZ: Icmpv6Type(1059)=131;
SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMPv6 multicast listener reports of the same
attributes, this message is sent only when the first report is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMPv6 multicast
listener report is received.
Recommended No action is required.
action

ATK_ICMPV6_LARGE_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_ICMPV6_LARGE_SZ: SrcZoneName(1025)=Trust;
SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011100935; EndTime_c(1012)=20131011101435;
AtkTimes(1050)=2.
Explanation This message is sent when large ICMPv6 packet logs are aggregated.
Recommended No action is required.
action

207
Security level: Secret

ATK_ICMPV6_LARGE_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IPv6 address.
Variable fields $3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
Severity level 3
ATK/3/ATK_ICMPV6_LARGE_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;
RcvVPNInstance(1041)=--; Action(1049)=logging.
If log aggregation is enabled, for large ICMPv6 packets of the same attributes, this
message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a large ICMPv6
packet is received.
Recommended No action is required.
action

ATK_ICMPV6_PACKETTOOBIG_SZ
Icmpv6Type(1059)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: ICMPv6 message type.
$2: Source security zone name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_ICMPV6_PACKETTOOBIG_SZ: Icmpv6Type(1059)=136;
SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
Explanation This message is sent when ICMPv6 packet too big logs are aggregated.
Recommended No action is required.
action

208
Security level: Secret

ATK_ICMPV6_PACKETTOOBIG_RAW_SZ
Icmpv6Type(1059)=[UINT32]; SrcZoneName(1025)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMPv6 message type.
$2: Source security zone name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMPV6_PACKETTOOBIG_RAW_SZ: Icmpv6Type(1059)=136;
SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMPv6 packet too big packets of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMPv6 packet
too big packet is received.
Recommended No action is required.
action

ATK_ICMPV6_PARAPROBLEM_SZ
Icmpv6Type(1059)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: ICMPv6 message type.
$2: Source security zone name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_ICMPV6_PARAPROBLEM_SZ: Icmpv6Type(1059)=135;
SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
Explanation This message is sent when ICMPv6 parameter problem logs are aggregated.
Recommended No action is required.
action

209
Security level: Secret

ATK_ICMPV6_PARAPROBLEM_RAW_SZ
Icmpv6Type(1059)=[UINT32]; SrcZoneName(1025)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMPv6 message type.
$2: Source security zone name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMPV6_PARAPROBLEM_RAW_SZ: Icmpv6Type(1059)=135;
SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMPv6 parameter problem packets of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMPv6
parameter problem packet is received.
Recommended No action is required.
action

ATK_ICMPV6_TIMEEXCEED_SZ
Icmpv6Type(1059)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: ICMPv6 message type.
$2: Source security zone name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_ICMPV6_TIMEEXCEED_SZ: Icmpv6Type(1059)=134;
SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
Explanation This message is sent when ICMPv6 time exceeded logs are aggregated.
Recommended No action is required.
action

210
Security level: Secret

ATK_ICMPV6_TIMEEXCEED_RAW_SZ
Icmpv6Type(1059)=[UINT32]; SrcZoneName(1025)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMPv6 message type.
$2: Source security zone name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMPV6_TIMEEXCEED_RAW_SZ: Icmpv6Type(1059)=134;
SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for ICMPv6 time exceeded packets of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMPv6 time
exceeded packet is received.
Recommended No action is required.
action

ATK_ICMPV6_TRACEROUTE_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_ICMPV6_TRACEROUTE_SZ: SrcZoneName(1025)=Trust;
SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011100935; EndTime_c(1012)=20131011101435;
AtkTimes(1050)=2.
This message is sent when logs are aggregated for ICMPv6 time exceeded packets
Explanation of code 0.
Recommended No action is required.
action

211
Security level: Secret

ATK_ICMPV6_TRACEROUTE_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING].
$1: Source security zone name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_ICMPV6_TRACEROUTE_RAW_SZ: SrcZoneName(1025)=Trust;
SrcIPv6Addr(1036)=5600::12; DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011100935; EndTime_c(1012)=20131011101435.
If log aggregation is enabled, for ICMPv6 time exceeded packets of code 0 of the
same attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time an ICMPv6 time
exceeded packet of code 0 is received.
Recommended No action is required.
action

212
Security level: Secret

ATK_ICMPV6_TYPE_SZ
Icmpv6Type(1059)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: ICMPv6 message type.
$2: Source security zone name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_ICMPV6_TYPE_SZ: Icmpv6Type(1059)=38;
SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131011100935;
EndTime_c(1012)=20131011101435; AtkTimes(1050)=2.
Explanation This message is sent when logs are aggregated for user-defined ICMPv6 packets.
Recommended No action is required.
action

ATK_ICMPV6_TYPE _RAW_SZ
Icmpv6Type(1059)=[UINT32]; SrcZoneName(1025)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: ICMPv6 message type.
$2: Source security zone name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_ICMPV6_TYPE_RAW_SZ: Icmpv6Type(1059)=38;
SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=5600::12;
Example DstIPv6Addr(1037)=1200:0:3400:0:5600:0:7800:0; RcvVPNInstance(1041)=--;
Action(1049)=logging.
If log aggregation is enabled, for user-defined ICMPv6 packets of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a user-defined
ICMPv6 packet is received.
Recommended No action is required.
action

213
Security level: Secret

ATK_IP4_ACK_FLOOD_SZ
SrcZoneName(1025)=[STRING]; DstIPAddr(1007)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Destination IP address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_ACK_FLOOD_SZ: SrcZoneName(1025)=Trust;
DstIPAddr(1007)=6.1.1.5; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009093351.
This message is sent when the number of IPv4 ACK packets sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

ATK_IP4_DIS_PORTSCAN_SZ
SrcZoneName(1025)=[STRING]; Protocol(1001)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Protocol name.
$3: Destination IP address.
Variable fields
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
$6: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_DIS_PORTSCAN_SZ: SrcZoneName(1025)=Trust;
Example Protocol(1001)=TCP; DstIPAddr(1007)=6.1.1.5; RcvVPNInstance(1041)=vpn1;
Action(1049)=logging,block-source; BeginTime_c(1011)=20131009052955.
Explanation This message is sent when an IPv4 distributed port scan attack is detected.
Recommended No action is required.
action

214
Security level: Secret

ATK_IP4_DNS_FLOOD_SZ
SrcZoneName(1025)=[STRING]; DstIPAddr(1007)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Destination IP address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_DNS_FLOOD_SZ: SrcZoneName(1025)=Trust;
DstIPAddr(1007)=6.1.1.5; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009093351.
This message is sent when the number of IPv4 DNS queries sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

ATK_IP4_FIN_FLOOD_SZ
SrcZoneName(1025)=[STRING]; DstIPAddr(1007)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Destination IP address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_FIN_FLOOD_SZ: SrcZoneName(1025)=Trust;
DstIPAddr(1007)=6.1.1.5; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009093351.
This message is sent when the number of IPv4 FIN packets sent to a destination per
Explanation second exceeds the rate limit.
Recommended No action is required.
action

215
Security level: Secret

ATK_IP4_FRAGMENT_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
$5: Name of the receiving VPN instance.
Variable fields
$6: Protocol type.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 3
ATK/3/ATK_IP4_FRAGMENT_SZ: SrcZoneName(1025)=Trust;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Protocol(1001)=TCP; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=3.
This message is sent when logs are aggregated for IPv4 packets with an offset
Explanation smaller than 5 but bigger than 0.
Recommended No action is required.
action

216
Security level: Secret

ATK_IP4_FRAGMENT_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING];
Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields $4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Protocol type.
$7: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_FRAGMENT_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Protocol(1001)=TCP; Action(1049)=logging.
This message is for the IPv4 fragment attack. The attack uses IPv4 packets with an
offset smaller than 5 but bigger than 0.
Explanation If log aggregation is enabled, for packets of the same attributes, this message is
sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

ATK_IP4_HTTP_FLOOD_SZ
SrcZoneName(1025)=[STRING]; DstIPAddr(1007)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Destination IP address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_HTTP_FLOOD_SZ: SrcZoneName(1025)=Trust;
DstIPAddr(1007)=6.1.1.5; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009093351.
This message is sent when the number of IPv4 HTTP Get packets sent to a
Explanation destination per second exceeds the rate limit.
Recommended No action is required.
action

217
Security level: Secret

ATK_IP4_IMPOSSIBLE_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
$5: Name of the receiving VPN instance.
Variable fields
$6: Protocol type.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 3
ATK/3/ATK_IP4_IMPOSSIBLE_SZ: SrcZoneName(1025)=Trust;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Protocol(1001)=TCP; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=3.
This message is sent when logs are aggregated for IPv4 packets whose source
Explanation IPv4 address is the same as the destination IPv4 address.
Recommended No action is required.
action

218
Security level: Secret

ATK_IP4_IMPOSSIBLE_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING];
Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields $4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Protocol type.
$7: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_IMPOSSIBLE_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Protocol(1001)=TCP; Action(1049)=logging.
This message is for the IPv4 impossible packet attack. The attack uses IPv4
packets whose source IPv4 address is the same as the destination IPv4 address.
Explanation If log aggregation is enabled, for packets of the same attributes, this message is
sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

ATK_IP4_IPSWEEP_SZ
SrcZoneName(1025)=[STRING]; Protocol(1001)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Protocol name.
$3: Source IP address.
Variable fields $4: IP address of the peer DS-Lite tunnel interface.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_IPSWEEP_SZ: SrcZoneName(1025)=Trust;
Protocol(1001)=TCP; SrcIPAddr(1003)=9.1.1.5; DSLiteTunnelPeer(1040)=--;
Example RcvVPNInstance(1041)=vpn1; Action(1049)=logging,block-source;
BeginTime_c(1011)=20131009060657.
Explanation This message is sent when an IPv4 sweep attack is detected.
Recommended No action is required.
action

219
Security level: Secret

ATK_IP4_PORTSCAN_SZ
SrcZoneName(1025)=[STRING]; Protocol(1001)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text RcvVPNInstance(1041)=[STRING]; DstIPAddr(1007)=[IPADDR];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Protocol name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
Variable fields
$5: Name of the receiving VPN instance.
$6: Destination IP address.
$7: Actions against the attack.
$8: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_PORTSCAN_SZ: SrcZoneName(1025)=Trust;
Protocol(1001)=TCP; SrcIPAddr(1003)=9.1.1.5; DSLiteTunnelPeer(1040)=--;
Example RcvVPNInstance(1041)=vpn1; DstIPAddr(1007)=6.1.1.5;
Action(1049)=logging,block-source; BeginTime_c(1011)=20131009052955.
Explanation This message is sent when an IPv4 port scan attack is detected.
Recommended No action is required.
action

ATK_IP4_RST_FLOOD_SZ
SrcZoneName(1025)=[STRING]; DstIPAddr(1007)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Destination IP address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_RST_FLOOD_SZ: SrcZoneName(1025)=Trust;
DstIPAddr(1007)=6.1.1.5; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009093351.
This message is sent when the number of IPv4 RST packets sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

220
Security level: Secret

ATK_IP4_SYN_FLOOD_SZ
SrcZoneName(1025)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; UpperLimit(1048)=[UINT32];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Destination IP address.
$3: Name of the receiving VPN instance.
Variable fields
$4: Rate limit.
$5: Actions against the attack.
$6: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_SYN_FLOOD_SZ: SrcZoneName(1025)=Trust;
Example DstIPAddr(1007)=6.1.1.5; RcvVPNInstance(1041)=--; UpperLimit(1048)=10;
Action(1049)=logging; BeginTime_c(1011)=20131009093351.
This message is sent when the number of IPv4 SYN packets sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

ATK_IP4_SYNACK_FLOOD_SZ
SrcZoneName(1025)=[STRING]; DstIPAddr(1007)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Destination IP address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_SYNACK_FLOOD_SZ: SrcZoneName(1025)=Trust;
DstIPAddr(1007)=6.1.1.5; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009093351.
This message is sent when the number of IPv4 SYN-ACK packets sent to a
Explanation destination per second exceeds the rate limit.
Recommended No action is required.
action

221
Security level: Secret

ATK_IP4_TCP_ALLFLAGS_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP4_TCP_ALLFLAGS_SZ: SrcZoneName(1025)=Trust;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=3.
This message is sent when logs are aggregated for IPv4 TCP packets that have all
Explanation flags set.
Recommended No action is required.
action

222
Security level: Secret

ATK_IP4_TCP_ALLFLAGS_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_TCP_ALLFLAGS_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv4 TCP packets that have all flags set.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

223
Security level: Secret

ATK_IP4_TCP_FINONLY_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP4_TCP_FINONLY_SZ: SrcZoneName(1025)=Trust;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=3.
This message is sent when logs are aggregated for IPv4 TCP packets that have
Explanation only the FIN flag set.
Recommended No action is required.
action

224
Security level: Secret

ATK_IP4_TCP_FINONLY_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_TCP_FINONLY_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv4 TCP packets that have only the FIN flag set.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

225
Security level: Secret

ATK_IP4_TCP_INVALIDFLAGS_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP4_TCP_INVALIDFLAGS_SZ: SrcZoneName(1025)=Trust;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=3.
This message is sent when logs are aggregated for IPv4 TCP packets that have
invalid flag settings. Invalid flag settings include:
• The RST and FIN flags are both set.
• The RST and SYN flags are both set.
• The RST, FIN, and SYN flags are all set.
• The PSH, RST, and FIN flags are all set.
• The PSH, RST, and SYN flags are all set.
Explanation • The PSH, RST, SYN, and FIN flags are all set.
• The ACK, RST, and FIN flags are all set.
• The ACK, RST, and SYN flags are all set.
• The ACK, RST, SYN, and FIN flags are all set.
• The ACK, PSH, SYN, and FIN flags are all set.
• The ACK, PSH, RST, and FIN flags are all set.
• The ACK, PSH, RST, and SYN flags are all set.
Recommended No action is required.
action

226
Security level: Secret

ATK_IP4_TCP_INVALIDFLAGS_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_TCP_INVALIDFLAGS_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv4 TCP packets that have invalid flag settings. Invalid flag
settings include:
• The RST and FIN flags are both set.
• The RST and SYN flags are both set.
• The RST, FIN, and SYN flags are all set.
• The PSH, RST, and FIN flags are all set.
• The PSH, RST, and SYN flags are all set.
• The PSH, RST, SYN, and FIN flags are all set.
Explanation • The ACK, RST, and FIN flags are all set.
• The ACK, RST, and SYN flags are all set.
• The ACK, RST, SYN, and FIN flags are all set.
• The ACK, PSH, SYN, and FIN flags are all set.
• The ACK, PSH, RST, and FIN flags are all set.
• The ACK, PSH, RST, and SYN flags are all set.
If log aggregation is enabled, for packets of the same attributes, this message is
sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

227
Security level: Secret

ATK_IP4_TCP_LAND_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP4_TCP_LAND_SZ: SrcZoneName(1025)=Trust;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=3.
This message is sent when logs are aggregated for IPv4 TCP packets whose
Explanation source IP address is the same as the destination IP address.
Recommended No action is required.
action

228
Security level: Secret

ATK_IP4_TCP_LAND_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_TCP_LAND_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for the IPv4 land attack. The attack uses IPv4 TCP packets whose
source IP address is the same as the destination IP address.
Explanation If log aggregation is enabled, for packets of the same attributes, this message is
sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

229
Security level: Secret

ATK_IP4_TCP_NULLFLAG_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP4_TCP_NULLFLAG_SZ: SrcZoneName(1025)=Trust;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=4.
This message is sent when logs are aggregated for IPv4 TCP packets that have no
Explanation flag set.
Recommended No action is required.
action

230
Security level: Secret

ATK_IP4_TCP_NULLFLAG_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_TCP_NULLFLAG_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv4 TCP packets that have no flag set.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

231
Security level: Secret

ATK_IP4_TCP_SYNFIN_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP4_TCP_SYNFIN_SZ: SrcZoneName(1025)=Trust;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv4 TCP packets that have
Explanation SYN and FIN flags set.
Recommended No action is required.
action

232
Security level: Secret

ATK_IP4_TCP_SYNFIN_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_TCP_SYNFIN_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv4 TCP packets that have SYN and FIN flags set.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

233
Security level: Secret

ATK_IP4_TCP_WINNUKE_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP4_TCP_WINNUKE_SZ: SrcZoneName(1025)=Trust;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=5.
This message is sent when logs are aggregated for IPv4 TCP packets with
Explanation destination port 139, the URG flag set, and a nonzero Urgent Pointer.
Recommended No action is required.
action

234
Security level: Secret

ATK_IP4_TCP_WINNUKE_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_TCP_WINNUKE_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for the IPv4 WinNuke attack. The attack uses IPv4 TCP packets
with destination port 139, the URG flag set, and a nonzero Urgent Pointer.
Explanation If log aggregation is enabled, for packets of the same attributes, this message is
sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

235
Security level: Secret

ATK_IP4_TEARDROP_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
$5: Name of the receiving VPN instance.
Variable fields
$6: Protocol type.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 3
ATK/3/ATK_IP4_TEARDROP_SZ: SrcZoneName(1025)=Trust;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Protocol(1001)=TCP; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=3.
Explanation This message is sent when logs are aggregated for IPv4 overlapping fragments.
Recommended No action is required.
action

236
Security level: Secret

ATK_IP4_TEARDROP_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING];
Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields $4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Protocol type.
$7: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_TEARDROP_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Protocol(1001)=TCP; Action(1049)=logging.
If log aggregation is enabled, for IPv4 overlapping fragments of the same attributes,
this message is sent only when the first overlapping fragment is received.
Explanation
If log aggregation is disabled, this message is sent every time an IPv4 overlapping
fragment is received.
Recommended No action is required.
action

237
Security level: Secret

ATK_IP4_TINY_FRAGMENT_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
$5: Name of the receiving VPN instance.
Variable fields
$6: Protocol type.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 3
ATK/3/ATK_IP4_TINY_FRAGMENT_SZ: SrcZoneName(1025)=Trust;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Protocol(1001)=TCP; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=6.
This message is sent when logs are aggregated for IPv4 packets with a datagram
Explanation smaller than 68 bytes and the MF flag set.
Recommended No action is required.
action

238
Security level: Secret

ATK_IP4_TINY_FRAGMENT_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING];
Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields $4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Protocol type.
$7: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_TINY_FRAGMENT_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Protocol(1001)=TCP; Action(1049)=logging.
This message is for the IPv4 tiny fragment attack. The attack uses IPv4 packets with
a datagram smaller than 68 bytes and the MF flag set.
Explanation If log aggregation is enabled, for packets of the same attributes, this message is
sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

239
Security level: Secret

ATK_IP4_UDP_BOMB_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP4_UDP_BOMB_SZ: SrcZoneName(1025)=Trust;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv4 UDP packets in which the
Explanation length value in the IP header is larger than the IP header length plus the length in
the UDP header.
Recommended No action is required.
action

240
Security level: Secret

ATK_IP4_UDP_BOMB_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_UDP_BOMB_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv4 UDP bomb attack. The attack uses IPv4 UDP packets in
which the length value in the IP header is larger than the IP header length plus the
length in the UDP header.
Explanation If log aggregation is enabled, for packets of the same attributes, this message is
sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

ATK_IP4_UDP_FLOOD_SZ
SrcZoneName(1025)=[STRING]; DstIPAddr(1007)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Destination IP address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP4_UDP_FLOOD_SZ: SrcZoneName(1025)=Trust;
DstIPAddr(1007)=6.1.1.5; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009093351.
This message is sent when the number of IPv4 UDP packets sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

241
Security level: Secret

ATK_IP4_UDP_FRAGGLE_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP4_UDP_FRAGGLE_SZ: SrcZoneName(1025)=Trust;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=11.
This message is sent when logs are aggregated for IPv4 UDP packets with source
Explanation port 7 and destination port 19.
Recommended No action is required.
action

242
Security level: Secret

ATK_IP4_UDP_FRAGGLE_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_UDP_FRAGGLE_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv4 UDP fraggle attack. The attack uses IPv4 UDP packets
with source port 7 and destination port 19.
Explanation If log aggregation is enabled, for packets of the same attributes, this message is
sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

243
Security level: Secret

ATK_IP4_UDP_SNORK_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP4_UDP_SNORK_SZ: SrcZoneName(1025)=Trust;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131011074913; EndTime_c(1012)=20131011075413;
AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv4 UDP packets with source
Explanation port 7, 19, or 135, and destination port 135.
Recommended No action is required.
action

244
Security level: Secret

ATK_IP4_UDP_SNORK_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
Message text DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields
$4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP4_UDP_SNORK_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv4 UDP snork attack. The attack uses IPv4 UDP packets with
source port 7, 19, or 135, and destination port 135.
Explanation If log aggregation is enabled, for packets of the same attributes, this message is
sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

ATK_IP6_ACK_FLOOD_SZ
SrcZoneName(1025)=[STRING]; DstIPv6Addr(1037)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Destination IPv6 address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_ACK_FLOOD_SZ: SrcZoneName(1025)=Trust;
DstIPv6Addr(1037)=2::2; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009100434.
This message is sent when the number of IPv6 ACK packets sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

245
Security level: Secret

ATK_IP6_DIS_PORTSCAN_SZ
SrcZoneName(1025)=[STRING]; Protocol(1001)=[STRING];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Protocol name.
$3: Destination IPv6 address.
Variable fields
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
$6: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_DIS_PORTSCAN_SZ: SrcZoneName(1025)=Trust;
Example Protocol(1001)=TCP; DstIPv6Addr(1037)=2::2; RcvVPNInstance(1041)=--;
Action(1049)=logging; BeginTime_c(1011)=20131009100928.
Explanation This message is sent when an IPv6 distributed port scan attack is detected.
Recommended No action is required.
action

ATK_IP6_DNS_FLOOD_SZ
SrcZoneName(1025)=[STRING]; DstIPv6Addr(1037)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Destination IPv6 address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_DNS_FLOOD_SZ: SrcZoneName(1025)=Trust;
DstIPv6Addr(1037)=2::2; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009100434.
This message is sent when the number of IPv6 DNS queries sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

246
Security level: Secret

ATK_IP6_FIN_FLOOD_SZ
SrcZoneName(1025)=[STRING]; DstIPv6Addr(1037)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Destination IPv6 address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_FIN_FLOOD_SZ: SrcZoneName(1025)=Trust;
DstIPv6Addr(1037)=2::2; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009100434.
This message is sent when the number of IPv6 FIN packets sent to a destination per
Explanation second exceeds the rate limit.
Recommended No action is required.
action

247
Security level: Secret

ATK_IP6_FRAGMENT_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Protocol(1001)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields $5: Protocol type.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP6_FRAGMENT_SZ: SrcZoneName(1025)=Trust;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=1::1; RcvVPNInstance(1041)=--;
Example Protocol(1001)=IPv6-ICMP; Action(1049)=logging;
BeginTime_c(1011)=20131011103335; EndTime_c(1012)=20131011103835;
AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 packets with an offset
Explanation smaller than 5 but bigger than 0.
Recommended No action is required.
action

248
Security level: Secret

ATK_IP6_FRAGMENT_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Protocol(1001)=[STRING]; Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
Variable fields
$4: Name of the receiving VPN instance.
$5: Protocol type.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_FRAGMENT_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=1::1; RcvVPNInstance(1041)=--;
Protocol(1001)=IPv6-ICMP; Action(1049)=logging.
This message is for the IPv6 fragment attack. The attack uses IPv6 packets with an
offset smaller than 5 but bigger than 0.
Explanation If log aggregation is enabled, for packets of the same attributes, this message is
sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

ATK_IP6_HTTP_FLOOD_SZ
SrcZoneName(1025)=[STRING]; DstIPv6Addr(1037)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Destination IPv6 address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_HTTP_FLOOD_SZ: SrcZoneName(1025)=Trust;
DstIPv6Addr(1037)=2::2; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009100434.
This message is sent when the number of IPv6 HTTP Get packets sent to a
Explanation destination per second exceeds the rate limit.
Recommended No action is required.
action

249
Security level: Secret

ATK_IP6_IMPOSSIBLE_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Protocol(1001)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields $5: Protocol type.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 3
ATK/3/ATK_IP6_IMPOSSIBLE_SZ: SrcZoneName(1025)=Trust;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=1::1; RcvVPNInstance(1041)=--;
Example Protocol(1001)=IPv6-ICMP; Action(1049)=logging;
BeginTime_c(1011)=20131011103335; EndTime_c(1012)=20131011103835;
AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 packets whose source
Explanation IPv6 address is the same as the destination IPv6 address.
Recommended No action is required.
action

250
Security level: Secret

ATK_IP6_IMPOSSIBLE_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Protocol(1001)=[STRING]; Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
Variable fields
$4: Name of the receiving VPN instance.
$5: Protocol type.
$6: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_IMPOSSIBLE_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=1::1; RcvVPNInstance(1041)=--;
Protocol(1001)=IPv6-ICMP; Action(1049)=logging.
This message is for the IPv6 impossible packet attack. The attack uses IPv6
packets whose source IPv6 address is the same as the destination IPv6 address.
Explanation If log aggregation is enabled, for packets of the same attributes, this message is
sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

ATK_IP6_IPSWEEP_SZ
SrcZoneName(1025)=[STRING]; Protocol(1001)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Protocol name.
$3: Source IPv6 address.
Variable fields
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
$6: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_IPSWEEP_SZ: SrcZoneName(1025)=Trust;
Example Protocol(1001)=TCP; SrcIPv6Addr(1036)=1::5; RcvVPNInstance(1041)=--;
Action(1049)=logging,block-source; BeginTime_c(1011)=20131009100639.
Explanation This message is sent when an IPv6 sweep attack is detected.
Recommended No action is required.
action

251
Security level: Secret

ATK_IP6_PORTSCAN_SZ
SrcZoneName(1025)=[STRING]; Protocol(1001)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text DstIPv6Addr(1037)=[IPADDR]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Protocol name.
$3: Source IPv6 address.
Variable fields $4: Name of the receiving VPN instance.
$5: Destination IPv6 address.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_PORTSCAN_SZ: SrcZoneName(1025)=Trust;
Protocol(1001)=TCP; SrcIPv6Addr(1036)=1::5; RcvVPNInstance(1041)=--;
Example DstIPv6Addr(1037)=2::2; Action(1049)=logging,block-source;
BeginTime_c(1011)=20131009100455.
Explanation This message is sent when an IPv6 port scan attack is detected.
Recommended No action is required.
action

ATK_IP6_RST_FLOOD_SZ
SrcZoneName(1025)=[STRING]; DstIPv6Addr(1037)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Destination IPv6 address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_RST_FLOOD_SZ: SrcZoneName(1025)=Trust;
Example DstIPv6Addr(1037)=2::2; RcvVPNInstance(1041)=--; UpperLimit(1048)=10;
Action(1049)=logging; BeginTime_c(1011)=20131009100434.
This message is sent when the number of IPv6 RST packets sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

252
Security level: Secret

ATK_IP6_SYN_FLOOD_SZ
SrcZoneName(1025)=[STRING]; DstIPv6Addr(1037)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Destination IPv6 address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_SYN_FLOOD_SZ: SrcZoneName(1025)=Trust;
DstIPv6Addr(1037)=2::2; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009100434.
This message is sent when the number of IPv6 SYN packets sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

ATK_IP6_SYNACK_FLOOD_SZ
SrcZoneName(1025)=[STRING]; DstIPv6Addr(1037)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Destination IPv6 address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_SYNACK_FLOOD_SZ: SrcZoneName(1025)=Trust;
DstIPv6Addr(1037)=2::2; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009100434.
This message is sent when the number of IPv6 SYN-ACK packets sent to a
Explanation destination per second exceeds the rate limit.
Recommended No action is required.
action

253
Security level: Secret

ATK_IP6_TCP_ALLFLAGS_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_IP6_TCP_ALLFLAGS_SZ: SrcZoneName(1025)=Trust;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Example Action(1049)=logging; BeginTime_c(1011)=20131009103631;
EndTime_c(1012)=20131009104131; AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 TCP packets that have all
Explanation flags set.
Recommended No action is required.
action

ATK_IP6_TCP_ALLFLAGS_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IPv6 address.
Variable fields $3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_TCP_ALLFLAGS_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPv6Addr(1036)=2000::1; DstIPv6Addr(1037)=2003::200;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv6 TCP packets that have all flags set.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

254
Security level: Secret

ATK_IP6_TCP_FINONLY_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_IP6_TCP_FINONLY_SZ: SrcZoneName(1025)=Trust;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Example Action(1049)=logging; BeginTime_c(1011)=20131009103631;
EndTime_c(1012)=20131009104131; AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 TCP packets that have
Explanation only the FIN flag set.
Recommended No action is required.
action

ATK_IP6_TCP_FINONLY_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IPv6 address.
Variable fields $3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_TCP_FINONLY_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPv6Addr(1036)=2000::1; DstIPv6Addr(1037)=2003::200;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv6 TCP packets that have only the FIN flag set.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

255
Security level: Secret

ATK_IP6_TCP_INVALIDFLAGS_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_IP6_TCP_INVALIDFLAGS_SZ: SrcZoneName(1025)=Trust;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Example Action(1049)=logging; BeginTime_c(1011)=20131009103631;
EndTime_c(1012)=20131009104131; AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 TCP packets that have
invalid flag settings. Invalid flag settings include:
• The RST and FIN flags are both set.
• The RST and SYN flags are both set.
• The RST, FIN, and SYN flags are all set.
• The PSH, RST, and FIN flags are all set.
• The PSH, RST, and SYN flags are all set.
Explanation • The PSH, RST, SYN, and FIN flags are all set.
• The ACK, RST, and FIN flags are all set.
• The ACK, RST, and SYN flags are all set.
• The ACK, RST, SYN, and FIN flags are all set.
• The ACK, PSH, SYN, and FIN flags are all set.
• The ACK, PSH, RST, and FIN flags are all set.
• The ACK, PSH, RST, and SYN flags are all set.
Recommended No action is required.
action

256
Security level: Secret

ATK_IP6_TCP_INVALIDFLAGS_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IPv6 address.
Variable fields $3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_TCP_INVALIDFLAGS_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPv6Addr(1036)=2000::1; DstIPv6Addr(1037)=2003::200;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv6 TCP packets that have invalid flag settings. Invalid flag
settings include:
• The RST and FIN flags are both set.
• The RST and SYN flags are both set.
• The RST, FIN, and SYN flags are all set.
• The PSH, RST, and FIN flags are all set.
• The PSH, RST, and SYN flags are all set.
• The PSH, RST, SYN, and FIN flags are all set.
Explanation • The ACK, RST, and FIN flags are all set.
• The ACK, RST, and SYN flags are all set.
• The ACK, RST, SYN, and FIN flags are all set.
• The ACK, PSH, SYN, and FIN flags are all set.
• The ACK, PSH, RST, and FIN flags are all set.
• The ACK, PSH, RST, and SYN flags are all set.
If log aggregation is enabled, for packets of the same attributes, this message is
sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

257
Security level: Secret

ATK_IP6_TCP_LAND_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_IP6_TCP_LAND_SZ: SrcZoneName(1025)=Trust;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Example Action(1049)=logging; BeginTime_c(1011)=20131009103631;
EndTime_c(1012)=20131009104131; AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 TCP packets whose
Explanation source IPv6 address is the same as the destination IPv6 address.
Recommended No action is required.
action

ATK_IP6_TCP_LAND_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IPv6 address.
Variable fields $3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_TCP_LAND_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPv6Addr(1036)=2000::1; DstIPv6Addr(1037)=2003::200;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for the IPv6 land attack. The attack uses IPv6 TCP packets whose
source IPv6 address is the same as the destination IPv6 address.
Explanation If log aggregation is enabled, for packets of the same attributes, this message is
sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

258
Security level: Secret

ATK_IP6_TCP_NULLFLAG_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_IP6_TCP_NULLFLAG_SZ: SrcZoneName(1025)=Trust;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Example Action(1049)=logging; BeginTime_c(1011)=20131009103631;
EndTime_c(1012)=20131009104131; AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 TCP packets that have no
Explanation flag set.
Recommended No action is required.
action

ATK_IP6_TCP_NULLFLAG_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IPv6 address.
Variable fields $3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_TCP_NULLFLAG_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPv6Addr(1036)=2000::1; DstIPv6Addr(1037)=2003::200;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv6 TCP packets that have no flag set.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

259
Security level: Secret

ATK_IP6_TCP_SYNFIN_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_IP6_TCP_SYNFIN_SZ: SrcZoneName(1025)=Trust;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Example Action(1049)=logging; BeginTime_c(1011)=20131009103631;
EndTime_c(1012)=20131009104131; AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 TCP packets that have
Explanation SYN and FIN flags set.
Recommended No action is required.
action

ATK_IP6_TCP_SYNFIN_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IPv6 address.
Variable fields $3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_TCP_SYNFIN_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPv6Addr(1036)=2000::1; DstIPv6Addr(1037)=2003::200;
RcvVPNInstance(1041)=--; Action(1049)=logging.
This message is for IPv6 TCP packets that have SYN and FIN flags set.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

260
Security level: Secret

ATK_IP6_TCP_WINNUKE_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_IP6_TCP_WINNUKE_SZ: SrcZoneName(1025)=Trust;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Example Action(1049)=logging; BeginTime_c(1011)=20131009103631;
EndTime_c(1012)=20131009104131; AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 TCP packets with
Explanation destination port 139, the URG flag set, and a nonzero Urgent Pointer.
Recommended No action is required.
action

ATK_IP6_TCP_WINNUKE_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IPv6 address.
Variable fields $3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_TCP_WINNUKE_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Action(1049)=logging.
This message is for the IPv6 WinNuke attack. The attack uses IPv6 TCP packets
with destination port 139, the URG flag set, and a nonzero Urgent Pointer.
Explanation If log aggregation is enabled, for packets of the same attributes, this message is
sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

261
Security level: Secret

ATK_IP6_UDP_FLOOD_SZ
SrcZoneName(1025)=[STRING]; DstIPv6Addr(1037)=[IPADDR];
DstPort(1008)=[UINT16]; RcvVPNInstance(1041)=[STRING];
Message text UpperLimit(1048)=[UINT32]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING].
$1: Source security zone name.
$2: Destination IPv6 address.
$3: Destination port number.
Variable fields $4: Name of the receiving VPN instance.
$5: Rate limit.
$6: Actions against the attack.
$7: Start time of the attack.
Severity level 3
ATK/3/ATK_IP6_UDP_FLOOD_SZ: SrcZoneName(1025)=Trust;
DstIPv6Addr(1037)=2::2; DstPort(1008)=22; RcvVPNInstance(1041)=--;
Example UpperLimit(1048)=10; Action(1049)=logging;
BeginTime_c(1011)=20131009100434.
This message is sent when the number of IPv6 UDP packets sent to a destination
Explanation per second exceeds the rate limit.
Recommended No action is required.
action

ATK_IP6_UDP_FRAGGLE_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_IP6_UDP_FRAGGLE_SZ: SrcZoneName(1025)=Trust;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Example Action(1049)=logging; BeginTime_c(1011)=20131009103631;
EndTime_c(1012)=20131009104131; AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 UDP packets with source
Explanation port 7 and destination port 19.
Recommended No action is required.
action

262
Security level: Secret

ATK_IP6_UDP_FRAGGLE_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IPv6 address.
Variable fields $3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_UDP_FRAGGLE_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Action(1049)=logging.
This message is for IPv6 UDP fraggle attack. The attack uses IPv6 UDP packets
with source port 7 and destination port 19.
Explanation If log aggregation is enabled, for packets of the same attributes, this message is
sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

ATK_IP6_UDP_SNORK_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IPv6 address.
$3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
Variable fields
$5: Actions against the attack.
$6: Start time of the attack.
$7: End time of the attack.
$8: Attack times.
Severity level 3
ATK/3/ATK_IP6_UDP_SNORK_SZ: SrcZoneName(1025)=Trust;
SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Example Action(1049)=logging; BeginTime_c(1011)=20131009103631;
EndTime_c(1012)=20131009104131; AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 UDP packets with source
Explanation port 7, 19, or 135, and destination port 135.
Recommended No action is required.
action

263
Security level: Secret

ATK_IP6_UDP_SNORK_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPv6Addr(1036)=[IPADDR];
Message text DstIPv6Addr(1037)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IPv6 address.
Variable fields $3: Destination IPv6 address.
$4: Name of the receiving VPN instance.
$5: Actions against the attack.
Severity level 3
ATK/3/ATK_IP6_UDP_SNORK_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11; RcvVPNInstance(1041)=--;
Action(1049)=logging.
This message is for IPv6 UDP snork attack. The attack uses IPv6 UDP packets with
source port 7, 19, or 135, and port 135.
Explanation If log aggregation is enabled, for packets of the same attributes, this message is
sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet is received.
Recommended No action is required.
action

264
Security level: Secret

ATK_IP_OPTION_SZ
IPOptValue(1057)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Protocol(1001)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: IP option value.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields $6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
$9: Start time of the attack.
$10: End time of the attack.
$11: Attack times.
Severity level 5
ATK/5/ATK_IP_OPTION_SZ: IPOptValue(1057)=38; SrcZoneName(1025)=Trust;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging;
BeginTime_c(1011)=20131011063123; EndTime_c(1012)=20131011063623;
AtkTimes(1050)=3.
This message is sent when logs are aggregated for packets with a user-defined IP
Explanation option.
Recommended No action is required.
action

265
Security level: Secret

ATK_IP_OPTION_RAW_SZ
IPOptValue(1057)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Protocol(1001)=[STRING]; Action(1049)=[STRING].
$1: IP option value.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
Variable fields
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
Severity level 5
ATK/5/ATK_IP_OPTION_RAW_SZ: IPOptValue(1057)=38;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Protocol(1001)=RAWIP; Action(1049)=logging.
If log aggregation is enabled, for packets with a user-defined IP option and of the
same attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a packet with a
user-defined IP option is received.
Recommended No action is required.
action

266
Security level: Secret

ATK_IPOPT_ABNORMAL_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING];
Action(1049)=[STRING]; BeginTime_c(1011)=[STRING];
EndTime_c(1012)=[STRING]; AtkTimes(1050)=[UINT32].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
$4: Destination IP address.
$5: Name of the receiving VPN instance.
Variable fields
$6: Protocol type.
$7: Actions against the attack.
$8: Start time of the attack.
$9: End time of the attack.
$10: Attack times.
Severity level 3
ATK/3/ATK_IPOPT_ABNORMAL_SZ: SrcZoneName(1025)=Trust;
SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
Example RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging;
BeginTime_c(1011)=20131011072002; EndTime_c(1012)=20131011072502;
AtkTimes(1050)=3.
This message is sent when logs are aggregated for packets with more than two IP
Explanation options.
Recommended No action is required.
action

267
Security level: Secret

ATK_IPOPT_ABNORMAL_RAW_SZ
SrcZoneName(1025)=[STRING]; SrcIPAddr(1003)=[IPADDR];
DSLiteTunnelPeer(1040)=[STRING]; DstIPAddr(1007)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Protocol(1001)=[STRING];
Action(1049)=[STRING].
$1: Source security zone name.
$2: Source IP address.
$3: IP address of the peer DS-Lite tunnel interface.
Variable fields $4: Destination IP address.
$5: Name of the receiving VPN instance.
$6: Protocol type.
$7: Actions against the attack.
Severity level 3
ATK/3/ATK_IPOPT_ABNORMAL_RAW_SZ: SrcZoneName(1025)=Trust;
Example SrcIPAddr(1003)=9.1.1.1; DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1;
RcvVPNInstance(1041)=--; Protocol(1001)=RAWIP; Action(1049)=logging.
This message is for packets that each has more than two IP options.
If log aggregation is enabled, for packets of the same attributes, this message is
Explanation sent only when the first packet is received.
If log aggregation is disabled, this message is sent every time a packet with more
than two IP options is received.
Recommended No action is required.
action

268
Security level: Secret

ATK_IPOPT_LOOSESRCROUTE_SZ
IPOptValue(1057)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Protocol(1001)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING]; AtkTimes(1050)=
[UINT32].
$1: IP option value.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields $6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
$9: Start time of the attack.
$10: End time of the attack.
$11: Attack times.
Severity level 5
ATK/5/ATK_IPOPT_LOOSESRCROUTE_SZ: IPOptValue(1057)=131;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Example Protocol(1001)=RAWIP; Action(1049)=logging;
BeginTime_c(1011)=20131011063123; EndTime_c(1012)=20131011063623;
AtkTimes(1050)=3.
Explanation This message is sent when logs are aggregated for packets with IP option 131.
Recommended No action is required.
action

269
Security level: Secret

ATK_IPOPT_LOOSESRCROUTE_RAW_SZ
IPOptValue(1057)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Protocol(1001)=[STRING]; Action(1049)=[STRING].
$1: IP option value.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
Variable fields
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
Severity level 5
ATK/5/ATK_IPOPT_LOOSESRCROUTE_RAW_SZ: IPOptValue(1057)=131;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Protocol(1001)=RAWIP; Action(1049)=logging.
If log aggregation is enabled, for packets with IP option 131 and of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a packet with IP
option 131 is received.
Recommended No action is required.
action

270
Security level: Secret

ATK_IPOPT_RECORDROUTE_SZ
IPOptValue(1057)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Protocol(1001)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: IP option value.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields $6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
$9: Start time of the attack.
$10: End time of the attack.
$11: Attack times.
Severity level 5
ATK/5/ATK_IPOPT_RECORDROUTE_SZ: IPOptValue(1057)=7;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Example Protocol(1001)=RAWIP; Action(1049)=logging;
BeginTime_c(1011)=20131011063123; EndTime_c(1012)=20131011063623;
AtkTimes(1050)=3.
Explanation This message is sent when logs are aggregated for packets with IP option 7.
Recommended No action is required.
action

271
Security level: Secret

ATK_IPOPT_RECORDROUTE_RAW_SZ
IPOptValue(1057)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Protocol(1001)=[STRING]; Action(1049)=[STRING].
$1: IP option value.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
Variable fields
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
Severity level 5
ATK/5/ATK_IPOPT_RECORDROUTE_RAW_SZ: IPOptValue(1057)=7;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Protocol(1001)=RAWIP; Action(1049)=logging.
If log aggregation is enabled, for packets with IP option 7 and of the same attributes,
this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a packet with IP
option 7 is received.
Recommended No action is required.
action

272
Security level: Secret

ATK_IPOPT_ROUTEALERT_SZ
IPOptValue(1057)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Protocol(1001)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: IP option value.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields $6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
$9: Start time of the attack.
$10: End time of the attack.
$11: Attack times.
Severity level 5
ATK/5/ATK_IPOPT_ROUTEALERT_SZ: IPOptValue(1057)=148;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Example Protocol(1001)=RAWIP; Action(1049)=logging;
BeginTime_c(1011)=20131011063123; EndTime_c(1012)=20131011063623;
AtkTimes(1050)=3.
Explanation This message is sent when logs are aggregated for packets with IP option 148.
Recommended No action is required.
action

273
Security level: Secret

ATK_IPOPT_ROUTEALERT_RAW_SZ
IPOptValue(1057)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Protocol(1001)=[STRING]; Action(1049)=[STRING].
$1: IP option value.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
Variable fields
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
Severity level 5
ATK/5/ATK_IPOPT_ROUTEALERT_RAW_SZ: IPOptValue(1057)=148;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Protocol(1001)=RAWIP; Action(1049)=logging.
If log aggregation is enabled, for packets with IP option 148 and of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a packet with IP
option 148 is received.
Recommended No action is required.
action

274
Security level: Secret

ATK_IPOPT_SECURITY_SZ
IPOptValue(1057)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Protocol(1001)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: IP option value.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields $6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
$9: Start time of the attack.
$10: End time of the attack.
$11: Attack times.
Severity level 5
ATK/5/ATK_IPOPT_SECURITY_SZ: IPOptValue(1057)=130;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Example Protocol(1001)=RAWIP; Action(1049)=logging;
BeginTime_c(1011)=20131009091022; EndTime_c(1012)=20131009091522;
AtkTimes(1050)=2.
Explanation This message is sent when logs are aggregated for packets with IP option 130.
Recommended No action is required.
action

275
Security level: Secret

ATK_IPOPT_SECURITY_RAW_SZ
IPOptValue(1057)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Protocol(1001)=[STRING]; Action(1049)=[STRING].
$1: IP option value.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
Variable fields
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
Severity level 5
ATK/5/ATK_IPOPT_SECURITY_RAW_SZ: IPOptValue(1057)=130;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Protocol(1001)=RAWIP; Action(1049)=logging.
If log aggregation is enabled, for packets with IP option 130 and of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a packet with IP
option 130 is received.
Recommended No action is required.
action

276
Security level: Secret

ATK_IPOPT_STREAMID_SZ
IPOptValue(1057)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Protocol(1001)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: IP option value.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields $6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
$9: Start time of the attack.
$10: End time of the attack.
$11: Attack times.
Severity level 5
ATK/5/ATK_IPOPT_STREAMID_SZ: IPOptValue(1057)=136;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Example Protocol(1001)=RAWIP; Action(1049)=logging;
BeginTime_c(1011)=20131011063123; EndTime_c(1012)=20131011063623;
AtkTimes(1050)=3.
Explanation This message is sent when logs are aggregated for packets with IP option 136.
Recommended No action is required.
action

277
Security level: Secret

ATK_IPOPT_STREAMID_RAW_SZ
IPOptValue(1057)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Protocol(1001)=[STRING]; Action(1049)=[STRING].
$1: IP option value.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
Variable fields
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
Severity level 5
ATK/5/ATK_IPOPT_STREAMID_RAW_SZ: IPOptValue(1057)=136;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Protocol(1001)=RAWIP; Action(1049)=logging.
If log aggregation is enabled, for packets with IP option 136 and of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a packet with IP
option 136 is received.
Recommended No action is required.
action

278
Security level: Secret

ATK_IPOPT_STRICTSRCROUTE_SZ
IPOptValue(1057)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Protocol(1001)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: IP option value.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields $6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
$9: Start time of the attack.
$10: End time of the attack.
$11: Attack times.
Severity level 5
ATK/5/ATK_IPOPT_STRICTSRCROUTE_SZ: IPOptValue(1057)=137;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Example Protocol(1001)=RAWIP; Action(1049)=logging;
BeginTime_c(1011)=20131011063123; EndTime_c(1012)=20131011063623;
AtkTimes(1050)=3.
Explanation This message is sent when logs are aggregated for packets with IP option 137.
Recommended No action is required.
action

279
Security level: Secret

ATK_IPOPT_STRICTSRCROUTE_RAW_SZ
IPOptValue(1057)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Protocol(1001)=[STRING]; Action(1049)=[STRING].
$1: IP option value.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
Variable fields
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
Severity level 5
ATK/5/ATK_IPOPT_STRICTSRCROUTE_RAW_SZ: IPOptValue(1057)=137;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Protocol(1001)=RAWIP; Action(1049)=logging.
If log aggregation is enabled, for packets with IP option 137 and of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a packet with IP
option 137 is received.
Recommended No action is required.
action

280
Security level: Secret

ATK_IPOPT_TIMESTAMP_SZ
IPOptValue(1057)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Protocol(1001)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: IP option value.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
$5: Destination IP address.
Variable fields $6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
$9: Start time of the attack.
$10: End time of the attack.
$11: Attack times.
Severity level 5
ATK/5/ATK_IPOPT_TIMESTAMP_SZ: IPOptValue(1057)=68;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Example Protocol(1001)=RAWIP; Action(1049)=logging;
BeginTime_c(1011)=20131011063123; EndTime_c(1012)=20131011063623;
AtkTimes(1050)=3.
Explanation This message is sent when logs are aggregated for packets with IP option 68.
Recommended No action is required.
action

281
Security level: Secret

ATK_IPOPT_TIMESTAMP_RAW_SZ
IPOptValue(1057)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text DstIPAddr(1007)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Protocol(1001)=[STRING]; Action(1049)=[STRING].
$1: IP option value.
$2: Source security zone name.
$3: Source IP address.
$4: IP address of the peer DS-Lite tunnel interface.
Variable fields
$5: Destination IP address.
$6: Name of the receiving VPN instance.
$7: Protocol type.
$8: Actions against the attack.
Severity level 5
ATK/5/ATK_IPOPT_TIMESTAMP_RAW_SZ: IPOptValue(1057)=68;
SrcZoneName(1025)=Trust; SrcIPAddr(1003)=9.1.1.1;
Example DSLiteTunnelPeer(1040)=--; DstIPAddr(1007)=6.1.1.1; RcvVPNInstance(1041)=--;
Protocol(1001)=RAWIP; Action(1049)=logging.
If log aggregation is enabled, for packets with IP option 68 and of the same
attributes, this message is sent only when the first packet is received.
Explanation
If log aggregation is disabled, this message is sent every time a packet with IP
option 68 is received.
Recommended No action is required.
action

282
Security level: Secret

ATK_IPV6_EXT_HEADER_SZ
IPv6ExtHeader(1060)=[UINT32]; SrcZoneName(1025)=[STRING];
SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
Message text RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING];
BeginTime_c(1011)=[STRING]; EndTime_c(1012)=[STRING];
AtkTimes(1050)=[UINT32].
$1: IPv6 extension header value.
$2: Source security zone name.
$3: Source IPv6 address.
$4: Destination IPv6 address.
Variable fields $5: Name of the receiving VPN instance.
$6: Actions against the attack.
$7: Start time of the attack.
$8: End time of the attack.
$9: Attack times.
Severity level 5
ATK/5/ATK_IPV6_EXT_HEADER_SZ: IPv6ExtHeader(1060)=43;
SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11;
Example RcvVPNInstance(1041)=--; Action(1049)=logging;
BeginTime_c(1011)=20131009103631; EndTime_c(1012)=20131009104131;
AtkTimes(1050)=2.
This message is sent when logs are aggregated for IPv6 packets with a
Explanation user-defined extension header.
Recommended No action is required.
action

283
Security level: Secret

ATK_IPV6_EXT_HEADER_RAW_SZ
IPv6ExtHeader(1060)=[UINT32]; SrcZoneName(1025)=[STRING];
Message text SrcIPv6Addr(1036)=[IPADDR]; DstIPv6Addr(1037)=[IPADDR];
RcvVPNInstance(1041)=[STRING]; Action(1049)=[STRING].
$1: IPv6 extension header value.
$2: Source security zone name.
$3: Source IPv6 address.
Variable fields
$4: Destination IPv6 address.
$5: Name of the receiving VPN instance.
$6: Actions against the attack.
Severity level 5
ATK/5/ATK_IPV6_EXT_HEADER_RAW_SZ: IPv6ExtHeader(1060)=43;
Example SrcZoneName(1025)=Trust; SrcIPv6Addr(1036)=1::1; DstIPv6Addr(1037)=2::11;
RcvVPNInstance(1041)=--; Action(1049)=logging.
If log aggregation is enabled, for IPv6 packets with a user-defined extension header
and of the same attributes, this message is sent only when the first packet is
Explanation received.
If log aggregation is disabled, this message is sent every time an IPv6 packet with a
user-defined extension header is received.
Recommended No action is required.
action

284
Security level: Secret

ATM
This section contains ATM messages.

ATM_PVCDOWN
Message text Interface [STRING] PVC [UINT16]/[UINT16] status is down.
$1: Name of the interface to which the PVC belongs.
Variable fields $2: VPI value of the PVC.
$3: VCI value of the PVC.
Severity level 5
Example ATM/5/ATM_PVCDOWN: Interface ATM2/0/2 PVC 0/100 status is down.
The PVC state became down. Possible reasons include the following:
• The ATM interface to which the PVC belongs went down.
Explanation
• The OAM state of the PVC became down.
• The PVC had been manually shut down.
Use the display atm pvc-info command to display detailed information about
the PVC and take relevant actions:
• If the interface state is down, take the following actions:
 Make sure both the local and remote ATM interfaces are up by using
the display interface atm command. If the interfaces have been
manually shut down, execute the undo shutdown command in
interface view to bring them up.
 Make sure the two interfaces are correctly connected.
• If the OAM state is down, take the following actions:
 Make sure the VPI/VCI value of the remote PVC is the same as the
VPI/VCI value of the local PVC.
 Make sure the OAM configuration of the remote PVC is consistent with
Recommended action the OAM configuration of the local PVC. For example, if one end is
configured as the OAM CC cell sink, the other end must be configured
as the OAM CC cell source.
 Make sure the remote PVC is up. If the remote PVC has been
manually shut down, execute the undo shutdown command in PVC
view to bring it up.
 Make sure the two ends are correctly connected.
 If the two routers are connected through an ATM network, in addition
to the previous check items, you must check the forwarding rule of the
ATM network. If the ATM network cannot reach the PVC, the PVC
cannot come up.
• If the PVC state is down, check if the local PVC has been manually shut
down. To bring up the PVC, execute the undo shutdown command in
PVC view.

ATM_PVCUP
Message text Interface [STRING] PVC [UINT16]/[UINT16] status is up.
$1: Name of the interface to which the PVC belongs.
Variable fields
$2: VPI value of the PVC.

285
Security level: Secret

$3: VCI value of the PVC.


Severity level 5
Example ATM/5/ATM_PVCUP: Interface ATM2/0/2 PVC 0/100 status is up.
Explanation The PVC state became up.
Recommended action No action is required.

286
Security level: Secret

BFD messages
This section contains BFD messages.

BFD_CHANGE_FSM
Message text Sess[STRING], Ver, Sta: [STRING]->[STRING], Diag: [UINT32]
$1: Source address, destination address, interface, and message type of the
BFD session.
Variable fields $2: Name of FSM before changing.
$3: Name of FSM after changing.
$4: Diagnostic code.

Severity level 5
BFD/5/BFD_CHANGE_FSM:Sess[20.0.4.2/20.0.4.1,LD/RD:533/532,
Example Interface:Vlan204, SessType:Ctrl, LinkType:INET], Ver.1, Sta: INIT->UP, Diag:
0.

The FSM of the BFD session has been changed. This informational message
Explanation appears when a BFD session comes up or goes down. Unexpected session
loss might indicate high error or packet loss rates in the network.

Recommended Check for incorrect BFD configuration or network congestion.


action

BFD_REACHED_UPPER_LIMIT
The total number of BFD sessions [ULONG] reached the upper limit. Can’t
Message text create a new session.

Variable fields $1: Total number of BFD sessions.

Severity level 5
BFD/5/BFD_REACHED_UPPER_LIMIT: The total number of BFD session 100
Example reached upper limit.

Explanation The total number of BFD sessions has reached the upper limit.

Recommended Check the BFD session configuration.


action

287
Security level: Secret

BGP messages
This section contains BGP messages.

BGP_EXCEED_ROUTE_LIMIT
BGP.[STRING]: The number of routes from peer [STRING] ([STRING]) exceeds
Message text the limit [UINT32].
$1: VPN instance name. This field is blank for the public network.
$2: IP address of the BGP peer.
Variable fields
$3: Address family of the BGP peer.
$4: Maximum number of routes.
Severity level 4
BGP/4/BGP_EXCEEDED_ROUTE_LIMIT: BGP.vpn1: The number of routes
Example from peer 1.1.1.1 (IPv4-UNC) exceeds the limit 100.
The number of routes received from a peer exceeded the maximum number of
Explanation routes that can be received from the peer.
Determine whether it is caused by attacks:
Recommended • If yes, configure the device to defend against the attacks.
action
• If not, increase the maximum number of routes.

BGP_EXCEEDS_THRESHOLD
BGP.[STRING]: The proportion of prefixes received from peer [STRING]
Message text ([STRING]) to maximum allowed prefixes reached the threshold value
([UINT32]%).
$1: VPN instance name. This field is blank for the public network.
$2: IP address of the BGP peer.
Variable fields
$3: Address family of the BGP peer.
$4: Percentage of received routes to the maximum allowed routes.
Severity level 5
BGP/5/BGP_RECHED_THRESHOLD: BGP.vpn1: The proportion of prefixes
Example received from peer 1.1.1.1 (IPv4-UNC) to maximum allowed prefixes reached
the threshold value (60%).
The percentage of received routes to the maximum allowed routes reached the
Explanation threshold.
Determine whether it is caused by attacks:
Recommended • If yes, configure the device to defend against the attacks.
action • If not, increase the threshold value or the maximum number of routes that
can be received from the peer.

288
Security level: Secret

BGP_MEM_ALERT
Message text BGP process received system memory alert [STRING] event.

Variable fields $1: Type of the memory alarm, stop and start.
Severity level 5
BGP/5/BGP_MEM_ALERT: BGP process received system memory alert start
Example event.
Explanation BGP received a memory alarm.
If BGP received a system memory alert start event, check the system memory
Recommended and try to free some memory by adjusting modules that occupied too much
action memory.

BGP_PEER_LICENSE_REACHED
Message text Number of peers in Established state reached the license limit.

Variable fields N/A


Severity level 5
BGP/5/BGP_PEER_LICENSE_REACHED: Number of peers in Established
Example state reached the license limit.
Explanation The number of peers in Established state reached the license limit.
Recommended Determine whether a new license is required.
action

BGP_ROUTE_LICENSE_REACHED
Message text Number of [STRING] routes reached the license limit.
$1: BGP address family:
• IPv4-UNC public—IPv4 unicast routes for the public network.
• IPv6-UNC public—IPv6 unicast routes for the public network.
Variable fields • IPv4 private—IPv4 unicast routes, VPNv4 routes, and nested VPN routes
for the private network.
• IPv6 private—IPv6 unicast routes and VPNv6 routes for the private
network.
Severity level 5
BGP/5/BGP_ROUTE_LICENSE_REACHED: Number of IPv4-UNC public
Example routes reached the license limit.
Explanation The number of routes in the specified address family reached the license limit.
Determine whether a new license is required.
Recommended
After the number of routes in the specified family falls below the license limit or
action the license limit increases, you must manually restore the discarded routes.

289
Security level: Secret

BGP_STATE_CHANGED
Message text BGP.[STRING]: [STRING] state has changed from [STRING] to [STRING].
$1: VPN instance name. This field is blank for the public network.
$2: IP address of the BGP peer.
Variable fields
$3: Name of FSM before the state change.
$4: Name of FSM after the state change.
Severity level 5
BGP/5/BGP_STATE_CHANGED: BGP.vpn1:192.99.0.2 state has changed
Example from ESTABLISHED to IDLE.
The FSM of a BGP peer has changed.
Explanation This informational message appears when a BGP peer comes up or goes
down.
Recommended If a peer goes down unexpectedly, determine whether an error or packet loss
action occurs.

BGP_LOG_ROUTE_FLAP
BGP.[STRING]: The route [STRING] [STRING]/[UINT32] learned from peer
Message text [STRING] ([STRING]) flapped.
$1: VPN instance name. This field is blank for the public network.
$2: RD of the BGP route. This field is blank for a route without an RD.
$3: BGP route prefix.
Variable fields
$4: Mask of the BGP route prefix.
$5: IP address of the BGP peer.
$6: Address family of the BGP peer.
Severity level 4
BGP/4/BGP_LOG_ROUTE_FLAP: BGP.vpn1: The route 15.1.1.1/24 learned
Example from peer 1.1.1.1 (IPv4-UNC) flapped.
Explanation The route learned from a BGP peer flapped.
Recommended If a large number of routes flap, determine the route flapping cause and develop
action a solution.

290
Security level: Secret

BLS messages
This section contains blacklist messages.

BLS_ENTRY_ADD
SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
Message text RcvVPNInstance(1041)=[STRING]; TTL(1051)=[STRING];
Reason(1052)=[STRING].
$1: Blacklisted IP address.
$2: Peer address of the DS-Lite tunnel.
Variable fields $3: VPN instance name.
$4: TTL of a blacklist entry.
$5: Reason why the blacklist entry was added.
Severity level 5
BLS/5/BLS_ENTRY_ADD: SrcIPAddr(1003)=1.1.1.6;
DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=; TTL(1051)=;
Reason(1052)=Configuration.
Example
BLS/5/BLS_ENTRY_ADD: SrcIPAddr(1003)=9.1.1.5;
DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=vpn1; TTL(1051)=10;
Reason(1052)=Scan behavior detected.
A blacklist entry was added. The message is sent when a blacklist entry is
Explanation manually configured or dynamically created according to the scanning result.
Recommended action No action is required.

BLS_ENTRY_DEL
Message SrcIPAddr(1003)=[IPADDR]; DSLiteTunnelPeer(1040)=[STRING];
text RcvVPNInstance(1041)=[STRING]; Reason(1052)=[STRING].
$1: Blacklisted IP address.
$2: Peer address of the DS-Lite tunnel.
Variable fields
$3: VPN instance name.
$4: Reason why the blacklist entry was deleted.
Severity level 5
BLS/5/BLS_ENTRY_DEL: SrcIPAddr(1003)=1.1.1.3;
DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=;
Reason(1052)=Configuration.
Example
BLS/5/BLS_ENTRY_DEL: SrcIPAddr(1003)=9.1.1.5;
DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=vpn1;
Reason(1052)=Aging.
A blacklist entry was deleted. The message is sent when a blacklist entry is
Explanation manually deleted or dynamically deleted due to the aging.
Recommended No action is required.
action

291
Security level: Secret

BLS_IPV6_ENTRY_ADD
SrcIPv6Addr(1036)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text TTL(1051)=[STRING]; Reason(1052)=[STRING].
$1: Blacklisted IPv6 address.
$2: VPN instance name.
Variable fields
$3: TTL of a blacklist entry.
$4: Reason why the blacklist entry was added.
Severity level 5
BLS/5/BLS_IPV6_ENTRY_ADD: SrcIPv6Addr(1036)=2::2;
RcvVPNInstance(1041)=; TTL(1051)=; Reason(1052)=Configuration.
Example BLS/5/BLS_IPV6_ENTRY_ADD: SrcIPv6Addr(1036)=1::5;
RcvVPNInstance(1041)=--; TTL(1051)=10; Reason(1052)=Scan behavior
detected.
A blacklist entry was added. The message is sent when a blacklist entry is
Explanation manually configured or dynamically created according to the scanning result.
Recommended No action is required.
action

BLS_IPV6_ENTRY_DEL
SrcIPv6Addr(1036)=[IPADDR]; RcvVPNInstance(1041)=[STRING];
Message text Reason(1052)=[STRING].
$1: Blacklisted IPv6 address.
Variable fields $2: VPN instance name.
$3: Reason why the blacklist entry was deleted.
Severity level 5
BLS/5/BLS_IPV6_ENTRY_DEL: SrcIPv6Addr(1036)=2::2;
Example RcvVPNInstance(1041)=; Reason(1052)=Configuration.
A blacklist entry was deleted. The message is sent when a blacklist entry is
Explanation manually deleted or dynamically deleted due to the aging.
Recommended No action is required.
action

292
Security level: Secret

CFD messages
This section contains CFD messages.

CFD_CROSS_CCM
MEP [UINT16] in SI [INT32] received a cross-connect CCM. It’s SrcMAC is
Message text [MAC], SeqNum is [INT32], RMEP is [UINT16], MD ID is [STRING], MA ID is
[STRING].

$1: Service instance ID.


$2: Local MEP ID.
$3: Source MAC address.
Variable fields $4: Sequence number.
$5: Remote MEP ID.
$6: MD ID. If no MD ID is available, "without ID" is displayed.
$7: MA ID.

Severity level 6
CFD/6/CFD_CROSS_CCM: MEP 13 in SI 10 received a cross-connect CCM.
Example Its SrcMAC is 0011-2233-4401, SeqNum is 78, RMEP is 12, MD ID is without
ID, MA ID is 0.

Explanation A MEP received a cross-connect CCM containing a different MA ID or MD ID.

Recommended Check the configurations of MEPs on both ends. Make sure the MEPs have
action consistent configurations, including MD, MA, and level.

CFD_ERROR_CCM
MEP [UINT16] in SI [INT32] received an error CCM. It’s SrcMAC is [MAC],
Message text SeqNum is [INT32], RMEP is [UINT16], MD ID is [STRING], MA ID is [STRING].

$1: Service instance ID.


$2: Local MEP ID.
$3: Source MAC address.
Variable fields $4: Sequence number.
$5: Remote MEP ID.
$6: MD ID. If no MD ID is available, "without ID" is displayed.
$7: MA ID.

Severity level 6
CFD/6/CFD_ERROR_CCM: MEP 2 in SI 7 received an error CCM. Its SrcMAC
Example is 0011-2233-4401, SeqNum is 21, RMEP is 2, MD ID is 7, MA ID is 1.

Explanation A MEP received an error CCM containing an unexpected MEP ID or lifetime.

Recommended Check the CCM configuration. Make sure the CCM intervals are consistent on
action both ends, and the remote MEP ID is included in the MEP list of the local end.

293
Security level: Secret

CFD_LOST_CCM
Message text MEP [UINT16] in SI [INT32] failed to receive CCMs from RMEP [UINT16].
$1: Local MEP ID.
Variable fields $2: Service instance ID.
$3: Remote MEP ID.

Severity level 6

Example CFD/6/CFD_LOST_CCM: MEP 1 in SI 7 failed to receive CCMs from RMEP 2.


A MEP failed to receive CCMs within 3.5 sending intervals because the link is
Explanation faulty or the remote MEP does not send CCM within 3.5 sending intervals.
Check the link status and the configuration of the remote MEP. If the link is
Recommended down or faulty (becomes unidirectional, for example), restore the link. If the
action remote MEP is configured with the same service instance, make sure the CCM
sending intervals are consistent on both ends.

CFD_RECEIVE_CCM
Message text MEP [UINT16] in SI [INT32] received CCMs from RMEP [UINT16]
$1: Local MEP ID.
Variable fields $2: Service instance ID.
$3: Remote MEP ID.

Severity level 6

Example CFD/6/CFD_RECEIVE_CCM: MEP 1 in SI 7 received CCMs from RMEP 2.

Explanation A MEP received CCMs from a remote MEP.

Recommended No action is required.


action

294
Security level: Secret

CFGMAN messages
This section contains configuration management messages.

CFGMAN_CFGCHANGED
-EventIndex=[INT32]-CommandSource=[INT32]-ConfigSource=[INT32]-Config
Message text Destination=[INT32]; Configuration changed.
$1: Event index in the range of 1 to 2147483647.
$2: Configuration change source:
 cli—The configuration change came from the CLI.
 snmp—The configuration change came from the MIB.
 other—The configuration change came from other sources.
$3: Source configuration:
 erase—Deleting or renaming a configuration file.
 running—Saving the running configuration.
 commandSource—Copying a configuration file.
 startup—Saving the running configuration to the next-startup
configuration file.
 local—Saving the running configuration to a local file.
 networkFtp—Using FTP to transfer and save a configuration file to the
Variable fields device as the running configuration or next-startup configuration file.
 hotPlugging—A card hot swapping caused the configuration to be
deleted or become ineffective.
$4: Destination configuration:
 erase—Deleting or renaming a configuration file.
 running—Saving the running configuration.
 commandSource—Copying a configuration file.
 startup—Saving the running configuration to the next-startup
configuration file.
 local—Saving the running configuration to a local file.
 networkFtp—Using FTP to transfer and save a configuration file to the
device as the running configuration or next-startup configuration file.
 hotPlugging—A card hot swapping caused the configuration to be
deleted or become ineffective.

Severity level 5
CFGMAN/5/CFGMAN_CFGCHANGED:
Example -EventIndex=[6]-CommandSource=[snmp]-ConfigSource=[startup]-ConfigDest
ination=[running]; Configuration changed.

Explanation The running configuration changed in the past 10 minutes.

Recommended No action is required.


action

295
Security level: Secret

CFGMAN_OPTCOMPLETION
-OperateType=[INT32]-OperateTime=[INT32]-OperateState=[INT32]-Operate
Message text EndTime=[INT32]; Operation completed.
$1: Operation type:
 running2startup—Saves the running configuration to the next-startup
configuration file.
 startup2running—Loads the configuration in the next-startup
configuration file.
 running2net—Saves the running configuration to a host on the
network.
 net2running—Transfers a configuration file from a host on the network
and loads the configuration.
 net2startup—Transfers a configuration file from a host on the network
and specifies the file as the next-startup configuration file.
 startup2net—Copies the next-startup configuration file to a host on
the network.
$2: Operation start time.
$3: Operation status:
 InProcess—Operation is in progress.
 success—Operation succeeded.
 InvalidOperation—Invalid operation.
 InvalidProtocol—Invalid protocol.
Variable fields  InvalidSource—Invalid source file name.
 InvalidDestination—Invalid destination file name.
 InvalidServer—Invalid server address.
 DeviceBusy—The device is busy.
 InvalidDevice—Invalid device address.
 DeviceError—An error occurred on the device.
 DeviceNotWritable—The storage medium on the device is write
protected.
 DeviceFull—The device does not have enough free storage space for
the file.
 FileOpenError—Failed to open the file.
 FileTransferError—Failed to transfer the file.
 ChecksumError—File checksum error.
 LowMemory—The memory space is not sufficient.
 AuthFailed—User authentication failed.
 TransferTimeout—Transfer timed out.
 UnknownError—An unknown error occurred.
 invalidConfig—Invalid configuration.
$4: Operation end time.

Severity level 5
CFGMAN/5/CFGMAN_OPTCOMPLETION:
Example -OperateType=[running2startup]-OperateTime=[248]-OperateState=[success]-
OperateEndTime=[959983]; Operation completed.

Explanation The device is performing or has completed an operation.

Recommended If the operation is not successful, locate and resolve the problem.
action

296
Security level: Secret

CONNLMT messages
This section contains connection limit messages.

CONNLMT_IPV4_OVERLOAD
RcvIfName(1023)=[STRING];Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPAD
DR];DstIPAddr(1007)=[IPADDR];ServicePort(1071)=[UINT16];RcvVPNInstance(
Message text 1042)=[STRING];SndVPNInstance(1043)=[STRING];SndDSLiteTunnelPeer(104
1)=[STRING];UpperLimit(1049)=[UINT32];LimitRuleNum(1051)=[UINT16];Event(
1048)=[STRING];
$1: Global, or interface name.
$2: Transport layer protocol type.
$3: Source IP address.
$4: Destination IP address.
$5: Service port number.
Variable fields $6: Source VPN instance name.
$7: Destination VPN instance name.
$8: Peer tunnel ID.
$9: Upper threshold.
$10: Rule ID.
$11: Event message.
Severity level 6
CONNLMT/6/CONNLMT_IPV4_OVERLOAD:
RcvIfName(1023)=Global;Protocol(1001)=;SrcIPAddr(1003)=10.10.10.1;DstIPAd
Example dr(1007)=;ServicePort(1071)=;RcvVPNInstance(1042)=;SndVPNInstance(1043)
=;SndDSLiteTunnelPeer(1041)=;UpperLimit(1049)=1000;LimitRuleNum(1051)=1
;Event(1048)=Exceeds upper threshold;
Explanation The number of concurrent connections exceeded the upper threshold.
Recommended No action is required.
action

297
Security level: Secret

CONNLMT_IPV4_RECOVER
RcvIfName(1023)=[STRING];Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPAD
DR];DstIPAddr(1007)=[IPADDR];ServicePort(1071)=[UINT16];RcvVPNInstance(
Message text 1042)=[STRING];SndVPNInstance(1043)=[STRING];SndDSLiteTunnelPeer(104
1)=[STRING];DropPktCount(1052)=[UINT32];LowerLimit(1050)=[UINT32];LimitR
uleNum(1051)=[UINT16];Event(1048)=[STRING];
$1: Global, or interface name.
$2: Transport layer protocol type.
$3: Source IP address.
$4: Destination IP address.
$5: Service port number.
$6: Source VPN instance name.
Variable fields
$7: Destination VPN instance name.
$8: Peer tunnel ID.
$9: Number of dropped packets.
$10: Lower threshold.
$11: Rule ID.
$12: Event message.
Severity level 6
CONNLMT/6/CONNLMT_IPV4_RECOVER:
RcvIfName(1023)=Global;Protocol(1001)=;SrcIPAddr(1003)=10.10.10.1;DstIPAd
Example dr(1007)=;ServicePort(1071)=;RcvVPNInstance(1042)=;SndVPNInstance(1043)
=;SndDSLiteTunnelPeer(1041)=;DropPktCount(1052)=306004;LowerLimit(1050)
=10;LimitRuleNum(1051)=1;Event(1048)=Reduces below lower threshold;
The number of concurrent connections dropped to the lower threshold from the
Explanation upper threshold.
Recommended No action is required.
action

298
Security level: Secret

CONNLMT_IPV6_OVERLOAD
RcvIfName(1023)=[STRING];Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[IPA
DDR];DstIPv6Addr(1037)=[IPADDR];ServicePort(1071)=[UINT16];RcvVPNInstan
Message text ce(1042)=[STRING];SndVPNInstance(1043)=[STRING];SndDSLiteTunnelPeer(1
041)=[STRING];UpperLimit(1049)=[UINT32];LimitRuleNum(1051)=[UINT16];Eve
nt(1048)=[STRING];
$1: Global, or interface name.
$2: Transport layer protocol type.
$3: Source IPv6 address.
$4: Destination IPv6 address.
$5: Service port number.
Variable fields $6: Source VPN instance name.
$7: Destination VPN instance name.
$8: Peer tunnel ID.
$9: Upper threshold.
$10: Rule ID.
$11: Event message.
Severity level 6
CONNLMT/6/CONNLMT_IPV6_OVERLOAD:
RcvIfName(1023)=Global;Protocol(1001)=;SrcIPv6Addr(1036)=2001::1;DstIPv6A
Example ddr(1037)=;ServicePort(1071)=;RcvVPNInstance(1042)=;SndVPNInstance(1043)
=;SndDSLiteTunnelPeer(1041)=;UpperLimit(1049)=1000;LimitRuleNum(1051)=1
;Event(1048)=Exceeds upper threshold;
Explanation The number of concurrent connections exceeded the upper threshold.
Recommended No action is required.
action

299
Security level: Secret

CONNLMT_IPV6_RECOVER
RcvIfName(1023)=[STRING];Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[IPA
DDR];DstIPv6Addr(1037)=[IPADDR];ServicePort(1071)=[UINT16];RcvVPNInstan
Message text ce(1042)=[STRING];SndVPNInstance(1043)=[STRING];SndDSLiteTunnelPeer(1
041)=[STRING];DropPktCount(1052)=[UINT32];LowerLimit(1050)=[UINT32];Limit
RuleNum(1051)=[UINT16];Event(1048)=[STRING];
$1: Global, or interface name.
$2: Transport layer protocol type.
$3: Source IPv6 address.
$4: Destination IPv6 address.
$5: Service port number.
$6: Source VPN instance name.
Variable fields
$7: Destination VPN instance name.
$8: Peer tunnel ID.
$9: Number of dropped packets.
$10: Lower threshold.
$11: Rule ID.
$12: Event message.
Severity level 6
CONNLMT/6/CONNLMT_IPV6_RECOVER:
RcvIfName(1023)=Global;Protocol(1001)=;SrcIPAddr(1003)=2001::1;DstIPAddr(
Example 1007)=;ServicePort(1071)=;RcvVPNInstance(1042)=;SndVPNInstance(1043)=;S
ndDSLiteTunnelPeer(1041)=;DropPktCount(1052)=306004;LowerLimit(1050)=10
;LimitRuleNum(1051)=1;Event(1048)=Reduces below lower threshold;
The number of concurrent connections dropped to the lower threshold from the
Explanation upper threshold.
Recommended No action is required.
action

300
Security level: Secret

DEV messages
This section contains device management messages.

BOARD_REBOOT
Board is rebooting on slot [INT32]. (Centralized IRF devices–In standalone
Message text mode.)
Board is rebooting on chassis [INT32] slot [INT32]. (In IRF mode.)
$1: Chassis ID. (In IRF mode.)
Variable fields $1: Slot ID. (Centralized IRF devices–In standalone mode.)
$2: Slot ID. (In IRF mode.)

Severity level 5
DEV/5/BOARD_REBOOT: Board is rebooting on slot 2. (Centralized IRF
Example devices–In standalone mode.)

Explanation A card was manually or automatically rebooted.


If an unexpected automatic reboot occurred, perform the following tasks:
Recommended 1. Execute the display version command after the slot starts up.
action 2. Check the Last reboot reason field for the reboot reason.
3. If an exception caused the reboot, contact HP Support.

BOARD_REMOVED
Board was removed from slot [INT32], type is [STRING]. (Centralized IRF
devices–In standalone mode.)
Message text
Board was removed from chassis [INT32] slot [INT32], type is [STRING]. (In
IRF mode.)
Centralized IRF devices–In standalone mode:
$1: Slot ID.
$2: Card type.
Variable fields In IRF mode:
$1: Chassis ID.
$2: Slot ID.
$3: Card type.

Severity level 3
DEV/3/BOARD_REMOVED: Board was removed from slot 2, type is
Example LSQ1FV48SA. (Centralized IRF devices–In standalone mode.)
An LPU or a standby MPU was removed from a member device, causing the
Explanation device to leave the IRF fabric.
If the LPU or MPU was not manually removed, perform the following tasks:
1. Verify that the card is securely seated.
Recommended 2. Replace the card if the message persists.
action 3. Reboot the device to make it join the IRF fabric.
4. If the problem persists, contact HP Support.

301
Security level: Secret

BOARD_STATE_NORMAL
Board state changed to Normal on slot [INT32], type is [STRING]. (Centralized
IRF devices–In standalone mode.)
Message text
Board state changed to Normal on chassis [INT32] slot [INT32], type is
[STRING]. (In IRF mode.)
Centralized IRF devices–In standalone mode:
$1: Slot ID.
$2: Card type.
Variable fields In IRF mode:
$1: Chassis ID.
$2: Slot ID.
$3: Card type.

Severity level 5
DEV/5/BOARD_STATE_NORMAL: Board state changed to Normal on slot 2,
Example type is LSQ1FV48SA. (Centralized IRF devices–In standalone mode.)

Explanation A newly installed LPU or standby MPU completed initialization.

Recommended No action is required.


action

BOARD_STATE_FAULT
Board state changed to Fault on slot [INT32], type is [STRING]. (Centralized
IRF devices–In standalone mode.)
Message text
Board state changed to Fault on chassis [INT32] slot [INT32], type is [STRING].
(In IRF mode.)

Centralized IRF devices–In standalone mode:


$1: Slot ID.
$2: Card type.
Variable fields In IRF mode:
$1: Chassis ID.
$2: Slot ID.
$3: Card type.

Severity level 2
DEV/2/BOARD_STATE_FAULT: Board state changed to Fault on slot 2, type
Example is LSQ1FV48SA. (Centralized IRF devices–In standalone mode.)

The card was starting up (initializing or loading software) or was not operating
Explanation correctly.
• If the card was newly installed, wait for the card to start up. The required
Recommended startup time varies by card model and software version and is typically
action less than 10 minutes.
• If the card was not newly installed, contact HP Support.

302
Security level: Secret

CFCARD_INSERTED
CF card was inserted in slot [INT32] CF card slot [INT32]. (Centralized IRF
devices–In standalone mode.)
Message text
CF card was inserted in chassis [INT32] slot [INT32] CF card slot [INT32]. (In
IRF mode.)
Centralized IRF devices–In standalone mode:
$1: Slot ID.
$2: CF card slot ID.
Variable fields In IRF mode:
$1: Chassis ID.
$2: Slot ID.
$3: CF card slot ID .

Severity level 4
DEV/4/CFCARD_INSERTED: CF card was inserted in slot 2 CF card slot 1.
Example (Centralized IRF devices–In standalone mode.)

Explanation A CF card was installed.

Recommended No action is required.


action

CFCARD_REMOVED
CF card was removed from slot [INT32] CF card slot [INT32]. (Centralized IRF
devices–In standalone mode.)
Message text
CF card was removed from chassis [INT32] slot [INT32] CF card slot [INT32].
(In IRF mode.)

Centralized IRF devices–In standalone mode:


$1: Slot ID.
$2: CF card slot ID.
Variable fields In IRF mode:
$1: Chassis ID.
$2: Slot ID.
$3: CF card slot ID .

Severity level 3
DEV/3/CFCARD_REMOVED: CF card was removed from slot 2 CF card slot 1.
Example (Centralized IRF devices–In standalone mode.)

Explanation A CF card was removed.


If the CF card was not manually removed, perform the following tasks:
Recommended 1. Verify that the card is securely seated.
action 2. Replace the card if the message persists.
3. If the problem persists, contact HP Support.

303
Security level: Secret

CHASSIS_REBOOT
Message text Chassis [INT32] is rebooting now.

Variable fields $1: Chassis ID.

Severity level 5

Example DEV/5/CHASSIS_REBOOT: Chassis 1 is rebooting now.

Explanation The chassis was manually or automatically rebooted.


If an unexpected automatic reboot occurs, perform the following tasks:
Recommended 1. Execute the display version command after the chassis starts up.
action 2. Check the Last reboot reason field for the reboot reason.
3. If an exception caused the reboot, contact HP Support.

DEV_CLOCK_CHANGE
-User=[STRING]-IPAddr=[IPADDR]; System clock changed from [STRING] to
Message text [STRING].

$1: Username of the login user.


$2: IP address of the login user.
Variable fields
$3: Old time.
$4: New time.

Severity level 5
DEV/5/DEV_CLOCK_CHANGE: -User=admin-IPAddr=192.168.1.2; System
Example clock changed from 15:49:52 01/02/2013 to 15:50:00 01/02/2013.

Explanation The system time changed.

Recommended No action is required.


action

DEV_FAULT_TOOLONG
Message text Card in $1 is still in Fault state for $2 minutes.
$1: Slot ID in the slot n form. (Centralized IRF devices–In standalone mode.)
Variable fields $1: Chassis ID and slot ID in the chassis n slot m form. (In IRF mode.)
$2: Time duration during which the card stayed in Fault state.

Severity level 4
DEV/4/DEV_FAULT_TOOLONG: Card in slot 2 is still in Fault state for 60
Example minutes. (Centralized IRF devices–In standalone mode.)

Explanation A card stayed in Fault state for a long period of time.

Recommended 1. Reboot the card.


action 2. If the problem persists, contact HP Support.

304
Security level: Secret

DYINGGASP
Message text Power failure or manual power-off occurred.

Variable fields N/A

Severity level 0

Example DYINGGASP/0/DYINGGASP: Power failure or manual power-off occurred.

Explanation The device detected an abrupt loss of power.


1. Verify that the power source is supplying power correctly.
2. Verify that the power cord is connected firmly.
Recommended 3. Check the installed power modules. If one or more power modules have
action problems, replace the power modules.
4. If the problem persists, contact HP Support.

FAN_ABSENT
Fan [INT32] is absent. (Centralized devices–Centralized IRF devices–In
Message text standalone mode.)
Chassis [INT32] fan [INT32] is absent. (In IRF mode.)
$1: Fan tray ID. (Centralized devices–Centralized IRF devices–In standalone
mode.)
Variable fields $1: Chassis ID. (In IRF mode.)
$2: Fan tray ID. (In IRF mode.)

Severity level 3
DEV/3/FAN_ABSENT: Fan 2 is absent. (Centralized devices–Centralized IRF
Example devices–In standalone mode.)

Explanation A fan tray was not in place.


1. Check the fan tray slot:
 If the fan tray slot is empty, the temperature might have increased and
Recommended the system recommends that you install a fan tray.
action  If a fan tray is present, verify that the fan tray is securely seated.
2. Replace the fan tray if the message persists.
3. If the problem persists, contact HP Support.

305
Security level: Secret

FAN_DIRECTION_NOT_PREFERRED
Fan [INT32] airflow direction is not preferred, please check it. (Centralized
devices.)
Fan [INT32] airflow direction is not preferred on slot [INT32], please check it.
Message text (Centralized IRF devices–In standalone mode.)
Fan [INT32] airflow direction is not preferred on chassis [INT32] slot [INT32],
please check it. (In IRF mode.)
$1: Fan tray ID.
$2: Slot ID. (Centralized IRF devices–In standalone mode.)
Variable fields
$2: Chassis ID. (In IRF mode.)
$3: Slot ID. (In IRF mode.)

Severity level 1
DEV/1/FAN_DIRECTION_NOT_PREFERRED: Fan 1 airflow direction is not
preferred, please check it. (Centralized devices.)
Example DEV/1/FAN_DIRECTION_NOT_PREFERRED: Fan 1 airflow direction is not
preferred on slot 1, please check it. (Centralized IRF devices–In standalone
mode.)

Explanation The airflow direction of the fan tray is different from the airflow direction setting.
1. Verify that the airflow direction setting is correct.
Recommended 2. Verify that the fan tray model provides the same airflow direction as the
action configured setting.
3. If the problem persists, contact HP Support.

FAN_FAILED
Fan [INT32] failed. (Centralized devices–Centralized IRF devices–In
Message text standalone mode.)
Chassis [INT32] fan [INT32] failed. (In IRF mode.)
$1: Fan tray ID. (Centralized devices–Centralized IRF devices–In standalone
mode.)
Variable fields $1: Chassis ID. (In IRF mode.)
$2: Fan tray ID. (In IRF mode.)

Severity level 2
DEV/2/FAN_FAILED: Fan 2 failed. (Centralized devices–Centralized IRF
Example devices–In standalone mode.)

Explanation The fan tray stopped because of an exception.

Recommended Replace the fan tray.


action

306
Security level: Secret

FAN_RECOVERED
Fan [INT32] recovered. (Centralized devices–Centralized IRF devices–In
Message text standalone mode.)
Chassis [INT32] fan [INT32] recovered. (In IRF mode.)
$1: Fan tray ID. (Centralized devices–Centralized IRF devices–In standalone
mode.)
Variable fields $1: Chassis ID. (In IRF mode.)
$2: Fan tray ID. (In IRF mode.)

Severity level 5
DEV/5/FAN_RECOVERED: Fan 2 recovered. (Centralized
Example devices–Centralized IRF devices–In standalone mode.)

Explanation The fan tray started to operate correctly after it was installed.

Recommended No action is required.


action

MAD_DETECT
Message text Multi-active devices detected, please fix it.

Variable fields N/A

Severity level 1

Example DEV/1/MAD_DETECT: Multi-active devices detected, please fix it.

Explanation Multiple member devices were found active.


1. Use the display irf command to view which member devices have left the
Recommended original IRF fabric.
action 2. Use the display irf link command to locate the IRF link with problems.
3. Fix the IRF link in DOWN state.

307
Security level: Secret

POWER_ABSENT
Power [INT32] is absent. (Centralized devices–Centralized IRF devices–In
Message text standalone mode.)
Chassis [INT32] power [INT32] is absent. (In IRF mode.)
$1: Power supply ID. (Centralized devices–Centralized IRF devices–In
standalone mode.)
Variable fields $1: Chassis ID. (In IRF mode.)
$2: Power supply ID. (In IRF mode.)

Severity level 3
DEV/3/POWER_ABSENT: Power 1 is absent. (Centralized
Example devices–Centralized IRF devices–In standalone mode.)

Explanation A power supply was removed.


1. Check the power supply slot.
 If the power supply slot is empty, install a power supply.
Recommended  If a power supply is present, verify that the power supply is securely
action seated.
2. If the problem persists, replace the power supply.
3. If the problem persists, contact HP Support.

POWER_FAILED
Power [INT32] failed. (Centralized devices–Centralized IRF devices–In
Message text standalone mode.)
Chassis [INT32] power [INT32] failed. (In IRF mode.)
$1: Power supply ID. (Centralized devices–Centralized IRF devices–In
standalone mode.)
Variable fields $1: Chassis ID. (In IRF mode.)
$2: Power supply ID. (In IRF mode.)

Severity level 2
DEV/2/POWER_FAILED: Power 1 failed. (Centralized devices–Centralized
Example IRF devices–In standalone mode.)

Explanation A power supply failed.

Recommended Replace the power supply.


action

308
Security level: Secret

POWER_MONITOR_ABSENT
Power monitor unit [INT32] is absent. (Centralized devices–Centralized IRF
Message text devices–In standalone mode.)
Chassis [INT32] power monitor unit [INT32] is absent. (In IRF mode.)
$1: Power monitoring module ID. (Centralized devices–Centralized IRF
devices–In standalone mode.)
Variable fields $1: Chassis ID. (In IRF mode.)
$2: Power monitoring module ID. (In IRF mode.)

Severity level 3
DEV/3/POWER_MONITOR_ABSENT: Power monitor unit 1 is absent.
Example (Centralized devices–Centralized IRF devices–In standalone mode.)

Explanation A power monitoring module was removed.


1. Check the power monitoring module slot.
 If the power monitoring module slot is empty, install a power monitoring
module.
Recommended  If a power monitoring module is present, verify that the power
action monitoring module is securely seated.
2. If the problem persists, replace the power monitoring module.
3. If the problem persists, contact HP Support.

POWER_MONITOR_FAILED
Power monitor unit [INT32] failed. (Centralized devices–Centralized IRF
Message text devices–In standalone mode.)
Chassis [INT32] power monitor unit [INT32] failed. (In IRF mode.)
$1: Power monitoring module ID. (Centralized devices–Centralized IRF
devices–In standalone mode.)
Variable fields $1: Chassis ID. (In IRF mode.)
$2: Power monitoring module ID. (In IRF mode.)

Severity level 2
DEV/2/POWER_MONITOR_FAILED: Power monitor unit 1 failed. (Centralized
Example devices–Centralized IRF devices–In standalone mode.)

Explanation A power monitoring module failed.

Recommended Replace the power monitoring module.


action

309
Security level: Secret

POWER_MONITOR_RECOVERED
Power monitor unit [INT32] recovered. (Centralized devices–Centralized IRF
Message text devices–In standalone mode.)
Chassis [INT32] power monitor unit [INT32] recovered. (In IRF mode.)
$1: Power monitoring module ID. (Centralized devices–Centralized IRF
devices–In standalone mode.)
Variable fields $1: Chassis ID. (In IRF mode.)
$2: Power monitoring module ID. (In IRF mode.)

Severity level 5
DEV/5/POWER_MONITOR_RECOVERED: Power monitor unit 1 recovered.
Example (Centralized devices–Centralized IRF devices–In standalone mode.)

Explanation The power monitoring module started to operate correctly after it was installed.

Recommended No action is required.


action

POWER_RECOVERED
Power [INT32] recovered. (Centralized devices–Centralized IRF devices–In
Message text standalone mode.)
Chassis [INT32] power [INT32] recovered. (In IRF mode.)
$1: Power supply ID. (Centralized devices–Centralized IRF devices–In
standalone mode.)
Variable fields $1: Chassis ID. (In IRF mode.)
$2: Power supply ID. (In IRF mode.)

Severity level 5
DEV/5/POWER_RECOVERED: Power 1 recovered. (Centralized
Example devices–Centralized IRF devices–In standalone mode.)

Explanation The power supply started to operate correctly after it was installed.

Recommended No action is required.


action

310
Security level: Secret

RPS_ABSENT
RPS [INT32] is absent. (Centralized devices–Centralized IRF devices–In
Message text standalone mode.)
Chassis [INT32] RPS [INT32] is absent. (In IRF mode.)
$1: RPS ID. (Centralized devices–Centralized IRF devices–In standalone
mode.)
Variable fields $1: Chassis ID. (In IRF mode.)
$2: RPS ID. (In IRF mode.)

Severity level 3
DEV/3/RPS_ABSENT: RPS 1 is absent. (Centralized devices–Centralized IRF
Example devices–In standalone mode.)

Explanation An RPS was removed.


1. Check the RPS slot.
 If the RPS slot is empty, install an RPS.
Recommended  If an RPS is present, verify that the RPS is securely seated.
action 2. If the problem persists, replace the RPS.
3. If the problem persists, contact HP Support.

RPS_NORMAL
RPS [INT32] is normal. (Centralized devices–Centralized IRF devices–In
Message text standalone mode.)
Chassis [INT32] RPS [INT32] is normal. (In IRF mode.)
$1: RPS ID. (Centralized devices–Centralized IRF devices–In standalone
mode.)
Variable fields $1: Chassis ID. (In IRF mode.)
$2: RPS ID. (In IRF mode.)

Severity level 5
DEV/5/RPS_NORMAL: RPS 1 is normal. (Centralized devices–Centralized
Example IRF devices–In standalone mode.)

Explanation The RPS started to operate correctly after it was installed.

Recommended No action is required.


action

311
Security level: Secret

SUBCARD_FAULT
Subcard state changed to Fault on subslot [INT32], type is [STRING].
(Centralized devices.)
Subcard state changed to Fault on slot [INT32] subslot [INT32], type is
Message text [STRING]. (Centralized IRF devices–In standalone mode.)
Subcard state changed to Fault on chassis [INT32] slot [INT32] subslot [INT32],
type is [STRING]. (In IRF mode.)
Centralized devices:
$1: Subslot ID.
$2: Subcard type.
Centralized IRF devices–In standalone mode:
$1: Slot ID.
$2: Subslot ID.
Variable fields
$3: Subcard type.
In IRF mode:
$1: Chassis ID.
$2: Slot ID.
$3: Subslot ID.
$4: Subcard type.

Severity level 2
DEV/2/SUBCARD_FAULT: Subcard state changed to Fault on subslot 1, type
is MIM-1ATM-OC3SML. (Centralized devices.)
Example
DEV/2/SUBCARD_FAULT: Subcard state changed to Fault on slot 2 subslot 1,
type is MIM-1ATM-OC3SML. (Centralized IRF devices–In standalone mode.)

Explanation The subcard failed, or its status changed to Fault after it was rebooted.

Track the status of the subcard.


Recommended • If the status of the subcard changes to Normal later, no action is required.
action
• If the status is always Fault, replace the subcard.

312
Security level: Secret

SUBCARD_INSERTED
Subcard was inserted in subslot [INT32], type is [STRING]. (Centralized
devices.)
Subcard was inserted in slot [INT32] subslot [INT32], type is [STRING].
Message text (Centralized IRF devices–In standalone mode.)
Subcard was inserted in chassis [INT32] slot [INT32] subslot [INT32], type is
[STRING]. (In IRF mode.)
Centralized devices:
$1: Subslot ID.
$2: Subcard type.
Centralized IRF devices–In standalone mode:
$1: Slot ID.
$2: Subslot ID.
Variable fields
$3: Subcard type.
In IRF mode:
$1: Chassis ID.
$2: Slot ID.
$3: Subslot ID.
$4: Subcard type.

Severity level 4
DEV/4/SUBCARD_INSERTED: Subcard was inserted in subslot 1, type is
MIM-1ATM-OC3SML. (Centralized devices.)
Example DEV/4/SUBCARD_INSERTED: Subcard was inserted in chassis 1 slot 5
subslot 1, type is MIM-1ATM-OC3SML. (Centralized IRF devices–In
standalone mode.)

Explanation A subcard was installed.

Recommended No action is required.


action

313
Security level: Secret

SUBCARD_REBOOT
Subcard is rebooting on subslot [INT32]. (Centralized devices.)
Subcard is rebooting on slot [INT32] subslot [INT32]. (Centralized IRF
Message text devices–In standalone mode.)
Subcard is rebooting on chassis [INT32] slot [INT32] subslot [INT32]. (In IRF
mode.)
Centralized devices:
$1: Subslot ID.
Centralized IRF devices–In standalone mode:
$1: Slot ID.
Variable fields $2: Subslot ID.
In IRF mode:
$1: Chassis ID.
$2: Slot ID.
$3: Subslot ID.

Severity level 5
DEV/5/SUBCARD_REBOOT: Subcard is rebooting on subslot 1. (Centralized
devices.)
Example
DEV/5/SUBCARD_REBOOT: Subcard is rebooting on slot 2 subslot 1.
(Centralized IRF devices–In standalone mode.)

Explanation The subcard was manually or automatically rebooted.


• If the subcard operates correctly after it starts up, no action is required.
Recommended
• If you want to know the reboot reason or the subcard keeps rebooting,
action contact HP Support.

314
Security level: Secret

SUBCARD_REMOVED
Subcard was removed from subslot [INT32], type is [STRING]. (Centralized
devices.)
Subcard was removed from slot [INT32] subslot [INT32], type is [STRING].
Message text (Centralized IRF devices–In standalone mode.)
Subcard was removed from chassis [INT32] slot [INT32] subslot [INT32], type
is [STRING]. (In IRF mode.)
Centralized devices:
$1: Subslot ID.
$2: Subcard type.
Centralized IRF devices–In standalone mode:
$1: Slot ID.
$2: Subslot ID.
Variable fields
$3: Subcard type.
In IRF mode:
$1: Chassis ID.
$2: Slot ID.
$3: Subslot ID.
$4: Subcard type.

Severity level 3
DEV/3/SUBCARD_REMOVED: Subcard was removed from subslot 1, type is
MIM-1ATM-OC3SML. (Centralized devices.)
Example
DEV/3/SUBCARD_REMOVED: Subcard was removed from slot 2 subslot 1,
type is MIM-1ATM-OC3SML. (Centralized IRF devices–In standalone mode.)

Explanation A subcard was removed.


If the subcard was not manually removed, perform the following tasks:
Recommended 1. Verify that the subcard is securely seated.
action 2. Replace the subcard if the message persists.
3. If the problem persists, contact HP Support.

SYSTEM_REBOOT
Message text System is rebooting now.

Variable fields N/A

Severity level 5

Example DEV/5/SYSTEM_REBOOT: System is rebooting now.

Explanation The system was manually or automatically rebooted.


If an unexpected automatic reboot occurred, perform the following tasks:
Recommended 1. Execute the display version command after the system starts up.
action 2. Check the Last reboot reason field for the reboot reason.
3. If an exception caused the reboot, contact HP Support.

315
Security level: Secret

TEMPERATURE_ALARM
Temperature is greater than the high-temperature alarming threshold on
sensor [STRING] [INT32]. (Centralized devices.)
Temperature is greater than the high-temperature alarming threshold on slot
Message text [INT32] sensor [STRING] [INT32]. (Centralized IRF devices–In standalone
mode.)
Temperature is greater than the high-temperature alarming threshold on
chassis [INT32] slot [INT32] sensor [STRING] [INT32]. (In IRF mode.)
Centralized devices:
$1: Sensor type.
$2: Sensor ID.
Centralized IRF devices–In standalone mode:
$1: Slot ID.
$2: Sensor type.
Variable fields
$3: Sensor ID.
In IRF mode:
$1: Chassis ID.
$2: Slot ID.
$3: Sensor type.
$4: Sensor ID.

Severity level 4
DEV/4/TEMPERATURE_ALARM: Temperature is greater than the
high-temperature alarming threshold on sensor inflow 1. (Centralized devices.)
Example DEV/4/TEMPERATURE_ALARM: Temperature is greater than the
high-temperature alarming threshold on slot 2 sensor inflow 1. (Centralized IRF
devices–In standalone mode.)

A sensor's temperature exceeded the high-temperature alarming threshold.


Explanation The ambient temperature was too high or the fan tray was not operating
correctly.
1. Verify that the ambient temperature is normal and the ventilation system is
operating correctly.
Recommended 2. Use the display fan command to verify that the fan trays are in position
action and operating correctly. If a fan tray is missing, install the fan tray. If a fan
tray does not operate correctly, replace it.

316
Security level: Secret

TEMPERATURE_LOW
Temperature is less than the low-temperature threshold on sensor [STRING]
[INT32]. (Centralized devices.)
Temperature is less than the low-temperature threshold on slot [INT32] sensor
Message text [STRING] [INT32]. (Centralized IRF devices–In standalone mode.)
Temperature is less than the low-temperature threshold on chassis [INT32] slot
[INT32] sensor [STRING] [INT32]. (In IRF mode.)
Centralized devices:
$1: Sensor type.
$2: Sensor ID.
Centralized IRF devices–In standalone mode:
$1: Slot ID.
$2: Sensor type.
Variable fields
$3: Sensor ID.
In IRF mode:
$1: Chassis ID.
$2: Slot ID.
$3: Sensor type.
$4: Sensor ID.

Severity level 4
DEV/4/TEMPERATURE_LOW: Temperature is less than the low-temperature
threshold on sensor inflow 1. (Centralized devices.)
Example DEV/4/TEMPERATURE_LOW: Temperature is less than the low-temperature
threshold on slot 2 sensor inflow 1. (Centralized IRF devices–In standalone
mode.)

Explanation A sensor's temperature fell below the low-temperature threshold.

Recommended Adjust the ambient temperature higher.


action

317
Security level: Secret

TEMPERATURE_NORMAL
Temperature changed to normal on sensor [STRING] [INT32]. (Centralized
devices.)
Temperature changed to normal on slot [INT32] sensor [STRING] [INT32].
Message text (Centralized IRF devices–In standalone mode.)
Temperature changed to normal on chassis [INT32] slot [INT32] sensor
[STRING] [INT32]. (In IRF mode.)
Centralized devices:
$1: Sensor type.
$2: Sensor ID.
Centralized IRF devices–In standalone mode:
$1: Slot ID.
$2: Sensor type.
Variable fields
$3: Sensor ID.
In IRF mode:
$1: Chassis ID.
$2: Slot ID.
$3: Sensor type.
$4: Sensor ID.

Severity level 5
DEV/5/TEMPERATURE_NORMAL: Temperature changed to normal on
sensor inflow 1. (Centralized devices.)
Example
DEV/5/TEMPERATURE_NORMAL: Temperature changed to normal on slot 2
sensor inflow 1. (Centralized IRF devices–In standalone mode.)
A sensor's temperature was normal (between the low-temperature threshold
Explanation and the high-temperature warning threshold).

Recommended No action is required.


action

318
Security level: Secret

TEMPERATURE_SHUTDOWN
Temperature is greater than the high-temperature shutdown threshold on
sensor [STRING] [INT32]. The slot will be powered off automatically.
(Centralized devices.)
Temperature is greater than the high-temperature shutdown threshold on slot
Message text [INT32] sensor [STRING] [INT32]. The slot will be powered off automatically.
(Centralized IRF devices–In standalone mode.)
Temperature is greater than the high-temperature shutdown threshold on
chassis [INT32] slot [INT32] sensor [STRING] [INT32]. The slot will be powered
off automatically. (In IRF mode.)

Centralized devices:
$1: Sensor type.
$2: Sensor ID.
Centralized IRF devices–In standalone mode:
$1: Slot ID.
$2: Sensor type.
Variable fields
$3: Sensor ID.
In IRF mode:
$1: Chassis ID.
$2: Slot ID.
$3: Sensor type.
$4: Sensor ID.

Severity level 2
DEV/2/TEMPERATURE_SHUTDOWN: Temperature is greater than the
high-temperature shutdown threshold on sensor inflow 1. The slot will be
powered off automatically. (Centralized devices.)
Example
DEV/2/TEMPERATURE_SHUTDOWN: Temperature is greater than the
high-temperature shutdown threshold on slot 2 sensor inflow 1. The slot will be
powered off automatically. (Centralized IRF devices–In standalone mode.)

A sensor's temperature exceeded the high-temperature shutdown threshold.


Explanation The ambient temperature was too high or the fan tray was not operating
correctly.
1. Verify that the ambient temperature is normal and the ventilation system is
operating correctly.
Recommended 2. Use the display fan command to verify that the fan trays are in position
action and operating correctly. If a fan tray is missing, install the fan tray. If a fan
tray does not operate correctly, replace it.

319
Security level: Secret

TEMPERATURE_WARNING
Temperature is greater than the high-temperature warning threshold on sensor
[STRING] [INT32]. (Centralized devices.)
Temperature is greater than the high-temperature warning threshold on slot
Message text [INT32] sensor [STRING] [INT32]. (Centralized IRF devices–In standalone
mode.)
Temperature is greater than the high-temperature warning threshold on
chassis [INT32] slot [INT32] sensor [STRING] [INT32]. (In IRF mode.)
Centralized devices:
$1: Sensor type.
$2: Sensor ID.
Centralized IRF devices–In standalone mode:
$1: Slot ID.
$2: Sensor type.
Variable fields
$3: Sensor ID.
In IRF mode:
$1: Chassis ID.
$2: Slot ID.
$3: Sensor type.
$4: Sensor ID.

Severity level 4
DEV/4/TEMPERATURE_WARNING: Temperature is greater than the
high-temperature warning threshold on sensor inflow 1. (Centralized devices.)
Example DEV/4/TEMPERATURE_WARNING: Temperature is greater than the
high-temperature warning threshold on slot 2 sensor inflow 1. (Centralized IRF
devices–In standalone mode.)

A sensor's temperature exceeded the high-temperature warning threshold. The


Explanation ambient temperature was too high or the fan tray was not operating correctly.
1. Verify that the ambient temperature is normal and the ventilation system is
operating correctly.
Recommended 2. Use the display fan command to verify that the fan trays are in position
action and operating correctly. If a fan tray is missing, install the fan tray. If a fan
tray does not operate correctly, replace it.

320
Security level: Secret

VCHK_VERSION_INCOMPATIBLE
Message text Software version of [STRING] is incompatible with that of the MPU.
$1: Slot ID in the slot n form. (Centralized IRF devices–In standalone mode.)
Variable fields
$1: Chassis ID and slot ID in the chassis n slot m form. (In IRF mode.)

Severity level 1
DEV/1/ VCHK_VERSION_INCOMPATIBLE: Software version of chassis 9 slot
Example 2 is incompatible with that of the MPU. (Centralized IRF devices–In standalone
mode.)
A PEX that was starting up detected that its software version is incompatible
Explanation with the parent device's software version.

Recommended Specify a set of startup software images for the PEX. Make sure the images are
action compatible with the parent device's software images.

321
Security level: Secret

DHCP
This section contains DHCP messages.

DHCP_NOTSUPPORTED
Failed to apply filtering rules for DHCP packets because some rules are not
Message text supported.

Variable fields N/A


Severity level 3
DHCP/3/DHCP_NOTSUPPORTED: Failed to apply filtering rules for DHCP
Example packets because some rules are not supported.
The system failed to apply filtering rules for DHCP packets because some rules
Explanation are not supported on the device.
Recommended No action is required.
action

DHCP_NORESOURCES
Failed to apply filtering rules for DHCP packets because hardware resources
Message text are insufficient.

Variable fields N/A


Severity level 3
DHCP/3/DHCP_NORESOURCES: Failed to apply filtering rules for DHCP
Example packets because hardware resources are insufficient.
The system failed to apply filtering rules for DHCP packets because the
Explanation hardware resources are insufficient.
Recommended Release hardware resources and then apply the rules again.
action

322
Security level: Secret

DHCPR
This section contains DHCP relay agent messages.

DHCPR_SERVERCHANGE
Switched to the server at [IPADDR] because the current server did not
Message text respond.

Variable fields $1: IP address of the DHCP server.


Severity level 3
DHCPR/3/DHCPR_SERVERCHANGE: -MDC=1;
Example Switched to the server at 2.2.2.2 because the current server did not
respond.
The DHCP relay agent did not receive any responses from the current
Explanation DHCP server and switched to another DHCP server for IP address
acquisition.
Recommended action No action is required.

DHCPR_SWITCHMASTER
Message text Switched to the master DHCP server at [IPADDR].

Variable fields $1: IP address of the master DHCP server.


Severity level 3
DHCPR/3/DHCPR_SWITCHMASTER: -MDC=1;
Example
Switched to the master DHCP server at 2.2.2.2.
After a switchback delay time, the DHCP relay agent switched from a
Explanation backup DHCP server back to the master DHCP server for IP address
acquisition.
Recommended action No action is required.

323
Security level: Secret

DHCPS messages
This section contains DHCP server messages.

DHCPS_ALLOCATE_IP
DHCP server received a DHCP client's request packet on interface [STRING],
Message text and allocated an IP address [IPADDR](lease [UINT32] seconds) for the DHCP
client(MAC [MAC]) from [STRING] pool.
$1: Name of the interface on which DHCP server is configured.
$2: IPv4 address assigned to the DHCP client.
Variable fields $3: Lease duration of the assigned IPv4 address.
$4: MAC address of the DHCP client.
$5: Name of the address pool to which the assigned IPv4 address belongs.
Severity level 5
DHCPS/5/DHCPS_ALLOCATE_IP: DHCP server received a DHCP client’s
request packet on interface Ethernet0/2, and allocated an IP address
Example 1.0.0.91(lease 86400 seconds) for the DHCP client(MAC 0000-0000-905a) from
p1 pool.
Explanation The DHCP server assigned an IPv4 address with a lease to a DHCP client.
Recommended No action is required.
action

DHCPS_CONFLICT_IP
A conflict IP [IPADDR] from [STRING] pool was detected by DHCP server on
Message text interface [STRING].
$1: IPv4 address that is in conflict.
Variable fields $2: Name of the address pool to which the conflicting IPv4 address belongs.
$3: Name of the interface on which DHCP server is configured.
Severity level 5
DHCPS/5/DHCPS_CONFLICT_IP: A conflict IP 100.1.1.1 from p1 pool was
Example detected by DHCP server on interface Ethernet0/2.
Explanation The DHCP server deleted a conflicting IPv4 address from an address pool.
Recommended No action is required.
action

324
Security level: Secret

DHCPS_EXTEND_IP
DHCP server received a DHCP client's request packet on interface [STRING],
Message text and extended lease from [STRING] pool for the DHCP client (IP [IPADDR], MAC
[MAC]).
$1: Name of the interface on which DHCP server is configured.
$2: Name of the address pool to which the client's IPv4 address belongs.
Variable fields
$3: IPv4 address of the DHCP client.
$4: MAC address of the DHCP client.
Severity level 5
DHCPS/5/DHCPS_EXTEND_IP: DHCP server received a DHCP client’s
Example request packet on interface Ethernet0/2, and extended lease from p1 pool for
the DHCP client (IP 1.0.0.91, MAC 0000-0000-905a).
Explanation The DHCP server extended the lease for a DHCP client.
Recommended No action is required.
action

DHCPS_FILE
Message text Failed to save DHCP client information due to lack of storage resources.

Variable fields N/A


Severity level 4
DHCPS/4/DHCPS_FILE: Failed to save DHCP client information due to lack of
Example storage resources.
The DHCP server failed to back up DHCP bindings to the backup file due to lack
Explanation of storage resources.
Recommended Delete unnecessary files to release resources.
action

DHCPS_RECLAIM_IP
DHCP server reclaimed a [STRING] pool’s lease(IP [IPADDR], lease [UINT32]
Message text seconds), which is allocated for the DHCP client (MAC [MAC]).
$1: Name of the address pool to which the assigned IPv4 address belongs.
$2: IPv4 address assigned to the DHCP client.
Variable fields
$3: Lease duration of the assigned IPv4 address.
$4: MAC address of the DHCP client.
Severity level 5
DHCPS/5/DHCPS_RECLAIM_IP: DHCP server reclaimed a p1 pool’s lease(IP
Example 1.0.0.91, lease 86400 seconds), which is allocated for the DHCP client (MAC
0000-0000-905a).
Explanation The DHCP server reclaimed the IPv4 address assigned to a DHCP client.
Recommended No action is required.
action

325
Security level: Secret

DHCPS_VERIFY_CLASS
Message text Illegal DHCP client-PacketType=[STRING]-ClientAddress=[MAC];
$1: Type of the packet.
Variable fields
$2: Hardware address of the DHCP client.
Severity level 5
DHCPS/5/DHCPS_VERIFY_CLASS: Illegal DHCP client-PacketType=
Example DHCPDISCOVER-ClientAddress=0000-5e01-0104;
The DHCP server verified that the DHCP client was not on the user class
Explanation whitelist.
Recommended Check the validity of the DHCP client.
action

326
Security level: Secret

DHCPS6 messages
This section contains DHCPv6 server messages.

DHCPS6_ALLOCATE_ADDRESS
DHCPv6 server received a DHCPv6 client’s request packet on interface
Message text [STRING], and allocated an IPv6 address [IPADDR] (lease [UINT32] seconds)
for the DHCP client(DUID [HEX], IAID [HEX]) from [STRING] pool.
$1: Name of the interface on which DHCPv6 server is configured.
$2: IPv6 address assigned to the DHCPv6 client.
$3: Lease duration of the assigned IPv6 address.
Variable fields
$4: DUID of the DHCPv6 client.
$5: IAID of the DHCPv6 client.
$6: Name of the address pool to which the assigned IPv6 address belongs.
Severity level 5
DHCPS6/5/DHCPS6_ALLOCATE_ADDRESS: DHCPv6 server received a
DHCPv6 client’s request packet on interface Ethernet0/2, and allocated an IPv6
Example address 2000::3(lease 60 seconds) for the DHCP client(DUID
0001000118137c37b4b52facab5a, IAID 10b4b52f) from p1 pool.
Explanation The DHCPv6 server assigned an IPv6 address with a lease to a DHCPv6 client.
Recommended No action is required.
action

DHCPS6_ALLOCATE_PREFIX
DHCPv6 server received a DHCPv6 client’s request packet on interface
Message text [STRING], and allocated an IPv6 prefix [IPADDR] (lease [UINT32] seconds) for
the DHCP client(DUID [HEX], IAID [HEX]) from [STRING] pool.
$1: Name of the interface on which DHCPv6 server is configured.
$2: IPv6 prefix assigned to the DHCPv6 client.
$3: Lease duration of the assigned IPv6 prefix.
Variable fields
$4: DUID of the DHCPv6 client.
$5: IAID of the DHCPv6 client.
$6: Name of the address pool to which the assigned IPv6 prefix belongs.
Severity level 5
DHCPS6/5/DHCPS6_ALLOCATE_PREFIX: DHCPv6 server received a
DHCPv6 client’s request packet on interface Ethernet0/2, and allocated an IPv6
Example prefix 2000::(lease 60 seconds) for the DHCP client(DUID
0001000118137c37b4b52facab5a, IAID 10b4b52f) from p1 pool.
Explanation The DHCPv6 server assigned an IPv6 prefix with a lease to a DHCPv6 client.
Recommended No action is required.
action

327
Security level: Secret

DHCPS6_CONFLICT_ADDRESS
A conflict IPv6 address [IPADDR] from [STRING] pool was detected by DHCPv6
Message text server on interface [STRING].
$1: IPv6 address that is in conflict.
Variable fields $2: Name of the address pool to which the conflicting IPv6 address belongs.
$3: Name of the interface on which DHCPv6 server is configured.
Severity level 5
DHCPS6/5/DHCPS6_CONFLICT_ADDRESS: A conflict IPv6 address 33::1
Example from p1 pool was detected by DHCPv6 server on interface Ethernet0/2.
Explanation The DHCPv6 server deleted a conflicting IPv6 address from an address pool.
Recommended No action is required.
action

DHCPS6_EXTEND_ADDRESS
DHCPv6 server received a DHCP client’s request packet on interface [STRING],
Message text and extended lease from [STRING] pool for the DHCP client (IPv6 address
[IPADDR], DUID [HEX], IAID [HEX]).
$1: Name of the interface on which DHCPv6 server is configured.
$2: Name of the address pool to which the client's IPv6 address belongs.
Variable fields $3: IPv6 address of the DHCPv6 client.
$4: DUID of the DHCPv6 client.
$5: IAID of the DHCPv6 client.
Severity level 5
DHCPS6/5/DHCPS6_EXTEND_ADDRESS: DHCPv6 server received a DHCP
client’s request packet on interface Ethernet0/2, and extended lease from p1
Example pool for the DHCP client (IPv6 address 2000::3, DUID
0001000118137c37b4b52facab5a, IAID 10b4b52f).
Explanation The DHCPv6 server extended the address lease for a DHCPv6 client.
Recommended No action is required.
action

328
Security level: Secret

DHCPS6_EXTEND_PREFIX
DHCPv6 server received a DHCP client’s request packet on interface [STRING],
Message text and extended lease from [STRING] pool for the DHCP client (IPv6 prefix
[IPADDR], DUID [HEX], IAID [HEX]).
$1: Name of the interface on which DHCPv6 server is configured.
$2: Name of the address pool to which the client's IPv6 prefix belongs.
Variable fields $3: IPv6 prefix of the DHCPv6 client.
$4: DUID of the DHCPv6 client.
$5: IAID of the DHCPv6 client.
Severity level 5
DHCPS6/5/DHCPS6_EXTEND_PREFIX: DHCPv6 server received a DHCP
client’s request packet on interface Ethernet0/2, and extended lease from p1
Example pool for the DHCP client (IPv6 prefix 2000::, DUID
0001000118137c37b4b52facab5a, IAID 10b4b52f).
Explanation The DHCPv6 server extended the prefix lease for a DHCPv6 client.
Recommended No action is required.
action

DHCPS6_FILE
Message text Failed to save DHCP client information due to lack of storage resources.

Variable fields N/A


Severity level 4
DHCPS6/4/DHCPS6_FILE: Failed to save DHCP client information due to lack
Example of storage resources.
The DHCPv6 server failed to back up DHCPv6 bindings to the backup file due to
Explanation lack of storage resources.
Recommended Delete unnecessary files to release resources.
action

329
Security level: Secret

DHCPS6_RECLAIM_ADDRESS
DHCPv6 server reclaimed a [STRING] pool's lease(IPv6 address [IPADDR],
Message text lease [UINT32] seconds), which is allocated for the DHCPv6 client (DUID [HEX],
IAID [HEX]).
$1: Name of the address pool to which the assigned IPv6 address belongs.
$2: IPv6 address assigned to the DHCPv6 client.
Variable fields $3: Lease duration of the assigned IPv6 address.
$4: DUID of the DHCPv6 client.
$5: IAID of the DHCPv6 client.
Severity level 5
DHCPS6/5/DHCPS6_RECLAIM_ADDRESS: DHCPv6 server reclaimed a p1
Example pool’s lease(IPv6 address 2000::3, lease 60 seconds), which is allocated for the
DHCPv6 client (DUID 0001000118137c37b4b52facab5a, IAID 10b4b52f).
Explanation The DHCPv6 server reclaimed the IPv6 address assigned to a DHCPv6 client.
Recommended No action is required.
action

DHCPS6_RECLAIM_PREFIX
DHCPv6 server reclaimed a [STRING] pool’s lease(IPv6 prefix [IPADDR], lease
Message text [INTEGER] seconds), which is allocated for the DHCPv6 client (DUID [HEX],
IAID [HEX]).
$1: Name of the address pool to which the assigned IPv6 prefix belongs.
$2: IPv6 prefix assigned to the DHCPv6 client.
Variable fields $3: Lease duration of the assigned IPv6 prefix.
$4: DUID of the DHCPv6 client.
$5: IAID of the DHCPv6 client.
Severity level 5
DHCPS6/5/DHCPS6_RECLAIM_PREFIX: DHCPv6 server reclaimed a p1
Example pool’s lease(IPv6 prefix 2000::, lease 60 seconds), which is allocated for the
DHCPv6 client (DUID 0001000118137c37b4b52facab5a, IAID 10b4b52f).
Explanation The DHCPv6 server reclaimed the IPv6 prefix assigned to a DHCPv6 client.
Recommended No action is required.
action

330
Security level: Secret

DHCPSP4
This section contains DHCP snooping messages.

DHCPSP4_FILE
Message text Failed to save DHCP client information due to lack of storage resources.

Variable fields N/A


Severity level 4
DHCPSP4/4/DHCPSP4_FILE: Failed to save DHCP client information due to
Example lack of storage resources.
The DHCP snooping device failed to back up DHCP snooping entries to the
Explanation backup file due to lack of storage resources.
Recommended Delete unnecessary files to release resources.
action

331
Security level: Secret

DHCPSP6
This section contains DHCPv6 snooping messages.

DHCPSP6_FILE
Message text Failed to save DHCP client information due to lack of storage resources.

Variable fields N/A


Severity level 4
DHCPSP6/4/DHCPSP6_FILE: Failed to save DHCP client information due to
Example lack of storage resources.
The DHCPv6 snooping device failed to back up DHCPv6 snooping entries to the
Explanation backup file due to lack of storage resources.
Recommended Delete unnecessary files to release resources.
action

332
Security level: Secret

DIAG messages
This section contains diagnostic messages.

333
Security level: Secret

MEM_ALERT
system memory info:
total used free shared buffers cached
Mem: [ULONG] [ULONG] [ULONG] [ULONG] [ULONG] [ULONG]
Message text
-/+ buffers/cache: [ULONG] [ULONG]
Swap: [ULONG] [ULONG] [ULONG]
Lowmem: [ULONG] [ULONG] [ULONG]
• Mem—Memory information of the whole system:
 $1: Total size of allocatable physical memory. The system physical
memory contains allocatable physical memory and unallocatable physical
memory. Unallocatable physical memory is mainly used for kernel code
storage, kernel management, and running of basic functions. Allocatable
physical memory is used for such tasks as running service modules and
storing files. The size of unallocatable physical memory is automatically
calculated based on the system operation requirements. The size of
allocatable physical memory is the total physical memory size minus the
unallocatable physical memory size.
 $2: Size of the physical memory used by the system.
 $3: Size of free physical memory of the system.
 $4: Total size of physical memory shared by processes.
 $5: Size of physical memory used for buffers.
Variable fields  $6: Size of physical memory used for caches.
• -/+ buffers/cache—Memory usage information of applications:
 $7: -/+ Buffers/Cache:used = Mem:Used – Mem:Buffers – Mem:Cached,
which indicates the size of physical memory used by applications.
 $8: -/+ Buffers/Cache:free = Mem:Free + Mem:Buffers + Mem:Cached,
which indicates the size of physical memory available for applications.
• Swap—Swap memory usage information:
 $9: Total size of swap memory.
 $10: Size of used swap memory.
 $11: Size of free swap memory.
• Lowmem—Low memory usage information:
 $12: Total size of low memory.
 $13: Size of used low memory.
 $14: Size of free low memory.
Severity level 4
DIAG/4/MEM_ALERT:
system memory info:
total used free shared buffers cached
Example Mem: 1784424 920896 863528 0 0 35400
-/+ buffers/cache: 885496 898928
Swap: 0 0 0
Lowmem: 735848 637896 97952
A memory alarm was generated, displaying memory usage information.
Explanation The system generates this message when the used memory is greater than or
equal to the minor, severe, or critical threshold of memory usage.

334
Security level: Secret

You can perform the following tasks to help remove the alarm:
• Verify that appropriate alarm thresholds are set. To view the alarm thresholds,
use the display memory-threshold command. Then you can use the
Recommended memory-threshold command to modify the alarm thresholds if required.
action • Verify that the device is not under attack by checking the ARP table and
routing table.
• Examine and optimize the network, for example, reduce the number of
routes, or replace the device with a higher-performance device.

MEM_BELOW_THRESHOLD
Message text Memory usage has dropped below [STRING] threshold.

Variable fields $1: Memory usage threshold name: minor, severe, or critical.
Severity level 1
DIAG/1/MEM_BELOW_THRESHOLD: Memory usage has dropped below critical
Example threshold.
A memory alarm was removed. The message is sent when the system free
Explanation memory is greater than a memory alarm recovery threshold.
Recommended action No action is required.

MEM_EXCEED_THRESHOLD
Message text Memory [STRING] threshold has been exceeded.

Variable fields $1: Memory usage threshold name: minor, severe, or critical.
Severity level 1
DIAG/1/MEM_EXCEED_THRESHOLD: Memory minor threshold has been
Example exceeded.
A memory alarm was notified.
When the used memory size is greater than or equal to the minor, severe, or
Explanation critical threshold of memory usage, the system generates this message and
notifies services modules to perform auto repair, such as releasing memory and
stopping requesting memory.
You can perform the following tasks to help remove the alarm:
• Verify that appropriate alarm thresholds are set. To view the alarm thresholds,
use the display memory-threshold command. Then you can use the
Recommended memory-threshold command to modify the alarm thresholds if required.
action • Verify that the device is not under attack by checking the ARP table and
routing table.
• Examine and optimize the network, for example, reduce the number of routes
or replace the device with a higher-performance device.

335
Security level: Secret

DLDP messages
This section contains DLDP messages.

DLDP_AUTHENTICATION_FAILED
The DLDP packet failed the authentication because of unmatched [STRING]
Message text field.
$1: Authentication field.
• AUTHENTICATION PASSWORD—Authentication password mismatch.
Variable fields • AUTHENTICATION TYPE—Authentication type mismatch.
• INTERVAL—Advertisement interval mismatch.

Severity level 5
DLDP/5/DLDP_AUTHENTICATION_FAILED: The DLDP packet failed the
Example authentication because of unmatched INTERVAL field.

The packet authentication failed. Possible reasons include unmatched


Explanation authentication type, unmatched authentication password, and unmatched
advertisement interval.

Recommended Check the DLDP authentication type, authentication password, and


action advertisement interval are consistent with peer end.

DLDP_LINK_BIDIRECTIONAL
Message text DLDP detected a bidirectional link on interface [STRING].

Variable fields $1: Interface name.

Severity level 6
DLDP/6/DLDP_LINK_BIDIRECTIONAL: DLDP detected a bidirectional link on
Example interface Ethernet1/1.

Explanation DLDP detected a bidirectional link on an interface.

Recommended No action is required.


action

336
Security level: Secret

DLDP_LINK_SHUTMODECHG
DLDP automatically [STRING] interface [STRING] because the port shutdown
Message text mode was changed [STRING].
$1: Action according to the port shutdown mode:
 blocked.
 brought up.
$2: Interface name.
Variable fields $3: Shutdown mode change:
 from manual to auto.
 from manual to hybrid.
 from hybrid to auto.
 from hybrid to manual.

Severity level 5
DLDP/5/DLDP_LINK_SHUTMODECHG: DLDP automatically blocked interface
Example Ethernet1/1 because the port shutdown mode was changed from manual to
auto.
The interface was shut down or brought up because the shutdown mode
Explanation changed.

Recommended No action is required.


action

DLDP_LINK_UNIDIRECTIONAL
Message text DLDP detected a unidirectional link on interface [STRING]. [STRING].
$1: Interface name.
$2: Action according to the port shutdown mode:
• DLDP automatically blocked the interface.
Variable fields
• Please manually shut down the interface.
• DLDP automatically shut down the interface. Please manually bring up the
interface.

Severity level 3
DLDP/3/DLDP_LINK_UNIDIRECTIONAL: DLDP detected a unidirectional link
Example on interface Ethernet1/1. DLDP automatically blocked the interface.

Explanation DLDP detected a unidirectional link on an interface.

Recommended Check for incorrect cable connection, cable falloff, or other problems.
action

337
Security level: Secret

DLDP_NEIGHBOR_AGED
A neighbor on interface [STRING] was deleted because the neighbor was aged.
Message text The neighbor's system MAC is [MAC], and the port index is [UINT16].
$1: Interface name.
Variable fields $2: MAC address.
$3: Port index.

Severity level 5
DLDP/5/DLDP_NEIGHBOR_AGED: A neighbor on interface Ethernet1/1 was
Example deleted because the neighbor was aged. The neighbor's system MAC is
000f-e269-5f21, and the port index is 1.

Explanation The interface deleted an aged neighbor.

Recommended No action is required.


action

DLDP_NEIGHBOR_CONFIRMED
A neighbor was confirmed on interface [STRING]. The neighbor's system MAC
Message text is [MAC], and the port index is [UINT16].
$1: Interface name.
Variable fields $2: MAC address.
$3: Port index.

Severity level 6
DLDP/6/DLDP_NEIGHBOR_CONFIRMED: A neighbor was confirmed on
Example interface Ethernet1/1. The neighbor's system MAC is 000f-e269-5f21, and the
port index is 1.

Explanation The interface detected a confirmed neighbor.

Recommended No action is required.


action

338
Security level: Secret

DLDP_NEIGHBOR_DELETED
A neighbor on interface [STRING] was deleted because a [STRING] packet
Message text arrived. The neighbor's system MAC is [MAC], and the port index is [UINT16].
$1: Interface name.
$2: Packet type, DISABLE or LINKDOWN.
Variable fields
$3: MAC address.
$4: Port index.

Severity level 5
DLDP/5/DLDP_NEIGHBOR_DELETED: A neighbor on interface Ethernet1/1
Example was deleted because a DISABLE packet arrived. The neighbor's system MAC is
000f-e269-5f21, and the port index is 1.

The interface deleted a confirmed neighbor because it received a DISABLE or


Explanation LINKDOWN packet.

Recommended No action is required.


action

339
Security level: Secret

DOT1X messages
This section contains 802.1X messages.

DOT1X_NOTENOUGH_EADFREEIP_RES
Failed to assign a rule for free IP [IPADDR] on interface [STRING] due to lack of
Message text ACL resources.
$1: Free IP.
Variable fields
$2: Interface type and number.
Severity level 3
DOT1X/3/DOT1X_NOTENOUGH_EADFREEIP_RES: Failed to assign a rule
Example for free IP 1.1.1.0 on interface Ethernet3/1/2 due to lack of ACL resources.
The device failed to assign an ACL rule to permit a free IP on an interface
Explanation because of ACL resource shortage.
Recommended No action is required.
action

DOT1X_NOTENOUGH_EADFREERULE_RES
Failed to assign a rule for permitting DHCP and DNS packets on interface
Message text [STRING] due to lack of ACL resources.

Variable fields $1: Interface type and number.


Severity level 3
DOT1X/3/DOT1X_NOTENOUGH_EADFREERULE_RES: Failed to assign a
Example rule for permitting DHCP and DNS packets on interface Ethernet3/1/2 due to
lack of ACL resources.
The device failed to assign an ACL rule to permit DHCP and DNS packets on an
Explanation interface because of ACL resource shortage.
Recommended No action is required.
action

340
Security level: Secret

DOT1X_NOTENOUGH_EADPORTREDIR_RES
Failed to assign a rule for redirecting HTTP packets on interface [STRING] due
Message text to lack of ACL resources.

Variable fields $1: Interface type and number.


Severity level 3
DOT1X/3/DOT1X_NOTENOUGH_EADPORTREDIR_RES: Failed to assign a
Example rule for redirecting HTTP packets on interface Ethernet3/1/2 due to lack of ACL
resources.
The device failed to assign an ACL rule to redirect HTTP packets on an
Explanation interface because of ACL resource shortage.
Recommended No action is required.
action

DOT1X_NOTENOUGH_EADMACREDIR_RES
Failed to assign a rule for redirecting HTTP packets with source MAC address
Message text [MAC] on interface [STRING].
$1: Source MAC address of HTTP packets.
Variable fields
$2: Interface type and number.
Severity level 3
DOT1X/3/DOT1X_NOTENOUGH_EADMACREDIR_RES: Failed to assign a
Example rule for redirecting HTTP packets with source MAC address 00e0-fc00-5915 on
interface Ethernet3/1/2.
The device failed to redirect HTTP packet with the designated source MAC on
Explanation an interface because of ACL resource shortage.
Recommended No action is required.
action

DOT1X_NOTENOUGH_ENABLEDOT1X_RES
Message text Failed to enable 802.1X on interface [STRING] due to lack of ACL resources.

Variable fields $1: Interface type and number.


Severity level 3
DOT1X/3/DOT1X_NOTENOUGH_ENABLEDOT1X_RES: Failed to enable
Example 802.1X on interface Ethernet3/1/2 due to lack of ACL resources.
Explanation Failed to enable 802.1X on an interface because of ACL resource shortage.
Recommended Disable 802.1X on the interface, and then re-enable 802.1X.
action

341
Security level: Secret

DOT1X_UNICAST_NOT_EFFECTIVE
Message text The unicast trigger feature is enabled but is not effective on interface [STRING].

Variable fields $1: Interface type and number.


Severity level 3
DOT1X/3/DOT1X_UNICAST_NOT_EFFECTIVE: The unicast trigger feature is
Example enabled but is not effective on interface Ethernet3/1/2.
The unicast trigger setting does not take effect on an interface, because the
Explanation interface does not support unicast trigger.
3. Reconnect the 802.1X clients to another interface that supports the unicast
Recommended trigger feature.
action 4. Enable the unicast trigger feature on the new interface.

DOT1X_SMARTON_FAILURE
-IfName=[STRING]-MACAddr=[STRING]; User failed SmartOn authentication because
Message text [STRING].
$1: Interface type and number.
$2: MAC address.
Variable
$3: Cause of failure:
fields
• the password is mismathced.
• the switch ID is mismatched.
Severity level 6
DOT1X/6/DOT1X_SMARTON_FAILURE:-IfName=GigabitEthernet1/0/4-MACAddr=0010-
Example 8400-22b9; User failed SmartOn authentication because the password is mismatched.
Explanation SmartOn authentication failed for a specific reason.
Recommend Handle the problem according to the failure cause.
ed action

342
Security level: Secret

DOT1X_LOGIN_FAILURE
Message -IfName=[STRING]-MACAddr=[STRING]-VLANID=[STRING]-Username=[STRING]; User
text failed 802.1X authentication.
$1: Interface type and number.
Variable $2: MAC address.
fields $3: VLAN ID.
$4: Username.
Severity 6
level
DOT1X/6/DOT1X_LOGIN_FAILURE:-IfName=GigabitEthernet1/0/4-MACAddr=0010-8400-2
Example 2b9-VLANID=444-Username=aaa; User failed 802.1X authentication.
Explanatio The user failed 802.1X authentication.
n
Recomme
nded Locate the failure cause and handle the problem according to the failure cause.
action

DOT1X_LOGIN_SUCC
Message -IfName=[STRING]-MACAddr=[STRING]-VLANID=[STRING]-Username=[STRING]; User
text passed 802.1X authentication and came online.
$1: Interface type and number.
Variable $2: MAC address.
fields $3: VLAN ID.
$4: Username.
Severity 6
level
DOT1X/6/DOT1X_LOGIN_SUCC:-IfName=GigabitEthernet1/0/4-MACAddr=0010-8400-22b
Example 9-VLANID=444-Username=aaa; User passed 802.1X authentication and came online.
Explanatio The user passed 802.1X authentication.
n
Recomme
nded No action is required.
action

343
Security level: Secret

DOT1X_LOGOFF
Message -IfName=[STRING]-MACAddr=[STRING]-VLANID=[STRING]-Username=[STRING]-ErrCode
text =[STRING]; 802.1X user was logged off.
$1: Interface type and number.
$2: MAC address.
Variable $3: VLAN ID.
fields
$4: Username.
$5: Error code.
Severity 6
level
DOT1X/6/DOT1X_LOGOFF:-IfName=GigabitEthernet1/0/4-MACAddr=0010-8400-22b9-VLA
Example NID=444-Username=aaa-ErrCode=11; 802.1X user was logged off.
Explanatio The 802.1X user was logged off.
n
Recomme
Locate the logoff cause and remove the problem. If the logoff was requested by the user, no
nded action is required.
action

344
Security level: Secret

EDEV messages
This section contains messages for extended-device management.

EDEV_FAILOVER_GROUP_STATE_CHANGE
Status of stateful failover group [STRING] with ID [UINT32] changed to
Message text [STRING].
$1: Failover group name.
Variable fields $2: Failover group ID.
$3: Failover group state.

Severity level 5
EDEV/5/EDEV_FAILOVER_GROUP_STATE_CHANGE: -MDC=1; Status of
Example stateful failover group 123 with ID 0 changed to primary.

Explanation The status of a failover group changed.

Recommended No action is required.


action

345
Security level: Secret

ERPS messages
This section contains ERPS messages.

ERPS_FSM_CHANGED
Message text Ethernet ring [UINT16] instance [UINT16] changed state to [STRING]
$1: ERPS ring ID.
Variable fields $2: ERPS instance ID.
$3: ERPS instance status.

Severity level 6
ERPS/4/ERPS_STATE_CHANGED: Ethernet ring 1 instance 1 changed state
Example to Idle.

Explanation The status of the ERPS instance changed.

Recommended No action is required.


action

346
Security level: Secret

ETHOAM messages
This section contains Ethernet OAM messages.

ETHOAM_CONNECTION_FAIL_DOWN
The link is down on interface [string] because a remote failure occurred on peer
Message text interface.

Variable fields $1: Interface name.

Severity level 5
ETHOAM/5/ETHOAM_OAM_LINK_DOWN: The link is down on interface
Example Ethernet1/0/1 because a remote failure occurred on peer interface.

Explanation The link goes down because a remote failure occurred on the peer interface.

Recommended Check the link status or the OAM status on the peer.
action

ETHOAM_CONNECTION_FAIL_TIMEOUT
Interface [string] removed the OAM connection because it received no
Message text Information OAMPDU before the timer times out.

Variable fields $1: Interface name.

Severity level 5
ETHOAM/5/ETHOAM_CONNECTION_FAIL_TIMEOUT: Interface
Example Ethernet1/0/1 removed the OAM connection because it received no Information
OAMPDU before the timer times out.

The interface removed the OAM connection because it had not received
Explanation Information OAMPDUs before the timer timed out.

Recommended Check the link status or the OAM status on the peer.
action

347
Security level: Secret

ETHOAM_CONNECTION_FAIL_UNSATISF
Interface [string] failed to establish an OAM connection because the peer
Message text doesn’t match the capacity of the local interface.

Variable fields $1: Interface name.

Severity level 3
ETHOAM/3/ETHOAM_CONNECTION_FAIL_UNSATISF: Interface
Example Ethernet1/0/1 failed to establish an OAM connection because the peer doesn’t
match the capacity of the local interface.
Failed to establish an OAM connection because the peer does not match the
Explanation OAM protocol state of the local interface.

Recommended Check the State field of the OAMPDUs sent from both ends.
action

ETHOAM_CONNECTION_SUCCEED
Message text An OAM connection is established on interface [string].

Variable fields $1: Interface name.

Severity level 6
ETHOAM/6/ETHOAM_CONNECTION_SUCCEED: An OAM connection is
Example established on interface Ethernet1/0/1.

Explanation An OAM connection is established.

Recommended No action is required.


action

ETHOAM_DISABLE
Message text Ethernet OAM is now disabled on interface [string].

Variable fields $1: Interface name.

Severity level 6
ETHOAM/6/ETHOAM_DISABLE: Ethernet OAM is now disabled on interface
Example Ethernet1/0/1.

Explanation Ethernet OAM is disabled.

Recommended No action is required.


action

348
Security level: Secret

ETHOAM_DISCOVERY_EXIT
Message text OAM interface [string] quit the OAM connection.

Variable fields $1: Interface name.

Severity level 5
ETHOAM/5/ ETHOAM_DISCOVERY_EXIT: OAM interface Ethernet1/0/1 quit
Example the OAM connection.

Explanation The local interface ended the OAM connection.

Recommended No action is required.


action

ETHOAM_ENABLE
Message text Ethernet OAM is now enabled on interface [string].

Variable fields $1: Interface name.

Severity level 6
ETHOAM/6/ETHOAM_ENABLE: Ethernet OAM is now enabled on interface
Example Ethernet1/0/1.

Explanation Ethernet OAM is enabled.

Recommended No action is required.


action

ETHOAM_ENTER_LOOPBACK_CTRLLED
The local OAM entity enters remote loopback as controlled DTE on OAM
Message text interface [string].

Variable fields $1: Interface name.

Severity level 6
ETHOAM/6/ ETHOAM_ENTER_LOOPBACK_CTRLLED: The local OAM entity
Example enters remote loopback as controlled DTE on OAM interface Ethernet1/0/1.
The local OAM entity enters remote loopback as controlled DTE after you
Explanation enable OAM loopback on the peer end.

Recommended No action is required.


action

349
Security level: Secret

ETHOAM_ENTER_LOOPBACK_CTRLLING
The local OAM entity enters remote loopback as controlling DTE on OAM
Message text interface [string].

Variable fields $1: Interface name.

Severity level 6
ETHOAM/6/ ETHOAM_ENTER_LOOPBACK_CTRLLING: The local OAM
Example entity enters remote loopback as controlling DTE on OAM interface
Ethernet1/0/1.
The local OAM entity enters remote loopback as controlling DTE after you
Explanation enable OAM loopback on the interface.

Recommended No action is required.


action

ETHOAM_LOCAL_DYING_GASP
Message text A local Dying Gasp event has occurred on [string].

Variable fields $1: Interface name.

Severity level 4
ETHOAM/4/ETHOAM_LOCAL_DYING_GASP: A local Dying Gasp event
Example occurred on interface Ethernet1/0/1.
A local Dying Gasp event occurs when you reboot the local device or shut down
Explanation the interface.

Recommended Do not use the link until it recovers.


action

ETHOAM_LOCAL_ERROR_FRAME
Message text An errored frame event occurred on local interface [string].

Variable fields $1: Interface name.

Severity level 6
ETHOAM/6/ETHOAM_LOCAL_ERROR_FRAME: An errored frame event
Example occurred on local interface Ethernet1/0/1.

Explanation An errored frame event occurred on the local interface.

Recommended Check the link between the local and peer ends.
action

350
Security level: Secret

ETHOAM_LOCAL_ERROR_FRAME_PERIOD
Message text An errored frame period event occurred on local interface [string].

Variable fields $1: Interface name.

Severity level 6
ETHOAM/6/ETHOAM_LOCAL_ERROR_FRAME_PERIOD: An errored frame
Example period event occurred on local interface Ethernet1/0/1.

Explanation An errored frame period event occurred on the local interface.

Recommended Check the link between the local and peer ends.
action

ETHOAM_LOCAL_ERROR_FRAME_SECOND
Message text An errored frame seconds event occurred on local interface [string].

Variable fields $1: Interface name.

Severity level 6
ETHOAM/6/ETHOAM_LOCAL_ERROR_FRAME_SECOND: An errored frame
Example seconds event occurred on local interface Ethernet1/0/1.

Explanation An errored frame seconds event occurred on the local interface.

Recommended Check the link between the local and peer ends.
action

ETHOAM_LOCAL_LINK_FAULT
Message text A local Link Fault event occurred on interface [string].

Variable fields $1: Interface name.

Severity level 4
ETHOAM/4/ETHOAM_LOCAL_LINK_FAULT: A local Link Fault event occurred
Example on interface Ethernet1/0/1.

Explanation A local Link Fault event occurred when the local link goes down.

Recommended Re-connect the Rx end of the fiber on the local interface.


action

351
Security level: Secret

ETHOAM_LOOPBACK_EXIT
Message text OAM interface [string] quit remote loopback.

Variable fields $1: Interface name.

Severity level 4
ETHOAM/4/ETHOAM_LOOPBACK_EXIT: OAM interface Ethernet1/0/1 quit
Example remote loopback.
The OAM interface ended remote loopback after remote loopback was disabled
Explanation on the interface and the OAM connection was torn down.

Recommended No action is required.


action

ETHOAM_LOOPBACK_EXIT_ERROR_STATU
OAM interface [string] quit remote loopback due to incorrect multiplexer or
Message text parser status.

Variable fields $1: Interface name.

Severity level 6
ETHOAM/6/ETHOAM_LOOPBACK_EXIT_ERROR_STATU: OAM interface
Example Ethernet1/0/1 quit remote loopback due to incorrect multiplexer or parser status.
OAM interface Ethernet1/0/1 ended remote loopback due to incorrect
Explanation multiplexer or parser status.

Recommended Disable and then re-enable Ethernet OAM on the OAM entity.
action

ETHOAM_LOOPBACK_NO_RESOURCE
Message text OAM interface [string] can’t enter remote loopback due to insufficient resources.

Variable fields $1: Interface name.

Severity level 4
ETHOAM/4/ETHOAM_LOOPBACK_NO_RESOURCE: OAM interface
Example Ethernet1/0/1 can’t enter remote loopback due to insufficient resources.

The OAM interface cannot enter remote loopback due to insufficient resources
Explanation when you execute the oam remote-loopback start command on the local or
remote OAM entity.
To enable remote loopback on an interface, you must set the hardware
forwarding resources on the interface. Enabling remote loopback on a large
Recommended number of interfaces might cause insufficient resources. Disable remote
action loopback on other interfaces, and execute the oam remote-loopback start
command on the interface again.

352
Security level: Secret

ETHOAM_LOOPBACK_NOT_SUPPORT
OAM interface [string] can’t enter remote loopback because the operation is not
Message text supported.

Variable fields $1: Interface name.

Severity level 4
ETHOAM/4/ETHOAM_LOOPBACK_NOT_SUPPORT: OAM interface
Example Ethernet1/0/1 can't enter remote loopback because the operation is not
supported.
The OAM interface cannot enter remote loopback because the operation is not
Explanation supported on the device.

Recommended No action is required.


action

ETHOAM_QUIT_LOOPBACK_CTRLLED
The local OAM entity quit remote loopback as controlled DTE on OAM interface
Message text [string].

Variable fields $1: Interface name.

Severity level 6
ETHOAM/6/ ETHOAM_QUIT_LOOPBACK_CTRLLED: The local OAM entity
Example quit remote loopback as controlled DTE on OAM interface Ethernet1/0/1.

As the Loopback Control OAMPDUs receiving end, the local end quit remote
Explanation loopback after you disabled OAM loopback on the peer end.

Recommended No action is required.


action

ETHOAM_QUIT_LOOPBACK_CTRLLING
The local OAM entity quit remote loopback as controlling DTE on OAM interface
Message text [string].

Variable fields $1: Interface name.

Severity level 6
ETHOAM/6/ETHOAM_QUIT_LOOPBACK_CONTROLLING: The local OAM
Example entity quit remote loopback as controlling DTE on OAM interface Ethernet1/0/1.

The local end quit remote loopback after you disabled OAM loopback on the
Explanation local interface.

Recommended No action is required.


action

353
Security level: Secret

ETHOAM_REMOTE_CRITICAL
Message text A remote Critical event occurred on interface [string].

Variable fields $1: Interface name.

Severity level 4
ETHOAM/4/ETHOAM_REMOTE_CRITICAL: A remote Critical event occurred
Example on interface Ethernet1/0/1.

Explanation A remote critical event occurred.

Recommended Do not use the link until it recovers.


action

ETHOAM_REMOTE_DYING_GASP
Message text A remote Dying Gasp event occurred on interface [string].

Variable fields $1: Interface name.

Severity level 4
ETHOAM/4/ETHOAM_REMOTE_DYING_GASP: A remote Dying Gasp event
Example occurred on interface Ethernet1/0/1.

A remote Dying Gasp event occurred when you reboot the remote device and
Explanation shut down the interface.

Recommended Do not use this link until it recovers.


action

ETHOAM_REMOTE_ERROR_FRAME
Message text An errored frame event occurred on the peer interface [string].

Variable fields $1: Interface name.

Severity level 6
ETHOAM/6/ETHOAM_REMOTE_ERROR_FRAME: An errored frame event
Example occurred on the peer interface Ethernet1/0/1.

Explanation An errored frame event occurred on the peer.

Recommended Check the link between the local and peer ends.
action

354
Security level: Secret

ETHOAM_REMOTE_ERROR_FRAME_PERIOD
Message text An errored frame period event occurred on the peer interface [string].

Variable fields $1: Interface name.

Severity level 6
ETHOAM/6/ETHOAM_REMOTE_ERROR_FRAME_PERIOD: An errored
Example frame period event occurred on the peer interface Ethernet1/0/1.

Explanation An errored frame period event occurred on the peer interface.

Recommended Check the link between the local and peer ends.
action

ETHOAM_REMOTE_ERROR_FRAME_SECON
D
Message text An errored frame seconds event occurred on the peer interface [string].

Variable fields $1: Interface name.

Severity level 6
ETHOAM/6/ETHOAM_REMOTE_ERROR_FRAME_SECOND: An errored
Example frame seconds event occurred on the peer interface Ethernet1/0/1.

Explanation An errored frame seconds event occurred on the peer.

Recommended Check the link between the local and peer ends.
action

ETHOAM_REMOTE_ERROR_SYMBOL
Message text An errored symbol event occurred on the peer interface [string].

Variable fields $1: Interface name.

Severity level 6
ETHOAM/6/ETHOAM_REMOTE_ERROR_SYMBOL: An errored symbol event
Example occurred on the peer interface Ethernet1/0/1.

Explanation An errored symbol event occurred on the peer.

Recommended Check the link between the local and peer ends.
action

355
Security level: Secret

ETHOAM_REMOTE_EXIT
OAM interface [string] quit OAM connection because Ethernet OAM is disabled
Message text on the peer interface.

Variable fields $1: Interface name.

Severity level 5
ETHOAM/5/ ETHOAM_REMOTE_EXIT: OAM interface Ethernet1/0/1 quit
Example OAM connection because Ethernet OAM is disabled on the peer interface.

The local interface ended the OAM connection because Ethernet OAM was
Explanation disabled on the peer interface.

Recommended No action is required.


action

ETHOAM_REMOTE_FAILURE_RECOVER
Message text Peer interface [string] recovered.

Variable fields $1: Interface name.

Severity level 5
ETHOAM/5/ ETHOAM_REMOTE_FAILURE_RECOVER: Peer interface
Example Ethernet1/0/1 recovered.
The Link fault was cleared from the peer interface and the OAM connection was
Explanation restored.

Recommended No action is required.


action

ETHOAM_REMOTE_LINK_FAULT
Message text A remote Link Fault event occurred on interface [string].

Variable fields $1: Interface name.

Severity level 4
ETHOAM/4/ETHOAM_REMOTE_LINK_FAULT: A remote Link Fault event
Example occurred on interface Ethernet1/0/1.

Explanation A remote Link Fault event occurred when the remote link went down.

Recommended Reconnect the Rx end of the fiber on the remote interface.


action

356
Security level: Secret

ETHOAM_NO_ENOUGH_RESOURCE
The configuration failed on OAM interface [string] because of insufficient
Message text resources.

Variable fields $1: Interface name.

Severity level 4
ETHOAM/4/ ETHOAM_NO_ENOUGH_RESOURCE: The configuration failed
Example on OAM interface Ethernet1/0/1 because of insufficient resources.

The configuration failed on the OAM interface because of insufficient system


Explanation resources.

Recommended Remove useless configurations to release the resources, and execute the
action command again.

ETHOAM_NOT_CONNECTION_TIMEOUT
Interface [string] quit Ethernet OAM because it received no Information
Message text OAMPDU before the timer times out.

Variable fields $1: Interface name.

Severity level 5
ETHOAM/5/ ETHOAM_NOT_CONNECTION_TIMEOUT: Interface
Example Ethernet1/0/1 quit Ethernet OAM because it received no Information OAMPDU
before the timer times out.

The local interface ended Ethernet OAM because it had not received
Explanation Information OAMPDUs before the timer timed out.

Recommended Check the link status and the OAM status on the peer.
action

357
Security level: Secret

EVB messages
This section contains EVB messages.

EVB_AGG_FAILED
Remove port [STRING] from aggregation group [STRING]. Otherwise, the EVB
Message text feature does not take effect.
$1: Port name.
Variable fields
$2: Aggregation port name.

Severity level 6
EVB/6/EVB_AGG_FAILED: Remove port GigabitEthernet5/0/5 from
Example aggregation group Bridge-Aggregation5. Otherwise, the EVB feature does not
take effect.

Explanation EVB bridge fails to process a port in an aggregation group.

Recommended Remove the port from the aggregation group.


action

EVB_LICENSE_EXPIRE
Message text The EVB feature's license will expire in [UINT32] days.

Variable fields $1: Number of days.

Severity level 6
EVB/6/EVB_LICENSE_EXPIRE: The EVB feature's license will expire in 15
Example days.

Explanation The license for EVB will expire in the specified number of days.

Recommended Purchase and register a new license for the EVB feature.
action

358
Security level: Secret

EVB_VSI_OFFLINE
Message text VSI [STRING] went offline.

Variable fields $1: VSI interface/VSI aggregate interface name.

Severity level 6

Example EVB/6/EVB_VSI_OFFLINE: VSI Schannel-Aggregation1:2.0 went offline.


The VSI interface or VSI aggregate interface is deleted when either of the
following events occurs:
Explanation • The EVB bridge receives a VDP packet from the EVB station.
• The EVB bridge has not received an acknowledgement after a VDP packet
times out.

Recommended No action is required.


action

EVB_VSI_ONLINE
Message text VSI [STRING] came online, status is [STRING].
$1: VSI interface/VSI aggregate interface name.
Variable fields
$2: VSI status.

Severity level 6
EVB/6/EVB_VSI_ONLINE: VSI Schannel-Aggregation1:2.0 came online, status
Example is association.
The EVB bridge receives a VDP packet and creates a VSI interface or VSI
Explanation aggregate interface successfully.

Recommended No action is required.


action

359
Security level: Secret

EVIISIS messages
This section contains EVI IS-IS messages.

EVIISIS_LICENSE_EXPIRED
Message text The EVIISIS feature is being disabled, because its license has expired.

Variable fields N/A


Severity level 3
EVIISIS/3/EVIISIS_LICENSE_EXPIRED: The EVIISIS feature is being disabled,
Example because its license has expired.
Explanation The EVI IS-IS license has expired.
Recommended Install a valid license for EVI IS-IS.
action

EVIISIS_LICENSE_EXPIRED_TIME
Message text The EVIISIS feature will be disabled in [ULONG] days.

Variable fields $1: Available period of the feature.


Severity level 5
EVIISIS/5/EVIISIS_LICENSE_EXPIRED_TIME: The EVIISIS feature will be
Example disabled in 2 days.
EVI IS-IS will be disabled because no EVI IS-IS license is available.
After an active/standby MPU switchover or IRF master/subordinate switchover,
Explanation
you can use EVI IS-IS only for 30 days if the new active MPU or master does not
have an EVI IS-IS license.
Recommended Install a valid license for EVI IS-IS.
action

EVIISIS_LICENSE_UNAVAILABLE
Message text The EVIISIS feature has no available license.

Variable fields N/A


Severity level 3
EVIISIS/3/EVIISIS_LICENSE_UNAVAILABLE: The EVIISIS feature has no
Example available license.
Explanation No license was found for EVI IS-IS when the EVI IS-IS process started.
Recommended Install a valid license for EVI IS-IS.
action

360
Security level: Secret

EVIISIS_NBR_CHG
EVIISIS [UINT32], [STRING] adjacency [STRING] ([STRING]), state changed
Message text to: [STRING].
$1: EVI IS-IS process ID.
$2: EVI IS-IS neighbor level.
$3: Neighbor system ID.
$4: Interface name.
Variable fields
$5: Adjacency state:
 up—Adjacency was set up.
 initializing—Neighbor state was initializing.
 down—Adjacency was lost.

Severity level 5
EVIISIS/5/EVIISIS_NBR_CHG: EVIISIS 1, Level-1 adjacency 0011.2200.1501
Example (Evi-Link0), state changed to: down.
Explanation The EVI IS-IS adjacency state changed on an interface.
When the adjacency with a neighbor changes to down or initializing on an
Recommended interface, check for EVI IS-IS configuration errors or loss of network
action connectivity.

361
Security level: Secret

FCLINK messages
This section contains FC link messages.

FCLINK_FDISC_REJECT_NORESOURCE
VSAN [UINT16], Interface [STRING]: An FDISC was rejected because the
Message text hardware resource is not enough.
$1: VSAN ID.
Variable fields
$2: Interface name.
Severity level 4
FCLINK/4/FCLINK_FDISC_REJECT_NORESOURCE: VSAN 1, Interface
Example FC2/0/1: An FDISC was rejected because the hardware resource is not enough.
Explanation An FDISC is received when the hardware resources are insufficient.
Recommended Reduce the number of nodes.
action

FCLINK_FLOGI_REJECT_NORESOURCE
VSAN [UINT16], Interface [STRING]: An FLOGI was rejected because the
Message text hardware resource is not enough.
$1: VSAN ID.
Variable fields
$2: Interface name.
Severity level 4
FCLINK/4/FCLINK_FLOGI_REJECT_NORESOURCE: VSAN 1, Interface
Example FC2/0/1: An FLOGI was rejected because the hardware resource is not enough.
Explanation An FLOGI is received when the hardware resources are insufficient.
Recommended Reduce the number of nodes.
action

362
Security level: Secret

FCOE messages
This section contains FCoE messages.

FCOE_INTERFACE_NOTSUPPORT_FCOE
Because the aggregate interface [STRING] has been bound to a VFC interface,
Message text assigning the interface [STRING] that does not support FCoE to the aggregate
interface might cause incorrect processing.
$1: Aggregate interface name.
Variable fields
$2: Ethernet interface name.
Severity level 4
FCOE/4/FCOE_INTERFACE_NOTSUPPORT_FCOE: Because the aggregate
interface Bridge-Aggregation 1 has been bound to a VFC interface, assigning
Example the interface Ten-GigabitEthernet 2/0/1 that does not support FCoE to the
aggregate interface might cause incorrect processing.
This message is generated when an interface that does not support FCoE is
Explanation assigned to an aggregate interface that has been bound to a VFC interface.
Recommended Assign an interface that supports FCoE to the aggregate interface, or remove
action the binding from the VFC interface.

FCOE_LAGG_BIND_ACTIVE
The binding between aggregate interface [STRING] and the VFC interface
Message text takes effect again, because the member port is unbound from its bound VFC
interface or removed from the aggregate interface.

Variable fields $1: Aggregate interface name.


Severity level 4
FCOE/4/FCOE_LAGG_BIND_ACTIVE: The binding between aggregate
interface Bridge-Aggregation1 and the VFC interface takes effect again,
Example because the member port is unbound from its bound VFC interface or removed
from the aggregate interface.
This message is generated when a member port of an aggregate interface is
Explanation unbound from its bound VFC interface or removed from the aggregate interface.
Recommended No action is required.
action

363
Security level: Secret

FCOE_LAGG_BIND_DEACTIVE
The binding between aggregate interface [STRING] and the VFC interface is no
Message text longer in effect, because the new member port has been bound to a VFC
interface.

Variable fields $1: Aggregate interface name.


Severity level 4
FCOE/4/FCOE_LAGG_BIND_DEACTIVE: The binding between aggregate
Example interface Bridge-Aggregation1 and the VFC interface is no longer in effect,
because the new member port has been bound to a VFC interface.
This message is generated when a new member port of an aggregate interface
Explanation has been bound to a VFC interface.
Recommended No action is required.
action

364
Security level: Secret

FCZONE messages
This section contains FC zone messages.

FCZONE_HARDZONE_DISABLED
-VSAN=[UINT16]: No enough hardware resource for zone rule, switched to soft
Message text zoning.

Variable fields $1: VSAN ID.


Severity level 4
FCZONE/4/FCZONE_HARDZONE_DISABLED: -VSAN=2: No enough
Example hardware resource for zone rule, switched to soft zoning.
Explanation Insufficient hardware resources.
Recommended Activate a smaller zone set.
action

FCZONE_HARDZONE_ENABLED
-VSAN=[UINT16]: Hardware resource for zone rule is restored, switched to hard
Message text zoning.

Variable fields $1: VSAN ID.


Severity level 6
FCZONE/6/FCZONE_HARDZONE_ENABLED: -VSAN=2: Hardware resource
Example for zone rule is restored, switched to hard zoning.
Hard zoning is enabled in a VSAN because the hardware resources are
Explanation restored.
Recommended No action is required.
action

365
Security level: Secret

FCZONE_ISOLATE_NEIGHBOR
-VSAN=[UINT16]; All the E ports connected to a neighbor were isolated
Message text because of merge failure, and the neighbor’s switch WWN is [STRING].
$1: VSAN ID.
Variable fields
$2: Neighbor's switch WWN.
Severity level 4
FCZONE/4/FCZONE_ISOLATE_NEIGHBOR: -VSAN=2; All the E ports
Example connected to a neighbor were isolated because of merge failure, and the
neighbor’s switch WWN is 10:00:00:11:22:00:0d:01.
All E_Ports connected to a neighbor were isolated because a merge operation
Explanation with the neighbor failed.
To resolve the problem:
1. Use the display current-configuration command on the local switch and
the neighbor switch to view their zoning configurations.
Recommended
2. Modify those noncompliant configurations on both switches to be
action compliant with merge rules.
3. Execute the shutdown and undo shutdown command sequence on
those isolated E_Ports to trigger a new merge operation.

FCZONE_ISOLATE_ALLNEIGHBOR
-VSAN=[UINT16]; The E ports connected to all neighbors were isolated,
Message text because the length of the locally generated MR packet exceeded the limit.

Variable fields $1: VSAN ID.


Severity level 4
FCZONE/4/FCZONE_ISOLATE_ALLNEIGHBOR: -VSAN=2; The E ports
Example connected to all neighbors were isolated, because the length of the locally
generated MR packet exceeded the limit.
E_Ports connected to all neighbors were isolated because the length of the
Explanation locally generated MR packet exceeded the limit.
To resolve the problem:
1. Use the display current-configuration command on the local switch to
view the zoning configuration.
2. Delete unnecessary zoning configuration of the active zone set.
Recommended 3. Execute the shutdown and undo shutdown command sequence on
action those isolated E_Ports to trigger a new merge operation.
Or
4. Activate a smaller zone set.
5. Execute the shutdown and undo shutdown command sequence on
those isolated E_Ports to trigger a new merge operation.

366
Security level: Secret

FCZONE_ISOLATE_CLEAR_VSAN
Message text -Interface=[STRING]-VSAN=[UINT16]; Isolation status was cleared.
$1: Interface name.
Variable fields
$2: VSAN ID.
Severity level 6
FCZONE/6/FCZONE_ISOLATE_CLEAR_VSAN: -Interface=Fc1/0/1-VSAN=2;
Example Isolation status was cleared.
Explanation The isolation status of an interface was cleared in a VSAN.
Recommended No action is required.
action

FCZONE_ISOLATE_CLEAR_ALLVSAN
Message text -Interface=[STRING]; Isolation status was cleared in all supported VSANs.

Variable fields $1: Interface name.


Severity level 6
FCZONE/6/FCZONE_ISOLATE_CLEAR_ALLVSAN: -Interface=Fc1/0/1;
Example Isolation status was cleared in all supported VSANs.
Explanation The isolation status of an interface was cleared in all supported VSANs.
Recommended No action is required.
action

367
Security level: Secret

FCZONE_DISTRIBUTE_FAILED
-VSAN=[UINT16]; Zone distribution failed. The zoning configurations might
Message text consequently be inconsistent across the fabric.

Variable fields $1: VSAN ID.


Severity level 4
FCZONE/4/FCZONE_DISTRIBUTE_FAILED: -VSAN=2; Zone distribution
Example failed. The zoning configurations might consequently be inconsistent across the
fabric.
A distribution operation failed. Consequently, the zoning configurations might be
Explanation inconsistent across the fabric.
To resolve the problem if the distribution operation is triggered by using the
zoneset activate command:
1. Verify that the contents of the active zone set are consistent on all switches
by using the display current-configuration command.
2. Reactivate the zone set and distribute it to the entire fabric by using the
zoneset activate command.
To resolve the problem if the distribution operation is triggered by using the
zoneset distribute command:
3. Verify that the contents of the active zone set and zone database are
Recommended consistent on all switches by using the display current-configuration
action command.
4. Trigger a new complete distribution by using the zoneset distribute
command.
To resolve the problem if the distribution operation is triggered by a zoning
mode switchover:
5. Verify that the zoning mode is the same on all switches by using the
display zone status command.
6. Trigger a new complete distribution by using the zoneset distribute
command.

368
Security level: Secret

FIB messages
This section contains FIB messages.

FIB_FILE
Message text Failed to save the IP forwarding table due to lack of storage resources.

Variable fields N/A


Severity level 4
FIB/4/FILE: -MDC=1; Failed to save the IP forwarding table due to lack of
Example storage resources.
Explanation Failed to save the IP forwarding table due to lack of storage resources.
Recommended Delete unused files to release storage space.
action

369
Security level: Secret

FILTER messages
This section contains filter messages.

FILTER_EXECUTION_ICMP
RcvIfName(1023)=[STRING];Direction(1070)=[STRING];AclType(1067)=[STRI
NG];Acl(1068)=[STRING];Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPADD
Message text R];DstIPAddr(1007)=[IPADDR];IcmpType(1062)=[STRING]([UINT16]);IcmpCo
de(1063)=[UINT16];MatchAclCount(1069)=[UINT32];Event(1048)=[STRING];
$1: Receiving interface name.
$2: Direction.
$3: ACL type.
$4: ACL number or name.
$5: Layer 4 protocol name.
Variable fields $6: Source IP address.
$7: Destination IP address.
$8: ICMP message type.
$9: ICMP message code.
$10: Match count.
$11: Event information.
Severity level 6
FILTER/6/FILTER_EXECUTION_ICMP:
RcvIfName(1023)=GigabitEthernet2/0/2;Direction(1067)=inbound;AclType(106
Example 4)=ACL;Acl(1065)=3000;Protocol(1001)=ICMP;SrcIPAddr(1003)=100.1.1.1;Dst
IPAddr(1007)=200.1.1.1;IcmpType(1059)=Echo(8);IcmpCode(1060)=0;MatchA
clCount(1066)=1000;Event(1048)=Permit;
ICMP packets matched the packet filter. This message is sent when the first
Explanation ICMP packet of a flow matches the packet filter, and it will be sent regularly for
the flow.
Recommended No action is required.
action

370
Security level: Secret

FILTER_EXECUTION_ICMPV6
RcvIfName(1023)=[STRING];Direction(1070)=[STRING];AclType(1067)=[STRI
NG];Acl(1068)=[STRING];Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[IPAD
Message text DR];DstIPv6Addr(1037)=[IPADDR];Icmpv6Type(1064)=[STRING]([UINT16]);Ic
mpv6Code(1065)=[UINT16];MatchAclCount(1069)=[UINT32];Event(1048)=[ST
RING];
$1: Receiving interface name.
$2: Direction.
$3: ACL type.
$4: ACL number or name.
$5: Layer 4 protocol name.
Variable fields $6: Source IPv6 address.
$7: Destination IPv6 address.
$8: ICMPv6 message type.
$9: ICMPv6 message code.
$10: Match count.
$11: Event information.
Severity level 6
FILTER/6/FILTER_EXECUTION_ICMPV6:
RcvIfName(1023)=GigabitEthernet2/0/2;Direction(1067)=inbound;AclType(106
Example 4)=ACL;Acl(1065)=3000;Protocol(1001)=ICMPV6;SrcIPv6Addr(1036)=2001::1;
DstIPv6Addr(1037)=3001::1;Icmpv6Type(1064)=Echo(128);Icmpv6Code(1065
)=0;MatchAclCount(1066)=1000;Event(1048)=Permit;
ICMPv6 packets matched the packet filter. This message is sent when the first
Explanation ICMPv6 packet of a flow matches the packet filter, and it will be sent regularly for
the flow.
Recommended No action is required.
action

371
Security level: Secret

FILTER_IPV4_EXECUTION
RcvIfName(1023)=[STRING];Direction(1070)=[STRING];AclType(1067)=[STRI
NG];Acl(1068)=[STRING];Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPADD
Message text R];SrcPort(1004)=[UINT16];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT1
6];MatchAclCount(1069)=[UINT32];Event(1048)=[STRING];
$1: Receiving interface name.
$2: Direction.
$3: ACL type.
$4: ACL number or name.
$5: Layer 4 protocol name.
Variable fields $6: Source IP address.
$7: Source port.
$8: Destination IP address.
$9: Destination port number.
$10: Match count.
$11: Event information.
Severity level 6
FILTER/6/FILTER_IPV4_EXECUTION:
RcvIfName(1023)=GigabitEthernet2/0/2;Direction(1070)=inbound;AclType(106
Example 7)=ACL;Acl(1068)=3000;Protocol(1001)=TCP;SrcIPAddr(1003)=100.1.1.1;Src
Port(1004)=1025;DstIPAddr(1007)=200.1.1.1;DstPort(1008)=1026;MatchAclCo
unt(1069)=1000;Event(1048)=Permit;
Packets other than ICMP packets matched the packet filter. This message is
Explanation sent when the first packet of a flow matches the packet filter, and it will be sent
regularly for the flow.
Recommended No action is required.
action

372
Security level: Secret

FILTER_IPV6_EXECUTION
RcvIfName(1023)=[STRING];Direction(1070)=[STRING];AclType(1067)=[STRI
NG];Acl(1068)=[STRING];Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[IPAD
Message text DR];SrcPort(1004)=[UINT16];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UI
NT16];MatchAclCount(1069)=[UINT32];Event(1048)=[STRING];
$1: Receiving interface name.
$2: Direction.
$3: ACL type.
$4: ACL number or name.
$5: Layer 4 protocol name.
Variable fields $6: Source IPv6 address.
$7: Source port number.
$8: Destination IPv6 address.
$9: Destination port number.
$10: Match count.
$11: Event information.
Severity level 6
FILTER/6/FILTER_IPV6_EXECUTION:
RcvIfName(1023)=GigabitEthernet2/0/2;Direction(1070)=inbound;AclType(106
Example 7)=ACL;Acl(1068)=3000;Protocol(1001)=TCP;SrcIPv6Addr(1036)=2001::1;Src
Port(1004)=1025;DstIPv6Addr(1037)=3001::1;DstPort(1008)=1026;MatchAclC
ount(1069)=1000;Event(1048)=Permit;
Packets other than ICMPv6 packets matched the packet filter. This message is
Explanation sent when the first packet of a flow matches the packet filter, and it will be sent
regularly for the flow.
Recommended No action is required.
action

373
Security level: Secret

FIPS messages
This section contains FIP snooping messages.

FCOE_FIPS_HARD_RESOURCE_NOENOUGH
Message text No enough hardware resource for FIP snooping rule.

Variable fields N/A


Severity level 4
FIPS/4/FCOE_FIPS_HARD_RESOURCE_NOENOUGH: No enough hardware
Example resource for FIP snooping rule.
Explanation Hardware resources are insufficient.
Recommended No action is required.
action

FCOE_FIPS_HARD_RESOURCE_RESTORE
Message text Hardware resource for FIP snooping rule is restored.

Variable fields N/A


Severity level 6
FIPS/6/FCOE_FIPS_HARD_RESOURCE_RESTORE: Hardware resource for
Example FIP snooping is restored.
Explanation Hardware resources for FIP snooping rules are restored.
Recommended No action is required.
action

374
Security level: Secret

FTPD messages
This section contains File Transfer Protocol daemon messages.

FTP_ACL_DENY
The FTP Connection [IPADDR]([STRING]) request was denied according to ACL
Message text rules.
$1: IP address of the FTP client.
Variable fields
$2: VPN instance to which the IP address of the FTP client belongs.

Severity level 5
FTP/5/FTP_ACL_DENY: The FTP Connection 1.2.3.4(vpn1) request was denied
Example according to ACL rules.

Explanation The ACL for controlling FTP access denied the access request of an FTP client.

Recommended No action is required.


action

FTPD_REACH_SESSION_LIMIT
FTP client [STRING] failed to log in. The current number of FTP sessions is
Message text [NUMBER]. The maximum number allowed is ([NUMBER]).
$1: IP address of the FTP client.
Variable fields $2: Current number of FTP sessions.
$3: Maximum number of FTP sessions allowed by the device.

Severity level 6
FTPD/6/FTPD_REACH_SESSION_LIMIT: FTP client 1.1.1.1 failed to log in. The
Example current number of FTP sessions is 10. The maximum number allowed (10).

Explanation The number of FTP connections reached the limit.


1. Use the display current-configuration | include session-limit command
to view the current limit for FTP connections. If the command does not
Recommended display the limit, the device is using the default setting.
action 2. If you want to set a greater limit, execute the aaa session-limit command. If
you think the limit is proper, no action is required.

375
Security level: Secret

HA messages
This section contains HA messages.

HA_BATCHBACKUP_FINISHED
Message text Batch backup of standby board in [STRING] has finished.

Variable fields $1: MPU location.

Severity level 5
HA/5/HA_BATCHBACKUP_FINISHED: Batch backup of standby board in
Example chassis 0 slot 1 has finished.

Explanation Batch backup from the active MPU to the standby MPU has finished.

Recommended No action is required.


action

HA_BATCHBACKUP_STARTED
Message text Batch backup of standby board in [STRING] started.

Variable fields $1: MPU location.

Severity level 5
HA/5/HA_BATCHBACKUP_STARTED: Batch backup of standby board in
Example chassis 0 slot 1 started.

Explanation Batch backup from the active MPU to the standby MPU has started.

Recommended No action is required.


action

HA_STANDBY_NOT_READY
Message text Standby board in [STRING] is not ready, reboot ...

Variable fields $1: MPU location.

Severity level 4
HA/4/HA_STANDBY_NOT_READY: Standby board in chassis 0 slot 1 is not
Example ready, reboot ...
This message appears on the standby MPU. When batch backup is not
Explanation complete on the standby MPU, performing active and standby MPU switchover
results in restart of the active and standby MPUs.

Recommended Do not perform active and standby MPU switchover before batch backup is
action complete on the standby MPU.

376
Security level: Secret

HA_STANDBY_TO_MASTER
Message text Standby board in [STRING] changed to the master.

Variable fields $1: MPU location.

Severity level 5
HA/5/HA_STANDBY_TO_MASTER: Standby board in chassis 0 slot 1 changed
Example to the master.
An active and standby MPU switchover occurs. The standby MPU changed to
Explanation active.

Recommended No action is required.


action

377
Security level: Secret

HQOS messages
This section contains HQoS messages.

HQOS_DP_SET_FAIL
Message text Failed to set drop profile [STRING] globally.

Variable fields $1: Drop profile name.


Severity level 4
Example HQOS/4/HQOS_DP_SET_FAIL: Failed to set drop profile b globally.
The system failed to perform one of the following actions:
Explanation • Apply a drop profile globally.
• Modify a drop profile applied globally.
Recommended Check the drop profile settings.
action

HQOS_FP_SET_FAIL
Message text Failed to set [STRING] in forwarding profile [STRING] globally.
$1: Policy type:
• gts.
• bandwidth.
Variable fields • queue.
• drop profile.
$2: Forwarding profile name.
Severity level 4
Example HQOS/4/HQOS_FP_SET_FAIL: Failed to set gts in forwarding profile b globally.
The system failed to perform one of the following actions:
Explanation • Apply a forwarding profile globally.
• Modify a forwarding profile applied globally.
Recommended Examine the forwarding profile, and make sure it is supported and has no
action conflicted contents.

378
Security level: Secret

HQOS_POLICY_APPLY_FAIL
Failed to apply some forwarding classes or forwarding groups in scheduler policy
Message text [STRING] to the [STRING] direction of interface [STRING].
$1: Scheduler policy name.
Variable fields $2: Policy direction: inbound or outbound.
$3: Interface name.
Severity level 4
HQOS/4/HQOS_POLICY_APPLY_FAIL: Failed to apply some forwarding classes
Example or forwarding groups in scheduler policy b to the inbound direction of interface
Ethernet3/1/2.
The system failed to perform one of the following actions:
Explanation • Apply a scheduler policy to a specific direction of an interface.
• Modify a scheduler policy applied to a specific direction of an interface.
Use the display qos scheduler-policy diagnosis interface command to identify
Recommended the nodes that failed to be applied and the failure causes, and modify the running
action configuration.

HQOS_POLICY_APPLY_FAIL
Failed to recover scheduler policy [STRING] to the [STRING] direction of interface
Message text [STRING] due to [STRING].
$1: Scheduler policy name.
$2: Policy direction: inbound or outbound.
Variable fields
$3: Interface name.
$4: Cause.
Severity level 4
HQOS/4/HQOS_POLICY_RECOVER_FAIL: Failed to recover scheduler policy b
Example to the outbound direction of interface Ethernet3/1/2 due to conflicting with QoS
configuration.
The system failed to recover an applied scheduler policy after the card or device
Explanation rebooted, because the scheduler policy conflicted with the QoS configuration on
the interface.
Recommended Check the scheduler policy configuration according to the failure cause.
action

379
Security level: Secret

HTTPD messages
This section contains HTTP daemon messages.

HTTPD_CONNECT
Message text [STRING] client [STRING] connected to the server successfully.
$1: Connection type, HTTP or HTTPS.
Variable fields
$2: Client IP address.

Severity level 6
HTTPD/6/HTTPD_CONNECT: HTTP client 192.168.30.117 connected to the
Example server successfully.
The HTTP or HTTPS server accepted the request from a client. An HTTP or
Explanation HTTPS connection was set up.

Recommended No action is required.


action

HTTPD_CONNECT_TIMEOUT
Message text [STRING] client [STRING] connection idle timeout.
$1: Connection type, HTTP or HTTPS.
Variable fields
$2: Client IP address.

Severity level 6
HTTPD/6/HTTPD_CONNECT_TIMEOUT: HTTP client 192.168.30.117
Example connection to server idle timeout.
An HTTP or HTTPS connection was disconnected because the idle timeout timer
Explanation expires.

Recommended No action is required.


action

380
Security level: Secret

HTTPD_DISCONNECT
Message text [STRING] client [STRING] disconnected from the server.
$1: Connection type, HTTP or HTTPS.
Variable fields
$2: Client IP address.

Severity level 6
HTTPD/6/HTTPD_DISCONNECT: HTTP client 192.168.30.117 disconnected
Example from the server.

Explanation An HTTP or HTTPS client was disconnected from the server.

Recommended No action is required.


action

HTTPD_FAIL_FOR_ACL
[STRING] client [STRING] failed the ACL check and could not connect to the
Message text server.
$1: Connection type, HTTP or HTTPS.
Variable fields
$2: Client IP address.

Severity level 6
HTTPD/6/HTTPD_FAIL_FOR_ACL: HTTP client 192.168.30.117 failed the ACL
Example check and cannot connect to the server.

Explanation An HTTP or HTTPS client was filtered by the ACL.

Recommended No action is required.


action

HTTPD_FAIL_FOR_ACP
[STRING] client [STRING] was denied by the certificate access control policy and
Message text could not connect to the server.
$1: Connection type, HTTP or HTTPS.
Variable fields
$2: Client IP address.

Severity level 6
HTTPD/6/HTTPD_FAIL_FOR_ACP: HTTP client 192.168.30.117 was denied by
Example the certificate attribute access control policy and could not connect to the server.

Explanation An HTTP or HTTPS client was denied by the certificate access control policy.

Recommended No action is required.


action

381
Security level: Secret

HTTPD_REACH_CONNECT_LIMIT
[STRING] client [STRING] failed to connect to the server, because the number of
Message text connections reached the upper limit.
$1: Connection type, HTTP or HTTPS.
Variable fields
$2: Client IP address.

Severity level 6
HTTPD/6/HTTPD_REACH_CONNECT_LIMIT: HTTP client 192.168.30.117 failed
Example to connect to the server, because the number of connections reached the upper
limit.

Explanation The number of connections reached the limit.


1. Use the display current-configuration | include session-limit command to
view the current limit for connections of the specified type. If the command
Recommended does not display the limit, the device is using the default setting.
action 2. If you want to specify a greater limit, execute the aaa session-limit
command. If you think the limit is proper, no action is required.

382
Security level: Secret

IFNET messages
This section contains interface management messages.

IF_BUFFER_CONGESTION_OCCURRENCE
Message text [STRING] congestion occurs on queue [INTEGER] of [STRING].
$1: Data buffer type: ingress (for receive data buffer) or egress (for transmit data
buffer).
Variable fields $2: Queue ID in the range of 0 to 7.
$3: Interface name.
Severity level 4
IFNET/4/IF_BUFFER_CONGESTION_OCCURRENCE: Ingress congestion
Example occurs on queue 1 of GigabitEthernet1/0/1.
On queue 1 of GigabitEthernet 1/0/1, congestion occurs in the receive data
Explanation buffer.
Recommended Examine the network status.
action

IF_BUFFER_CONGESTION_CLEAR
[STRING] congestion on queue [UINT32] of [STRING] is cleared. [UINT64]
Message text packets are discarded.
$1: Data buffer type: ingress (for receive data buffer) or egress (for transmit data
buffer).
Variable fields $2: Queue ID in the range of 0 to 7.
$3: Interface name.
$4: Number of packets dropped.
Severity level 5
IFNET/5/IF_BUFFER_CONGESTION_CLEAR: Ingress congestion on queue 1
Example of GigabitEthernet1/0/1 is cleared. 1000 packets are discarded.
On queue 1 of GigabitEthernet 1/0/1, congestion in the receive data buffer is
Explanation removed. 1000 packets are dropped.
Recommended No action is required.
action

383
Security level: Secret

INTERFACE_NOTSUPPRESSED
Message text Interface [STRING] is not suppressed.

Variable fields $1: Interface name.


Severity level 6
IFNET/6/INTERFACE_NOTSUPPRESSED: Interface Ethernet0/0/0 is not
Example suppressed.
The interface changed from suppressed state to unsuppressed state. When the
Explanation interface is unsuppressed, the upper-layer services can detect the physical
state changes of the interface.
Recommended No action is required.
action

INTERFACE_SUPPRESSED
Message text Interface [STRING] was suppressed.

Variable fields $1: Interface name.


Severity level 5
IFNET/5/INTERFACE_SUPPRESSED: Interface Ethernet0/0/0 was
Example suppressed.
The interface was suppressed because its state frequently changed. When the
Explanation interface is suppressed, the upper-layer services cannot detect the physical
state changes of the interface.
1. Check whether the network cable of the interface or peer interface is
Recommended frequently plugged and unplugged.
action 2. Configure physical state change suppression to adjust the suppression
parameters.

LINK_UPDOWN
Message text Line protocol state on the interface [STRING] changed to [STRING].
$1: Interface name.
Variable fields
$2: State of link layer protocol, which can be up or down.
Severity level 5
IFNET/5/LINK_UPDOWN: Line protocol state on the interface Ethernet0/0
Example changed to down.
Explanation The link layer protocol state changed on an interface.
When the link layer protocol state of an interface is down, use the display
Recommended interface command to display the link layer protocol state and locate the reason
action for which the link layer protocol state changed to down on the interface.

384
Security level: Secret

PHY_UPDOWN
Message text Physical state on the interface [STRING] changed to [STRING].
$1: Interface name.
Variable fields
$2: Link state, which can be up or down.
Severity level 3
Example IFNET/3/PHY_UPDOWN: Physical state on the Ethernet0/0 changed to down.
Explanation The physical state changed on an interface.
Recommended When the interface is physically down, check whether a physical link is present
action or whether the link fails.

PROTOCOL_UPDOWN
Message text Protocol [STRING] state on the interface [STRING] changed to [STRING].
$1: Protocol name.
Variable fields $2: Interface name.
$3: Protocol state, which can be up or down.
Severity level 5
IFNET/5/PROTOCOL_UPDOWN: Protocol IPX state on the interface
Example Ethernet6/4/1 changed to up.
Explanation The state of a protocol has been changed on an interface.
Recommended When the state of a network layer protocol is down, check the network layer
action protocol configuration.

VLAN_MODE_CHANGE
Message text Dynamic VLAN [INT32] has changed to a static VLAN.

Variable fields $1: VLAN ID.


Severity level 5
IFNET/5/VLAN_MODE_CHANGE: Dynamic VLAN 20 has changed to a static
Example VLAN.
Creating a VLAN interface for a VLAN cause the dynamic VLAN to become a
Explanation static VLAN.
Recommended No action is required.
action

385
Security level: Secret

IKE messages
This section contains IKE messages.

IKE_P1_SA_ESTABLISH_FAIL
Failed to establish phase 1 SA for the reason of [STRING]. The SA's source
Message text address is [STRING], and its destination address is [STRING].
$1: no matching proposal | invalid ID information | unavailable certificate |
unsupported DOI | unsupported situation | invalid proposal syntax | invalid SPI |
invalid protocol ID | invalid certificate | authentication failure | invalid message
header | invalid transform ID | malformed payload | retransmission timeout |
Variable fields incorrect configuration.
$2: Source address.
$3: Destination address.
Severity level 6
IKE/6/IKE_P1_SA_ESTABLISH_FAIL: Failed to establish phase 1 SA for the
Example reason of no matching proposal. The SA’s source address is 1.1.1.1 and its
destination address is 2.2.2.2.
Explanation An IKE SA cannot be established in phase 1. The failure reason is displayed.
Recommended Check the IKE configuration on the local and remote devices.
action

IKE_P2_SA_ESTABLISH_FAIL
Failed to establish phase 2 SA for the reason of [STRING]. The SA's source
Message text address is [STRING], and its destination address is [STRING].
$1: invalid key information | invalid ID information | unavailable proposal |
unsupported DOI | unsupported situation | invalid proposal syntax | invalid SPI |
invalid protocol ID | invalid hash information | invalid message header |
Variable fields malformed payload | retransmission timeout | incorrect configuration.
$2: Source address.
$3: Destination address.
Severity level 6
IKE/6/IKE_P2_SA_ESTABLISH_FAIL: Failed to establish phase 2 SA for the
Example reason of invalid key information. The SA’s source address is 1.1.1.1, and its
destination address is 2.2.2.2.
Explanation An IPsec SA cannot be established in phase 2. The failure reason is displayed.
Recommended Check the IKE and IPsec configurations on the local and remote devices.
action

386
Security level: Secret

IKE_P2_SA_TERMINATE
The IKE phase 2 SA was deleted for the reason of [STRING]. The SA's source
Message text address is [STRING], and its destination address is [STRING].

$1: Reason that the SA is deleted, which is SA expiration.


Variable fields $2: Source address.
$3: Destination address.

Severity level 6
IKE/6/IKE_P2_SA_TERMINATE: The IKE phase 2 SA was deleted for the
Example reason of SA expiration. The SA’s source address is 1.1.1.1, and its destination
address is 2.2.2.2.

Explanation An IPsec SA is deleted in phase 2 because it expires.

Recommended No action is required.


action

387
Security level: Secret

IPSEC messages
This section contains IPsec messages.

IPSEC_FAILED_ADD_FLOW_TABLE
Message text Failed to add flow-table due to [STRING].

Variable fields $1: Reason for the failure.

Severity level 4
IPSEC/4/IPSEC_FAILED_ADD_FLOW_TABLE: Failed to add flow-table due to
Example no enough resource.

Failed to add the flow table. Possible reasons include not enough hardware
Explanation resources.

Recommended If the failure is caused by not enough hardware resources, contact Hewlett
action Packard Enterprise Support.

IPSEC_PACKET_DISCARDED
IPsec packet discarded, Src IP:[STRING], Dst IP:[STRING], SPI:[UINT32],
Message text SN:[UINT32], Cause:[STRING].

$1: Source IP address.


$2: Destination IP address.
$3: Security parameter index (SPI).
$4: Sequence number of the packet.
$5: Reason for dropping this packet:
Variable fields  Anti-replay checking failed.
 AH authentication failed.
 ESP authentication failed.
 Invalid SA.
 ESP decryption failed.
 Source address of packet does not match the SA.
 No ACL rule matched.

Severity level 6
IPSEC/6/IPSEC_PACKET_DISCARDED: IPsec packet discarded, Src
Example IP:1.1.1.2, Dest IP:1.1.1.4, SPI:1002, SN:0, Cause:ah authentication failed
An IPsec packet is dropped. Possible reasons include anti-replay checking
Explanation failed, AH/ESP authentication failed, invalid SA, ESP decryption failed, source
address of packet does not match the SA, and no ACL rule matched.

Recommended No action is required.


action

388
Security level: Secret

IPSEC_SA_ESTABLISH
Established IPsec SA. The SA's source address is [STRING], destination
Message text address is [STRING], protocol is [STRING], and SPI is [UINT32].

$1: Source address.


$2: Destination address.
Variable fields
$3: Security protocol.
$4: SPI.

Severity level 6

IPSEC/6/IPSEC_SA_ESTABLISH: Established IPsec SA. The SA's source


Example address is 1.1.1.1, destination address is 2.2.2.2, protocol is AH, and SPI is
2435.

Explanation An IPsec SA is established.

Recommended No action is required.


action

IPSEC_SA_ESTABLISH_FAIL
Failed to establish IPsec SA for the reason of [STRING]. The SA's source
Message text address is [STRING], and its destination address is [STRING].

$1: Reason for the IPsec SA establishment failure:


 Tunnel establishment failure.
 Incomplete configuration.
Variable fields  Unavailable transform set.
$2: Source address.
$3: Destination address.

Severity level 6

IPSEC/6/IPSEC_SA_ESTABLISH_FAIL: Failed to establish IPsec SA for the


Example reason of creating tunnel failure. The SA’s source address is 1.1.1.1, and its
destination address is 2.2.2.2.

Failed to establish the IPsec SA. Possible reasons include creating tunnel
Explanation failure, incomplete configuration, and unavailable transform set.

Recommended Verify the IPsec configurations on the local and remote devices.
action

389
Security level: Secret

IPSEC_SA_INITINATION
Began to establish IPsec SA. The SA's source address is [STRING], and its
Message text destination address is [STRING].

$1: Source address.


Variable fields
$2: Destination address.

Severity level 6

IPSEC/6/IPSEC_SA_INITINATION: Began to establish IPsec SA. The SA's


Example source address is 1.1.1.1, and its destination address is 2.2.2.2.

Explanation An IPsec SA is to be established.

Recommended No action is required.


action

IPSEC_SA_TERMINATE
The IPsec SA was deleted for the reason of [STRING]. The SA's source
Message text address is [STRING], destination address is [STRING], protocol is [STRING],
and SPI is [UINT32].

$1: Reason for the IPsec SA removal:


 SA idle timeout.
 reset command executed.

Variable fields $2: Source address.


$3: Destination address.
$4: Security protocol.
$5: SPI.

Severity level 6

IPSEC/6/IPSEC_SA_TERMINATE: The IPsec SA was deleted for the reason of


Example SA idle timeout. The SA’s source address is 1.1.1.1, destination address is
2.2.2.2, protocol is ESP, and SPI is 34563.

An IPsec SA is deleted. Possible reasons include SA idle timeout and using the
Explanation reset command.

Recommended No action is required.


action

390
Security level: Secret

IPSG messages
This section contains IPSG messages.

IPSG_ADDENTRY_ERROR
Failed to add an IP source guard binding (IP [STRING], MAC [STRING], and
Message text VLAN [UINT16]) on interface [STRING]. [STRING].
$1: IP address. If you do not specify an IP address, this field displays N/A.
$2: MAC address. If you do not specify a MAC address, this field displays N/A.
$3: VLAN ID. If you do not specify a VLAN, this field displays 65535.
$4: Interface name. If you do not specify an interface, this field displays N/A.
Variable fields
$5: Failure reasons. Available options include:
 Feature not supported
 Resources not sufficient
 Unknown error
Severity level 6
IPSG/6/IPSG_ADDENTRY_ERROR: Failed to add an IP source guard binding
Example (IP 1.1.1.1, MAC 0001-0001-0001, and VLAN 1) on interface Vlan-interface1.
Resources not sufficient.
IPSG failed to issue a static or dynamic IPSG binding. The message is sent in
any of the following situations:
Explanation • The IPSG feature is not supported.
• The hardware resources are not sufficient for the operation.
• An unknown error occurs.
To resolve the problem, you can perform the following tasks:
• Clear the memory to release hardware resources when the failure is
Recommended caused by insufficient hardware resources.
action • Add the IPSG binding again if you are adding a static binding.
• Contact Hewlett Packard Enterprise Support if the failure is caused by an
unknown error.

391
Security level: Secret

IPSG_DELENTRY_ERROR
Failed to delete an IP source guard binding (IP [STRING], MAC [STRING], and
Message text VLAN [UINT16]) on interface [STRING]. [STRING].
$1: IP address. If you do not specify an IP address, this field displays N/A.
$2: MAC address. If you do not specify a MAC address, this field displays N/A.
$3: VLAN ID. If you do not specify a VLAN, this field displays 65535.
Variable fields $4: Interface name. If you do not specify an interface, this field displays N/A.
$5: Failure reason. Available options include:
 Feature not supported
 Unknown error
Severity level 6
IPSG/6/IPSG_DELENTRY_ERROR: Failed to delete an IP source guard
Example binding (IP 1.1.1.1, MAC 0001-0001-0001, and VLAN 1) on interface
Vlan-interface1. Unknown error.
IPSG failed to delete a global static IPSG binding. The message is sent in any of
the following situations:
Explanation • The IPSG feature is not supported.
• An unknown error occurs.
To resolve the problem, you can perform the following tasks:
Recommended • Delete the global static IPSG binding again.
action • Contact Hewlett Packard Enterprise Support if the failure is caused by an
unknown error.

392
Security level: Secret

IPSG_ADDEXCLUDEDVLAN_ERROR
Failed to add excluded VLANs (start VLAN [UINT16] to end VLAN [UINT16]).
Message text [STRING].
$1: Start VLAN ID of the VLAN range that has been configured to be excluded
from IPSG filtering.
$2: End VLAN ID of the VLAN range that has been configured to be excluded
from IPSG filtering.
Variable fields $3: Failure reasons. Available options include:
 Feature not supported
 Resources not sufficient
 Unknown error
Severity level 6
IPSG/6/IPSG_ADDEXCLUDEDVLAN_ERROR: -MDC=1-Slot=4; Failed to add
Example excluded VLANs (start VLAN 1 to end VLAN 5). Resources not sufficient.
IPSG failed to issue the specified excluded VLANs. The message is sent in any
of the following situations:
Explanation • Excluded VLANs are not supported.
• The hardware resources are not sufficient for the operation.
• An unknown error occurs.
To resolve the problem, you can perform the following tasks:
• Clear the memory to release hardware resources when the failure is
Recommended caused by insufficient hardware resources. Then configure the excluded
action VLANs again.
• Contact Hewlett Packard Enterprise Support if the failure is caused by an
unknown error.

393
Security level: Secret

IPSG_DELEXCLUDEDVLAN_ERROR
Failed to delete excluded VLANs (start VLAN [UINT16] to end VLAN [UINT16]).
Message text [STRING].
$1: Start VLAN ID of the VLAN range that has been configured to be excluded
from IPSG filtering.
$2: End VLAN ID of the VLAN range that has been configured to be excluded
from IPSG filtering.
Variable fields $3: Failure reasons. Available options include:
• Feature not supported
• Resources not sufficient
• Unknown error
Severity level 6
IPSG/6/IPSG_DELEXCLUDEDVLAN_ERROR: -MDC=1-Slot=4; Failed to
Example delete excluded VLANs (start VLAN 1 to end VLAN 5). Resources not sufficient.
IPSG failed to delete the specified excluded VLANs. The message is sent in any
of the following situations:
Explanation • Excluded VLANs are not supported.
• The hardware resources are not sufficient for the operation.
• An unknown error occurs.
To resolve the problem, you can perform the following tasks:
• Clear the memory to release hardware resources when the failure is
Recommended caused by insufficient hardware resources. Then delete the excluded
action VLANs again.
• Contact Hewlett Packard Enterprise Support if the failure is caused by an
unknown error.

394
Security level: Secret

IRDP messages
This section contains IRDP messages.

IRDP_EXCEED_ADVADDR_LIMIT
The number of advertisement addresses on interface [STRING] exceeded the
Message text limit 255.

Variable fields $1: Interface name.


Severity level 6
IRDP/6/IRDP_EXCEED_ADVADDR_LIMIT: The number of advertisement
Example addresses on interface Ethernet1/1/0/2 exceeded the limit 255.
The number of addresses to be advertised on an interface exceeds the upper
Explanation limit.
Recommended Remove unused addresses on the interface.
action

395
Security level: Secret

IRF
This section contains IRF messages.

IRF_LINK_BLOCK
Message text IRF port went blocked.

Variable fields N/A


Severity level 2
Example IRF/2/IRF_LINK_BLOCK: IRF port went blocked.
The IRF port was blocked. A blocked IRF port cannot send and receive service
packets, but it can send and receive IRF protocol packets. For example, this message
Explanation appears on the member device that has the lower priority when an IRF member ID
conflict is detected for member devices.
Recommended Check the IRF member ID on each member device for any conflict, and change the
action IRF member IDs of member devices to be unique.

IRF_LINK_DOWN
Message text IRF port went down.

Variable fields N/A


Severity level 3
Example IRF/3/IRF_LINK_DOWN: IRF port went down.
Explanation The IRF port went down.
Verify the following items:
Recommended • Network interfaces have been bound to the IRF port.
action
• The IRF network interfaces and the peer interfaces have Layer 2 connectivity.

IRF_LINK_UP
Message text IRF port came up.

Variable fields N/A


Severity level 6
Example IRF/6/IRF_LINK_UP: IRF port came up.
Explanation The IRF port came up.
Recommended No action is required.
action

396
Security level: Secret

IRF_MEMBERID_CONFLICT
IRF member ID conflict occurred. The ID [UINT32] has been used for another device
Message text with CPU-Mac: [STRING].
$1: IRF member ID of the device.
Variable fields
$2: CPU MAC address of the device.
Severity level 4
IRF/4/IRF_MEMBERID_CONFLICT:-slot = 5; IRF member ID conflict occurred, The
Example ID 5 has been used for another device with CPU-Mac: 000c-29d7-c1ae.
This message appears when the device detects that it has the same IRF member ID
Explanation as another device in the same broadcast domain.
Recommended Check the IRF member IDs and change the IRF member ID of a device. Make sure
action the member devices use unique member IDs.

IRF_MERGE
Message text IRF merge occurred.

Variable fields N/A


Severity level 4
Example IRF/4/IRF_MERGE: IRF merge occurred.
Explanation IRF merge occurred.
Recommended No action is required.
action

IRF_MERGE_NEED_REBOOT
Message text IRF merge occurred. This IRF system needs a reboot.

Variable fields N/A


Severity level 4
IRF/4/IRF_MERGE_NEED_REBOOT: IRF merge occurred. This IRF system needs a
Example reboot.
IRF merge occurred. This IRF fabric needs a reboot to complete the IRF merge
Explanation because the master of this IRF fabric failed the master election for IRF merge.
Recommended Reboot the IRF fabric to complete the IRF merge.
action

397
Security level: Secret

IRF_MERGE_NOT_NEED_REBOOT
Message text IRF merge occurred. This IRF system does not need to reboot.

Variable fields N/A


Severity level 5
IRF/5/IRF_MERGE_NOT_NEED_REBOOT: IRF merge occurred. This IRF system
Example does not need to reboot.
IRF merge occurred. This IRF fabric does not need to reboot because the master of
Explanation this IRF fabric won the master election for IRF merge.
Recommended No action is required.
action

398
Security level: Secret

ISIS messages
This section contains IS-IS messages.

ISIS_MEM_ALERT
Message text ISIS Process received system memory alert [STRING] event.

Variable fields $1: Type of the memory alarm.

Severity level 5
ISIS/5/ISIS_MEM_ALERT: ISIS Process received system memory alert start
Example event.

Explanation IS-IS received a memory alarm.

Recommended Check the system memory and release memory for the modules that occupy too
action many memory resources.

ISIS_NBR_CHG
Message text IS-IS [UINT32], [STRING] adjacency %s (%s), state changed to %s.
$1: IS-IS process ID.
$2: Neighbor level.
Variable fields $3: Neighbor ID.
$4: Interface name.
$5: Current adjacency state.

Severity level 5
ISIS/5/ISIS_NBR_CHG: IS-IS 1, Level-1 adjacency 0000.0000.8888
Example (Eth1/4/1/3), state changed to DOWN.

Explanation The IS-IS adjacency state changed on an interface.

Recommended When the adjacency with a neighbor changes to down on an interface, check
action for IS-IS configuration errors and loss of network connectivity.

399
Security level: Secret

ISSU messages
This section contains ISSU messages.

ISSU_ROLLBACKCHECKNORMAL
The rollback might not be able to restore the previous version for [STRING]
Message text because the status is not normal.

Variable fields $1: Slot number of an MPU, such as slot 1 or chassis 1 slot 2.
Severity level 4
ISSU/4/ISSU_ROLLBACKCHECKNORMAL: The rollback might not be able to
Example restore the previous version for chassis 1 slot 2 because the state is not normal.
While an ISSU was in switching state, a user executed the issu rollback
Explanation command or the ISSU automatic-rollback timer expired. However, the status of
the MPU was not normal.
Recommended No action is required.
action

ISSU_PROCESSWITCHOVER
Message text Switchover completed. The standby process became the active process.

Variable fields N/A


Severity level 5
ISSU/5/ISSU_PROCESSWITCHOVER: Switchover completed. The standby
Example process became the active process.
Explanation A user executed the issu run switchover command.
Recommended No action is required.
action

400
Security level: Secret

L2PT messages
This section contains L2PT messages.

L2PT_SET_MULTIMAC_FAILED
Message text Failed to set a tunnel destination MAC address to [MAC].

Variable fields $1: MAC address.


Severity level 4
L2PT/4/L2PT_SET_MULTIMAC_FAILED: Failed to set a tunnel destination
Example MAC address to 010f-e200-0003.
Explanation Failed to specify the destination multicast MAC address for tunneled packets.
Recommended No action is required.
action

L2PT_CREATE_TUNNELGROUP_FAILED
Message text Failed to create a VLAN tunnel group for [STRING].

Variable fields $1: Protocol name.


Severity level 4
L2PT/4/L2PT_CREATE_TUNNELGROUP_FAILED: Failed to create a VLAN
Example tunnel group for STP.
Explanation Failed to create a VLAN tunnel group for a protocol.
Recommended No action is required.
action

L2PT_ADD_GROUPMEMBER_FAILED
Message text Failed to add [STRING] as a member to the VLAN tunnel group for [STRING].
$1: Interface name.
Variable fields
$2: Protocol name.
Severity level 4
L2PT/4/L2PT_ADD_GROUPMEMBER_FAILED: Failed to add
Example GigabitEthernet2/0/1 as a member to the VLAN tunnel group for STP.
Explanation Failed to add an interface to a VLAN tunnel group for a protocol.
Recommended No action is required.
action

401
Security level: Secret

L2PT_ENABLE_DROP_FAILED
Message text Failed to enable [STRING] packet drop on [STRING].
$1: Protocol name.
Variable fields
$2: Interface name.
Severity level 4
L2PT/4/L2PT_ENABLE_DROP_FAILED: Failed to enable STP packet drop on
Example GigabitEthernet2/0/1.
Explanation Failed to enable L2PT drop for a protocol on an interface.
Recommended No action is required.
action

402
Security level: Secret

L2TP messages
This section contains L2TP messages.

L2TPV2_TUNNEL_EXCEED_LIMIT
Message text Number of L2TP tunnels exceeded the limit.

Variable fields N/A


Severity level 4
L2TPV2/4/L2TPV2_TUNNEL_EXCEED_LIMIT: Number of L2TP tunnels
Example exceeded the limit.
Explanation The number of established L2TP tunnels has reached the limit.
1. Perform one of the following tasks:
 Execute the reset l2tp tunnel command to disconnect an idle tunnel.
Recommended  Wait for the device to automatically disconnect an idle tunnel after the
action hello interval elapses.
2. If the problem persists, contact Hewlett Packard Enterprise Support.

L2TPV2_SESSION_EXCEED_LIMIT
Message text Number of L2TP sessions exceeded the limit.

Variable fields N/A


Severity level 4
L2TPV2/4/L2TPV2_SESSION_EXCEED_LIMIT: Number of L2TP sessions
Example exceeded the limit.
Explanation The number of established L2TP sessions has reached the limit.
Recommended No action is required.
action

403
Security level: Secret

L2VPN messages
This section contains L2VPN messages.

L2VPN_BGPVC_CONFLICT_LOCAL
Remote site ID [INT32] (From [STRING], route distinguisher [STRING])
Message text conflicts with local site.
$1: ID of a remote site.
Variable fields $2: IP address of the remote site.
$3: Route distinguisher of the remote site.
Severity level 5
L2VPN/5/L2VPN_BGPVC_CONFLICT_REMOTE: Remote site ID 1 (From
Example 1.1.1.1, route distinguisher 1:1) conflicts with local site.
A remote site ID conflicted with the local site ID. This message is generated
when one of the following situations occurs:
Explanation • The received remote site ID is the same as the local site ID.
• The local site ID is configured the same as a received remote site ID.
Recommended Modify the site ID configuration on the local device or remote device. Or,
action configure the remote site ID in a different VPLS instance than the local site ID.

L2VPN_BGPVC_CONFLICT_REMOTE
Remote site ID [INT32] (From [STRING], route distinguisher [STRING])
Message text conflicts with another remote site.
$1: ID of a remote site.
Variable fields $2: IP address of the remote site.
$3: Route distinguisher of the remote site.
Severity level 5
L2VPN/5/L2VPN_BGPVC_CONFLICT_REMOTE: Remote site ID 1 (From
Example 1.1.1.1, route distinguisher 1:1) conflicts with another remote site.
Two remote site IDs conflicted. This message is generated when the received
Explanation remote site ID is the same as another received remote site ID.
Recommended Modify the site ID configuration on one remote device. Or, configure the two
action remote site IDs in different VPLS instances.

404
Security level: Secret

L2VPN_HARD_RESOURCE_NOENOUGH
Message text No enough hardware resource for L2VPN.

Variable fields N/A


Severity level 4
L2VPN/4/L2VPN_HARD_RESOURCE_NOENOUGH: No enough hardware
Example resource for L2VPN.
Explanation Hardware resources for L2VPN were insufficient.
Recommended Check whether unnecessary VSIs, PWs, or ACs had been generated. If yes,
action delete them.

L2VPN_HARD_RESOURCE_RESTORE
Message text Hardware resources for L2VPN are restored.

Variable fields N/A


Severity level 6
L2VPN/6/L2VPN_HARD_RESOURCE_RESTORE: Hardware resources for
Example L2VPN are restored.
Explanation Hardware resources for L2VPN were restored.
Recommended No action is required.
action

L2VPN_LABEL_DUPLICATE
Message text Incoming label [INT32] for a static PW in [STRING] [STRING] is duplicate.
$1: Incoming label value.
Variable fields $2: Type of L2VPN, Xconnect-group or VSI.
$3: Name of the Xconnect-group or VSI.
Severity level 4
L2VPN/4/L2VPN_LABEL_DUPLICATE: Incoming label 1024 for a static PW in
Example Xconnect-group aaa is duplicate.
The incoming label of a static PW in this Xconnect-group or VSI was occupied
by another configuration, for example, by a static LSP or by a static CRLSP.
This message is generated when one of the following events occurs:
Explanation • When MPLS is enabled, configure a static PW with an incoming label
which is occupied by another configuration.
• Enable MPLS when a static PW whose incoming label is occupied by
another configuration already exists.
Recommended Remove this static PW, and reconfigure it with another incoming label.
action

405
Security level: Secret

VXLAN_LICENSE_UNAVAILABLE
Message text The VXLAN feature is disabled, because no licenses are valid.

Variable fields N/A


Severity level 3
VXLAN/3/VXLAN_LICENSE_UNAVAILABLE: The VXLAN feature is disabled,
Example because no licenses are valid.
Explanation VXLAN was disabled because no licenses were valid.
Recommended Install valid licenses for VXLAN.
action

406
Security level: Secret

LAGG messages
This section contains link aggregation messages.

LAGG_ACTIVE
Member port [STRING] of aggregation group [STRING] changed to the active
Message text state.
$1: Port name.
Variable fields
$2: Link aggregation group type and ID.
Severity level 6
LAGG/6/LAGG_ACTIVE: Member port FGE1/0/50 of aggregation group BAGG1
Example changed to the active state.
Explanation A member port in an aggregation group changed to the Selected state.
Recommended No action is required.
action

LAGG_INACTIVE_AICFG
Member port [STRING] of aggregation group [STRING] changed to the inactive
Message text state, because the member port and the aggregate interface have different
attribute configurations.
$1: Port name.
Variable fields
$2: Link aggregation group type and ID.
Severity level 6
LAGG/6/LAGG_INACTIVE_AICFG: Member port FGE1/0/50 of aggregation group
Example BAGG1 changed to the inactive state, because the member port and the
aggregate interface have different attribute configurations.
A member port in an aggregation group changed to the Unselected state because
Explanation the member port and the aggregate interface had different attribute configurations.
Recommended Modify the attribute configurations of the member port to be consistent with the
action aggregate interface.

407
Security level: Secret

LAGG_INACTIVE_BFD
Member port [STRING] of aggregation group [STRING] changed to the inactive
Message text state, because the BFD session state of the port was down.
$1: Port name.
Variable fields
$2: Link aggregation group type and ID.
Severity level 6
LAGG/6/LAGG_INACTIVE_BFD: Member port FGE1/0/50 of aggregation group
Example BAGG1 changed to the inactive state, because the BFD session state of the port is
down.
A member port in an aggregation group changed to the Unselected state because
Explanation the BFD session on the port became down.
To resolve the problem, you can perform the following tasks:
Recommended • Verify that link failure has occurred and troubleshoot the failure.
action • Modify the port information and configuration for the port to have the same
operational key and attribute configuration as the reference port.

LAGG_INACTIVE_CONFIGURATION
Member port [STRING] of aggregation group [STRING] changed to the inactive
Message text state, because the aggregation configuration of the port is incorrect.
$1: Port name.
Variable fields
$2: Link aggregation group type and ID.
Severity level 6
LAGG/6/LAGG_INACTIVE_CONFIGURATION: Member port FGE1/0/50 of
Example aggregation group BAGG1 changed to the inactive state, because the aggregation
configuration of the port is incorrect.
A member port in an aggregation group changed to the Unselected state because
Explanation the member port and the aggregate interface had different aggregation
configuration.
Recommended No action is required.
action

408
Security level: Secret

LAGG_INACTIVE_DUPLEX
Member port [STRING] of aggregation group [STRING] changed to the inactive
Message text state, because the duplex mode is different between the member port and the
reference port.
$1: Port name.
Variable fields
$2: Link aggregation group type and ID.
Severity level 6
LAGG/6/LAGG_INACTIVE_DUPLEX: Member port FGE1/0/50 of aggregation
Example group BAGG1 changed to the inactive state, because the duplex mode is different
between the member port and the reference port.
A member port in an aggregation group changed to the Unselected state because
Explanation the duplex mode was different between the member port and the reference port.
Recommended Change the duplex mode of the member port to be the same as the reference port.
action

LAGG_INACTIVE_HARDWAREVALUE
Member port [STRING] of aggregation group [STRING] changed to the inactive
Message text state, because of the port's hardware restriction.
$1: Port name.
Variable fields
$2: Link aggregation group type and ID.
Severity level 6
LAGG/6/LAGG_INACTIVE_HARDWAREVALUE: Member port FGE1/0/50 of
Example aggregation group BAGG1 changed to the inactive state, because of the port's
hardware restriction.
A member port in an aggregation group changed to the Unselected state because
Explanation of the port's hardware restriction.
Recommended No action is required.
action

LAGG_INACTIVE_LOWER_LIMIT
Member port [STRING] of aggregation group [STRING] changed to the inactive
Message text state, because the number of active ports is below the lower limit.
$1: Port name.
Variable fields
$2: Link aggregation group type and ID.
Severity level 6
LAGG/6/LAGG_INACTIVE_LOWER_LIMIT: Member port FGE1/0/50 of
Example aggregation group BAGG1 changed to the inactive state, because the number of
active ports is below the lower limit.
A member port in an aggregation group was placed in Unselected state because
Explanation the required minimum number of Selected ports was not reached.
Recommended Make sure the minimum number of Selected ports is met.
action

409
Security level: Secret

LAGG_INACTIVE_PARTNER
Member port [STRING] of aggregation group [STRING] changed to the inactive
Message text state, because the aggregation configuration of its peer port is incorrect.
$1: Port name.
Variable fields
$2: Link aggregation group type and ID.
Severity level 6
LAGG/6/LAGG_INACTIVE_PARTNER: Member port FGE1/0/50 of aggregation
Example group BAGG1 changed to the inactive state, because the aggregation
configuration of its peer port is incorrect.
A member port in an aggregation group changed to the Unselected state because
Explanation the port's partner changed to the Unselected state.
Recommended No action is required.
action

LAGG_INACTIVE_PHYSTATE
Member port [STRING] of aggregation group [STRING] changed to the inactive
Message text state, because the physical state of the port is down.
$1: Port name.
Variable fields
$2: Link aggregation group type and ID.
Severity level 6
LAGG/6/LAGG_INACTIVE_PHYSTATE: Member port FGE1/0/50 of aggregation
Example group BAGG1 changed to the inactive state, because the physical state of the port
is down.
A member port in an aggregation group changed to the Unselected state because
Explanation the port went down.
Recommended Bring up the member port.
action

LAGG_INACTIVE_RESOURCE_INSUFICIE
Member port [STRING] of aggregation group [STRING] changed to the inactive
Message text state, because all aggregate resources are occupied.
$1: Port name.
Variable fields
$2: Link aggregation group type and ID.
Severity level 6
LAGG/6/LAGG_INACTIVE_RESOURCE_INSUFICIE: Member port FGE1/0/50 of
Example aggregation group BAGG1 changed to the inactive state, because all aggregate
resources are occupied.
A member port in an aggregation group changed to the Unselected state because
Explanation all aggregation resources were used.
Recommended No action is required.
action

410
Security level: Secret

LAGG_INACTIVE_SPEED
Member port [STRING] of aggregation group [STRING] changed to the inactive
Message text state, because the speed configuration of the port is incorrect.
$1: Port name.
Variable fields
$2: Link aggregation group type and ID.
Severity level 6
LAGG/6/LAGG_INACTIVE_SPEED: Member port FGE1/0/50 of aggregation
Example group BAGG1 changed to the inactive state, because the speed configuration of
the port is incorrect.
A member port in an aggregation group changed to the Unselected state because
Explanation the speed was different between the member port and the reference port.
Recommended Change the speed of the member port to be the same as the reference port.
action

LAGG_INACTIVE_UPPER_LIMIT
Member port [STRING] of aggregation group [STRING] changed to the inactive
Message text state, because the number of active ports has reached the upper limit.
$1: Port name.
Variable fields
$2: Link aggregation group type and ID.
Severity level 6
LAGG/6/LAGG_INACTIVE_UPPER_LIMIT: Member port FGE1/0/50 of
Example aggregation group BAGG1 changed to the inactive state, because the number of
active ports has reached the upper limit.
The number of Selected ports reached the upper limit in a dynamic aggregation
Explanation group. A member port in the aggregation group changed to the Unselected state
because a more eligible port joined the aggregation group.
Recommended No action is required.
action

411
Security level: Secret

LB messages
This section contains LB messages.

LB_SLB_LICENSE_INSTALLED
Message text The license for SLB has been installed. Server load balancing is available.

Variable fields N/A

Severity level 5
LB/5/LB_SLB_LICENSE_INSTALLED: The license for SLB has been installed.
Example Server load balancing is available.

Explanation The license for SLB had been installed. Server load balancing was available.

Recommended No action is required.


action

LB_SLB_LICENSE_UNINSTALLED
The license for SLB has been uninstalled. Server load balancing is not
Message text available.

Variable fields N/A

Severity level 5
LB/5/LB_SLB_LICENSE_UNINSTALLED: The license for SLB has been
Example uninstalled. Server load balancing is not available.
The license for SLB had been uninstalled. Server load balancing was
Explanation unavailable.

Recommended Install the license for SLB.


action

412
Security level: Secret

LDP messages
This section contains LDP messages.

LDP_MPLSLSRID_CHG
Message text Please reset LDP sessions if you want to make the new MPLS LSR ID take effect.

Variable fields N/A


Severity level 5
LDP/5/LDP_MPLSLSRID_CHG: -MDC=1; Please reset LDP sessions if you want
Example to make the new MPLS LSR ID take effect.
If you configure an LDP LSR ID by using the lsr-id command in LDP view or
LDP-VPN instance view, LDP uses the LDP LSR ID. Otherwise, LDP uses the
MPLS LSR ID configured by the mpls lsr-id command.
Explanation This message is sent when the following situations occur:
• No LDP LSR ID is configured by using the lsr-id command.
• The MPLS LSR ID is modified.
1. Execute the display mpls ldp parameter [ vpn-instance
vpn-instance-name ] command to display the LSR ID.
Recommended 2. Verify that the LSR ID is the same as the configured MPLS LSR ID.
action If they are not the same, reset LDP sessions by executing the reset mpls ldp
command.

413
Security level: Secret

LDP_SESSION_CHG
Message text Session ([STRING], [STRING]) is [STRING].
$1: Peer's LDP ID. Value 0.0.0.0:0 indicates that the peer's LDP ID cannot be
obtained.
$2: VPN instance's name. Value public instance indicates that the session
belongs to the public network.
$3: State of the session, up or down. When the state is down, this field also
displays the reason for the down state error. Possible reasons include:
• interface not operational.
• MPLS disabled on interface.
• LDP disabled on interface.
• LDP auto-configure disabled on interface.
• VPN instance changed on interface.
• LDP instance deleted.
• targeted peer deleted.
• L2VPN disabled targeted peer.
• TE tunnel disabled targeted peer.
Variable fields • session protection disabled targeted peer.
• process deactivated.
• failed to receive the initialization message.
• graceful restart reconnect timer expired.
• failed to recover adjacency by NSR.
• failed to upgrade session by NSR.
• closed the GR session.
• keepalive hold timer expired.
• adjacency hold timer expired.
• session reset manually.
• TCP connection down.
• received a fatal notification message.
• internal error.
• memory in critical state.
• transport address changed on interface.
Severity level 5
LDP/5/LDP_SESSION_CHG: Session (22.22.22.2:0, public instance) is up.
Example LDP/5/LDP_SESSION_CHG: Session (22.22.22.2:0, VPN instance: vpn1) is
down (hello hold timer expired).
Explanation The session state changed.
When the session state is up, no action is required.
Recommended
When the session state is down, check the interface state, link state, and other
action configurations depending on the reason displayed.

414
Security level: Secret

LDP_SESSION_GR
Message text Session ([STRING], [STRING]): ([STRING]).
$1: Peer's LDP ID. Value 0.0.0.0:0 indicates that the peer's LDP ID cannot be
obtained.
$2: VPN instance's name. Value public instance indicates that the session
belongs to the public network.
Variable fields $3: State of the session graceful restart:
 Start reconnection.
 Reconnection failed.
 Start recovery.
 Recovery completed.
Severity level 5
LDP/5/LDP_SESSION_GR: Session (22.22.22.2:0, VPN instance: vpn1): Start
Example reconnection.
State of the session graceful restart. When a GR-capable LDP session is down,
Explanation the LDP GR started. This message is generated during the GR of the LDP
session, indicating the current GR state.
Check for the reason of session graceful restart, which can be obtained from the
LDP_SESSION_CHG log message.
Recommended When the graceful restart state Reconnection failed is displayed, verify the
action interface state, link state, and other configurations according to the reason for
the session graceful restart. No action is required for other graceful restart
states.

LDP_SESSION_SP
Message text Session ([STRING], [STRING]): ([STRING]).
$1: Peer's LDP ID. Value 0.0.0.0:0 indicates that the peer's LDP ID cannot be
obtained.
$2: VPN instance's name. Value public instance indicates that the session
belongs to the public network.
Variable fields $3: State of the session protection:
 Hold up the session.
 Session recovered successfully.
 Session recovery failed.
Severity level 5
LDP/5/LDP_SESSION_SP: Session (22.22.22.2:0, VPN instance: vpn1): Hold
Example up the session.
When the last link adjacency of the session was lost, session protection started.
Explanation This message is generated during the session protection process, indicating the
current session protection state.
Recommended Verify the interface state and link state.
action

415
Security level: Secret

LLDP messages
This section contains LLDP messages.

LLDP_CREATE_NEIGHBOR
[STRING] agent new neighbor created on port [STRING] (IfIndex [UINT32]),
Message text neighbor's chassis ID is [STRING], port ID is [STRING].
$1: Agent type.
$2: Port name.
Variable fields $3: Port ifIndex.
$4: Neighbor's chassis ID.
$5: Neighbor's port ID.
Severity level 6
LLDP/6/LLDP_CREATE_NEIGHBOR: Nearest bridge agent new neighbor
Example created on port Ten-GigabitEthernet10/0/15 (IfIndex 599), neighbor's chassis
ID is 3822-d666-ba00, port ID is GigabitEthernet6/0/5.
Explanation The port received an LLDP message from a new neighbor.
Recommended No action is required.
action

416
Security level: Secret

LLDP_DELETE_NEIGHBOR
[STRING] agent neighbor deleted on port [STRING] (IfIndex [UINT32]),
Message text neighbor's chassis ID is [STRING], port ID is [STRING].
$1: Agent type.
$2: Port name.
Variable fields $3: Port ifIndex.
$4: Neighbor's chassis ID.
$5: Neighbor's port ID.
Severity level 6
LLDP/6/LLDP_DELETE_NEIGHBOR: Nearest bridge agent neighbor deleted
Example on port Ten-GigabitEthernet10/0/15 (IfIndex 599), neighbor's chassis ID is
3822-d666-ba00, port ID is GigabitEthernet6/0/5.
Explanation The port received a deletion message when a neighbor was deleted.
Recommended No action is required.
action

LLDP_LESS_THAN_NEIGHBOR_LIMIT
The number of [STRING] agent neighbors maintained by port [STRING] (IfIndex
Message text [UINT32]) is less than [UINT32], and new neighbors can be added.
$1: Agent type.
$2: Port name.
Variable fields
$3: Port ifIndex.
$4: Maximum number of neighbors a port can maintain.
Severity level 6
LLDP/6/LLDP_LESS_THAN_NEIGHBOR_LIMIT: The number of nearest
Example bridge agent neighbors maintained by port Ten-GigabitEthernet10/0/15 (IfIndex
599) is less than 5, and new neighbors can be added.
New neighbors can be added for the port because the limit has not been
Explanation reached.
Recommended No action is required.
action

417
Security level: Secret

LLDP_NEIGHBOR_AGE_OUT
[STRING] agent neighbor aged out on port [STRING] (IfIndex [UINT32]),
Message text neighbor's chassis ID is [STRING], port ID is [STRING].
$1: Agent type.
$2: Port name.
Variable fields $3: Port ifIndex.
$4: Neighbor's chassis ID.
$5: Neighbor's port ID.
Severity level 5
LLDP/5/LLDP_NEIGHBOR_AGE_OUT: Nearest bridge agent neighbor aged
Example out on port Ten-GigabitEthernet10/0/15 (IfIndex599), neighbor's chassis ID is
3822-d666-ba00, port ID is GigabitEthernet6/0/5.
This message is generated when the port failed to receive LLDPDUs from the
Explanation neighbor within a certain period of time.
Recommended Verify the link status or the receive/transmit status of LLDP on the peer.
action

LLDP_PVID_INCONSISTENT
PVID mismatch discovered on [STRING] (PVID [UINT32]), with [STRING]
Message text [STRING] (PVID [STRING]).

$1: Port name.


$2: VLAN ID.
Variable fields $3: System name.
$4: Port name.
$5: VLAN ID.

Severity level 5

LLDP/5/LLDP_PVID_INCONSISTENT: MDC=1; PVID mismatch discovered on


Example Ten-GigabitEthernet0/2/6 (PVID 1), with Ten-GigabitEthernet0/2/7 (PVID 500).

This message is generated when the PVID on the peer is different from the PVID
Explanation of the local interface.
Recommended Configure the same PVID for the local and peer interfaces.
action

418
Security level: Secret

LLDP_REACH_NEIGHBOR_LIMIT
The number of [STRING] agent neighbors maintained by the port [STRING]
Message text (IfIndex [UINT32]) has reached [UINT32], and no more neighbors can be
added.
$1: Agent type.
$2: Port name.
Variable fields
$3: Port ifIndex.
$4: Maximum number of neighbors a port can maintain.
Severity level 5
LLDP/5/LLDP_REACH_NEIGHBOR_LIMIT: The number of nearest bridge
Example agent neighbors maintained by the port Ten-GigabitEthernet10/0/15 (IfIndex
599) has reached 5, and no more neighbors can be added.
This message is generated when the port with its maximum number of
Explanation neighbors reached received an LLDP packet.
Recommended No action is required.
action

419
Security level: Secret

LOAD messages
This section contains load management messages.

BOARD_LOADING
Message text Board in chassis [INT32] slot [INT32] is loading software images.
$1: Chassis ID.
Variable fields
$2: Slot ID.

Severity level 4
LOAD/4/BOARD_LOADING: Board in chassis 1 slot 5 is loading software
Example images.

Explanation The card is loading software images during the boot process.

Recommended No action is required.


action

LOAD_FAILED
Message text Board in chassis [INT32] slot [INT32] failed to load software images.
$1: Chassis ID.
Variable fields
$2: Slot ID.

Severity level 3
LOAD/3/LOAD_FAILED: Board in chassis 1 slot 5 failed to load software
Example images.

Explanation The card failed to load software images during the boot process.
1. Execute the display boot-loader command to identify the startup
software images.
2. Execute the dir command to verify that the startup software images exist.
Recommended If the startup software images do not exist or are damaged, re-upload the
action software images to the device or set another one as the startup software
images.
3. If the problem persists, contract Hewlett Packard Enterprise Support.

420
Security level: Secret

LOAD_FINISHED
Message text Board in chassis [INT32] slot [INT32] has finished loading software images.
$1: Chassis ID.
Variable fields
$2: Slot ID.

Severity level 5
LOAD/5/LOAD_FINISHED: Board in chassis 1 slot 5 has finished loading
Example software images.

Explanation The card has finished loading software images.

Recommended No action is required.


action

421
Security level: Secret

LOGIN messages
This section contains login messages.

LOGIN_FAILED
Message text [STRING] failed to login from [STRING].
$1: Username.
Variable fields
$2: Line name or IP address.

Severity level 5
LOGIN/5/LOGIN_FAILED: TTY failed to log in from console0.
Example
LOGIN/5/LOGIN_FAILED: usera failed to log in from 192.168.11.22.

Explanation A login attempt failed.

Recommended No action is required.


action

LOGIN_ INVALID_USERNAME_PWD
Message text Invalid username or password from [STRING].

Variable fields $1: User line name and user IP address.

Severity level 5
LOGIN/5/LOGIN_INVALID_USERNAME_PWD: Invalid username or password
from console0.
Example
LOGIN/5/LOGIN_INVALID_USERNAME_PWD: Invalid username or password
from 192.168.11.22.

Explanation A user entered an invalid username or password.

Recommended No action is required.


action

422
Security level: Secret

LPDT messages
This section contains loop detection messages.

LPDT_LOOPED
Message text Loopback exists on [STRING].

Variable fields $1: Port name.


Severity level 4
Example LPDT/4/LPDT_LOOPED: Loopback exists on Ethernet 6/4/2.
Explanation The first intra-VLAN loop was detected on a port.
Recommended Check the links and configuration on the device for the loop, and remove the
action loop.

LPDT_RECOVERED
Message text Loopback on [STRING] recovered.

Variable fields $1: Port name.


Severity level 5
Example LPDT/5/LPDT_RECOVERED: Loopback on Ethernet 6/4/1 recovered.
Explanation All intra-VLAN loops on a port were removed.
Recommended No action is required.
action

LPDT_VLAN_LOOPED
Message text Loopback exists on [STRING] in VLAN [UINT16].

$1: Port name.


Variable fields
$2: VLAN ID.

Severity level 4

Example LPDT/4/LPDT_VLAN_LOOPED: Loopback exists on Ethernet6/4/1 in VLAN 1.

Explanation A loop in a VLAN was detected on a port.

Recommended Check the links and configurations in the VLAN for the loop, and remove the
action loop.

423
Security level: Secret

LPDT_VLAN_RECOVERED
Message text Loopback on [STRING] in VLAN [UINT16] recovered.

$1: Port name.


Variable fields
$2: VLAN ID.

Severity level 5
LPDT/5/LPDT_RECOVERED: Loopback on Ethernet6/4/1 in VLAN 1
Example recovered.

Explanation A loop in a VLAN was removed on a port.

Recommended No action is required.


action

424
Security level: Secret

LS messages
This section contains Local Server messages.

LS_ADD_USER_TO_GROUP
Message text Admin [STRING] added user [STRING] to group [STRING].
$1: Admin name.
Variable fields $2: User name.
$3: User group name.
Severity level 4
LS/4/LS_ADD_USER_TO_GROUP: Admin admin added user user1 to group
Example group1.
Explanation The administrator added a user into a user group.
Recommended No action is required.
action

LS_AUTHEN_FAILURE
Message text User [STRING] from [STRING] failed authentication. [STRING]
$1: User name.
$2: IP address.
$3: Failure reason:
 "User not found."
Variable fields  "Password verified failed."
 "User not active."
 "Access type mismatch."
 "Binding attribute is failed."
 "User in blacklist."
Severity level 5
LS/5/LS_AUTHEN_FAILURE: User cwf@system from 192.168.0.22 failed
Example authentication. "User not found."
Explanation The local server rejected a user's authentication request.
Recommended No action is required.
action

425
Security level: Secret

LS_AUTHEN_SUCCESS
Message text User [STRING] from [STRING] was authenticated successfully.
$1: User name.
Variable fields
$2: IP address.
Severity level 6
LS/6/LS_AUTHEN_SUCCESS: User cwf@system from 192.168.0.22 was
Example authenticated successfully.
Explanation The local server accepted a user's authentication request.
Recommended No action is required.
action

LS_DEL_USER_FROM_GROUP
Message text Admin [STRING] delete user [STRING] from group [STRING].
$1: Admin name.
Variable fields $2: User name.
$3: User group name.
Severity level 4
LS/4/LS_DEL_USER_FROM_GROUP: Admin admin delete user user1 from
Example group group1.
Explanation The administrator deleted a user from a user group.
Recommended No action is required.
action

LS_DELETE_PASSWORD_FAIL
Message text Failed to delete the password for user [STRING].

Variable fields $1: User name.


Severity level 4
LS/4/LS_DELETE_PASSWORD_FAIL: Failed to delete the password for user
Example abcd.
Explanation Failed to delete the password for a user.
Recommended Check the file system for errors.
action

426
Security level: Secret

LS_PWD_ADDBLACKLIST
User [STRING] was added to the blacklist due to multiple login failures,
Message text [STRING].
$1: User name.
$2: Options include:
Variable fields  but could make other attempts.
 and is permanently blocked.
 and was temporarily blocked for [UINT32] minutes.
Severity level 4
LS/4/LS_PWD_ADDBLACKLIST: User user1 was added to the blacklist due to
Example multiple login failures, but could make other attempts.
Explanation A user was added to the blacklist because of multiple login failures.
Recommended Check the user's password.
action

LS_PWD_CHGPWD_FOR_AGEDOUT
Message text User [STRING] changed the password because it was expired.

Variable fields $1: User name.


Severity level 4
LS/4/LS_PWD_CHGPWD_FOR_AGEDOUT: User aaa changed the password
Example because it was expired.
Explanation A user changed the password because the password expired.
Recommended No action is required.
action

LS_PWD_CHGPWD_FOR_AGEOUT
Message text User [STRING] changed the password because it was about to expire.
$1: User name.
Variable fields
$2: Aging time.
Severity level 4
LS/4/LS_PWD_CHGPWD_FOR_AGEOUT: User aaa changed the password
Example because it was about to expire.
Explanation A user changed the password because the password is about to expire.
Recommended No action is required.
action

427
Security level: Secret

LS_PWD_CHGPWD_FOR_COMPOSITION
Message text User [STRING] changed the password because it had an invalid composition.

Variable fields $1: User name.


Severity level 4
LS/4/LS_PWD_CHGPWD_FOR_COMPOSITION: User aaa changed the
Example password because it had an invalid composition.
Explanation A user changed the password because it had an invalid composition.
Recommended No action is required.
action

LS_PWD_CHGPWD_FOR_FIRSTLOGIN
Message text User [STRING] changed the password at the first login.

Variable fields $1: User name.


Severity level 4
LS/4/LS_PWD_CHGPWD_FOR_FIRSTLOGIN: User aaa changed the
Example password at the first login.
Explanation A user changed the password at the first login.
Recommended No action is required.
action

LS_PWD_CHGPWD_FOR_LENGTH
Message text User [STRING] changed the password because it was too short.

Variable fields $1: User name.


Severity level 4
LS/4/LS_PWD_CHGPWD_FOR_LENGTH: User aaa changed the password
Example because it was too short.
Explanation A user changed the password because it was too short.
Recommended No action is required.
action

428
Security level: Secret

LS_PWD_FAILED2WRITEPASS2FILE
Message text Failed to write the password records to file.

Variable fields N/A


Severity level 4
LS/4/LS_PWD_FAILED2WRITEPASS2FILE: Failed to write the password
Example records to file.
Explanation Failed to write the password records to file.
Recommended No action is required.
action

LS_PWD_MODIFY_FAIL
Admin [STRING] from [STRING] could not modify the password for user
Message text [STRING], because [STRING].
$1: Admin name.
$2: IP address.
$3: User name.
Variable fields $4: Failure reason:
 passwords did not match.
 the password history cannot be written.
 the password cannot be verified.
Severity level 4
LS/4/LS_PWD_MODIFY_FAIL: Admin admin from 1.1.1.1 could not modify the
Example password for user user1, because passwords do not match.
Explanation An administrator failed to modify a user's password.
Recommended No action is required.
action

LS_PWD_MODIFY_SUCCESS
Admin [STRING] from [STRING] modify the password for user [STRING]
Message text successfully.
$1: Admin name.
Variable fields $2: IP address.
$3: User name.
Severity level 6
LS/6/LS_PWD_MODIFY_SUCCESS: Admin admin from 1.1.1.1 modify the
Example password for user abc successfully.
Explanation An administrator successfully modified a user's password.
Recommended No action is required.
action

429
Security level: Secret

LS_REAUTHEN_FAILURE
Message text User [STRING] from [STRING] failed reauthentication.
$1: User name.
Variable fields
$2: IP address.
Severity level 5
LS/5/LS_REAUTHEN_FAILURE: User abcd from 1.1.1.1 failed
Example reauthentication.
A user failed reauthentication because the old password entered for
Explanation reauthentication is invalid.
Recommended Check the old password.
action

LS_UPDATE_PASSWORD_FAIL
Message text Failed to update the password for user [STRING].

Variable fields $1: User name.


Severity level 4
LS/4/LS_UPDATE_PASSWORD_FAIL: Failed to update the password for user
Example abc.
Explanation Failed to update the password for a user.
Recommended Check the file system for errors.
action

LS_USER_CANCEL
Message text User [STRING] from [STRING] cancelled inputting the password.
$1: User name.
Variable fields
$2: IP address.
Severity level 5
LS/5/LS_USER_CANCEL: User 1 from 1.1.1.1 cancelled inputting the
Example password.
The user cancelled inputting the password or did not input the password in 90
Explanation seconds.
Recommended No action is required.
action

430
Security level: Secret

LS_USER_PASSWORD_EXPIRE
Message text User [STRING]'s login idle timer timed out.

Variable fields $1: User name.


Severity level 5
Example LS/5/LS_USER_PASSWORD_EXPIRE: User 1's login idle timer timed out.
Explanation The login idle time for a user expired.
Recommended No action is required.
action

LS_USER_ROLE_CHANGE
Message text Admin [STRING] [STRING] the user role [STRING] for [STRING].
$1: Admin name.
$2: Added/Deleted.
Variable fields
$3: User role.
$4: User name.
Severity level 4
LS/4/LS_USER_ROLE_CHANGE: Admin admin add the user role
Example network-admin for abcd.
Explanation The administrator added a user role for a user.
Recommended No action is required.
action

431
Security level: Secret

LSPV messages
This section contains LSP verification messages.

LSPV_PING_STATIS_INFO
Ping statistics for [STRING]: [UINT32] packets transmitted, [UINT32] packets
Message text received, [DOUBLE]% packets loss, round-trip min/avg/max =
[UINT32]/[UINT32]/[UINT32] ms.
$1: FEC.
$2: Number of echo requests sent.
$3: Number of echo replies received.
Variable fields $4: Percentage of the non-replied packets to the total requests.
$5: Minimum round-trip delay.
$6: Average round-trip delay.
$7: Maximum round-trip delay.
Severity level 6
LSPV/6/LSPV_PING_STATIS_INFO: Ping statistics for FEC 192.168.1.1/32: 5
Example packets transmitted, 5 packets received, 0.0% packets loss, round-trip
min/avg/max = 1/2/5 ms.
Ping statistics for an LSP tunnel or a PW.
Explanation
This message is generated when the ping mpls command is executed.
Recommended If no reply is received, verify the connectivity of the LSP tunnel or the PW.
action

432
Security level: Secret

MAC messages
This section contains MAC messages.

MAC_DRIVER_ADD_ENTRY
Driver failed to add MAC address entry: MAC address=[STRING],
Message text VLAN=[UINT32], State=[UINT32], interface=[STRING].
$1: MAC address.
$2: VLAN ID.
Variable fields
$3: Entry type number.
$4: Interface type and interface number.
Severity level 4
MAC/4/MAC_DRIVER_ADD_ENTRY: Driver failed to add MAC address entry:
Example MAC address=1-1-1, VLAN=1, State=2, interface=GigabitEthernet1/0/1.
Explanation Failed to add a MAC address entry on an interface.
Recommended No action is required.
action

MAC_TABLE_FULL_GLOBAL
Message text The number of MAC address entries exceeded the maximum number [UINT32].

Variable fields $1: Maximum number of MAC addresses.


Severity level 4
MAC/4/MAC_TABLE_FULL_GLOBAL: The number of MAC address entries
Example exceeded the maximum number 1024.
The number of entries in the global MAC address table exceeded the maximum
Explanation number supported by the table.
Recommended No action is required.
action

433
Security level: Secret

MAC_TABLE_FULL_PORT
The number of MAC address entries exceeded the maximum number [UINT32]
Message text for interface [STRING].
$1: Maximum number of MAC addresses.
Variable fields
$2: Interface name.
Severity level 4
MAC/4/MAC_TABLE_FULL_PORT: The number of MAC address entries
Example exceeded the maximum number 1024 for interface GigabitEthernet2/0/32.
The number of entries in the MAC address table for an interface exceeded the
Explanation maximum number supported by the table.
Recommended No action is required.
action

MAC_TABLE_FULL_VLAN
The number of MAC address entries exceeded the maximum number [UINT32]
Message text in VLAN [UINT32].
$1: Maximum number of MAC addresses.
Variable fields
$2: VLAN ID.
Severity level 4
MAC/4/MAC_TABLE_FULL_VLAN: The number of MAC address entries
Example exceeded the maximum number 1024 in VLAN 2.
The number of entries in the MAC address table for a VLAN exceeded the
Explanation maximum number supported by the table.
Recommended No action is required.
action

434
Security level: Secret

MACA messages
This section contains MAC authentication messages.

MACA_ENABLE_NOT_EFFECTIVE
Message text MAC authentication is enabled but is not effective on interface [STRING].

Variable fields $1: Interface type and number.


Severity level 3
MACA/3/MACA_ENABLE_NOT_EFFECTIVE: MAC authentication is
Example enabled but is not effective on interface Ethernet3/1/2.
MAC authentication configuration does not take effect on an interface,
Explanation because the interface does not support MAC authentication.
1. Disable MAC authentication on the interface.
2. Reconnect the connected devices to another interface that supports
Recommended action MAC authentication.
3. Enable MAC authentication on the new interface.

MACA_LOGIN_FAILURE
Messag -IfName=[STRING]-MACAddr=[STRING]-VLANID=[STRING]-Username=[STRING]-Username
e text Format=[STRING]; User failed MAC authentication.
$1: Interface type and number.
$2: MAC address.
Variable $3: VLAN ID.
fields
$4: Username.
$5: User account format.
Severity 6
level
MACA/6/MACA_LOGIN_FAILURE:-IfName=GigabitEthernet1/0/4-MACAddr=0010-8400-22b9-
Example VLANID=444-Username=00-10-84-00-22-b9-UsernameFormat=MAC address; User failed MAC
authentication.
Explana The user failed MAC authentication.
tion
Recom
mended Locate the failure cause and handle the problem according to the failure cause.
action

435
Security level: Secret

MACA_LOGIN_SUCC
Message -IfName=[STRING]-MACAddr=[STRING]-VLANID=[STRING]-Username=[STRING]-Username
text Format=[STRING]; User passed MAC authentication and came online.
$1: Interface type and number.
$2: MAC address.
Variable $3: VLAN ID.
fields
$4: Username.
$5: User account format.
Severity 6
level
MACA/6/MACA_LOGIN_SUCC:-IfName=GigabitEthernet1/0/4-MACAddr=0010-8400-22b9-VL
Example ANID=444-Username=00-10-84-00-22-b9-UsernameFormat=MAC address; User passed MAC
authentication and came online.
Explanat The user passed MAC authentication.
ion
Recomm
ended No action is required.
action

MACA_LOGOFF
Message -IfName=[STRING]-MACAddr=[STRING]-VLANID=[STRING]-Username=[STRING]-Username
text Format=[STRING]; MAC authentication user was logged off.
$1: Interface type and number.
$2: MAC address.
Variable $3: VLAN ID.
fields
$4: Username.
$5: User account format.
Severity 6
level
MACA/6/MACA_LOGOFF:-IfName=GigabitEthernet1/0/4-MACAddr=0010-8400-22b9-VLANID
Example =444-Username=00-10-84-00-22-b9-UsernameFormat=MAC address; MAC authentication
user was logged off.
Explanat The MAC authentication user was logged off.
ion
Recomm
Locate the logoff cause and remove the problem. If the logoff was requested by the user, no
ended action is required.
action

436
Security level: Secret

MACSEC messages
This section contains MACsec messages.

MACSEC_MKA_KEEPALIVE_TIMEOUT
The live peer with SCI [STRING] and CKN [STRING] aged out on interface
Message text [STRING].
$1: SCI.
Variable fields $2: CKN.
$3: Interface name.
Severity level 4
MACSEC/4/MACSEC_MKA_KEEPALIVE_TIMEOUT: The live peer with SCI
Example 00E00100000A0006 and CKN 80A0EA0CB03D aged out on interface
GigabitEthernet1/0/1.
A live peer aged out on an interface, because the local participant had not received
Explanation any MKA packets from the peer before the keepalive timer expired. The local
participant removed the peer information from the port.
Recommended Check the link between the local participant and the live peer for link failure. If the
action link is down, recover the link.

MACSEC_MKA_PRINCIPAL_ACTOR
Message text The actor with CKN [STRING] became principal actor on interface [STRING].
$1: CKN.
Variable fields
$2: Interface name.
Severity level 6
MACSEC/6/MACSEC_MKA_PRINCIPAL_ACTOR: The actor with CKN
Example 80A0EA0CB03D became principal actor on interface GigabitEthernet1/0/1.
Explanation The actor with the highest key server priority became the principal actor.
Recommended No action is required.
action

MACSEC_MKA_SAK_REFRESH
Message text The SAK has been refreshed on interface [STRING].

Variable fields $1: Interface name.


Severity level 6
MACSEC/6/MACSEC_MKA_SAK_REFRESH: The SAK has been refreshed on
Example interface GigabitEthernet1/0/1.
Explanation The participant on the interface derived or received a new SAK.
Recommended No action is required.
action

437
Security level: Secret

MACSEC_MKA_SESSION_REAUTH
The MKA session with CKN [STRING] was re-authenticated on interface
Message text [STRING].
$1: CKN.
Variable fields
$2: Interface name.
Severity level 6
MACSEC/6/MACSEC_MKA_SESSION_REAUTH: The MKA session with CKN
Example 80A0EA0CB03D was re-authenticated on interface GigabitEthernet1/0/1.
The interface performed 802.1X reauthentication.
Explanation After the 802.1X reauthentication, the participants received a new CAK, and used
it to re-establish the MKA session.
Recommended No action is required.
action

MACSEC_MKA_SESSION_SECURED
Message text The MKA session with CKN [STRING] was secured on interface [STRING].
$1: CKN.
Variable fields
$2: Interface name.
Severity level 6
MACSEC/6/MACSEC_MKA_SESSION_SECURED: The MKA session with CKN
Example 80A020EA0CB03D was secured on interface GigabitEthernet1/0/1.
The MKA session on the interface was secured. Packets are encrypted and
transmitted in cipher text. The event occurs in the following situations:
• The MKA session state changes from unsecured to secured.
Explanation • The local participant and the peer negotiate a new MKA session when the
following conditions exist:
 Both the key server and the peer support MACsec.
 A minimum of one participant is enabled with the MACsec desire feature.
Recommended No action is required.
action

438
Security level: Secret

MACSEC_MKA_SESSION_START
Message text The MKA session with CKN [STRING] started on interface [STRING].
$1: CKN.
Variable fields
$2: Interface name.
Severity level 6
MACSEC/6/MACSEC_MKA_SESSION_START: The MKA session with CKN
Example 80A020EA0CB03D started on interface GigabitEthernet1/0/1.
The MKA session negotiation was initiated. Possible reasons include:
• New CAK is available after MKA is enabled.
Explanation • The user re-establishes the MKA session.
• The interface that failed MKA session negotiation receives an MKA packet.
Recommended No action is required.
action

MACSEC_MKA_SESSION_STOP
Message text The MKA session with CKN [STRING] stopped on interface [STRING].
$1: CKN.
Variable fields
$2: Interface name.
Severity level 5
MACSEC/5/MACSEC_MKA_SESSION_STOP: The MKA session with CKN
Example 80A020EA0CB03D stopped on interface GigabitEthernet1/0/1.
The MKA session was terminated. Possible reasons include:
Explanation • The user removes or re-establishes the MKA session on the interface.
• The link associated to the session is down.
1. Use the display mka session command to check whether the session exists:
 If the session has been re-established, ignore the message.
Recommended  If the session does not exist and is not removed by the user, check the link
action associated with the session for link failure.
2. Recover the link if the link is down.

439
Security level: Secret

MACSEC_MKA_SESSION_UNSECURED
Message text The MKA session with CKN [STRING] was not secured on interface [STRING].
$1: CKN.
Variable fields
$2: Interface name.
Severity level 5
MACSEC/5/MACSEC_MKA_SESSION_UNSECURED: The MKA session with
Example CKN 80A020EA0CB03D was not secured on interface GigabitEthernet1/0/1.
The MKA session on the interface was not secured. Packets are transmitted in
plain text. The event occurs in the following situations:
• The MKA session state changes from secured to unsecured.
Explanation • The local participant and the peer negotiate a new MKA session when the
following conditions exist:
 The key server and the peer are not both MACsec capable.
 No participant is enabled with the MACsec desire feature.
To secure the MKA session, perform the following tasks:
Recommended • Verify that both the key server and the peer support MACsec.
action • Verify that a minimum of one participant is enabled with the MACsec desire
feature.

440
Security level: Secret

MBFD messages
This section contains MPLS BFD messages.

MBFD_TRACEROUTE_FAILURE
Message text [STRING] is failed. ([STRING].)
$1: LSP information.
Variable fields
$2: Reason for the LSP failure.
Severity level 5
MBFD/5/MBFD_TRACEROUTE_FAILURE: LSP (LDP IPv4: 22.22.2.2/32,
nexthop: 20.20.20.2) is failed. (Replying router has no mapping for the FEC.)
Example
MBFD/5/MBFD_TRACEROUTE_FAILURE: TE tunnel (RSVP IPv4: Tunnel1) is
failed. (No label entry.)
LSP/MPLS TE tunnel failure was detected by periodic MPLS tracert. This
Explanation message is generated when the system receives an MPLS echo reply with an
error return code.
Recommended Verify the configuration for the LSP or MPLS TE tunnel.
action

441
Security level: Secret

MDC messages
This section contains MDC messages.

MDC_CREATE_ERR
Message text Failed to create MDC [UINT16] for insufficient resources.

Variable fields $1: MDC ID.

Severity level 5
MDC/5/MDC_CREATE_ERR: -Slot=1; Failed to create MDC 2 for insufficient
Example resources.

The standby MPU did not have enough resources to create the MDC.
At startup, the standby MPU obtains MDC configuration information from the
Explanation
active MPU. If the standby MPU does not have enough resources to create an
MDC, it outputs this log message.
1. Use the display mdc resource command to display the CPU, memory,
and disk space resources on the standby MPU.
2. Perform one of the following tasks:
Recommended  If the memory space is insufficient, increase the memory space. If the
action disk space is insufficient, delete unused files.
 Use the undo mdc command to delete the specified MDC.
 Replace the standby MPU with an MPU that has sufficient resources.

MDC_CREATE
Message text MDC [UINT16] was created.

Variable fields $1: MDC ID.

Severity level 5

Example MDC/5/MDC_CREATE: MDC 2 was created.

Explanation An MDC was created successfully.

Recommended No action is required.


action

442
Security level: Secret

MDC_DELETE
Message text MDC [UINT16] was deleted.

Variable fields $1: MDC ID.

Severity level 5

Example MDC/5/MDC_DELETE: MDC 2 was deleted.

Explanation An MDC was deleted successfully.

Recommended No action is required.


action

MDC_KERNEL_EVENT_TOOLONG
Message text $1 kernel event in sequence $2 function $3 failed to finish within $4 minutes.
$1: MDC ID or context ID.
$2: Kernel event phase.
Variable fields
$3: Address of the function corresponding to the kernel event.
$4: Time duration.

Severity level 4
MDC/4/MDC_KERNEL_EVENT_TOOLONG: Slot=1; MDC 2 kernel event in
Example sequence 0x4fe5 function 0xff245e failed to finish within 15 minutes.

Explanation A kernel event stayed unfinished for a long period of time.

Recommended 1. Reboot the card in the specified slot.


action 2. If the problem persists, contact HP Support.

MDC_LICENSE_EXPIRE
Message text The MDC feature's license will expire in [UINT32] days.

Variable fields $1: Number of days, in the range of 1 to 30.

Severity level 5
MDC/5/MDC_LICENSE_EXPIRE: The MDC feature’s license will expire in 5
Example days.

Explanation The license for the MDC feature was about to expire.

Recommended Install a new license.


action

443
Security level: Secret

MDC_NO_FORMAL_LICENSE
Message text The feature MDC has no formal license.

Variable fields N/A

Severity level 5
MDC/5/MDC_NO_FORMAL_LICENSE: The feature MDC has no formal
Example license.
The standby MPU became the active MPU but it did not have a formal license.
Explanation The MDC feature has a free trial period. To use the feature after the period
elapses, you must install a license for the standby MPU.

Recommended Install a formal license.


action

MDC_NO_LICENSE_EXIT
Message text The MDC feature is being disabled, because it has no license.

Variable fields N/A

Severity level 5
MDC/5/MDC_NO_LICENSE_EXIT: The MDC feature is being disabled,
Example because it has no license.
The MDC feature was disabled because the license for the MDC feature expired
Explanation or was uninstalled.

Recommended Install the required license.


action

MDC_OFFLINE
Message text MDC [UINT16] is offline now.

Variable fields $1: MDC ID.

Severity level 5

Example MDC/5/MDC_OFFLINE: MDC 2 is offline now.

Explanation An MDC was stopped.

Recommended No action is required.


action

444
Security level: Secret

MDC_ONLINE
Message text MDC [UINT16] is online now.

Variable fields $1: MDC ID.

Severity level 5

Example MDC/5/MDC_ONLINE: MDC 2 is online now.

Explanation An MDC was started.

Recommended No action is required.


action

MDC_STATE_CHANGE
Message text MDC [UINT16] status changed to [STRING].
$1: MDC ID.
$2: MDC status:
 updating–The system is assigning interface cards to the MDC
(executing the location command).
 stopping–The system is stopping the MDC (executing the undo mdc
Variable fields start command).
 inactive–The MDC is inactive.
 starting–The system is starting the MDC (executing the mdc start
command).
 active–The MDC is operating correctly.

Severity level 5

Example MDC/5/MDC_STATE_CHANGE: MDC 2 status changed to active.

Explanation The status of an MDC changed.

Recommended No action is required.


action

445
Security level: Secret

MFIB messages
This section contains MFIB messages.

MFIB_MEM_ALERT
Message text MFIB process received system memory alert [STRING] event.

Variable fields $1: Type of the memory alert event.


Severity level 5
MFIB/5/MFIB_MEM_ALERT: MFIB process receive system memory alert start
Example event.
Explanation The MFIB module received a memory alert event from the system.
1. Check the system memory to make sure the memory usage does not exceed
Recommended action the thresholds.
2. Release memory from memory-intensive modules.

446
Security level: Secret

MGROUP messages
This section contains mirroring group messages.

MGROUP_APPLY_SAMPLER_FAIL
Failed to apply the sampler for mirroring group [UINT16], because the sampler
Message text resources are insufficient.

Variable fields $1: Mirroring group ID.


Severity level 3
MGROUP/3/MGROUP_APPLY_SAMPLER_FAIL: Failed to apply the sampler
Example for mirroring group 1, because the sampler resources are insufficient.
A sampler was not applied to the mirroring group because the sampler
Explanation resources were insufficient.
Recommended No action is required.
action

MGROUP_RESTORE_CPUCFG_FAIL
Failed to restore configuration for mirroring CPU of [STRING] in mirroring group
Message text [UINT16], because [STRING]
$1: Slot number.
Variable fields $2: Mirroring group ID.
$3: Failure reason.
Severity level 3
MGROUP/3/MGROUP_RESTORE_CPUCFG_FAIL: Failed to restore
Example configuration for mirroring CPU of chassis 1 slot 2 in mirroring group 1, because
the type of the monitor port in the mirroring group is not supported.
When the CPU of the card in the slot is the source CPU in the mirroring group,
Explanation configuration changes after the card is removed. When the card is reinstalled
into the slot, restoring the source CPU configuration might fail.
Check for the failure reason. If the reason is that the system does not support
Recommended the changed configuration, delete the unsupported configuration, and
action reconfigure the source CPU in the mirroring group.

447
Security level: Secret

MGROUP_RESTORE_IFCFG_FAIL
Failed to restore configuration for interface [STRING] in mirroring group
Message text [UINT16], because [STRING]
$1: Interface name.
Variable fields $2: Mirroring group ID.
$3: Failure reason.
Severity level 3
MGROUP/3/MGROUP_RESTORE_IFCFG_FAIL: Failed to restore
Example configuration for interface Ethernet3/1/2 in mirroring group 1, because the type
of the monitor port in the mirroring group is not supported.
When the interface of the card in the slot is the monitor port in the mirroring
Explanation group, configuration changes after the card is removed. When the card is
reinstalled into the slot, restoring the monitor port configuration might fail.
Check for the failure reason. If the reason is that the system does not support
Recommended the changed configuration, delete the unsupported configuration, and
action reconfigure the monitor port in the mirroring group.

MGROUP_SYNC_CFG_FAIL
Failed to restore configuration for mirroring group [UINT16] in [STRING],
Message text because [STRING]
$1: Mirroring group ID.
Variable fields $2: Slot number.
$3: Failure reason.
Severity level 3
MGROUP/3/MGROUP_SYNC_CFG_FAIL: Failed to restore configuration for
Example mirroring group 1 in chassis 1 slot 2, because monitor resources are insufficient.
When the complete mirroring group configuration was synchronized on the card
Explanation in the slot, restoring configuration failed because resources on the card were
insufficient.
Recommended Delete the mirroring group.
action

448
Security level: Secret

MPLS messages
This section contains MPLS messages.

MPLS_HARD_RESOURCE_NOENOUGH
Message text No enough hardware resource for MPLS.

Variable fields N/A


Severity level 4
MPLS/4/MPLS_HARD_RESOURCE_NOENOUGH: No enough hardware
Example resource for MPLS.
Explanation Hardware resources for MPLS were insufficient.
Check whether unnecessary LSPs had been generated. If yes, configure or
Recommended modify the LSP generation policy, label advertisement policy, and label
action acceptance policy to filter out unnecessary LSPs.

MPLS_HARD_RESOURCE_RESTORE
Message text Hardware resources for MPLS are restored.

Variable fields N/A


Severity level 6
MPLS/6/MPLS_HARD_RESOURCE_RESTORE: Hardware resources for
Example MPLS are restored.
Explanation Hardware resources for MPLS were restored.
Recommended No action is required.
action

449
Security level: Secret

MTLK messages
This section contains Monitor Link messages.

MTLK_UPLINK_STATUS_CHANGE
Message text The uplink of monitor link group [UINT32] is [STRING].
$1: Monitor link group ID.
Variable fields
$2: Monitor Link group status, up or down.

Severity level 6
MTLK/6/MTLK_UPLINK_STATUS_CHANGE: The uplink of monitor link group
Example 1 is up.

Explanation The uplink of a monitor link group went up or down.

Recommended Troubleshoot the uplink when it fails.


action

450
Security level: Secret

NAT messages
This section contains NAT messages.

NAT_ADDR_BIND_CONFLICT
Failed to activate NAT configuration on interface [STRING], because global IP
Message text addresses already bound to another service card.

Variable fields $1: Interface name.


Severity level 4
NAT/4/NAT_ADDR_BIND_CONFLICT: Failed to activate NAT configuration on
Example interface Ethernet0/0/2, because global IP addresses already bound to another
service card.
The NAT configuration did not take effect, because the global IP addresses that
Explanation the interface references have been bound to another service card.
If multiple interfaces reference the same global IP addresses, you must specify
the same service card to process NAT traffic passing through these interfaces.
To resolve the problem:
Recommended 1. Use the display nat all command to check the current configuration.
action 2. Remove the service card configuration on the interface.
3. Specify the same service card for interfaces referencing the same global IP
addresses.

NAT_FAILED_ADD_FLOW_TABLE
Message text Failed to add flow-table due to [STRING].
$1: Failure reason:
Variable fields • no enough resource.
• The item already exists.
Severity level 4
NAT/4/NAT_FAILED_ADD_FLOW_TABLE: Failed to add flow-table due to no
Example enough resource.
The system failed to add a flow table due to insufficient hardware resources or
Explanation NAT address overlapping.
If the failure is caused by insufficient hardware resources, contact Hewlett
Packard Enterprise Support.
Recommended action
If the failure is caused by address overlapping, reconfigure the NAT addresses.
Make sure the NAT address ranges do not overlap.

451
Security level: Secret

NAT_FLOW
Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPADDR];SrcPort(1004)=[UINT
16];NATSrcIPAddr(1005)=[IPADDR];NATSrcPort(1006)=[UINT16];DstIPAddr
(1007)=[IPADDR];DstPort(1008)=[UINT16];NATDstIPAddr(1009)=[IPADDR];
NATDstPort(1010)=[UINT16];InitPktCount(1044)=[UINT32];InitByteCount(10
Message text 46)=[UINT32];RplyPktCount(1045)=[UINT32];RplyByteCount(1047)=[UINT32
];RcvVPNInstance(1042)=[STRING];SndVPNInstance(1043)=[STRING];Rcv
DSLiteTunnelPeer(1040)=[STRING];SndDSLiteTunnelPeer(1041)=[STRING]
;BeginTime_e(1013)=[STRING];EndTime_e(1014)=[STRING];Event(1048)=([
UNIT16])[STRING];
$1: Protocol type.
$2: Source IP address.
$3: Source port number.
$4: Source IP address after translation.
$5: Source port number after translation.
$6: Destination IP address.
$7: Destination port number.
$8: Destination IP address after translation.
$9: Destination port number after translation.
$10: Total number of incoming packets.
$11: Total number of incoming bytes.
$12: Total number of outgoing packets.
$13: Total number of outgoing bytes.
Variable fields $14: Source VPN instance name.
$15: Destination VPN instance name.
$16: Source DS-Lite tunnel.
$17: Destination DS-Lite tunnel.
$18: Time when the session is created.
$19: Time when the session is removed.
$20: Event time.
$21: Event description:
 Session created.
 Active flow threshold.
 Normal over.
 Aged for timeout.
 Aged for reset or config-change.
 Other.
Severity level 6
NAT/6/NAT_FLOW:
Protocol(1001)=UDP;SrcIPAddr(1003)=10.10.10.1;SrcPort(1004)=1024;NAT
SrcIPAddr(1005)=20.20.20.20;NATSrcPort(1006)=1024;DstIPAddr(1007)=20
.20.20.1;DstPort(1008)=21;NATDstIPAddr(1009)=20.20.20.1;NATDstPort(10
Example 10)=21;InitPktCount(1044)=1;InitByteCount(1046)=50;RplyPktCount(1045)=0
;RplyByteCount(1047)=0;RcvVPNInstance(1042)=;SndVPNInstance(1043)=;
RcvDSLiteTunnelPeer(1040)=;SndDSLiteTunnelPeer(1041)=;BeginTime_e(1
013)=03182024082546;EndTime_e(1014)=;Event(1048)=(8)Session created;
This message is sent in one of the following conditions:
• A NAT session is created or removed.
Explanation
• Regularly during a NAT session.
• The traffic threshold or aging time of a NAT session is reached.

452
Security level: Secret

Recommended action No action is required.

NAT_SERVICE_CARD_RECOVER_FAILURE
Failed to recover the configuration of binding the service card on chassis
Message text [UINT16] slot [UINT16] to interface [STRING], because [STRING].
$1: Member ID of the device in the IRF fabric.
$2: Number of the slot where the service card resides.
Variable fields $3: Interface name.
$4: Reasons why restoring the binding between the service card and the
interface fails.
Severity level 4
NAT/4/NAT_SERVICE_CARD_RECOVER_FAILURE: Failed to recover the
Example configuration of binding the service card on chassis 2 slot 3 to interface
Ethernet0/0/2, because NAT service is not supported on this service card.
Explanation Restoring the binding between the service card and the interface failed.
• If the operation fails because the NAT addresses have already been bound
to another service card:
 Use the display nat all command to check the current configuration.
 Specify the same service card for interfaces referencing the same NAT
Recommended addresses.
action • Check the service card for hardware problems if the failure is caused by
one of the following reasons:
 NAT service is not supported on this service card.
 The hardware resources are not enough.
 Unknown error.

NAT_SERVER_INVALID
The NAT server with Easy IP is invalid because its global settings conflict with
Message text that of another NAT server on this interface.

Variable fields N/A


Severity level 4
NAT/4/NAT_SERVER_INVALID: The NAT server with Easy IP is invalid
Example because its global settings conflict with that of another NAT server on this
interface.
The NAT Server with Easy IP did not take effect because its global settings
Explanation conflict with that the global settings of another NAT Server on the same
interface.
Modify the NAT Server configuration on the interface. The combination of
Recommended protocol type, global IP addresses and global ports must be unique for each
action NAT Server on the same interface.

453
Security level: Secret

NAT_FAILED_ADD_FLOW_RULE
Message text Failed to add flow-table due to: [STRING].

Variable fields $1: Reason for the failure.


Severity level 4
NAT/4/NAT_FAILED_ADD_FLOW_TABLE: Failed to add flow-table due to: Not
Example enough resources are available to complete the operation.
The system failed to deploy flow entries. Possible reasons include insufficient
Explanation hardware resources or memory.
Recommended Contact Hewlett Packard Enterprise Support.
action

454
Security level: Secret

ND messages
This section contains ND messages.

ND_CONFLICT
Message text [STRING] is inconsistent.
$1: Configuration type:
 M_FLAG.
 O_FLAG.
 CUR_HOP_LIMIT.
Variable fields  REACHABLE TIME.
 NS INTERVAL.
 MTU.
 PREFIX VALID TIME.
 PREFIX PREFERRED TIME.
Severity level 6
Example ND/6/ND_CONFLICT: PREFIX VALID TIME is inconsistent
The configuration information in the received router advertisement was not
Explanation consistent with the configuration on the device. A message is sent if an
inconsistency is detected.
Recommended Verify that the configurations on the device and the neighboring router are
action consistent.

ND_DUPADDR
Message text Duplicate address: [STRING] on the interface [STRING].
$1: IPv6 address that is to be assigned to the interface.
Variable fields
$2: Name of the interface.
Severity level 6
Example ND/6/ND_DUPADDR: Duplicate address: 33::8 on interface Vlan-interface9.
The IPv6 address that was to be assigned to the interface is being used by
Explanation another device.
Recommended Assign another IPv6 address to the interface.
action

455
Security level: Secret

ND_HOST_IP_CONFLICT
The host [STRING] connected to interface [STRING] cannot communicate
Message text correctly, because it uses the same IPv6 address as the host connected to
interface [STRING].
$1: IPv6 global unicast address of the host.
Variable fields $2: Name of the interface.
$3: Name of the interface.
Severity level 4
ND/4/ND_HOST_IP_CONFLICT: The host 2::2 connected to interface
Example GigabitEthernet1/0/1 cannot communicate correctly, because it uses the same
IPv6 address as the host connected to interface GigabitEthernet1/0/1.
The IPv6 global unicast address of the host is being used by another host that
Explanation connects to the same interface.
Recommended Disconnect the host and assign another IPv6 global unicast address to the host.
action

ND_MAC_CHECK
Packet received on interface [STRING] was dropped because source MAC
Message text [STRING] was inconsistent with link-layer address [STRING].
$1: Receiving interface of the ND packet.
Variable fields $2: Source MAC address in the Ethernet frame header of the ND packet.
$3: Source link-layer address in the ND packet.
Severity level 6
ND/6/ND_MAC_CHECK: Packet received on interface Ethernet2/0/2 was
Example dropped because source MAC 0002-0002-0001 was inconsistent with link-layer
address 0002-0002-0002.
The device dropped an ND packet because source MAC consistency check
Explanation detected that the source MAC address and the source link-layer address in the
packet are inconsistent.
Recommended Verify the validity of the ND packet originator.
action

ND_SET_PORT_TRUST_NORESOURCE
Message text Not enough resources to complete the operation.

Variable fields N/A


Severity level 6
ND/6/ND_SET_PORT_TRUST_NORESOURCE: Not enough resources to
Example complete the operation.
Explanation Failed to execute the command because driver resources were not enough.
Recommended Release the driver resources and execute the command again.
action

456
Security level: Secret

ND_SET_VLAN_REDIRECT_NORESOURCE
Message text Not enough resources to complete the operation.

Variable fields N/A


Severity level 6
ND/6/ND_SET_VLAN_REDIRECT_NORESOURCE: Not enough resources to
Example complete the operation.
Explanation Failed to execute the command because driver resources were not enough.
Recommended Release the driver resources and execute the command again.
action

ND_RAGUARD_DROP
Dropped RA messages with the source IPv6 address [STRING] on interface
Message text [STRING]. [STRING] messages dropped in total on the interface.
$1: IPv6 source IP address of the dropped RA messages.
Variable fields $2: Interface name on which the RA messages are dropped.
$3: Total number of dropped RA messages on the interface.
Severity level 4
ND/6/ND_RAGUARD_DROP: Dropped RA messages with the source IPv6
Example address FE80::20 on interface GigabitEthernet1/0/1. 20 RA messages dropped
in total on the interface.
RA guard dropped RA messages and displayed the information when RA guard
Explanation detected an attack.
Recommended Verify the validity of the RA message originator.
action

457
Security level: Secret

NQA messages
This section contains NQA messages.

NQA_LOG_UNREACHABLE
Message text Server [STRING] unreachable.

Variable fields $1: IP address of the NQA server.


Severity level 6
Example NQA/6/NQA_LOG_UNREACHABLE: Server 192.168.30.117 unreachable.
Explanation An unreachable server was detected.
Recommended Check the network environment.
action

458
Security level: Secret

NTP messages
This section contains NTP messages.

NTP_CLOCK_CHANGE
System clock changed from [STRING] to [STRING], the NTP server's IP
Message text address is [STRING].
$1: Time before synchronization.
Variable fields $2: Time after synchronization.
$3: IP address.

Severity level 5
NTP/5/NTP_CLOCK_CHANGE: System clock changed from 02:12:58
Example 12/28/2012 to 02:29:12 12/28/2012, the NTP server's IP address is
192.168.30.116.

Explanation The NTP client has synchronized its time to the NTP server.

Recommended No action is required.


action

NTP_LEAP_CHANGE
Message text System Leap Indicator changed from [UINT32] to [UINT32] after clock update.
$1: Original Leap Indicator.
Variable fields
$2: Current Leap Indicator.

Severity level 5
NTP/5/NTP_LEAP_CHANGE: System Leap Indicator changed from 00 to 01
Example after clock update.
The system Leap Indicator changed. For example, the NTP status changed
from unsynchronized to synchronized.
NTP Leap Indicator is a two-bit code warning of an impending leap second to be
Explanation inserted in the NTP timescale.
The bits are set before 23:59 on the day of insertion and reset after 00:00 on the
following day. This causes the number of seconds (rolloverinterval) in the day of
insertion to be increased or decreased by one.

Recommended No action is required.


action

459
Security level: Secret

NTP_SOURCE_CHANGE
Message text NTP server's IP address changed from [STRING] to [STRING].
$1: IP address of the original time source.
Variable fields
$2: IP address of the new time source.

Severity level 5
NTP/5/NTP_SOURCE_CHANGE: NTP server's IP address changed from
Example 1.1.1.1 to 1.1.1.2.

Explanation The system changed the time source.

Recommended No action is required.


action

NTP_SOURCE_LOST
Message text Lost synchronization with NTP server with IP address [STRING].

Variable fields $1: IP address.

Severity level 5
NTP/5/NTP_SOURCE_LOST: Lost synchronization with NTP server with IP
Example address 1.1.1.1.
The clock source of the NTP association is in unsynchronized state or it is
Explanation unreachable.
1. Verify the NTP server and network connection.
2. For NTP server failures:
 Use the ntp-service unicast-server command to specify a new NTP
Recommended server.
action  Use the ntp-service multicast-client command to configure the
device to operate in NTP multicast client mode and receive NTP
multicast packets from a new NTP server.
3. If the problem persists, contract Hewlett Packard Enterprise Support.

NTP_STRATUM_CHANGE
Message text System stratum changed from [UINT32] to [UINT32] after clock update.
$1: Original stratum.
Variable fields
$2: Current stratum.

Severity level 5
NTP/5/NTP_STRATUM_CHANGE: System stratum changed from 6 to 5 after
Example clock update.

Explanation System stratum has changed.

Recommended No action is required.


action

460
Security level: Secret

OBJP messages
This section contains object policy messages.

OBJP_ACCELERATE_NO_RES
Failed to accelerate [STRING] object-policy [STRING]. The resources are
Message text insufficient.
$1: Object policy version.
Variable fields
$2: Object policy name.

Severity level 4
OBJP/4/OBJP_ACCELERATE_NO_RES: Failed to accelerate IPv6
Example object-policy a. The resources are insufficient.

Explanation Object policy acceleration failed because of insufficient hardware resources.

Recommended Delete unnecessary rules or disable acceleration for other object policies to
action release hardware resources.

OBJP_ACCELERATE_NOT_SUPPORT
Failed to accelerate [STRING] object-policy [STRING]. The operation is not
Message text supported.
$1: Object policy version.
Variable fields
$2: Object policy name.

Severity level 4
OBJP/4/OBJP_ACCELERATE_NOT_SUPPORT: Failed to accelerate IPv6
Example object-policy a. The operation is not supported.
Object policy acceleration failed because the system did not support
Explanation acceleration.

Recommended No action is required.


action

461
Security level: Secret

OBJP_ACCELERATE_UNK_ERR
Message text Failed to accelerate [STRING] object-policy [STRING].
$1: Object policy version.
Variable fields
$2: Object policy name.

Severity level 4
OBJP/4/OBJP_ACCELERATE_UNK_ERR: Failed to accelerate IPv6
Example object-policy a.

Explanation Object policy acceleration failed because of a system failure.

Recommended No action is required.


action

462
Security level: Secret

OFP messages
This section contains OpenFlow messages.

OFP_ACTIVE
Message text Activate openflow instance [UINT16].

Variable fields $1: Instance ID.


Severity level 5
Example OFP/5/OFP_ACTIVE: Activate openflow instance 1.
Explanation A command is received from comsh to activate an OpenFlow instance.
Recommended No action is required.
action

OFP_ACTIVE_FAILED
Message text Failed to activate instance [UINT16].

Variable fields $1: Instance ID.


Severity level 4
Example OFP/4/OFP_ACTIVE_FAILED: Failed to activate instance 1.
Explanation An OpenFlow instance cannot be activated.
Recommended No action is required.
action

OFP_CONNECT
Message text Openflow instance [UINT16], controller [CHAR] is [STRING].
$1: Instance ID.
Variable fields $2: Controller ID.
$3: Connection status: connected or disconnected.
Severity level 5
Example OFP/5/OFP_CONNECT: Openflow instance 1, controller 0 is connected.
Explanation The connection status with a controller is changed in an OpenFlow instance.
Recommended No action is required.
action

463
Security level: Secret

OFP_FAIL_OPEN
Message text Openflow instance [UINT16] is in fail [STRING] mode.
$1: Instance ID.
Variable fields
$2: Connection interruption mode: secure or standalone.
Severity level 5
Example OFP/5/OFP_FAIL_OPEN: Openflow instance 1 is in fail secure mode.
An activated instance cannot connect to any controller or is disconnected from
Explanation all controllers. The connection interrupt mode is also displayed.
Recommended No action is required.
action

OFP_FLOW_ADD
Openflow instance [UINT16] controller [CHAR]: add flow entry [UINT32], xid
Message text 0x[HEX], cookie 0x[HEX], table id [CHAR].
$1: Instance ID.
$2: Controller ID.
$3: Rule ID.
Variable fields
$4: XID.
$5: Cookie of the flow entry.
$6: Table ID.
Severity level 5
OFP/5/OFP_FLOW_ADD: Openflow instance 1 controller 0: add flow entry 1,
Example xid 0x1, cookie 0x0, table id 0.
A flow entry is to be added to a flow table, according to a flow table modification
Explanation message that has passed the packet check.
Recommended No action is required.
action

464
Security level: Secret

OFP_FLOW_ADD_DUP
Openflow instance [UINT16] controller [CHAR]: add duplicate flow entry
Message text [UINT32], xid 0x[HEX], cookie 0x[HEX], table id [CHAR].
$1: Instance ID.
$2: Controller ID.
$3: Rule ID.
Variable fields
$4: XID.
$5: Cookie.
$6: Table ID.
Severity level 5
OFP/5/OFP_FLOW_ADD_DUP: Openflow instance 1 controller 0: add
Example duplicate flow entry 1, xid 0x1, cookie 0x1, table id 0.
Explanation A duplicate flow entry was added.
Recommended No action is required.
action

OFP_FLOW_ADD_FAILED
Openflow instance [UINT16] controller [CHAR]: failed to add flow entry
Message text [UINT32], table id [CHAR].
$1: Instance ID.
$2: Controller ID.
Variable fields
$3: Rule ID.
$4: Table ID.
Severity level 4
OFP/4/OFP_FLOW_ADD_FAILED: Openflow instance 1 controller 0: failed to
Example add flow entry1, table id 0.
Explanation Failed to add a flow entry.
Recommended No action is required.
action

465
Security level: Secret

OFP_FLOW_ADD_TABLE_MISS
Openflow instance [UINT16] controller [CHAR]: add table miss flow entry, xid
Message text 0x[HEX], cookie 0x[HEX], table id [CHAR].
$1: Instance ID.
$2: Controller ID.
Variable fields $3: XID.
$4: Cookie of the flow entry.
$5: Table ID.
Severity level 5
OFP/5/OFP_FLOW_ADD_TABLE_MISS: Openflow instance 1 controller 0: add
Example table miss flow entry, xid 0x1, cookie 0x0, table id 0.
A table-miss flow entry is to be added to a flow table, according to a flow table
Explanation modification message that has passed the packet check.
Recommended No action is required.
action

OFP_FLOW_ADD_TABLE_MISS_FAILED
Openflow instance [UINT16] controller [CHAR]: failed to add table miss flow
Message text entry, table id [CHAR].
$1: Instance ID.
Variable fields $2: Controller ID.
$3: Table ID.
Severity level 4
OFP/4/OFP_FLOW_ADD_TABLE_MISS_FAILED: Openflow instance 1
Example controller 0: failed to add table miss flow entry, table id 0.
Explanation Failed to add a table-miss flow entry.
Recommended No action is required.
action

466
Security level: Secret

OFP_FLOW_DEL
Openflow instance [UINT16] controller [CHAR]: delete flow entry, xid 0x[HEX],
Message text cookie 0x[HEX], table id [STRING].
$1: Instance ID.
$2: Controller ID.
Variable fields $3: XID.
$4: Cookie of the flow entry.
$5: Table ID.
Severity level 5
OFP/5/OFP_FLOW_DEL: Openflow instance 1 controller 0: delete flow entry,
Example xid 0x1, cookie 0x0, table id 0.
A list of flow entries are to be deleted, according to a flow table modification
Explanation message that has passed the packet check.
Recommended No action is required.
action

OFP_FLOW_DEL_TABLE_MISS
Openflow instance [UINT16] controller [CHAR]: delete table miss flow entry, xid
Message text 0x[HEX], cookie 0x[HEX], table id [STRING].
$1: Instance ID.
$2: Controller ID.
Variable fields $3: XID.
$4: Cookie of the flow entry.
$5: Table ID.
Severity level 5
OFP/5/OFP_FLOW_DEL_TABLE_MISS: Openflow instance 1 controller 0:
Example delete table miss flow entry, xid 0x1, cookie 0x0, table id 0.
A list of table-misses flow entries are to be deleted, according to a flow table
Explanation modification message that has passed the packet check.
Recommended No action is required.
action

467
Security level: Secret

OFP_FLOW_DEL_TABLE_MISS_FAILED
Openflow instance [UINT16] controller [CHAR]: failed to delete table miss flow
Message text entry, table id [STRING].
$1: Instance ID.
Variable fields $2: Controller ID.
$3: Table ID.
Severity level 4
OFP/4/OFP_FLOW_DEL_TABLE_MISS_FAILED: Openflow instance 1
Example controller 0: failed to delete table miss flow entry, table id 0.
Explanation Failed to delete a table-miss flow entry.
Recommended No action is required.
action

OFP_FLOW_MOD
Openflow instance [UINT16] controller [CHAR]: modify flow entry, xid 0x[HEX],
Message text cookie 0x[HEX], table id [CHAR].
$1: Instance ID.
$2: Controller ID.
Variable fields $3: XID.
$4: Cookie of the flow entry.
$5: Table ID.
Severity level 5
OFP/5/OFP_FLOW_MOD: Openflow instance 1 controller 0: modify flow entry,
Example xid 0x1, cookie 0x0, table id 0.
A list of flow entries are to be modified, according to a flow table modification
Explanation message that has passed the packet check.
Recommended No action is required.
action

OFP_FLOW_MOD_FAILED
Openflow instance [UINT16] controller [CHAR]: failed to modify flow entry, table
Message text id [CHAR].
$1: Instance ID.
Variable fields $2: Controller ID.
$3: Table ID.
Severity level 4
OFP/4/OFP_FLOW_MOD_FAILED: Openflow instance 1 controller 0: failed to
Example modify flow entry, table id 0.
Explanation Failed to modify a flow entry.
Recommended The controller must retry to modify the flow entry. If the flow entry still cannot be
action modified, the controller will delete it.

468
Security level: Secret

OFP_FLOW_MOD_TABLE_MISS
Openflow instance [UINT16] controller [CHAR]: modify table miss flow entry, xid
Message text 0x[HEX], cookie 0x[HEX], table id [CHAR].
$1: Instance ID.
$2: Controller ID.
Variable fields $3: XID.
$4: Cookie of the flow entry.
$5: Table ID.
Severity level 5
OFP/5/OFP_FLOW_MOD_TABLE_MISS: Openflow instance 1 controller 0:
Example modify table miss flow entry, xid 0x1, cookie 0x0, table id 0.
A list of flow entries are to be modified, according to a flow table modification
Explanation message that has passed the packet check.
Recommended No action is required.
action

OFP_FLOW_MOD_TABLE_MISS_FAILED
Openflow instance [UINT16] controller [CHAR]: failed to modify table miss flow
Message text entry, table id [CHAR].
$1: Instance ID.
Variable fields $2: Controller ID.
$3: Table ID.
Severity level 4
OFP/4/OFP_FLOW_MOD_TABLE_MISS_FAILED: Openflow instance 1
Example controller 0: failed to modify table miss flow entry, table id 0.
Explanation Failed to modify a table-miss flow entry.
Recommended The controller must retry to modify the table-miss flow entry. If the entry still
action cannot be modified, the controller will delete it.

OFP_FLOW_RMV_GROUP
The flow entry [UINT32] in table [CHAR] of instance [UINT16] was deleted with
Message text a group_mod message.
$1: Rule ID.
Variable fields $2: Table ID.
$3: Instance ID.
Severity level 5
OFP/5/OFP_FLOW_RMV_GROUP: The flow entry 1 in table 0 of instance 1
Example was deleted with a group_mod message.
Explanation A flow entry was deleted due to a group modification message.
Recommended No action is required.
action

469
Security level: Secret

OFP_FLOW_RMV_HARDTIME
The flow entry [UINT32] in table [CHAR] of instance [UINT16] was deleted
Message text because of a hard-time expiration.
$1: Rule ID.
Variable fields $2: Table ID.
$3: Instance ID.
Severity level 5
OFP/5/OFP_FLOW_RMV_HARDTIME: The flow entry 1 in table 0 of instance 1
Example was deleted because of a hard-time expiration.
Explanation A flow entry was deleted because of a hard time expiration.
Recommended No action is required.
action

OFP_FLOW_RMV_IDLETIME
The flow entry [UINT32] in table [CHAR] of instance [UINT16] was deleted
Message text because of an idle-time expiration.
$1: Rule ID.
Variable fields $2: Table ID.
$3: Instance ID.
Severity level 5
OFP/5/OFP_FLOW_RMV_IDLETIME: The flow entry 1 in table 0 of instance 1
Example was deleted because of an idle-time expiration.
Explanation A flow entry was deleted because of an idle time expiration.
Recommended No action is required.
action

OFP_FLOW_RMV_METER
The flow entry [UINT32] in table [CHAR] of instance [UINT16] was deleted with
Message text a meter_mod message.
$1: Rule ID.
Variable fields $2: Table ID.
$3: Instance ID.
Severity level 5
OFP/5/OFP_FLOW_RMV_GROUP: The flow entry 1 in table 0 of instance1
Example was deleted with a meter_mod message.
Explanation A flow entry was deleted due to a meter modification message.
Recommended No action is required.
action

470
Security level: Secret

OFP_GROUP_ADD
Openflow instance [UINT16] controller [CHAR]: add group [STRING], xid
Message text 0x[HEX].
$1: Instance ID.
$2: Controller ID.
Variable fields
$3: Group ID.
$4: XID.
Severity level 5
OFP/5/OFP_GROUP_ADD: Openflow instance 1 controller 0: add group 1, xid
Example 0x1.
A group entry is to be added to a group table, according to a group table
Explanation modification message that has passed the packet check.
Recommended No action is required.
action

OFP_GROUP_ADD_FAILED
Message text Openflow instance [UINT16] controller [CHAR]: failed to add group [STRING].
$1: Instance ID.
Variable fields $2: Controller ID.
$3: Group ID.
Severity level 4
OFP/4/OFP_GROUP_ADD_FAILED: Openflow Instance 1 controller 0: failed to
Example add group 1.
Explanation Failed to add a group entry.
Recommended No action is required.
action

OFP_GROUP_DEL
Openflow instance [UINT16] controller [CHAR]: delete group [STRING], xid
Message text [HEX].
$1: Instance ID.
$2: Controller ID.
Variable fields
$3: Group ID.
$4: XID.
Severity level 5
OFP/5/OFP_GROUP_DEL: Openflow instance 1 controller 0: delete group 1,
Example xid 0x1.
A group entry is to be deleted, according to a group table modification message
Explanation that has passed the packet check.
Recommended No action is required.
action

471
Security level: Secret

OFP_GROUP_MOD
Openflow instance [UINT16] controller [CHAR]: modify group [STRING], xid
Message text 0x[HEX].
$1: Instance ID.
$2: Controller ID.
Variable fields
$3: Group ID.
$4: XID.
Severity level 5
OFP/5/OFP_GROUP_MOD: Openflow instance 1 controller 0: modify group 1,
Example xid 0x1.
A group entry is to be modified, according to a group table modification
Explanation message that has passed the packet check.
Recommended No action is required.
action

OFP_GROUP_MOD_FAILED
Openflow instance [UINT16] controller [CHAR]: failed to modify group
Message text [STRING].
$1: Instance ID.
Variable fields $2: Controller ID.
$3: Group ID.
Severity level 4
OFP/4/OFP_GROUP_MOD_FAILED: Openflow instance 1 controller 0: failed
Example to modify group 1.
Explanation Failed to modify a group entry.
Recommended The controller must retry to modify the group. If the group still cannot be
action modified, the controller will delete it.

OFP_METER_ADD
Openflow instance [UINT16] controller [CHAR]: add meter [STRING], xid
Message text 0x[HEX].
$1: Instance ID.
$2: Controller ID.
Variable fields
$3: Meter ID.
$4: XID.
Severity level 5
OFP/5/OFP_METER_ADD: Openflow instance 1 controller 0: add meter 1, xid
Example 0x1.
Explanation A meter entry is to be added to a meter table.
Recommended No action is required.
action

472
Security level: Secret

OFP_METER_ADD_FAILED
Message text Openflow instance [UINT16] controller [CHAR]: failed to add meter [STRING].
$1: Instance ID.
Variable fields $2: Controller ID.
$3: Meter ID.
Severity level 4
OFP/4/OFP_METER_ADD_FAILED: Openflow Instance 1 controller 0: failed to
Example add meter 1.
Explanation Failed to add a meter entry.
Recommended No action is required.
action

OFP_METER_DEL
Openflow instance [UINT16] controller [CHAR]: delete meter [STRING], xid
Message text 0x[HEX].
$1: Instance ID.
$2: Controller ID.
Variable fields
$3: Meter ID.
$4: XID.
Severity level 5
OFP/5/OFP_METER_DEL: Openflow instance 1 controller 0: delete meter 1,
Example xid 0x1.
A meter entry is to be deleted, according to a meter table modification message
Explanation that has passed the packet check.
Recommended No action is required.
action

OFP_METER_MOD
Openflow instance [UINT16] controller [CHAR]: modify meter [STRING], xid
Message text 0x[HEX].
$1: Instance ID.
$2: Controller ID.
Variable fields
$3: Meter ID.
$4: XID.
Severity level 5
OFP/5/OFP_METER_MOD: Openflow Instance 1 controller 0: modify meter 1,
Example xid 0x1.
A meter entry is to be modified, according to a meter table modification
Explanation message that has passed the packet check.
Recommended No action is required.
action

473
Security level: Secret

OFP_METER_MOD_FAILED
Openflow instance [UINT16] controller [CHAR]: failed to modify meter
Message text [STRING].
$1: Instance ID.
Variable fields $2: Controller ID.
$3: Meter ID.
Severity level 4
OFP/4/OFP_METER_MOD_FAILED: Openflow instance 1 controller 0: failed to
Example modify meter 1.
Explanation Failed to modify a meter entry.
Recommended The controller must retry to modify the meter entry. If the meter entry still cannot
action be modified, the controller will delete it.

OFP_MISS_RMV_GROUP
The table-miss flow entry in table [CHAR] of instance [UINT16] was deleted with
Message text a group_mod message.
$1: Table ID.
Variable fields
$2: Instance ID.
Severity level 5
OFP/5/OFP_MISS_RMV_GROUP: The table-miss flow entry in table 0 of
Example instance 1 was deleted with a group_mod message.
Explanation The table-miss flow entry was deleted due to a group modification message.
Recommended No action is required.
action

OFP_MISS_RMV_HARDTIME
The table-miss flow entry in table [CHAR] of instance [UINT16] was deleted
Message text because of a hard-time expiration.
$1: Table ID.
Variable fields
$2: Instance ID.
Severity level 5
OFP/5/OFP_MISS_RMV_HARDTIME: The table-miss flow entry in table 0 of
Example instance 1 was deleted because of a hard-time expiration.
Explanation The table-miss flow entry was deleted because of a hard time expiration.
Recommended No action is required.
action

474
Security level: Secret

OFP_MISS_RMV_IDLETIME
The table-miss flow entry in table [CHAR] of instance [UINT16] was deleted
Message text because of an idle-time expiration.
$1: Table ID.
Variable fields
$2: Instance ID.
Severity level 5
OFP/5/OFP_MISS_RMV_IDLETIME: The table-miss flow entry in table 0 of
Example instance 1 was deleted because of an idle-time expiration.
Explanation The table-miss flow entry was deleted because of an idle time expiration.
Recommended No action is required.
action

OFP_MISS_RMV_METER
The table-miss flow entry in table [CHAR] of instance [UINT16] was deleted with
Message text a meter_mod message.
$1: Table ID.
Variable fields
$2: Instance ID.
Severity level 5
OFP/5/OFP_MISS_RMV_METER: The table-miss flow entry in table 0 of
Example instance 1 was deleted with a meter_mod message.
Explanation The table-miss flow entry was deleted due to a meter modification message.
Recommended No action is required.
action

475
Security level: Secret

OPENSRC (FreeRADIUS) messages


This section contains FreeRADIUS system log messages.

HUP event
Message text [DATE] [TIME] radiusd[UINT32]: [STRING]
$1: Date in month abbreviation and day format.
$2: Time in hh:mm:ss format.
Variable fields
$3: FreeRADIUS process ID.
$4: HUP event description, as listed in Table 6.
Severity level 6
Example OPENSRC/6/SYSLOG: Jan 1 01:14:04 radiusd[427]: Received HUP sign
A HUP signal was received and the user configuration was reloaded for
authentication, including the user name, password, authorization VLAN,
Explanation authorization ACL, and user validity period. The HUP signal could be ignored if it
arrived in less than 5 seconds since the last signal reception.
Recommended For the recommended action for each event, see Table 6.
action

Table 6 HUP events

HUP event Explanation Recommended action


Received HUP sign A HUP signal was received. No action is required.
The module configuration file was
Module: Reloaded module "files" No action is required.
reloaded.
A HUP signal was received and
HUP - Files loaded by a module
the configuration file was No action is required.
have changed.
reloaded.

The HUP signal was ignored To immediately activate the new


Ignoring HUP (less than 5s since because it was less than 5 user configuration, use the
last one) seconds since the last signal radius-server activate
reception. command.

476
Security level: Secret

Process restart event


Message text [DATE] [TIME] radiusd[UINT32]: [STRING]
$1: Date in month abbreviation and day format.
$2: Time in hh:mm:ss format.
Variable fields
$3: FreeRADIUS process ID.
$4: Process restart event description, as listed in Table 7.
Severity level 6
Example OPENSRC/6/SYSLOG: Jan 1 02:00:02 radiusd[427]: Signalled to terminate
Explanation The current process was terminated and restarted.
Recommended No action is required.
action

Table 7 Process restart events

Process restart event Explanation


Signalled to terminate A process termination signal was received.
Exiting normally The process was closed.
Debugger not attached Debugging was disabled for the process.
Loaded virtual server <default> The virtual server was loaded.
Loaded virtual server inner-tunnel The inner tunnel of the virtual server was loaded.
The default configuration of the virtual server was
Loaded virtual server default
loaded.
Ready to process requests Ready to process authentication packets.

Process start event


Message text [DATE] [TIME] radiusd[UINT32]: [STRING]
$1: Date in month abbreviation and day format.
$2: Time in hh:mm:ss format.
Variable fields
$3: FreeRADIUS process ID.
$4: Process restart event description, as listed in Table 8.
Severity level 4
OPENSRC/4/SYSLOG: Jan 1 02:00:03 radiusd[460]:
Example [//etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
Explanation The system loaded default filter options when the process started.
Recommended No action is required.
action

Table 8 Process start events

Process start event Explanation


11 Check item "FreeRADIUS-Response-Delay" The default filter option

477
Security level: Secret

Process start event Explanation


found in filter list for realm "DEFAULT". FreeRADIUS-Response-Delay was checked in the
specified file.

The default filter option


11 Check item "FreeRADIUS-Response-Delay-USec"
FreeRADIUS-Response-Delay-USec was checked
found in filter list for realm "DEFAULT".
in the specified file.
Ignoring "sql" (see
SQL was ignored.
raddb/mods-available/README.rst)
Ignoring "ldap" (see
LDAP was ignored.
raddb/mods-available/README.rst)

User authentication
[DATE] [TIME] radiusd[UINT32]: ([UINT32]) [STRING]: [[STRING]] (from client
Message text [IPADDR] port [UINT32] cli [MAC])
$1: Date in month abbreviation and day format.
$2: Time in hh:mm:ss format.
$3: FreeRADIUS process ID.
$4: Log ID.
Variable fields $5: Authentication result.
$6: User name.
$7: RADIUS client IP address.
$8: RADIUS client port number.
$9: User's MAC address.
Severity level 5
OPENSRC/5/SYSLOG: Jan 1 02:06:15 radiusd[460]: (0) Login OK: [test] (from
Example client 7.7.7.7 port 33591297 cli 00-00-00-00-00-02)
Explanation User authentication succeeded.
Recommended For the recommended action for each authentication result, see Table 9.
action

Table 9 Authentication results

Authentication result Explanation Recommended action


• If user authentication succeeded,
no action is required.
• If user authentication failed, verify
that the RADIUS client and server
Authentication succeeded or use the same shared key.
Login OK shared key mismatch To set the shared key for the client,
occurred. use the primary authentication
command.
To set the shared key for the server,
use the radius-server client ip
command.
Login incorrect (pap: Cleartext
Incorrect password for PAP
password does not match Provide the correct user password.
authentication.
"known good" password)

Login incorrect (chap: Incorrect password for CHAP


Provide the correct user password.
Password comparison failed: authentication.

478
Security level: Secret

Authentication result Explanation Recommended action


password is incorrect)
• If the user is unauthorized and
should be ignored, no action is
required.
• If the user is new and should be
authenticated, create a local user
account for it by using the
User name mismatch occurred local-user command.
Login incorrect (No Auth-Type during PAP authentication, or
found: rejecting the user via the EAP authentication type • If a configuration error has
Post-Auth-Type = Reject) was specified for an 802.1X occurred, modify the authentication
user. type. For example, check the
authentication type of 802.1X users
by using the display dot1x
command, and then modify the
authentication type by using the
authentication-method
command.
• If the user is unauthorized and
should be ignored, no action is
Login incorrect (chap: required.
User name mismatch occurred
&control:Cleartext-Password is
during CHAP authentication. • If the user is new and should be
required for authentication) authenticated, create a local user
account for it by using the
local-user command.
• To ignore the expired user, no
action is required.
Invalid user (expiration:
• To extend the validity, modify the
Account expired at 'Jan 1 2013 The user had expired.
02:19:00 UTC') expiration period of the local user
by using the validity-datetime
command.

[DATE] [TIME] radiusd[UINT32]: ([UINT32]) Login incorrect (No Auth-Type


Message text found: rejecting the user via Post-Auth-Type = Reject): [[STRING]] (from client
[IPADDR] port [UINT32])
$1: Date in month abbreviation and day format.
$2: Time in hh:mm:ss format.
$3: FreeRADIUS process ID.
Variable fields $4: Log ID.
$5: User name.
$6: RADIUS client IP address.
$7: RADIUS client port number.
Severity level 5
OPENSRC/5/SYSLOG: Jan 1 02:21:20 radiusd[460]: (16) Login incorrect (No
Example Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [ddd] (from
client 7.7.7.7 port 0)
Explanation Authentication requests of login users were not supported.
Recommended No action is required.
action

479
Security level: Secret

[DATE] [TIME] radiusd[UINT32]: Ignoring request to auth address * port 1812


Message text bound to server default from unknown client [IPADDR] port [UINT32] proto udp
$1: Date in month abbreviation and day format.
$2: Time in hh:mm:ss format.
Variable fields $3: FreeRADIUS process ID.
$4: RADIUS client IP address.
$5: RADIUS client port number.
Severity level 3
OPENSRC/3/SYSLOG: Jan 1 02:31:05 radiusd[548]: Ignoring request to auth
Example address * port 1812 bound to server default from unknown client 7.7.7.7 port
11969 proto udp
Explanation The authentication request was sent from an unknown client and was ignored.
• If the client cannot be trusted, no action is required.
Recommended
• If the client is new and safe, add the RADIUS client configuration by using
action the radius-server client command.

480
Security level: Secret

OPTMOD messages
This section contains transceiver module messages.

BIAS_HIGH
Message text [STRING]: Bias current is high.

Variable fields $1: Interface type and number.

Severity level 2

Example OPTMOD/2/BIAS_HIGH: GigabitEthernet1/0/13: Bias current is high.

Explanation The bias current of the transceiver module exceeded the high threshold.
1. Execute the display transceiver diagnosis interface command to verify
that the bias current of the transceiver module has exceeded the high
threshold.
Recommended 2. Execute the display transceiver alarm interface command to verify that
action a high bias current alarm for the transceiver module has been generated
and not cleared.
3. Replace the transceiver module.

BIAS_LOW
Message text [STRING]: Bias current is low.

Variable fields $1: Interface type and number.

Severity level 5

Example OPTMOD/5/BIAS_LOW: GigabitEthernet1/0/13: Bias current is low.

Explanation The bias current of the transceiver module went below the low threshold.
1. Execute the display transceiver diagnosis interface command to verify
that the bias current of the transceiver module is below the low threshold.
Recommended 2. Execute the display transceiver alarm interface command to verify that
action a low bias current alarm for the transceiver module has been generated
and not cleared.
3. Replace the transceiver module.

481
Security level: Secret

BIAS_NORMAL
Message text [STRING]: Bias current is normal.

Variable fields $1: Interface type and number.

Severity level 5

Example OPTMOD/5/BIAS_NORMAL: GigabitEthernet1/0/13: Bias current is normal.

Explanation The bias current of the transceiver module returned to the acceptable range.

Recommended No action is required.


action

CFG_ERR
Message text [STRING]: Transceiver type and port configuration mismatched.

Variable fields $1: Interface type and number.

Severity level 3
OPTMOD/3/CFG_ERR: GigabitEthernet1/0/13: Transceiver type and port
Example configuration mismatched.

Explanation The transceiver module type does not match the port configurations.
Check for the transceiver module type and the current port configurations. If
Recommended they mismatch, replace the transceiver module or update the port
action configurations.

CHKSUM_ERR
Message text [STRING]: Transceiver information checksum error.

Variable fields $1: Interface type and number.

Severity level 5
OPTMOD/5/CHKSUM_ERR: GigabitEthernet1/0/13: Transceiver information
Example checksum error .
Checksum verification on the register information on the transceiver module
Explanation failed.

Recommended Replace the transceiver module, or contact Hewlett Packard Enterprise


action Support.

482
Security level: Secret

FIBER_SFP MODULE_INVALID
[STRING]: This transceiver module is not compatible with the interface card. HP
does not guarantee the correct operation of the transceiver module. The
Message text transceiver module will be invalidated in [UINT32] days. Please replace it with a
compatible one as soon as possible.

$1: Interface type and number.


Variable fields
$2: Number of days that the transceiver module will be invalid.

Severity level 4
OPTMOD/4/FIBER_SFPMODULE_INVALID: GigabitEthernet1/0/13: This
transceiver module is not compatible with the interface card. HP does not
Example guarantee the correct operation of the transceiver module. The transceiver
module will be invalidated in 3 days. Please replace it with a compatible one as
soon as possible.

Explanation The transceiver module is not compatible with the interface card.

Recommended Replace the transceiver module.


action

FIBER_SFPMODULE_NOWINVALID
[STRING]: This is not a supported transceiver for this platform. HP does not
guarantee the normal operation or maintenance of unsupported transceivers.
Message text Please review the platform datasheet on the HP web site or contact your HP
sales rep for a list of supported transceivers.

Variable fields $1: Interface type and number.

Severity level 4
OPTMOD/4/FIBER_SFPMODULE_NOWINVALID: GigabitEthernet1/0/13: This
is not a supported transceiver for this platform. HP does not guarantee the normal
Example operation or maintenance of unsupported transceivers. Please review the
platform datasheet on the HP web site or contact your HP sales rep for a list of
supported transceivers.

Explanation The system does not support the transceiver module.

Recommended Replace the transceiver module.


action

483
Security level: Secret

IO_ERR
Message text [STRING]: The transceiver information I/O failed.

Variable fields $1: Interface type and number.

Severity level 5
OPTMOD/5/IO_ERR: GigabitEthernet1/0/13: The transceiver information I/O
Example failed.

Explanation The device failed to access the register information of the transceiver module.
Execute the display transceiver diagnosis interface and display
Recommended transceiver alarm interface commands. If both commands fail to be executed,
action the transceiver module is faulty. Replace the transceiver module.

MOD_ALM_OFF
Message text [STRING]: [STRING] was removed.
$1: Interface type and number.
Variable fields
$2: Fault type.

Severity level 5
OPTMOD/5/MOD_ALM_OFF: GigabitEthernet1/0/13: Module_not_ready was
Example removed..

Explanation A fault was removed from the transceiver module.

Recommended No action is required.


action

MOD_ALM_ON
Message text [STRING]: [STRING] was detected.
$1: Interface type and number.
Variable fields
$2: Fault type.

Severity level 5
OPTMOD/5/MOD_ALM_ON: GigabitEthernet1/0/13: Module_not_ready
Example wasdetected.

Explanation A fault was detected on the transceiver module.


1. Execute the display transceive alarm interface command to verify that a
Recommended corresponding alarm for the fault has been generated and not cleared.
action 2. Replace the transceiver module.

484
Security level: Secret

MODULE_IN
Message text [STRING]: The transceiver is [STRING].
$1: Interface type and number.
Variable fields
$2: Type of the transceiver module.

Severity level 4
OPTMOD/4/MODULE_IN: GigabitEthernet1/0/13: The transceiver is
Example 1000_BASE_T_AN_SFP.
When a transceiver module is inserted, the OPTMOD module generates the
Explanation message to display the transceiver module type.

Recommended No action is required.


action

MODULE_OUT
Message text [STRING]: Transceiver absent.

Variable fields $1: Interface type and number.

Severity level 4

Example OPTMOD/4/MODULE_OUT: GigabitEthernet1/0/13: The transceiver is absent.

Explanation The transceiver module was removed.

Recommended No action is required.


action

PHONY_MODULE
[STRING]: This transceiver is not sold by Hewlett Packard Enterprise. Hewlett
Message text Packard Enterprise does not guarantee the correct operation of the module or
assume maintenance responsibility.

Variable fields $1: Interface type and number.

Severity level 4
OPTMOD/4/PHONY_MODULE: GigabitEthernet1/0/13: This transceiver is not
sold by Hewlett Packard Enterprise. Hewlett Packard Enterprise does not
Example guarantee the correct operation of the module or assume maintenance
responsibility.

Explanation The transceiver module is not sold by Hewlett Packard Enterprise.

Recommended Replace the transceiver module.


action

485
Security level: Secret

RX_ALM_OFF
Message text STRING]: [STRING] was removed.
$1: Interface type and number.
Variable fields
$2: RX fault type.

Severity level 5
OPTMOD/5/RX_ALM_OFF: GigabitEthernet1/0/13: RX_not_ready was
Example removed.

Explanation An RX fault was removed from the transceiver module.

Recommended No action is required.


action

RX_ALM_ON
Message text [STRING]: [STRING] was detected.
$1: Interface type and number.
Variable fields
$2: RX fault type.

Severity level 5
OPTMOD/5/RX_ALM_ON: GigabitEthernet1/0/13: RX_not_ready was
Example detected.

Explanation An RX fault was detected on the transceiver module.


1. Execute the display transceiver alarm interface command to verify that
Recommended a corresponding alarm for the fault has been generated and not cleared.
action 2. Replace the transceiver module.

RX_POW_HIGH
Message text [STRING]: RX power is high.

Variable fields $1: Interface type and number.

Severity level 5

Example OPTMOD/5/RX_POW_HIGH: GigabitEthernet1/0/13: RX power is high.

Explanation The RX power of the transceiver module exceeded the high threshold.
1. Execute the display transceiver diagnosis interface command to verify
that the RX power of the transceiver module has exceeded the high
threshold.
Recommended 2. Execute the display transceiver alarm interface command to verify that
action a high RX power alarm for the transceiver module has been generated
and not cleared.
3. Replace the transceiver module.

486
Security level: Secret

RX_POW_LOW
Message text [STRING]: RX power is low.

Variable fields $1: Interface type and number.

Severity level 5

Example OPTMOD/5/RX_POW_LOW: GigabitEthernet1/0/13: RX power is low.

Explanation The RX power of the transceiver module went below the low threshold.
1. Execute the display transceiver diagnosis interface command to verify
that the RX power of the transceiver module is below the low threshold.
Recommended 2. Execute the display transceiver alarm interface command to verify that
action a low RX power alarm for the transceiver module has been generated and
not cleared.
3. Replace the transceiver module.

RX_POW_NORMAL
Message text [STRING]: RX power is normal.

Variable fields $1: Interface type and number.

Severity level 5

Example OPTMOD/5/RX_POW_NORMAL: GigabitEthernet1/0/13: RX power is normal.

Explanation The RX power of the transceiver module returned to the acceptable range.

Recommended No action is required.


action

TEMP_HIGH
Message text [STRING]: Temperature is high.

Variable fields $1: Interface type and number

Severity level 5

Example OPTMOD/5/TEMP_HIGH: GigabitEthernet1/0/13: Temperature is high.

Explanation The temperature of the transceiver module exceeded the high threshold.
1. Verify that the fan trays are operating correctly.
 If there are no fan trays, install fan trays.
Recommended  If the fan trays fail, replace the fan trays.
action 2. Verify that the ambient temperature is in the acceptable range. If it is out of
the acceptable range, take measures to lower the temperature.
3. Replace the transceiver module.

487
Security level: Secret

TEMP_LOW
Message text [STRING]: Temperature is low.

Variable fields $1: Interface type and number.

Severity level 5

Example OPTMOD/5/TEMP_LOW: GigabitEthernet1/0/13: Temperature is low.

Explanation The temperature of the transceiver module went below the low threshold.
1. Verify that the ambient temperature is in the acceptable range. If it is out of
Recommended the acceptable range, take measures to raise the temperature.
action 2. Replace the transceiver module.

TEMP_NORMAL
Message text [STRING]: Temperature is normal.

Variable fields $1: Interface type and number.

Severity level 5

Example OPTMOD/5/TEMP_NORMAL: GigabitEthernet1/0/13: Temperature is normal.

Explanation The temperature of the transceiver module returned to the acceptable range.

Recommended No action is required.


action

TX_ALM_OFF
Message text [STRING]: [STRING] was removed.
$1: Interface type and number.
Variable fields
$2: TX fault type.

Severity level 5

Example OPTMOD/5/TX_ALM_OFF: GigabitEthernet1/0/13: TX_fault was removed.

Explanation A TX fault was removed from the transceiver module.

Recommended No action is required.


action

488
Security level: Secret

TX_ALM_ON
Message text [STRING]: [STRING] was detected.
$1: Interface type and number.
Variable fields
$2: TX fault type.

Severity level 5

Example OPTMOD/5/TX_ALM_ON: GigabitEthernet1/0/13: TX_fault was detected.

Explanation A TX fault was detected on the transceiver module.


1. Execute the display transceiver alarm interface command to verify that
Recommended a corresponding alarm for the fault has been generated and not cleared.
action 2. Replace the transceiver module.

TX_POW_HIGH
Message text [STRING]: TX power is high.

Variable fields $1: Interface type and number.

Severity level 2

Example OPTMOD/2/TX_POW_HIGH: GigabitEthernet1/0/13: TX power is high.

Explanation The TX power of the transceiver module exceeded the high threshold.
1. Execute the display transceiver diagnosis interface command to verify
that the TX power of the transceiver module has exceeded the high
threshold.
Recommended 2. Execute the display transceiver alarm interface command to verify that
action a high TX power alarm for the transceiver module has been generated and
not cleared.
3. Replace the transceiver module.

TX_POW_LOW
Message text [STRING]: TX power is low.

Variable fields $1: Interface type and number.

Severity level 5

Example OPTMOD/5/TX_POW_LOW: GigabitEthernet1/0/13: TX power is low.

Explanation The TX power of the transceiver module went below the low threshold.
1. Execute the display transceiver diagnosis interface command to verify
that the TX power of the transceiver module is below the low threshold.
Recommended 2. Execute the display transceiver alarm interface command to verify that
action a low TX power alarm for the transceiver module has been generated and
not cleared.
3. Replace the transceiver module.

489
Security level: Secret

TX_POW_NORMAL
Message text [STRING]: TX power is normal.

Variable fields $1: Interface type and number.

Severity level 5

Example OPTMOD/5/TX_POW_NORMAL: GigabitEthernet1/0/13: TX power is normal.

Explanation The TX power of the transceiver module returned to the acceptable range.

Recommended No action is required.


action

TYPE_ERR
Message text [STRING]: The transceiver type is not supported by port hardware.

Variable fields $1: Interface type and number.

Severity level 3
OPTMOD/3/TYPE_ERR: GigabitEthernet1/0/13: The transceiver type is not
Example supported by port hardware.

Explanation The transceiver module is not supported by the port.

Recommended Replace the transceiver module.


action

VOLT_HIGH
Message text [STRING]: Voltage is high.

Variable fields $1: Interface type and number

Severity level 5

Example OPTMOD/5/VOLT_HIGH: GigabitEthernet1/0/13: Voltage is high.

Explanation The voltage of the transceiver module exceeded the high threshold.
1. Execute the display transceiver diagnosis interface command to verify
that the voltage of the transceiver module has exceeded the high
threshold.
Recommended 2. Execute the display transceiver alarm interface command to verify that
action a high voltage alarm for the transceiver module has been generated and
not cleared.
3. Replace the transceiver module.

490
Security level: Secret

VOLT_LOW
Message text [STRING]: Voltage is low.

Variable fields $1: Interface type and number.

Severity level 5

Example OPTMOD/5/VOLT_LOW: GigabitEthernet1/0/13: Voltage is low.

Explanation The voltage of the transceiver module went below the low threshold.
1. Execute the display transceiver diagnosis interface command to verify
that the voltage of the transceiver module is below the low threshold.
Recommended 2. Execute the display transceiver alarm interface command to verify that
action a low voltage alarm for the transceiver module has been generated and
not cleared.
3. Replace the transceiver module.

VOLT_NORMAL
Message text [STRING]: Voltage is normal.

Variable fields $1: Interface type and number.

Severity level 5

Example OPTMOD/5/VOLT_NORMAL: GigabitEthernet1/0/13: Voltage is normal.

Explanation The voltage of the transceiver module returned to the acceptable range.

Recommended No action is required.


action

491
Security level: Secret

OSPF messages
This section contains OSPF messages.

OSPF_IP_CONFLICT_INTRA
OSPF [UINT16] Received newer self-originated network-LSAs. Possible
Message text conflict of IP address [IPADDR] in area [STRING] on interface [STRING].
$1: OSPF process ID.
$2: IP address.
Variable fields
$3: OSPF area ID.
$4: Interface name.

Severity level 6
OSPF/6/OSPF_IP_CONFLICT_INTRA: OSPF 1 Received newer
Example self-originated network-LSAs. Possible conflict of IP address 11.1.1.1 in area
0.0.0.1 on interface GigabitEthernet0/0/3.

The interfaces on two devices in the same OSPF area might have the same
Explanation primary IP address. At least one of the devices is a DR.

Modify IP address configuration after you make sure no router ID conflict


Recommended action occurs in the same OSPF area.

OSPF_RTRID_CONFLICT_INTRA
OSPF [UINT16] Received newer self-originated router-LSAs. Possible conflict
Message text of router ID [STRING] in area [STRING].
$1: OSPF process ID.
Variable fields $2: Router ID.
$3: OSPF area ID.

Severity level 6
OSPF/6/OSPF_RTRID_CONFLICT_INTRA: OSPF 1 Received newer
Example self-originated router-LSAs. Possible conflict of router ID 11.11.11.11 in area
0.0.0.1.
Two indirectly connected devices in the same OSPF area might have the same
Explanation router ID.
Modify the router ID on one device and use the reset ospf process command
Recommended action to make the new router ID take effect.

492
Security level: Secret

OSPF_RTRID_CONFLICT_INTER
OSPF [UINT16] Received newer self-originated ase-LSAs. Possible conflict of
Message text router ID [STRING].
$1: OSPF process ID.
Variable fields
$2: Router ID.

Severity level 6
OSPF/6/OSPF_RTRID_CONFILICT_INTER: OSPF 1 Received newer
Example self-originated ase-LSAs. Possible conflict of router ID 11.11.11.11.
Two indirectly connected devices in the same OSPF area might have the same
Explanation router ID. One of the devices is an ASBR.
Modify the router ID on one device and use the reset ospf process command
Recommended action to make the new router ID take effect.

OSPF_DUP_RTRID_NBR
OSPF [UINT16] Duplicate router ID [STRING] on interface [STRING], sourced
Message text from IP address [IPADDR].

$1: OSPF process ID.


$2: Router ID.
Variable fields
$3: Interface name.
$4: IP address.

Severity level 6
OSPF/6/OSPF_DUP_RTRID_NBR: OSPF 1 Duplicate router ID 11.11.11.11
Example on interface GigabitEthernet0/0/3, sourced from IP address 11.2.2.2.

Explanation Two directly connected devices were configured with the same router ID.
Modify the router ID on one device and use the reset ospf process command
Recommended action to make the new router ID take effect.

493
Security level: Secret

OSPF_LAST_NBR_DOWN
OSPF [UINT32] Last neighbor down event: Router ID: [STRING] Local address:
Message text [STRING] Remote address: [STRING] Reason: [STRING]
$1: OSPF process ID.
$2: Router ID.
Variable fields $3: Local IP address.
$4: Neighbor IP address.
$5: Reason.

Severity level 6
OSPF/6/OSPF_LAST_NBR_DOWN: OSPF 1 Last neighbor down event:
Example Router ID: 2.2.2.2 Local address: 10.1.1.1 Remote address: 10.1.1.2 Reason:
Dead Interval timer expired.
The device records the OSPF neighbor down event caused by a specific
Explanation reason.
• When a down event occurred because of configuration changes (for
example, interface parameter changes), check for the configuration errors.
• When a down event occurred because of dead interval expiration, check
Recommended for the dead interval configuration error and loss of network connectivity.
action • When a down event occurred because of BFD session down, check for the
BFD detection time configuration error and loss of network connectivity.
• When a down event occurred because of interface status changes, check
for loss of network connectivity.

OSPF_MEM_ALERT
Message text OSPF Process received system memory alert [STRING] event.

Variable fields $1: Type of the memory alarm.

Severity level 5
OSPF/5/OSPF_MEM_ALERT: OSPF Process received system memory alert
Example start event.

Explanation OSPF received a memory alarm.

Recommended Check the system memory and release memory for the modules that occupy too
action many memory resources.

494
Security level: Secret

OSPF_NBR_CHG
OSPF [UINT32] Neighbor [STRING] ([STRING]) changed from [STRING] to
Message text [STRING]
$1: OSPF process ID.
$2: Neighbor router ID.
Variable fields $3: Interface name.
$4: Old adjacency state.
$5: New adjacency state.

Severity level 5
OSPF/5/OSPF_NBR_CHG: OSPF 1 Neighbor 2.2.2.2 (Vlan-interface100)
Example changed from Full to Down.

Explanation The OSPF adjacency state changed on an interface.

Recommended When the adjacency with a neighbor changes from Full to another state on an
action interface, check for OSPF configuration errors and loss of network connectivity.

OSPF_RT_LMT
Message text OSPF [UINT32] route limit reached.

Variable fields $1: OSPF process ID.

Severity level 4

Example OSPF/4/OSPF_RT_LMT: OSPF 1 route limit reached.

Explanation The number of routes of an OSPF process reached the upper limit.

Recommended 1. Check for network attacks.


action 2. Reduce the number of routes.

OSPF_RTRID_CHG
OSPF [UINT32] New router ID elected, please restart OSPF if you want to make
Message text the new router ID take effect.

Variable fields $1: OSPF process ID.

Severity level 5
OSPF/5/OSPF_RTRID_CHG: OSPF 1 New router ID elected, please restart
Example OSPF if you want to make the new router ID take effect.

The OSPF router ID was changed because the user had changed the router ID
Explanation or the interface IP address used as the router ID had changed.

Recommended Use the reset ospf process command to make the new router ID take effect.
action

495
Security level: Secret

OSPF_VLINKID_CHG
Message text OSPF [UINT32] Router ID changed, reconfigure Vlink on peer

Variable fields $1: OSPF process ID.

Severity level 5
OSPF/5/OSPF_VLINKID_CHG:OSPF 1 Router ID changed, reconfigure Vlink
Example on peer

Explanation A new OSPF router ID takes effect.

Recommended Check and modify the virtual link configuration on the peer router to match the
action new router ID.

496
Security level: Secret

OSPFV3 messages
This section contains OSPFv3 messages.

OSPFV3_LAST_NBR_DOWN
OSPFv3 [UINT32] Last neighbor down event: Router ID: [STRING] Local
Message text interface ID: [UINT32] Remote interface ID: [UINT32] Reason: [STRING].
$1: OSPFv3 process ID.
$2: Router ID.
Variable fields $3: Local interface ID.
$4: Remote interface ID.
$5: Reason.

Severity level 6
OSPFV3/6/OSPFV3_LAST_NBR_DOWN: OSPFv3 1 Last neighbor down
Example event: Router ID: 2.2.2.2 Local interface ID: 1111 Remote interface ID: 2222
Reason: Dead Interval timer expired.
The device records the OSPFv3 neighbor down event caused by a specific
Explanation reason.
• When a down event occurred because of configuration changes (for
example, interface parameter changes), check for the configuration errors.
• When a down event occurred because of dead interval expiration, check
Recommended for the dead interval configuration error and loss of network connectivity.
action • When a down event occurred because of BFD session down, check for the
BFD detection time configuration error and loss of network connectivity.
• When a down event occurred because of interface status changes, check
for loss of network connectivity.

OSPFV3_MEM_ALERT
Message text OSPFV3 Process received system memory alert [STRING] event.

Variable fields $1: Type of the memory alarm.

Severity level 5
OSPFV3/5/OSPFV3_MEM_ALERT: OSPFV3 Process received system
Example memory alert start event.

Explanation OSPFv3 received a memory alarm.

Recommended Check the system memory and release memory for the modules that occupy too
action many memory resources.

497
Security level: Secret

OSPFV3_NBR_CHG
OSPFv3 [UINT32] Neighbor [STRING] ([STRING]) received [STRING] and its
Message text state from [STRING] to [STRING].
$1: Process ID.
$2: Neighbor router ID.
$3: Interface name.
Variable fields
$4: Neighbor event.
$5: Old adjacency state.
$6: New adjacency state.

Severity level 5
OSPFV3/5/OSPFV3_NBR_CHG: OSPFv3 1 Neighbor 2.2.2.2 (Vlan100)
Example received 1-Way and its state from Full to Init.

Explanation The OSPFv3 adjacency state changed on an interface.


When the adjacency with a neighbor changes from Full to another state on an
Recommended interface, check for OSPFv3 configuration errors and loss of network
action connectivity.

OSPFV3_RT_LMT
Message text OSPFv3 [UINT32] route limit reached.

Variable fields $1: Process ID.

Severity level 5

Example OSPFV3/5/OSPFV3_RT_LMT:OSPFv3 1 route limit reached.

Explanation The number of routes of an OSPFv3 process reached the upper limit.

Recommended 1. Check for network attacks.


action 2. Reduce the number of routes.

498
Packet capture messages
This section contains packet capture messages.

PKTCPT_AP_OFFLINE
Message text Failed to start packet capture. Reason: AP was offline.

Variable fields N/A


Severity level 6
PKTCPT/6/PKTCPT_AP_OFFLINE: Failed to start packet capture. Reason: AP
Example was offline.
Packet capture failed to start because the AP configured with packet capture
Explanation was offline.
1. Verify the AP configuration, and restart packet capture after the AP comes
Recommended online.
action 2. If the problem persists, contact Hewlett Packard Enterprise Support.

PKTCPT_AREADY_EXIT
Failed to start packet capture. Reason: The AP was uploading frames captured
Message text during the previous capturing operation.

Variable fields N/A


Severity level 6
PKTCPT/6/PKTCPT_AREADY_EXIT: Failed to start packet capture. Reason:
Example The AP was uploading frames captured during the previous capturing
operation.
When packet capture is stopped on the AC, the fit AP might be still uploading
Explanation the captured frames. This message is generated when the user restarted
packet capture at that time.
Recommended 1. Restart packet capture later.
action 2. If the problem persists, contact Hewlett Packard Enterprise Support.

499
PKTCPT_CONN_FAIL
Message text Failed to start packet capture. Reason: Failed to connect to the FTP server.

Variable fields N/A


Severity level 6
PKTCPT/6/PKTCPT_CONN_FAIL: Failed to start packet capture. Reason:
Example Failed to connect to the FTP server.
Packet capture failed to start because the device failed to be connected to the
Explanation FTP server in the same network segment.
1. Verify that the URL of the FTP server is valid.
Possible reasons for an invalid URL include the specified IP
address does not exist or is not the FTP server address, and
the specified FTP server port is disabled.
Recommended
2. Verify that the domain name resolution is successful.
action
3. Verify that the FTP server is reachable for the device configured with
packet capture.
4. Verify that the FTP server is online.
5. If the problem persists, contact Hewlett Packard Enterprise Support.

PKTCPT_INVALID_FILTER
Failed to start packet capture. Reason: Invalid expression for matching packets
Message text to be captured.

Variable fields N/A


Severity level 6
PKTCPT/6/PKTCPT_INVALD_FILTER: Failed to start packet capture. Reason:
Example Invalid expression for matching packets to be captured.
Explanation Packet capture failed to start because the capture filter expression was invalid.
Recommended 1. Correct the capture filter expression.
action 2. If the problem persists, contact Hewlett Packard Enterprise Support.

PKTCPT_LOGIN_DENIED
Message text Packet capture aborted. Reason: FTP server login failure.

Variable fields N/A


Severity level 6
PKTCPT/6/PKTCPT_LOGIN_DENIED: Packet capture aborted. Reason: FTP
Example server login failure.
Explanation Packet capture stopped because the user failed to log in to the FTP server.
Recommended 1. Verify the username and password.
action 2. If the problem persists, contact Hewlett Packard Enterprise Support.

500
PKTCPT_MEMORY_ALERT
Message text Packet capture aborted. Reason: Memory threshold reached.

Variable fields N/A


Severity level 6
PKTCPT/6/PKTCPT_MEMORY_ALERT: Packet capture aborted. Reason:
Example Memory threshold reached.
Explanation Packet capture stopped because the memory threshold was reached.
Recommended N/A
action

PKTCPT_OPEN_FAIL
Failed to start packet capture. Reason: File for storing captured frames not
Message text opened.

Variable fields N/A


Severity level 6
PKTCPT/6/PKTCPT_OPEN_FAIL: Failed to start packet capture. Reason: File
Example for storing captured frames not opened.
Packer capture failed to start because the file for storing the captured frames
Explanation cannot be opened.
1. Verify that the user has the write permission to the file.
If the user does not have the write permission, assign the
permission to the user.
Recommended 2. Verify that the specified file has been created and is not used by another
action feature.
If the file is used by another feature, use another file.
3. If the problem persists, contact Hewlett Packard Enterprise Support.

PKTCPT_OPERATION_TIMEOUT
Message text Failed to start or continue packet capture. Reason: Operation timed out.

Variable fields N/A


Severity level 6
PKTCPT/6/PKTCPT_OPERATION_TIMEOUT: Failed to start or continue
Example packet capture. Reason: Operation timed out.
This message is generated when one of the following situations occurs:
• Packet capture failed to start because the FTP server in a different network
Explanation segment is not reachable and the connection timed out.
• Packet capture stopped because the FTP server in a different network
segment is offline and uploading the captured frames timed out.
1. Verify that the FTP server is reachable.
Recommended 2. Verify that the FTP server is online.
action 3. If the problem persists, contact Hewlett Packard Enterprise Support.

501
PKTCPT_SERVICE_FAIL
Message text Failed to start packet capture. Reason: TCP or UDP port binding faults.

Variable fields N/A


Severity level 6
PKTCPT/6/PKTCPT_SERVICE_FAIL: Failed to start packet capture. Reason:
Example TCP or UDP port binding faults.
Packet capture failed to start because an error occurs during TCP or UDP port
Explanation binding.
1. Verify that Wireshark has been closed before you start packet capture.
If it is not closed, close Wireshark, and then restart packet
Recommended
capture.
action
2. Bind a new TCP or UDP port, and then restart packet capture.
3. If the problem persists, contact Hewlett Packard Enterprise Support.

PKTCPT_UNKNOWN_ERROR
Message text Failed to start or continue packet capture. Reason: Unknown error.

Variable fields N/A


Severity level 6
PKTCPT/6/PKTCPT_UNKNOWN_ERROR: Failed to start or continue the
Example packet capture. Reason: Unknown error.
Packet capture failed to start or packet capture stopped because of an unknown
Explanation error.
Recommended N/A
action

PKTCPT_UPLOAD_ERROR
Message text Packet capture aborted. Reason: Failed to upload captured frames.

Variable fields N/A


Severity level 6
PKTCPT/6/PKTCPT_UPLOAD_ERROR: Packet capture aborted. Reason:
Example Failed to upload captured frames.
Packet capture stopped because the capture failed to upload the captured
Explanation frames.
1. Verify that the FTP working directory is not changed.
2. Verify that the user has the write permission to the file on the FTP server.
3. Verify that the FTP server is online.
Recommended 4. Verify that the FTP server is reachable.
action 5. Verify that the FTP server has enough memory space.
6. Verify that the packet capture is not stopped during the upload of captured
frames.
7. If the problem persists, contact Hewlett Packard Enterprise Support.

502
PKTCPT_WRITE_FAIL
Message text Packet capture aborted. Reason: Not enough space to store captured frames.

Variable fields N/A


Severity level 6
PKTCPT/6/PKTCPT_WRITE_FAIL: Packet capture aborted. Reason: Not
Example enough space to store captured frames.
Packet capture stopped because the memory space is not enough for storing
Explanation captured frames.
Recommended 1. Delete unnecessary files to release the space.
action 2. If the problem persists, contact Hewlett Packard Enterprise Support.

503
Security level: Secret

PBB messages
This section contains PBB messages.

PBB_JOINAGG_WARNING
Because the aggregate interface [STRING] has been configured with PBB,
Message text assigning the interface [STRING] that does not support PBB to the aggregation
group will cause incorrect processing.

$1: Aggregation group name.


Variable fields
$2: Interface name.

Severity level 4
PBB/4/PBB_JOINAGG_WARNING: Because the aggregate interface
Bridge-Aggregation1 has been configured with PBB, assigning the interface
Example Ten-GigabitEthernet9/0/30 that does not support PBB to the aggregation group
will cause incorrect processing.
Assigning an interface that does not support PBB to an aggregation group that
Explanation has been configured with PBB will cause incorrect processing. If an aggregate
interface is a PBB uplink port, all its members should support PBB.

Recommended Remove the interface from the aggregation group.


action

504
Security level: Secret

PBR messages
This section contains PBR messages.

PBR_HARDWARE_ERROR
Message text Failed to update policy [STRING] due to [STRING].
$1: Policy name.
$2: Hardware error reasons:
• The hardware resources are insufficient.
Variable fields
• The system does not support the operation.
• The hardware resources are insufficient and the system does not support
the operation.

Severity level 4
PBR/4/PBR_HARDWARE_ERROR: Failed to update policy aaa due to
Example insufficient hardware resources and not supported operations.

Explanation The device failed to update PBR configuration.

Recommended Modify the PBR policy configuration according to the failure reason.
action

505
Security level: Secret

PCE messages
This section contains PCE messages.

PCE_PCEP_SESSION_CHG
Message text Session ([STRING], [STRING]) is [STRING].
$1: Peer address of the session.
$2: VPN instance name. Value unknown indicates that the VPN instance
cannot be obtained.
$3: State of the session, up or down. When the state is down, this field also
displays the reason for the down state error. Possible reasons include:
• TCP connection down.
• received a close message.
• reception of a malformed PCEP message.
Variable fields • internal error.
• memory in critical state.
• dead timer expired.
• process deactivated.
• remote peer unavailable/untriggered.
• reception of an unacceptable number of unrecognized PCEP messages.
• reception of an unacceptable number of unknown requests/replies.
• PCE address changed.
• initialization failed.
Severity level 5
PCE/5/PCE_PCEP_SESSION_CHG:
Session (22.22.22.2, public instance) is up.
Example
PCE/5/PCE_PCEP_SESSION_CHG:
Session (22.22.22.2, public instance) is down (dead timer expired).
Explanation The session state changed.
When the session state is up, no action is required.
Recommended
When the session state is down, verify the network and configuration according
action to the reason displayed.

506
PEX messages (IRF 3)
This section contains IRF 3 PEX messages.

PEX_ASSOCIATEID_MISMATCHING
The associated ID of PEX port [UNIT32] is [UNIT32] on the parent fabric, but the
Message text PEX connected to the port has obtained ID [UNIT32].
$1: PEX port ID.
$2: Virtual slot number configured on the parent fabric for a PEX. (Centralized
IRF devices.)
$2: Virtual chassis number configured on the parent fabric for a PEX.
Variable fields (Distributed devices in IRF mode.)
$3: Virtual slot number that the PEX has obtained. (Centralized IRF devices.)
$3: Virtual chassis number that the PEX has obtained. (Distributed devices in
IRF mode.)
Severity level 5
PEX/5/PEX_ASSOCIATEID_MISMATCHING: The associated ID of PEX port 1
Example is 100 on the parent fabric, but the PEX connected to the port has obtained ID
101.
The configured virtual slot number for a PEX is different from the virtual slot
number that the PEX has obtained. (Centralized IRF devices.)
Explanation
The configured virtual chassis number for a PEX is different from the virtual
chassis number that the PEX has obtained. (Distributed devices in IRF mode.)
Recommended Check the network connection.
action

507
PEX_CONFIG_ERROR
PEX port [UINT32] discarded a REGISTER request received from [STRING]
through interface [STRING]. Reason: The PEX was not assigned an ID, or the
Message text PEX was assigned an ID equal to or greater than the maximum value
([UINT32]).
$1: PEX port ID.
$2: PEX model.
$3: Name of a PEX physical interface.
Variable fields
$4: Maximum virtual slot number for PEX devices. (Centralized IRF devices.)
$4: Maximum virtual chassis number for PEX devices. (Distributed devices in
IRF mode.)
Severity level 4
PEX/4/PEX_CONFIG_ERROR: PEX port 1 discarded a REGISTER request
received from PEX-S5120HI-S5500HI through interface
Example Ten-GigabitEthernet10/0/31. Reason: The PEX was not assigned an ID, or the
PEX was assigned an ID equal to or greater than the maximum value 130.
This message is generated in the following situations:
• The PEX is not assigned a virtual slot number.
Explanation
• The PEX is assigned a virtual slot number that is equal to or greater than
the maximum value allowed for the PEX model.
1. Use the associate command to assign a valid slot number to the PEX.
Recommended Make sure the slot number is within the value range for the PEX model.
action 2. If the problem persists, contact Hewlett Packard Enterprise Support.

PEX_CONNECTION_ERROR
PEX port [UINT32] discarded a REGISTER request received from [STRING]
Message text through interface [STRING]. Reason: Another PEX has been registered on the
PEX port.
$1: PEX port ID.
Variable fields $2: PEX model.
$3: Name of a PEX physical interface.
Severity level 4
PEX/4/PEX_CONNECTION_ERROR: PEX port 1 discarded a REGISTER
request received from PEX-S5120HI-S5500HI through interface
Example Ten-GigabitEthernet10/0/31. Reason: Another PEX has been registered on the
PEX port.
Explanation This message is generated if a PEX port is connected to multiple PEXs.
1. Reconnect PEXs to ensure sure that only one PEX is connected to the
Recommended PEX port.
action 2. If the problem persists, contact Hewlett Packard Enterprise Support.

508
PEX_FORBID_STACK
Can't connect PEXs [UNIT32] and [UNIT32]: The PEX ports to which the PEXs
Message text belong are in different PEX port groups.
$1: Virtual slot number of a PEX. (Centralized IRF devices.)
$1: Virtual chassis number of a PEX. (Distributed devices in IRF mode.)
Variable fields
$2: Virtual slot number of a PEX. (Centralized IRF devices.)
$2: Virtual chassis number of a PEX. (Distributed devices in IRF mode.)
Severity level 5
PEX/5/PEX_FORBID_STACK: Can't connect PEXs 100 and 102: The PEX
Example ports to which the PEXs belong are in different PEX port groups.
Explanation PEXs belonging to PEX ports of different PEX port groups were connected.
Recommended Check the network connection.
action

PEX_LINK_BLOCK
Message text Status of [STRING] changed from [STRING] to blocked.
$1: Name of a PEX physical interface.
Variable fields
$2: Data link status of the interface.
Severity level 4
PEX/4/PEX_LINK_BLOCK: Status of Ten-GigabitEthernet2/0/1 changed from
Example forwarding to blocked.
Data link of the PEX physical interface has changed to blocked. The blocked
state is a transitional state between forwarding and down. In blocked state, a
PEX physical interface can forward protocol packets, but it cannot forward data
packets.
This state change occurs in one of the following situations:
• Incorrect physical connection:
 The PEX physical links on a PEX are connected to different PEX ports
on the parent device.
Explanation
 The PEX port on the parent device contains physical links to different
PEXs.
• The data link is forced to the blocked state. In the startup phase, a PEX
blocks the link of a PEX physical interface if the interface is physically up,
but it is not used for loading startup software.
• The physical state of the interface is up, but the PEX connection between
the PEX and the parent device has been disconnected. The PEX and the
parent device cannot receive PEX heartbeat packets from each other.
If a down PEX link changes from blocked to up quickly, you do not need to take
action. If the link stays in blocked state, check the PEX cabling to verify that:
• The PEX's all PEX physical interfaces are connected to the physical
interfaces assigned to the same PEX port on the parent device.
Recommended
• The PEX port contains only physical links to the same PEX.
action
If a forwarding PEX link stays in blocked state when it is changing to the down
state, verify that an IRF fabric split has occurred. When an IRF fabric split occur,
a PEX link is be blocked if it is connected to the Recovery-state IRF member
device.

509
PEX_LINK_DOWN
Message text Status of [STRING] changed from [STRING] to down.
$1: Name of a PEX physical interface.
Variable fields
$2: Data link status of the interface.
Severity level 4
PEX/4/PEX_LINK_DOWN: Status of Ten-GigabitEthernet2/0/1 changed from
Example forwarding to down.
Data link of the PEX physical interface has changed to the down state and
cannot forward any packets.
The following are common reasons for this state change:
Explanation • Physical link fails.
• The interface is shut down administratively.
• The system reboots.
If the interface has been shut down administratively or in the down state
because of a system reboot, use the undo shutdown command to bring up the
Recommended interface as needed.
action If the interface is down because of a physical link failure, verify that the cable
has been securely connected and is in good condition.

PEX_LINK_FORWARD
Message text Status of [STRING] changed from [STRING] to forwarding.
$1: Name of a PEX physical interface.
Variable fields
$2: Data link status of the interface.
Severity level 5
PEX/5/PEX_LINK_FORWARD: Status of Ten-GigabitEthernet2/0/1 changed
Example from blocked to forwarding.
Data link of the PEX physical interface has changed to the forwarding state and
can forward data packets.
This link state change occurs when one of the following events occurs:
Explanation
• The link is detected again after it changes to the blocked state.
• The PEX loads startup software images from the parent device through the
interface.
Recommended No action is required.
action

510
PEX_REG_JOININ
Message text PEX ([STRING]) registered successfully on PEX port [UINT32].
$1: Virtual slot number of a PEX. (Centralized IRF devices.)
Variable fields $1: Virtual chassis number of a PEX. (Distributed devices in IRF mode.)
$2: PEX port ID.
Severity level 5
PEX/5/PEX_REG_JOININ: PEX (slot 101) registered successfully on PEX port
Example 1.
The PEX has been registered successfully. You can configure and manage the
Explanation PEX attached to the PEX port on the parent device as if the PEX was an
interface card.
Recommended No action is required.
action

PEX_REG_LEAVE
Message text PEX ([STRING]) unregistered on PEX port [UINT32].
$1: Virtual slot number of a PEX. (Centralized IRF devices.)
Variable fields $1: Virtual chassis number of a PEX. (Distributed devices in IRF mode.)
$2: PEX port ID.
Severity level 4
Example PEX/4/PEX_REG_LEAVE: PEX (slot 101) unregistered on PEX port 1.
The PEX has been unregistered. You cannot operate the PEX from the parent
device.
A PEX unregister event occurs when one of the following events occurs:
• The PEX reboots.
Explanation • All physical interfaces in the PEX port are down. For example, all physical
interfaces are shut down administratively, or all the physical links are
disconnected.
• The PEX fails to start up within 30 minutes.
• Link detection fails on all physical interfaces in the PEX port.
If the event occurs because the PEX reboots or PEX physical interfaces are
shut down administratively, use the undo shutdown command to bring up the
interfaces as needed.
To resolve the problem that occurs for any other reasons:
• Use the display device command to verify that the slot number of the PEX
Recommended
is present and the state is correct.
action
• Use the display pex-port command to verify that the PEX physical
interfaces are configured correctly and in a correct state.
• Use the display interface command to verify that the physical state of the
PEX physical interfaces is up. If the Current state field displays down,
check the cabling for a physical link failure.

511
PEX_REG_REQUEST
Message text Received a REGISTER request on PEX port [UINT32] from PEX ([STRING]).
$1: PEX port ID.
Variable fields $2: Virtual slot number of a PEX. (Centralized IRF devices.)
$2: Virtual chassis number of a PEX. (Distributed devices in IRF mode.)
Severity level 5
PEX/5/PEX_REG_REQUEST: Received a REGISTER request on PEX port 1
Example from PEX (slot 101).
The PEX sent a registration request to the parent device.
This event occurs when the PEX starts up after PEX configuration is completed
Explanation and the PEX device is connected to the patent device correctly. The parent
device will allow the PEX to load startup software images after it receives a
REGISTER request.
Recommended No action is required.
action

PEX_STACKCONNECTION_ERROR
Message text A device was connected to a PEX that already had two neighboring devices.

Variable fields N/A


Severity level 5
PEX/5/PEX_STACKCONNECTION_ERROR: A device was connected to a
Example PEX that already had two neighboring devices.
Connection error was detected. A device was connected to a PEX that already
Explanation has two neighboring devices in an IRF 3 system.
Recommended Check the network connection.
action

512
PEX messages (IRF 3.1)
This section contains IRF 3.1 PEX messages.

PEX_LLDP_DISCOVER
Message text Discover peer device on interface [STRING]: MAC=STRING, priority=UINT32.
$1: Interface name.
Variable fields $2: MAC address of the peer device.
$3: Priority of the PEX upstream port.
Severity level 5
PEX/5/PEX_LLDP_DISCOVER: Discover peer device on interface
Example Bridge-Aggregation 1: MAC=20f4-9cb6-0100, priority=0.
Explanation The parent fabric or a PEX discovered a peer device through LLDP.
Recommended No action is required.
action

PEX_MEMBERID_EXCEED
To use the IRF fabric connected to interface %s as a PEX, the IRF member ID
Message text must be in the range of 1 to 4.

Variable fields $1: Interface name.


Severity level 4
PEX/4/PEX_MEMBERID_EXCEED: To use the IRF fabric connected to
Example interface Bridge-Aggregation1 as a PEX, the IRF member ID must be in the
range of 1 to 4.
To use an IRF fabric as a PEX, the IRF member ID must be in the range of 1 to
Explanation 4. Only single-member IRF fabrics can be used as PEXs in an IRF 3.1 system.
1. Check the IRF member ID of the device to be used as a PEX.
Recommended 2. Execute the irf member renumber command to change the IRF member
action ID to be in the range of 1 to 4.

513
PEX_PECSP_OPEN_RCVD
Message text Received a CSP Open message on interface [STRING].

Variable fields $1: Interface name.


Severity level 5
PEX/5/PEX_PECSP_OPEN_RCVD: Received a CSP Open message on
Example interface Bridge-Aggregation1.
A cascade port on the parent fabric or an upstream port on a PEX received a PE
CSP Open packet from the peer to request connection establishment. If each
Explanation side can receive a response from the peer within 60 seconds after sending a PE
CSP Open request, connection between them is established.
Recommended No action is required.
action

PEX_PECSP_OPEN_SEND
Message text Sent a CSP Open message on interface [STRING].

Variable fields $1: Interface name.


Severity level 5
PEX/5/PEX_PECSP_OPEN_SEND: Sent a CSP Open message on interface
Example Bridge-Aggregation1.
A cascade port on the parent fabric or an upstream port on a PEX sent a PE
CSP Open packet to request connection establishment. If each side can receive
Explanation a response from the peer within 60 seconds after sending a PE CSP Open
request, connection between them is established.
Recommended No action is required.
action

PEX_PECSP_TIMEOUT
Message text PE CSP timed out on interface [STRING].

Variable fields $1: Interface name.


Severity level 4
PEX/4/PEX_PECSP_TIMEOUT: PE CSP timed out on interface
Example Bridge-Aggregation1.
PE CSP timed out on an interface because no PE CSP packet was received on
Explanation the interface. The parent fabric and the PEX cannot establish connection.
1. Check the links between the parent fabric and the PEX. Make sure a
Recommended minimum of one link is up.
action 2. Check IRF 3.1 configuration. Verify that the configuration is correct.

514
Security level: Secret

PIM messages
This section contains PIM messages.

PIM_MEM_ALERT
Message text PIM process received system memory alert [STRING] event.

Variable fields $1: Event type of the memory alert.


Severity level 5
Example PIM/5/PIM_MEM_ALERT: PIM process received system memory alert start event.
Explanation The PIM module received a memory alert event.
1. Check the system memory to make sure the memory usage does not exceed
Recommended action the thresholds.
2. Release memory from memory-intensive modules.

PIM_NBR_DOWN
[STRING]PIM-NBR change: Neighbor [STRING]([STRING]) is down.
Message text ([STRING][STRING])
[STRING]: Neighbor [STRING] ([STRING]) is down.
$1: Public network or VPN instance.
Variable fields $2: IP address of the PIM neighbor.
$3: Interface name.
Severity level 5
PIM/5/PIM_NBR_DOWN: (public net): Neighbor 10.1.1.1(Vlan-interface10) is
Example down.
Explanation The PIM neighbor was down.
Recommended action Check the PIM configuration and network status.

515
Security level: Secret

PIM_NBR_UP
[STRING]PIM-NBR change: Neighbor [STRING]([STRING]) is up.
Message text ([STRING][STRING])
[STRING]: Neighbor [STRING] ([STRING]) is up.
$1: Public network or VPN instance.
Variable fields $2: IP address of the PIM neighbor.
$3: Interface name.
Severity level 5
Example PIM/5/PIM_NBR_UP: (public net): Neighbor 10.1.1.1(Vlan-interface10) is up.
Explanation The PIM neighbor was up.
Recommended action No action is required.

516
Security level: Secret

PING messages
This section contains ping messages.

PING_STATISTICS
[STRING] statistics for [STRING]: [UINT32] packets transmitted, [UINT32]
Message text packets received, [DOUBLE]% packet loss, round-trip min/avg/max/std-dev =
[DOUBLE]/[DOUBLE]/[DOUBLE]/[DOUBLE] ms.

$1: Ping or ping6.


$2: IP address, IPv6 address, or host name for the destination.
$3: Number of sent echo requests.
$4: Number of received echo replies.
Variable fields $5: Percentage of the non-replied packets to the total request packets.
$6: Minimum round-trip delay.
$7: Average round-trip delay.
$8: Maximum round-trip delay.
$9: Standard deviation round-trip delay.

Severity level 6
PING/6/PING_STATISTICS: Ping statistics for 192.168.0.115: 5 packets
Example transmitted, 5 packets received, 0.0% packet loss, round-trip
min/avg/max/std-dev = 0.000/0.800/2.000/0.748 ms.
A user uses the ping command to identify whether a destination in the public
Explanation network is reachable.

Recommended If there is no packet received, identify whether the interface is down.


action

517
Security level: Secret

PING_VPN_STATISTICS
[STRING] statistics for [STRING] in VPN instance [STRING] : [UINT32] packets
Message text transmitted, [UINT32] packets received, [DOUBLE]% packet loss, round-trip
min/avg/max/std-dev = [DOUBLE]/[DOUBLE]/[DOUBLE]/[DOUBLE] ms.

$1: Ping or ping6.


$2: IP address, IPv6 address, or host name for the destination.
$3: VPN instance name.
$4: Number of sent echo requests.
$5: Number of received echo replies.
Variable fields
$6: Percentage of the non-replied packets to the total request packets.
$7: Minimum round-trip delay.
$8: Average round-trip delay.
$9: Maximum round-trip delay.
$10: Standard deviation round-trip delay.

Severity level 6
PING/6/PING_VPN_STATISTICS: Ping statistics for 192.168.0.115 in VPN
Example instance vpn1: 5 packets transmitted, 5 packets received, 0.0% packet loss,
round-trip min/avg/max/std-dev = 0.000/0.800/2.000/0.748 ms.
A user uses the ping command to identify whether a destination in a private
Explanation network is reachable.

Recommended If there is no packet received, identify whether the interface is down and identify
action whether a valid route exists in the routing table.

518
Security level: Secret

PKI messages
This section contains PKI messages.

REQUEST_CERT_FAIL
Message text Failed to request certificate of domain [STRING].

Variable fields $1: PKI domain name


Severity level 5
Example PKI/5/REQUEST_CERT_FAIL: Failed to request certificate of domain abc.
Explanation Failed to request certificate for a domain.
Recommended Check the configuration of the device and CA server, and the network between
action them.

REQUEST_CERT_SUCCESS
Message text Request certificate of domain [STRING] successfully.

Variable fields $1: PKI domain name


Severity level 5
PKI/5/REQUEST_CERT_SUCCESS: Request certificate of domain abc
Example successfully.
Explanation Successfully requested certificate for a domain.
Recommended No action is required.
action

519
Security level: Secret

PKT2CPU messages
This section contains PKT2CPU messages.

PKT2CPU_NO_RESOURCE
-Interface=[STRING]-ProtocolType=[UINT32]-MacAddr=[STRING]; The resources
are insufficient.
Message text
-Interface=[STRING]-ProtocolType=[UINT32]-SrcPort=[UINT32]-DstPort=[UINT32];
The resources are insufficient.
$1: Interface type and number.
$2: Protocol type.
Variable fields
$3: MAC address or source port.
$4: Destination port.

Severity level 4
PKT2CPU/4/PKT2CPU_NO_RESOURCE:
Example -Interface=Ethernet0/0/2-ProtocolType=21-MacAddr=0180-c200-0014; The
resources are insufficient.

Explanation Hardware resources were insufficient.

Recommended Cancel the configuration.


action

520
Security level: Secret

PORTSEC messages
This section contains port security messages.

PORTSEC_CREATEAC_FAILURE
-IfName=[STRING]-VLANID=[STRING]- MACAddr=[STRING]-
Message text VSIName=[STRING]; Failed to map an Ethernet service instance to the VSI.
$1: Interface type and number.
$2: VLAN ID.
Variable fields
$3: MAC address.
$4: VSI name.
Severity level 3
PORTSEC/3/PORTSEC_CREATEAC_FAILURE:-IfName=GigabitEthernet1/0/4-
Example VLANID=444-MACAddr=0010-8400-22b9- VSIName=aaa; Failed to map an
Ethernet service instance to the VSI.
The port security module failed to map an Ethernet service instance to a specific
Explanation VSI.
Recommended Execute the display l2vpn vsi command and verify that the VSI exists. If the VSI
action does not exist, create the VSI by using the vsi vsi-name command.

PORTSEC_PORTMODE_NOT_EFFECTIVE
Message text The port security mode is configured but is not effective on interface [STRING].

Variable fields $1: Interface type and number.


Severity level 3
PORTSEC/3/PORTSEC_PORTMODE_NOT_EFFECTIVE: The port security
Example mode is configured but is not effective on interface Ethernet3/1/2.
The port security mode does not take effect on an interface, because the
Explanation interface does not support this mode.
• Change the port security mode to another mode that is supported by the
interface.
Recommended
• Reconnect the connected devices to another interface that supports this
action port security mode, and configure the port security mode on the new
interface.

521
Security level: Secret

PORTSEC_NTK_NOT_EFFECTIVE
The NeedToKnow feature is configured but is not effective on interface
Message text [STRING].

Variable fields $1: Interface type and number.


Severity level 3
PORTSEC/3/PORTSEC_NTK_NOT_EFFECTIVE: The NeedToKnow feature is
Example configured but is not effective on interface Ethernet3/1/2.
The NeedToKnow mode does not take effect on an interface, because the
Explanation interface does not support the NeedToKnow mode.
1. Disable the NeedToKnow feature on the interface.
Recommended 2. Reconnect the connected devices to another interface that supports the
action NeedToKnow mode.
3. Configure the NeedToKnow mode on the new interface.

PORTSEC_LEARNED_MACADDR
Message -IfName=[STRING]-MACAddr=[STRING]-VLANID=[STRING]; A new MAC address was
text learned.
$1: Interface type and number.
Variable $2: MAC address.
fields
$3: VLAN ID.
Severity 6
level
PORTSEC/6/PORTSEC_LEARNED_MACADDR:-IfName=GigabitEthernet1/0/4-MACAddr=
Example 0010-8400-22b9-VLANID=444; A new MAC address was learned.
Explanatio A new secure MAC address was learned on the interface.
n
Recomme
nded No action is required.
action

522
Security level: Secret

PORTSEC_VIOLATION
Message -IfName=[STRING]-MACAddr=[STRING]-VLANID=[STRING]-IfStatus=[STRING]; Intrusion
text protection was triggered.
$1: Interface type and number.
Variable $2: MAC address.
fields $3: VLAN ID.
$4: Interface status.
Severity 5
level
PORTSEC/5/PORTSEC_VIOLATION:-IfName=GigabitEthernet1/0/4-MACAddr=0010-8400-
Example 22b9-VLANID=444-IfStatus=Up; Intrusion protection was triggered.
Explanatio Intrusion protection was triggered.
n
Recomme • Check the port security configuration.
nded • Change the port security mode to another mode.
action

PORTSEC_ACL_FAILURE
Message text -IfName=[STRING]-MACAddr=[STRING]; ACL authorization failed because [STRING].
$1: Interface type and number.
$2: MAC address.
$3: Cause of failure:
Variable • the specified ACL didn't exist.
fields • this type of ACL is not supported.
• hardware resources were insufficient.
• the specified ACL conflicted with other ACLs applied to the interface.
• the specified ACL didn't contain any rules.
Severity level 5
PORTSEC/5/PORTSEC_ACL_FAILURE:-IfName=GigabitEthernet1/0/4-MACAddr=0010-
Example 8400-22b9; ACL authorization failed because the specified ACL didn't exist.
Explanation ACL authorization failed for a specific reason.
Recommend Handle the problem according to the failure cause.
ed action

523
Security level: Secret

PORTSEC_PROFILE_FAILURE
Message -IfName=[STRING]-MACAddr=[STRING]; Failed to assign a user profile to driver.
text
Variable $1: Interface type and number.
fields $2: MAC address.
Severity 5
level
PORTSEC/5/PORTSEC_PROFILE_FAILURE:-IfName=GigabitEthernet1/0/4-MACAddr=0
Example 010-8400-22b9; Failed to assign a user profile to driver.
Explanation The device failed to assign a user profile to the driver.
Recommend No action is required.
ed action

524
Security level: Secret

PPP messages
This section contains PPP messages.

IPPOOL_ADDRESS_EXHAUSTED
Message text The address pool [STRING] was exhausted.

Variable fields $1: Pool name.


Severity level 5
PPP/5/IPPOOL_ADDRESS_EXHAUSTED: The address pool aaa was
Example exhausted.
Explanation This message is generated when the last address is assigned from the pool.
Recommended Add addresses to the pool.
action

PPP_USER_LOGON_SUCCESS
Message -UserName=[STRING]-IPAddr=[IPADDR]-IfName=[STRING]-OutVlan=[UINT16]-InVlan=[UI
text NT16]-MACAddr=[MAC]; User got online successfully.

$1: Username.
$2: IP address.
Variable $3: Interface name.
fields $4: Outer VLAN ID.
$5: Inner VLAN ID.
$6: MAC address.
Severity 6
level
PPP/6/PPP_USER_LOGON_SUCCESS:
Example -UserName=abc-IPAddr=1.1.1.2-IfName=Route-Aggregation1023.4000-OutVlan=1000-InVla
n=4000-MACAddr=0230-0103-5601; User got online successfully.
Explanatio The user has come online.
n
Recomme
nded No action is required.
action

525
Security level: Secret

PPP_USER_LOGON_FAILED
Message -UserName=[STRING]-IPAddr=[IPADDR]-IfName=[STRING]-OutVlan=[UINT16]-InVlan=[UINT
text 16]-MACAddr=[MAC]-Reason=[STRING]; User got online failed.

$1: Username.
$2: IP address.
$3: Interface name.
Variable $4: Outer VLAN ID.
fields
$5: Inner VLAN ID.
$6: MAC address.
$7: Cause.
Severity 5
level
PPP/5/PPP_USER_LOGON_FAILED:
Example -UserName=abc-IPAddr=1.1.1.2-IfName=Route-Aggregation1023.4000-OutVlan=1000-InVlan
=4000-MACAddr=0230-0103-5601-Reason=Authentication failed; User got online failed.
Explanat The user failed to come online.
ion
Recomm 1. Verify that the username and password are correct.
ended 2. Verify that the AAA server is operating correctly.
action 3. Verify that the address pool is configured correctly.

PPP_USER_LOGOFF
Message -UserName=[STRING]-IPAddr=[IPADDR]-IfName=[STRING]-OutVlan=[UINT16]-InVlan=[UIN
text T16]-MACAddr=[MAC]-Reason=[STRING]; User logged off.

$1: Username.
$2: IP address.
$3: Interface name.
Variable $4: Outer VLAN ID.
fields
$5: Inner VLAN ID.
$6: MAC address.
$7: Cause (see Table 10).
Severity 6
level
PPP/6/PPP_USER_LOGOFF:
Example -UserName=abc-IPAddr=1.1.1.2-IfName=Route-Aggregation1023.4000-OutVlan=1000-InVla
n=4000-MACAddr=0230-0103-5601-Reason=Use request; User logged off.
Explanati The user has gone offline.
on
Recomm
ended No action is required.
action

526
Security level: Secret

Table 10 Cause description

Cause Description
User request The user session was terminated at the user's request.
The Keepalive packets were lost, possibly because the link between the user
Lost carrier
device and the device connecting to the BAS fails.
Lost service The service server terminated the service, such as L2TP.
BAS error The BAS software errors caused the user logoff.
BAS reboot The BAS sent disconnection information before an unexpected reboot.
Admin reset The user session was terminated because of management reasons.
BAS request Unknown reasons.
Session timeout The user session timed out or the traffic quota was used up.
Server command The AAA server logged off the user.
Idle timeout The user traffic did not reach the threshold within the specified period.
Account update fail The accounting update failed.

Port error The BAS detected errors on the user access port.

Admin reboot The BAS sent disconnection information before a reboot.

527
Security level: Secret

PWDCTL messages
This section contains password control messages.

ADDBLACKLIST
Message text [STRING] was added to the blacklist for failed login attempts.

Variable fields $1: Username.


Severity level 6
PWDCTL/6/ADDBLACKLIST: hhh was added to the blacklist for failed login
Example attempts.
The user entered an incorrect password. It failed to log in to the device and was
Explanation added to the password control blacklist.
Recommended No action is required.
action

CHANGEPASSWORD
Message text [STRING] changed the password because [STRING].
$1: Username.
$2: The reasons for changing password.
 Because it is the first login of the account.
Variable fields
 Because the password had expired.
 Because the password was too short.
 Because the password was not complex enough.
Severity level 6
PWDCTL/6/CNAHGEPASSWORD: hhh changed the password because It is
Example the first login of the account.
The user changed the password for some reason. For example, the user
Explanation changed the password because it is the first login of the user's account.
Recommended No action is required.
action

528
Security level: Secret

FAILEDTOWRITEPWD
Message text Failed to write the password records to file.

Variable fields N/A


Severity level 6
PWDCTL/6/FAILEDTOWRITEPWD: Failed to write the password records to
Example file.
Explanation The device failed to write a password to a file.
Recommended Check the file system of the device for memory space insufficiency.
action

529
Security level: Secret

QOS messages
This section contains QoS messages.

QOS_CAR_APPLYUSER_FAIL
[STRING]; Failed to apply the [STRING] CAR in [STRING] profile [STRING] to the user.
Message text Reason: [STRING].
$1: User identity.
$2: Application direction.
Variable fields $3: Profile type.
$4: Profile name.
$5: Failure cause.
Severity level 4
QOS/4/QOS_CAR_APPLYUSER_FAIL:
-MAC=1111-2222-3333-IP=192.168.1.2-SVLAN=100-VPN=”N/A”-Port=GigabitEthernet5
Example /1/5; Failed to apply the inbound CAR in user profile a to the user. Reason: The resources
are insufficient.
The system failed to perform one of the following actions:
Explanation • Apply a CAR policy when a user went online.
• Modify a configured CAR policy or configure a new CAR policy when a user is online.
Recommende Delete the CAR policy from the profile or modify the parameters of the CAR policy.
d action

QOS_CBWFQ_REMOVED
Message text CBWFQ is removed from [STRING].

Variable fields $1: Interface name.


Severity level 3
QOS/3/QOS_CBWFQ_REMOVED: CBWFQ is removed from
Example GigabitEthernet4/0/1.
CBWFQ was removed from an interface because the maximum bandwidth or
Explanation speed configured on the interface was below the bandwidth or speed required
for CBWFQ.
Recommended Increase the bandwidth or speed and apply the removed CBWFQ again.
action

530
Security level: Secret

QOS_GTS_APPLYUSER_FAIL
[STRING]; Failed to apply GTS in user profile [STRING] to the user. Reason:
Message text [STRING].
$1: User identity.
Variable fields $2: User profile name.
$3: Failure cause.
Severity level 4
QOS/4/QOS_GTS_APPLYUSER_FAIL:
-MAC=1111-2222-3333-IP=192.168.1.2/16-CVLAN=100-Port=GigabitEthernet5/1/5;
Example Failed to apply GTS in user profile a to the user. Reason: The resources are
insufficient.
The system failed to perform one of the following actions:
• Apply a GTS action when a user went online.
Explanation
• Modify a configured GTS action or configure a new GTS action when a user is
online.
Recommended Delete the GTS action from the user profile or modify the parameters of the GTS
action action.

QOS_NOT_ENOUGH_BANDWIDTH
Policy [STRING] requested bandwidth [UINT32](kbps). Only [UINT32](kbps) is
Message text available on [STRING].
$1: Policy name.
$2: Required bandwidth for CBWFQ.
Variable fields
$3: Available bandwidth on an interface.
$4: Interface name.
Severity level 3
QOS/3/QOS_NOT_ENOUGH_BANDWIDTH: Policy d requested bandwidth
Example 10000(kbps). Only 80(kbps) is available on GigabitEthernet4/0/1.
Configuring CBWFQ on an interface failed because the maximum bandwidth on
Explanation the interface was less than the bandwidth required for CBWFQ.
Recommended Increase the maximum bandwidth configured for the interface or set lower
action bandwidth required for CBWFQ.

531
Security level: Secret

QOS_POLICY_APPLYCOPP_CBFAIL
Failed to apply classifier-behavior [STRING] in policy [STRING] to the
Message text [STRING] direction of control plane slot [UINT32]. [STRING].
$1: Name of a classifier-behavior association.
$2: Policy name.
Variable fields $3: Application direction.
$4: Slot number.
$5: Failure cause.
Severity level 4
QOS/4/QOS_POLICY_APPLYCOPP_CBFAIL: Failed to apply
Example classifier-behavior d in policy b to the inbound direction of control plane slot 3.
The behavior is empty.
The system failed to perform one of the following actions:
• Apply a classifier-behavior association to a specific direction of a control
Explanation plane.
• Update a classifier-behavior association applied to a specific direction of a
control plane.
Recommended Modify the configuration of the QoS policy according to the failure cause.
action

QOS_POLICY_APPLYCOPP_FAIL
Failed to apply or refresh QoS policy [STRING] to the [STRING] direction of
Message text control plane slot [UINT32]. [STRING].
$1: Policy name.
$2: Traffic direction.
Variable fields
$3: Slot number.
$4: Failure cause.
Severity level 4
QOS/4/QOS_POLICY_APPLYCOPP_FAIL: Failed to apply or refresh QoS
Example policy b to the inbound direction of control plane slot 3. The operation is not
supported.
The system failed to perform one of the following actions:
Explanation • Apply a QoS policy to a specific direction of a control plane.
• Update a QoS policy applied to a specific direction of a control plane.
Recommended Modify the configuration of the QoS policy according to the failure cause.
action

532
Security level: Secret

QOS_POLICY_APPLYGLOBAL_CBFAIL
Failed to apply classifier-behavior [STRING] in policy [STRING] to the
Message text [STRING] direction globally. [STRING].
$1: Name of a classifier-behavior association.
$2: Policy name.
Variable fields
$3: Traffic direction.
$4: Failure cause.
Severity level 4
QOS/4/QOS_POLICY_APPLYGLOBAL_CBFAIL: Failed to apply
Example classifier-behavior a in policy b to the outbound direction globally. The behavior
is empty.
The system failed to perform one of the following actions:
• Apply a classifier-behavior association to a specific direction globally.
Explanation
• Update a classifier-behavior association applied to a specific direction
globally.
Recommended Modify the configuration of the QoS policy according to the failure cause.
action

QOS_POLICY_APPLYGLOBAL_FAIL
Failed to apply or refresh QoS policy [STRING] to the [STRING] direction
Message text globally. [STRING].
$1: Policy name.
Variable fields $2: Traffic direction.
$3: Failure cause.
Severity level 4
QOS/4/QOS_POLICY_APPLYGLOBAL_FAIL: Failed to apply or refresh QoS
Example policy b to the inbound direction globally. The operation is not supported.
The system failed to perform one of the following actions:
Explanation • Apply a QoS policy to a specific direction globally.
• Update a QoS policy applied to a specific direction globally.
Recommended Modify the configuration of the QoS policy according to the failure cause.
action

533
Security level: Secret

QOS_POLICY_APPLYIF_CBFAIL
Failed to apply classifier-behavior [STRING] in policy [STRING] to the
Message text [STRING] direction of interface [STRING]. [STRING].
$1: Name of a classifier-behavior association.
$2: Policy name.
Variable fields $3: Traffic direction.
$4: Interface name.
$5: Failure cause.
Severity level 4
QOS/4/QOS_POLICY_APPLYIF_CBFAIL: Failed to apply classifier-behavior b
Example in policy b to the inbound direction of interface Ethernet3/1/2. The behavior is
empty.
The system failed to perform one of the following actions:
• Apply a classifier-behavior association to a specific direction of an
Explanation interface.
• Update a classifier-behavior association applied to a specific direction of
an interface.
Recommended Modify the configuration of the QoS policy according to the failure cause.
action

QOS_POLICY_APPLYIF_FAIL
Failed to apply or refresh QoS policy [STRING] to the [STRING] direction of
Message text interface [STRING]. [STRING].
$1: Policy name.
$2: Traffic direction.
Variable fields
$3: Interface name.
$4: Failure cause.
Severity level 4
QOS/4/QOS_POLICY_APPLYIF_FAIL: Failed to apply or refresh QoS policy b
Example to the inbound direction of interface Ethernet3/1/2. The operation is not
supported.
The system failed to perform one of the following actions:
Explanation • Apply a QoS policy to a specific direction of an interface.
• Update a QoS policy applied to a specific direction of an interface.
Recommended Modify the configuration of the QoS policy according to the failure cause.
action

534
Security level: Secret

QOS_POLICY_APPLYUSER_FAIL
[STRING]; Failed to apply the [STRING] QoS policy [STRING] in user profile
Message text [STRING] to the user.Reason: [STRING].
$1: User identity.
$2: Application direction.
Variable fields $3: QoS policy name.
$4: User profile name.
$5: Failure cause.
Severity level 4
QOS/4/QOS_POLICY_APPLYUSER_FAIL:
-MAC=1111-2222-3333-IP=192.168.1.2/16-CVLAN=100-Port=GigabitEthernet5/1/5;
Example Failed to apply the inbound QoS policy p in user profile a to the user.Reason: The
QoS policy is not supported.
The system failed to perform one of the following actions:
Explanation • Issue the settings of a QoS policy when a user went online.
• Modify an applied QoS policy or apply a new QoS policy when a user is online.
Recommended Remove the QoS policy from the user profile or modify the parameters of the QoS
action policy.

QOS_POLICY_APPLYVLAN_CBFAIL
Failed to apply classifier-behavior [STRING] in policy [STRING] to the
Message text [STRING] direction of VLAN [UINT32]. [STRING].
$1: Name of a classifier-behavior association.
$2: Policy name.
Variable fields $3: Application direction.
$4: VLAN ID.
$5: Failure cause.
Severity level 4
QOS/4QOS_POLICY_APPLYVLAN_CBFAIL: Failed to apply
Example classifier-behavior b in policy b to the inbound direction of VLAN 2. The behavior
is empty.
The system failed to perform one of the following actions:
• Apply a classifier-behavior association to a specific direction of a VLAN.
Explanation
• Update a classifier-behavior association applied to a specific direction of a
VLAN.
Recommended Modify the configuration of the QoS policy according to the failure cause.
action

535
Security level: Secret

QOS_POLICY_APPLYVLAN_FAIL
Failed to apply or refresh QoS policy [STRING] to the [STRING] direction of
Message text VLAN [UINT32]. [STRING].
$1: Policy name.
$2: Application direction.
Variable fields
$3: VLAN ID.
$4: Failure cause.
Severity level 4
QOS/4/QOS_POLICY_APPLYVLAN_FAIL: Failed to apply or refresh QoS
Example policy b to the inbound direction of VLAN 2. The operation is not supported.
The system failed to perform one of the following actions:
Explanation • Apply a QoS policy to a specific direction of a VLAN.
• Update a QoS policy applied to a specific direction of a VLAN.
Recommended Modify the configuration of the QoS policy according to the failure cause.
action

QOS_QMPROFILE_APPLYUSER_FAIL
[STRING]; Failed to apply queue management profile [STRING] in session group
Message text profile [STRING] to the user. Reason: [STRING].
$1: User identity.
$2: Queue scheduling profile name.
Variable fields
$3: Session group profile name.
$4: Failure cause.
Severity level 4
QOS/4/QOS_QMPROFILE_APPLYUSER_FAIL:
-MAC=1111-2222-3333-IP=192.168.1.2/16-SVLAN=100-Port=GigabitEthernet5/1/5;
Example Failed to apply queue management profile b in session group profile a to the user.
Reason: The QMProfile is not supported.
The system failed to perform one of the following actions:
• Issue the settings of a queue scheduling profile when a user went online.
Explanation
• Modify an applied queue scheduling profile or apply a new queue scheduling
profile when a user is online.
Recommended Remove the queue scheduling profile from the session group profile or modify the
action parameters of the queue scheduling profile.

536
Security level: Secret

QOS_QMPROFILE_MODIFYQUEUE_FAIL
Failed to configure queue [UINT32] in queue management profile [STRING].
Message text [STRING].
$1: Queue ID.
Variable fields $2: Profile name.
$3: Failure cause.
Severity level 4
QOS/4/QOS_QMPROFILE_MODIFYQUEUE_FAIL: Failed to configure queue
Example 1 in queue management profile myqueue. The value is out of range.
The system failed to modify a queue in a queue scheduling profile successfully
Explanation applied to an interface because the new parameter was beyond port
capabilities.
Recommended Remove the queue scheduling profile from the interface, and then modify the
action parameters for the queue.

537
Security level: Secret

RADIUS messages
This section contains RADIUS messages.

RADIUS_AUTH_FAILURE
Message text User [STRING] from [STRING] failed authentication.
$1: User name.
Variable fields
$2: IP address.
Severity level 5
RADIUS/5/RADIUS_AUTH_FAILURE: User abc@system from 192.168.0.22
Example failed authentication.
Explanation An authentication request was rejected by the RADIUS server.
Recommended No action is required.
action

RADIUS_AUTH_SUCCESS
Message text User [STRING] from [STRING] was authenticated successfully.
$1: User name.
Variable fields
$2: IP address.
Severity level 6
RADIUS/6/RADIUS_AUTH_SUCCESS: User abc@system from 192.168.0.22
Example was authenticated successfully.
Explanation An authentication request was accepted by the RADIUS server.
Recommended No action is required.
action

RADIUS_DELETE_HOST_FAIL
Message text Failed to delete servers in scheme [STRING].

Variable fields $1: Scheme name.


Severity level 4
RADIUS/4/RADIUS_DELETE_HOST_FAIL: Failed to delete servers in scheme
Example abc.
Explanation Failed to delete servers from a RADIUS scheme.
Recommended No action is required.
action

538
Security level: Secret

RDDC messages
This section contains RDDC messages.

RDDC_ACTIVENODE_CHANGE
Redundancy group [STRING] active node changed to [STRING], because of
Message text [STRING].
$1: Redundancy group name.
$2: Active node information.
$3: Status change reason:
Variable fields
 manual switchover
 group's configuration changed
 node's weight changed
Severity level 5
RDDC/5/RDDC_ACTIVENODE_CHANGE: Redundancy group 1 active node
Example changed to node 1 (chassis 1), because of manual switchover.
The active node in the redundancy group changed because of manual
Explanation switchover, configuration change of the group, or weight change of the node.
Recommended No action is required.
action

539
Security level: Secret

RIP messages
This section contains RIP messages.

RIP_MEM_ALERT
Message text RIP Process received system memory alert [STRING] event.

Variable fields $1: Type of the memory alarm.

Severity level 5
RIP/5/RIP_MEM_ALERT: RIP Process received system memory alert start
Example event.

Explanation RIP received a memory alarm.

Recommended Check the system memory and release memory for the modules that occupy too
action many memory resources.

RIP_RT_LMT
Message text RIP [UINT32] Route limit reached

Variable fields $1: Process ID.

Severity level 6

Example RIP/6/RIP_RT_LMT: RIP 1 Route limit reached.

Explanation The number of routes of a RIP process reached the upper limit.

Recommended 1. Check for network attacks.


action 2. Reduce the number of routes.

540
Security level: Secret

RIPNG messages
This section contains RIPng messages.

RIPNG_MEM_ALERT
Message text RIPng Process received system memory alert [STRING] event.

Variable fields $1: Type of the memory alarm.

Severity level 5
RIPNG/5/RIPNG_MEM_ALERT: RIPNG Process received system memory
Example alert start event.

Explanation RIPng received a memory alarm.

Recommended Check the system memory and release memory for the modules that occupy too
action many memory resources.

RIPNG_RT_LMT
Message text RIPng [UINT32] Route limit reached

Variable fields $1: Process ID

Severity level 6

Example RIPNG/6/RIPNG_RT_LMT: RIPng 1 Route limit reached.

Explanation The number of routes of a RIPng process reached the upper limit.

Recommended 1. Check for network attacks.


action 2. Reduce the number of routes.

541
Security level: Secret

RM messages
This section contains RM messages.

RM_ACRT_REACH_LIMIT
Message text Max active [STRING] routes [UINT32] reached in URT of [STRING]
$1: IPv4 or IPv6.
Variable fields $2: Maximum number of active routes.
$3: VPN instance name.

Severity level 4
RM/4/RM_ROUTE_REACH_LIMIT: Max active IPv4 routes 100000 reached in
Example URT of VPN1
The number of active routes reached the upper limit in the unicast routing table
Explanation of a VPN instance.

Recommended Remove unused active routes.


action

RM_ACRT_REACH_THRESVALUE
Threshold value [UINT32] of max active [STRING] routes reached in URT of
Message text [STRING]

$1: Threshold of the maximum number of active routes in percentage.


Variable fields $2: IPv4 or IPv6.
$3: VPN instance name.

Severity level 4
RM/4/RM_ACRT_REACH_THRESVALUE: Threshold value 50% of max active
Example IPv4 routes reached in URT of vpn1
The percentage of the maximum number of active routes was reached in the
Explanation unicast routing table of a VPN instance.

Recommended Modify the threshold value or the route limit configuration.


action

542
Security level: Secret

RM_THRESHLD_VALUE_REACH
Threshold value [UINT32] of active [STRING] routes reached in URT of
Message text [STRING]
$1: Maximum number of active routes.
Variable fields $2: IPv4 or IPv6.
$3: VPN instance name.

Severity level 4
RM/4/RM_THRESHLD_VALUE_REACH: Threshold value 10000 of active IPv4
Example routes reached in URT of vpn1
The number of active routes reached the threshold in the unicast routing table of
Explanation a VPN instance.

Recommended Modify the route limit configuration.


action

543
Security level: Secret

RPR messages
This section contains RPR messages.

RPR_EXCEED_MAX_SEC_MAC
A maximum number of secondary MAC addresses exceeded defect is present
Message text on the ring corresponding to RPR logical interface [STRING].

Variable fields $1: Interface name.

Severity level 4
RPR/4/RPR_EXCEED_MAX_SEC_MAC: A maximum number of secondary
Example MAC addresses exceeded defect is present on the ring corresponding to RPR
logical interface RPR-Router1.
The number of RPR secondary MAC addresses on the ring has reached the
Explanation upper limit.

Recommended Disable VRRP on RPR stations.


action

RPR_EXCEED_MAX_SEC_MAC_OVER
A maximum number of secondary MAC addresses exceeded defect is cleared
Message text on the ring corresponding to RPR logical interface [STRING].

Variable fields $1: Interface name.

Severity level 5
RPR/5/RPR_EXCEED_MAX_SEC_MAC_OVER: A maximum number of
Example secondary MAC addresses exceeded defect is cleared on the ring
corresponding to RPR logical interface RPR-Router1.

The number of secondary MAC addresses on the ring has dropped below the
Explanation upper limit.

Recommended No action is required.


action

544
Security level: Secret

RPR_EXCEED_MAX_STATION
A maximum number of stations exceeded defect is present on the ring
Message text corresponding to RPR logical interface [STRING].

Variable fields $1: Interface name.

Severity level 4
RPR/4/RPR_EXCEED_MAX_STATION: A maximum number of stations
Example exceeded defect is present on the ring corresponding to RPR logical interface
RPR-Router1.

Explanation The number of RPR stations on the ring has reached the upper limit.

Recommended Remove some RPR stations.


action

RPR_EXCEED_MAX_STATION_OVER
A maximum number of stations exceeded defect is cleared on the ring
Message text corresponding to RPR logical interface [STRING].

Variable fields $1: Interface name.

Severity level 5
RPR/5/RPR_EXCEED_MAX_STATION_OVER: A maximum number of
Example stations exceeded defect is cleared on the ring corresponding to RPR logical
interface RPR-Router1.

Explanation The number of RPR stations on the ring has dropped below the upper limit.

Recommended action No action is required.

RPR_EXCEED_RESERVED_RATE
An excess reserved rate defect is present on ringlet0/ringlet1 corresponding to
Message text RPR logical interface [STRING].

Variable fields $1: Interface name.

Severity level 3
RPR/3/RPR_EXCEED_RESERVED_RATE: An excess reserved rate defect is
Example present on ringlet0 corresponding to RPR logical interface RPR-Router1.

The reserved bandwidth for the RPR station was greater than the total
Explanation bandwidth of the RPR ring.

Recommended action Reduce the reserved bandwidth.

545
Security level: Secret

RPR_EXCEED_RESERVED_RATE_OVER
An excess reserved rate defect is cleared on ringlet0/ringlet1 corresponding to
Message text RPR logical interface [STRING].

Variable fields $1: Interface name.

Severity level 5
RPR/5/RPR_EXCEED_RESERVED_RATE_OVER: An excess reserved rate
Example defect is cleared on ringlet0 corresponding to RPR logical interface
RPR-Router1.
The reserved bandwidth for the RPR station was smaller than the total
Explanation bandwidth of the RPR ring.

Recommended action No action is required.

RPR_IP_DUPLICATE
A duplicate IP address defect is present on the ring corresponding to RPR
Message text logical interface [STRING].

Variable fields $1: Interface name.

Severity level 3
RPR/3/RPR_IP_DUPLICATE: A duplicate IP address defect is present on the
Example ring corresponding to RPR logical interface RPR-Router1.

Explanation Another RPR station used the same IP address.

Recommended action Locate the RPR station, and change its IP address.

RPR_IP_DUPLICATE_OVER
A duplicate IP address defect is cleared on the ring corresponding to RPR
Message text logical interface [STRING].

Variable fields $1: Interface name.

Severity level 5
RPR/5/RPR_IP_DUPLICATE_OVER: A duplicate IP address defect is cleared
Example on the ring corresponding to RPR logical interface RPR-Router1.

Explanation The duplicate IP address defect was cleared.

Recommended action No action is required.

546
Security level: Secret

RPR_JUMBO_INCONSISTENT
A jumbo configuration defect is present on the ring corresponding to RPR
Message text logical interface [STRING].

Variable fields $1: Interface name.

Severity level 6
RPR/6/RPR_JUMBO_INCONSISTENT: A jumbo configuration defect is
Example present on the ring corresponding to RPR logical interface RPR-Router1.

Explanation An RPR station used different Jumbo frame configuration.

Recommended action Locate the RPR station and change its Jumbo frame configuration.

RPR_JUMBO_INCONSISTENT_OVER
A jumbo configuration defect is cleared on the ring corresponding to RPR
Message text logical interface [STRING].

Variable fields $1: Interface name.

Severity level 6
RPR/6/RPR_JUMBO_INCONSISTENT_OVER: A jumbo configuration defect
Example is cleared on the ring corresponding to RPR logical interface RPR-Router1.

Explanation The Jumbo frame configuration inconsistency defect was cleared.

Recommended action No action is required.

RPR_MISCABLING
A miscabling defect is present on ringlet0/ringlet1 corresponding to RPR logical
Message text interface [STRING].

Variable fields $1: Interface name.

Severity level 3
RPR/3/RPR_MISCABLING: A miscabling defect is present on ringlet0
Example corresponding to RPR logical interface RPR-Router1.
The west port of an RPR station was not connected to the east port of anther
Explanation RPR station.

Recommended action Examine the physical port connection of the two RPR stations.

547
Security level: Secret

RPR_MISCABLING_OVER
A miscabling defect is cleared on ringlet0/ringlet1 corresponding to RPR logical
Message text interface [STRING].

Variable fields $1: Interface name.

Severity level 5
RPR/5/RPR_MISCABLING_OVER: A miscabling defect is cleared on ringlet0
Example corresponding to RPR logical interface RPR-Router1.

Explanation The RPR physical port connection defect was cleared.

Recommended action No action is required.

RPR_PROTECTION_INCONSISTENT
A protection configuration defect is present on the ring corresponding to RPR
Message text logical interface [STRING].

Variable fields $1: Interface name.

Severity level 3
RPR/3/RPR_PROTECTION_INCONSISTENT: A protection configuration
Example defect is present on the ring corresponding to RPR logical interface
RPR-Router1.

Explanation An RPR station used different protection mode.

Recommended action Locate the RPR station and change its protection mode.

RPR_PROTECTION_INCONSISTENT_OVER
A protection configuration defect is cleared on the ring corresponding to RPR
Message text logical interface [STRING].

Variable fields $1: Interface name.

Severity level 5
RPR/5/RPR_PROTECTION_INCONSISTENT_OVER: A protection
Example configuration defect is cleared on the ring corresponding to RPR logical
interface RPR-Router1.

Explanation The protection mode inconsistency defect was cleared.

Recommended No action is required.


action

548
Security level: Secret

RPR_SEC_MAC_DUPLICATE
A duplicate secondary MAC addresses defect is present on the ring
Message text corresponding to RPR logical interface [STRING].

Variable fields $1: Interface name.

Severity level 3
RPR/3/RPR_SEC_MAC_DUPLICATE: A duplicate secondary MAC addresses
Example defect is present on the ring corresponding to RPR logical interface
RPR-Router1.

Explanation Another RPR station used the same secondary MAC address.

Recommended action Locate the RPR station, and change its secondary MAC address.

RPR_SEC_MAC_DUPLICATE_OVER
A duplicate secondary MAC addresses defect is cleared on the ring
Message text corresponding to RPR logical interface [STRING].

Variable fields $1: Interface name.

Severity level 5
RPR/5/RPR_SEC_MAC_DUPLICATE_OVER: A duplicate secondary MAC
Example addresses defect is cleared on the ring corresponding to RPR logical interface
RPR-Router1.

Explanation The duplicate secondary MAC address defect was cleared.

Recommended action No action is required.

RPR_TOPOLOGY_INCONSISTENT
An inconsistent topology defect is present on the ring corresponding to RPR
Message text logical interface [STRING].

Variable fields $1: Interface name.

Severity level 3
RPR/3/RPR_TOPOLOGY_INCONSISTENT: An inconsistent topology defect
Example is present on the ring corresponding to RPR logical interface RPR-Router1.

The topology information collected by the ports on the PRP stations was
Explanation different.
Execute the shutdown command and then the undo shutdown command on
Recommended action the ports to collect topology information again.

549
Security level: Secret

RPR_TOPOLOGY_INCONSISTENT_OVER
An inconsistent topology defect is cleared on the ring corresponding to RPR
Message text logical interface [STRING].

Variable fields $1: Interface name.

Severity level 5
RPR/5/RPR_TOPOLOGY_INCONSISTENT_OVER: An inconsistent topology
Example defect is cleared on the ring corresponding to RPR logical interface
RPR-Router1.

Explanation The topology information inconsistency defect was cleared.

Recommended No action is required.


action

RPR_TOPOLOGY_INSTABILITY
A topology instability defect is present on the ring corresponding to RPR logical
Message text interface [STRING].

Variable fields $1: Interface name.

Severity level 4
RPR/4/RPR_TOPOLOGY_INSTABILITY: A topology instability defect is
Example present on the ring corresponding to RPR logical interface RPR-Router1.

Explanation The RPR ring topology was unstable.

Recommended action No action is required.

RPR_TOPOLOGY_INSTABILITY_OVER
A topology instability defect is cleared on the ring corresponding to RPR logical
Message text interface [STRING].

Variable fields $1: Interface name.

Severity level 5
RPR/5/RPR_TOPOLOGY_INSTABILITY_OVER: A topology instability defect
Example is cleared on the ring corresponding to RPR logical interface RPR-Router1.

Explanation The RPR ring topology was stable.

Recommended action No action is required.

550
Security level: Secret

RPR_TOPOLOGY_INVALID
A topology invalid defect is present on the ring corresponding to RPR logical
Message text interface [STRING].

Variable fields $1: Interface name.

Severity level 4
RPR/4/RPR_TOPOLOGY_INVALID: A topology invalid defect is present on
Example the ring corresponding to RPR logical interface RPR-Router1.

Explanation The topology information collected by the RPR stations was invalid.
Execute the shutdown command and then the undo shutdown command on
Recommended action the RPR stations to collect topology information again.

RPR_TOPOLOGY_INVALID_OVER
A topology invalid defect is cleared on the ring corresponding to RPR logical
Message text interface [STRING].

Variable fields $1: Interface name.

Severity level 5
RPR/5/RPR_TOPOLOGY_INVALID_OVER: A topology invalid defect is
Example cleared on the ring corresponding to RPR logical interface RPR-Router1.

Explanation The topology information collected by the RPR stations was valid.

Recommended action No action is required.

551
Security level: Secret

RRPP messages
This section contains RRPP messages.

RRPP_RING_FAIL
Message text Ring [UINT32] in Domain [UINT32] failed.
$1: Ring ID.
Variable fields
$2: Domain ID.

Severity level 4

Example RRPP/4/RRPP_RING_FAIL: Ring 1 in Domain 1 failed.

Explanation A ring failure occurred in the RRPP domain.

Recommended Check each RRPP node to clear the network fault.


action

RRPP_RING_RESTORE
Message text Ring [UINT32] in Domain [UINT32] recovered.
$1: Ring ID.
Variable fields
$2: Domain ID.

Severity level 4

Example RRPP/4/RRPP_RING_RESTORE: Ring 1 in Domain 1 recovered.

Explanation The ring in the RRPP domain was recovered.

Recommended No action is required.


action

552
Security level: Secret

RTM messages
This section contains RTM messages.

RTM_TCL_NOT_EXIST
Failed to execute Tcl-defined policy [STRING] because the policy's Tcl script file
Message text was not found.

Variable fields $1: Name of a Tcl-defined policy.

Severity level 4
RTM/4/RTM_TCL_NOT_EXIST: Failed to execute Tcl-defined policy aaa
Example because the policy's Tcl script file was not found.
The system did not find the Tcl script file for the policy while executing the
Explanation policy.

Recommended 1. Check that the Tcl script file exists.


action 2. Reconfigure the policy.

RTM_TCL_MODIFY
Failed to execute Tcl-defined policy [STRING] because the policy's Tcl script file
Message text had been modified.

Variable fields $1: Name of a Tcl-defined policy.

Severity level 4
RTM/4/RTM_TCL_MODIFY: Failed to execute Tcl-defined policy aaa because
Example the policy's Tcl script file had been modified.

Explanation The Tcl script file for the policy was modified.

Recommended Reconfigure the policy, or modify the Tcl script to be the same as it was when it
action was bound with the policy.

RTM_TCL_LOAD_FAILED
Message text Failed to load the Tcl script file of policy [STRING].

Variable fields $1: Name of a Tcl-defined policy.

Severity level 4
RTM/4/RTM_TCL_LOAD_FAILED: Failed to load the Tcl script file of policy
Example [STRING].

Explanation The system failed to load the Tcl script file for the policy to memory.

Recommended No action is required.


action

553
Security level: Secret

SCM messages
This section contains SCM messages.

PROCESS_ABNORMAL
Message text The process [STRING] exited abnormally.

Variable fields $1: Process name.

Severity level 5

Example SCM/5/PROCESS_ABNORMAL: The process devd exited abnormally.

Explanation A service exited abnormally.


1. Use the display process command to identify whether the process exists.
If the process exists, the process is recovered.
2. If the process is not recovered, collect the following information:
a. Execute the view /var/log/trace.log > trace.log command in probe
view, and upload the trace.log file saved in the storage media of the
device to the server through FTP or TFTP (in binary mode).
b. Execute the display process log command to display process
information. If the core field displays Y, the core file was generated
Recommended when the process exited.
action c. Execute the display exception context command to collect process
exception information, and save the information. Then, execute the
display exception filepath command to display core file path and
upload the core file and the file that save the process exception
information through FTP or TFTP (in binary mode).
d. Send the files to Hewlett Packard Enterprise Support.
3. If the process has been recovered, but reasons need to be located, go to
step 212.

PROCESS_ACTIVEFAILED
The standby process [STRING] failed to switch to the active process due to
Message text uncompleted synchronization, and was restarted.

Variable fields $1: Process name.

Severity level 4
SCM/4/PROCESS_ACTIVEFAILED: The standby process [STRING] failed to
Example switch to the active process due to uncompleted synchronization, and was
restarted.
The standby process failed to switch to the active process because the active
Explanation process exited abnormally when the standby process has not completed
synchronization. The standby process was restarted.

Recommended No action is required.


action

554
Security level: Secret

SCM_ABNORMAL_REBOOT (Distributed
devices–Centralized IRF devices–In standalone
mode/Distributed devices–In IRF mode)
Message text The process $1 can't be restored. Reboot $2 now.
$1: Process name.
$2: ID of the slot where the abnormal card is located (distributed devices–in
Variable fields standalone mode /distributed devices–In IRF mode).
$2: ID of the abnormal IRF member device (centralized IRF devices).

Severity level 3
SCM/3/SCM_ABNORMAL_REBOOT: The process ipbased can't be restored.
Reboot slot 2 now. (distributed devices–centralized IRF devices–In standalone
Example mode)
SCM/3/SCM_ABNORMAL_REBOOT: The process ipbased can't be restored.
Reboot chassis 1 slot 2 now. (distributed devices–In IRF mode)
The process exited abnormally during card startup. If the process cannot
Explanation restore after multiple automatic restart attempts, the card will restart
automatically.
1. Use the display process command to verify that the process has restored
Recommended after the card restarts.
action 2. If the problem persists, contact Hewlett Packard Enterprise Support.

555
Security level: Secret

SCM_ABNORMAL_REBOOT
The process $1 can't be restored. Reboot now. (Distributed devices.)
Message text The process $1 can't be restored. Reboot now. (Distributed
devices–Centralized IRF devices.)

$1: Process name.


$2: ID of the slot where the card is located, in the slot [INT32] format.
(Distributed devices–In standalone mode.)
Variable fields $3: IRF member ID of the device, in the slot [INT32] format. (Centralized IRF
devices.)
$2: IRF member ID of the device, and ID of the slot where the card is located, in
the chassis [INT32] slot [INT32] format. (Distributed devices–In IRF mode.)

Severity level 3
SCM/3/SCM_ABNORMAL_REBOOT: The process ipbased can't be restored.
Example Reboot now. (Distributed devices–Centralized IRF devices–In standalone
mode.)
The process exited abnormally during the device startup. If the process cannot
restore after multiple automatic restart attempts, the device will restart
automatically. (Centralized IRF devices.)
Explanation
The process exited abnormally during the startup of a specified slot. If the
process cannot restore after multiple automatic restart attempts, the specified
slot will restart automatically. (Distributed devices–Centralized IRF devices.)
1. Use the display process command to verify that the process has restored
Recommended after the card restarts.
action 2. If the problem persists, contact Hewlett Packard Enterprise Support.

SCM_ABNORMAL_REBOOTMDC
Message text The process $1 in $2 $3 can't be restored. Reboot $2 $3 now.
$1: Process name.
Variable fields $2: MDC or context.
$3: ID of the MDC or context.

Severity level 3
SCM/3/SCM_ABNORMAL_REBOOTMDC: The process ipbased in MDC 2
Example can't be restored. Reboot MDC 2 now.

The process exited abnormally during the startup of the MDC on the active MPU
or the context on the main security engine in the security engine group. If the
Explanation process cannot restore after multiple automatic restart attempts, the MDC or
context will restart automatically. This message will be output in MDC 1 or
Context 1.
1. Use the display process command to verify that the process has restored
Recommended after the card restarts.
action 2. If the problem persists, contact Hewlett Packard Enterprise Support.

556
Security level: Secret

SCM_ABORT_RESTORE
Message text The process $1 can't be restored, abort it.

Variable fields $1: Process name.

Severity level 3
SCM/3/SCM_ABORT_RESTORE: The process ipbased can't be restored,
Example abort it.

The process exited abnormally during the system operation. If the process
Explanation cannot restore after multiple automatic restart attempts, the device will not
restore the process.
1. Use the display process log command in any view to display the details
about process exit.
Recommended 2. Restart the card or the MDC where the process is located.
action 3. Provide the output from the display process log command to Hewlett
Packard Enterprise Support.

SCM_INSMOD_ADDON_TOOLONG
Message text Failed to finish loading $1 in $2 minutes.
$1: Kernel file name.
Variable fields
$2: File loading duration.

Severity level 4
SCM/4/SCM_INSMOD_ADDON_TOOLONG: Failed to finish loading addon.ko
Example in 30 minutes.

Explanation Kernel file loading timed out during device startup.

Recommended 1. Restart the card.


action 2. Contact Hewlett Packard Enterprise Support.

SCM_KERNEL_INIT_TOOLONG
Message text Kernel init in sequence $1 function $2 failed to finish in $3 minutes.
$1: Kernel event phase.
Variable fields $2: Address of the function corresponding to the kernel event.
$3: Time duration.

Severity level 4
SCM/4/SCM_KERNEL_INIT_TOOLONG: Kernel init in sequence 0x25e7
Example function 0x6645ffe2 failed to finish in 15 minutes.

Explanation A function at a phase during kernel initialization ran too long.

Recommended 1. Restart the card.


action 2. Contact Hewlett Packard Enterprise Support.

557
Security level: Secret

SCM_PROCESS_STARTING_TOOLONG
Message text The process $1 on $2 has not finished starting in $3 hours.
$1: Process name.
$2: MDC or Context ID. ("on $2" will not be displayed on the devices that do not
Variable fields support MDC or Context.)
$3: Time duration.

Severity level 4
SCM/4/ SCM_PROCESS_STARTING_TOOLONG: The process ipbased on
Example MDC 2 has not finished starting in 1 hours.
The process initialization takes a long time and has not been finished. Too
Explanation many processes have been configured or the process is abnormal.
1. Wait 6 hours and then verify that the process has been started.
Recommended 2. Restart the card/MDC/context, and then use the display process
action command to verify that the process has restored.
3. Contact Hewlett Packard Enterprise Support.

SCM_PROCESS_STILL_STARTING
Message text The process $1 on $2 is still starting for $3 minutes.
$1: Process name.
$2: MDC or context ID. ("on $2" will not be displayed on the devices that do not
Variable fields support MDC or context.)
$3: Time duration.

Severity level 6
SCM/6/SCM_PROCESS_STILL_STARTING: The process ipbased on MDC 2
Example is still starting for 20 minutes.

Explanation A process is always in startup state.

Recommended No action is required.


action

558
Security level: Secret

SCM_SKIP_PROCESS
Message text The process $1 was skipped because it failed to start within 6 hours.

Variable fields $1: Process name.

Severity level 4
SCM/4/SCM_SKIP_PROCESS: The process ipbased was skipped because it
Example failed to start within 6 hours.

A process has not completed its startup within six hours during the
Explanation card/MDC/context startup, skip this process and go on with the startup.
1. Restart the card/MDC/context.
2. Use the display process command to verify that the process has
Recommended restored.
action 3. Provide the output from the display process log command to Hewlett
Packard Enterprise Support.

SCM_SKIP_PROCESS
Message text The process $1 on $2 was skipped because it failed to start within 6 hours.
$1: Process name.
Variable fields $2: MDC or context ID. "on $2" will not be displayed on the devices that do not
support MDC or context.

Severity level 3
SCM/3/SCM_SKIP_PROCESS: The process ipbased on MDC 2 was skipped
Example because it failed to start within 6 hours.

A process failed to start within 6 hours. The device will skip this process and
Explanation continue to start.
1. Restart the card/MDC/context, and then use the display process
Recommended command to verify that the process has restored.
action 2. Contact Hewlett Packard Enterprise Support.

559
Security level: Secret

SCRLSP messages
This section contains static CRLSP messages.

SCRLSP_LABEL_DUPLICATE
Message text Incoming label [INT32] for static CRLSP [STRING] is duplicate.
$1: Incoming label value.
Variable fields
$2: Static CRLSP name.
Severity level 4
SCRLSP/4/SCRLSP_LABEL_DUPLICATE: Incoming label 1024 for static
Example CRLSP aaa is duplicate.
The incoming label of a static CRLSP was occupied by another configuration,
for example, by a static PW or by a static LSP. This message is generated when
one of the following events occurs:
Explanation • When MPLS is enabled, configure a static CRLSP with an incoming label
which is occupied by another configuration.
• Enable MPLS when a static CRLSP whose incoming label is occupied by
another configuration already exists.
Recommended Remove this static CRLSP, and reconfigure it with another incoming label.
action

560
Security level: Secret

SESSION messages
This section contains session messages.

561
Security level: Secret

SESSION_IPV4_FLOW
Protocol(1001)=[STRING];SrcIPAddr(1003)=[IPADDR];SrcPort(1004
)=[UINT16];NATSrcIPAddr(1005)=[IPADDR];NATSrcPort(1006)=[UI
NT16];DstIPAddr(1007)=[IPADDR];DstPort(1008)=[UINT16];NATDst
IPAddr(1009)=[IPADDR];NATDstPort(1010)=[UINT16];InitPktCount(
1044)=[UINT32];InitByteCount(1046)=[UINT32];RplyPktCount(1045)
Message text =[UINT32];RplyByteCount(1047)=[UINT32];RcvVPNInstance(1042)
=[STRING];SndVPNInstance(1043)=[STRING];RcvDSLiteTunnelPe
er(1040)=[STRING];SndDSLiteTunnelPeer(1041)=[STRING];BeginT
ime_e(1013)=[STRING];EndTime_e(1014)=[STRING];Event(1048)=
([UNIT16])[STRING];
$1: Protocol type.
$2: Source IP address.
$3: Source port number.
$4: Source IP address after translation.
$5: Source port number after translation..
$6: Destination IP address.
$7: Destination port number.
$8: Destination IP address after translation.
$9: Destination port number after translation.
$10: Total number of inbound packets.
$11: Total number of inbound bytes.
$12: Total number of outbound packets.
$13: Total number of outbound bytes.
Variable fields $14: Source VPN instance name.
$15: Destination VPN instance name.
$16: Source DS-Lite tunnel.
$17: Destination DS-Lite tunnel.
$18: Time when the session is created.
$19: Time when the session is removed.
$20: Event type.
$20: Event description:
 Session created.
 Active flow threshold.
 Normal over.
 Aged for timeout.
 Aged for reset or config-change.
 Other.
Severity level 6
SESSION/6/SESSION_IPV4_FLOW:
Protocol(1001)=UDP;SrcIPAddr(1003)=10.10.10.1;SrcPort(1004)=1
024;NATSrcIPAddr(1005)=10.10.10.1;NATSrcPort(1006)=1024;DstI
PAddr(1007)=20.20.20.1;DstPort(1008)=21;NATDstIPAddr(1009)=2
Example 0.20.20.1;NATDstPort(1010)=21;InitPktCount(1044)=1;InitByteCoun
t(1046)=50;RplyPktCount(1045)=0;RplyByteCount(1047)=0;RcvVP
NInstance(1042)=;SndVPNInstance(1043)=;RcvDSLiteTunnelPeer(
1040)=;SndDSLiteTunnelPeer(1041)=;BeginTime_e(1013)=031820
24082546;EndTime_e(1014)=;Event(1048)=(8)Session created;
This message is sent in one of the following conditions:
Explanation
• An IPv4 session is created or removed.

562
Security level: Secret

• Periodically during an IPv4 session.


• The traffic-based or time-based threshold of an IPv4 session is
reached.
Recommended action No action is required.

SESSION_IPV6_FLOW
Protocol(1001)=[STRING];SrcIPv6Addr(1036)=[IPADDR];SrcPort(1004)=[UINT
16];DstIPv6Addr(1037)=[IPADDR];DstPort(1008)=[UINT16];InitPktCount(1044)
=[UINT32];InitByteCount(1046)=[UINT32];RplyPktCount(1045)=[UINT32];Rply
Message text ByteCount(1047)=[UINT32];RcvVPNInstance(1042)=[STRING];SndVPNInstan
ce(1043)=[STRING];BeginTime_e(1013)=[STRING];EndTime_e(1014)=[STRIN
G];Event(1048)=([UNIT16])[STRING];
$1: Protocol type.
$2: Source IPv6 address.
$3: Source port number.
$4: Destination IP address.
$5: Destination port number.
$6: Total number of inbound packets.
$7: Total number of inbound bytes.
$8: Total number of outbound packets.
$9: Total number of outbound bytes.
$10: Source VPN instance name.
Variable fields $11: Destination VPN instance name.
$12: Time when the session is created.
$13: Time when the session is removed.
$14: Event type.
$15: Event description:
 Session created.
 Active flow threshold.
 Normal over.
 Aged for timeout.
 Aged for reset or config-change.
 Other.
Severity level 6
SESSION/6/SESSION_IPV6_FLOW:
Protocol(1001)=UDP;SrcIPv6Addr(1036)=2001::2;SrcPort(1004)=1024;DstIPv
6Addr(1037)=3001::2;DstPort(1008)=53;InitPktCount(1044)=1;InitByteCount(1
Example 046)=110;RplyPktCount(1047)=0;RplyByteCount(1047)=0;RcvVPNInstance(10
42)=;SndVPNInstance(1043)=;BeginTime_e(1013)=03182024082901;EndTim
e_e(1014)=;Event(1048)=(8)Session created;
This message is sent in one of the following conditions:
• An IPv6 session is created or removed.
Explanation
• Periodically during an IPv6 session.
• The traffic-based or time-based threshold of an IPv6 session is reached.
Recommended No action is required.
action

563
Security level: Secret

SFLOW messages
This section contains sFlow messages.

SFLOW_HARDWARE_ERROR
Message text Failed to [STRING] on interface [STRING] due to [STRING].
$1: Configuration item: update sampling mode
Variable fields $2: Interface name.
$3: Failure reason: not supported operation
Severity level 4
SFLOW/4/SFLOW_HARDWARE_ERROR: Failed to update sampling mode on
Example interface GigabitEthernet1/0/1 due to not supported operation.
The configuration failed because the device does not support the fixed flow
Explanation sampling mode.
Recommended Specify the random flow sampling mode.
action

564
Security level: Secret

SHELL messages
This section contains shell messages.

SHELL_CMD
Message text -Line=[STRING]-IPAddr=[STRING]-User=[STRING]; Command is [STRING]
$1: User line type and number. If there is not user line information, this field
displays **.
Variable fields $2: IP address. If there is not IP address information, this field displays **.
$3: Username. If there is not username information, this field displays **.
$4: Command string.

Severity level 6

Example SHELL/6/SHELL_CMD: -Line=aux0-IPAddr=**-User=**; Command is quit

Explanation A command was successfully executed.

Recommended No action is required.


action

SHELL_CMD_CONFIRM
Message text Confirm option of command [STRING] is [STRING].
$1: Command string.
Variable fields
$2: Confirm option.

Severity level 6

Example SHELL/6/SHELL_CMD_CONFIRM: Confirm option of command save is no.

Explanation A user selected a confirmation option for a command.

Recommended No action is required.


action

565
Security level: Secret

SHELL_CMD_EXECUTEFAIL
-User=[STRING]-IPAddr=[STRING]; Command [STRING] in view [STRING]
Message text failed to be executed.
$1: Username.
$2: IP address.
Variable fields
$3: Command string.
$4: Command view.

Severity level 4
SHELL/4/SHELL_CMD_EXECUTEFAIL: -User=**-IPAddr=192.168.62.138;
Example Command save in view system failed to be executed.

Explanation A command failed to be executed.

Recommended No action is required.


action

SHELL_CMD_INPUT
Message text Input string for the [STRING] command is [STRING].
$1: Command string.
Variable fields
$2: String entered by the user.

Severity level 6
SHELL/6/SHELL_CMD_INPUT: Input string for the save command is
startup.cfg.
Example SHELL/6/SHELL_CMD_INPUT: Input string for the save command is CTRL_C.
SHELL/6/SHELL_CMD_INPUT: Input string for the save command is the Enter
key.

Explanation A user responded to the input requirement of a command.

Recommended No action is required.


action

SHELL_CMD_INPUT_TIMEOUT
Message text Operation timed out: Getting input for the [STRING] command.

Variable fields $1: Command string.

Severity level 6
SHELL/6/SHELL_CMD_INPUT_TIMEOUT: Operation timed out: Getting input
Example for the fdisk command.

The user did not respond to the input requirement of a command before the
Explanation timeout timer expired.

Recommended No action is required.


action

566
Security level: Secret

SHELL_CMD_MATCHFAIL
-User=[STRING]-IPAddr=[STRING]; Command [STRING] in view [STRING]
Message text failed to be matched.
$1: Username.
$2: IP address.
Variable fields
$3: Command string.
$4: Command view.

Severity level 4
SHELL/4/SHELL_CMD_MATCHFAIL: -User=**-IPAddr=192.168.62.138;
Example Command description 10 in view system failed to be matched.

Explanation The command string has errors, or the view does not support the command.

Recommended Enter the correct command string. Make sure the command is supported in the
action view.

SHELL_CMDDENY
-Line=[STRING]-IPAddr=[STRING]-User=[STRING]; Command=[STRING] is
Message text denied.

$1: User line type and number. If there is not user line information, this field
displays **.

Variable fields $2: IP address. If there is not IP address information, this field displays **.
$3: Username. If there is not username information, this field displays **.
$4: Command string.

Severity level 5
SHELL/5/SHELL_CMDDENY: -Line=vty0-IPAddr=192.168.62.138-User=**;
Example Command vlan 10 is permission denied.

Explanation The user did not have the right to execute the command.

Recommended No action is required.


action

SHELL_CMDFAIL
Message text Command [STRING] failed to restore the configuration.

Variable fields $1: Command string.

Severity level 6
SHELL/6/SHELL_CMDFAIL: The “save” command failed to restore the
Example configuration.

Explanation The command failed to restore the configuration.

Recommended No action is required.


action

567
Security level: Secret

SHELL_CRITICAL_CMDFAIL
Message text -User=[STRING]-IPAddr=[STRING]; Command=[STRING] .
$1: Username.
Variable fields $2: IP address.
$3: Command string.

Severity level 6
SHELL/6/SHELL_CRITICAL_CMDFAIL: -User=admin-IPAddr=169.254.0.7;
Example Command is save.

Explanation A command failed to be executed or was canceled.

Recommended No action is required.


action

SHELL_LOGIN
Message text [STRING] logged in from [STRING].
$1: Username.
Variable fields
$2: User line type and number.

Severity level 5

Example SHELL/5/SHELL_LOGIN: Console logged in from console0.

Explanation A user logged in.

Recommended No action is required.


action

SHELL_LOGOUT
Message text [STRING] logged out from [STRING].
$1: Username.
Variable fields
$2: User line type and number.

Severity level 5

Example SHELL/5/SHELL_LOGOUT: Console logged out from console0.

Explanation A user logged out.

Recommended No action is required.


action

568
Security level: Secret

SLSP messages
This section contains static LSP messages.

SLSP_LABEL_DUPLICATE
Message text Incoming label [INT32] for static LSP [STRING] is duplicate.
$1: Incoming label value.
Variable fields
$2: Static LSP name.
Severity level 4
SLSP/4/SLSP_LABEL_DUPLICATE: Incoming label 1024 for static LSP aaa is
Example duplicate.
The incoming label of a static LSP was occupied by another configuration, for
example, by a static PW or by a static CRLSP. This message is generated when
one of the following events occurs:
Explanation • When MPLS is enabled, configure a static LSP with an incoming label
which is occupied by another configuration.
• Enable MPLS when a static LSP whose incoming label is occupied by
another configuration already exists.
Recommended Remove this static LSP, and reconfigure it with another incoming label.
action

569
Security level: Secret

SMLK messages
This section contains Smart Link messages.

SMLK_LINK_SWITCH
Message text Status of port [STRING] in smart link group [UINT16] changes to active.
$1: Port name.
Variable fields
$2: Smart link group ID.

Severity level 4
SMLK/4/SMLK_LINK_SWITCH: Status of port GigabitEthernet0/1/4 in smart
Example link group 1 changes to active.

Explanation The port takes over to forward traffic after the former primary port fails.

Recommended Remove the network faults.


action

570
Security level: Secret

SNMP messages
This section contains SNMP messages.

SNMP_ACL_RESTRICTION
Message text SNMP [STRING] from [STRING] is rejected due to ACL restriction.
$1: SNMP community/usm-user/group.
Variable fields
$2: IP address of the NMS.

Severity level 3
SNMP/3/SNMP_ACL_RESTRICTION: SNMP community public from
Example 192.168.1.100 is rejected due to ACL restrictions.

Explanation SNMP packets are denied because of ACL restrictions.

Recommended Check the ACL configuration on the SNMP agent, and check if the agent was
action attacked.

SNMP_AUTHENTICATION_FAILURE
Message text Failed to authenticate SNMP message.

Variable fields N/A

Severity level 4
SNMP/4/SNMP_AUTHENTICATION_FAILURE: Failed to authenticate SNMP
Example message.

Explanation An NMS failed to be authenticated by the agent.

Recommended No action is required.


action

571
Security level: Secret

SNMP_GET
-seqNO=[UINT32]-srcIP=[STRING]-op=GET-node=[STRING]-value=[STRING]; The
Message text agent received a message.
$1: Sequence number of an SNMP operation log.
$2: IP address of the NMS.
Variable fields
$3: MIB object name and OID.
$4: Value field of the request packet.

Severity level 6
SNMP/6/SNMP_GET:
Example -seqNO=1-srcIP=192.168.28.28-op=GET-node=sysLocation(1.3.6.1.2.1.1.6.0)-value=;
The agent received a message.

SNMP received a Get request from an NMS. The system logs SNMP operations only
Explanation when SNMP logging is enabled.

Recommended No action is required.


action

SNMP_NOTIFY
Message text Notification [STRING][STRING].
$1: Notification name and OID.
$2: Variable-binding field of notifications.
Variable fields  If no MIB object exists, only notification name and OID are displayed.
 If MIB objects are included, " with " are displayed before the MIB object
and OID. MIB objects are separated by semicolons (;).

Severity level 6
SNMP/6/SNMP_NOTIFY: Notification
hh3cLogIn(1.3.6.1.4.1.25506.2.2.1.1.3.0.1) with
Example hh3cTerminalUserName(1.3.6.1.4.1.25506.2.2.1.1.2.1.0)=;hh3cTerminalSourc
e(1.3.6.1.4.1.25506.2.2.1.1.2.2.0)=Console.

The SNMP agent sent a notification. This message displays the notification
Explanation content.

Recommended No action is required.


action

572
Security level: Secret

SNMP_SET
Message -seqNO=[UINT32]-srcIP=[STRING]-op=SET-errorIndex=[UINT32]-errorStatus=[STRING]-no
text de=[STRING]-value=[STRING]; The agent received a message.

$1: Sequence number of an SNMP operation log.


$2: IP address of the NMS.
Variable $3: Error index of the Set operation.
fields $4: Error status of the Set operation.
$5: MIB object name and OID.
$6: Value of the MIB object changed by the Set operation.

Severity 6
level
SNMP/6/SNMP_SET:
Example -seqNO=3-srcIP=192.168.28.28-op=SET-errorIndex=0-errorStatus=noError-node=sysLocati
on(1.3.6.1.2.1.1.6.0)-value=Hangzhou China; The agent received a message.

Explanatio SNMP received a Set request from an NMS. The system logs SNMP operations only when
n SNMP logging is enabled.

Recomme
nded No action is required.
action

SNMP_USM_NOTINTIMEWINDOW
-User=[STRING]-IPAddr=[STRING]; SNMPv3 message is not in the time
Message text window.
$1: Username.
Variable fields
$2: IP address of the NMS.

Severity level 4
SNMP/4/SNMP_USM_NOTINTIMEWINDOW:
Example -User=admin-IPAddr=169.254.0.7; SNMPv3 message is not in the time
window.

Explanation The SNMPv3 message is not in the time window.

Recommended No action is required.


action

573
Security level: Secret

SSHS messages
This section contains SSH server messages.

SSHS_ACL_DENY
The SSH Connection [IPADDR]([STRING]) request was denied according to ACL
Message text rules.
$1: IP address of the SSH client.
Variable fields
$2: VPN instance to which the IP address of the SSH client belongs.
Severity level 5
SSHS/5/FTP_ACL_DENY: The SSH Connection 1.2.3.4(vpn1) request was
Example denied according to ACL rules.
The SSH server detected a login attempt from the invalid SSH client and denied
Explanation the connection request of the client by using the ACL rules.
Recommended No action is required.
action

SSHS_ALGORITHM_MISMATCH
Message text SSH client [STRING] failed to log in because of [STRING] algorithm mismatch.
$1: IP address of the SSH client.
Variable fields $2: Type of the algorithm, including encryption, key exchange, MAC, and public
key.
Severity level 6
SSHS/6/SSHS_ALGORITHM_MISMATCH: SSH client 192.168.30.117 failed to
Example log in because of encryption algorithm mismatch.
Explanation The SSH client and the SSH server used different algorithms.
Recommended Check that the SSH client and the SSH server use the same algorithm.
action

574
Security level: Secret

SSHS_AUTH_EXCEED_RETRY_TIMES
SSH user [STRING] (IP: [STRING]) failed to log in, because the number of
Message text authentication attempts exceeded the upper limit.
$1: User name.
Variable fields
$2: IP address of the SSH client.
Severity level 6
SSHS/6/SSHS_AUTH_EXCEED_RETRY_TIMES: SSH user David (IP:
Example 192.168.30.117) failed to log in, because the number of authentication attempts
exceeded the upper limit.
Explanation The number of authentication attempts by an SSH user reached the upper limit.
Recommended Prompt the SSH user to use the correct login data to try again.
action

SSHS_AUTH_FAIL
SSH user [STRING] (IP: [STRING]) didn't pass public key authentication for
Message text [STRING].
$1: Username.
$2: IP address of the SSH client.
$3: Failure reasons:
Variable fields
 Wrong public key algorithm.
 Wrong public key.
 Wrong digital signature.
Severity level 5
SSHS/5/SSHS_AUTH_FAIL: SSH user David (IP: 192.168.30.117) didn't pass
Example public key authentication for wrong public key algorithm.
Explanation An SSH user failed the publickey authentication.
Recommended Tell the SSH user to try to log in again.
action

SSHS_AUTH_TIMEOUT
Message text Authentication timed out for [IPADDR].

Variable fields $1: IP address of the SSH client.


Severity level 6
Example SSHS/6/SSHS_AUTH_TIMEOUT: Authentication timed out for 1.1.1.1.
The authentication timeout timer expired, and the SSH user failed the
Explanation authentication.
Recommended Make sure the SSH user enters correct authentication information before the
action authentication timeout timer expires.

575
Security level: Secret

SSHS_CONNECT
Message text SSH user [STRING] (IP: [STRING]) connected to the server successfully.
$1: Username.
Variable fields
$2: IP address of the SSH client.
Severity level 6
SSHS/6/SSHS_CONNECT: SSH user David (IP: 192.168.30.117) connected to
Example the server successfully.
Explanation An SSH user logged in to the server successfully.
Recommended No action is required.
action

SSHS_DECRYPT_FAIL
Message text The packet from [STRING] failed to be decrypted with [STRING].
$1: IP address of the SSH client.
Variable fields
$2: Encryption algorithm, such as AES256-CBC.
Severity level 5
SSHS/5/SSHS_DECRYPT_FAIL: The packet from 192.168.30.117 failed to be
Example decrypted with aes256-cbc.
Explanation A packet from an SSH client failed to be decrypted.
Recommended No action is required.
action

SSHS_DISCONNECT
Message text SSH user [STRING] (IP: [STRING]) disconnected from the server.
$1: Username.
Variable fields
$2: IP address of the SSH client.
Severity level 6
SSHS/6/SSHS_DISCONNECT: SSH user David (IP: 192.168.30.117)
Example disconnected from the server.
Explanation An SSH user logged out.
Recommended No action is required.
action

576
Security level: Secret

SSHS_ENCRYPT_FAIL
Message text The packet to [STRING] failed to be encrypted with [STRING].
$1: IP address of the SSH client.
Variable fields
$2: Encryption algorithm, such as aes256-cbc.
Severity level 5
SSHS/5/SSHS_ENCRYPT_FAIL: The packet to 192.168.30.117 failed to be
Example encrypted with aes256-cbc.
Explanation A packet to an SSH client failed to be encrypted.
Recommended No action is required.
action

SSHS_LOG
Authentication failed for [STRING] from [STRING] port [INT32] because of invalid
Message text username or wrong password.
$1: IP address of the SSH client.
Variable fields $2: Username.
$3: Port number.
Severity level 6
SSHS/6/SSHS_LOG: Authentication failed for David from 140.1.1.46 port 16266
Example because of invalid username or wrong password.
An SSH user failed password authentication because the username or password
Explanation was wrong.
Recommended No action is required.
action

SSHS_MAC_ERROR
SSH server received a packet with wrong message authentication code (MAC)
Message text from [STRING].

Variable fields $1: IP address of the SSH client.


Severity level 6
SSHS/6/SSHS_MAC_ERROR: SSH server received a packet with wrong
Example message authentication code (MAC) from 192.168.30.117.
Explanation The SSH server received a packet with a wrong MAC from a client.
Recommended No action is required.
action

577
Security level: Secret

SSHS_REACH_SESSION_LIMIT
SSH client [STRING] failed to log in. The current number of SSH sessions is
Message text [NUMBER]. The maximum number allowed is [NUMBER].
$1: IP address of the SSH client.
Variable fields $2: Current number of SSH sessions.
$3: Maximum number of SSH sessions allowed on the device.
Severity level 6
SSHS/6/SSHS_REACH_SESSION_LIMIT: SSH client 192.168.30.117 failed to
Example log in. The current number of SSH sessions is 10. The maximum number allowed
is 10.
Explanation The number of SSH sessions reached the upper limit.
Recommended No action is required.
action

SSHS_REACH_USER_LIMIT
SSH client [STRING] failed to log in, because the number of users reached the
Message text upper limit.

Variable fields $1: IP address of the SSH client.


Severity level 6
SSHS/6/SSHS_REACH_USER_LIMIT: SSH client 192.168.30.117 failed to log in,
Example because the number of users reached the upper limit.
Explanation The number of SSH users reached the upper limit.
Recommended No action is required.
action

SSHS_SCP_OPER
Message text User [STRING] at [IPADDR] requested operation: [STRING].
$1: Username.
$2: IP address of the SCP client.
Variable fields $3: Requested file operations:
 get file "name"'—Downloads the file name from the SCP server.
 put file "name"—Uploads the file name to the SCP server.

Severity level 6
SSHS/6/SSHS_SCP_OPER: -MDC=1; User user1 at 1.1.1.1 requested
Example operation: put file "aa".
Explanation The SCP sever received an operation request from an SCP client.
Recommended No action is required.
action

578
Security level: Secret

SSHS_SFTP_OPER
Message text User [STRING] at [IPADDR] requested operation: [STRING].
$1: Username.
$2: IP address of the SFTP client.
$3: Requested operations on a file or directory:
 open dir "path"—Opens the directory path.
 open "file" (attribute code code) in MODE mode—Opens the file file
with the attribute code code in mode MODE.
Variable fields
 remove file "path"—Deletes the file path.
 mkdir "path" (attribute code code)—Creates a new directory path with
the attribute code code.
 rmdir "path"—Deletes the directory path.
 rename old "old-name" to new "new-name"—Changes the name of a
file or folder from old-name to new-name.

Severity level 6
SSHS/6/SSHS_SFTP_OPER: User user1 at 1.1.1.1 requested operation: open
Example dir "flash:/".
Explanation The SFTP sever received an operation request from an SFTP client.
Recommended No action is required.
action

SSHS_VERSION_MISMATCH
Message text SSH client [STRING] failed to log in because of version mismatch.

Variable fields $1: IP address of the SSH client.


Severity level 6
SSHS/6/SSHS_VERSION_MISMATCH: SSH client 192.168.30.117 failed to log in
Example because of version mismatch.
Explanation The SSH client and the SSH server used different SSH versions.
Recommended Check that the SSH client and the SSH server use the same SSH version.
action

579
Security level: Secret

STAMGR messages
This section contains station management messages.

STAMGR_ADD_FAILVLAN
Message text -SSID=[STRING]-UserMAC=[STRING]; Added a user to the Fail VLAN [STRING].
$1: SSID.
Variable fields $2: MAC address of the client.
$3: ID of the Fail VLAN.
Severity level 5
STAMGR/5/STAMGR_ADD_FAILVLAN:-SSID=text-wifi-UserMAC=3ce5-a616-28cd;
Example Added a user to the Fail VLAN 5.
Explanation The client failed to pass the authentication and was assigned to the Auth-Fail VLAN.
Recommended No action is required.
action

STAMGR_ADDBAC_INFO
Message text Add BAS AC [STRING].

Variable fields $1: MAC address of the BAS AC.


Severity level 6
Example STAMGR/6/STAMGR_ADDBAC_INFO: Add BAS AC 3ce5-a616-28cd.
Explanation The BAS AC was connected to the master AC.
Recommended action No action is required.

STAMGR_ADDSTA_INFO
Message text Add client [STRING].

Variable fields $1: MAC address of the client.


Severity level 6
Example STAMGR/6/STAMGR_ADDSTA_INFO: Add client 3ce5-a616-28cd.
Explanation The client was connected to the BAS AC.
Recommended action No action is required.

580
Security level: Secret

STAMGR_AUTHORACL_FAILURE
-SSID=[STRING]-UserMAC=[STRING]; Failed to assign an ACL. Reason:
Message text [STRING].

$1: SSID.
$2: MAC address of the client.
$3: Reason:
• The ACL doesn't exist.
Variable fields • ACL type not supported.
• Not enough hardware resources.
• The ACL conflicts with other ACLs.
• The ACL doesn't contain any rules.
• Unknown error.

Severity level 5

STAMGR/5/STAMGR_AUTHORACL_FAILURE:-SSID=text-wifi-UserMAC=3ce5-
Example a616-28cd; Failed to assign an ACL. Reason: The ACL doesn’t exist.

Explanation The authentication server failed to assign an ACL to the client.

Recommended No action is required.


action

STAMGR_AUTHORUSERPROFILE_FAILURE
Message text -SSID=[STRING]-UserMAC=[STRING]; Failed to assign a user profile.

$1: SSID.
Variable fields
$2: MAC address of the client.

Severity level 5

STAMGR/5/STAMGR_AUTHORUSERPROFILE_FAILURE:-SSID=text-wifi-User
Example MAC=3ce5-a616-28cd; Failed to assign a user profile.

Explanation The authentication server failed to assign a user profile to the client.

Recommended No action is required.


action

581
Security level: Secret

STAMGR_CLIENT_OFFLINE
Client [STRING] went offline from BSS [STRING] with [STRING]. State changed to
Message text Unauth.
$1: MAC address of the client.
Variable fields $2: BSSID.
$3: SSID defined in the service template.
Severity level 6
STAMGR/6/STAMGR_CLIENT_OFFLINE: Client 0023-8933-2147 went offline
Example from BSS 0023-12ef-78dc with SSID abc. State changed to Unauth.
Explanation The client went offline from the BSS. The state of the client changed to Unauth.
To resolve the problem:
1. Examine whether the AP and its radios operate correctly if the client went
offline abnormally.
Recommended action 2. If they do not operate correctly, check the debugging information to locate the
problem and resolve it.
3. If the problem persists, contact Hewlett Packard Enterprise Support.

STAMGR_CLIENT_ONLINE
Client [STRING] went online from BSS [STRING] with SSID [STRING]. State
Message text changed to Run.
$1: MAC address of the client.
Variable fields $2: BSSID.
$3: SSID defined in the service template.
Severity level 6
STAMGR/6/STAMGR_CLIENT_ONLINE: Client 0023-8933-2147 went online
Example from BSS 0023-12ef-78dc with SSID abc. State changed to Run.
Explanation The client came online from the BSS. The state of the client changed to Run.
Recommended action No action is required.

STAMGR_DELBAC_INFO
Message text Delete BAS AC [STRING].

Variable fields $1: MAC address of the BAS AC.


Severity level 6
Example STAMGR/6/STAMGR_DELBAC_INFO: Delete BAS AC 3ce5-a616-28cd.
Explanation The BAS AC was disconnected from the master AC.
Recommended action No action is required.

582
Security level: Secret

STAMGR_DELSTA_INFO
Message text Delete client [STRING].

Variable fields $1: MAC address of the client.


Severity level 6
Example STAMGR/6/STAMGR_DELSTA_INFO: Delete client 3ce5-a616-28cd.
Explanation The client was disconnected from the BAS AC.
Recommended action No action is required.

STAMGR_DOT1X_LOGIN_FAILURE
-Username=[STRING]-UserMAC=[STRING]-SSID=[STRING]-VLANID=[STRING]; A
Message text user failed 802.1X authentication.
$1: Username.
$2: MAC address of the client.
Variable fields
$3: SSID.
$4: VLAN ID.
Severity level 5
STAMGR/5/STAMGR_DOT1X_LOGIN_FAILURE:-Username=
Example Dot1X-UserMAC=3ce5-a616-28cd-SSID=text-wifi-VLANID=11; A user failed 802.1X
authentication.
The client failed to pass 802.1X authentication. The failure can be caused by one of
the following reasons:
Explanation • Unavailable AAA server.
• Incorrect username or password.
To resolve the problem:
1. Examine the network connection between the device and the AAA server.
Recommended 2. Verify that the AAA server works correctly.
action 3. Verify that the AAA server is configured with the correct username and
password.
4. If the problem persists, contact Hewlett Packard Enterprise Support.

583
Security level: Secret

STAMGR_DOT1X_LOGIN_SUCC
-Username=[STRING]-UserMAC=[STRING]-SSID=[STRING]-VLANID=[STRING]
Message text ; A user passed 802.1X authentication and came online.

$1: Username.
$2: MAC address of the client.
Variable fields
$3: SSID.
$4: VLAN ID.

Severity level 6

STAMGR/6/STAMGR_DOT1X_LOGIN_SUCC:-Username=Dot1X-UserMAC=3ce
Example 5-a616-28cd-SSID=text-wifi-VLANID=11; A user passed 802.1X authentication
and came online.

Explanation The client came online after passing 802.1X authentication.

Recommended No action is required.


action

STAMGR_DOT1X_LOGOFF
Username=[STRING]-UserMAC=[STRING]-SSID=[STRING]-VLANID=[STRING];
Message text Session for an 802.1X user was terminated.

$1: Username.
$2: MAC address of the client.
Variable fields
$3: SSID.
$4: VLAN ID.

Severity level 6

STAMGR/6/STAMGR_DOT1X_LOGOFF:-Username=Dot1X-UserMAC=3ce5-a6
Example 16-28cd-SSID=text-wifi-VLANID=11; Session for an 802.1X user was terminated.

Explanation The 802.1X authenticated client was logged off.

Recommended No action is required.


action

584
Security level: Secret

STAMGR_MACA_LOGIN_FAILURE
-Username=[STRING]-UserMAC=[STRING]-SSID=[STRING]-VLANID=[STRING]
Message text -UsernameFormat=[STRING]; A user failed MAC authentication.

$1: Username.
$2: MAC address of the client.
$3: SSID.
Variable fields $4: VLAN ID.
$5: Username format:
• fixed.
• MAC address.

Severity level 5

STAMGR/5/STAMGR_MACA_LOGIN_FAILURE:-Username=MAC-UserMAC=3c
Example e5-a616-28cd-SSID=text-wifi-VLANID=11-UsernameFormat=fixed; A user failed
MAC authentication.
The client failed to pass MAC authentication. The failure can be caused by one of
the following reasons:
Explanation • Unavailable AAA server.
• Incorrect username or password.
To resolve the problem:
1. Examine the network connection between the device and the AAA server.
Recommended 2. Verify that the AAA server works correctly.
action 3. Verify that the AAA server is configured with the correct username and
password.
4. If the problem persists, contact Hewlett Packard Enterprise Support.

585
Security level: Secret

STAMGR_MACA_LOGIN_SUCC
-Username=[STRING]-UserMAC=[STRING]-SSID=[STRING]-VLANID=[STRING]
Message text -UsernameFormat=[STRING]; A user passed MAC authentication and came
online.
$1: Username.
$2: MAC address of the client.
$3: SSID.
Variable fields $4: VLAN ID.
$5: Username format:
• fixed.
• MAC address.

Severity level 6

STAMGR/6/STAMGR_MACA_LOGIN_SUCC:-Username=MAC-UserMAC=3ce5-
Example a616-28cd-SSID=text-wifi-VLANID=11-UsernameFormat=fixed; A user passed
MAC authentication and came online.

Explanation The client came online after passing MAC authentication.

Recommended No action is required.


action

STAMGR_MACA_LOGOFF
-Username=[STRING]-UserMAC=[STRING]-SSID=[STRING]-VLANID=[STRING]
Message text -UsernameFormat=[STRING]; Session for a MAC authentication user was
terminated.
$1: Username.
$2: MAC address of the client.
$3: SSID.
Variable fields $4: VLAN ID.
$5: Username format:
• fixed.
• MAC address.

Severity level 6

STAMGR/6/STAMGR_MACA_LOGOFF:-Username=MAC-UserMAC=3ce5-a616
Example -28cd-SSID=text-wifi-VLANID=11-UsernameFormat=fixed; Session for a MAC
authentication user was terminated.

Explanation The MAC authenticated client was logged off.

Recommended No action is required.


action

586
Security level: Secret

STAMGR_STAIPCHANGE_INFO
Message text IP address of client [STRING] changed to [STRING].
$1: MAC address of the client.
Variable fields
$1: New IP address of the client.
Severity level 6
STAMGR/6/STAMGR_STAIPCHANGE_INFO: IP address of client
Example 3ce5-a616-28cd changed to 4.4.4.4.
Explanation The IP address of the client was updated.
Recommended action No action is required.

STAMGR_TRIGGER_IP
-SSID=[STRING]-UserMAC=[STRING]-VLANID=[STRING]; Intrusion protection
Message text triggered. Action: [STRING].

$1: SSID.
$2: MAC address of the client.
$4: VLAN ID.
Variable fields $5: Action:
Added the user to the blocked MAC address list.
Closed the user's BSS temporarily.
• Closed the user's BSS permanently.

Severity level 5

STAMGR/5/STAMGR_TRIGGER_IP:-SSID=text-wifi-UserMAC=3ce5-a616-28cd-
Example VLANID=11; Intrusion protection triggered, the intrusion protection action: added a
user to the list of Block-MAC.

Explanation Intrusion protection was triggered and the action was displayed.

Recommended No action is required.


action

587
Security level: Secret

STM messages
This section contains IRF messages.

STM_AUTO_UPDATE_FAILED
Message text Slot [UINT32] auto-update failed. Reason: [STRING].
$1: IRF member ID.
$2: Failure reason:
 Timeout when loading—The IRF member device failed to complete
loading software within the required time period.
Variable fields  Wrong description when loading—The file description in the
software image file does not match the current attributes of the
software image. This issue might occur when the file does not exist or
is corrupted.
 Disk full when writing to disk—The subordinate device does not
have sufficient storage space.
Severity level 4
STM/4/STM_AUTO_UPDATE_FAILED: Slot 5 auto-update failed. Reason:
Example Timeout when loading.
Explanation Software synchronization from the master failed on a subordinate device.
1. Remove the issue depending on the failure reason:
 If the failure reason is Timeout when loading, verify that all IRF links
are up.
 If the failure reason is Wrong description when loading, download
Recommended the software images again.
action  If the failure reason is Disk full when writing to disk, delete unused
files to free the storage space.
2. Upgrade software manually for the device to join the IRF fabric, and then
connect the device to the IRF fabric.
3. If the problem persists, contact Hewlett Packard Enterprise Support.

588
Security level: Secret

STM_AUTO_UPDATE_FAILED
Message text Chassis [UINT32] slot [UINT32] auto-update failed. Reason: [STRING].
$1: IRF member ID.
$2: Slot number of an MPU.
$3: Failure reason:
 Timeout when loading—The MPU failed to complete loading
software within the required time period.
Variable fields  Wrong description when loading—The file description in the
software image file does not match the current attributes of the
software image. This issue might occur when the file does not exist or
is corrupted.
 Disk full when writing to disk—The MPU does not have sufficient
storage space.
Severity level 4
STM/4/STM_AUTO_UPDATE_FAILED: Chassis 1 slot 1 auto-update failed.
Example Reason: Timeout when loading.
Explanation Software synchronization from the master failed on an MPU.
1. Remove the issue depending on the failure reason:
 If the failure reason is Timeout when loading, verify that all IRF links
are up.
 If the failure reason is Wrong description when loading, download
Recommended the software images again.
action  If the failure reason is Disk full when writing to disk, delete unused
files to free the storage space.
2. Upgrade software manually for the device that holds the MPU, and then
connect the device to the IRF fabric.
3. If the problem persists, contact Hewlett Packard Enterprise Support.

STM_AUTO_UPDATE_FINISHED
Message text File loading finished on slot [UINT32].

Variable fields $1: IRF member ID.


Severity level 5
Example STM/5/STM_AUTO_UPDATE_FINISHED: File loading finished on slot 3.
Explanation The member device finished to load software images.
Recommended No action is required.
action

589
Security level: Secret

STM_AUTO_UPDATE_FINISHED
Message text File loading finished on chassis [UINT32] slot [UINT32].
$1: IRF member ID.
Variable fields
$2: Slot number of an MPU.
Severity level 5
STM/5/STM_AUTO_UPDATE_FINISHED: File loading finished on chassis 1
Example slot 3.
Explanation The MPU finished to load software images.
Recommended No action is required.
action

STM_AUTO_UPDATING
Message text Don't reboot the slot [UINT32]. It is loading files.

Variable fields $1: IRF member ID.


Severity level 5
Example STM/5/STM_AUTO_UPDATING: Don't reboot the slot 2. It is loading files.
The member device was loading software images. To avoid software upgrade
Explanation failure, do not reboot the member device when you see this message.
Recommended No action is required.
action

STM_AUTO_UPDATING
Message text Don't reboot the chassis [UINT32] slot [UINT32]. It is loading files.
$1: IRF member ID.
Variable fields
$2: Slot number of an MPU.
Severity level 5
STM/5/STM_AUTO_UPDATING: Don't reboot the chassis 1 slot 2. It is loading
Example files.
The MPU was loading software images. To avoid software upgrade failure, do
Explanation not reboot the MPU when you see this message.
Recommended No action is required.
action

590
Security level: Secret

STM_LINK_DOWN
Message text IRF port [UINT32] went down.

Variable fields $1: IRF port name.


Severity level 3
Example STM/3/STM_LINK_DOWN: IRF port 2 went down.
Explanation This event occurs when all physical ports bound to an IRF port are down.
Recommended Check the physical ports bound to the IRF port. Make sure a minimum of one
action member physical port is up.

STM_LINK_MERGE
Message text IRF merge occurred.

Variable fields N/A


Severity level 4
Example STM/4/STM_LINK_MERGE: IRF merge occurred.
Explanation IRF merge occurred.
Recommended No action is required.
action

STM_LINK_TIMEOUT
Message text IRF port [UINT32] went down because the heartbeat timed out.

Variable fields $1: IRF port name.


Severity level 2
STM/2/STM_LINK_TIMEOUT: IRF port 1 went down because the heartbeat
Example timed out.
Explanation The IRF port went down because of heartbeat timeout.
Recommended Check the IRF link for link failure.
action

591
Security level: Secret

STM_LINK_UP
Message text IRF port [UINT32] came up.

Variable fields $1: IRF port name.


Severity level 6
Example STM/6/STM_LINK_UP: IRF port 1 came up.
Explanation An IRF port came up.
Recommended No action is required.
action

STM_MERGE_NEED_REBOOT
Message text IRF merge occurred. This IRF system needs a reboot.

Variable fields N/A


Severity level 4
STM/4/STM_MERGE_NEED_REBOOT: IRF merge occurred. This IRF system
Example needs a reboot.
You must reboot the current IRF fabric for IRF merge, because it failed in the
Explanation master election.
Recommended Log in to the IRF fabric, and use the reboot command to reboot the IRF fabric.
action

STM_MERGE_NOT_NEED_REBOOT
Message text IRF merge occurred. This IRF system does not need to reboot.

Variable fields N/A


Severity level 5
STM/5/STM_MERGE_NOT_NEED_REBOOT: IRF merge occurred. This IRF
Example system does not need to reboot.
You do not need to reboot the current IRF fabric for IRF merge, because it was
Explanation elected the master.
Recommended Reboot the IRF fabric that has failed in the master election to finish the IRF
action merge.

592
Security level: Secret

STM_SAMEMAC
Message text Failed to stack because of the same bridge MAC addresses.

Variable fields N/A


Severity level 4
STM/4/STM_SAMEMAC: Failed to stack because of the same bridge MAC
Example addresses.
Failed to set up the IRF fabric because some member devices are using the
Explanation same bridge MAC address.
1. Verify that IRF bridge MAC persistence is disabled on the member
Recommended devices. To disable this feature, use the undo irf mac-address persistent
action command.
2. If the problem persists, contact Hewlett Packard Enterprise Support.

STM_SOMER_CHECK
Message text Neighbor of IRF port [UINT32] cannot be stacked.

Variable fields $1: IRF port name.


Severity level 3
Example STM/3/STM_SOMER_CHECK: Neighbor of IRF port 1 cannot be stacked.
The neighbor connected to the IRF port cannot form an IRF fabric with the
Explanation device.
1. Check the following items:
 The device models can form an IRF fabric.
Recommended  The IRF settings are correct. For more information, see the IRF
action configuration guide for the device.
2. If the problem persists, contact Hewlett Packard Enterprise Support.

593
Security level: Secret

STP messages
This section contains STP messages.

STP_BPDU_PROTECTION
Message text BPDU-Protection port [STRING] received BPDUs.

Variable fields $1: Interface name.


Severity level 4
STP/4/STP_BPDU_PROTECTION: BPDU-Protection port
Example GigabitEthernet1/0/1 received BPDUs.
Explanation A BPDU-guard-enabled port received BPDUs.
Recommended Check whether the downstream device is a terminal and check for possible
action attacks from the downstream device or other devices.

STP_BPDU_RECEIVE_EXPIRY
Instance [UINT32]'s port [STRING] received no BPDU within the rcvdInfoWhile
Message text interval. Information of the port aged out.
$1: Instance ID.
Variable fields
$2: Interface name.
Severity level 5
STP/5/STP_BPDU_RECEIVE_EXPIRY: Instance 0's port GigabitEthernet1/0/1
Example received no BPDU within the rcvdInfoWhile interval. Information of the port
aged out.
The state of a non-designated port changed because the port did not receive a
Explanation BPDU within the max age.
Recommended Check the STP status of the upstream device and possible attacks from other
action devices.

STP_CONSISTENCY_RESTORATION
Message text Consistency restored on VLAN [UINT32]'s port [STRING].
$1: VLAN ID.
Variable fields
$2: Interface name.
Severity level 6
STP/6/STP_CONSISTENCY_RESTORATION: Consistency restored on VLAN
Example 10's port GigabitEthernet1/0/1.
Explanation Port link type or PVID inconsistency was removed on a port.
Recommended No action is required.
action

594
Security level: Secret

STP_DETECTED_TC
Message text [STRING] [UINT32]'s port [STRING] detected a topology change.
$1: Instance or VLAN.
Variable fields $2: Instance ID or VLAN ID.
$3: Interface name.
Severity level 6
STP/6/STP_DETECTED_TC: Instance 0's port GigabitEthernet1/0/1 detected a
Example topology change.
The MSTP instance or VLAN to which a port belongs had a topology change,
Explanation and the local end detected the change.
Recommended Identify the topology change cause and handle the issue. For example, if the
action change is caused by a link down event, recover the link.

STP_DISABLE
Message text STP is now disabled on the device.

Variable fields N/A


Severity level 6
Example STP/6/STP_DISABLE: STP is now disabled on the device.
Explanation STP was globally disabled on the device.
Recommended No action is required.
action

STP_DISCARDING
Message text Instance [UINT32]'s port [STRING] has been set to discarding state.
$1: Instance ID.
Variable fields
$2: Interface name.
Severity level 6
STP/6/STP_DISCARDING: Instance 0's port GigabitEthernet1/0/1 has been set
Example to discarding state.
MSTP calculated the state of ports within an instance, and a port was set to the
Explanation discarding state.
Recommended No action is required.
action

595
Security level: Secret

STP_DISPUTE
[STRING] [UINT32]'s port [STRING] received an inferior BPDU from a
Message text designated port which is in forwarding or learning state.
$1: Instance or VLAN.
Variable fields $2: Instance ID or VLAN ID.
$3: Interface name.
Severity level 4
STP/4/STP_DISPUTE: Instance 0's port GigabitEthernet1/0/2 received an
Example inferior BPDU from a designated port which is in forwarding or learning state.
A port in the MSTI or VLAN received a low-priority BPDU from a designated port
Explanation in forwarding or learning state.
Verify that the peer port can receive packets from the local port:
1. Use the display stp abnormal-port command to display information
about ports that are blocked by dispute protection.
Recommended
2. Verify that the VLAN configurations on the local and peer ports are
action consistent.
3. Shut down the link between the two ports and then bring up the link, or
connect the local port to another port.

STP_ENABLE
Message text STP is now enabled on the device.

Variable fields N/A


Severity level 6
Example STP/6/STP_ENABLE: STP is now enabled on the device.
Explanation STP was globally enabled on the device.
Recommended No action is required.
action

STP_FORWARDING
Message text Instance [UINT32]'s port [STRING] has been set to forwarding state.
$1: Instance ID.
Variable fields
$2: Interface name.
Severity level 6
STP/6/STP_FORWARDING: Instance 0's port GigabitEthernet1/0/1 has been
Example set to forwarding state.
MSTP calculated the state of ports within an instance, and a port was set to the
Explanation forwarding state.
Recommended No action is required.
action

596
Security level: Secret

STP_LOOP_PROTECTION
Instance [UINT32]'s LOOP-Protection port [STRING] failed to receive
Message text configuration BPDUs.
$1: Instance ID.
Variable fields
$2: Interface name.
Severity level 4
STP/4/STP_LOOP_PROTECTION: Instance 0's LOOP-Protection port
Example GigabitEthernet1/0/1 failed to receive configuration BPDUs.
Explanation A loop-guard-enabled port failed to receive configuration BPDUs.
Recommended Check the STP status of the upstream device and possible attacks from other
action devices.

STP_LOOPBACK_PROTECTION
Message text [STRING] [UINT32]'s port [STRING] received its own BPDU.
$1: Instance or VLAN.
Variable fields $2: Instance ID or VLAN ID.
$3: Interface name.
Severity level 4
STP/4/STP_LOOPBACK_PROTECTION: Instance 0's port
Example GigabitEthernet1/0/2 received its own BPDU.
Explanation A port in the MSTI or VLAN received a BPDU sent by itself.
Recommended Check for forged BPDUs from attackers or loops in the network.
action

STP_NOT_ROOT
Message text The current switch is no longer the root of instance [UINT32].

Variable fields $1: Instance ID.


Severity level 5
Example STP/5/STP_NOT_ROOT: The current switch is no longer the root of instance 0.
The current switch is no longer the root bridge of an instance. It received a
Explanation superior BPDU after it was configured as the root bridge.
Recommended Check the bridge priority configuration and possible attacks from other devices.
action

597
Security level: Secret

STP_NOTIFIED_TC
Message text [STRING] [UINT32]'s port [STRING] was notified of a topology change.
$1: Instance or VLAN.
Variable fields $2: Instance ID or VLAN ID.
$3: Interface name.
Severity level 6
STP/6/STP_NOTIFIED_TC: Instance 0's port GigabitEthernet1/0/1 was notified
Example of a topology change.
The neighboring device on a port notified the current device that a topology
Explanation change occurred in the instance or VLAN to which the port belongs.
Recommended Identify the topology change cause and handle the issue. For example, if the
action change is caused by a link down event, recover the link.

STP_PORT_TYPE_INCONSISTENCY
Access port [STRING] in VLAN [UINT32] received PVST BPDUs from a trunk or
Message text hybrid port.
$1: Interface name.
Variable fields
$2: VLAN ID.
Severity level 4
STP/4/STP_PORT_TYPE_INCONSISTENCY: Access port
Example GigabitEthernet1/0/1 in VLAN 10 received PVST BPDUs from a trunk or hybrid
port.
Explanation An access port received PVST BPDUs from a trunk or hybrid port.
Recommended Check the port link type setting on the ports.
action

STP_PVID_INCONSISTENCY
Port [STRING] with PVID [UINT32] received PVST BPDUs from a port with
Message text PVID [UINT32].
$1: Interface name.
Variable fields $2: VLAN ID.
$3: VLAN ID.
Severity level 4
STP/4/STP_PVID_INCONSISTENCY: Port GigabitEthernet1/0/1 with PVID 10
Example received PVST BPDUs from a port with PVID 20.
Explanation A port received PVST BPDUs from a remote port with a different PVID.
Recommended Verify that the PVID is consistent on both ports.
action

598
Security level: Secret

STP_PVST_BPDU_PROTECTION
PVST BPDUs were received on port [STRING], which is enabled with PVST
Message text BPDU protection.

Variable fields $1: Interface name.


Severity level 4
STP/4/STP_PVST_BPDU_PROTECTION: PVST BPDUs were received on
Example port GigabitEthernet1/0/1, which is enabled with PVST BPDU protection.
Explanation In MSTP mode, a port enabled with PVST BPDU guard received PVST BPDUs.
Recommended Identify the device that sends the PVST BPDUs.
action

STP_ROOT_PROTECTION
Message text Instance [UINT32]'s ROOT-Protection port [STRING] received superior BPDUs.
$1: Instance ID.
Variable fields
$2: Interface name.
Severity level 4
STP/4/STP_ROOT_PROTECTION: Instance 0's ROOT-Protection port
Example GigabitEthernet1/0/1 received superior BPDUs.
A root-guard-enabled port received BPDUs that are superior to the BPDUs
Explanation generated by itself.
Recommended Check the bridge priority configuration and possible attacks from other devices.
action

599
Security level: Secret

SYSEVENT
This section contains system event messages.

EVENT_TIMEOUT
Module [UINT32]'s processing for event [UINT32] timed out.
Message text
Module [UINT32]'s processing for event [UINT32] on [STRING] timed out.
$1: Module ID.
Variable fields $2: Event ID.
$3: MDC MDC-ID or Context Context-ID.
Severity level 6
SYSEVENT/6/EVENT_TIMEOUT: -MDC=1; Module 0x1140000's processing
for event 0x20000010 timed out.
Example
SYSEVENT/6/EVENT_TIMEOUT: -Context=1; Module 0x33c0000's
processing for event 0x20000010 on context 16 timed out.
A module's processing for an event timed out on an MDC or context.
Logs generated on non-default MDCs or contexts do not include the MDC
MDC-ID or Context Context-ID.
Logs generated on the default MDC or context include the following types:
Explanation
• Logs of the default MDC or context, which do not include the MDC MDC-ID
or Context Context-ID.
• Logs of non-default MDCs or contexts, which include their MDC MDC-ID
or Context Context-ID.
Recommended No action is required.
action

600
Security level: Secret

SYSLOG messages
This section contains syslog messages.

SYSLOG_RTM_EVENT_BUFFER_FULL
In the last minute, [String] syslog logs were not monitored because the buffer
Message text was full.
$1: Number of system logs that were not sent to the EAA module in the last
Variable fields minute.
Severity level 5
SYSLOG/5/RTM_EVENT_BUFFER_REACH_LIMIT: In the last minute, 100
Example syslog logs were not monitored because the buffer was full.
This message records the number of system logs that are not processed by
EAA because the log buffer monitored by EAA is full. The log buffer can be filled
Explanation up if the device generates large numbers of system logs in a short period of
time.
• Identify log sources and take actions to reduce system logs.
Recommended
• Use the rtm event syslog buffer-size command to increase the log buffer
action size.

SYSLOG_LOGFILE_FULL
Message text Log file space is full.

Variable fields N/A


Severity level 4
Example SYSLOG/4/SYSLOG_LOGFILE_FULL: Log file space is full.
Explanation The log file is full.
Recommended Back up the log file, remove the original file, and then bring up interfaces as
action needed.

601
Security level: Secret

SYSLOG_RESTART
System restarted --
Message text
[STRING] [STRING] Software.
$1: Company name. Available options include HPE.
Variable fields
$2: Software name. Available options include Comware and Router.
Severity level 6
SYSLOG/6/SYSLOG_RESTART: System restarted --
Example
HPE Comware Software
Explanation A system restart log was generated.
Recommended No action is required.
action

602
Security level: Secret

TACACS messages
This section contains TACACS messages.

TACACS_AUTH_FAILURE
Message text User [STRING] from [STRING] failed authentication.
$1: User name.
Variable fields
$2: IP address.
Severity level 5
TACACS/5/TACACS_AUTH_FAILURE: User cwf@system from 192.168.0.22
Example failed authentication.
Explanation An authentication request was rejected by the TACACS server.
Recommended No action is required.
action

TACACS_AUTH_SUCCESS
Message text User [STRING] from [STRING] was authenticated successfully.
$1: User name.
Variable fields
$2: IP address.
Severity level 6
TACACS/6/TACACS_AUTH_SUCCESS: User cwf@system from 192.168.0.22
Example was authenticated successfully.
Explanation An authentication request was accepted by the TACACS server.
Recommended No action is required.
action

TACACS_DELETE_HOST_FAIL
Message text Failed to delete servers in scheme [STRING].

Variable fields $1: Scheme name.


Severity level 4
TACACS/4/TACACS_DELETE_HOST_FAIL: Failed to delete servers in
Example scheme abc.
Explanation Failed to delete servers from a TACACS scheme.
Recommended No action is required.
action

603
Security level: Secret

TELNETD messages
This section contains Telnet daemon messages.

TELNETD_ACL_DENY
The Telnet Connection [IPADDR]([STRING]) request was denied according to
Message text ACL rules.

$1: IP address of the Telnet client.


Variable fields
$2: VPN instance to which the IP address of the Telnet client belongs.

Severity level 5
TELNETD/5/TELNETD_ACL_DENY: The Telnet Connection 1.2.3.4(vpn1)
Example request was denied according to ACL rules.

The ACL for controlling Telnet access denied the access request of a Telnet
Explanation client.

Recommended No action is required.


action

TELNETD_REACH_SESSION_LIMIT
Telnet client [STRING] failed to log in. The current number of Telnet sessions is
Message text [NUMBER]. The maximum number allowed is ([NUMBER]).
$1: IP address of the Telnet client.
Variable fields $2: Current number of Telnet sessions.
$3: Maximum number of Telnet sessions allowed by the device.

Severity level 6
TELNETD/6/TELNETD_REACH_SESSION_LIMIT: Telnet client 1.1.1.1 failed to
Example log in. The current number of Telnet sessions is 10. The maximum number
allowed is (10).

Explanation The number of Telnet connections reached the limit.


1. Use the display current-configuration | include session-limit command
to view the current limit for Telnet connections. If the command does not
Recommended display the limit, the device is using the default setting.
action 2. If you want to set a greater limit, execute the aaa session-limit command. If
you think the limit is proper, no action is required.

604
Security level: Secret

TRILL messages
This section contains TRILL messages.

TRILL_DUP_SYSTEMID
Duplicate system ID [STRING] in [STRING] PDU sourced from RBridge
Message text 0x[HEX].
$1: System ID.
Variable fields $2: PDU type.
$3: Source RBridge's nickname.
Severity level 5
TRILL/5/TRILL_DUP_SYSTEMID: Duplicate system ID 0011.2200.1501 in LSP
Example PDU sourced from RBridge 0xc758.
The local RBridge received an LSP or IIH PDU that has the same system ID as
the local RBridge. The possible reasons include:
• The same system ID is assigned to the local RBridge and the remote
Explanation RBridge.
• The local RBridge received a self-generated LSP PDU with an old
nickname.
Recommended Please check the RBridge system IDs on the campus network.
action

TRILL_INTF_CAPABILITY
Message text The interface [STRING] does not support TRILL.

Variable fields $1: Interface name.


Severity level 4
TRILL/4/TRILL_INTF_CAPABILITY: The interface GigabitEthernet0/1/3 does
Example not support TRILL.
An interface that does not support TRILL is assigned to a link aggregation
Explanation group.
Recommended Remove the interface that does not support TRILL from the link aggregation
action group.

605
Security level: Secret

TRILL_LICENSE_EXPIRED
Message text The TRILL feature is being disabled, because its license has expired.

Variable fields N/A


Severity level 3
TRILL/3/TRILL_LICENSE_EXPIRED: The TRILL feature is being disabled,
Example because its license has expired.
Explanation The TRILL license has expired.
Recommended Install a valid license for TRILL.
action

TRILL_LICENSE_EXPIRED_TIME
Message text The TRILL feature will be disabled in [ULONG] days.

Variable fields $1: Available period of the feature.


Severity level 5
TRILL/5/TRILL_LICENSE_EXPIRED_TIME: The TRILL feature will be disabled in
Example 2 days.
TRILL will be disabled because no TRILL license is available. After an
Explanation active/standby MPU switchover, you can use TRILL only for 30 days if the new
active MPU does not have a TRILL license.
Recommended Install a new license.
action

TRILL_LICENSE_UNAVAILABLE
Message text The TRILL feature has no available license.

Variable fields N/A


Severity level 3
TRILL/3/TRILL_LICENSE_UNAVAILABLE: The TRILL feature has no available
Example license.
Explanation No license was found for TRILL when the TRILL process started.
Recommended Install a valid license for TRILL.
action

606
Security level: Secret

TRILL_MEM_ALERT
Message text TRILL process receive system memory alert [STRING] event.

Variable fields $1: Type of the memory alert event.


Severity level 5
TRILL/5/TRILL_MEM_ALERT: TRILL process receive system memory alert
Example start event.
Explanation TRILL receives a memory alert event from the system.
Recommended Check the system memory.
action

TRILL_NBR_CHG
TRILL [UINT32], [STRING] adjacency [STRING] ([STRING]), state changed to
Message text [STRING].
$1: TRILL process ID.
$2: Neighbor level.
$3: Neighbor system ID.
$4: Interface name.
Variable fields
$5: Current neighbor state:
• up—The neighbor has been established, and can operate correctly.
• initializing—The neighbor is being initialized.
• down—The neighbor is down.

Severity level 5
TRILL/5/TRILL_NBR_CHG: TRILL 1, Level-1 adjacency 0011.2200.1501
Example (GigabitEthernet0/1/3), state changed to down.
Explanation The state of a TRILL neighbor changed.
When the neighbor state changed to down or initializing, please check the
Recommended TRILL configuration and network status according to the reason for the
action neighbor state change.

607
Security level: Secret

VCF messages
This section contains VCF messages.

VCF_AGGR_CREAT
Phase [STRING], Device [STRING] created Layer 2 aggregation group [INT32]:
Message text member ports=[STRING].
$1: Phase.
$2: MAC address of the device.
Variable fields
$3: ID of a Layer 2 aggregation group.
$4: List of Layer 2 aggregation member ports.
Severity level 6
VCF/6/VCF_AGGR_CREAT: Phase 2.0.5, Device 0000-0000-0000 created
Example Layer 2 aggregation group 10: member ports=Ten-GigabitEthernet1/0/2,
Ten-GigabitEthernet1/0/10.
A Layer 2 aggregation group was created and member ports were added to the
Explanation aggregation group.
Recommended No action is required.
action

VCF_AGGR_DELETE
Message text Phase [STRING], Device [STRING] deleted Layer 2 aggregation group [INT32].
$1: Phase.
Variable fields $2: MAC address of the device.
$3: ID of a Layer 2 aggregation group.
Severity level 6
VCF/6/VCF_AGGR_DELETE: Phase 2.0.6, Device 0000-0000-0000 deleted
Example Layer 2 aggregation group 10.
A Layer 2 aggregation group was deleted when only one link in the aggregation
Explanation group was up.
Recommended No action is required.
action

608
Security level: Secret

VCF_AGGR_FAILED
Phase [STRING], Device [STRING] failed to create Layer 2 aggregation group
Message text [INT32].
$1: Phase.
Variable fields $2: MAC address of the device.
$3: ID of a Layer 2 aggregation group.
Severity level 3
VCF/3/ VCF_AGGR_FAILED: Phase 2.0.7, Device 0000-0000-0000 failed to
Example create Layer 2 aggregation group 10.
Explanation Failed to create a Layer 2 aggregation group.
Recommended Troubleshoot the reasons for the aggregation group creation failure, such as
action insufficient resources.

VCF_AUTO_ANALYZE_USERDEF
Message text Phase [STRING], Device [STRING] started to parse template file.
$1: Phase.
Variable fields
$2: MAC address of the device.
Severity level 6
VCF/6/VCF_AUTO_ANALYZE_USERDEF: Phase 1.2.2, Device
Example 0000-0000-0000 started to parse template file.
Explanation Started to parse user-defined configurations in the template file.
Recommended No action is required.
action

VCF_AUTO_NO_USERDEF
Phase [STRING], Device [STRING] found undefined variable [STRING] in
Message text command [STRING] on line [INTEGER].
$1: Phase.
$2: MAC address of the device.
Variable fields $3: Undefined user variable.
$4: Command in which the undefined user variable resides.
$5: Number of the command line.
Severity level 3
VCF/3/VCF_AUTO_NO_USERDEF: Phase 1.2.3, Device 0000-0000-0000
Example found undefined variable $$_ABC in command interface $$_ABC on line 192.
An undefined user variable exists in the template file. This message is displayed
Explanation each time an undefined user variable is detected.
Recommended Verify whether the user-defined variables in the template file are correct.
action

609
Security level: Secret

VCF_AUTO_START
Phase [STRING], Device [STRING] (Role [STRING]) started VCF automated
Message text deployment.
$1: Phase.
Variable fields $2: MAC address of the device.
$3: Role of the device, spine or leaf.
Severity level 5
VCF/5/VCF_AUTO_START: Phase 1.0.1, Device 0000-0000-0000 (Role leaf)
Example started VCF automated deployment.
Explanation Started VCF automated deployment.
Recommended No action is required.
action

VCF_AUTO_STATIC_CMD
Message text Phase [STRING], Device [STRING] automatically executed static commands.
$1: Phase.
Variable fields
$2: MAC address of the device.
Severity level 6
VCF/6/VCF_AUTO_STATIC_CMD: Phase 1.2.4, Device 0000-0000-0000
Example automatically executed static commands.
Executed static commands in the template file. Static commands refer to
Explanation commands that are independent from the VCF fabric topology.
Recommended No action is required.
action

VCF_BGP
Phase [STRING], Device [STRING] established a BGP session with peer
Message text [STRING] in AS [INT32].
$1: Phase.
$2: MAC address of the device.
Variable fields
$3: Address of a BGP peer.
$4: Number of the AS where the BGP peer resides.
Severity level 6
VCF/6/VCF_BGP: Phase 3.0.5, Device 0000-0000-0000 established a BGP
Example session with peer 1.1.1.1 in AS 100.
Successfully established a BGP session with a BGP peer during VXLAN
Explanation networking.
Recommended No action is required.
action

610
Security level: Secret

VCF_DOWN_LINK
Message text Phase [STRING], Device [STRING] discovered downlink interface [STRING].
$1: Phase.
Variable fields $2: MAC address of the device.
$3: Name of a downlink interface.
Severity level 6
VCF/6/VCF_DOWN_LINK: Phase 2.0.8, Device 0000-0000-0000 discovered
Example downlink interface Ten-GigabitEthernet1/0/1.
A downlink interface was found.
On a spine node, a downlink interface is the interface through which the spine
Explanation
node connects to a leaf node. On a leaf node, a downlink interface is the
interface through which the leaf node connects to a downstream access device.
Recommended No action is required.
action

VCF_GET_IMAGE
Phase [STRING], Device [STRING] obtained information about update startup
Message text image file [STRING]: new version=[STRING], current version=[STRING].
$1: Phase.
$2: MAC address of the device.
Variable fields $3: Name of the new startup image file.
$4: Version number of the new startup image file.
$5: Version number of the current startup image file.
Severity level 6
VCF/6/VCF_GET_IMAGE: Phase 1.3.1, Device 0000-0000-0000 obtained
Example information about update startup image file s6800.ipe: new
version=V300R009B01D002, current version=V300R009B01D001.
Obtained the name and the version number of the new startup image file
Explanation through the template file.
Recommended No action is required.
action

611
Security level: Secret

VCF_GET_TEMPLATE
Message text Phase [STRING], Device [STRING] downloaded template file [STRING].
$1: Phase.
Variable fields $2: MAC address of the device.
$3: Name of the template file.
Severity level 6
VCF/6/VCF_GET_TEMPLATE: Phase 1.2.1, Device 0000-0000-0000
Example downloaded template file /mnt/flash:/vxlan_spine.template.
Explanation Downloaded the template file for automated deployment.
Recommended No action is required.
action

VCF_INSTALL_IMAGE
Phase [STRING], Device [STRING] started to install the [STRING] version of
Message text startup image.
$1: Phase.
Variable fields $2: MAC address of the device.
$3: Version number of the new startup image file.
Severity level 6
VCF/6/VCF_INSTALL_IMAGE: Phase 1.3.3, Device 0000-0000-0000 started to
Example install the V700R001B70D001 version of startup image.
Explanation Started to install the new software version.
Recommended No action is required.
action

VCF_IRF_FINISH
Message text Phase [STRING], Device [STRING] finished IRF configuration: result=[INT32].
$1: Phase.
$2: MAC address of the device.
Variable fields $3: Result of IRF configuration:
• 0—Success.
• -1—Failure.
Severity level 5
VCF/5/VCF_IRF_FINISH: Phase 2.0.3, Device 0000-0000-0000 finished IRF
Example configuration: result=0.
Explanation Finished IRF configuration.
Recommended Contact Hewlett Packard Enterprise Support if IRF configuration failed.
action

612
Security level: Secret

VCF_IRF_FOUND
Phase [STRING], Device [STRING] (Role [STRING]) found a peer ([STRING])
Message text with the same role, IRF stackability check result: [INT32].
$1: Phase.
$2: MAC address of the device.
$3: Role of the device.
Variable fields $4: MAC address of the peer device.
$5: Result of the IRF stackability check:
• 0—Capable to form an IRF fabric.
• 1—MAC address conflict.

Severity level 5
VCF/5/VCF_IRF_FOUND: Phase 2.0.1, Device 0000-0000-0000 (Role leaf)
Example found a peer with the same role, IRF stackability check result: 0.
Found a peer device with the same role in VCF fabric topology discovery and
Explanation checked whether the device can form an IRF fabric with the peer device.
Recommended No action is required.
action

VCF_IRF_REBOOT
Phase [STRING], Device [STRING] will reboot immediately to activate IRF
Message text settings.
$1: Phase.
Variable fields
$2: MAC address of the device.
Severity level 5
VCF/5/VCF_IRF_REBOOT: Phase 2.0.4, Device 0000-0000-0000 will reboot
Example immediately to activate IRF settings.
The device was about to reboot to activate IRF settings.
Explanation After IRF configuration is finished, a leaf node whose IRF member ID has
changed will reboot, and a spine node will always reboot.
Recommended No action is required.
action

613
Security level: Secret

VCF_IRF_START
Phase [STRING], Device [STRING] started IRF configuration: current member
Message text ID=[INT32], new member ID=[INT32], priority=[INT32], IRF-port 1's member
ports=[STRING], IRF-port 2's member ports=[STRING].
$1: Phase.
$2: MAC address of the device.
$3: Current IRF member ID of the device.
$4: New IRF member ID of the device.
Variable fields $5: New IRF member priority of the device.
$6: List of IRF physical interfaces bound to IRF-port 1. The value none
indicates that no IRF physical interfaces were bound to IRF-port 1.
$7: List of IRF physical interfaces bound to IRF-port 2. The value none
indicates that no IRF physical interfaces were bound to IRF-port 2.
Severity level 5
VCF/5/VCF_IRF_START: Phase 2.0.2, Device 0000-0000-0000 started IRF
Example configuration: current member ID=2, new member ID=1, priority=2, IRF-port 1's
member ports=GigabitEthernet1/0/1, IRF-port 2's member ports=none.
Explanation Started to deploy IRF configuration.
Recommended No action is required.
action

VCF_LOOPBACK_START
Phase [STRING], IP address assignment started for Loopback 0 on other
Message text nodes.

Variable fields $1: Phase.


Severity level 5
VCF/5/VCF_LOOPBACK_START: Phase 3.0.1, IP address assignment started
Example for Loopback 0 on other nodes.
During VXLAN networking, the master spine node started to assign IP
Explanation addresses to interfaces Loopback 0 on other devices.
Recommended No action is required.
action

614
Security level: Secret

VCF_LOOPBACK_START_FAILED
Phase [STRING], failed to assign IP addresses to Loopback 0 on other nodes:
Message text reason=[STRING].
$1: Phase.
$2: Reason for failure to start IP address assignment:
Variable fields
• -1—No IP address range is specified.
• -2—Invalid IP addresses.

Severity level 5
VCF/5/VCF_LOOPBACK_START_FAILED: Phase 3.0.1, failed to assign IP
Example addresses to Loopback 0 on other nodes: reason=-1.
During VXLAN networking, the master spine node failed to assign IP addresses
to interfaces Loopback 0 on other devices due to one of the following reasons:
Explanation • No IP address range is specified.
• Invalid IP addresses.
Recommended Verify that whether the IP address range in the template file is correct.
action

VCF_LOOPBACK_ALLOC
Phase [STRING], assigned IP [STRING] to Loopback 0 on Device [STRING]:
Message text result=[INT32].
$1: IP address assigned to Loopback 0.
$2: MAC address of the device.
$3: Result of IP address assignment:
Variable fields • 0—Success.
• -1—NETCONF failed to implement IP address assignment.
• -2—NETCONF processed IP address assignment incorrectly.
• -3—NETCONF failed to initialize.
Severity level 5
VCF/5/VCF_LOOPBACK_ALLOC: Phase 3.0.2, assigned IP 10.100.1.1 to
Example Loopback 0 on Device 0000-0000-0000: result=0.
During VXLAN networking, the master spine node assigned an IP address to
Explanation Loopback 0 on a device.
Recommended Troubleshoot the reasons for the IP address assignment failure according to the
action result.

615
Security level: Secret

VCF_LOOPBACK_NO_FREE_IP
Message text Phase [STRING], no IP addresses available for Device [STRING].
$1: Phase.
Variable fields
$2: MAC address of the device.
Severity level 4
VCF/4/VCF_LOOPBACK_NO_FREE_IP: Phase 3.0.4, no IP addresses
Example available for Device 0000-0000-0000.
During VXLAN networking, the master spine node failed to assign an IP
Explanation address to Loopback 0 on a device because no IP address was available.
Recommended Verify whether the specified IP address range in the template file is correct.
action

VCF_LOOPBACK_RECLAIM
Phase [STRING], reclaimed IP [STRING] from Loopback 0 on Device
Message text [STRING]: reason=[INT32].
$1: Phase.
$2: Reclaimed IP address of Loopback 0.
$3: MAC address of the device of which the IP address of Loopback 0 was
Variable fields
reclaimed.
$4: Reason for reclaiming the IP address of Loopback 0. The value 1 indicates
that the device was down.
Severity level 5
VCF/5/VCF_LOOPBACK_RECLAIM: Phase 3.0.3, reclaimed IP 10.10.10.1
Example from Loopback 0 on Device 0000-0000-0000: reason=1.
During VXLAN networking, the master spine node reclaimed the IP address that
Explanation had been assigned to Loopback 0 on a device.
Recommended No action is required.
action

VCF_REBOOT
Phase [STRING], Device [STRING] completed startup image update. The
Message text device will reboot immediately.
$1: Phase.
Variable fields
$2: MAC address of the device.
Severity level 5
VCF/5/VCF_REBOOT: Phase 1.3.4, Device 0000-0000-0000 completed
Example startup image update. The device will reboot immediately.
Explanation Software update was completed. The device was about to reboot.
Recommended No action is required.
action

616
Security level: Secret

VCF_SKIP_INSTALL
Message text Phase [STRING], Device [STRING] skipped automatic version update.
$1: Phase.
Variable fields
$2: MAC address of the device.
Severity level 5
VCF/5/VCF_SKIP_INSTALL: Phase 1.3.2, Device 0000-0000-0000 skipped
Example automatic version update.
Skipped software upgrade because the current startup image version is the
Explanation same as the startup image version obtained from the template file.
Recommended No action is required.
action

VCF_STATIC_CMD_ERROR
Phase [STRING], Device [STRING] failed to automatically execute static
Message text command '[STRING]' in context '[STRING]'.
$1: Phase.
$2: MAC address of the device.
Variable fields
$3: Command that fail to be executed.
$4: Context in which the command resides.
Severity level 4
VCF/4/VCF_STATIC_CMD_ERROR: Phase 1.2.5, Device 0000-0000-0000
Example failed to automatically execute static command 'port link bridge' in context
'interface ten-gigabitethernet1/0/1; port link bridge'.
Explanation Failed to execute a static command during automated deployment.
Recommended Troubleshoot the reasons for the failure, correct the errors, and then restart the
action automated deployment.

VCF_UP_LINK
Message text Phase [STRING], Device [STRING] discovered uplink interface [STRING].
$1: Phase.
Variable fields $2: MAC address of the device.
$3: Name of an uplink interface.
Severity level 6
VCF/6/VCF_UP_LINK: Phase 2.0.9, Device 0000-0000-0000 discovered uplink
Example interface Ten-GigabitEthernet1/0/1.
An uplink interface was found. An uplink interface is the interface through which
Explanation a leaf node connects to an upstream spine node.
Recommended No action is required.
action

617
Security level: Secret

618
Security level: Secret

VLAN messages
This section contains VLAN messages.

VLAN_FAILED
Message text Failed to add interface [STRING] to the default VLAN.

Variable fields $1: Interface name.


Severity level 4
VLAN/4/VLAN_FAILED: Failed to add interface S-Channel4/2/0/19:100 to the
Example default VLAN.
An S-channel interface was created when hardware resources were
Explanation insufficient. The S-channel interface failed to be assigned to the default VLAN.
Recommended No action is required.
action

VLAN_VLANMAPPING_FAILED
The configuration failed because of resource insufficiency or conflicts on
Message text [STRING].

Variable fields $1: Interface name.


Severity level 4
VLAN/4/VLAN_VLANMAPPING_FAILED: The configuration failed because of
Example resource insufficiency or conflicts on Ethernet0/0.
Part of or all VLAN mapping configurations on the interface were lost because
of one of the following occurrences:
Explanation • Hardware resources were insufficient for the interface.
• The interface joined or left a Layer 2 aggregation group.
Recommended No action is required.
action

619
Security level: Secret

VLAN_VLANTRANSPARENT_FAILED
The configuration failed because of resource insufficiency or conflicts on
Message text [STRING].

Variable fields $1: Interface name.


Severity level 4
VLAN/4/VLAN_VLANTRANSPARENT_FAILED: The configuration failed
Example because of resource insufficiency or conflicts on Ethernet0/0.
Part of or all VLAN transparent transmission configurations on the interface
were lost because of one of the following occurrences:
Explanation • Hardware resources were insufficient for the interface.
• The interface joined or left a Layer 2 aggregation group.
Recommended No action is required.
action

620
Security level: Secret

VRRP messages
This section contains VRRP messages.

VRRP_STATUS_CHANGE
The status of [STRING] virtual router [UINT32] (configured on [STRING])
Message text changed from [STRING] to [STRING]: [STRING].

$1: VRRP version.


$2: VRRP group number.
$3: Name of the interface where the VRRP group is configured.
$4: Original status.
$5: Current status.
$6: Reason for status change:
• Interface event received—An interface event was received.
• IP address deleted—The virtual IP address has been deleted.
• The status of the tracked object changed—The status of the associated
Variable fields track entry changed.
• VRRP packet received—A VRRP advertisement was received.
• Current device has changed to IP address owner—The current device
has become the IP address owner.
• Master-down-timer expired—The master down timer (3 × VRRP
advertisement interval + Skew_Time) expired.
• Zero priority packet received—A VRRP packet containing priority 0 was
received.
• Preempt—Preemption occurred.
• Master group drove—The state of the master group changed.

Severity level 6
VRRP/6/VRRP_STATUS_CHANGE: The status of IPv4 virtual router 10
Example (configured on Ethernet0/0) changed (from Backup to Master):
Master-down-timer expired.

The VRRP group status changed because of the following reasons:


• An interface event was received.
• The virtual IP address has been deleted.
• The status of the associated track entry changed.
• A VRRP advertisement was received.
Explanation • The current device has become the IP address owner.
• The master down timer (3 × VRRP advertisement interval + Skew_Time)
expired.
• A VRRP packet containing priority 0 was received.
• Preemption occurred.
• The state of the master group changed.

Recommended Check the VRRP group status to make sure it is operating correctly.
action

621
Security level: Secret

VRRP_VF_STATUS_CHANGE
The [STRING] virtual router [UINT32] (configured on [STRING]) virtual
Message text forwarder [UINT32] detected status change (from [STRING] to [STRING]):
[STRING].

$1: VRRP version.


$2: VRRP group number.
$3: Name of the interface where the VRRP group is configured.
Variable fields $4: VF ID.
$5: Original status of VF.
$6: Current status of VF.
$7: Reason for the status change.

Severity level 6
VRRP/6/VRRP_VF_STATUS_CHANGE: The IPv4 virtual router 10 (configured
Example on GigabitEthernet5/1) virtual forwarder 2 detected status change (from Active
to Initialize): Weight changed.

The status of the virtual forwarder has changed because the weight changed,
Explanation the timeout timer expired, or VRRP went down.

Recommended Check the status of the track entry.


action

VRRP_VMAC_INEFFECTIVE
The [STRING] virtual router [UINT32] (configured on [STRING]) failed to add
Message text virtual MAC: [STRING].
$1: VRRP version.
$2: VRRP group number.
Variable fields
$3: Name of the interface where the VRRP group is configured.
$4: Reason for the error.

Severity level 3
VRRP/3/VRRP_VMAC_INEFFECTIVE: The IPv4 virtual router 10 (configured
Example on Ethernet0/0) failed to add virtual MAC: Insufficient hardware resources.

Explanation The virtual router failed to add a virtual MAC address.

Recommended Find out the root cause for the operation failure and fix the problem.
action

622
Security level: Secret

VSRP messages
This section contains VSRP messages.

VSRP_BIND_FAILED
Message text Failed to bind the IP addresses and the port on VSRP peer [STRING].

Variable fields $1: VSRP peer name.


Severity level 6
VSRP/6/VSRP_BIND_FAILED: Failed to bind the IP addresses and the port on
Example VSRP peer aaa.
Failed to bind the IP addresses and the port when creating a TCP connection to
Explanation the VSRP peer because the TCP port is in use.
Recommended No action is required.
action

623
WIPS messages
This section contains WIPS messages.

WIPS_APFLOOD
Message text -VSD=[STRING]; AP flood detected.

Variable fields $1: VSD name.

Severity level 5

Example WIPS/5/APFLOOD: -VSD=home; AP flood detected.

Explanation The number of APs detected in the specified VSD reached the threshold.

Recommended action Determine whether the device has suffered an attack.

WIPS_AP_CHANNEL_CHANGE
Message text -VSD=[STRING]-SrcMAC=[MAC]; Channel change detected.
$1: VSD name.
Variable fields
$2: MAC address of the AP.

Severity level 5
WIPS/5/AP_CHANNEL_CHANGE: -VSD=home-SrcMAC=1122-3344-5566;
Example Channel change detected.

Explanation The channel of the specified AP changed.

Recommended action Determine whether the channel change is valid.

WIPS_ASSOCIATEOVERFLOW
-VSD=[STRING]-SrcMAC=[MAC]; Association/Reassociation DoS attack
Message text detected.
$1: VSD name.
Variable fields
$2: MAC address of the AP.

Severity level 5
WIPS/5/ASSOCIATEOVERFLOW: -VSD=home-SrcMAC=1122-3344-5566;
Example Association/Reassociation DoS attack detected.

Explanation The specified AP sent an association response with the status code 17.

Recommended action Determine whether the AP has suffered an attack.

624
WIPS_DOS
Message text -VSD=[STRING]; [STRING] rate attack detected.
$1: VSD name.
Variable fields
$2: Device type: AP or client.

Severity level 5

Example WIPS/5/WIPS_DOS: -VSD=home; AP rate attack detected.


The number of device entries learned within the specified interval reached the
Explanation threshold.

Recommended action Determine whether the device has suffered an attack.

WIPS_FLOOD
Message text -VSD=[STRING]-SrcMAC=[MAC]; [STRING] flood detected.
$1: VSD name.
$2: Attacker's MAC address.
$3: Flood attack type. Options include the following:
• Association request
• Authentication
• Disassociation
• Reassociation request
Variable fields • Deauthentication
• Null data
• Beacon
• Probe request
• BlockAck
• CTS
• RTS
• EAPOL start

Severity level 5
WIPS/5/WIPS_FLOOD: -VSD=home-SrcMAC=1122-3344-5566; Association
Example request flood detected.
The number of a specific type of packets detected within the specified interval
Explanation reached the threshold.

Recommended Determine whether the packet sender is an authorized device.


action

625
WIPS_HONEYPOT
Message text -VSD=[STRING]-SrcMAC=[MAC]; Honeypot AP detected.
$1: VSD name.
Variable fields
$2: MAC address of the AP.

Severity level 5
WIPS/5/HONEYPOT: -VSD=home-SrcMAC=1122-3344-5566; Honeypot AP
Example detected.

Explanation The specified AP was detected as a honeypot AP.

Recommended action Determine whether the device has suffered an attack.

WIPS_HTGREENMODE
Message text -VSD=[STRING]-SrcMAC=[MAC]; HT-Greenfield AP detected.
$1: VSD name.
Variable fields
$2: MAC address of the AP.

Severity level 5
WIPS/5/HTGREENMODE: -VSD=home-SrcMAC=1122-3344-5566;
Example HT-Greenfield AP detected.

Explanation The specified AP was detected as an HT-greenfield AP.

Recommended action Determine whether the device has suffered an attack.

626
WIPS_MALF
Message text -VSD=[STRING]-SrcMAC=[MAC]; Error detected: [STRING].
$1: VSD name.
$2: Sender's MAC address.
$3: Malformed packet type. Options include the following:
• invalid ie length—Invalid IE length.
• duplicated ie—Duplicate IE.
• redundant ie—Redundant IE.
• invalid pkt length—Invalid packet length.
• illegal ibss ess—Abnormal IBSS and ESS setting.
• invalid source addr—Invalid source MAC address.
Variable fields • overflow eapol key—Oversized EAPOL key.
• malf auth—Malformed authentication request frame.
• malf assoc req—Malformed association request frame.
• malf ht ie—Malformed HT IE.
• large duration—Oversized duration.
• null probe resp—Malformed probe response frame.
• invalid deauth code—Invalid deauthentication code.
• invalid disassoc code—Invalid disassociation code.
• over flow ssid—Oversized SSID.
• fata jack—FATA-Jack.

Severity level 5
WIPS/5/WIPS_MALF: -VSD=home-SrcMAC=1122-3344-5566; Error detected:
Example fata jack.

Explanation A malformed packet was detected.

Recommended Determine whether the packet sender is an authorized device.


action

WIPS_MAN_IN_MIDDLE
Message text -VSD=[STRING]-SrcMAC=[MAC]; Man-in-the-middle attack detected.
$1: VSD name.
Variable fields
$2: MAC address of the client.

Severity level 5
WIPS/5/MAN_IN_MIDDLE: -VSD=home-SrcMAC=1122-3344-5566;
Example Man-in-the-middle attack detected.

Explanation The specified client suffered a man-in-the-middle attack.

Recommended action Determine whether the client has suffered a man-in-the-middle attack.

627
WIPS_SPOOF
Message text -VSD=[STRING]-SrcMAC=[MAC]; [STRING] detected.
$1: VSD name.
$2: MAC address of the device being spoofed.
$3: Spoofing attack type. Options include the following:
• AP spoofing AP—A fake AP spoofs an authorized AP.
Variable fields
• AP spoofing client—A fake AP spoofs an authorized client.
• AP spoofing ad-hoc—A fake AP spoofs an Ad hoc device.
• Ad-hoc spoofing AP—An Ad hoc device spoofs an authorized AP.
• Client spoofing AP—A client spoofs an authorized AP.

Severity level 5
WIPS/5/WIPS_SPOOF: -VSD=home-SrcMAC=1122-3344-5566; AP spoofing
Example AP detected.

Explanation A spoofing attack was detected.

Recommended Determine whether the packet sender is an authorized device.


action

WIPS_WEAKIV
Message text -VSD=[STRING]-SrcMAC=[MAC]; Weak IV detected.
$1: VSD name.
Variable fields
$2: Sender's MAC address.

Severity level 5
WIPS/5/WIPS_WEAKIV: -VSD=home-SrcMAC=1122-3344-5566; Weak IV
Example detected.

Explanation A weak IV was detected.

Recommended Use a more secure encryption method to encrypt packets.


action

628
WIPS_WIRELESSBRIDGE
Message text -VSD=[STRING]-AP1=[MAC]-AP2=[MAC]]; Wireless bridge detected.
$1: VSD name.
Variable fields $2: MAC address of AP 1.
$3: MAC address of AP 2.

Severity level 5
WIPS/5/WIRELESSBRIDGE:
Example -VSD=home-AP1=1122-3344-5566-AP2=7788-9966-5544; Wireless bridge
detected.

Explanation The specified APs set up a wireless bridge.

Recommended action Determine whether the wireless bridge is valid.

629

You might also like