NetScreen Message Log Reference Guide

Version
PN
Rev B
Copyright Notice
Copyright © 1998-2001 NetScreen Technologies, Inc. NetScreen
Technologies, Inc., the NetScreen logo, NetScreen-5, NetScreen-5XP,
NetScreen-10, NetScreen-25, NetScreen-50, NetScreen-100,
NetScreen-500, NetScreen-1000, NetScreen-Global Manager,
NetScreen-Global PRO, NetScreen-Remote, GigaScreen ASIC, and
NetScreen ScreenOS are trademarks and NetScreen is a registered
trademark of NetScreen Technologies, Inc. All other trademarks and
registered trademarks are the property of their respective companies.
NetScreen Technologies, Inc.
350 Oakmead Parkway
Sunnyvale, CA 95051 U.S.A.
www.netscreen.com
Licenses, Copyrights, and Trademarks
THE SPECIFICATIONS REGARDING THE PRODUCTS IN THIS
MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS
MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED
WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.
USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR
APPLICATION OF ANY PRODUCTS. NO PART OF THIS DOCUMENT
MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY
ANY MEANS, ELECTRONIC OR MECHANICAL, FOR ANY
PURPOSE, WITHOUT RECEIVING WRITTEN PERMISSION FROM
NETSCREEN TECHNOLOGIES INC.
FCC Statement
This equipment has been tested and found to comply with the limits for
a Class A digital device, pursuant to part 15 of the FCC rules. These
limits are designed to provide reasonable protection against harmful
interference in a light commercial installation. This equipment
generates, uses and can radiate radio frequency energy, and, if not
installed and used in accordance with the instruction, may cause
harmful interference to radio communications. However, there is no
guarantee that interference will not occur in a particular installation. If
this equipment does cause harmful interference to radio or television
reception, which can be determined by turning the equipment off and
on, the user is encouraged to try to correct the interference by one or
more of the following measures:
•Reorient or relocate the receiving antenna.
•Increase the separation between the equipment and receiver.
•Consult the dealer or an experienced radio/TV technician for help.
•Connect the equipment to an outlet on a circuit different from that to
which the receiver is connected.
Caution: Changes or modifications to this product could void the user's
warranty and authority to operate this device.
Product License Agreement
PLEASE READ THIS LICENSE AGREEMENT (“AGREEMENTS”)
CAREFULLY BEFORE USING THIS PRODUCT. BY INSTALLING AND
OPERATING, YOU INDICATE YOUR ACCEPTANCE OF THE TERMS
OF THIS LEGAL AND BINDING AGREEMENT AND ARE
CONSENTING TO BE BOUND BY AND ARE BECOMING A PARTY TO
THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE
TERMS OF THIS AGREEMENT, DO NOT START THE INSTALLATION
PROCESS.
1. License Grant. This is a license, not a sales agreement, between
you, the end user, and NetScreen Technologies, Inc. (“NetScreen”).
The term “Firmware” includes all NetScreen and third party Firmware
and software provided to you with the NetScreen product, and includes
any accompanying documentation, any updates and enhancements of
the Firmware and software provided to you by NetScreen, at its option.
NetScreen grants to you a non-transferable (except as provided in
section 3 (“Transfer”) below), non-exclusive license to use the Firmware
and software in accordance with the terms set forth in this License
Agreement. The Firmware and software are “in use” on the product
when they are loaded into temporary memory (i.e. RAM).
2. Limitation on Use. You may not attempt and if you are a corporation,
you will use best efforts to prevent your employees and contractors
from attempting to, (a) modify, translate, reverse engineer decompile,
disassemble, create, derivative works based on, sublicense, or
distribute the Firmware or the accompanying documentation; (b) rent or
lease any rights in the Firmware or software or accompanying
documentation in any form to any person; or (c) remove any proprietary
notice, labels, or marks on the Firmware, software, documentation, and
containers.
3. Transfer. You may transfer (not rent or lease) the Firmware or
software to the end user on a permanent basis, provided that: (i) the
end user receives a copy of this Agreement and agrees in writing to be
bound by its terms and conditions, and (ii) you at all times comply with
all applicable United States export control laws and regulations.
4. Proprietary Rights. All rights, title, interest, and all copyrights to the
Firmware, software, documentation, and any copy made by you remain
with NetScreen. You acknowledge that no title to the intellectual
property in the Firmware and software is transferred to you and you will
not acquire any rights to the Firmware except for the license as
expressly set forth herein.
5. Term and Termination. The term of the license is for the duration of
NetScreen’s copyright in the Firmware and software. NetScreen may
terminate this Agreement immediately without notice if you breach or
fail to comply with any of the terms and conditions of this Agreement.
You agree that, upon such termination, you will either destroy all copies
of the documentation or return all materials to NetScreen. The
provisions of this Agreement, other than the license granted in Section
1 (“License Grant”) shall survive termination.
6. Limited Warranty. For a period of one (1) year after delivery to
Customer, NetScreen will repair or replace any defective product
shipped to Customer, provided it is returned to Netscreen at Customer’s
expense within that period. For a period of ninety (90) days after the
initial delivery of a particular product, NetScreen warrants to Customer
that such product will substantially conform with NetScreen’s published
specifications for that product if properly used in accordance with the
procedures described in documentation supplied by NetScreen.
NetScreen’s exclusive obligation with respect to non-conforming
product shall be, at NetScreen’s option, to replace the product or use
diligent efforts to provide Customer with a correction of the defect, or to
refund to customer the purchase price paid for the unit. Defects in the
product will be reported to NetScreen in a form and with supporting
information reasonably requested by NetScreen to enable it to verify,
diagnose, and correct the defect. For returned product, the customer
shall notify NetScreen of any nonconforming product during the
warranty period, obtain a return authorization for the nonconforming
product, from NetScreen, and return the nonconforming product to
NetScreen’s factory of origin with a statement describing the
nonconformance.
NOTWITHSTANDING ANYTHING HEREIN TO THE CONTRARY, THE
FOREGOING IS CUSTOMER’S SOLE AND EXCLUSIVE REMEDY
FOR BREACH OF WARRANTY BY NETSCREEN WITH RESPECT TO
THE PRODUCT.
The warranties set forth above shall not apply to any Product or
Hardware which has been modified, repaired or altered, except by
NetScreen, or which has not been maintained in accordance with any
handling or operating instructions supplied by NetScreen, or which has
been subjected to unusual physical or electrical stress, misuse, abuse,
negligence or accidents.
THE FOREGOING WARRANTIES ARE THE SOLE AND EXCLUSIVE
WARRANTIES EXPRESS OR IMPLIED GIVEN BY NETSCREEN IN
CONNECTION WITH THE PRODUCT AND HARDWARE, AND
NETSCREEN DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING
IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD
PARTY RIGHTS. NETSCREEN DOES NOT PROMISE THAT THE
PRODUCT IS ERROR-FREE OR WILL OPERATE WITHOUT
INTERRUPTION.
7. Limitation of Liability. IN NO EVENT SHALL NETSCREEN OR ITS
LICENSORS BE LIABLE UNDER ANY THEORY FOR ANY INDIRECT,
INCIDENTAL, COLLATERAL, EXEMPLARY, CONSEQUENTIAL OR
SPECIAL DAMAGES OR LOSSES SUFFERED BY YOU OR ANY
THIRD PARTY, INCLUDING WITHOUT LIMITATION LOSS OF USE,
PROFITS, GOODWILL, SAVINGS, LOSS OF DATA, DATA FILES OR
PROGRAMS THAT MAY HAVE BEEN STORED BY ANY USER OF
THE FIRMWARE. IN NO EVENT WILL NETSCREEN'S OR ITS
LICENSORS' AGGREGATE LIABILITY CLAIM BY YOU, OR ANYONE
CLAIMING THROUGH OR ON BEHALF OF YOU, EXCEED THE
ACTUAL AMOUNT PAID BY YOU TO NETSCREEN FOR FIRMWARE.
Some jurisdictions do not allow the exclusions and limitations of
incidental, consequential or special damages, so the above exclusions
and limitations may not apply to you.
8. Export Law Assurance. You understand that the Firmware is subject
to export control laws and regulations. YOU MAY NOT DOWNLOAD
OR OTHERWISE EXPORT OR RE-EXPORT THE FIRMWARE OR
ANY UNDERLYING INFORMATION OR TECHNOLOGY EXCEPT IN
FULL COMPLIANCE WITH ALL UNITED STATES AND OTHER
APPLICABLE LAWS AND REGULATIONS.
9. U.S. Government Restricted Rights. If this Product is being acquired
by the U.S. Government, the Product and related documentation is
commercial computer Product and documentation developed
exclusively at private expense, and (a) if acquired by or on behalf of
civilian agency, shall be subject to the terms of this computer Firmware,
and (b) if acquired by or on behalf of units of the Department of Defense
(“DoD”) shall be subject to terms of this commercial computer Firmware
license Supplement and its successors.
10. Tax Liability. You agree to be responsible for the payment of any
sales or use taxes imposed at any time whatsoever on this transaction.
11. General. If any provisions of this Agreement are held invalid, the
remainder shall continue in full force and effect. The laws of the State of
California, excluding the application of its conflicts of law rules shall
govern this License Agreement. This Agreement will not be governed
by the United Nations Convention on the Contracts for the International
Sale of Goods. This Agreement is the entire agreement between the
parties as to the subject matter hereof and supersedes any other
Technologies, advertisements, or understandings with respect to the
Firmware and documentation. This Agreement may not be modified or
altered, except by written amendment, which expressly refers to this
Agreement and which, is duly executed by both parties.
You acknowledge that you have read this Agreement, understand it,
and agree to be bound by its terms and conditions.
Hardware, including technical data, is subject to U.S. export laws,
including the U.S. Export Administration Act and its associated
regulations, and may be subject to export or import regulations in other
countries. Customer agrees to comply strictly with all such regulations
and acknowledges that it has the responsibility to obtain licenses to
export, re-export, or import hardware.
Preface
This reference guide documents the log messages that appear in ScreenOS 3.0.0. It serves a dual purpose:
Managing Message Log Databases
It provides a tool for categorizing and filtering messages
for administrators using such network management tools
as NetScreen-Global Manager, NetScreen-Global PRO,
SNMP, syslog, or WebTrends. Because the book is
organized by subject, you can quickly find all the
messages related to particular areas and filter those into
meaningful sections in the database.
For example, you can find all the messages related to
firewall status in the Firewall section on page 28. All the
messages related to VPNs are in the VLANs section on
page 138.
Understanding Messages
It provides the NetScreen administrator with a
comprehensive list of all the messages that the
NetScreen system generates with explanations of what
the messages mean and what possible actions you might
take upon receiving them. You can find appendices at the
end of the book organized by severity level. In each
appendix, the messages are listed by their message type
ID numbers.
For example, if you see a message with the severity level
“Notification” and the ID “00001,” you can look it up in the
Notification Messages appendix, and see that message
00001 is explained on page 2.
Organization
The book is organized into the following sections:
• Preface – The Preface explains the purpose of this book, its organization, and the
terminology conventions used in all NetScreen documentation.
• Introduction – The Introduction examines the discrete components of a message and the
options that affect how a message is displayed.
• Messages – This section contains all the messages organized by subject, then severity level,
then message type ID number. For example, Address >> Notification Level >> 00001 (subject
>> severity level >> message type ID). Each entry contains the following elements:
– Message – The text of the message that appears in the log.
– Meaning – An explanation of what the message means.
– Action – One or more recommended actions for the administrator to take, when such
action is required.
For example, one of the messages found at Address >> Notification Level >> 00001 is
the following:
Message
Address group <grp_name> has been { added | modified | deleted }.
Meaning
An administrator has added, modified, or deleted the specified address group.
Action
No recommended action
• Emergency Messages – This appendix lists all the emergency messages by message type ID numbers,
allowing you to find any emergency message quickly via its message type ID.
• Alert Messages – This appendix lists all the alert messages by message type ID numbers.
• Critical Messages – This appendix lists all the critical messages by message type ID numbers.
• Error Messages – This appendix lists all the error messages by message type ID numbers.
• Warning Messages – This appendix lists all the warning messages by message type ID numbers.
• Information Messages – This appendix lists all the information messages by message type ID numbers.
• Notification Messages – This appendix lists all the notification messages by message type ID numbers.
Feedback
This version of the NetScreen Message Log Reference Guide marks the first attempt to document all of the
ScreenOS messages. As it stands, this effort continues to be an ongoing project. If you find any errors or
omissions in the following content, please contact us at the e-mail address below:
[email protected]
Conventions
NetScreen publications use the following conventions to indicate optional and required elements, variables, and
options:
• A parameter inside [ ] (square brackets) is optional. This element might appear in the message.
• A parameter inside { } (braces) is required. This element must appear in the message.
• Anything inside < > (angle brackets) is a variable and denotes the type, rather than the exact wording, of
element that appears in the message.
• If there is more than one option for an element inside [ ] and { }, they are separated by a pipe ( | ).
For example, the following three messages can appear in the log:
• Address group sales has been added.
• Address group sales has been modified.
• Address group sales has been deleted.
In this book, these three messages are combined into one and written as follows:
• Address group <grp_name> has been { added | modified | deleted }.
Note that the variable <grp_name> denotes the specific name of the address group (sales in this example). The
braces and pipes indicate that one of the elements—added, modified, deleted—must appear in the message.
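As an added example (not code from the guide or from NetScreen), the following Python turns a message written in the notation above into a regular expression, so that actual log text can be matched against the guide's templates and the values of its variables extracted. The function names are this example's own.

```python
"""Compile message templates written in this guide's notation into regular expressions."""
import re
from typing import Dict, Optional, Tuple


def _literal(text: str) -> str:
    """Escape literal template text; any run of whitespace becomes \\s*."""
    words = text.split()
    out = r"\s*" if text[:1].isspace() else ""
    out += r"\s*".join(re.escape(w) for w in words)
    if words and text[-1:].isspace():
        out += r"\s*"
    return out


def _variable(name: str, seen: Dict[str, int]) -> str:
    """Named capture group for a <variable>. A name that repeats within one
    template (e.g. two <ip_addr>) gets a suffix, ip_addr_2, because Python
    regular expressions do not allow duplicate group names."""
    base = re.sub(r"\W", "_", name.strip())
    seen[base] = seen.get(base, 0) + 1
    group = base if seen[base] == 1 else f"{base}_{seen[base]}"
    return f"(?P<{group}>.+?)"


def _compile(tpl: str, pos: int, seen: Dict[str, int]) -> Tuple[str, int]:
    """Compile tpl[pos:] up to an unmatched ']', '}' or '|'; return the regex
    fragment and the index of the character that stopped the scan."""
    parts, literal = [], ""
    while pos < len(tpl) and tpl[pos] not in "]}|":
        ch = tpl[pos]
        if ch not in "<[{":
            literal += ch
            pos += 1
            continue
        parts.append(_literal(literal))
        literal = ""
        if ch == "<":                               # <variable>
            end = tpl.index(">", pos)
            parts.append(_variable(tpl[pos + 1:end], seen))
            pos = end + 1
        elif ch == "[":                             # [ optional element ]
            inner, pos = _compile(tpl, pos + 1, seen)
            if pos >= len(tpl) or tpl[pos] != "]":
                raise ValueError(f"unclosed '[' in template: {tpl!r}")
            parts.append(f"(?:{inner})?")
            pos += 1
        else:                                       # { required | choice }
            alts = []
            while True:
                inner, pos = _compile(tpl, pos + 1, seen)   # skips '{' or '|'
                alts.append(inner)
                if pos < len(tpl) and tpl[pos] == "|":
                    continue
                if pos < len(tpl) and tpl[pos] == "}":
                    break
                raise ValueError(f"unclosed '{{' in template: {tpl!r}")
            parts.append("(?:" + "|".join(alts) + ")")
            pos += 1
    parts.append(_literal(literal))
    return "".join(parts), pos


def compile_template(template: str) -> "re.Pattern[str]":
    """Regex that fullmatches every concrete message the template describes."""
    regex, pos = _compile(template, 0, {})
    if pos != len(template):
        raise ValueError(f"unbalanced {template[pos]!r} at offset {pos} in template")
    return re.compile(regex)


def match_template(template: str, message: str) -> Optional[Dict[str, Optional[str]]]:
    """Match message text against a template; return its variables, or None.
    Variables inside a choice that was not taken come back as None."""
    m = compile_template(template).fullmatch(message)
    return m.groupdict() if m else None
```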
Admin Information
When a message results from an administrator’s action, the administrator’s name precedes the message and the
location from which the administrator acted is included at the end of the message. All such log entries include the
following information:
<admin_name>: <message text> from { the console | scs <ip_addr> | telnet <ip_addr> | web <ip_addr>
| the master | the backup | the LCD display }.
Note: The terms “master” and “backup” denote the status of NetScreen devices configured for high
availability (HA) in a redundant cluster. The LCD display is available only on the NetScreen-500.
For example, messages such as the following can appear in the log:
• netscreen: Address group sales has been added from the console.
• joe: Address group sales has been modified from web 10.10.2.171.
• xo: Address group sales has been deleted from the master.
In the messages that follow in this book, the administrator’s name and location have been omitted to avoid
unnecessary repetition.
Note: Not all messages report the results of an admin’s action. For example, a message such as
CPU utilization has reached 90% of capacity does not include such information because no admin is
involved in the event.
Introduction
The messages explained in this book report events useful for system administrators when recording,
monitoring, and tracing the operation of a NetScreen device. The messages provide information regarding
the following events:
• Firewall attacks
• Configuration changes
• Successful and unsuccessful system operations
The following sections in the Introduction explain the separate components of each message and the
available display options:
• “Anatomy of a Message” on page xvi
• “Display options” on page xviii
Anatomy of a Message
All messages consist of the following elements:
• Date
• Time
• Module name
• Severity level
• Message type ID
• Message text
The following example shows the elements in that order (date, time, module name-severity level-message type ID: message text):
2001-9-25 12:02:57 system-emergency-00001: Address group jamaica has been added from the console.
The date shows the year-month-day when the event occurred.
The time shows the hour:minute:second when the event occurred.
The module name is the section of the system where the event occurred. In ScreenOS 3.0.0, the only module
noted is system.
The severity level places the event in one of eight levels of severity, using the hierarchical structure
established by syslog, as shown in the following table.
Level – Explanation of Level
• 0 Emergency – The system has become unusable.
• 1 Alert – Immediate action is required.
• 2 Critical – Functionality is affected.
• 3 Error – An erroneous condition exists and functionality is probably affected.
• 4 Warning – Functionality might be affected.
• 5 Notification – Notification of normal events.
• 6 Information – General information about system operations.
• 7 Debugging – Detailed information useful for debugging purposes. (currently not used)
The message type ID provides a number for classifying the category for each type of message. For example, a
notification message with ID 00001 indicates that it belongs in the address category. A critical message with
ID 00027 indicates that it belongs in the admin category.
You can find a list of message type ID numbers organized by severity level in the indexes at the back of this
book:
• “Emergency Messages” on page A-1
• “Alert Messages” on page B-1
• “Critical Messages” on page C-1
• “Error Messages” on page D-1
• “Warning Messages” on page E-1
• “Information Messages” on page F-1
• “Notification Messages” on page G-1
The message text describes the event being reported and often contains detailed information such as IP
addresses, port numbers, and specific configuration settings.
Display options
By default, messages appear as described in the previous section “Anatomy of a Message” on page xvi.
Optionally, you can change the message display to include return-address information. This information is
useful for debugging purposes. To change the message display to include the return-address, use the
following CLI command:
set logging header-format return-address
The message format changes to include the return-address (the (ra=...) element that follows the message type ID) for each message, as the following examples illustrate:
2001-9-25 10:56:03 system-critical-00027(ra=0x8013b6fc): Multiple login failures for user jSm1th from 10.100.2.171:80.
2001-9-25 11:00:00 system-notification-00008(ra=0x8013b754): The system clock has been updated through NTP.
2001-9-25 11:28:38 system-information-00527(ra=0x8013b7d8): A DHCP-assigned IP address has been manually released from web 10.2.150.22.
To change the format back to the default style, use the following CLI command:
set logging header-format detail
The messages no longer display the return-address information, as shown below:
2001-9-25 10:56:03 system-critical-00027: Multiple login failures for user jSm1th from 10.100.2.171:80.
2001-9-25 11:00:00 system-notification-00008: The system clock has been updated through NTP.
2001-9-25 11:28:38 system-information-00527: A DHCP-assigned IP address has been manually released from web 10.2.150.22.
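As an added example (not code from the guide or from NetScreen), the following Python parses log lines in the format described in “Anatomy of a Message” and “Display options”: it accepts both header formats, maps the severity name to its syslog level, and separates the admin name and source location that the “Admin Information” convention adds to admin-generated messages. The sample log, the regular expressions and the function names are this example's own.

```python
"""Parse and triage ScreenOS 3.0.0 event-log lines in the format described above."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Syslog severity levels from the "Anatomy of a Message" table.
SEVERITY_LEVELS = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
                   "warning": 4, "notification": 5, "information": 6, "debugging": 7}

# date time module-severity-id[(ra=0x...)]: text  -- covers both display formats
_HEADER_RE = re.compile(
    r"^(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<time>\d{1,2}:\d{2}:\d{2}) "
    r"(?P<module>[a-z]+)-(?P<severity>[a-z]+)-(?P<msg_id>\d{5})"
    r"(?:\(ra=(?P<ra>0x[0-9a-fA-F]+)\))?: (?P<text>.+)$")
# "<admin_name>: <text>" prefix on admin-generated messages (assumes names have no spaces/colons).
_ADMIN_RE = re.compile(r"^(?P<admin>[^:\s]+): (?P<text>.+)$")
# Trailing " from <location>." using the locations listed under "Admin Information".
_SOURCE_RE = re.compile(
    r" from (?P<source>the console|scs \S+|telnet \S+|web \S+|the master|"
    r"the backup|the LCD display)\.$", re.IGNORECASE)
# Text of the Admin category's critical-00027 message documented in this guide.
_LOGIN_FAIL_RE = re.compile(r"^Multiple login failures for user (?P<user>\S+) from (?P<where>.+)\.$")


@dataclass
class LogEvent:
    timestamp: datetime
    module: str
    severity: str
    level: int                        # numeric syslog level of the severity name
    msg_id: str                       # five-digit message type ID, e.g. "00027"
    text: str                         # message text with any admin-name prefix removed
    return_address: Optional[str] = None
    admin: Optional[str] = None
    source: Optional[str] = None


def parse_line(line: str) -> Optional[LogEvent]:
    """Parse one log line; return None for lines that are not ScreenOS messages."""
    m = _HEADER_RE.match(line.strip())
    if m is None or m.group("severity") not in SEVERITY_LEVELS:
        return None
    text, admin = m.group("text"), None
    am = _ADMIN_RE.match(text)
    if am:
        admin, text = am.group("admin"), am.group("text")
    sm = _SOURCE_RE.search(text)
    return LogEvent(
        timestamp=datetime.strptime(f"{m.group('date')} {m.group('time')}", "%Y-%m-%d %H:%M:%S"),
        module=m.group("module"),
        severity=m.group("severity"),
        level=SEVERITY_LEVELS[m.group("severity")],
        msg_id=m.group("msg_id"),
        text=text,
        return_address=m.group("ra"),
        admin=admin,
        source=sm.group("source") if sm else None)


def parse_log(log_text: str) -> List[LogEvent]:
    """Parse every line of a log, skipping lines that are not messages."""
    return [ev for ev in map(parse_line, log_text.splitlines()) if ev is not None]


def at_or_above(events: List[LogEvent], severity: str) -> List[LogEvent]:
    """Events at the given severity or more severe (lower syslog number)."""
    return [e for e in events if e.level <= SEVERITY_LEVELS[severity]]


def login_failure_sources(events: List[LogEvent]) -> Counter:
    """Count Admin critical-00027 messages by origin (<ip_addr>:<port_num> or 'console')."""
    sources: Counter = Counter()
    for e in events:
        if e.severity == "critical" and e.msg_id == "00027":
            m = _LOGIN_FAIL_RE.match(e.text)
            if m:
                sources[m.group("where")] += 1
    return sources


# Constructed sample log: the first three lines are the guide's own examples with their
# wrapped lines rejoined; the remaining lines are invented in the same format.
SAMPLE_LOG = """\
2001-9-25 10:56:03 system-critical-00027(ra=0x8013b6fc): Multiple login failures for user jSm1th from 10.100.2.171:80.
2001-9-25 11:00:00 system-notification-00008(ra=0x8013b754): The system clock has been updated through NTP.
2001-9-25 11:28:38 system-information-00527: A DHCP-assigned IP address has been manually released from web 10.2.150.22.
2001-9-25 12:02:57 system-notification-00001: joe: Address group sales has been modified from web 10.10.2.171.
2001-9-25 12:05:10 system-critical-00027: Multiple login failures for user admin from 10.100.2.171:80.
2001-9-25 12:07:44 system-critical-00027: Multiple login failures for user root from console.
this line is not a ScreenOS message
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print([(e.msg_id, e.text) for e in at_or_above(events, "critical")])
    print(dict(login_failure_sources(events)))
```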
Messages
This section contains a compendium of all the NetScreen messages. Each message is presented, its meaning
explained, and, where appropriate, an administrative action recommended. The messages are grouped by
message type, and then within that type by severity level, from the most severe to the least.
• “Address” on page 2
• “Admin” on page 4
• “Auth” on page 11
• “Clock” on page 17
• “Device” on page 18
• “DHCP” on page 20
• “DIP” on page 25
• “DNS” on page 26
• “Firewall” on page 28
• “Global” on page 43
• “High Availability” on page 52
• “IKE” on page 61
• “Interface” on page 83
• “Link Status” on page 88
• “Logs” on page 89
• “MIP” on page 90
• “PKI” on page 91
• “Policies” on page 102
• “Routes” on page 104
• “Schedule” on page 105
• “SCS” on page 106
• “SNMP” on page 118
• “Software Key” on page 126
• “Syslog and WebTrends” on page 127
• “System” on page 131
• “Users” on page 132
• “VIP” on page 134
• “Virtual Systems” on page 136
• “VLANs” on page 138
• “VPNs” on page 139
All messages reporting an administrative action include the location from which that action has been made: either
from the console, from an administrator’s host IP address via SCS, Telnet, or the Web, or from the LCD display
(NetScreen-500). When devices are used in a redundant cluster for high availability, the message also states
whether the action occurred on a master or backup unit. Note that because the part of a message stating the
source of an action is the same in all such messages, it is not included in the messages listed here. For more
information, see “Admin Information” on page xiii.
Address
These messages relate to the creation, modification, and removal of addresses.
Notification Level
Message
Address group <grp_name>: { Added | Deleted } member <addr_name>.
Meaning
An administrator has added the named address to or deleted it from the named address group.
Action
No recommended action
Message
<security_zone> address <addr_name> with { ip address <ip_addr> | domain name <dmn_name> } has
been { added | deleted | modified }.
Meaning
An administrator has added an address with the specified IP address or domain name in the specified
security zone to the address book, deleted it from the address book, or modified it in the address book.
Action
No recommended action
Message
Address group <grp_name> has been { added | modified | deleted }.
Meaning
An administrator has added, modified, or deleted the specified address group.
Action
No recommended action
Message
Address group <grp_name> comments have been modified.
Meaning
An administrator has modified the comment for the specified group.
Action
No recommended action
Message
Address group <grp_name1> group name has been changed to <grp_name2>.
Meaning
An administrator has changed the name of the address group.
Action
No recommended action
Admin
These messages relate to the administration of the NetScreen device.
Critical
Message
ScreenOS <version> serial # <number>: Asset recovery has been performed.
Meaning
From the console, an administrator has used the asset recovery option to return the specified ScreenOS
version on a NetScreen device with the specified serial number to its factory default settings.
Action
After successfully performing the asset recovery operation, an administrator must reconfigure the
NetScreen device.
Message
Multiple login failures for user <name> from { <ip_addr>:<port_num> | console }.
Meaning
The named user has failed to log in after three attempts from either a network address or via a console
connection. After three failed login attempts, the NetScreen device automatically terminates the
connection.
Action
No recommended action
Warning
Message
[ Vsys ] Admin <admin_name> has logged { on | out } via { the console | Telnet from
<ip_addr>:<port_num> | SCS from <ip_addr>:<port_num> }.
Meaning
The named administrator has logged on or out via a console connection or via a Telnet session from the
specified IP address and port number.
Action
No recommended action
Message
[ Vsys ] Admin <admin_name> has logged on via the WebUI ( { HTTP | HTTPS } ) to port <port_num>
from <ip_addr>:<port_num>.
Meaning
The named administrator has logged on to the WebUI at the specified port number using HTTP or HTTPS
from the specified IP address and port number.
Action
No recommended action
Message
Management session via { the console | Telnet from <ip_addr>:<port_num> | SCS from
<ip_addr>:<port_num> } for [ vsys ] admin <admin_name> has timed out.
Meaning
The management session via the console, Telnet, or SCS for the named administrator has expired.
Action
No recommended action
Message
Login attempt to system by admin <admin_name> via { the console | Telnet from <ip_addr>:<port_num> |
SCS from <ip_addr>:<port_num> } has failed.
Meaning
An attempt to log in to the NetScreen system by the named administrator via the console, Telnet, or SCS
has failed.
Action
No recommended action
Warning
Message
ScreenOS <version> serial # <number>: Asset recovery has been aborted.
Meaning
From the console, an administrator has aborted the asset recovery operation for the specified ScreenOS
version on a NetScreen device with the specified serial number.
Action
No recommended action
Notification
Message
System configuration has been erased.
Meaning
An administrator has erased the system configuration as the result of successfully performing asset
recovery via a console connection or by issuing an unset all command.
Action
The system configuration must be reconfigured.
Message
Management restriction for <ip_addr> <mask> has been { added | removed }.
Meaning
An administrator has either restricted network access to the NetScreen device only to administrators
logging in from the specified IP address or removed that restriction.
If the restriction is removed, administrators can manage the NetScreen device from any IP address (the
default setting).
Action
No recommended action
Message
System IP has been changed from <ip_addr1> to <ip_addr2>.
Meaning
An administrator has changed the system IP address.
Action
No recommended action
Message
{ HTTP | SCS | SSL | Telnet } port has been changed from <port_num1> to <port_num2>.
Meaning
An administrator has changed the port number used for managing the device via HTTP, SCS, SSL, or
Telnet.
Action
No recommended action
Message
{ Root admin | Read/write admin | Vsys admin } { password | name } has been changed.
Meaning
Because there are different administrative levels with different privileges, the level of the admin taking
action affects the possible meanings of this message, which can be any of the following:
• The root admin has changed its own password or user name, or the password or user name of any
other admin.
• A read/write admin has changed its own password or the password or user name of a vsys admin.
• A vsys read/write admin has changed its own password.
Action
No recommended action
Message
Admin user <name> has been { added | modified | deleted }.
Meaning
The root admin has added the named admin user, modified the user’s administrative privileges, or
deleted the user.
Action
No recommended action
Message
The management idle timeout value has been changed from <minutes> to <minutes>.
Meaning
An admin has changed the management idle timeout value that terminates an administrative session via
the Web when the specified amount of idle time has been reached.
Action
No recommended action
Message
E-mail notification has been { enabled | disabled }.
Meaning
An admin has enabled or disabled e-mail notification of event alarms.
Action
No recommended action
Message
Mail server { IP address | domain name } has been changed.
Meaning
An admin has changed the IP address or domain name of the SMTP server used for sending e-mail
notification of event alarms.
Action
No recommended action
Message
E-mail address { 1 | 2 } has been changed.
Meaning
An admin has changed the first or second e-mail address to which e-mail notification of event alarms is
sent.
Action
No recommended action
Message
Inclusion of traffic logs with e-mail notification of event alarms has been { enabled | disabled }.
Meaning
An admin has enabled or disabled the inclusion of traffic logs with the e-mail notification of event alarms.
Action
No recommended action
Message
LCD control keys have been locked.
Meaning
An admin has locked the LCD control keys on the NetScreen-500 device.
Action
No recommended action
Message
LCD display has been turned off and the LCD control keys have been locked.
Meaning
An admin has locked the LCD control keys and turned off the LCD display on the NetScreen-500 device.
Action
No recommended action
Message
LCD display has been turned on.
Meaning
An admin has turned on the LCD display on the NetScreen-500 device.
Action
No recommended action
Message
LCD display has been turned on and the LCD control keys have been unlocked.
Meaning
An admin has turned on the LCD display and unlocked the LCD control keys on the NetScreen-500
device.
Action
No recommended action
Auth
The following messages relate to user authentication.
Alert
Message
Multiple authentication failures have been detected! From <ip_addr>:<port_number> to
<ip_addr>:<port_number>, using protocol TCP, on interface <interface_name>.
Meaning
The NetScreen device has detected multiple failed authentication attempts from the specified source IP
address and port, destined for the specified IP address and port, using the TCP protocol at the specified
interface.
Action
An unauthorized party might be trying to access the NetScreen device. Research the owner of the source
IP address and the name used for the attempted log in to determine the cause of the multiple
authentication failures. If they appear suspicious, notify your network security officer (NSO).
Warning
Message
User <name> at <ip_addr> must enter “Next Code” for SecurID <ip_addr>.
Meaning
The user at the specified IP address must enter the next token code from his or her SecurID card to
authenticate with the SecurID server at the specified IP address.
Action
No recommended action
Warning
Message
Local authentication for user <name> was { denied | successful }.
Meaning
The local database either denied access to the specified user or authenticated the user.
Action
No recommended action
Message
User <name> at <ip_addr> has been { accepted | rejected } via the { RADIUS | SecurID | LDAP } server at
<ip_addr>.
Meaning
The user at the specified IP address has been accepted or rejected by the specified authentication
server.
Action
No recommended action
Message
Admin user <name> has been { accepted | rejected } via the RADIUS server at <ip_addr>.
Meaning
The named admin user has been accepted or rejected by the specified RADIUS server.
Action
No recommended action
Warning
Message
{RADIUS | SecurID | LDAP } user authentication attempt has timed out.
Meaning
The NetScreen device could not make a network connection to the RADIUS, SecurID, or LDAP server to
authenticate a user and the attempt has timed out.
Action
Check the network cable connection, the IP address of the authentication server entered on the
NetScreen device, and the authentication settings on both the NetScreen device and the authentication
server.
Information
Message
User <name> at <ip_addr> must enter the “new PIN” for SecurID <ip_addr>.
Meaning
The user at the specified IP address must enter the new PIN to authenticate with the SecurID server at
the specified IP address.
Action
No recommended action
Message
User <name> at <ip_addr> must make a “New PIN” choice for SecurID <ip_addr>.
Meaning
The user at the specified IP address must choose between creating a new user-generated PIN, using a
new system-generated PIN, or quitting the session to authenticate with the SecurID server at the
specified IP address.
Action
No recommended action
Message
User <name> at <ip_addr> has selected a system-generated PIN for authentication with SecurID
<ip_addr>.
Meaning
The specified user has requested that the SecurID server at the specified IP address generate a new PIN
for the user.
Action
No recommended action
Message
The new PIN for user <name> at <ip_addr> has been { accepted | rejected } by SecurID <ip_addr>.
Meaning
The SecurID server at the specified IP address has accepted or rejected the specified user’s new PIN.
Action
No recommended action
Information
Message
Cannot contact the SecurID server.
Meaning
The NetScreen device cannot make a network connection to the SecurID server.
Action
Check that the network and authentication settings on both the NetScreen device and the SecurID server
are correctly configured and that the SecurID server has an active physical network connection.
Notification
Message
LDAP { server name | port number | distinguished name | common name } has been changed.
Meaning
An administrator has changed the server IP address, TCP port number, distinguished name, or common
name for the LDAP server.
Action
No recommended action
Message
Authentication type has been changed to { internal database | RADIUS | SecurID | LDAP }.
Meaning
An administrator has changed the authentication type to the specified method.
Action
No recommended action
Message
RADIUS server { IP | port | secret } has been changed.
Meaning
An administrator has changed the IP address or port number of the RADIUS server, or the secret shared
between the NetScreen device and the RADIUS server.
Action
No recommended action
Message
{ Master | Backup } SecurID server IP address has been changed.
Meaning
An administrator has changed the IP address of either the master or backup SecurID server.
Action
No recommended action
Message
SecurID { authentication port | duress mode | timeout value | number of retries value } has been changed.
Meaning
An administrator has changed one of the following SecurID parameters:
- The SecurID port number on which the NetScreen device communicates with the SecurID server
- Duress mode, which allows a user to log in with a different PIN only once if he or she is doing so
under duress
- Timeout value in seconds that the NetScreen device waits between authentication retry attempts
- Number of authentication attempts, or retries, that the NetScreen device makes to establish a
connection with the SecurID server
Action
No recommended action
CLOCK
The following messages relate to the system clock.
Notification
Message
The system clock has been updated through NTP.
Meaning
The NetScreen system clock has used the Network Time Protocol (NTP) to update itself automatically.
Action
No recommended action
Message
NTP settings have been changed.
Meaning
An admin has changed at least one of the Network Time Protocol (NTP) settings.
Action
No recommended action
DEVICE
The following messages relate to the physical hardware components of the NetScreen device.
Critical
Message
At least one power supply is not functioning properly.
Meaning
At least one power supply is incorrectly seated, unplugged, or malfunctioning.
Action
First check that the power supplies are fully seated, that the power cords are plugged in to both power
supplies and plugged in to active power sources, and that the power cords are undamaged. If the
problem persists, replace the faulty power supply.
Message
The { primary | secondary } power supply is not functioning properly.
Meaning
Either the primary or the secondary power supply is incorrectly seated, unplugged, or malfunctioning.
Action
First check that the specified power supply is fully seated, that the power cord is plugged in to both the
power supply and an active power source, and that the power cord is undamaged. If the problem persists,
replace the power supply.
Message
At least one fan is not functioning properly.
Meaning
The fan assembly is incorrectly seated, or at least one fan is malfunctioning.
Action
First check that the fan assembly is properly in place and that nothing is restricting air flow to the fans. If
the problem persists, replace the fan assembly.
Message
The system temperature (<number>° C, <number>° F) is too high.
Meaning
The system temperature has exceeded the alarm threshold.
Action
First check that the fan assembly is functioning properly. If it is functioning properly, check that nothing is
restricting air flow to the fans. If it is not functioning properly, check that the fan assembly is correctly
seated. If the problem persists, replace the fan assembly.
Message
The { primary | secondary } power supply is now functioning properly.
Meaning
The specified power supply, which had malfunctioned, has returned to normal operation.
Action
No recommended action
Message
All { power supplies | fans } are now functioning properly.
Meaning
At least one power supply or fan that had malfunctioned has returned to normal operation.
Action
No recommended action
DHCP
The following messages relate to Dynamic Host Configuration Protocol (DHCP). Some NetScreen devices can act as a
DHCP server or relay agent. Some NetScreen devices can also act as a DHCP client. The following messages
are divided into two sections: the first is for DHCP server and relay agent messages; the second is for DHCP
client messages.
DHCP Server and Relay Agent
Information
Message
A DHCP-assigned IP address has been manually released.
Meaning
An admin has manually released an IP address that the NetScreen device had assigned to a DHCP
client. (The client then automatically requests another IP address.)
Action
No recommended action
Message
A DHCP-assigned IP address <ip_addr> has been { assigned to <mac_addr> | freed from <mac_addr> }.
Meaning
The NetScreen device, acting as a DHCP server, has either assigned or freed an IP address for a DHCP
client with the specified MAC address.
Action
No recommended action
Message
MAC address <mac_addr> has detected an IP conflict and has declined address <ip_addr>.
Meaning
The DHCP client has detected an IP address conflict and has declined the specified address. (After a
DHCP client has been offered an IP address and before it accepts it, the client checks if there is any other
host using the same address. If the client does not find a conflict, it accepts the address. If it does find a
conflict, it rejects it.)
Action
No recommended action
Message
DHCP server has { assigned | released } an IP address.
Meaning
The NetScreen device, acting as a DHCP server, has either assigned or released an IP address.
Action
No recommended action
Notification
Message
The DHCP server options have been changed.
Meaning
An admin has changed one or more of the DHCP server options on the NetScreen device.
Action
No recommended action
Notification
Message
The DHCP server IP address pool has changed.
Meaning
The NetScreen device, acting as a DHCP server, has offered, committed, or freed at least one IP address
in its DHCP address pool.
Action
No recommended action
DHCP Client
Information
Message
DHCP client lease for <ip_addr> has expired.
Meaning
The specified DHCP client IP address is no longer valid. (The NetScreen device automatically requests
another IP address from the DHCP server.)
Action
No recommended action
Message
DHCP server <ip_addr> has assigned the <interface_name> interface <ip_addr> with lease <lease>.
Meaning
The specified DHCP server has assigned an IP address to the named interface for the specified lease
period.
Action
No recommended action
Message
An IP conflict has been detected and the DHCP client has declined address <ip_addr>.
Meaning
The DHCP client has detected an IP address conflict and has declined the specified address. (After a
DHCP client has been offered an IP address and before it accepts it, the client checks if there is any other
host using the same address. If the client does not find a conflict, it accepts the address. If it does find a
conflict, it rejects it.)
Action
No recommended action
Message
DHCP client IP <ip_addr> for the interface <interface_name> has been manually released.
Meaning
An admin has manually released the specified IP address assigned to the named interface acting as a
DHCP client.
Action
No recommended action
Message
DHCP client is unable to get an IP address for the <interface_name> interface.
Meaning
The NetScreen device, acting as a DHCP client, requested an IP address (perhaps repeatedly) for the
specified interface but did not receive one from the DHCP server.
Action
If none of the requests for an IP address from the DHCP server are successful, check the DHCP client
settings on the NetScreen device and the settings on the DHCP server.
Information
Message
System auto-config of file <file_name> from TFTP server <ip_addr> has { been loaded successfully |
failed }.
Meaning
The NetScreen device, acting as a DHCP client, has either automatically loaded or failed to load the
specified system configuration file from the specified TFTP server.
Action
No recommended action
DIP
The following messages relate to dynamic IP (DIP) addresses.
Notification
Message
DIP <ip_addr1>-<ip_addr2> has been { added | modified | deleted }.
Meaning
An administrator has added, modified, or deleted the DIP pool consisting of the specified range of IP
addresses.
Action
No recommended action
DNS
The following messages concern Domain Name System (DNS) settings.
Information
Message
DNS entries have been { manually | automatically } refreshed.
Meaning
An admin has refreshed the entries in the DNS table, or the NetScreen device has refreshed the entries
through a scheduled operation.
Action
No recommended action
Notification
Message
Daily DNS lookup time has been changed.
Meaning
An administrator has changed the time at which the NetScreen device performs the daily DNS lookup,
resolving the domain names in its DNS table to IP addresses.
Action
No recommended action
Message
Daily DNS lookup has been disabled.
Meaning
An administrator has disabled the automatic daily lookup of entries in the DNS table.
Action
To refresh the DNS table, an admin must manually invoke the DNS lookup operation.
Message
{ Primary | Secondary } DNS server IP has been changed.
Meaning
An administrator has changed the IP address of the primary or secondary DNS server.
Action
No recommended action
Message
DNS cache table has been cleared.
Meaning
An administrator has cleared the DNS entries stored in the cache.
Action
No recommended action
Notification
Message
DNS has been refreshed.
Meaning
The NetScreen device has just performed a DNS lookup and refreshed its DNS table of domain name to
IP address mappings.
Action
No recommended action
FIREWALL
The following messages concern firewall settings and reports of attacks.
Emergency
Message
SYN flood has been detected! From <ip_addr>:<port_number> to <ip_addr>:<port_number>, using
protocol TCP, on interface <interface_name>. [ The attack occurred <number> times. ]
Meaning
The NetScreen device has detected an excessive number of SYN packets arriving at the specified
interface from the specified source IP address and port, destined for the specified IP address and port,
and using Transmission Control Protocol (TCP). The number indicates how many consecutive times per
second the internal timer detected SYN packets in excess of the SYN attack alarm threshold.
Action
First determine if a valid SYN flood attack triggered the alarm. If the traffic originated from a small number
of consistently fixed IP addresses or was destined for a popular server, it might be a false alarm. In that
case, you might want to adjust the SYN flood alarm threshold. If the traffic came from a wide range of
noncontiguous IP addresses or was bound for IP addresses that do not normally receive much traffic, it
was probably an attack. In that case, contact your network security officer (NSO) and your upstream
service provider to resolve the issue.
Emergency
Message
Teardrop attack has been detected! From <ip_addr>:<port_number> to <ip_addr>:<port_number>, using
protocol { TCP | UDP | <protocol_number> }, on interface <interface_name>. [ The attack occurred
<number> times. ]
Meaning
The NetScreen device has detected a Teardrop attack at the specified interface, from the specified
source IP address and port, destined for the specified IP address and port, and using the specified
protocol. (Note: If the protocol is not TCP or UDP, the source and destination port numbers are not
included in the message.) The number of times the attack occurred indicates how many consecutive
fragmented packets per second the NetScreen device received and was unable to reassemble because
of discrepant fragment sizes and offset values.
A Teardrop attack exploits the reassembly of fragmented packets, altering the offset values used when
recombining fragments so that the target device cannot successfully complete the reassembly procedure.
A flood of such packets can force the target device to expend all its resources on reassembling
fragmented packets, causing a denial-of-service (DoS) for legitimate traffic.
Action
Investigate the source IP address by checking a service such as the American Registry of Internet
Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source
address raises suspicion, notify your network security officer (NSO).
Emergency
Message
Ping of Death has been detected! From <ip_addr> to <ip_addr>, using protocol 1, on interface
<interface_name>. [ The attack occurred <number> times. ]
Meaning
The NetScreen device has detected an attempted Ping of Death attack at the specified interface, from the
specified source IP address, destined for the specified IP address, and using the specified protocol (1).
The number of times the attack occurred indicates how many consecutive oversized ICMP echo requests
(or PINGs) per second the NetScreen device received.
When encountering a Ping of Death attack, the NetScreen device detects grossly oversized ICMP
packets and rejects them.
Action
Investigate the source IP address by checking a service such as the American Registry of Internet
Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source
address raises suspicion, notify your network security officer (NSO).
Alert
Message
Winnuke attack has been detected! From <ip_addr> to <ip_addr>, using protocol 139, on interface
<interface_name>. [ The attack occurred <number> times. ]
Meaning
The NetScreen device has detected and corrected the overlapping offset value of a NetBIOS Session
Service (port 139) packet from the specified source IP address, destined for the specified address, and
arriving at the specified interface. The number indicates how many consecutive times per second the
internal timer detected such WinNuke packets.
Action
Investigate the source IP address by checking a service such as the American Registry of Internet
Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source
address raises suspicion, notify your network security officer (NSO).
Alert
Message
IP spoofing has been detected! From <ip_addr>:<port_number> to <ip_addr>:<port_number>, using
protocol { TCP | UDP | <protocol_number> }, on interface <interface_name>. [ The attack occurred
<number> times. ]
Meaning
The NetScreen device has detected and rejected a packet having a source IP address and arriving at an
interface that conflicts with the NetScreen route table. (Note: If the protocol is not TCP or UDP, the source
and destination port numbers are not included in the message.) The number indicates how many
consecutive times per second the internal timer detected incidents of spoofed IP packets.
Action
If the IP spoofing continues long enough and you consider it worth the effort, contact your upstream
service provider to initiate a backtracking operation, basically tracking packets with the spoofed address
from router to router back to their actual source. When the source is located, investigate it to determine if
it is the instigator or merely an innocent and unwitting pawn hosting a “zombie agent” controlled by
another device.
Alert
Message
IP source routing has been detected! From <ip_addr>:<port_number> to <ip_addr>:<port_number>,
using protocol { TCP | UDP | <protocol_number> }, on interface <interface_name>. [ The attack occurred
<number> times. ]
Meaning
The NetScreen device has detected and blocked a packet having the source route option enabled in its
header. The packet came from the specified source IP address and port number, bound for the specified
destination address and port number, using the specified protocol, and arriving at the specified interface.
(Note: If the protocol is not TCP or UDP, the source and destination port numbers are not included in the
message.) The number indicates how many consecutive times per second the internal timer detected
packets with the source route option enabled in their headers.
In IP, the source route option can contain routing information that specifies a different source IP address
than that in the packet header. The NetScreen device rejects any packets with this option enabled.
Action
Investigate the source IP address by checking a service such as the American Registry of Internet
Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source
address raises suspicion, notify your network security officer (NSO).
Alert
Message
Land attack has been detected! From <ip_addr1>:<port_number1> to <ip_addr1>:<port_number1>,
using protocol TCP, on interface <interface_name>. [ The attack occurred <number> times. ]
Meaning
The NetScreen device has detected and blocked SYN packets whose source IP addresses have been
spoofed to be the same as the destination addresses. The packets used TCP and arrived at the specified
interface. The number indicates how many consecutive times per second the internal timer detected
incidents of spoofed IP packets with identical source and destination IP addresses.
By combining elements of the SYN flood defense and IP Spoofing detection, the NetScreen device blocks
any attempted attacks of this nature.
Action
If the attack continues long enough and you consider it worth the effort, contact your upstream service
provider to initiate a backtracking operation, basically tracking packets with the spoofed address from
router to router back to their actual source. When the source is uncovered, investigate it to determine if it
is the instigator or merely an innocent and unwitting pawn hosting a “zombie agent” controlled by another
device.
Alert
Message
ICMP flood has been detected! From <ip_addr>:<port_number> to <ip_addr>:<port_number>, using
protocol 1, on interface <interface_name>. [ The attack occurred <number> times. ]
Meaning
The NetScreen device has detected an excessive number of ICMP echo requests arriving at the specified
interface from the specified source IP address and port, and destined for the specified IP address and
port. The number indicates how many consecutive times the internal timer detected ICMP echo requests
in excess of the ICMP attack alarm threshold.
Action
First determine if a valid ICMP flood attack triggered the alarm. If the traffic originated from a small
number of consistently fixed IP addresses or was destined for a popular server, it might be a false alarm.
In that case, you might want to adjust the ICMP flood alarm threshold. If the traffic came from a wide
range of noncontiguous IP addresses or was bound for IP addresses that do not normally receive much
traffic, it was probably an attack. In that case, contact your network security officer (NSO) and your
upstream service provider to resolve the issue.
Alert
Message
UDP flood has been detected! From <ip_addr>:<port_number> to <ip_addr>:<port_number>, using
protocol UDP, on interface <interface_name>. [ The attack occurred <number> times. ]
Meaning
The NetScreen device has detected an excessive number of UDP packets arriving at the specified
interface from the specified source IP address and port, destined for the specified IP address and port,
and using User Datagram Protocol (UDP). The number indicates how many consecutive times the
internal timer detected UDP packets in excess of the UDP attack alarm threshold.
Action
First, determine if this was indeed a UDP flood attack by checking whether the NetScreen device is
processing Voice-over-IP (VoIP) or video-over-IP (H.323) traffic, which can appear to the device as a flood
of UDP traffic.
Second, determine if this was an attack by checking whether the traffic originated from a small number of
consistently fixed IP addresses or was destined for a popular server. If so, it might be a false alarm, and
you might want to adjust the UDP flood alarm threshold. If the traffic came from a wide range of
noncontiguous IP addresses or was bound for IP addresses that do not normally receive much traffic, it
was probably an attack. In that case, contact your network security officer (NSO) and your upstream
service provider to resolve the issue.
Alert
Message
Port scan has been detected! From <ip_addr>:<port_number> to <ip_addr>, using protocol { TCP | UDP |
<protocol_number> }, on interface <interface_name>. [ The attack occurred <number> times. ]
Meaning
The NetScreen device has detected an excessive number of port scans arriving at the specified interface
from the specified source IP address and port, destined for the specified IP address, and using the
specified protocol. (Note: If the protocol is not TCP or UDP, the source and destination port numbers are
not included in the message.) The number indicates how many consecutive times per second the internal
timer detected ports being scanned in excess of the port scan alarm threshold.
Action
Investigate the source IP address. If the address belongs to a server, verify that it is not infected with a
port-scanning worm. If the address raises suspicion, notify your network security officer (NSO) and
resolve the issue with the owner of the address.
Note: If you enable logging on your basic inbound “deny any” policy, all inbound denied packets are
logged in the logging table associated with that policy. This allows you to check for patterns of activity and
more easily discern suspicious activity from innocent activity.
Alert
Message
Address sweep has been detected! From <ip_addr>:<port_number>, using protocol { TCP | UDP |
<protocol_number> }, on interface <interface_name>. [ The attack occurred <number> times. ]
Meaning
The NetScreen device has detected an excessive number of IP address scans arriving at the specified
interface from the specified source IP address and port, and using the specified protocol. (Note: If the
protocol is not TCP or UDP, the source and destination port numbers are not included in the message.)
The number indicates how many consecutive times per second the internal timer detected IP addresses
being scanned in excess of the address sweep alarm threshold.
Action
Investigate the source IP address. If the address belongs to a server, verify that it is not infected with a
port-scanning worm. If the address raises suspicion, notify your network security officer (NSO) and
resolve the issue with the owner of the address.
Note: If you enable logging on your basic inbound “deny any” policy, all inbound denied packets are
logged in the logging table associated with that policy. This allows you to check for patterns of activity and
more easily discern suspicious activity from innocent activity.
Critical
Message
HTTP packet containing a malicious URL has been detected and blocked! From
<ip_addr>:<port_number> to <ip_addr>:<port_number>, using protocol { TCP | UDP |
<protocol_number> }, on interface <interface_name>. [ The attack occurred <number> times. ]
Meaning
The NetScreen device has detected and rejected a Hypertext Transfer Protocol (HTTP) packet with a
URL containing a malicious string used to attack Web servers. The packet came from the specified
source IP address and port number, bound for the specified destination address and port number, using
the specified protocol, and arriving at the specified interface. The number indicates how many
consecutive times per second the internal timer detected packets with such malicious URL strings.
Action
No recommended action
Critical
Message
Session threshold has been exceeded! From <ip_addr>:<port_number>, to <ip_addr>:<port_number>,
using protocol { TCP | UDP | <protocol_number> }, and arriving at interface <interface_name>. [ The
threshold was exceeded <number> times. ]
Meaning
The NetScreen device has detected an excessive number of packets from the same source IP address,
destined for the specified IP address, using the specified protocol, and arriving at the specified interface.
(Note: If the protocol is not TCP or UDP, the source and destination port numbers are not included in the
message.) The number indicates how many consecutive times per second the internal timer detected
packets in excess of the session threshold.
Action
Investigate the source IP address and check the session threshold setting. If the address belongs to a
server with a high number of sessions, valid traffic from the address might exceed the threshold. In that
case, you might want to adjust the threshold.
If the source address raises suspicion, check if it is infected with a port-scanning worm, which can quickly
generate thousands of sessions, and notify your network security officer (NSO).
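The attack reports in this section (and the multiple-authentication-failure alert in the Auth section) share one message body: From source, optionally to destination, using protocol, on interface, with an optional occurrence count. The Python below is an added example, not code from the NetScreen guide: it parses that body, including the variants the notes above describe (no ports when the protocol is not TCP or UDP, no destination for address sweeps, no destination port for port scans, the session-threshold wording), and then applies the flood triage heuristic from the SYN, ICMP and UDP flood Action entries. The sample lines, the three-source cut-off and the /24 test for "noncontiguous" are constructed assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

# Shared body of the attack/alert messages documented in the guide:
#   "<event> has been detected! From <ip>[:<port>] [to <ip>[:<port>]],
#    using protocol <TCP|UDP|number>, on interface <name>. [The attack occurred <n> times.]"
# Also accepts "at interface", the ", to ... and arriving at interface ..." wording of the
# session-threshold message, and "have been detected"/"has been exceeded".
_MSG_RE = re.compile(
    r"^(?P<event>.+?)(?: ha(?:s|ve) been (?:detected|exceeded))?!\s+"
    r"From (?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"(?:,?\s+to (?P<dst>[\d.]+)(?::(?P<dport>\d+))?)?,\s+"
    r"using protocol (?P<proto>\w+),\s+"
    r"(?:on|at|and arriving at) interface (?P<ifname>\S+?)\."
    r"(?:\s+The (?:attack occurred|threshold was exceeded) (?P<count>\d+) times\.)?\s*$"
)


@dataclass(frozen=True)
class AttackEvent:
    event: str
    src: str
    sport: Optional[int]   # None when the message carries no port (non-TCP/UDP protocol)
    dst: Optional[str]     # None for address sweeps, which report no destination
    dport: Optional[int]   # None for port scans and portless protocols
    proto: str             # "TCP", "UDP" or the IP protocol number as text, e.g. "1"
    ifname: str
    count: int             # the optional "<number> times" clause; 1 when it is absent


def parse_event(line: str) -> Optional[AttackEvent]:
    """Parse one message body; return None for lines that are not attack reports."""
    m = _MSG_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return AttackEvent(
        event=g["event"].strip(), src=g["src"],
        sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
        proto=g["proto"].upper(), ifname=g["ifname"],
        count=int(g["count"]) if g["count"] else 1,
    )


def parse_log(text: str) -> Tuple[List[AttackEvent], List[str]]:
    """Parse every non-empty line; lines that do not match are returned separately."""
    events: List[AttackEvent] = []
    unparsed: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


FLOOD_EVENTS = {"SYN flood", "ICMP flood", "UDP flood"}
FEW_SOURCES = 3  # assumed cut-off for "a small number of consistently fixed IP addresses"


def triage_floods(events: List[AttackEvent]) -> Dict[Tuple[str, str], str]:
    """Flood triage per the Action text: per (event, destination), few fixed sources point
    to a threshold problem; many sources spread over several /24s point to an attack.
    The /24 test is this example's reading of "noncontiguous", not the guide's definition."""
    by_dst = defaultdict(set)
    for ev in events:
        if ev.event in FLOOD_EVENTS and ev.dst:
            by_dst[(ev.event, ev.dst)].add(ev.src)
    verdicts = {}
    for key, sources in by_dst.items():
        nets = {ip_network(f"{s}/24", strict=False) for s in sources}
        if len(sources) <= FEW_SOURCES:
            verdicts[key] = "possible false alarm: few fixed sources, review the alarm threshold"
        elif len(nets) > 1:
            verdicts[key] = "probable attack: many noncontiguous sources, notify NSO and upstream provider"
        else:
            verdicts[key] = "many sources within one /24: investigate before escalating"
    return verdicts


# Constructed sample lines in the documented formats (not real NetScreen output).
SAMPLE_LOG = """\
SYN flood has been detected! From 203.0.113.7:40001 to 198.51.100.10:80, using protocol TCP, on interface ethernet3. The attack occurred 12 times.
SYN flood has been detected! From 203.0.113.7:40002 to 198.51.100.10:80, using protocol TCP, on interface ethernet3.
ICMP flood has been detected! From 192.0.2.1:0 to 198.51.100.20:0, using protocol 1, on interface ethernet3. The attack occurred 4 times.
ICMP flood has been detected! From 192.0.2.77:0 to 198.51.100.20:0, using protocol 1, on interface ethernet3.
ICMP flood has been detected! From 203.0.113.200:0 to 198.51.100.20:0, using protocol 1, on interface ethernet3.
ICMP flood has been detected! From 198.51.100.99:0 to 198.51.100.20:0, using protocol 1, on interface ethernet3.
Ping of Death has been detected! From 192.0.2.55 to 198.51.100.30, using protocol 1, on interface ethernet3. The attack occurred 3 times.
Port scan has been detected! From 192.0.2.9:5555 to 198.51.100.40, using protocol TCP, on interface ethernet3. The attack occurred 2 times.
Address sweep has been detected! From 192.0.2.9:5555, using protocol TCP, on interface ethernet3.
Multiple authentication failures have been detected! From 192.0.2.33:51000 to 198.51.100.1:443, using protocol TCP, on interface ethernet1.
Session threshold has been exceeded! From 192.0.2.66:1024, to 198.51.100.50:25, using protocol TCP, and arriving at interface ethernet3. The threshold was exceeded 7 times.
"""

if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(f"{ev.event:<34} {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} proto={ev.proto} x{ev.count} {ev.ifname}")
    for key, verdict in triage_floods(evs).items():
        print(key, "->", verdict)
```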
Notification
Message
<Firewall_protection_type> has been { enabled | disabled }.
Meaning
An administrator has either enabled or disabled one of the following firewall protection or packet handling
options:
• IP spoofing protection
• WinNuke attack protection
• Teardrop attack protection
• Port scan protection
• Ping of death protection
• IP sweep protection
• IP source route filtering protection
• Java/ActiveX/ZIP/EXE blocking
• SYN flood protection
• Default packet-deny policy
• Land attack protection
• Bypass-others-IPSec option
• ICMP flood protection
• Bypass non-IP traffic option
• UDP flood protection
• Deny policy alarm option
Action
No recommended action
Message
SYN flood { alarm threshold | alarm queue size | timeout value | attack threshold | attack threshold from
the same source } has been changed to <number>/second.
Meaning
An admin has changed the SYN flood alarm threshold, alarm queue size, timeout value, attack threshold,
or attack threshold from the same source IP address to the specified setting.
Action
No recommended action
Message
{ ICMP | UDP } flood alarm threshold from the same source has been changed to <number>/second.
Meaning
An admin has changed the ICMP or UDP flood alarm threshold from the same source IP address to the
specified setting.
Action
No recommended action
Message
Logging of { dropped | IKE | SNMP } traffic to self has been { enabled | disabled }.
Meaning
An admin has enabled or disabled the logging of dropped traffic, IKE traffic, or SNMP traffic destined for
the NetScreen device.
Action
No recommended action
GLOBAL
The following messages relate to configuration changes to NetScreen-Global Manager and NetScreen-Global
PRO central management software.
• “Global PRO”
• “Global Manager”
Global PRO
These messages pertain to NetScreen-Global PRO status reports and configuration changes.
Critical
Message
Intruder has attempted to connect to the NetScreen-Global PRO port! From <ip_addr>:<port_number> to
<ip_addr>:15400, using protocol { TCP | UDP | <protocol_number> }, at interface <interface_name>.
[ The attack occurred <number> times. ]
Meaning
The NetScreen device has detected an unauthorized attempt to connect to the device via the
NetScreen-Global PRO port. The connection attempt was from the specified source IP address and port
number, to the specified address and port number (15400 for NetScreen-Global PRO), using the
specified protocol, and arriving at the specified interface. The number indicates how many consecutive
times per second the internal timer detected unauthorized connection attempts to the NetScreen-Global
PRO port.
Action
Investigate the source IP address by checking a service such as the American Registry of Internet
Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source
address raises suspicion, notify your network security officer (NSO).
Information
Message
Cannot connect to Global PRO data collector at <ip_addr>.
Meaning
The NetScreen device cannot make a network connection to the NetScreen-Global PRO data collector
(DC) at the specified IP address.
Action
Check that the DC IP address settings are correct and that the DC is connected to the network and
functioning properly.
Message
Device is not known to Global PRO data collector at <ip_addr>.
Meaning
The NetScreen device is not registered with the NetScreen-Global PRO data collector (DC) at the
specified IP address.
Action
Using the NetScreen-Global PRO program, register the NetScreen device with the DC.
Message
Lost connection to Global PRO data collector at <ip_addr>.
Meaning
The TCP connection between the NetScreen device and the NetScreen-Global PRO data collector (DC)
at the specified IP address has been lost.
Action
Check that the DC has an active network link, is currently running, is accepting new connections at the
specified IP address, and is accessible from the NetScreen device.
Message
Connection to Global PRO data collector at <ip_addr> has timed out.
Meaning
The NetScreen-Global PRO data collector (DC) at the specified IP address has stopped responding to
the keep-alive messages sent by the NetScreen device.
Action
Check that the DC has an active network link, is currently running, is accepting new connections at the
specified IP address, and is accessible from the NetScreen device.
Message
Lost socket connection to Global PRO data collector at <ip_addr>.
Meaning
Due to network failure, the TCP connection between the NetScreen device and the NetScreen-Global
PRO data collector (DC) at the specified IP address has been lost.
Action
Check the network, and make sure that the DC is accessible from the NetScreen device.
Message
Device has connected to the Global PRO { primary | secondary } data collector at <ip_addr>.
Meaning
The NetScreen device has established a TCP connection to either the primary or secondary
NetScreen-Global PRO data collector (DC) at the specified IP address.
Action
No recommended action
Message
Connection to Global PRO data collector at <ip_addr> has been closed.
Meaning
An admin has closed the TCP connection between the NetScreen device and the NetScreen-Global PRO
data collector at the specified IP address.
Action
No recommended action
Notification
Message
Global PRO { primary | secondary } host has been set to { domain_name | IP_addr }.
Meaning
An administrator has changed the IP address or domain name of the Global PRO primary or secondary
host.
Action
No recommended action
Message
Global PRO has been { enabled | disabled }.
Meaning
An administrator has enabled or disabled Global-PRO manageability.
Action
No recommended action
Message
Global PRO { primary | secondary } host has been disabled.
Meaning
An administrator has disabled the Global-PRO primary or secondary host.
Action
No recommended action
Message
User-defined service <service_name> has been { added | removed } from Global PRO distribution.
Meaning
An administrator has either added or removed the specified user-defined service from the Global-PRO
protocol distribution table.
Action
No recommended action
Message
Global PRO timeout value has been returned to the default: 30 seconds.
Meaning
An admin has returned the NetScreen-Global PRO timeout value to its default setting of 30 seconds.
Action
No recommended action
Message
Global PRO timeout value has been changed to <number> seconds.
Meaning
An admin has changed the NetScreen-Global PRO timeout value to the specified number of seconds.
Action
No recommended action
Message
Reporting of { the <table_type> table | <alarm_type> alarms | <log_type> logs } to Global PRO has been
{ enabled | disabled }.
Meaning
An administrator has either enabled or disabled the inclusion of one of the following Global PRO tables,
alarms, or logs in reports to NetScreen-Global PRO:
• Protocol distribution table
• Attack alarms
• Ethernet statistics table
• Miscellaneous alarms
• Attack statistics table
• Configuration logs
• Flow statistics table
• Information logs
• Policy table
• Self-Management logs
• Traffic alarms
• Traffic logs
When one of the above tables is enabled, the NetScreen device reports that type of information to the
Global PRO data collector (DC).
When one of the above tables is disabled, the device does not report that information to the DC.
Action
No recommended action
Global Manager
These messages pertain to NetScreen-Global Manager errors and configuration changes.
Critical
Message
Intruder has attempted to connect to the NetScreen-Global Manager port! From
<ip_addr>:<port_number> to <ip_addr>:15397, using protocol { TCP | UDP | <protocol_number> }, at
interface <interface_name>. [ The attack occurred <number> times. ]
Meaning
The NetScreen device has detected an attempt to connect to the device via the NetScreen-Global
Manager port. The connection attempt was from the specified source IP address and port number, to the
specified address and port number (15397 for NetScreen-Global Manager), using the specified protocol,
and arriving at the specified interface. The number indicates how many consecutive times per second the
internal timer detected unauthorized connection attempts to the NetScreen-Global Manager port.
Action
Investigate the source IP address by checking a service such as the American Registry of Internet
Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source
address raises suspicion, notify your network security officer (NSO).
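The two "Intruder has attempted to connect" messages above (Global PRO port 15400 and Global Manager port 15397) share one format, so they can be parsed with a single expression and aggregated per source address before the Whois lookup the guide recommends. The following is an added example, not code from the guide or from NetScreen; the log lines it reads are constructed to match the documented message text, and the `untrust` interface name and the addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample event-log lines in the format this guide documents
# (not captured from a real device). The last line is an unrelated message
# that the parser must ignore.
SAMPLE_LOG = """\
Intruder has attempted to connect to the NetScreen-Global PRO port! From 203.0.113.7:40211 to 198.51.100.2:15400, using protocol TCP, at interface untrust. The attack occurred 12 times.
Intruder has attempted to connect to the NetScreen-Global Manager port! From 203.0.113.7:40212 to 198.51.100.2:15397, using protocol UDP, at interface untrust.
Intruder has attempted to connect to the NetScreen-Global PRO port! From 192.0.2.55:1025 to 198.51.100.2:15400, using protocol 17, at interface untrust. The attack occurred 3 times.
Global PRO has been enabled.
"""

# One pattern for both products; the trailing "The attack occurred N times." is optional.
INTRUDER_RE = re.compile(
    r"Intruder has attempted to connect to the NetScreen-Global (?P<product>PRO|Manager) port! "
    r"From (?P<src_ip>[\d.]+):(?P<src_port>\d+) to (?P<dst_ip>[\d.]+):(?P<dst_port>\d+), "
    r"using protocol (?P<proto>TCP|UDP|\d+), at interface (?P<ifname>\S+)\."
    r"(?: The attack occurred (?P<count>\d+) times\.)?"
)

# Management ports the guide documents for each product.
MGMT_PORTS = {"PRO": 15400, "Manager": 15397}


def parse_intruder_events(text):
    """Return one dict per intruder message found in `text`; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = INTRUDER_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        evt = {
            "product": d["product"],
            "src_ip": d["src_ip"],
            "src_port": int(d["src_port"]),
            "dst_ip": d["dst_ip"],
            "dst_port": int(d["dst_port"]),
            "proto": d["proto"],
            "interface": d["ifname"],
            # No suffix means the internal timer saw the attempt once.
            "count": int(d["count"]) if d["count"] else 1,
        }
        # Sanity check: the destination port should be the one documented for the product.
        evt["port_matches_product"] = evt["dst_port"] == MGMT_PORTS[evt["product"]]
        events.append(evt)
    return events


def sources_to_investigate(events, min_attempts=1):
    """Total attempts per source address, so each can be fed to a Whois lookup."""
    totals = Counter()
    for e in events:
        totals[e["src_ip"]] += e["count"]
    return {ip: n for ip, n in totals.items() if n >= min_attempts}


if __name__ == "__main__":
    for ip, n in sorted(sources_to_investigate(parse_intruder_events(SAMPLE_LOG)).items()):
        print(f"{ip}: {n} attempt(s) -> run a Whois lookup (for example: whois {ip})")
```

The aggregation step matters because one source that probes both management ports shows up as two separate messages; totalling by source address gives the number that decides whether to escalate to the network security officer.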
Message
Global Manager error in decoding bytes has been detected.
Meaning
The NetScreen device has detected an error while decoding a message sent from NetScreen-Global
Manager.
Action
Check that NetScreen-Global Manager is encoding its messages in the format the NetScreen device expects.
Notification
Message
Reporting of the { network activities | device resources | event logs | summary logs } to Global Manager
has been { enabled | disabled }.
Meaning
An administrator has either enabled or disabled the reporting of network activities, device resources,
event logs, or summary logs from the NetScreen device to NetScreen-Global Manager.
Action
No recommended action
Message
Global Manager { report port | listen port } has been set to <port_number>.
Meaning
An administrator has set the NetScreen-Global Manager report port or listen port to the specified port
number.
Action
No recommended action
Message
The Global Manager keep-alive value has been changed to <number> seconds.
Meaning
An administrator has changed the NetScreen-Global Manager keep-alive value to the specified number
of seconds. The keep-alive value is the interval at which the NetScreen device pings the
NetScreen-Global Manager host to ensure continued network connectivity.
Action
No recommended action
Message
Global Manager has been { enabled | disabled }.
Meaning
An administrator has enabled or disabled NetScreen-Global Manager manageability.
Action
No recommended action
Message
Global Manager domain name has been defined as <domain_name>.
Meaning
An administrator has defined the NetScreen-Global Manager domain name as specified.
Action
No recommended action
Message
Global Manager VPN management tunnel has been { enabled | disabled }.
Meaning
An administrator has enabled or disabled management of the NetScreen device through a VPN tunnel to
NetScreen-Global Manager.
Action
No recommended action
HIGH AVAILABILITY
The following messages concern high availability (HA) functions and HA-related features.
HA
Critical
Message
Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link.
Meaning
The primary HA link has gone down (perhaps the cable has become disconnected or needs to be
replaced) and HA communications have been transferred to the secondary HA link.
Action
Restore the primary HA link as soon as possible.
Information
Message
HA link state has { gone down | come up }.
Meaning
The state of the HA link has changed either from up to down or from down to up.
Action
If the HA link has gone down, restore it as soon as possible.
Notification
Message
HA state of the local NetScreen device has changed from { master | backup | init } to { master | backup |
init }.
Meaning
The state of the local NetScreen device, which is a member of a redundant cluster of devices in HA
mode, has changed. The three states that a device can be in are as follows:
• Master – The device is actively processing network and VPN traffic.
• Backup – The device is actively backing up the configuration and sessions processed by the master so
that it can assume mastership without service interruption if the current master steps down or a
failover occurs.
• Init – The device passes through a transitory initial state when it initially joins a cluster, when it rejoins a
cluster after rebooting, and when it exceeds the IP tracking failure threshold. While in this state, the
devices in the cluster negotiate whether it becomes master or backup.
Action
No recommended action
Message
HA state of the local device has changed to init because IP tracking has failed.
Meaning
The state of the local NetScreen device in a redundant cluster has changed from master or backup to init
because it exceeded the IP tracking failure threshold. While in the init state, the device continues to
perform IP tracking until it no longer exceeds the failure threshold. At that point, it is promoted to either
backup or master, as various factors such as priority settings and MAC values determine.
Action
No recommended action
Message
HA state of the local device has changed to backup because a device with a { higher priority has been
detected | lower MAC value has been detected }.
Meaning
The state of the local NetScreen device in a redundant cluster has changed to backup for one of the
following two reasons:
• Another device with a higher priority (that is, a priority value closer to 1) than that of the local device
(which had been acting as master) has been added to the cluster, causing the state of the local device
to change from master to backup.
• As two devices with the same device priority settings pass through the initial state, another device with
a lower MAC address than that of the local device becomes master, causing the state of the local
device to change from init to backup.
Action
No recommended action
Message
HA: Local device has been elected master because no other master exists.
Meaning
The local NetScreen device has become master due to one of the following conditions:
• The previous master has been demoted (possibly due to a failover or IP tracking failure).
• An admin has removed the previous master from the cluster.
• The local device is the first and so far only member of the cluster.
Action
No recommended action
Message
HA: Local NetScreen device has been elected backup because its MAC value is higher than those of
other devices in the cluster.
Meaning
The local NetScreen device has detected that its MAC address is higher than those of others in its cluster
and has been elected backup.
In a redundant cluster in which device priority settings are the same and so do not control HA states,
devices rely on MAC addresses to determine master and backup roles. The device with the lowest MAC
address is elected master. The others become backups.
Action
No recommended action
Message
HA: Local NetScreen device has been elected backup because its priority value is higher than those of
other devices in the cluster.
Meaning
The local NetScreen device has detected that its priority value is higher than those of others in its cluster
and has been elected backup.
In a redundant cluster in which device priority settings control HA states, the device with the priority value
closest to 1 is elected master. By default, all devices in HA mode have a priority value of 100.
Action
No recommended action
Message
HA: Local NetScreen device has been elected backup because a master already exists.
Meaning
The local NetScreen device has detected another device in the cluster acting as master, and because the
comparison of the priority settings and MAC addresses of the cluster members has not effected a state
change, the local device has been elected backup.
Action
No recommended action
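The three "elected backup" messages above describe one election rule: the lowest priority value (closest to 1) wins, and when priorities tie the lowest MAC address wins. The following is an added example that models that rule so an admin can predict which member of a cluster the log will report as master; it is not ScreenOS code, and the cluster members, their names and MAC addresses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ClusterMember:
    name: str
    priority: int   # 1..255; the value closest to 1 wins; the default is 100
    mac: str        # device MAC address, used only to break priority ties


def mac_to_int(mac):
    """Compare MAC addresses numerically, accepting ':' or '-' separators."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def elect_master(members):
    """Return (master, reason); reason is 'priority' or 'mac' depending on what decided it."""
    if not members:
        raise ValueError("cluster has no members")
    for m in members:
        if not 1 <= m.priority <= 255:
            raise ValueError(f"{m.name}: priority {m.priority} outside 1..255")
    best = min(m.priority for m in members)
    candidates = [m for m in members if m.priority == best]
    if len(candidates) == 1:
        return candidates[0], "priority"
    # Priorities tie: the lowest MAC address becomes master, the others backups.
    return min(candidates, key=lambda m: mac_to_int(m.mac)), "mac"


def local_role(local, members):
    """Return ('master' | 'backup', reason) for the local device in `members`."""
    master, reason = elect_master(members)
    return ("master" if master == local else "backup"), reason


# Constructed example cluster: all three devices keep the default priority of 100,
# so the MAC address decides. (Names and addresses are assumptions, not real devices.)
NS_A = ClusterMember("ns-a", 100, "00:10:db:11:22:33")
NS_B = ClusterMember("ns-b", 100, "00:10:db:11:22:2f")
NS_C = ClusterMember("ns-c", 100, "00:10:db:11:22:40")

if __name__ == "__main__":
    for dev in (NS_A, NS_B, NS_C):
        print(dev.name, local_role(dev, [NS_A, NS_B, NS_C]))
```

Lowering one member's priority (for example to 10) makes the election end at the priority step, which is the case the "priority value is higher than those of other devices" message reports; leaving all priorities at the default 100 produces the "MAC value is higher" message instead.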
Message
HA: Previous master has promoted the local NetScreen device to master.
Meaning
The device acting as master of the redundant cluster issued a command promoting the local NetScreen
device to master.
Action
No recommended action
Message
HA cluster ID has been changed to <number>.
Meaning
An admin has changed the ID number of the redundant cluster to which the local NetScreen device
belongs to a number between 1 and 255.
Action
No recommended action
Message
Primary HA interface has been changed to { 0 | 1 | 2 }.
Meaning
An admin has changed the primary HA interface to the trusted (0), untrusted (1), or DMZ (2) interface.
Action
No recommended action
Message
HA: Local device priority has been changed to <number>.
Meaning
An admin has changed the priority setting of the local NetScreen device to a number between 1 and 255.
Action
No recommended action
Message
HA { encryption | authentication } { password | key } has been changed.
Meaning
An admin has changed either the encryption password or key or the authentication password or key used
to secure HA communications among members of the same redundant cluster.
Action
No recommended action
Message
Reporting of HA configuration and status changes to NetScreen-Global Manager has been enabled.
Meaning
An admin has enabled the reporting of changes to HA configuration and status to NetScreen-Global
Manager.
Action
No recommended action
Path Monitoring
Critical
Message
IP tracking to <ip_addr> has failed.
Meaning
The number of consecutive unanswered ICMP echo requests or ARP requests to the specified IP
address has exceeded the tracked IP failure threshold.
Action
Check that the physical network link on the NetScreen device is up and that it is securely connected to
adjacent network devices, whose physical links are also up.
Notification
Message
IP tracking to <ip_addr> with interval <seconds>, threshold <number>, weight <number>, interface
<Interface_name>, method { ping | ARP } has been added.
Meaning
An admin has added the specified IP address with the following attributes to the list of targeted addresses
for IP tracking:
• Interval – the frequency for sending ping or ARP requests to the tracked IP address
• Threshold – the number of unanswered ping or ARP requests that indicate a failed attempt to contact the
tracked IP address
• Weight – a value indicating the importance of connectivity to this address in relation to that of others
being tracked
• Interface – the interface from which the ping or ARP requests are sent
• Method – the method by which IP tracking to the specified address is performed, either ping or ARP
Action
No recommended action
Message
Tracked IP <ip_addr> has been deleted.
Meaning
An admin has deleted the specified IP address from the list of addresses targeted for IP tracking.
Action
No recommended action
Message
Tracked IP <ip_addr> options have been changed from int <seconds> thr <number> wgt <number> inf
<interface_name> { ping | ARP } to <seconds> <number> <number> <Interface_name> { ping | ARP }.
Meaning
An admin has changed the specified path monitoring options for the specified tracked IP address.
Action
No recommended action
Message
IP tracking has been { enabled | disabled }.
Meaning
An admin has enabled or disabled the IP tracking feature.
Action
No recommended action
Message
IP tracking device failover threshold has been disabled.
Meaning
An admin has disabled the IP tracking device failover threshold. The device failover is now based solely
on which device has the greater total of failed attempts to elicit responses from ping or ARP requests to
targeted IP addresses.
Action
No recommended action
Message
IP tracking device failover threshold has been set to <number>.
Meaning
An admin has set the IP tracking device failover threshold to the specified number. A device failover
occurs when the master fails to elicit the specified number of consecutive responses from ping or ARP
requests to the targeted IP addresses.
Action
No recommended action
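The path-monitoring messages in this section describe two thresholds: a per-target failure threshold (consecutive unanswered ping or ARP requests) that produces "IP tracking to <ip_addr> has failed", and a device failover threshold that, when set, decides whether the master steps down, and, when disabled, leaves failover to whichever device has the greater total of failed attempts. The following is an added example that simulates both levels over constructed probe results; it is not ScreenOS code. The guide does not state how target weights combine against the device failover threshold, so summing the weights of failed targets is an assumption made here, as is treating a miss count that reaches the threshold as a failure.

```python
from dataclasses import dataclass


@dataclass
class TrackedIP:
    ip: str
    interface: str
    method: str        # "ping" or "ARP"
    interval: int      # seconds between probes (not simulated here)
    threshold: int     # consecutive unanswered probes that mark the target failed
    weight: int        # importance of this target relative to the others
    misses: int = 0    # consecutive unanswered probes so far
    failed: bool = False

    def record_probe(self, answered):
        """Feed one probe result; return the documented log line when the target fails."""
        if answered:
            self.misses = 0
            self.failed = False
            return None
        self.misses += 1
        # Assumption: reaching the threshold counts as exceeding it.
        if not self.failed and self.misses >= self.threshold:
            self.failed = True
            return f"IP tracking to {self.ip} has failed."
        return None


def failed_weight(targets):
    """Assumption: weights of failed targets are summed for the device-level decision."""
    return sum(t.weight for t in targets if t.failed)


def total_misses(targets):
    return sum(t.misses for t in targets)


def master_should_fail_over(master_targets, backup_targets, device_threshold):
    """device_threshold=None models 'IP tracking device failover threshold has been disabled'."""
    if device_threshold is None:
        # Threshold disabled: compare the devices' totals of failed attempts.
        return total_misses(master_targets) > total_misses(backup_targets)
    return failed_weight(master_targets) >= device_threshold


def run_probes(targets, results):
    """results maps ip -> list of booleans (True = reply received), oldest first.
    Returns the log lines that would be emitted."""
    lines = []
    for t in targets:
        for answered in results.get(t.ip, []):
            msg = t.record_probe(answered)
            if msg:
                lines.append(msg)
    return lines


def demo():
    """Constructed scenario: the master loses its gateway, the backup still reaches it.
    Addresses, interface names and weights are assumptions."""
    master = [TrackedIP("10.1.1.1", "untrust", "ping", 1, 3, 255),
              TrackedIP("10.1.1.53", "trust", "ARP", 1, 3, 50)]
    backup = [TrackedIP("10.1.1.1", "untrust", "ping", 1, 3, 255),
              TrackedIP("10.1.1.53", "trust", "ARP", 1, 3, 50)]
    lines = run_probes(master, {"10.1.1.1": [True, False, False, False],
                                "10.1.1.53": [True, True]})
    run_probes(backup, {"10.1.1.1": [True] * 4, "10.1.1.53": [True, True]})
    return lines, failed_weight(master), master_should_fail_over(master, backup, 255)


if __name__ == "__main__":
    print(demo())
```

Note that a target that keeps failing after the threshold does not repeat the log line, and a single answered probe clears both the miss counter and the failed flag; that is why a flapping link can produce alternating failure messages without ever tripping the device threshold.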
IKE
The following messages relate to the Internet Key Exchange (IKE) protocol, one of the three main components of
IPSec—the other two are the Encapsulating Security Payload (ESP) and Authentication Header (AH) protocols.
IKE provides a secure means for the distribution and maintenance of cryptographic keys and the negotiation of
the parameters constituting a secure communications channel.
Alert
Message
IKE <ip_addr>: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been
removed.
Meaning
The number of consecutive IKE heartbeats that the local NetScreen device has sent to the specified peer
through the IPSec tunnel without receiving a reply has exceeded the failure threshold. The security
associations (SAs) for both Phase 1 and Phase 2 have been removed.
Action
Verify network connectivity to the peer gateway. Check if the peer has changed or deleted the tunnel
configuration or rebooted the remote gateway device.
Information
Message
IKE <ip_addr> Phase 1: Certificate received has a different { IP address | FQDN | UFQDN } SubAltName
than expected.
Meaning
The local NetScreen device received a certificate from the specified IKE peer that contained a different
subject alternative name (SubAltName) than was configured as the IKE ID on the local device.
The SubAltName is an alternative name for the subject of a certificate. NetScreen supports the following
kinds:
• IP address, such as 209.157.66.170
• Fully Qualified Domain Name (FQDN), such as www.netscreen.com
• User’s Fully Qualified Domain Name (UFQDN), such as [email protected]
Action
Recommend the peer use a certificate with the expected SubAltName or change the IKE ID in the local
VPN configuration to match that of the certificate.
Message
IKE <ip_addr> Phase 1: Certificate received has a subject name that does not match the ID payload.
Meaning
The local NetScreen device received a certificate from the specified IKE peer that contained a different
subject than the IKE ID sent by the peer.
The subject of a certificate can be a distinguished name (DN) composed of a concatenation of the
common name elements listed in the request submitted for that certificate. The DN is the identity of the
certificate holder.
Action
Advise the peer to change the IKE ID in its VPN configuration to match that of the certificate, or use a
certificate with a subject name that matches the IKE ID configured for the VPN.
Message
IKE <ip_addr> Phase 1: Cannot use a preshared key because the peer’s gateway has a dynamic IP
address and negotiations are in Main mode.
Meaning
When configuring an IPSec tunnel to the specified remote gateway, which has a dynamically assigned IP
address, an admin specified a preshared key and selected Main mode for the Phase 1 negotiations.
Authentication via preshared key is not allowed when Main mode is used with a peer at a dynamically
assigned IP address.
Action
Reconfigure the VPN using a certificate to authenticate the remote party, or select Aggressive mode for
use with preshared key authentication.
Message
IKE <ip_addr> Phase 1: Main mode packet has arrived with ID type { IP address | FQDN | UFQDN |
ASN1_DN }, but no user configuration was found for that ID.
Meaning
The NetScreen device has received the packet in Phase 1 Main mode negotiations that specifies the
identity of the remote entity. The packet is from a VPN dialup user at the specified address and contains
the specified IKE ID type. However, the NetScreen device cannot find a configuration for the VPN dialup
user based on the ID received.
NetScreen supports the following four IKE ID types:
• IP address, such as 209.157.66.170
• Fully Qualified Domain Name (FQDN), such as www.netscreen.com
• User’s Fully Qualified Domain Name (UFQDN), such as [email protected]
• Abstract Syntax Notation, version 1, distinguished name (ASN1_DN), such as cn=ns100, ou=eng,
o=netscreen, l=santa clara, s=ca, c=us
Action
Check that a VPN dialup user has been configured with the specified identity.
Message
IKE <ip_addr> Phase 1: Retransmission limit has been reached.
Meaning
The local NetScreen device has reached the retransmission limit (10 failed attempts) during Phase 1
negotiations with the specified remote peer because the local device has not received a response.
Note: If the local device continues receiving outbound traffic for the remote peer after the first 10 failed
attempts, it makes another 10 attempts, and continues to do so until it either succeeds at contacting the
remote gateway or it no longer receives traffic bound for that gateway.
Action
Verify network connectivity to the peer gateway. Request the remote gateway admin to consult the log to
determine if the connection requests reached it and, if so, why the device did not respond.
Message
IKE <ip_addr> Phase 1: Completed { Aggressive | Main } mode negotiations with a <number>-second
lifetime.
Meaning
The NetScreen device and the specified remote gateway have successfully completed Phase 1
negotiations in either Aggressive mode or Main mode with the lifetime of the Phase 1 security association
(SA) defined in seconds.
Action
No recommended action
Message
IKE <ip_addr> Phase 1: Discarded a second initial packet, which arrived within 5 seconds after the first.
Meaning
The local NetScreen device received two initial Phase 1 packets from the peer at the specified address
within a five-second interval. As a result, the local device dropped the second initial packet.
Action
Verify if the packets came from a legitimate peer gateway. If so, check the local logs and request the
remote gateway admin to check his logs to uncover the cause of the difficulty in completing the Phase 1
negotiations.
Message
IKE <ip_addr> Phase 1: Initiated { Main | Aggressive } mode negotiations.
Meaning
The local NetScreen device has initiated a Phase 1 exchange with the peer at the specified address using
either Main mode or Aggressive mode.
Action
No recommended action
Message
IKE <ip_addr> Phase 1: { Aggressive | Main } mode negotiations have failed.
Meaning
The Phase 1 session initiated by the local NetScreen device to the specified peer has failed. The session
was in either Main mode or Aggressive mode.
Action
Request the remote admin to consult the event log to determine the cause of the failure.
Message
IKE <ip_addr> Phase 1: Received an invalid RSA signature.
Meaning
The specified IKE peer has sent an invalid RSA signature in Phase 1 Message 5 or 6.
Action
Request the peer to ensure that the RSA private key used to sign the packet pairs with the public key sent
in the certificate.
Message
IKE <ip_addr> Phase 1: Vendor ID payload indicates that the peer does not support NAT-T.
Meaning
The local NetScreen device has detected that the IKE peer or VPN dialup client does not support
NAT-Traversal (NAT-T).
One VPN participant determines if the other supports NAT-T by examining the information in the vendor
ID payload exchanged in the first two Phase 1 messages. If the participant supports NAT-T, the payload
contains the following MD5 hash of “draft-ietf-ipsec-nat-t-ike-00”:
4485152d 18b6bbcd 0be8a846 9579ddcc
Action
If NAT-T is required for successfully building an IPSec tunnel between the two VPN participants, make sure
that the NAT-T option is enabled on the local device and contact the remote peer admin or the VPN dialup
user to request that he or she enable NAT-T support there as well.
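The vendor ID check described above is a hash comparison: the 16-byte value the guide prints is MD5 of the draft name, carried in Vendor ID payloads (ISAKMP payload type 13) in the first two Phase 1 messages. The following is an added example, not code from the guide or from NetScreen, that recomputes the hash, walks a constructed ISAKMP payload chain using the generic payload header from RFC 2408 (next-payload, reserved, length), and reports whether the peer advertised NAT-T support. The sample payload chain is constructed here; it is not a captured packet.

```python
import hashlib
import struct

ISAKMP_SA = 1            # Security Association payload type (RFC 2408)
ISAKMP_VENDOR_ID = 13    # Vendor ID payload type (RFC 2408)
NO_NEXT_PAYLOAD = 0

NAT_T_DRAFT_00 = b"draft-ietf-ipsec-nat-t-ike-00"
# The value the guide lists, written as contiguous hex.
NAT_T_VID_HEX = "4485152d18b6bbcd0be8a8469579ddcc"


def vendor_id(draft_name):
    """A Vendor ID body is the MD5 digest of the draft or product string."""
    return hashlib.md5(draft_name).digest()


def build_payload_chain(payloads):
    """payloads: list of (type, body). Returns (first_type, bytes) in ISAKMP generic-header form."""
    out = b""
    for i, (ptype, body) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT_PAYLOAD
        out += struct.pack("!BBH", next_type, 0, 4 + len(body)) + body
    return payloads[0][0], out


def extract_vendor_ids(first_type, data):
    """Walk the chain and return the bodies of every Vendor ID payload.
    Raises ValueError on a truncated or self-inconsistent chain."""
    vids = []
    ptype, off = first_type, 0
    while ptype != NO_NEXT_PAYLOAD:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, _reserved, length = struct.unpack("!BBH", data[off:off + 4])
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        if ptype == ISAKMP_VENDOR_ID:
            vids.append(data[off + 4:off + length])
        ptype, off = next_type, off + length
    return vids


def is_well_formed(first_type, data):
    try:
        extract_vendor_ids(first_type, data)
        return True
    except ValueError:
        return False


def peer_supports_nat_t(vendor_ids):
    """True if any Vendor ID body equals MD5('draft-ietf-ipsec-nat-t-ike-00')."""
    return vendor_id(NAT_T_DRAFT_00) in vendor_ids


# Constructed chain: an SA payload (dummy body), an unrelated Vendor ID, then the NAT-T one.
SAMPLE_PAYLOADS = [
    (ISAKMP_SA, b"\x00" * 8),
    (ISAKMP_VENDOR_ID, vendor_id(b"some other product string")),
    (ISAKMP_VENDOR_ID, vendor_id(NAT_T_DRAFT_00)),
]

if __name__ == "__main__":
    first, chain = build_payload_chain(SAMPLE_PAYLOADS)
    print(vendor_id(NAT_T_DRAFT_00).hex() == NAT_T_VID_HEX)
    print(peer_supports_nat_t(extract_vendor_ids(first, chain)))
```

Later NAT-T drafts and the final RFC use different strings (and therefore different hashes); a peer that sends only one of those would be reported as not supporting NAT-T by a device that recognises only the draft-00 value, which is the situation the "does not support NAT-T" message can reflect between implementations of different vintage.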
Message
IKE <ip_addr> Phase 1: Initiated negotiations in { Aggressive | Main } mode.
Meaning
The local NetScreen device has initiated Phase 1 negotiations in either Aggressive mode or Main mode
to the specified peer.
Action
No recommended action
Message
IKE <ip_addr> Phase 1: Cannot verify { RSA | DSA } signature.
Meaning
The local NetScreen device cannot verify the RSA or DSA signature sent by the specified IKE peer.
Action
Contact the remote admin to check if he or she sent a certificate with the public key matching the private
key used to produce the signature.
Message
IKE <ip_addr> Phase 1: No private key exists to sign packets.
Meaning
The private key needed to create an RSA or DSA signature to authenticate packets destined for the
specified IKE peer does not exist.
This situation can arise under either of the following conditions:
• The local configuration for the remote gateway specifies a local certificate that an admin later removed.
• There are no local certificates in the certificate store and no local certificate is specified in the remote
gateway configuration.
Action
Obtain and load a certificate for use in authenticating IKE packets.
Message
IKE <ip_addr> Phase 1: { RSA | DSA } private key is needed to sign packets.
Meaning
The IKE gateway configurations—locally and remotely—require an RSA or DSA private key to
authenticate packets destined for the specified IKE peer. However, only a different type of key pair exists
locally (that is, an RSA private key is required, but only a DSA key pair is loaded; or a DSA private key is
required, but only an RSA key pair is loaded).
Action
Either change the gateway configuration to specify a key type that is already loaded, or obtain and load
the required certificate.
Message
IKE <ip_addr> Phase 1: Received an incorrect public key authentication method.
Meaning
In the first and second Phase 1 messages, the IKE participants agreed to use a preshared key for packet
authentication. Then, in the fifth or sixth message (Main mode) or second or third message (Aggressive
mode), the remote peer sent a signature payload, which requires the local device to use a public key (not
a preshared key) to authenticate the packet.
The NetScreen device, however, does not attempt to authenticate the packet; it drops the packet.
Action
Check if the remote peer is a legitimate IKE peer. If so, contact the remote admin to check if that device
has malfunctioned. If not, this might be an ineffectual attack in which the attacker is attempting to force
the NetScreen device to consume bandwidth while trying to verify bogus signature payloads.
Message
IKE <ip_addr> Phase 1: IKE { initiator | responder } has detected NAT in front of the { local | remote }
device.
Meaning
The local NetScreen device, with NAT-Traversal (NAT-T) enabled and functioning as either an initiator or
responder of Phase 1 IKE negotiations, has detected a NAT device in the data path either in front of itself
or in front of its remote peer.
There are several reasons for IPSec/NAT incompatibility. (For a list of IPSec/NAT incompatibilities, see
draft-ietf-ipsec-nat-reqts-00.txt by Bernard Aboba.) If NAT-T is enabled on both IKE participants, IPSec
packets are encapsulated within UDP packets, protecting the original IPSec header from modification by
NAT devices. Consequently, packet authentication—and communication via the IPSec tunnel—is
successful.
Action
No recommended action
Message
IKE <ip_addr> Phase { 1 | 2 }: Aborted negotiations because the time limit has elapsed.
Meaning
The NetScreen device has aborted Phase 1 or Phase 2 negotiations with the specified remote peer
because the time limit—60 seconds for Phase 1 and 40 seconds for Phase 2—has elapsed.
Action
Verify network connectivity to the peer gateway. Consult the local log and request the remote gateway
admin to consult his or her log to determine why the negotiations timed out before completion.
Message
IKE <ip_addr> Phase { 1 | 2 }: Rejected proposals from peer. Negotiations failed.
Meaning
The local NetScreen device has rejected the Phase 1 or Phase 2 proposals sent by the specified IKE
peer.
Action
To see the local and remote peers’ Phase 1 proposals, contact the admin of the remote peer and
compare configurations, or enter the following CLI commands when both peers participate in the next
Phase 1 negotiation:
1. debug ike detail
2. clear dbuf
3. get dbuf stream
4. Check that at least one of the Phase 1 proposals for both peers match
5. To stop the debugger, press the ESCAPE key.
Message
IKE <ip_addr> Phase 2: Initiated negotiations.
Meaning
The local NetScreen device has sent the initial message for IKE Phase 2 negotiations to the specified
peer.
Action
No recommended action
Message
IKE <ip_addr> Phase 2: Received a message but did not check a policy because id-mode is set to IP or
policy-checking is disabled.
Meaning
When the local NetScreen device received an IKE Phase 2 message from the specified peer, it could not
check for a policy because the id-mode was set to IP or policy-checking was disabled.
If the id-mode is set to IP, the remote peer does not send the proxy ID payload when initiating a Phase 2
session. The proxy ID consists of the local end entity’s IP address and netmask, protocol, and port
number; and those for the remote end entity. Consequently, the local peer cannot use the information in
the proxy ID to match the information in a local policy.
If policy-checking is disabled for IKE traffic with the specified peer, the IKE module builds an SA without
verifying the policy configuration.
Action
Verify if this is intended behavior. If not, set the id-mode to subnet (set ike id-mode subnet) and enable
policy-checking (set ike policy-checking).
Message
IKE <ip_addr> Phase 2: No policy exists for the proxy ID received: local ID (<ip_addr>/<netmask>,
<protocol>, <port_number>) remote ID (<ip_addr>/<netmask>, <protocol>, <port_number>).
Meaning
When the local NetScreen device received an IKE Phase 2 message from the specified peer, it detected
that no access policy exists matching the attributes specified in the proxy ID payload.
Action
If you intend to allow IPSec traffic between the specified local and remote end entities, configure the
necessary access policy.
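The two Phase 2 messages above turn on whether the proxy ID (local and remote address/netmask, protocol and port) carried in the peer's first Phase 2 message can be matched to an access policy. The following is an added example, not code from the guide or from NetScreen, that parses the "No policy exists for the proxy ID received" line, looks the proxy ID up against a small policy table, and reports which policy (if any) covers it. The matching rule used here (the proxy networks must fall within the policy's source and destination networks, and a policy service of protocol 0/port 0 means any) is an assumption about how such a table is consulted; the log line, addresses and policy names are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyID:
    local_net: str      # "a.b.c.d/netmask" exactly as the log line prints it
    local_proto: int
    local_port: int
    remote_net: str
    remote_proto: int
    remote_port: int


@dataclass(frozen=True)
class Policy:
    name: str
    src: str            # CIDR or dotted netmask
    dst: str
    proto: int = 0      # 0 = any protocol
    port: int = 0       # 0 = any port


PROXY_ID_RE = re.compile(
    r"No policy exists for the proxy ID received: "
    r"local ID \((?P<lnet>[\d./]+), (?P<lproto>\d+), (?P<lport>\d+)\) "
    r"remote ID \((?P<rnet>[\d./]+), (?P<rproto>\d+), (?P<rport>\d+)\)"
)


def parse_proxy_id(line):
    """Extract the proxy ID from the documented log line, or None if the line is something else."""
    m = PROXY_ID_RE.search(line)
    if not m:
        return None
    return ProxyID(m["lnet"], int(m["lproto"]), int(m["lport"]),
                   m["rnet"], int(m["rproto"]), int(m["rport"]))


def net(s):
    # ipaddress accepts both "10.1.1.0/24" and "10.1.1.0/255.255.255.0".
    return ipaddress.ip_network(s, strict=False)


def service_matches(policy, proto, port):
    """Assumption: policy proto/port of 0 are wildcards; otherwise they must match exactly."""
    return policy.proto in (0, proto) and policy.port in (0, port)


def policy_covers(policy, pid):
    """Assumption: the proxy networks must lie within the policy's source and destination."""
    return (net(pid.local_net).subnet_of(net(policy.src))
            and net(pid.remote_net).subnet_of(net(policy.dst))
            and service_matches(policy, pid.local_proto, pid.local_port)
            and service_matches(policy, pid.remote_proto, pid.remote_port))


def find_policy(policies, pid):
    """First policy that covers the proxy ID, or None (the case the log line reports)."""
    for p in policies:
        if policy_covers(p, pid):
            return p
    return None


# Constructed sample: the peer asked for 10.1.1.0/24 <-> 10.3.3.0/24, but the only
# policy covers 10.1.1.0/24 <-> 10.2.2.0/24. Addresses and policy name are assumptions.
SAMPLE_LINE = ("IKE 203.0.113.9 Phase 2: No policy exists for the proxy ID received: "
               "local ID (10.1.1.0/255.255.255.0, 0, 0) remote ID (10.3.3.0/255.255.255.0, 0, 0).")
POLICIES = [Policy("corp-to-branch", "10.1.1.0/24", "10.2.2.0/24")]

if __name__ == "__main__":
    pid = parse_proxy_id(SAMPLE_LINE)
    hit = find_policy(POLICIES, pid)
    print("covered by", hit.name if hit else "no policy; add one for", pid.remote_net)
```

The check is directional: the local network of the proxy ID is compared with the policy source and the remote network with the policy destination, so a policy written for the opposite direction does not satisfy it.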
Message
IKE <ip_addr> Phase 2: Received DH group <value1> instead of expected group <value2> for PFS.
Meaning
While executing a Diffie-Hellman exchange to refresh the cryptographic keys with Perfect Forward
Secrecy (PFS) during Phase 2 Messages 1 and 2, the remote peer used a different Diffie-Hellman group
than did the local NetScreen device. Consequently, the Phase 2 session has failed.
Action
Change the Phase 2 configuration on the local peer or request the admin for the remote peer to change
that configuration so that both employ the same Diffie-Hellman group for PFS.
Message
IKE <ip_addr> Phase 2 msg-id <number>: Received responder lifetime notification.
Meaning
The local NetScreen device has received a responder lifetime notification message from the specified
peer. The Phase 2 negotiation is identified by the specified message ID.
The notification includes the Phase 2 SA lifetime in both seconds and kilobytes. The peers use the
shortest lifetime defined.
Action
No recommended action
Message
IKE <ip_addr> Phase 2 msg-id <number>: Negotiations have failed. Policy-checking has been disabled
but multiple VPN policies to the peer exist.
Meaning
An admin has disabled policy-checking although multiple access policies for VPN traffic to the specified
peer exist. Consequently, the IKE module cannot find the correct SA for traffic covered by each policy.
Note: Policy-checking must be enabled if multiple policies for VPN traffic to the same gateway exist.
Action
Enable policy-checking or limit one policy per remote gateway.
Message
IKE <ip_addr> Phase 2 msg-id <number>: Responded to the first peer message.
Meaning
The local NetScreen device has responded to the specified peer, which sent the first message for Phase
2 IKE negotiations.
Action
No recommended action
Message
IKE <ip_addr> Phase 2 msg-id <number>: Negotiations have failed.
Meaning
The specified Phase 2 negotiations to the identified peer have failed.
Action
Examine the local log and request the remote admin to examine his or her log for possible causes.
Message
IKE <ip_addr> Phase 2 msg-id <number>: Completed negotiations with SPI <number>, tunnel ID
<number>, and lifetime <number> seconds/<number> KB.
Meaning
The local NetScreen device has successfully negotiated a Phase 2 session with the specified peer. The
Phase 2 session consists of the specified attributes.
Action
No recommended action
Message
IKE <ip_addr>: Dropped packet because remote gateway <name> is not used in any VPN tunnel
configurations.
Meaning
The local NetScreen device has discarded an IKE packet sent from the specified remote gateway
because the local device does not reference that gateway in any of its VPN tunnel configurations.
Action
Verify that the packet came from a peer with whom you want to establish a VPN. If so, configure a VPN
using that gateway.
Message
IKE <ip_addr>: Received incorrect ID payload: { IP address <ip_addr> | FQDN <string> | UFQDN
<string> | ASN1_DN <string> } instead of { IP address <ip_addr> | FQDN <string> | UFQDN <string> |
ASN1_DN <string> }.
Meaning
The NetScreen device received an incorrect IKE ID payload instead of the one that it was configured to
receive.
NetScreen supports the following four IKE ID types:
• IP address, such as 209.157.66.170
• Fully Qualified Domain Name (FQDN), such as www.netscreen.com
• User’s Fully Qualified Domain Name (UFQDN), such as [email protected]
• Abstract Syntax Notation, version 1, distinguished name (ASN1_DN), such as cn=ns100, ou=eng,
o=netscreen, l=santa clara, s=ca, c=us
Action
Check that the IKE ID configuration is identical on both the local and remote gateway devices.
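As an added example, not code from this guide or from ScreenOS, the following Python classifies an identity string into one of the four IKE ID types listed above and compares the ID a gateway is configured to expect with the ID it received, producing a report worded like the message above. The hostname syntax rule and the constructed UFQDN value admin@netscreen.com are assumptions; the other sample values are the ones the guide itself lists.

```python
import ipaddress
import re

# Syntax checks for the four IKE ID types the guide lists. The hostname rule is an
# assumption (RFC 1035-style labels with a letter-only top-level label).
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
DN_ATTR_RE = re.compile(r"^\s*([a-z]+)\s*=\s*(.+?)\s*$", re.I)


def parse_asn1_dn(text):
    """Split 'cn=ns100, ou=eng, ...' into (attribute, value) pairs; None if it is not a DN."""
    pairs = []
    for part in text.split(","):
        m = DN_ATTR_RE.match(part)
        if not m:
            return None
        pairs.append((m.group(1).lower(), m.group(2)))
    return pairs or None


def classify_ike_id(text):
    """Return (id_type, normalized_value) for one of: IP address, FQDN, UFQDN, ASN1_DN."""
    s = text.strip()
    try:
        return "IP address", str(ipaddress.IPv4Address(s))
    except ValueError:
        pass
    if "@" in s:
        user, _, host = s.rpartition("@")
        if user and FQDN_RE.match(host):
            return "UFQDN", user + "@" + host.lower()
    if FQDN_RE.match(s):
        return "FQDN", s.lower()
    pairs = parse_asn1_dn(s)
    if pairs:
        # Attribute names are compared case-insensitively; values are kept as given.
        return "ASN1_DN", ",".join("%s=%s" % kv for kv in pairs)
    raise ValueError("not a recognized IKE ID: %r" % text)


def check_peer_id(expected, received):
    """Compare the configured peer ID with the one received in the ID payload.

    Returns (ok, detail); detail mirrors the wording of the log message above.
    """
    exp = classify_ike_id(expected)
    rcv = classify_ike_id(received)
    if exp == rcv:
        return True, "ID payload matches: %s %s" % exp
    return False, "Received incorrect ID payload: %s %s instead of %s %s." % (rcv + exp)


if __name__ == "__main__":
    # Constructed pairs of (configured ID, received ID); the UFQDN is made up.
    for local, remote in [("209.157.66.170", "209.157.66.170"),
                          ("www.netscreen.com", "WWW.NETSCREEN.COM"),
                          ("cn=ns100, ou=eng, o=netscreen, l=santa clara, s=ca, c=us",
                           "cn=ns100, ou=eng, o=netscreen, l=santa clara, s=ca, c=us"),
                          ("admin@netscreen.com", "209.157.66.170")]:
        print(check_peer_id(local, remote)[1])
```

The check normalizes case for host names and DN attribute names before comparing, which is why a mixed-case FQDN from the peer still matches; an ID that fits none of the four types raises rather than silently matching nothing.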
Message
IKE <ip_addr>: Sent initial contact notification.
Meaning
The local NetScreen device has sent an initial contact notification message to the specified remote
gateway.
After rebooting, the local device sends an initial contact notification message when contacting a peer for
the first time. The message informs the peer that the local device has no previous state with it.
Action
No recommended action
Message
IKE <ip_addr>: Rejected an initial Phase 1 packet from an unrecognized peer gateway.
Meaning
The local NetScreen device has received an initial Phase 1 packet from the specified address. However,
because the NetScreen device could not find a matching peer gateway configuration, it rejected the
packet.
Action
Review the local VPN configurations to determine if the packet came from a legitimate peer.
Message
IKE <ip_addr>: Heartbeats have been lost <number> times.
Meaning
The IKE heartbeats that the local NetScreen device sends to the specified peer through the IPSec tunnel
have been lost the specified number of times.
Action
No recommended action
Message
IKE <ip_addr>: Responded to a packet with a bad SPI after rebooting.
Meaning
The local NetScreen device responded to an IPSec packet with an invalid security parameters index
(SPI) number from the specified peer. When configured to do so, the device responds in this way a
configurable number of times after a system reboot.
Note: To enable the NetScreen device to respond to an IPSec packet with an invalid SPI, use the
following CLI command: set ike respond-bad-spi <number>. When the NetScreen device reboots, it
loses any SPI values it had. However, the peers might still try to use SPI values in earlier SAs that have
not yet timed out on their devices.
Action
If you do not want the NetScreen device to respond to IPSec packets with bad SPI values, modify the
configuration.
Message
IKE <ip_addr>: Received notify message for DOI <doi_value> <type_value> <msg_text>.
Meaning
The device has received one of the following notification messages in the specified Domain of
Interpretation (DOI):
Error Types
6. Invalid payload type
7. DOI not supported
8. Situation not supported
9. Invalid cookie
10. Invalid major version
11. Invalid minor version
12. Invalid exchange type
13. Invalid flags
14. Invalid message ID
15. Invalid protocol ID
16. Invalid SPI
17. Invalid transform ID
18. Attributes not supported
19. No proposal chosen
20. Bad proposal syntax
21. Payload malformed
22. Invalid key information
23. Invalid ID information
24. Invalid cert encoding
25. Invalid certificate
26. Cert type unsupported
27. Invalid cert authority
28. Invalid hash information
29. Authentication failed
30. Invalid signature
31. Address notification
Status Types
16384 Connected
24576 Responder lifetime
24577 Replay status
24578 Initial contact
Action
For the error notification messages, take action as appropriate for the error described. For the status
notification messages, no action is necessary.
Message
IKE <ip_addr>: Received a bad SPI.
Meaning
The local NetScreen device detected an invalid security parameters index (SPI) number in IPSec traffic
from the specified peer.
Action
Receiving a few messages of this kind during rekey is normal. However, if you receive a large number of
these messages, check the SA status.
Message
IKE <ip_addr>: Sent initial contact notification message.
Meaning
The local NetScreen device has sent an initial contact notification message to the specified peer because
this is the first time for the local device to contact that peer.
Action
No recommended action
Message
IKE <ip_addr>: Added the initial contact task to the task list.
Meaning
The IKE module in the local NetScreen device has added to the task list the transmission of an initial
contact notification message for the Phase 1 SA being negotiated.
The device sends the initial contact notification message in either the fifth message (when the device is
the initiator) or the sixth message (when it is the responder) of Main mode message exchanges. When
using Aggressive mode, it sends the notification after the Phase 1 negotiations are completed.
Action
No recommended action
Message
IKE <ip_addr>: Added Phase 2 session tasks to the task list.
Meaning
The IKE module in the local NetScreen device has added the task to start a Phase 2 session with the
specified peer to the task list for the Phase 1 SA being negotiated.
Action
No recommended action
Message
IKE <ip_addr>: Phase 2 negotiation request is already in the task list.
Meaning
The IKE module in the local NetScreen device, when attempting to add a Phase 2 negotiation task to its
task list, discovered that the list already contained an identical task for the specified peer.
When beginning Phase 1 negotiations, the NetScreen device adds the tasks that the Phase 1 security
association (SA) must do to its Phase 1 task list. One such task is to perform Phase 2 negotiations. If
Phase 1 negotiations progress too slowly, local traffic might initiate another Phase 2 SA request to the
IKE module. If so, before the NetScreen device adds the Phase 2 task to its task list, it will discover that
an identical task is already in the list and refrain from adding the duplicate.
Action
Check if the IKE Phase 1 negotiations with that peer have successfully completed.
Message
IKE <ip_addr>: Received initial contact notification and removed Phase { 1 | 2 } SAs.
Meaning
The local NetScreen device has received an initial contact notification message from a peer and removed
all IKE Phase 1 or Phase 2 security associations (SAs) for that peer.
Note: When the NetScreen device receives an initial contact notification message, it removes all Phase 1
and Phase 2 SAs. However, because the removal of Phase 1 and Phase 2 SAs occurs separately, the
NetScreen device logs both removals separately.
Action
No recommended action
Message
IKE <ip_addr>: Removed Phase 2 SAs after receiving a notification message.
Meaning
The local NetScreen device has received a notification message from a peer and removed all IKE Phase
2 security associations (SAs) for that peer.
A notification to remove Phase 2 SAs can occur when the lifetime of a Phase 2 SA expires or when the
peer manually deletes an SA before it expires. (To delete a specific SA, use the CLI command clear sa
<id_number>. To delete all SAs, use the command clear ike all.)
Action
No recommended action
Message
IKE <ip_addr>: Rejected first Phase 1 packet from an unrecognized source.
Meaning
The local NetScreen device has rejected the first IKE Phase 1 message from a source that does not
match any configured VPN gateways.
Action
Check your VPN configurations and investigate if you want to build a security association (SA) with the
peer at the address from which the message originated.
Message
IKE <ip_addr>: Dropped peer packet because no policy uses the peer configuration.
Meaning
The local NetScreen device has dropped a packet from the specified IKE peer because no access policy
using that peer can be found.
Action
If you intend to establish a security association (SA) with the specified peer, verify that an access policy
permitting traffic via that peer exists and is positioned correctly in the access control list (ACL).
Message
IKE <ip_addr>: Heartbeats have been disabled because the peer is not sending them.
Meaning
The local NetScreen device has detected that the specified peer has not enabled IKE heartbeat
transmission, so the local device has also disabled heartbeat transmission to that peer.
Both ends of the IPSec tunnel must enable IKE heartbeat transmission for this feature to remain active. If
the local peer detects that the remote peer has not enabled this feature, the local peer automatically
ceases heartbeat transmission.
Action
No recommended action
Message
IKE <ip_addr>: Changed heartbeat interval to <number>.
Meaning
After detecting that the specified peer is using a shorter heartbeat interval than was originally configured
locally, the local device has adjusted its rate of heartbeat transmission to that peer.
Action
No recommended action
Message
Local gateway IP address has changed to 0.0.0.0. VPNs cannot terminate at an interface with IP 0.0.0.0.
Meaning
An admin has changed the IP address used for VPN termination on the local device to 0.0.0.0.
Consequently, no VPN traffic can reach or leave the device.
If the device is in NAT or Route mode, the admin has changed the IP address of the untrusted interface to
0.0.0.0/0. If the device is in Transparent mode, the admin has changed the system IP address to 0.0.0.0.
Action
If you made the change by mistake, return the changed address to its previous setting. If you made the
change intentionally (for example, you changed the operational mode from NAT or Route mode to
Transparent mode) and you want to maintain VPN activity with existing peers, set a valid IP address and
notify all remote gateway admins of the address change so they can reconfigure their VPN
configurations.
Message
Local gateway IP address has changed from 0.0.0.0 to another setting.
Meaning
An admin has changed the IP address that the local device can use for VPN termination from 0.0.0.0 to
another address.
Action
No recommended action
Notification
Message
IKE key <key_id> has been deleted.
Meaning
An admin has deleted the specified IKE key.
Action
No recommended action
Message
IKE <ip_addr>: Gateway settings have been modified.
Meaning
An admin has modified the settings for the specified remote IKE gateway.
Action
No recommended action
INTERFACE
The following messages relate to interface configurations.
Notification
Message
IP for interface <interface_name> has been changed from <ip_addr1> to <ip_addr2>.
Meaning
An administrator has changed the IP address for the specified interface.
Action
No recommended action
Message
Netmask for interface <interface_name> has been changed from <mask1> to <mask2>.
Meaning
An administrator has changed the netmask for the specified interface.
Action
No recommended action
Message
Manage IP for interface <interface_name> has been changed from <ip_addr1> to <ip_addr2>.
Meaning
An administrator has changed the manage IP address for the specified interface.
Action
No recommended action
Message
Gateway IP for interface <interface_name> has been changed from <ip_addr1> to <ip_addr2>.
Meaning
An administrator has changed the IP address of the gateway for the specified interface.
Action
No recommended action
Message
Interface <interface_name> with IP <ip_addr> <mask> [ tag <802.1Q_tag> ] has been created.
Meaning
An administrator has created the specified interface. It has the specified IP address and netmask, and
(optionally) the specified VLAN tag.
Action
No recommended action
Message
Interface <interface_name> has been removed.
Meaning
An administrator has removed the specified interface.
Action
No recommended action
Message
Maximum bandwidth <mbw> kbps on interface <interface_name> is less than the total guaranteed
bandwidth <gbw> kbps.
Meaning
The specified interface bandwidth settings are insufficient for the total guaranteed bandwidth specified in
the traffic shaping option of the access policies that traverse that interface.
Action
Increase the interface bandwidth settings or decrease the traffic shaping bandwidth settings on the
access policies.
Message
The configured bandwidth setting on the interface <interface_name> has been changed to <cbw> kbps.
Meaning
An administrator has changed the configured bandwidth for the specified interface.
Action
No recommended action
Message
{ Global PRO | Ident-reset | NS-Global | Ping | SCS | SNMP | SSL | Telnet | Web } has been { enabled |
disabled } on the interface <interface_name>.
Meaning
An administrator has either enabled or disabled Global PRO, NS-Global, SCS, SNMP, SSL, Telnet, or
Web manageability, or ident-reset or ping functionality for the specified interface.
Action
No recommended action
Message
The 802.1Q tag for the interface <interface_name> has been removed.
Meaning
An administrator has removed the 802.1Q VLAN tag for the specified interface.
Action
No recommended action
Message
The 802.1Q tag for the interface <interface_name> has been changed to <tag>.
Meaning
An administrator has changed the 802.1Q VLAN tag for the specified interface to the named tag.
Action
No recommended action
Message
802.1Q VLAN trunking for the interface <interface_name> has been turned on.
Meaning
An administrator has enabled 802.1Q VLAN trunking for the specified interface. Note that this option is
only available in Transparent mode.
Action
No recommended action
Message
802.1Q VLAN trunking for the interface <interface_name> has been turned off.
Meaning
An administrator has disabled 802.1Q VLAN trunking for the specified interface. Note that this option is
only available in Transparent mode.
Action
No recommended action
Message
The operational mode for the interface <interface_name> has been changed to { Route | NAT }.
Meaning
An administrator has changed the operational mode for the specified interface to { Route | NAT }.
Action
Check access policy configurations to ensure that they function properly in the new operational mode.
Message
DHCP on the interface <interface_name> has been { enabled | disabled }.
Meaning
An administrator has { enabled | disabled } DHCP on the specified interface.
Action
Check access policy configurations to ensure that they function properly in the new operational mode.
LINK STATUS
The following messages relate to the status of the physical interface links.
Notification
Message
The physical state of the interface <interface_name> has changed to { up | down }.
Meaning
The physical state of the specified interface has changed from up to down, or from down to up.
Action
No recommended action
LOGS
The following messages relate to the event, traffic, and self logs.
Information
Message
<log_name> has been cleared.
Meaning
An administrator has cleared the named log.
Action
No recommended action
MIP
The following messages relate to mapped IP (MIP) addresses.
Information
Message
MIP <ip_addr>/<netmask> has been { added | modified | deleted }.
Meaning
An administrator has added, modified, or deleted the specified mapped IP address.
Action
No recommended action
PKI
The following messages relate to Public Key Infrastructure (PKI).
Critical
Message
Cannot load more X509 certificates. The maximum number has been reached.
Meaning
An admin has attempted to load more X509 certificates than the maximum allowed (128).
Action
Remove any unused or expired certificates before attempting to load new ones.
Message
Failed to save the CA configuration.
Meaning
An admin attempted to save the configuration for a CA on the NetScreen device, but the device failed to
save it.
Action
Check the CA configuration settings on the NetScreen device.
Message
Failed to send the X509 request file via e-mail.
Meaning
An admin attempted to send an X509 request file via e-mail, but the attempt failed.
Action
Check the Simple Mail Transfer Protocol (SMTP) configuration settings on the NetScreen device.
Information
Message
PKI error message has been received: PKI_CID_VERIFY_CERT_RSP. The peer’s public key cannot be
decoded.
Meaning
The NetScreen device has generated the message PKI_CID_VERIFY_CERT_RSP, indicating that a
peer using a certificate in an IPSec Phase 1 negotiation has sent a public key that the NetScreen device
cannot decode.
Action
Notify the peer that his or her certificate might be invalid.
Message
Cannot find the CA certificate with distinguished name <dn_name>.
Meaning
The NetScreen device cannot locate the specified CA certificate because it has not been loaded in the
device.
Action
Load the required CA certificate in the NetScreen device.
Message
Local certificate with distinguished name <dn_name> is invalid.
Meaning
The specified local certificate is invalid.
Action
Request another local certificate from the CA.
Message
PKI error message has been received: <message>.
Meaning
The NetScreen device generated one of the following messages:
• The NetScreen device has received an invalid X509 certificate.
• The NetScreen device cannot retrieve the CRL.
• The return packet for an X509 certificate request is empty.
• The CRL contents are invalid.
• The NetScreen device has received an invalid end entity (EE) certificate. (That is, an IPSec peer’s local
certificate is invalid.)
• LDAP operation has failed.
• The NetScreen device is unable to decode the issuer CA’s public key.
• LDAP search operation has failed.
• The NetScreen device cannot find the issuer CA certificate for the CRL.
• The NetScreen device failed to retrieve the CRL.
• LDAP bind request has failed.
• The NetScreen device has received an invalid CA certificate.
• The CA is not responding.
• The NetScreen device checked the CRL signature and the signature failed the inspection.
• LDAP server host name is empty.
• LDAP modification: The del operation is not currently supported.
• LDAP modification: The add operation is not currently supported.
Action
Check the LDAP and SCEP configurations on the NetScreen device and request the CA admin to check
if the CA server is properly configured.
Message
Distinguished name <dn_name> in the X509 certificate request is invalid.
Meaning
The distinguished name in the X509 certificate request is invalid. The distinguished name is a
concatenation of the following elements that together define the subject of the request: name, phone
number, unit/department, organization, county/locality, state, country, e-mail address, and IP address.
Action
Change one or more of the elements composing the distinguished name in the certificate request.
Message
PKCS #7 data cannot be decapsulated.
Meaning
The NetScreen device is unable to decapsulate a PKCS #7 packet received from a CA.
Action
Contact the CA and request them to retransmit the packet.
Message
SCEP_FAILURE message has been received from the CA.
Meaning
The CA has responded to a Simple Certificate Enrollment Protocol (SCEP) request with a
SCEP_FAILURE message indicating that the X509 certificate request has been rejected.
Action
Check the SCEP configuration on the NetScreen device and contact the CA administrator.
Notification
Message
X509 { certificate | CRL } cannot be loaded.
Meaning
An admin cannot load an X509 certificate or certificate revocation list (CRL) in the NetScreen device.
Action
Verify if the certificate or CRL is valid by trying to open it. If you can open the certificate or CRL, it is valid.
If you cannot open it, it is invalid and you must request another one.
Message
X509 certificate has been deleted.
Meaning
An admin has deleted an X509 certificate from the NetScreen device.
Action
No recommended action
Message
CA configuration is invalid.
Meaning
The configuration on the NetScreen device for the CA is invalid.
Action
Check the CA configuration settings on the NetScreen device.
Message
In the X509 certificate request, the { name | phone | e-mail | country | state | county/locality | organization |
unit/department | IP address | e-mail to } field has been changed from { <name> to none | none to
<name> | <name1> to <name2> }.
Meaning
An admin has changed the specified common name (CN) field in the X509 certificate request.
Action
No recommended action
Message
For the X509 certificate request, the raw CN setting has been changed from { <enabled> to <disabled> |
<disabled> to <enabled> }.
Meaning
An admin has enabled or disabled the use of the certificate name alone (as opposed to a concatenation
of all the common names) as the distinguished name (DN) of the X509 certificate request.
Action
No recommended action
Message
The X509 certificate validation level has been changed from { full to partial | partial to full }.
Meaning
An admin has changed the certificate validation level either from full to partial or from partial to full.
“Full” means that the NetScreen device validates a peer’s certificate by checking all the CAs in the
hierarchical PKI validation path of the peer’s certificate until it verifies the root CA certificate, which must
be loaded on the NetScreen device.
“Partial” means that the NetScreen device verifies the first CA certificate—which must be loaded on the
NetScreen device to be verified—in the hierarchical PKI validation path of a peer’s certificate.
Action
No recommended action
Message
Default LDAP server name managing the CRL has been changed from { <ip_addr1> to <ip_addr2> |
<domain_name1> to <domain_name2> }.
Meaning
An admin has changed the IP address or domain name of the default LDAP server that manages the
certificate revocation list (CRL).
Action
No recommended action
Message
Default LDAP server CRL URL has been changed from <url1> to <url2>.
Meaning
An admin has changed the URL on the default LDAP server at which the certificate revocation list (CRL)
is accessed.
Action
No recommended action
Message
Default CRL refresh frequency has been changed from <interval1> to <interval2>.
Meaning
An admin has changed the frequency for checking the CRL on the default LDAP server. The options are
daily, weekly, monthly, and default, which uses the frequency that the CA specifies.
Action
No recommended action
Message
The { CA | RA } CGI URL for SCEP requests has been changed from <url1> to <url2>.
Meaning
An admin has changed the HTTP URL or LDAP URL of the common gateway interface (CGI) on the CA
server for either the certificate authority (CA) or registration authority (RA). The CGI identifies the script
path used by the CA server to process the incoming Simple Certificate Enrollment Protocol (SCEP)
request.
Action
No recommended action
Message
The { CA IDENT | Challenge password } for SCEP has been changed from <string1> to <string2>.
Meaning
An admin has changed the CA IDENT or the Challenge password. The CA IDENT uniquely identifies the
initiator of a Simple Certificate Enrollment Protocol (SCEP) request to the responding CA server. The end
entity (EE) can use the challenge password, included in the PKCS #10 certificate request, to validate its
identity when requesting the CA to revoke the EE’s certificate.
Action
No recommended action
Message
DSS checking of CRLs has been changed from { 0 to 1 | 1 to 0 }.
Meaning
An admin has enabled (1) or disabled (0) the use of digital signatures—using the Digital Signature
Standard (DSS)—to check the integrity of CRL content that the NetScreen device references.
Action
No recommended action
Message
SCEP mode has been changed from { 0 to 1 | 1 to 0 }.
Meaning
An admin has changed the mode for trusting a CA certificate received via the Simple Certificate
Enrollment Protocol (SCEP) from auto to manual (0 to 1) or manual to auto (1 to 0).
To verify the integrity of a newly loaded CA certificate, you can compare its fingerprint (a hash of part of
the certificate) with the hash of the same certificate available elsewhere (such as at the CA’s Web site). If
the two hashes match, you can trust that its integrity is intact.
Until you have confirmed its integrity, you can determine whether to trust or distrust the CA certificate.
When the SCEP mode is set to auto (0), the NetScreen device automatically trusts CA certificates
received via SCEP. When the SCEP mode is set to manual (1), the NetScreen device distrusts them until
you have confirmed their integrity and manually approved them (set pki auth <cert_id_number> scep
authentication { failed | passed }).
Action
No recommended action
Message
RSA key length has been changed from { 512 | 768 | 1024 | 2048 } to { 512 | 768 | 1024 | 2048 }.
Meaning
An admin has changed the bit length of the RSA key pair.
Action
No recommended action
Message
X509 certificate for ScreenOS image authentication is invalid.
Meaning
While attempting to load an X509 certificate to update the DSA key for authenticating the ScreenOS
image, the NetScreen device determines the file to be invalid.
Action
Request another certificate.
Message
The public key used for ScreenOS image authentication cannot be { decoded | loaded }.
Meaning
When loading an X509 certificate for updating the DSA key that authenticates the ScreenOS image, the
NetScreen device has discerned that the public key within the X509 certificate either cannot be decoded
or it cannot be loaded.
Action
Request another certificate.
Message
The public key for ScreenOS image has successfully been updated.
Meaning
An admin has successfully updated the DSA key that authenticates the ScreenOS image.
Action
Request another certificate.
Message
Self-signed X509 certificate cannot be generated.
Meaning
An admin has attempted to make an X509 certificate request, which involves the generation of a local
certificate to be sent to a CA for signing; however, the NetScreen device cannot generate an X509
certificate.
Action
Check that the total number of certificates—CA and local certificates combined—does not exceed the
maximum of 128.
Message
RA X509 certificate cannot be loaded.
Meaning
An admin has attempted to load an X509 certificate, but the NetScreen device has rejected it.
Action
Check that the CA certificate and RA certificate are valid by trying to open them. If you can open a
certificate, it is valid. However, it might have expired, so also check the expiration date. If you cannot
open the certificate, it is invalid and you must request another one.
POLICIES
The following messages relate to the configuration of access policies.
Notification
Message
Policy (<id_num>, <direction>, <src_addr> -> <dst_addr>, <service_name>, { permit | deny | tunnel }) has
been { added | modified | deleted | enabled | disabled }.
Meaning
An admin has added, modified, deleted, enabled, or disabled an access policy with the following attributes:
• ID – The ID number of the access policy.
• Direction – The direction of traffic to which the policy applies.
• Source Address – The name of the source address from which the traffic is sent. (Note: If the source
address appears as NULL Name, an error has occurred and the NetScreen device cannot find the source
address name.)
• Destination Address – The name of the destination address to which the traffic is sent. (Note: If the
destination address appears as NULL Name, an error has occurred and the NetScreen device cannot find
the destination address name.)
• Service – The kind of traffic (such as HTTP, FTP, or ANY—which means all kinds of traffic)
• Action – The action that the NetScreen device takes when this policy matches traffic received:
  - Permitting traffic to pass
  - Denying traffic
  - Tunneling traffic through a VPN tunnel
  - Enabling the policy to take effect
  - Disabling the policy from taking effect
Action
No recommended action
Message
Positions of policies <id_num1> and <id_num2> have been exchanged.
Meaning
An administrator has exchanged the positions of the two specified policies in the access control list
(ACL).
Action
No recommended action
Message
Policy <id_num1> has been moved { before | after } <id_num2>.
Meaning
An administrator has moved the first specified policy either before or after the second policy in the access
control list (ACL).
Action
No recommended action
ROUTES
The following messages relate to routing configurations.
Notification
Message
Route to <ip_addr>/<mask> [ interface <interface_name> gateway <gw_ip> ] has been { added |
deleted | modified }.
Meaning
An administrator has { added | deleted | modified } a route to the specified IP address. Optionally, the
message can include the interface and gateway IP address through which the route must pass.
Action
No recommended action
SCHEDULE
The following messages relate to schedules created for use in access policies.
Notification
Message
Schedule <schedule_name> has been { added | modified | deleted }.
Meaning
An administrator has added, modified, or deleted the specified schedule.
Action
No recommended action
SCS
The following messages relate to the secure command shell (SCS) utility on the NetScreen device. SCS is
compatible with secure shell (SSH™), which provides a method for an admin (SSH client) to securely access a
NetScreen device (SCS server) remotely over unsecured channels to manage it via the CLI.
Critical
Message
NetScreen device failed to { identify itself | send the identification string } to the SSH client at
<ip_addr>:<port_number>.
Meaning
The NetScreen device, acting as the SCS server, failed to identify itself or send the identification string to
the specified SSH client during the SCS connection procedure. This most likely is the result of a low-level
internal processing error.
Action
Advise the SSH admin user to initiate another connection with the device. If the problem persists, reset
the NetScreen device and have the SSH user try again.
Message
NetScreen device failed to authenticate the SSH client at <ip_addr>:<port_number>.
Meaning
The NetScreen device, acting as the SCS server, was unable to authenticate the specified SSH client
during the SCS connection procedure.
Action
Advise the SSH admin user to verify that the SSH client software is configured correctly and is using a
cipher that the NetScreen device supports—DES and 3DES.
Message
Incompatible SSH version <version_string> has been received from the SSH client at
<ip_addr>:<port_number>.
Meaning
The NetScreen device, acting as the SCS server, has received an incompatible version of the SSH
protocol from the specified SSH client during the SCS connection procedure.
Action
Advise the SSH user to run SSH version 1 for compatibility with a NetScreen device.
Message
Unable to validate cookie from the SSH client at <ip_addr>:<port_number>.
Meaning
The specified SSH client sent an invalid cookie during the SCS connection procedure.
Action
An attempted security attack might be in progress. First, validate the source of the connection attempt. If
you repeatedly receive this message, you might want to disable SCS until you determine the cause.
Message
Failed to retrieve PKA key bound to SSH user <name>. (Key ID=<key_id_number>)
Meaning
The NetScreen device unsuccessfully attempted to retrieve the specified PKA key bound to the specified
admin user attempting to log in using SCS.
Action
Contact NetScreen technical support. For contact information, visit
http://www.netscreen.com/support/index.html
Message
Failed to { bind | unbind } PKA key { to | from } SSH user <name>. (Key ID=<key_id_number>)
Meaning
An administrator unsuccessfully attempted to bind or unbind the specified PKA key to the specified admin
user.
Action
If binding is the problem, it might be that the specified PKA key is already bound to the specified admin
user or that four PKA keys (the maximum) are already bound to him or her. In the latter case, you must
first unbind one of the other keys from the user before binding the new one.
If unbinding is the problem, verify that the specified key is actually bound to the specified admin user.
Message
NetScreen device failed to generate a PKA RSA challenge for SSH user <name>.
(Key ID=<key_id_number>)
Meaning
The NetScreen device, acting as the SCS server, failed to generate a PKA RSA challenge for the
specified SSH user during the SCS connection procedure. The challenge requires the SSH user to
respond with an appropriate password to complete the authentication process.
Action
Check that the SSH user has the PKA RSA public key that has been bound to that user on the NetScreen
device loaded on the SSH client. Also check that the user has configured the client to specify the identity
file containing that PKA RSA public key during the log in process.
Error
Message
SSH client at <ip_addr>:<port_number> has failed to make an SCS connection to vsys <name> because
SCS cannot generate the host and server keys before timing out.
Meaning
The SCS utility was unable to generate the host and server keys for the specified virtual system on the
NetScreen device before the connection request timed out.
Action
Recommend that the SSH client wait one minute and then attempt another SCS connection.
Message
SSH client at <ip_addr>:<port_number> has failed to make an SCS connection because it requested an
unsupported cipher.
Meaning
The specified SSH client attempted to make an SCS connection to the NetScreen device but failed
because it requested a cipher not supported by the NetScreen device.
Action
Recommend that the SSH client reconfigure its request, using a cipher supported by the NetScreen
device—DES and 3DES—and then attempt another SCS connection.
Message
SSH user <name> at <ip_addr>:<port_number> has failed the PKA RSA challenge.
Meaning
The specified SSH user has failed the Public Key Authentication (PKA) process while attempting to make
an SCS connection to the NetScreen device.
Action
It is possible that the SSH user selected the wrong PKA key during the log in process. Compare the
fingerprint for the PKA key bound to the SSH user and the fingerprint that the SSH user is using to see if
they match.
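The "if you repeatedly receive this message" condition that the cookie, authentication and PKA-challenge messages above ask you to watch for, as an added example that is not part of the guide: it parses the SCS message templates documented in this section from event-log lines and flags any source address with several failures inside a short window. The ISO-8601 timestamp prefix, the sample lines, the window and the threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message templates as documented in the SCS section. <ip_addr>:<port_number>
# is captured; the rest of each template is matched literally.
IP_PORT = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
SCS_FAILURES = {
    "invalid_cookie": re.compile(
        r"Unable to validate cookie from the SSH client at " + IP_PORT),
    "client_auth_failed": re.compile(
        r"NetScreen device failed to authenticate the SSH client at " + IP_PORT),
    "pka_challenge_failed": re.compile(
        r"SSH user (?P<user>\S+) at " + IP_PORT
        + r" has failed the PKA RSA challenge"),
    "unsupported_cipher": re.compile(
        r"SSH client at " + IP_PORT + r" has failed to make an SCS connection "
        r"because it requested an unsupported cipher"),
}
SCS_SUCCESS = re.compile(
    r"SSH user (?P<user>\S+) has been authenticated using "
    r"(?P<method>password|PKA RSA) from " + IP_PORT)


def parse_scs_event(line):
    """Return (timestamp, kind, fields) for an SCS event line, else None.

    Assumed line layout (not specified by the guide): an ISO-8601 timestamp,
    one space, then the message text exactly as the guide documents it.
    """
    stamp, _, text = line.strip().partition(" ")
    try:
        ts = datetime.fromisoformat(stamp)
    except ValueError:
        return None
    for kind, pattern in SCS_FAILURES.items():
        m = pattern.search(text)
        if m:
            return ts, kind, m.groupdict()
    m = SCS_SUCCESS.search(text)
    if m:
        return ts, "authenticated", m.groupdict()
    return None


def triage_scs(lines, threshold=3, window=timedelta(minutes=5)):
    """Flag every source IP that produced `threshold` or more SCS failures
    inside any span of length `window`.

    Returns {ip: {"failures": total failure count, "kinds": sorted kinds}}.
    """
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_scs_event(line)
        if event:
            ts, kind, fields = event
            by_ip[fields["ip"]].append((ts, kind))

    flagged = {}
    for ip, events in by_ip.items():
        failures = sorted(ts for ts, kind in events if kind != "authenticated")
        start = 0
        for end, ts in enumerate(failures):
            # Slide the window start forward until it spans at most `window`.
            while ts - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "failures": len(failures),
                    "kinds": sorted({k for _, k in events if k != "authenticated"}),
                }
                break
    return flagged


# Constructed sample event-log lines built from the templates in this section.
SAMPLE_LOG = """\
2001-05-14T10:02:11 SSH user admin has been authenticated using PKA RSA from 10.1.1.20:40122 with key ID 3.
2001-05-14T10:05:41 Unable to validate cookie from the SSH client at 172.16.9.7:51311.
2001-05-14T10:05:44 Unable to validate cookie from the SSH client at 172.16.9.7:51312.
2001-05-14T10:05:49 NetScreen device failed to authenticate the SSH client at 172.16.9.7:51313.
2001-05-14T10:06:02 SSH user admin at 172.16.9.7:51314 has failed the PKA RSA challenge.
2001-05-14T11:30:00 SSH client at 10.1.1.21:40500 has failed to make an SCS connection because it requested an unsupported cipher.
2001-05-14T11:31:10 SSH user ops has been authenticated using password from 10.1.1.21:40501.
"""

if __name__ == "__main__":
    for ip, info in triage_scs(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```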
Warning
Message
SCS has been { enabled | disabled } for <vsys_name> with <number> PKA keys already bound to
<number> SSH users.
Meaning
An admin has enabled or disabled SCS for the specified virtual system with the specified number of
Public Key Authentication (PKA) keys for the specified number of SSH users.
Note that this message only appears if PKA keys are already bound to SSH users in the specified system
when SCS is enabled or disabled.
Action
If you disable SCS, review the PKA keys to see if you need to keep or discard them. A large number of
keys can consume considerable memory space, which you can reclaim by discarding the unused keys.
Also, because SSH clients can no longer log in, you might consider notifying remote administrators
running unmanned scripts via their SSH connections.
If you enable SCS, after having disabled it earlier, review all the PKA keys and delete any for which you
cannot account. Because anyone who has one of the PKA keys can access the NetScreen device, you
must ensure that the NetScreen device is only storing keys for valid administrators.
Message
SSH user <name> at <ip_addr>:<port_number> has requested { password | PKA RSA } authentication,
which is not supported for that client.
Meaning
While attempting to make an SCS connection to the NetScreen device, the specified SSH user requested
a mode of authentication—password or PKA RSA—that had not been configured for that user.
Action
Enable the requested authentication method on the NetScreen device or reconfigure the SSH client
application to use the method already enabled on the NetScreen device.
Message
SSH user <name> at <ip_addr>:<port_number> has unsuccessfully attempted to log in via SCS to vsys
<name> using the shared untrusted interface.
Meaning
The specified SSH user failed to make an SCS connection to the specified virtual system, which shares
the untrusted interface with the root system.
Action
Because the NetScreen device uses the host and server keys of the root system—not those of the virtual
system—when sharing the untrusted interface, make sure that the SSH client has the public host key of
the root system loaded on its system.
To allow SCS management of a virtual system sharing the untrusted interface with the root system, make
sure that SCS is enabled at the root level.
Optionally, create a separate untrusted subinterface for that virtual system and enable SCS
manageability on its untrusted subinterface.
Message
Maximum number of SCS sessions (5) has been reached. Connection request from SSH user <name> at
<ip_addr>:<port_number> has been denied.
Meaning
The maximum number of concurrent SCS sessions is five. Because five SCS connections are currently
active, the NetScreen device has denied the connection request from the specified SSH user.
Action
Advise the admin user to wait for one of the currently active sessions to close before attempting another
SCS connection.
Message
SSH client at <ip_addr>:<port_number> has attempted to make an SCS connection to vsys <name> but
failed because SCS is not enabled for that vsys.
Meaning
The specified SSH client has attempted to make an SCS connection to the specified virtual system.
However, because SCS is not enabled for that virtual system, the attempt was unsuccessful.
Action
If you want the SSH client to be able to access the specified virtual system via SCS, enter that virtual
system and enable SCS manageability.
Message
SSH user <name> at <ip_addr>:<port_number> cannot log in via SCS to <vsys_name> using the shared
untrusted interface because SCS is disabled.
Meaning
The specified SSH user has failed to make an SCS connection to the specified virtual system, which
shares the untrusted interface with the root system. When SCS is disabled at the root level, it disables
SCS manageability for all virtual systems that share the untrusted interface.
Note: This message only appears in the event log of the virtual system to which the SSH user attempted
to connect.
Action
To allow an SCS connection to a virtual system sharing the untrusted interface with the root system,
make sure that SCS is enabled at the root level.
Optionally, create a separate untrusted subinterface for that virtual system and enable SCS
manageability on its untrusted subinterface.
Message
SSH client at <ip_addr> has attempted to make an SCS connection to interface <interface_name> at IP
<ip_addr> but failed because SCS is not enabled for that interface.
Meaning
The specified SSH client has attempted to make an SCS connection to the NetScreen device at the
specified interface. However, because SCS was not enabled on that interface, the attempt was
unsuccessful.
Action
If you want the SSH client to be able to access the device on the specified interface via SCS, enable SCS
manageability for that interface.
Message
SSH client at <ip_addr>:<port_number> has attempted to make an SCS connection to { the root system |
vsys <name> } but failed because SCS was not completely initialized for that system.
Meaning
The SCS utility was unable to generate the host and server keys for the specified virtual system on the
NetScreen device before the connection request timed out.
Action
Recommend that the SSH client wait one minute and then attempt another SCS connection.
Message
SCS connection has been terminated for admin user <name> at <ip_addr>:<port_number>
Meaning
Either the SSH client or the NetScreen device has terminated the SCS connection for the specified admin
user.
Action
No recommended action
Notification
Message
SCS has been { enabled | disabled } for { <vsys_name> | root system }.
Meaning
An admin has enabled or disabled SCS for the specified virtual system or root system.
Action
No recommended action
Message
SCS key regeneration interval has been changed from <interval1> to <interval2>.
Meaning
An admin has changed how often (in minutes) the NetScreen device generates a new SCS server key.
Action
No recommended action
Message
SSH user <name> has been authenticated using { password | PKA RSA } from
<ip_addr>:<port_number> [ with key ID <key_id_number> ].
Meaning
The specified SSH user has logged in to the NetScreen device from the specified IP address and port
number via SCS and authenticated himself or herself using either Public Key Authentication (PKA) or a
password. If the client uses PKA, the key ID number for the RSA key pair bound to that client and used for
SCS authentication is specified.
Action
No recommended action
Message
SCS PKA key has been { bound to | unbound from } admin user <name>. (Key ID = <key_id_number>)
Meaning
The root admin has either bound the RSA public key with the specified key ID number to the named
admin user or unbound the key from him or her. The admin user uses this key to authenticate himself or
herself via Public Key Authentication (PKA) when making an SCS connection to the NetScreen device.
Action
No recommended action
SERVICES
The following messages relate to user-defined and predefined services, and service groups.
Services
Notification
Message
Service <service_name> has been { added | modified | deleted }.
Meaning
An administrator has added, modified, or deleted the specified user-defined service.
Action
No recommended action
Service Groups
Notification
Message
Service group <grp_name> has been { added | modified | deleted }.
Meaning
An administrator has added, modified, or deleted the specified service group.
Action
No recommended action
Message
Service group <grp_name>: { Added | Deleted } member <service_name>.
Meaning
An administrator has added the specified service to or deleted it from the named service group.
Action
No recommended action
Message
Service group <grp_name> comments have been modified.
Meaning
An administrator has modified the comments for the specified service group.
Action
No recommended action
Message
Service group <grp_name1> group name has been changed to <grp_name2>.
Meaning
An administrator has changed the name of the service group.
Action
No recommended action
SNMP
The following messages pertain to the Simple Network Management Protocol (SNMP).
Critical
Message
SNMP listen port has been restored from <port_num> to default port 161. This change goes into effect in
three seconds.
Meaning
An admin has restored the user-configured SNMP listen port number to the default SNMP listen port
number (161). The port number assignment takes three seconds to go into effect.
Action
Advise the SNMP admin to change the port number on the SNMP manager at which it makes SNMP
requests.
Message
SNMP listen port has been restored from <port_num1> to <port_num2>. This change goes into effect in
three seconds.
Meaning
An admin has changed the user-configured SNMP listen port number to another user-configured port
number. The change of port number assignments takes three seconds to go into effect.
Action
Advise the SNMP admin to change the port number on the SNMP manager at which it makes SNMP
requests.
Message
SNMP trap port has been changed from <port_num1> to port <port_num2>.
Meaning
An admin has changed the user-configured SNMP trap port number to another user-configured port
number.
Action
Advise the SNMP admin to change the port number on the SNMP manager at which it receives SNMP
traps.
Information
Message
SNMP request from <ip_addr>:<port_num> to <ip_addr>:<port_num> has been received, but the SNMP
version type is incorrect.
Meaning
A request from the specified SNMP manager to the SNMP agent located in the specified NetScreen
device has been received. However, because NetScreen supports SNMP version 1 and the SNMP
manager making the request uses a different version of the protocol (such as SNMP version 2C or SNMP
version 3), the agent cannot respond to the request.
Action
If the request is from a legitimate SNMP manager, advise the admin to use SNMP version 1.
Message
Response to SNMP request from <ip_addr>:<port_num> to <ip_addr>:<port_num> has failed due to a
coding error.
Meaning
When the NetScreen device responded to an SNMP request, a BER coding/decoding error occurred.
BER (Basic Encoding Rules) converts data into bits and bytes and is the transfer syntax for SNMP.
Action
Advise the SNMP administrator to retry.
Message
SNMP request from an unknown SNMP community <name> at <ip_addr>:<port_num> to
<ip_addr>:<port_num> has been received.
Meaning
A request from the specified SNMP manager to the SNMP agent located in the specified NetScreen
device has been received. However, the NetScreen device does not recognize the specified SNMP
community name.
Action
If the SNMP manager IP address and port number are legitimate, advise the SNMP admin to check the
configuration.
Message
NetScreen device at <ip_addr>:<port_num> has responded successfully to SNMP request from
<ip_addr>:<port_num>.
Meaning
The SNMP agent located in the specified NetScreen device has successfully responded to an SNMP
request from the specified SNMP manager.
Action
No recommended action
Message
SNMP community <name> cannot be added because the community list is full.
Meaning
An admin has attempted to add the named SNMP community, but the NetScreen device already has the
maximum number of communities configured.
Action
Either remove one of the existing communities and then add the new one, or forgo the attempt.
Message
SNMP host <ip_addr> cannot be added because community <name> is full.
Meaning
An admin has attempted to add the specified host to the named SNMP community, but the community
already has the maximum number of hosts allowed.
Action
Either remove one of the existing hosts and then add the new one, or forgo the attempt.
Message
SNMP host <ip_addr> cannot be added to community <name> because of an IP address conflict.
Meaning
An admin has attempted to add the specified host to the named SNMP community, but its IP address
duplicates another entry.
Action
Check that the IP address for the host is correct and that it has not already been added to the community.
Message
SNMP host <ip_addr> cannot be removed from community <name> because host cannot be found.
Meaning
An admin has attempted to remove the specified host from the named SNMP community, but the host is
not listed in the community.
Action
Check that you are using the correct IP address for the host that you want to remove.
Message
SNMP request has been received from an unknown host in SNMP community <name> at
<ip_addr>:<port_num> to <ip_addr>:<port_num>.
Meaning
An SNMP request from an unknown host in the specified SNMP community has been received.
Action
If the SNMP request is from a legitimate SNMP community member, add the IP address for that host to
the SNMP community configuration on the NetScreen device.
Message
SNMP request has been received from host <ip_addr>:<port_num> with read-only privileges to
<ip_addr>:<port_num>.
Meaning
An SNMP request from a host at the specified IP address and port number with read-only privileges has
been received at the specified IP address and port number of the NetScreen device.
Action
If you want the host to have read/write privileges, change the configuration on the NetScreen device for
that SNMP community to permit it.
Message
SNMP request has been received, but no SNMP community has been configured.
Meaning
The SNMP agent on the NetScreen device has received an SNMP request, but no SNMP communities
have been configured yet.
Action
Configure an SNMP community.
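The decision sequence that the Information messages above describe (BER decoding of the request, the version-1 check, the community-name check, the host check and the read-only or read/write privilege), as an added example that is not NetScreen code. It decodes only the outer SNMP message header and leaves the PDU opaque; the community-table layout, the outcome names and the sample requests are assumptions made for the example.

```python
def _read_tlv(buf, pos):
    """Decode one BER tag-length-value at buf[pos] -> (tag, value, next_pos).

    Raises ValueError on a malformed encoding; that is the agent's
    "coding error" case.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated tag/length")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = octet count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of message")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(packet):
    """Return (version, community, pdu) from the outer SNMP message.

    Layout: SEQUENCE { INTEGER version, OCTET STRING community, PDU }.
    The PDU is returned as raw bytes; it is not decoded here.
    """
    tag, body, end = _read_tlv(packet, 0)
    if tag != 0x30 or end != len(packet):
        raise ValueError("outer SEQUENCE expected")
    tag, version, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("INTEGER version expected")
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("OCTET STRING community expected")
    return (int.from_bytes(version, "big", signed=True),
            community.decode("latin-1"), body[pos:])


SNMP_V1 = 0   # on the wire SNMPv1 is version 0; v2c is 1 and v3 is 3


def classify_request(packet, src_ip, communities):
    """Name the outcome for a request, following the Information messages.

    `communities` maps community name -> {"hosts": set of IPs, "write": bool};
    that layout is an assumption made for this example.
    """
    if not communities:
        return "no community configured"
    try:
        version, name, _pdu = parse_snmp_header(packet)
    except ValueError:
        return "coding error"
    if version != SNMP_V1:
        return "incorrect version"
    if name not in communities:
        return "unknown community"
    if src_ip not in communities[name]["hosts"]:
        return "unknown host in community"
    if communities[name]["write"]:
        return "accepted with read/write privileges"
    return "accepted with read-only privileges"


def _tlv(tag, value):
    """Short-form BER encoding (values under 128 bytes), for building samples."""
    return bytes([tag, len(value)]) + value


def build_request(version, community):
    """Constructed SNMP GetRequest (tag 0xA0) with an empty variable-binding list."""
    pdu = _tlv(0xA0, _tlv(0x02, b"\x01")      # request-id
                     + _tlv(0x02, b"\x00")    # error-status
                     + _tlv(0x02, b"\x00")    # error-index
                     + _tlv(0x30, b""))       # VarBindList
    return _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x04, community) + pdu)


# Constructed community table: 'public' is read-only, 'netops' is read/write.
COMMUNITIES = {
    "public": {"hosts": {"10.1.1.5"}, "write": False},
    "netops": {"hosts": {"10.1.1.6"}, "write": True},
}

if __name__ == "__main__":
    print(classify_request(build_request(SNMP_V1, b"public"), "10.1.1.5", COMMUNITIES))
    print(classify_request(build_request(1, b"public"), "10.1.1.5", COMMUNITIES))
```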
Notification
Message
SNMP VPN has been { enabled | disabled }.
Meaning
An admin has either enabled or disabled VPN encryption for SNMP traffic between the SNMP agent (that
is, the NetScreen device) and the SNMP manager.
Action
No recommended action
Message
SNMP AuthenTraps have been { enabled | disabled }.
Meaning
An admin has either enabled the SNMP agent to generate SNMP authentication-failure traps or disabled
the agent from doing so when the SNMP manager sends the incorrect community name string.
Action
No recommended action
Message
SNMP { contact | location } description has been modified.
Meaning
An admin has modified the SNMP contact information, such as the NetScreen admin’s telephone number
or e-mail address, or the information about the physical location of the NetScreen device.
Action
No recommended action
Message
SNMP community <name> attributes—write access, { yes | no }; receive traps, { yes | no }; receive traffic
alarms, { yes | no }—have been modified.
Meaning
An admin has modified at least one of the following attributes for the specified SNMP community:
• Read/write privileges (write access, yes) or read-only privileges (write access, no)
• Receiving traps sent from the NetScreen SNMP agent (receive traps, yes) or not receiving traps
(receive traps, no), in which case the SNMP manager must request information from the agent
• Receiving traffic alarms sent from the NetScreen SNMP agent (receive traffic alarms, yes) or not
receiving traffic alarms (receive traffic alarms, no)
Action
No recommended action
Message
SNMP host <ip_addr> has been { added to | removed from } SNMP community <name>.
Meaning
An admin has added the specified host to the named SNMP community or removed it from the
community.
Action
No recommended action
Message
SNMP listen port has been restored from <port_num> to default port 161. This change goes into effect in
three seconds.
Meaning
An admin has restored the user-configured SNMP listen port number to the default SNMP listen port
number (161). The port number assignment takes three seconds to go into effect.
Action
Advise the SNMP admin to change the port number on the SNMP manager at which it makes SNMP
requests.
Message
SNMP listen port has been changed from <port_num1> to <port_num2>. This change goes into effect in
three seconds.
Meaning
An admin has changed the user-configured SNMP listen port number to another user-configured port
number. The change of port number assignments takes three seconds to go into effect.
Action
Advise the SNMP admin to change the port number on the SNMP manager at which it makes SNMP
requests.
Message
SNMP trap port has been restored from <port_num> to default port 162.
Meaning
An admin has restored the user-configured SNMP trap port number to the default SNMP trap port number
(162).
Action
Advise the SNMP admin to change the port number on the SNMP manager at which it receives SNMP
traps.
SOFTWARE KEY
The following message relates to software keys used for enhancing functionality or adding optional features to the
ScreenOS.
Notification
Message
An optional ScreenOS feature has been activated via a software key.
Meaning
An administrator has activated an optional ScreenOS feature by using a software key.
Action
No recommended action
SYSLOG AND WEBTRENDS
The following messages pertain to configuring and enabling syslog and WebTrends© facilities.
Syslog
Notification
Message
Attempt to enable { syslog | traffic logging via syslog } has failed because syslog settings have not yet
been configured.
Meaning
An admin has attempted to enable the syslog facility or traffic logging via syslog before configuring the
syslog settings. Consequently the attempt has failed.
Action
Before attempting to enable syslog or traffic logging via syslog, configure the syslog settings.
Message
{ Syslog | Traffic logging via syslog } has been { enabled | disabled }.
Meaning
An admin has either enabled or disabled the syslog facility or traffic logging via syslog.
Action
No recommended action
Message
Syslog VPN encryption has been { enabled | disabled }.
Meaning
An admin has either enabled or disabled VPN encryption of all syslog messages sent from the NetScreen
device to the syslog host.
Action
No recommended action
Message
Syslog host { IP | domain name | port number } has been changed to { <ip_addr> | <domain_name> |
<port_num> }.
Meaning
An admin has changed the IP address or domain name of the syslog host or the port number to which the
NetScreen device sends UDP packets bound for the syslog host.
Action
No recommended action
Message
Syslog { facility | security facility } has been changed to { local0 | local1 | local2 | local3 | local4 | local5 |
local6 | local7 | auth/sec }.
Meaning
An admin has changed the name of the syslog facility or security facility for the messages sent to the
syslog host.
Action
No recommended action
Message
Syslog message level has been changed to { debug | information | notification | warning | error | critical |
alert | emergency }.
Meaning
An admin has changed the level of messages sent to the syslog host. The NetScreen device sends the
syslog host messages at this level and higher. (The syslog messages rank from lowest to highest as
follows: debug–information–notification–warning–error–critical–alert–emergency.)
Action
No recommended action
Message
Socket cannot be assigned for syslog.
Meaning
The NetScreen system cannot allocate an IP socket for the syslog facility.
Action
To free up a socket, close other management facilities that use sockets as connection tools, such as
Telnet or the Web, and which are not currently in use.
WebTrends
Notification
Message
Attempt to enable WebTrends has failed because WebTrends settings have not yet been configured.
Meaning
An admin has attempted to enable the WebTrends facility before configuring the WebTrends settings.
Consequently the attempt has failed.
Action
Before attempting to enable WebTrends, configure the WebTrends settings.
Message
WebTrends has been { enabled | disabled }.
Meaning
An admin has either enabled or disabled the WebTrends facility.
Action
No recommended action
Message
WebTrends VPN encryption has been { enabled | disabled }.
Meaning
An admin has either enabled or disabled VPN encryption of all WebTrends messages sent from the
NetScreen device to the WebTrends host.
Action
No recommended action
Message
WebTrends host { IP | domain name | port number } has been changed to { <ip_addr> | <domain_name> |
<port_num> }.
Meaning
An admin has changed the IP address or domain name of the WebTrends host or the port number to
which the NetScreen device sends UDP packets bound for the WebTrends host.
Action
No recommended action
Message
Socket cannot be assigned for WebTrends.
Meaning
The NetScreen system cannot allocate an IP socket for the WebTrends facility.
Action
To free up a socket, close some other facilities, such as Telnet, which are not currently in use.
SYSTEM
The following message pertains to NetScreen system memory.
Critical
Message
System memory is low: <number> bytes allocated out of <number> bytes total.
Meaning
The number of bytes allocated for system memory has surpassed the alarm threshold.
Action
If the memory alarm threshold was set too low, use the set alarm threshold memory <percent_value>
command to increase the threshold. (The default is 95% of the total memory.) Check if a firewall attack is
in progress. Seek ways to reduce traffic.
USERS
The following messages relate to users and have been divided into several sections:
• “Generic User-Related Events”
• “Dialup Users”
Generic User-Related Events
The following messages pertain to events that affect user settings and status at a global level.
Information
Message
The user limit has been exceeded and <ip_addr> cannot be added.
Meaning
(NetScreen-5 and -5XP only) The limit for the number of internal users that can access the NetScreen
device has been exceeded. Therefore, a communication attempt from the specified IP address has been
denied.
Action
No recommended action
Notification
Message
Authentication idle timeout value in minutes has changed from <value1> to <value2>.
Meaning
An administrator has changed the value (in minutes) for timing out firewall authentication users.
Action
No recommended action
Dialup Users
The following messages relate to VPN dialup users and dialup user groups.
Notification
Message
The user <user_name> has been { added | modified | deleted }.
Meaning
An administrator has added, modified, or deleted the specified user.
Action
No recommended action
Message
The user group <grp_name> has been { added | modified | deleted }.
Meaning
An administrator has added, modified, or deleted the named dialup user group.
Action
No recommended action
Message
The group member <member_name> has been { added to a group | deleted from a group }.
Meaning
An administrator has added the specified member to a user group or deleted the member from a group.
Action
No recommended action
VIP
The following messages concern virtual IP addresses (VIPs).
Critical
Message
{ VIP | VIP load balancing } server <ip_addr> is not responding.
Meaning
The specified VIP server or VIP load balancing server is not responding to the heartbeat PINGs sent by
the NetScreen device.
Action
Check that the server is powered up, that it is connected to the network, and that its TCP/IP settings are
correct.
Information
Message
{ VIP | VIP load balancing } server <ip_addr> is now responding.
Meaning
The specified VIP server or VIP load balancing server has begun responding to the heartbeat PINGs sent
by the NetScreen device.
Action
No recommended action
Notification
Message
VIP (<ip_addr1> <service> <ip_addr2>) has been { added | modified | deleted }.
Meaning
An administrator has added, modified, or deleted the specified VIP.
Action
No recommended action
VIRTUAL SYSTEMS
The following messages relate to virtual system configurations.
Notification
Message
Vsys <vsys_name> has been created.
Meaning
A root level administrator has created the specified virtual system.
Action
No recommended action
Message
Vsys <vsys_name1> has been changed to <vsys_name2>.
Meaning
A root level administrator has changed the name of a virtual system.
Action
No recommended action
Message
Vsys <vsys_name> ID has been changed to <new_id>.
Meaning
A root level administrator has changed the ID of the specified virtual system.
Action
No recommended action
Message
Vsys <vsys_name> has been deleted.
Meaning
A root level administrator has deleted the specified virtual system.
Action
No recommended action
VLANS
The following messages relate to virtual LANs.
Notification
Message
VLAN tag <number> has been { created | deleted }.
Meaning
An admin has created or deleted the specified VLAN tag.
Action
No recommended action
VPNS
The following messages relate to virtual private networks (VPNs) and VPN-related technologies.
• “VPNs”
• “L2TP”
VPNs
The following messages concern IPSec VPN tunnels.
Critical
Message
Replay packets have been detected! From <ip_addr>:<port_number> to <ip_addr>:<port_number>,
using protocol { 50 | 51 }, on interface <interface_name>. [ The attack occurred <number> times.]
Meaning
The NetScreen device has detected Encapsulating Security Payload (ESP, protocol 50) or Authentication
Header (AH, protocol 51) packets whose sequence numbers fall outside a specified range for VPNs with
the replay protection feature enabled. The packets are from the specified source IP address and port,
destined for the specified IP address and port, use the specified protocol, and enter the NetScreen device
at the specified interface. The number indicates how many consecutive times per second the internal
timer detected the arrival of packets with sequence numbers falling outside the defined range of
acceptability.
Out-of-sequence packets might indicate that somebody has resent a series of previously intercepted
packets with the intent of gaining entry to the trusted network or of flooding the NetScreen device to
cause a denial-of-service (DoS).
Action
If the NetScreen device is in high availability (HA) mode in a redundant cluster, check if a failover has
recently occurred. Because packet sequence numbers are not synchronized between master and backup
units, all ESP or AH packets for VPNs with the replay protection feature enabled appear to be out of
sequence to the new master. Consequently, the new master registers these packets as components of a
replay attack.
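The sequence-number check behind the replay message above, as an added example that is not NetScreen code: a standard 64-packet anti-replay sliding window, run first on a genuine replay of captured packets and then on a receiver whose window state is out of step with the sender's counter, which is how the HA false positive described in the Action text shows up in the rejection count. The window size, the seeded receiver state and the sample streams are assumptions made for the example.

```python
class ReplayWindow:
    """Receive-side anti-replay state for one SA.

    `highest` is the largest sequence number accepted so far and bit i of
    `bitmap` records whether sequence number (highest - i) has been seen.
    """

    def __init__(self, size=64, highest=0):
        self.size = size
        self.highest = highest
        self.bitmap = 1 if highest else 0
        self.rejected = 0          # what the device would count as replay hits

    def check(self, seq):
        """Accept `seq` (and update state) or reject it as a replay."""
        if seq == 0:                          # ESP/AH sequence numbers start at 1
            self.rejected += 1
            return False
        if seq > self.highest:
            # Newer than anything seen: slide the window up to `seq`.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 0
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            # Older than the window: "outside the specified range".
            self.rejected += 1
            return False
        if self.bitmap & (1 << offset):
            # Inside the window but already received: a replayed packet.
            self.rejected += 1
            return False
        self.bitmap |= 1 << offset            # late but first-time arrival
        return True


def deliver(window, seqs):
    """Run a stream of sequence numbers through `window`; return (accepted, rejected)."""
    accepted = sum(1 for s in seqs if window.check(s))
    return accepted, len(seqs) - accepted


def replayed_capture():
    """Genuine replay: packets 1-10 arrive, then captured copies of 3, 5 and 10."""
    win = ReplayWindow()
    first = deliver(win, range(1, 11))
    again = deliver(win, [3, 5, 10])
    return first, again, win.rejected


def desynchronised_receiver():
    """Failover illustration: a receiver whose window state is ahead of the
    sender's counter rejects an entirely legitimate stream.  Seeding the
    state this way is a constructed illustration; the guide only states
    that sequence numbers are not synchronised between master and backup."""
    win = ReplayWindow(highest=5000)
    return deliver(win, range(100, 110)), win.rejected


if __name__ == "__main__":
    print("replayed capture:", replayed_capture())
    print("desynchronised receiver:", desynchronised_receiver())
```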
Information
Message
UDP packets have been received from <src_ip>/<src_port> at interface <name> at <dst_ip>/<dst_port>.
Meaning
UDP packets from the specified IP address and port number have been received at the named interface
at the specified IP address and port number.
Action
No recommended action
Message
VPN ID number cannot be assigned.
Meaning
The NetScreen device was unable to assign an ID number to a newly configured VPN.
Action
Check if the maximum number of VPNs has been reached.
Notification
Message
VPN monitoring frequency has been unset.
Meaning
An admin has returned the VPN monitoring frequency to its default setting. The VPN monitoring feature
sends an ICMP echo request (PING) through a VPN tunnel from end to end to check if the tunnel is up or
down. The default setting is one PING per minute.
Action
No recommended action
Message
VPN monitoring for VPN <name> has been { enabled | disabled }.
Meaning
An admin has either enabled or disabled the VPN monitoring option for the specified VPN tunnel. VPN
monitoring checks if a VPN tunnel is up or down. If the state changes, an SNMP trap is triggered and the
NetScreen device sends a message to an SNMP manager.
Action
No recommended action
Message
VPN monitoring frequency has been set to <number>.
Meaning
An admin has changed the VPN monitoring frequency to the specified number of seconds. The VPN
monitoring feature sends an ICMP echo request (PING) through a VPN tunnel from end to end at the
specified frequency to check if the tunnel is up or down.
Action
No recommended action
Message
The DF-BIT for VPN <name> has been { cleared | set | copied }.
Meaning
For the specified VPN tunnel, an admin has cleared or set the Don’t Fragment BIT in the outside header
of an encapsulated packet, or copied the DF-BIT setting from the inside header to the outside header.
Action
No recommended action
Message
P1 proposal <name> with { preshared key | RSA-sig | DSA-sig }, DH group { 0 | 1 | 2 | 5 }, ESP { NULL |
DES | 3DES | AES }, auth { NULL | MD5 | SHA }, and lifetime <number> has been { added | modified |
deleted }.
Meaning
An admin has added or deleted the specified Phase 1 proposal, or modified at least one of the following
Phase 1 proposal attributes:
• Preshared Key
• RSA signature
• DSA signature
• Diffie-Hellman group 1, 2, or 5
• Authentication Header (auth) protocol
• Encapsulating Security Payload (ESP) protocol
• Data Encryption Standard (DES) encryption algorithm
• Triple DES (3DES) encryption algorithm
• Advanced Encryption Standard (AES) encryption algorithm
• Message Digest version 5 (MD5) hash algorithm
• Secure Hash Algorithm-1 (SHA-1) hash algorithm
• Lifetime (number in seconds, minutes, hours, or days)
Note: “DH group 0” indicates that a DH group is not employed because the proposal does not contain
Perfect Forward Secrecy (PFS).
Action
No recommended action
Message
Gateway <name> at <ip_addr> in { main | aggressive } mode with ID: { <peer_id> | none } has been
{ added | modified | deleted }.
Meaning
An admin has added or deleted the specified remote gateway, or modified at least one of its attributes.
Action
No recommended action
Message
P2 proposal <name> with DH group { 0 | 1 | 2 | 5 }, { AH | ESP }, enc { NULL | DES | 3DES | AES }, auth {
NULL | MD5 | SHA }, and lifetime { { sec | min | hour | day } <number> | kb <number> } has been { added |
modified | deleted }.
Meaning
An admin has added or deleted the specified Phase 2 proposal, or modified at least one of the following
attributes:
• Diffie-Hellman group 1, 2, or 5
• Authentication Header (AH) protocol
• Encapsulating Security Payload (ESP) protocol
• DSA signature
• Data Encryption Standard (DES) encryption algorithm
• Triple DES (3DES) encryption algorithm
• Advanced Encryption Standard (AES) encryption algorithm
• Message Digest version 5 (MD5) hash algorithm
• Secure Hash Algorithm-1 (SHA-1) hash algorithm
• Lifetime (number in seconds, minutes, hours, or days, or in kilobytes)
Note: “DH group 0” indicates that a DH group is not employed because the proposal does not contain
Perfect Forward Secrecy (PFS).
Action
No recommended action
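The P1 and P2 proposal notifications above record the cryptographic attributes an admin configured, which makes them a useful audit source. As an added example (not code from the guide or from ScreenOS), this Python script parses log lines in the two documented message formats and flags proposals that use NULL or DES encryption, NULL or MD5 authentication, DH group 1, or no PFS; the sample log lines and proposal names are constructed.

```python
import re

# Patterns follow the P1 and P2 proposal message formats documented in the guide.
P1_RE = re.compile(
    r"P1 proposal (?P<name>\S+) with (?P<method>preshared key|RSA-sig|DSA-sig), DH group (?P<dh>[0125]), "
    r"ESP (?P<enc>NULL|DES|3DES|AES), auth (?P<auth>NULL|MD5|SHA), and lifetime (?P<lifetime>\d+) "
    r"has been (?P<op>added|modified|deleted)\.")
P2_RE = re.compile(
    r"P2 proposal (?P<name>\S+) with DH group (?P<dh>[0125]), (?P<proto>AH|ESP), enc (?P<enc>NULL|DES|3DES|AES), "
    r"auth (?P<auth>NULL|MD5|SHA), and lifetime (?P<lifetime>(?:sec|min|hour|day) \d+|kb \d+) "
    r"has been (?P<op>added|modified|deleted)\.")

def parse_proposal(line):
    """Return the message fields plus 'phase', or None if the line is not a proposal message."""
    for phase, rx in (("P1", P1_RE), ("P2", P2_RE)):
        m = rx.search(line)
        if m:
            return dict(m.groupdict(), phase=phase)
    return None

def weak_settings(p):
    """List the weak attributes of a parsed proposal (empty list if none)."""
    findings = []
    if p["enc"] in ("NULL", "DES"):
        findings.append("weak encryption: " + p["enc"])
    if p["auth"] in ("NULL", "MD5"):
        findings.append("weak authentication: " + p["auth"])
    if p["dh"] == "1":
        findings.append("weak DH group: 1")
    if p["phase"] == "P2" and p["dh"] == "0":
        findings.append("no PFS (DH group 0)")  # see the guide's note on DH group 0
    return findings

def review(lines):
    """Return (name, phase, op, findings) for each added or modified proposal with weak settings."""
    results = []
    for p in filter(None, map(parse_proposal, lines)):
        findings = weak_settings(p)
        if findings and p["op"] != "deleted":
            results.append((p["name"], p["phase"], p["op"], findings))
    return results

# Constructed sample messages in the documented format (not taken from a real device).
SAMPLE_LOG = [
    "P1 proposal pre-g2-3des-sha with preshared key, DH group 2, ESP 3DES, auth SHA, and lifetime 28800 has been added.",
    "P1 proposal legacy-p1 with preshared key, DH group 1, ESP DES, auth MD5, and lifetime 28800 has been modified.",
    "P2 proposal nopfs-esp-des-md5 with DH group 0, ESP, enc DES, auth MD5, and lifetime sec 3600 has been added.",
    "P2 proposal g2-esp-aes-sha with DH group 2, ESP, enc AES, auth SHA, and lifetime kb 4608000 has been added.",
]
```

Calling `review(SAMPLE_LOG)` reports only the two proposals with weak settings (legacy-p1 and nopfs-esp-des-md5); the other two parse but produce no findings.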
Message
VPN <name> with gateway <name>, { no-rekey | rekey }, and p2-proposal <name> has been { added |
modified | deleted }.
Meaning
An admin has added or deleted the specified VPN, or modified at least one of its attributes.
Action
No recommended action
Message
VPN <name> with gateway <ip_addr> and SPI <local_spi>/<remote_spi> has been { added | modified |
deleted }.
Meaning
An admin has added or deleted the specified VPN, or modified at least one of its attributes.
Action
No recommended action
Message
IPSec NAT-T for VPN <name> has been { enabled | disabled }.
Meaning
An admin has either enabled or disabled the NAT traversal (NAT-T) option for the specified VPN.
NAT traversal adds an extra layer of encapsulation, encapsulating the original IPSec packet (using ESP
or AH protocols) within a UDP packet.
Most NAT servers cannot recognize the ESP or AH protocols and drop IPSec packets. When the NAT-T
option is enabled, the sender encapsulates the ESP or AH packet within a UDP packet. The NAT server
recognizes the UDP protocol and sends it on. The recipient then strips off the UDP packet and processes
the inner ESP or AH packet accordingly.
Action
No recommended action
L2TP
The following messages concern the configuration and operation of Layer 2 Tunneling Protocol (L2TP).
Information
Message
No IP address in L2TP IP pool for user <name>.
Meaning
The PPP server cannot assign an IP address from its address pool for the named L2TP user.
Action
You can enlarge the size of the L2TP default IP pool or assign an IP pool specifically to the user:
• set ippool <name> <start_IP_addr> <end_IP_addr>
• set user <name> remote-settings ippool <name>
Message
No L2TP IP pool for user <name>.
Meaning
There is no L2TP IP address pool on the PPP server for the named L2TP user.
Action
You must create an L2TP IP pool:
• set ippool <name> <start_IP_addr> <end_IP_addr>
• To make the above IP pool the default L2TP IP pool: set l2tp default ippool <name>
• To use the above IP pool for the specified user: set user <name> remote-settings ippool <name>
Notification
Message
IP pool <pool_name> with range <start_ip-end_ip> has been { created | deleted }.
Meaning
The named IP pool with the specified range of IP addresses has been created or deleted.
Action
No recommended action
Appendix A
Emergency Messages
The following list contains page references for the messages at the highest severity level: emergency.
Appendix B
Alert Messages
The following list contains page references for the messages at the second highest severity level: alert.
Appendix C
Critical Messages
The following list contains page references for the messages at the third highest severity level: critical.
Appendix D
Error Messages
The following list contains page references for the messages at the fourth highest severity level: error.
Appendix E
Warning Messages
The following list contains page references for all the messages at the fifth highest severity level: warning.
Appendix F
Information Messages
The following list contains page references for the messages at the second lowest severity level: information.
Appendix G
Notification Messages
The following list contains page references for all the messages at the lowest severity level: notification.